Towards a Unified Theory of Timed Automata by Fontana, Peter Christopher
Abstract
Title of dissertation: TOWARDS A UNIFIED THEORY
OF TIMED AUTOMATA
Peter Christopher Fontana,
Doctor of Philosophy, 2014
Dissertation directed by: Professor Rance Cleaveland
Department of Computer Science
Timed automata are finite-state machines augmented with special clock vari-
ables that reflect the advancement of time. Able to both capture real-time behav-
ior and be verified algorithmically (model-checked), timed automata are used to
model real-time systems. These observations have led to the development of sev-
eral timed-automata verification tools that have been successfully applied to the
analysis of a number of different systems; however, the practical utility of timed
automata is undermined by the theories underlying different tools differing in
subtle but important ways. Since algorithmic results that hold for the variant used
by one tool may not apply to another variant, this complicates the application of
different tools to different models. The thesis of this dissertation is this: the theory
of timed automata can be unified, and a practical unified approach to timed-
automata model checking can be built around the paradigm of proof search.
First, this dissertation establishes the mutual expressivity of timed automata
variants, thereby providing precise characterizations of when theoretical results of
one variant apply to other variants. Second, it proves powerful expressive prop-
erties about different logics for timed behavior, and as a result, enlarges the set
of verifiable properties. Third, it discusses an implementation of a verification
tool for an expressive fixpoint-based logic, demonstrating an application of this
newly developed theory. The tool is based on a proof-search paradigm; verifying
timed automata involves constructing proofs using proof rules that enable verifi-
cation problems to be translated into subproblems that must be solved. The tool’s
performance is optimized by using derived proof rules, thereby providing a theo-
retically sound basis for faster model checking. Last, this dissertation utilizes the
proofs generated during verification to gain additional information about the vac-
uous satisfaction of certain formulae: whether the automaton satisfied a formula
by never satisfying certain premises of that specification. This extra information is
often obtained without significantly decreasing the verifier’s performance.
TOWARDS A UNIFIED THEORY OF TIMED AUTOMATA
by
Peter Christopher Fontana
Dissertation submitted to the Faculty of the Graduate School of the
University of Maryland, College Park in partial fulfillment




Professor Rance Cleaveland, Chair









Welcome to my dissertation. This preface describes the purpose of this dissertation
as well as some background that might be helpful to understand some of the
details in the dissertation.
iii
Dissertation Structure
This dissertation provides motivation for my research, a description of relevant
previous work as well as some background review and a discussion of my com-
pleted work. The motivation of the work is discussed Chapter 1 (Introduction).
Chapter 2 (Background and Related Work) contains some background definitions
and a summary of relevant related work. Some details and definitions are in dis-
cussed in the relevant chapters of the dissertation. The scope of the dissertation’s
contribution are split into the next four chapters (3, 4, 5, and 6), one chapter per
contribution area. The contribution of Chapter 3 is a formalization of the timed
automata model, reconciling different variants throughout the literature. The con-
tribution of Chapter 4 is expressiveness proofs for a timed mu-calculus. The con-
tribution of Chapter 5 is an extended implementation of a tool to model check
properties in this timed my-calculus. The contribution of Chapter 6 is to gain ad-
ditional information from the model checker while verifying formulas, leveraging
that information to determine if a formula is satisfied without its premises ever
being satisfied. For a detailed outline of this dissertation’s material, please see the
Table of Contents of this dissertation.
Intended Audience
This dissertation is geared towards a broad technical audience. Its aim is that the
Abstract is accessible to any researcher in any area. However, in order to better aid
researchers in my field, some technical terms have been added in the Introduction.
The intention is that while the Introduction can be understood without knowing
these terms, knowing these terms will better allow a researcher to understand the
details of the contributions.
The aim is to make the rest of the dissertation accessible to any researcher with
iv
the mathematical maturity of 1-2 undergraduate proof-based mathematics courses
and the programming knowledge of 1-2 computer science courses. Background
that will help the understanding of this dissertation include:
• Mathematical proof: understanding proofs will be helpful when following
these proofs and digesting some of the more specialized mathematics such
as the logic expressivity results. Having the level of proof knowledge of a
discrete math class will be helpful; two texts for discrete math courses are
Epp [71], Scheinerman [142].
• Programming: Knowledge of programming concepts and data structures
such as loops, functions, arrays, linked-lists will be helpful. Also knowing
pointers may be helpful.
• Graphs and automata: Knowledge of finite automata is helpful; especially
knowledge of states. Also, knowing what a graph is (here we mean a graph
G = (V, E)), a directed vs. undirected graphs, and graph terms such as
components and shortest paths will be helpful.
• Logic and model checking: Having some background in logic will be help-
ful. This includes understanding what the model checking problem is will
be helpful. Also understanding temporal logics used in untimed systems
such as CTL (Computation Tree Logic) will be helpful.
• Lattices and fixpoints: Some understanding of the mathematical construct
of a lattice and a complete lattice L = (S,,⋃,⋂), as well as the theory of
fixpoints on lattices will be helpful.
• Timed automata: Occasionally a part of this dissertation will aim itself to
fellow timed automata researchers who have an understanding of timed
automata, clock zones, and region equivalence.
v
In order to give technical details, some parts of the dissertation give techni-
cal details aimed at the background of model checking researchers, sometimes
assuming knowledge from the background areas given above.
vi
Acknowledgements
I would like to thank my Ph.D. Advisor: Professor Rance Cleaveland. I have
learned many things from him, both directly through his advice and indirectly
through working with him, which include the research process, motivating a pa-
per, the flow of research, and how to write up results. From him I have also gained
insights on how to be patient with others, how to use simple examples to illustrate
points, how to give presentations, how to identify the relevant contributions of in-
terest, and how to interact with others to bring the best out of them. Additionally,
I am grateful for his patience and flexibility throughout the Ph.D. process.
I would like to thank the remaining members of my Ph.D. committee: Professor
William Gasarch, Professor Michael Hicks, Professor Samir Khuller, and Professor
Steven Marcus. I am grateful for their insights and feedback, which improved my
dissertation. I am also grateful for their support throughout the Ph.D. process.
I would like to thank the National Science Foundation for its research funding.
I would like to thank my collaborators in the Communications Department at
UMD: Professor Andrew Wolvin and Steven D. Cohen. Working with them has
allowed me to grow as a researcher, improve my communication skills, and gain
a better understanding “interdisciplinary.”
I would like to thank the staff of the UMD Computer Science department, who
include: Brandi Adams, Fatima Bangura, Brenda Chick, Felicia Chelliah, Jodie
Gray, Adelaide Findlay, JoAnn Simms, and Jennifer Story. I thank them for all of
their good work; they have helped make my experience in the department a more
pleasant one.
I would like to thank various people whom I met in the University of Maryland
vii
Gamer Symphony Orchestra (GSO), who include: Chris Apple, Greg Cox, Rob
Garner, Sam Kretschmer, Kerry Leonard, and Katie Noble. Each of these people
has contributed to my intellectual, musical, or social growth in a different way. I
am grateful to have been influenced by them.
I would like to thank my friends, colleagues, and acquaintances, who include:
Zamira Daw, Cody Dunne, James Ferlez, Sam Huang, Michael Lam, Christoph
Schulze, Bhaskar Ramasubramanian, and Kent Wills. They have warmed up the
research atmosphere and provided insightful and enjoyable conversations.
I would like to thank my best friend: Craig Greenberg. He has provided me
guidance, advice, and support throughout the Ph.D. process. I have applied his
insights throughout the entire Ph.D. process and utilized his friendship to grow
as a person as well as a researcher. To say that he is a friend is an understatement;
to me, he is family.
I would like to thank my family. First, I would like to thank my father, Bill.
His insights on the working world, the research process, and presentations have
permeated throughout my research career, and I am also grateful for his moral
support. Next, I would like to thank my mother, Carol. Her gentleness and love
encouraged me to find hope even during hard points in the process, and her
constant moral support was essential for me to complete this task. Last, I would
like to thank my brother, Matthew. His technical insights were invaluable, as well
as his moral support; having a supportive family member who helped me grow
as a researcher and a person while growing with him made him an indispensable
ally throughout the Ph.D. process.
I would like to thank God; God has provided me with many blessings through-
out the Ph.D. process.




Dissertation Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Intended Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Acknowledgements vi
List of Figures xv
List of Tables xix
1 Introduction 1
1.1 The Choice of Timed Automata . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Improving Timed Automata Model Checking . . . . . . . . . . . . . 3
1.2.1 Aspect 1: Timed Automata . . . . . . . . . . . . . . . . . . . . 4
1.2.2 Aspect 2: Timed Logics . . . . . . . . . . . . . . . . . . . . . . 6
1.2.3 Aspect 3: Model Checker Output . . . . . . . . . . . . . . . . . 8
1.3 These Errors Don’t Happen in Practice...Do They? . . . . . . . . . . . 9
1.4 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2 Background and Related Work 11
2.1 Context: Logics and Model Checking . . . . . . . . . . . . . . . . . . 12
2.1.1 Logics and Models . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1.2 Model Checking . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1.3 Satisfiability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.1.4 Model Checking for Propositional Logic . . . . . . . . . . . . 13
Contents ix
2.2 Timed Automata: Baseline Definition . . . . . . . . . . . . . . . . . . 15
2.2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2.3 Timed Runs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.4 Urgent Locations . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3 Networks of Timed Automata: Parallel Composition . . . . . . . . . 24
2.4 Timelocks, Actionlocks and Zeno Executions . . . . . . . . . . . . . . 29
2.4.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.5 Bisimulation and Region Equivalence . . . . . . . . . . . . . . . . . . 32
2.5.1 Bisimulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.5.2 Region Equivalence . . . . . . . . . . . . . . . . . . . . . . . . 34
2.5.3 Region Equivalence is a Bisimulation . . . . . . . . . . . . . . 39
2.6 Untimed Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.6.1 Computation Tree Logic (CTL) . . . . . . . . . . . . . . . . . . 44
2.6.2 Untimed Modal Mu-Calculus . . . . . . . . . . . . . . . . . . . 47
2.7 Related Work I: Untimed Systems and Untimed Logics . . . . . . . . 50
2.7.1 Untimed Systems: Automata and Kripke Structures . . . . . . 50
2.7.2 Untimed Logics . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.8 Related Work II: Timed Systems . . . . . . . . . . . . . . . . . . . . . 52
2.8.1 Timed Automata Variants . . . . . . . . . . . . . . . . . . . . . 52
2.8.2 Other Real-Time Systems Models . . . . . . . . . . . . . . . . 54
2.8.3 Model-Checking Data Structures . . . . . . . . . . . . . . . . . 55
2.9 Related Work III: Timed Logics . . . . . . . . . . . . . . . . . . . . . . 56
2.9.1 Extensions of CTL and LTL . . . . . . . . . . . . . . . . . . . . 56
2.9.2 Extensions of the Modal Mu-Calculus . . . . . . . . . . . . . . 57
2.10 Related Work IV: Surveys, Uses, and Tools . . . . . . . . . . . . . . . 58
Contents x
2.10.1 Surveys, Books and Book Chapters . . . . . . . . . . . . . . . 58
2.10.2 Uses of Timed Automata . . . . . . . . . . . . . . . . . . . . . 59
2.10.3 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.11 Related Work V: Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.11.1 Untimed Systems with Temporal Logics . . . . . . . . . . . . 60
2.11.2 Work Involving Real-Time Systems . . . . . . . . . . . . . . . 61
3 Timed Automata: Definitions, Variants and Equivalences 63
3.1 Types of Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.1.1 Label-Preserving Isomorphism . . . . . . . . . . . . . . . . . . 64
3.1.2 Reachable Subsystem Isomorphism . . . . . . . . . . . . . . . 65
3.1.3 Non-Label-Preserving Isomorphism . . . . . . . . . . . . . . . 66
3.2 Variants and Conversions: An Overview . . . . . . . . . . . . . . . . 67
3.2.1 Variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.2.2 Establishing Equivalence . . . . . . . . . . . . . . . . . . . . . 70
3.2.3 Composition of Variant Conversions . . . . . . . . . . . . . . . 71
3.3 Timed Automata Equivalences: (Label-Preserving) Isomorphism . . 72
3.3.1 Disjunctive Guard Constraints . . . . . . . . . . . . . . . . . . 72
3.3.2 Timed Automata with Variables . . . . . . . . . . . . . . . . . 75
3.3.3 Guarded-Command Programs . . . . . . . . . . . . . . . . . . 85
3.4 Timed Automata Equivalences: Isomorphism of Reachable Subsys-
tems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.4.1 Unsatisfied Invariants . . . . . . . . . . . . . . . . . . . . . . . 91
3.4.2 Clock Difference Inequalities in Clock Constraints . . . . . . 109
3.5 Timed Automata Equivalences: Other Equivalences . . . . . . . . . . 117
3.5.1 Rational Clock Constraints . . . . . . . . . . . . . . . . . . . . 117
3.5.2 Clock Assignments . . . . . . . . . . . . . . . . . . . . . . . . . 123
Contents xi
3.6 Composition of Variant Conversions . . . . . . . . . . . . . . . . . . . 131
3.6.1 Extending the Conversion Functions . . . . . . . . . . . . . . . 132
3.6.2 Extended Functions Preserve Equivalence . . . . . . . . . . . 132
3.6.3 Composition Preserves Equivalences . . . . . . . . . . . . . . 134
3.6.4 Commutativity and Associativity of Semantics . . . . . . . . 136
3.6.5 Putting it All Together . . . . . . . . . . . . . . . . . . . . . . . 142
3.7 Summary of Established Equivalences . . . . . . . . . . . . . . . . . . 143
3.8 Dissertation Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 143
3.8.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
3.8.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4 Timed Logics and Expressivity Results 147
4.1 Timed Computation Tree Logic (TCTL) . . . . . . . . . . . . . . . . . 148
4.2 Timed Modal-Mu Calcului Lν,µ and Lrelν,µ . . . . . . . . . . . . . . . . . 151
4.2.1 Lrelν,µ Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . 151
4.2.2 Lrelν,µ Modal Equation Systems . . . . . . . . . . . . . . . . . . . 154
4.3 Timed Modal-Mu Calculus Tµ . . . . . . . . . . . . . . . . . . . . . . . 156
4.4 Region and Logical Equivalence . . . . . . . . . . . . . . . . . . . . . 157
4.5 Lrelν,µ is Region Equivalence Invariant . . . . . . . . . . . . . . . . . . . 159
4.6 Tµ ⊆T A Lrelν,µ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
4.7 TCTL ⊆T A Lrelν,µ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
4.7.1 Incorrect Attempts to Show TCTL ⊆T A Lrelν,µ . . . . . . . . . . 162
4.7.2 Converting Interval Timing Bounds . . . . . . . . . . . . . . . 166
4.7.3 Expressing TCTL in Lrelν,µ . . . . . . . . . . . . . . . . . . . . . . 167
4.7.4 Removing Timelock-free and Nonzeno Assumptions . . . . . 177
4.8 Lν,µ 6⊆T A TCTL and TCTL 6⊆T A Lν,µ . . . . . . . . . . . . . . . . . . . 178
4.8.1 Expressive power of fixpoints: Lν,µ 6⊆T A TCTL . . . . . . . . . 178
Contents xii
4.8.2 Necessity of Relativization for TCTL: TCTL 6⊆T A Lν,µ . . . . . 180
4.9 Proving Lν,µ 6=T A Lrelν,µ . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
4.9.1 Summary of Previous Work . . . . . . . . . . . . . . . . . . . . 181
4.9.2 Adaptation of Proof . . . . . . . . . . . . . . . . . . . . . . . . 183
4.10 Additional Expressivity Results . . . . . . . . . . . . . . . . . . . . . . 187
4.10.1 Set of Next States . . . . . . . . . . . . . . . . . . . . . . . . . . 187
4.10.2 Detecting and Bypassing Timelocks and Actionlocks . . . . . 189
4.11 Summary of Established Expressiveness Results . . . . . . . . . . . . 190
4.12 Dissertation Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 190
4.12.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
4.12.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
5 Model Checking Lrelν,µ with Predicate Equation Systems (PES) 193
5.1 Predicate Equation Systems . . . . . . . . . . . . . . . . . . . . . . . . 194
5.2 Model-Checking Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 194
5.2.1 PES Model Checking Algorithm . . . . . . . . . . . . . . . . . 195
5.2.2 Conversion to PES . . . . . . . . . . . . . . . . . . . . . . . . . 195
5.2.3 Timed Automata Model Checker: Adaptations from PES Tool 197
5.3 The Proof-Based Approach and Proof Rules . . . . . . . . . . . . . . 198
5.4 La fν,µ Proof Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
5.5 Extended Tool: Verifying Lrel,a fν,µ . . . . . . . . . . . . . . . . . . . . . . 204
5.5.1 New Lrel,a fν,µ Proof Rules . . . . . . . . . . . . . . . . . . . . . . 204
5.5.2 Performance Optimization: Derived Proof Rules . . . . . . . . 210
5.5.3 Optimizing ∨ . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
5.5.4 Optimizing ∀φ1(φ2) . . . . . . . . . . . . . . . . . . . . . . . . . 211
5.5.5 Optimizing the Handling of Invariants . . . . . . . . . . . . . 216
5.6 Additional Implementation Details . . . . . . . . . . . . . . . . . . . . 219
Contents xiii
5.6.1 Addressing Performance: Simpler PES Formulas . . . . . . . 220
5.6.2 Placeholder Implementation Complexities . . . . . . . . . . . 224
5.7 Clock Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
5.7.1 Clock Zone Operations . . . . . . . . . . . . . . . . . . . . . . 226
5.7.2 Clock Zone Operation Details . . . . . . . . . . . . . . . . . . 230
5.8 Clock Zone Implementations . . . . . . . . . . . . . . . . . . . . . . . 235
5.8.1 Difference Bound Matrix (DBM) . . . . . . . . . . . . . . . . . 235
5.8.2 Alternative Implementations, CRDZone and CRDArray . . . 236
5.9 Unions of Clock Zones and More Complex Data Structures . . . . . 238
5.10 Preliminary Evaluation I: Clock Zone Implementation Performance 239
5.10.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . . . 239
5.10.2 Experimental Data . . . . . . . . . . . . . . . . . . . . . . . . . 240
5.10.3 Histograms and Descriptive Statistics . . . . . . . . . . . . . . 241
5.10.4 Analysis of Results . . . . . . . . . . . . . . . . . . . . . . . . . 243
5.10.5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
5.11 Preliminary Evaluation II: PES Tool Implementation . . . . . . . . . . 249
5.11.1 Methods: Evaluation Design . . . . . . . . . . . . . . . . . . . 250
5.11.2 Data and Results . . . . . . . . . . . . . . . . . . . . . . . . . . 255
5.11.3 Analysis and Discussion . . . . . . . . . . . . . . . . . . . . . . 256
5.12 Dissertation Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 258
5.12.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
5.12.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
6 Timed Vacuity in Model Checking 261
6.1 Vacuity: Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
6.1.1 Vacuous Formulas . . . . . . . . . . . . . . . . . . . . . . . . . 262
6.1.2 Polarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Contents xiv
6.1.3 Mutual Vacuity . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
6.2 Vacuity and Untimed Temporal Logics . . . . . . . . . . . . . . . . . 267
6.3 Detecting Vacuity in Untimed Systems . . . . . . . . . . . . . . . . . 270
6.4 Vacuity and Proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
6.5 Timed Vacuity: Theoretical Results . . . . . . . . . . . . . . . . . . . . 275
6.5.1 Polarity of Lrelν,µ . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
6.5.2 Using the Proof Paradigm for Fast Vacuity Checking . . . . . 277
6.5.3 Using the Proof Paradigm for Additional Vacuity Checking . 279
6.6 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
6.6.1 Fast Vacuity: Finding Unneeded Subformulas Within One
Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
6.6.2 Complete Vacuity: Building and Searching the Tree of Proofs 282
6.6.3 Handling Placeholders and Splitting Rules . . . . . . . . . . . 284
6.7 Performance Evaluation: One-Proof Vacuity . . . . . . . . . . . . . . 285
6.7.1 Evaluation on PES Tool Implementation Examples . . . . . . 285
6.7.2 Evaluation on Additional Vacuity Examples . . . . . . . . . . 290
6.8 Dissertation Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 292
6.8.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
6.8.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
7 Conclusions and Future Work 295
7.1 Straightforward By Design . . . . . . . . . . . . . . . . . . . . . . . . . 296
7.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296




1.1 A timed automaton of the Alur-Dill model. . . . . . . . . . . . . . . . 5
2.1 Timed automaton TAGT, a model similar to the model of a train in
the generalized railroad crossing (GRC) protocol. . . . . . . . . . . . 18
2.2 Timed automaton with location 1 as urgent. Figure is used and
adapted from Fontana and Cleaveland [74] with permission. . . . . . 24
2.3 The model of the gate, timed automaton TAgate. Figure is used and
adapted from Fontana and Cleaveland [74] with permission. . . . . . 27
2.4 Timed automaton TAGT||TAgate. Dashed lines are used to represent
synchronous edges. Unreachable locations are not shown. Note that
the locations (2: in, 1: lower) and (3: out, 0: up), though shown, are
unreachable; all other shown locations are reachable. Figure is used
and adapted from Fontana and Cleaveland [74] with permission. . . 28
2.5 The set of equivalent regions for two clocks x1, x2 ∈ CX where
c(x1) = 2 and c(x2) = 1. There are 8 area regions, 6 point regions,
and 14 line regions, totaling 28 clock regions. . . . . . . . . . . . . . . 35
2.6 The set of equivalent regions for two clocks x1, x2 ∈ CX where
c(x1) = 3 and c(x2) = 2. There are 60 clock regions. . . . . . . . . . . 36
3.1 Timed automaton with variables TAV1 with variable p1. Figure is
used and adapted from Fontana and Cleaveland [74] with permission. 79
3.2 Timed automaton TA(TAV1). Only locations reachable from the ini-
tial location are shown. Figure is used and adapted from Fontana
and Cleaveland [74] with permission. . . . . . . . . . . . . . . . . . . 82
List of Figures xvi
3.3 Timed automaton where the invariant is always initially unsatisfied
at location 1. Figure is used and adapted from Fontana and Cleave-
land [74] with permission. . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.4 Timed automaton from Figure 3.3 converted into our baseline for-
malism with urgent location 1u. Only locations with states reachable
from the initial state are shown. Figure is used and adapted from
Fontana and Cleaveland [74] with permission. . . . . . . . . . . . . . 101
3.5 Timed automaton TAd with clock difference constraint x1 − x2 < 3.
Figure is used and adapted from Fontana and Cleaveland [74] with
permission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.6 Diagonal-free timed automaton DF(TAd) equivalent to TAd. Figure
is used and adapted from Fontana and Cleaveland [74] with per-
mission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
3.7 Diagram illustrating preservation of bisimulation. The top bisimu-
lation can be obtained by following the other path using the bisim-
ulation between TA1 and TA2. Figure is used and adapted from
Fontana and Cleaveland [74] with permission. . . . . . . . . . . . . . 123
3.8 Timed automaton TA5 with clock assignments (top) and the timed
automaton ASN(TA5) after performing the conversion (bottom).
In ASN(TA5), only the states reachable from the initial state are
shown. Figure is used and adapted from Fontana and Cleaveland
[74] with permission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
List of Figures xvii
3.9 Timed automaton TA6 with clock assignments (left) and the timed
automaton ASN(TA6) after performing the conversion (right). In
ASN(TA6), only the states reachable from the initial state are shown.
Figure is used and adapted from Fontana and Cleaveland [74] with
permission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
4.1 Two path-prefix types satisfying TCTL formula E [[φ1]U [φ2]]. . . . . 150
4.2 Timed automaton with CX = {x1} and a coarse bisimulation. . . . . 159
4.3 Timed automata TA1 and TA2. . . . . . . . . . . . . . . . . . . . . . . 163
4.4 Timed automata TA3 and TA4. . . . . . . . . . . . . . . . . . . . . . . 165
4.5 Timed automaton TAtl with a timelock and zeno timed automaton
TAz with zeno timed runs. . . . . . . . . . . . . . . . . . . . . . . . . . 176
4.6 The left timed automaton with invariant x1 ≥ 0 does not allow time
to advance; the right timed automaton with invariant x1 ≥ 1 does. . 179
5.1 Proof rules (without placeholders) adapted for timed automata and
MES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
5.2 Proof rules (involving placeholders) adapted for timed automata
and MES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
5.3 A timed automaton of the Alur-Dill model. This is the same figure
as Figure 1.1 in Chapter 1. . . . . . . . . . . . . . . . . . . . . . . . . . 204
5.4 Proof Rules for ∨ and ∃φ1(φ2). . . . . . . . . . . . . . . . . . . . . . . 205
5.5 Derived proof rules for ∀φ1(φ2). . . . . . . . . . . . . . . . . . . . . . . 211
5.6 DBM: a matrix with constraint xi − xj ≤ uij in entry (i, j). . . . . . . 235
5.7 Histograms comparing the DBM − (minus) CRDZone time (s) (top)
and space (MB) (bottom) differences. . . . . . . . . . . . . . . . . . . 248
5.8 Histograms comparing the DBM− (minus) CRDArray time (s) (top)
and space (MB) (bottom) differences. . . . . . . . . . . . . . . . . . . 249
List of Figures xviii
5.9 Histograms comparing the CRDZone − (minus) CRDArray time (s)
(top) and space (MB) (bottom) differences. . . . . . . . . . . . . . . . 250
5.10 Histograms illustrating the DBM Time (s) (top) and Space (MB)
(bottom) distributions. . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
5.11 Figure comparing the PES tool time performance with UPPAAL
time performance. Points are colored by the specification category.
All timed out (TO) examples or examples that ran out of memory
(O/M) have their time set to 7200s, the value of the dashed lines. . . 259
6.1 Two models of a gate, TAdown and TAup, illustrate that some prop-
erties can be satisfied in different ways. . . . . . . . . . . . . . . . . . 263
6.2 Timed (or untimed) automaton illustrating that formula vacuity can
be subtle and complex. . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
6.3 Diagrams illustrating how to compute the sets of subformulas needed
for ∧ and ∨ branches of the proof-trees structure. . . . . . . . . . . . 284
6.4 Figure comparing the PES tool time performance with the PES tool
with vacuity time performance. Each example is a point, and the
line drawn is the y = x line, or the line where the performance of
the PES tool and the PVac tool are the same. . . . . . . . . . . . . . . 289
6.5 Timed (or untimed) automaton used as the model for VacuityTes-
tAXAF2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
xix
List of Tables
3.1 Summary of timed automata variants and their equivalences. . . . . 144
4.1 Summary of logical equivalences and expressiveness results. . . . . 191
5.1 Experiment Results—A Examples—Time (s): correct system, correct
specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
5.2 Experiment Results—A Examples—Space (MB): correct system, cor-
rect specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
5.3 Experiment Results—B Examples—Time (s): correct system, invalid
specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
5.4 Experiment Results—B Examples—Space (MB): correct system, in-
valid specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
5.5 Experiment Results—C Examples—Time (s): buggy system, correct
specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
5.6 Experiment Results—C Examples—Space (MB): buggy system, cor-
rect specification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
5.7 Descriptive Statistics for paired DBM − (minus) CRDZone exam-
ples, for time (s) and space (MB). . . . . . . . . . . . . . . . . . . . . . 246
5.8 Descriptive Statistics for paired DBM − (minus) CRDArray exam-
ples, for time (s) and space (MB). . . . . . . . . . . . . . . . . . . . . . 246
5.9 Descriptive Statistics for paired CRDZone − (minus) CRDArray ex-
amples, for time (s) and space (MB). . . . . . . . . . . . . . . . . . . . 247
5.10 Examples that UPPAAL does not support. All times are in seconds
(s). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
List of Tables xx
5.11 Time performance in seconds (s) on examples comparing PES and
UPPAAL (Table 1 of 2). . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
5.12 Time performance in seconds (s) on examples comparing PES and
UPPAAL (Table 2 of 2). . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
6.1 Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac). Times are reported in seconds (s).
(Table 1 of 2.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
6.2 Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac). Times are reported in seconds (s).
(Table 2 of 2.) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
6.3 Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac) on examples to illustrate vacuity.
Times are reported in seconds (s). Any example with a vacuous
subformula is in italics and marked with a ∗. . . . . . . . . . . . . . . 290




Timed automata are models of real-time systems; they are used to precisely de-
scribe a system’s behavior, so that desired properties of system executions may be
investigated. In many cases these properties may be checked automatically, and
these decidability results prompted a variety of groups to develop so-called model
checkers for classes of formulas and timed automata (see Section 2.10.3). How-
ever, the use of timed automata has developed faster than its foundational theory.
This creates some problems because the correctness of model checkers depend on
this theory and the correctness proofs it enables. Specifically, different variants of
timed automata are used in different sources. Some are equivalent; others are not.
Formalizing expressiveness of temporal logics, including timed modal mu-calculi
is not yet complete. By advancing the theory of timed automata further to closer
meet practice, we will be able to model systems more cleanly and model check
even more powerful properties. The thesis of my dissertation is this.
Theorem 1.0.1 (Thesis of dissertation). The theory of timed automata can be
unified, and a practical unified approach to timed-automata model checking
can be built around the paradigm of proof search.
1.1. The Choice of Timed Automata 2
1.1 The Choice of Timed Automata
In many cases, software designers wish to be able to establish that properties hold
over all executions of a program. For some classes of models, researchers have
developed algorithms for answering such verification questions. This is model
checking. In order to describe systems or programs, researchers abstract the pro-
gram as a model. In order to specify properties, researchers developed logics and
express properties as logical formulas supported by those logics. Tools are then
developed to verify these properties. In these instances, the user specifies a model,
and properties it wants the model to satisfy. By showing that the model does not
satisfy a desired property, the tool has identified an bug or error in the model.
Model checking started with finite automata as models and with various prop-
erties over untimed logics, such as Computation Tree Logic (CTL) (see Clarke et al.
[54]), which include safety (“always”) and liveness (“inevitable”) properties. While
the applicability of these models may be limited, their computational tractability
is highly desirable.
One useful extension to the original theory is to support real-time constraints,
both in the models and the specifications. One such way to model real-time con-
straints is with timed automata (see Alur and Dill [7]). Timed automata extend
finite state machines with clocks that model the passage of time.
Clocks in timed automata may be viewed as restricted stopwatches. The watches
all start at 0 and elapse time at the same rate. However, the watches are broken:
they cannot be stopped. One can only do two things with these watches: read the
current values on the stopwatches, or reset any number of the watches to 0. An
example is in Figure 1.1.
To support timing constraints in the specifications, the untimed logic CTL was
extended to Timed CTL (TCTL, see Alur et al. [9, 12]). (Other timed logics have also
1.2. Improving Timed Automata Model Checking 3
been considered.) While verifying TCTL properties over timed automata becomes
harder than verifying CTL properties over finite-state machines, model checking
TCTL properties is still decidable. While timed automata are less expressive than
other formalisms for real time, they afford enough capability to capture many
timed systems, and they are one of the most tractable models that supports real
time constraints. If one can specify a problem in terms of timed automata, one can
leverage these tools to verify desirable properties.
Remark 1.1.1 (Fixing the stopwatches). If one were to fix the stopwatches so that the
watches can stop, these automata are called stopwatch automata [89, 91]. While
some stopwatch automata can be converted to timed automata [91], some cannot.
This follows because reachability in stopwatch automata is undecidable [91].
1.2 Improving Timed Automata Model Checking
Timed automata model checking tool papers often have claims similar to the fol-
lowing:
“We implement a faster timed automata model checker.”
Given that model checking claims 100% correctness when it determines if a
program has a desired property, its correctness needs to be guaranteed. If these
components of the claim are in question, then it is not clear if this tool meets
the needs of the reader of the paper. Can that tool support one’s model? Can it
express the properties one wants? What information does one get from the model
checker?
For instance, if a tool supports a model of timed automata different than the
model defined in theory papers, it is not clear whether theoretical algorithms and
their correctness results can be applied. Additionally, because a property can be
1.2. Improving Timed Automata Model Checking 4
specified different ways with different logics, if a tool uses a different logic than
the logic used in theory papers, it may not be clear if the property given to the
tool is subtly different from the intended property written in another logic. These
consequences make it unclear if the tool is 100% correct. Also, when comparing
model checkers, a model checker being faster may not be relevant or comparable
if the model, the model checking output, or the information produced differs.
This dissertation examines three various aspects of timed automata model
checking: timed automata, timed logics, and model checker output. This disserta-
tion discusses each of these three aspects and improves the state of the art of each
of these three aspects.
1.2.1 Aspect 1: Timed Automata
The first aspect involves the theory of timed automata. In many timed automata
papers, the models considered differ subtly, but importantly, from each other.
Timed automata were first defined in Alur and Dill [6] (in that paper they
are called timed Büchi automata). This model is sometimes referred to as the
“Alur-Dill” model, referencing the authors of the paper. (Alur and Dill [6] is a
conference paper, and the updated journal paper is Alur and Dill [7], which also
updates material presented in Alur et al. [10]). We given an example of a timed
automaton defined in this model in Figure 1.1. This timed automaton is a model
of a train for the Generalized Railroad Crossing (GRC) protocol (see Alur et al.
[11], Heitmeyer and Lynch [84], Heitmeyer et al. [85]). The GRC protocol models
the situation where a train on a railroad is crossing a road that cars drive on. The
model has various trains that can cross the road, a gate, and a controller. When
a train approaches, the control tells the gate to lower, and when all trains leave,
the controller raises the gate. This models the interaction where the gate is down
when trains are crossing the road. Notice that this model has the three nodes 0: far,
1.2. Improving Timed Automata Model Checking 5











Figure 1.1: A timed automaton of the Alur-Dill model.
1: near, and 2: in like nodes in an untimed automaton, which represent when the
train is far away from the road, is approaching the road, and as in the segment of
the road. Additionally, the model has a clock x1 which advances continuously.
However, let us consider models used in various tools. While the model is still
considered a “timed automaton,” there are some striking differences:
• Use of variables: The Alur-Dill model uses locations and no variables, but
various tools often use variables and variable assignments.
• Clock assignments: In various tools, clocks are not just reset, they are as-
signed to the value of another clock.
• Invariant specification: Tools specify invariants for multiple locations at a
once.
• Initial states: Some tools allow additional initial states. Usually, clocks have
the initial value 0, but some tools allow the initial values of clocks to be
user-defined.
It is not obvious that the Alur-Dill model and the models used by the vari-
ous tools are “the same.” In fact, some of these modeling differences are equiva-
lent (syntactic sugar) but others are not. Some variants claimed as extensions are
equivalent and other variants claimed as equivalent may be extensions.
1.2. Improving Timed Automata Model Checking 6
In order to show that a tool does indeed model check timed automata, one
needs to show that the model supported by the tool is equivalent to or at least as
strong as the timed automata model defined in the literature. Furthermore, if the
model checker uses correctness results from the theory, then the theoretical model
needs to be at least as strong as the model used in the tool. If a model checker
verifies a slightly different model, it may not be wise to judge the tool as better
purely because it is faster.
We give formalizations for many of these variants used in the example above
as well as the formalizations of the equivalences in Chapter 3. We also give a
precise definition of equivalence. In some cases the equivalence is isomorphism
(see Definition 3.1.2); in other cases the equivalence is weaker, but at least as strong
as timed bisimulation [74].
1.2.2 Aspect 2: Timed Logics
The key question asked is: what properties can a tool model check? Different
tools use different logics to specify properties and can model check different frag-
ments of these logics. While this is usually specified in the work, theoretical results
equating expressive equivalence do not always exist. Different tools can check var-
ious properties:
• Some tools mention that they can check safety properties, liveness proper-
ties, or both without giving a logic. Examples include an unnamed tool in
Ehlers et al. [67].
• Other tools model check fragments of TCTL (Timed Computation Tree Logic,
see Section 4.1). Examples include UPPAAL [23] and REDLIB [157].
• Other tools model check the alternation-free fragment of the timed modal-
mu calculus (see Section 4.2). Examples include CMC [107] and CBWB-RT
1.2. Improving Timed Automata Model Checking 7
[73, 168].
Section 2.10.3 gives a complete list of tools referenced in this dissertation. With
these tools, we want to specify properties and determine properties of our model.
In order to express properties in a way that a computer can understand and reason
with, we use logics. These timed logics specify properties of timed automata. Some
of these timed logics are:
• TCTL (Timed Computation Tree Logic). This logic has been extensively stud-
ied and is a baseline logic for model checking real-time systems.
• The timed modal mu-calculus Tµ. This logic has been studied by Henzinger
et al. [87, 88] and contains extensive theoretical work, but some practical
work is missing. Specifically, there is no practical way of expressing an un-
bounded liveness property (it requires the user to guess a bound).
• The timed modal mu-calculus Lν,µ. The logic Lν,µ and its greatest fixpoint
fragment Lν have been defined, but limited expressiveness proofs were pro-
vided for those logics.
• The timed modal mu-calculus Lrelν,µ. This is an extension of Lν,µ that extends
the logic with relativized operators.
Given the ease for humans to write down desirable properties in TCTL, TCTL
is widely used. Although the logics Lν,µ and Lrelν,µ show promise by being able to
encode many properties and be model-checked reasonably efficiently, they lack
expressivity results. For instance, there is no formal proof published on how to
write a safety or liveness property (easily written in TCTL) in Lrelν,µ (some papers
have been published that claim to have tools that check these safety and liveness
properties). For instance, Lν,µ model checkers exist, (these include CMC [107] and
1.2. Improving Timed Automata Model Checking 8
CWB-RT [73, 168]) but what properties can they check? Can we write a safety
property? How about a TCTL property? What about Lrelν,µ?
This dissertation strengthens the connections between these logics compares
their expressiveness in Chapter 4.
1.2.3 Aspect 3: Model Checker Output
For the model checking problem, the typical timed automata model checker takes
in a timed automaton and a property, and gives a yes or no answer on whether
the timed automaton satisfies the property. However, sometimes we can get some
additional information from a model checker, such as:
• Counterexamples. In certain properties, such as safety properties, if the
model does not satisfy the property then the tool can sometimes give a trace
of the model that violates the property. This trace is sometimes called a
counterexample.
• Vacuous Satisfaction. Consider an if-then property. If the if-then property is
true because the if clause is always false, the property is vacuously satisfied
[20]. A model checker might be able to tell if a formula is satisfied vacuously
or satisfied non-vacuously.
When comparing model checkers, the information it outputs can enhance the
experience and make up for some delay in performance.
While many timed automata model checkers only give yes or no answers,
sometimes with counterexamples, our timed automata model checker also pro-
duces a proof of its answer. This proof contains useful information that can be
used to enrich the output that the model checker provides. With this proof, we
can extend the research in vacuity in untimed systems to timed systems, being the
first to understand vacuity on timed systems.
1.3. These Errors Don’t Happen in Practice...Do They? 9
We discuss how our model checker produces a proof in Chapter 5, and we
discuss how we leverage this proof to get additional information on vacuous sat-
isfaction in Chapter 6.
1.3 These Errors Don’t Happen in Practice...Do They?
In the previous sections this dissertation discusses how the theory may differ from
practice, suggesting that subtly inconsistencies in the theory can result in errors
in model checking tools, and that these errors may appear when the tool is used
in practice.
The first thought that may come to mind is “these errors don’t happen in
practice.” However, problems of this sort have occurred in practice. One influ-
ential example is due to the work of Bouyer [35, 36]. One notational variant of
a timed automaton used in tools is the allowing of clock constraints comparing
clock differences. When model checking was proven correct in Alur et al. [9, 12],
this version, the typical Alur-Dill version, did not allow clock differences. How-
ever, various tools used these clock differences. To insure that the model checking
tool terminated after a finite amount of time, it would use a widening algorithm.
Without clock differences in constraints, this widening algorithm is correct. While
assumed to be correct (and used in tools) for over 5 years, in Bouyer [35, 36] it was
proven to be incorrect when clock differences are allowed and the automaton had
4 or more clocks! As a result, model-checking tools used in practice did not have
the correctness assumed of a model checker.
Hence, a more powerful widening method had to be invented. Two such
methods (which are correct but much more complex) are in Bengtsson and Yi
[27], Bouyer et al. [43]. However, no theoretical work has yet been done on the ex-
pressive power of these two variants. The only theoretical work (which was done
1.4. Contributions 10
prior to this discovery) is a statement and conversion between these two vari-
ants without a good definition describing the kind of equivalence the conversion
provides. This statement and conversion was done in Bérard et al. [28].
1.4 Contributions
The contributions of my research in my dissertation are as follows.
• It provides equivalence conversions and proofs for many of the timed au-
tomata variants used throughout the literature (Chapter 3).
• It provides additional expressivity proofs for Lν,µ and Lrelν,µ, including expres-
sions for all TCTL formulas in Lrelν,µ (Chapter 4).
• It completes the implementation of the Predicate Equation System (PES)
model-checking engine for alternation-free Lν,µ formulas on timed automata,
started by Zhang [165], Zhang and Cleaveland [167], as well as extend the
implementation to model-check alternation-free Lrelν,µ formulas (Chapter 5).
• It extends the research of vacuity checking in the untimed setting to the
timed setting by leveraging proofs to detect vacuous subformulas as well as
enhances the model-checking tool to determine if any formula is vacuously
satisfied by the proof generated by the tool. (Chapter 6).
11
Chapter 2
Background and Related Work
This chapter both reviews relevant background knowledge for understanding this
proposal as well as discussing previous work and the framework it has estab-
lished. Review of background will discuss the model checking problem as well as
additional material providing context and a framework to build up, which sub-
sequent chapters of this proposal do. This framework includes the definition of
timed automata. After providing crucial definitions for understanding this work,
this dissertation continues by discussing previous work, providing citations to
references.
2.1. Context: Logics and Model Checking 12
2.1 Context: Logics and Model Checking
In this section we review the concept of model checking. For formal definitions
of these terms, see a logic book such as Enderton [70] or a model checking book
such as Baier and Katoen [17], Clarke et al. [55].
2.1.1 Logics and Models
To reason about objects, we use a logic, or a mathematical way to both write down
(express) properties and to reason about them. Different logics can represent dif-
ferent formulas, and different logics write them down differently. Each property
in a logic is a formula.
Furthermore, we wish to reason about objects. When reasoning about objects,
we will use a collection of objects or a collections of models, where each object is a
model. Often a model is an object, but in another sense it can be a particular world.
Definition 2.1.1 (M satisfies φ (M |= φ or M ∈ JφK)). Let M be a model from a
collection of models and φ be a formula in logic L. if M has property φ, we say that
M satisfies φ, notated as M |= φ. If M does not satisfy φ, that is notated as M 6|= φ.
For notational purposes, JφK = {M | M |= φ}; hence M |= φ iff M ∈ JφK. 
2.1.2 Model Checking
Now we can in broad terms define the model checking problem.
Definition 2.1.2 (Model checking problem). Given a model M and a property φ
specified in a logic L, the model checking problem is the following problem: does M
satisfy property φ (does M |= φ)? 
In this dissertation, a program is often abstracted to a model M. Using a spe-
2.1. Context: Logics and Model Checking 13
cific logic L, write properties down that we want M to have (or not have). By
solving the model-checking problem, we can determine if M has a desired prop-
erty. If we discover that M does not have a property we intended it to have, we
have identified an error, either in the encoding of M or the design of the original
program or system.
Depending on the collection of possible models for M and the logic L, the
difficulty of this problem varies. While in general it is undecidable [145], since
asking if a certain program can terminate is the undecidable Halting problem (see
Sipser [145]), it is decidable for certain collections of models and certain logics L
[55]. For more on the motivation and history of model checking, see Clarke [53].
2.1.3 Satisfiability
Definition 2.1.3 (The satisfiability property). Given a formula φ from a logic L
and a collection of models, the satisfiability problem is: does there exist a model M
such that M |= φ (also notated as is M ∈ JφK)? 
This problem is more difficult than the model checking problem, because we
have to determine if a model M exists, often having to find a model M that satisfies
φ, as well as verifying that M |= φ.
2.1.4 Model Checking for Propositional Logic
Let us consider a more familiar context: propositional logic.
Definition 2.1.4 (Propositional logic formula φ). Given a ground set of proposi-
tions P (containing propositions such as p and q), a propositional logic formula φ is
2.1. Context: Logics and Model Checking 14
constructed as follows:
φ ::= p | ¬φ | φ ∧ φ

These operators are ¬ (not) and ∧ (and). Propositional logic also has the
derived operators φ1 ∨ φ2 ≡ ¬(¬φ1 ∧ ¬φ2) (or) and φ1 → φ2 ≡ (¬φ1) ∨ φ2
(if...then). A proposition can be assigned either true (tt) or false (ff), and φ1 ∧ φ2
is true if and only if both φ1 and φ2 are true. The definition of its semantics are
omitted. For a more formal definition of propositional (also called sentential) logic,
see Enderton [70] or Epp [71].
Given a set of propositions, a model M is an assignment of tt or ff to each
proposition p ∈ P. We assume that P contains at least each proposition that ap-
pears in φ.
The model checking problem is the following question: given a propositional
logic formula φ and an assignment of truths to a set of atomic propositions P,
does M |= φ, or is the formula φ, after assigning the values of each proposition,
true? This problem can be solved in polynomial time by substituting the truths of
the propositions into φ and then evaluating φ.
The satisfiability problem is given a propositional logic formula φ, does there
exist an assignment of true and false to all the atomic propositions in φ such that
φ is true? This is one of the well-known NP-complete problems. See Cormen et al.
[58], Sipser [145].
2.2. Timed Automata: Baseline Definition 15
2.2 Timed Automata: Baseline Definition
Throughout this dissertation, we use a timed automaton as our model, and the
collection of models is the collection of all possible timed automata. We define
this baseline timed automaton, giving its syntax and its semantics. This model is
referred to the Alur-Dill model, and is based on the model in the paper by Alur
and Dill [7] as well as the papers Alur [4, 5], Alur et al. [9, 12]. We use this version
as the baseline version due to its clean modeling representation and its use in
theoretical papers.
2.2.1 Syntax
Timed automata involve clocks. Also, timed automata will use clock constraints
to reason with these clocks.
Definition 2.2.1 (Clock constraint φ ∈ Φ(CX)). Given a nonempty finite set of
clocks CX (often CX = {x1, x2, . . . , xn}) and c ∈ Z≥0 (a non-negative integer), a
clock constraint φ may be constructed constructed using the following grammar:
φ ::= xi < c | xi ≤ c | xi > c | xi ≥ c | φ ∧ φ
Φ(CX) is the set of all possible clock constraints over CX. We also use the follow-
ing abbreviations: true (tt) for x1 ≥ 0, false (ff) for x1 < 0,and xi = c as xi ≤ c
and xi ≥ c. 
With the definition of clock constraints, we now provide the syntax for a timed
automaton.
Definition 2.2.2 (Timed automaton). A timed automaton TA = (L, L0, Lu, Σ, CX, I, E)
2.2. Timed Automata: Baseline Definition 16
is a tuple where:
• L is the finite set of locations (nodes).
• L0 ⊆ L is the nonempty set of initial locations.
• Lu ⊆ L is the set of urgent locations.
• Σ is the finite set of action symbols.
• CX is the nonempty finite set of clocks. (In this dissertation, often CX =
{x1, x2, . . . , xn}.)
• I : L −→ Φ(CX) gives a clock constraint for each location l. I(l) is referred
to as the invariant of l.
• E ⊆ L× Σ×Φ(CX)× 2CX × L is the set of edges. In an edge e = (l, a, φ, λ, l′)
from l to l′ with action a, φ ∈ Φ(CX) is the guard of e, and λ ∈ 2CX represents
the set of clocks to reset to 0.
When considering the satisfaction of logical formula, we will assume that L0
is at most one location. We will refer to this initial location as l0. Additionally,
when convenient, we will augment a timed automaton with a set of atomic propo-
sitions AP and a labeling function Lab : L −→ 2AP where Lab(l) gives the subset
of atomic propositions that location l satisfies. While one can often represent an
atomic proposition p by p = {l | p ∈ Lab(l)}, the notation of AP and Lab will
prove useful when comparing two timed automata to each other. 
A timed automaton has a set of locations, some of which are urgent, and some
of which (usually just one) are initial. The invariant of each location describes the
constraints on the clocks that must be satisfied in order to remain in that location.
For each edge e = (l, a, φ, λ, l′), whenever the guard φ is true, an execution can
2.2. Timed Automata: Baseline Definition 17
transition from location l to location l′ with action symbol a. During this transition,
all the clocks in λ are reset to 0. Urgent locations are locations where time is not
allowed to advance, not even for 0 time units.
Example 2.2.1 (Example of a timed automaton). Consider the timed automaton
in Figure 2.1, which is similar to a model of a train in the generalized railroad
crossing (GRC) protocol [85].
There are four locations: 0: far (initial location), 1: near, 2: in and 3: out, with
one clock x1, initial location 0: far and urgent location 3: out. There are the ac-
tions approach, enter, exit, and return in Σ. Here, location 1 has the invariant
x1 ≤ 4 while location 0 has the vacuous invariant tt. The edge (1: near, in, x1 =
4, {x1}, 2: in) has the guard x1 = 4 and resets x1 to 0.
Written out formally, this timed automaton TAGT is:
• L = {0: far, 1: near, 2: in, 3: out}
• L0 = {0: far}
• Lu = {3: out}
• Σ = {approach, enter, exit, return}
• CX = {x1}
• I : L −→ Φ(CX) is the function where I(0: far) = tt, I(1: near) = x1 ≤ 4,
I(2: in) = x1 ≤ 15 and I(3: out) = tt
• E = {(0: far, approach, tt, {x1}, 1: near), (1: near, enter, x1 = 4, {x1}, 2: in),
(2: in, exit, x1 ≥ 1, ∅, 3: out), (3: out, return, tt, ∅, 0: far)}
In figures, any location without an invariant has the default invariant of true
(tt) and any edge without a guard has the default guard of tt. 
2.2. Timed Automata: Baseline Definition 18











Figure 2.1: Timed automaton TAGT, a model similar to the model of a train in the
generalized railroad crossing (GRC) protocol.
2.2.2 Semantics
We represent the semantics of a timed automaton as a transition system. We do
this by using valuations to give real values to the clocks and by augmenting loca-
tions with these valuations.
Definition 2.2.3 (Clock valuation ν ∈ V). Given a finite set of clocks CX, a clock
valuation or clock interpretation ν is a function ν : CX −→ R≥0 where ν(x) is the
current time value of clock x. A valuation is an assignment of a time (or time
value) to each clock in CX. VCX is the set of all valuations over clocks CX. When
clear from context, the CX is omitted and the set of valuations is notated as V .
• Let ν[Y := c] denote the assignment of time c to all the clocks in Y ⊆ CX in
the valuation ν (all other clocks’ values are unchanged). Formally,
(ν[Y := c])(x) =

ν(x) x 6∈ Y
c x ∈ Y
(2.1)
Note that ν[Y := 0] assigns 0 to every clock in Y in ν, leaving all other clocks’
values unchanged.
• Let ν + δ denote an increment to all clocks in the valuation ν by an amount
2.2. Timed Automata: Baseline Definition 19
of δ, where δ ∈ R≥0. Formally,
(ν + δ)(x) = ν(x) + δ for all x ∈ CX. (2.2)
• Let [CX := 0] denote the assignment of 0 to each clock.

With valuations, we now can define whether a valuation of clocks satisfies a
clock constraint.
Definition 2.2.4 (Valuation satisfying a clock constraint (ν |= φ)). A valuation ν
satisfies a clock constraint φ (ν |= φ), iff for each inequality in φ, where xi, xj ∈ CX:
• ν |= xi < c if and only if ν(xi) < c
• ν |= xi ≤ c if and only if ν(xi) ≤ c
• ν |= xi > c if and only if ν(xi) > c
• ν |= xi ≥ c if and only if ν(xi) ≥ c
• ν |= φ1 ∧ φ2 if and only if ν |= φ1 and ν |= φ2

When modeling timed automata, we make the transitions explicit and define
the semantics of a timed automaton by describing it as an infinite (timed) transi-
tion system, or automaton. The definition of a transition system is below.
Definition 2.2.5 (Transition system TS = (Q, Q0, Σ,−→)). A transition system TS =
(Q, Q0, Σ,−→) is a tuple where:
2.2. Timed Automata: Baseline Definition 20
• Q is the set of states.
• Q0 ⊆ Q is the set of initial states.
• Σ is the set of actions, labels or action symbols.
• −→ ⊆ Q× Σ× Q is the transition relation (need not be a function) that if
(q, a, q′) ∈ →, then the TS can transition from state q to state q′ on label a.
Here q a−→ q′ is a notation for (q, a, q′) ∈ −→. A transition system is also
called a labeled transition system (LTS) or concrete transition system (CTS). Ad-
ditionally, when convenient, we will augment a timed automaton with a set
of atomic propositions AP and a labeling function Lab : Q −→ 2AP where Lab(q)
gives the subset of atomic propositions that state q satisfies.

Now using the above definition, we give the semantics of a timed automaton
by associating an infinite transition system to a timed automaton.
Definition 2.2.6 (Semantics of a timed automaton TS(TA)). The semantics of a
timed automaton TA = (L, L0, Lu, ΣTA, CX, I, E) is a transition system TS(TA) =
(Q, Q0, Σ,−→) given as follows:
• Q = L× V , where q = (l, ν) is a state.
• Q0 = L0 × [CX := 0] (all clocks are initially 0).
• Σ = R≥0 ∪ ΣTA.
• −→ ⊆ Q× Σ×Q is defined as follows:
Time advancement: (l, ν) δ−→ (l, ν + δ) if
l ∈ L, l 6∈ Lu and δ ∈ R≥0 and ∀t ∈ R≥0, 0 ≤ t ≤ δ : ν + t |= I(l).
2.2. Timed Automata: Baseline Definition 21
Action execution: (l, ν) a−→ (l′, ν[λ := 0]) if
∃φ such that (l, a, φ, λ, l′) ∈ E, ν |= φ and ν[λ := 0] |= I(l′).
We may sometimes refer to this transition system as the timed transition system
(as Bouyer and Laroussinie [38] also does) or concrete transition system for the timed
automaton TA. If we consider timed automata augmented with a set of atomic
propositions AP and a labeling function Lab, the timed transition system has the
same set of atomic propositions and the labeling function Lab, where Lab(l, ν) =
Lab(l). 
In the above definition, there are two kinds of transitions. The first kind, time
advancement, models the transitions where time advances (elapses) in a single
location. The second kind, action execution, models the transitions where edges
in the timed automaton are taken.
The semantics give a conversion from a timed automaton to an infinite transition
system, both with an infinite number of states and an infinite number of action
symbols. The transition relation −→ encompasses time advances and action ex-
ecutions, where each state is a (location, valuation) pair. This definition specifies
the clocks to all be 0 initially.
Remark 2.2.1 (Time advances of 0 units). In the semantics of timed automata (Def-
inition 2.2.6), all non-urgent locations have a time advance of 0 units, assuming
that the invariant is true. Although no time advances, the modeling allows tran-
sitions of 0−→. This feature is present in all sources we consulted, including Alur
[5], Baier and Katoen [17], Clarke et al. [55], Wang et al. [161]. Note that for many
timed temporal formulas (such as TCTL formulas), any execution that takes a 0
time advance is equivalent to the same execution without the 0 time advance. This
is not the case though for all formulas in a timed modal-mu calculus of Laroussinie
2.2. Timed Automata: Baseline Definition 22
et al. [108], Sokolsky and Smolka [147], Zhang and Cleaveland [168]. For example,
if we ask the formula “there exists a time advances where afterwards x1 = 0”,
assuming x1 is initially 0 is only true if we allow time advances of 0 time units.
Timed automata can also be composed in parallel (||), much like transition
systems. Parallel composition is defined for timed automata so that for two timed
automata TA1 and TA2, TS(TA1||TA2) = TS(TA1)||TS(TA2). See Section 2.3 for a
definition of parallel composition.
Example 2.2.2 (Example 2.2.1 continued). Again consider the timed automaton in
Figure 2.1. With this timed automaton, one sequence of transitions is the sequence
(0: far, x1 = 0)
1.2−→ (0: far, x1 = 1.2)
approach−→ (1: near, x1 = 0) 4−→
(1: near, x1 = 4)
enter−→ (2: in, x1 = 0) 5.713−→ (2: in, x1 = 5.713) exit−→
(3: out, x1 = 5.713)
return−→ (0: far, x1 = 5.713).
Notice that when elapsing 4 time units in the location 1:near that the invariant
of location 1 is always true. Also, when x1 = 4, we can execute the action in be-
cause the guard of the outgoing edge from location 1 is satisfied. Since location 3 is
urgent, time cannot advance and the action return must be immediately executed.

2.2.3 Timed Runs
We formally define an execution of a timed automaton (useful when discussing
timed logics in Chapter 4). An execution will often be called a timed run or a run
of the timed automaton.
Definition 2.2.7 (Timed execution (run) πtr). A timed execution (run) πtr is a finite
2.2. Timed Automata: Baseline Definition 23
or infinite sequence of transitions q0
σ−→ q1 σ−→ q2 . . . (ending at qn if finite) where
qi = (li, νi) is a state, σ ∈ Σ∪R≥0 and for all i ≥ 0, qi σ−→ qi+1 is a valid transition.
We will time-stamp each position qi with a time ti. We set t0 = 0, ti+1 = ti + δ
if δ ∈ R≥0 and qi δ−→ qi+1, and ti+1 = ti otherwise. If qn is the last state in the run,
then for convenience tn+1 = tn.
A timed run πtr is time-divergent if and only if for every time t ∈ R≥0 there
exists a position i such that ti ≥ t. 
We use this definition of timed run as opposed to a time-abstract run where
qi
δ−→ a−→ qi+1 so we have an explicit list of the time advance transitions taken.
This contrasts with the definition of timed runs in Baier and Katoen [17] which
defines a timed run as a sequence of δ−→ a−→ transition sequences. The former
definition is used because in our semantic framework, 2−→6= 1−→ 1−→ in some cir-
cumstances.
2.2.4 Urgent Locations
Some sources including Behrmann et al. [23], Dong et al. [65], Olderog and Dierks
[131] find it convenient to allow urgent locations in timed automata. In such loca-
tions, time is not allowed to advance (hence, only non-urgent locations allow time
advance transitions in Definition 2.2.6). UPPAAL [23] supports the implementa-
tion of urgent locations. Note that we can give an urgent location an invariant,
since the invariant would then prevent action transitions into that location.
Example 2.2.3. Consider the timed automaton in Figure 2.2 where location 1 is an
urgent location. When any execution enters location 1, because location 1 is urgent,
time cannot advance and the edge going to location 2 must be taken immediately.

2.3. Networks of Timed Automata: Parallel Composition 24











Figure 2.2: Timed automaton with location 1 as urgent. Figure is used and adapted
from Fontana and Cleaveland [74] with permission.
Remark 2.2.2 (Why urgent locations?). We can get rid of most of the urgency by
following the idea in Behrmann et al. [23], as follows:
1. Add an extra clock xu. This clock can be used for all urgent locations.
2. Give all urgent locations the invariant xu = 0.
3. Reset xu on all incoming edges to each urgent location lu.
4. Then make each urgent location non-urgent.
This is almost equivalent, but allows time advances of 0 time units. To get the
power of having unsatisfied invariants being urgent locations, we must use urgent
locations to prevent time advances of 0 time units. Though seemingly insignificant,
these time advances influence formulas written in the timed modal-mu calculus
of Laroussinie et al. [108], Sokolsky and Smolka [147]. See Remark 2.2.1.
2.3 Networks of Timed Automata: Parallel Composition
Much like transition systems, timed automata can be composed in parallel (||).
This operator allows one to build networks of timed automata consisting of the
2.3. Networks of Timed Automata: Parallel Composition 25
parallel composition of the timed automata. Here we formalize a variant of paral-
lel composition allowing both asynchronous actions and synchronization on com-
mon actions.
Definition 2.3.1 (Parallel composition TA1||TA2). Consider two timed automata
TA1 = (L1, L0,1, Lu,1, Σ1, CX1, I1, E1) and TA2 = (L2, L0,2, Lu,2, Σ2, CX2, I2, E2) where
L1 ∩ L2 = ∅ and CX1 ∩ CX2 = ∅. The parallel (or product) composition automaton,
denoted TA1||TA2, is TA1||TA2 = (L, L0, Σ, CX, I, E) where:
• L = L1 × L2
• L0 = L0,1 × L02
• Lu = (Lu,1 × L2) ∪ (L1 × L2,u)
• Σ = Σ1 ∪ Σ2
• CX = CX1 ∪ CX2
• I : L −→ Φ(CX) is defined as: for any l ∈ L where l = (l1, l2),
I(l) = I1(l1) ∧ I2(l2).
• E ⊆ L× Σ×Φ(CX)× CX× L is defined as E = Ea1 ∪ Ea2 ∪ Es where:
Asynchronous edges for TA1 (Ea1): Ea1 = {((l1, l2), a, φ1, λ1, (l′1, l2) |
a ∈ Σ1 − Σ2 ∧ (l1, a, φ1, λ1, l′1) ∈ E1}
Asynchronous edges for TA2 (Ea2): Ea2 = {((l1, l2), a, φ2, λ2, (l1, l′2) |
a ∈ Σ2 − Σ1 ∧ (l2, a, φ2, λ2, l′2) ∈ E2}
Synchronous edges (Es): Es = {((l1, l2), a, φ1 ∧ φ2, λ1 ∪ λ2, (l′1, l′2) |
(l1, a, φ1, λ1, l′1) ∈ E1 ∧ (l2, a, φ2, λ2, l′2) ∈ E2}

2.3. Networks of Timed Automata: Parallel Composition 26
Whenever two automata both have an action symbol a, they synchronize on a
and produce an action a. An action symbol in one automaton but not the other
happens asynchronously. Since TA1||TA2 is itself a timed automaton, it may be
composed with other timed automata as well. By repeatedly taking compositions,
and compositions of compositions, etc., any finite number of timed automata may
be integrated into a single timed automaton reflecting the parallel execution of the
individual automata.
Another common variant of parallel composition assumes that actions are di-
vided into inputs (?a) and outputs (!a), with inputs and outputs on the same
channel (e.g. ?a and !a) synchronizing. These are called communicating timed au-
tomata. In communicating timed automata, Σ denotes the set of channels and each
channel a ∈ Σ has two complementary events: ?a and !a. In parallel composi-
tion, synchronization occurs when a ?a and a !a produce either a τ, an a, or an !a
(the action produced depends on the model). If there were no action labels, then
communicating timed automata would be isomorphic to timed automata. This
notation is used in some tools including UPPAAL [23] and CWB-RT [167], and in
many other sources [46, 47, 78, 115, 131, 158].
Example 2.3.1. Again consider timed automata TAGT in Figure 2.1 and the simpli-
fied model of a gate, TAgate, in Figure 2.3.
From the diagrams, CXGT = {x1}, and CXgate = {x2}, which are disjoint sets.
Also, ΣGT = {approach, enter, exit, return} and Σgate = {approach, low, exit, high}.
Hence, the action events that are synchronized on are approach and exit.
The parallel composition, TAGT||TAgate, is given in Figure 2.4. Because the
train location 3: out is urgent, time cannot advance until the composed automaton
leaves that location. Furthermore, the gate requires 2 time units to raise the gate,
and x2 is reset to 0 when entering location (3: out, 3: raise). As a consequence,
2.3. Networks of Timed Automata: Parallel Composition 27













Figure 2.3: The model of the gate, timed automaton TAgate. Figure is used and
adapted from Fontana and Cleaveland [74] with permission.
the component location (3: out, 0: up) is not reachable. Notice that given the time
constraints of the automaton, component location (2: in, 1: lower) is also not reach-
able. This is because the transition to location (1: near, 1: lower) resets both x1 and
x2, forcing the value of x1 to be the same as the value for x2. Hence, when x1 = 4,
x2 = 4, making the invariant conjunct x2 ≤ 2 false. Therefore, that edge cannot be
taken. 
The following claim given in Olderog and Dierks [131] states that the semantics
of the composed system is equal (isomorphic) to the parallel composition of the
semantics (the transition systems).
Claim 2.3.1 (From Olderog and Dierks [131]). Let TA1 and TA2 be two timed
automata. Then
TS(TA1||TA2) = TS(TA1)||TS(TA2).
Although the notion of parallel composition considered in Olderog and Dierks
[131] is different than ours, their result can be adapted to our setting.
By definition, a network of timed automata formed by parallel composition is
2.3. Networks of Timed Automata: Parallel Composition 28

























Figure 2.4: Timed automaton TAGT||TAgate. Dashed lines are used to represent
synchronous edges. Unreachable locations are not shown. Note that the loca-
tions (2: in, 1: lower) and (3: out, 0: up), though shown, are unreachable; all other
shown locations are reachable. Figure is used and adapted from Fontana and
Cleaveland [74] with permission.
also a single (much larger) timed automaton. Because of this fact, all of our results
apply to timed automata formed via parallel composition. In addition, this parallel
composition notion can be adapted to the variants considered in this paper such
that we can convert the automata before or after composing them in parallel.
2.4. Timelocks, Actionlocks and Zeno Executions 29
2.4 Timelocks, Actionlocks and Zeno Executions
When modeling programs, an assumption is often made: the program runs for-
ever. If it is running, then after some number of actions, time is able to advance.
Also, actions take some small amount of time. While the time is assumed to be
negligible, this means that for a realistic execution, only a finite number of actions
should be executed in a finite amount of time.
However, timed automata have no such assumptions, and it is possible to
model a program that gets stuck at some point and cannot advance in time (the
program stops) as well as model a program that can execute an infinite number of
actions in a finite amount of time. For timed automata, these phenomenon come
up in three different ways: timelocks, actionlocks and zeno executions.
Often, we wish to only consider time-divergent executions in a timed automa-
ton, and we wish to avoid timelocks and zeno executions. While not as problem-
atic, we should be aware of executions where time diverges but cannot have any
more actions, called pure actionlocks. (In actionlocks that are not pure action-
locks, we can neither allow time to diverge or execute an action.) Since pure ac-
tionlocks can be states in time-divergent paths, we should check these paths with
pure actionlock states where time diverges but only a finite number of actions are
executed.
The goal is to use these definitions and then find ways to both detect these
as well as to bypass these unrealistic executions when model checking a timed
automaton.
2.4.1 Definitions
The definitions come from Bowman and Gómez [47] (which is a continuation of
the work in Bowman [46]) as well as from Baier and Katoen [17].
2.4. Timelocks, Actionlocks and Zeno Executions 30
Definition 2.4.1 (Time-convergent execution). A time-convergent execution is an ex-
ecution that only takes a finite amount of time. A time-convergent execution can
have an infinite number of time advances or an infinite number of actions. 
Note that time-convergent executions need not have a finite number of actions.
One such time-convergent execution is 1−→ 1/2−→ 1/4−→ . . ., since there are an infinite
number of time advances in this execution, but only 2 time units are elapsed.
Note that because 0-unit time advances are allowed, time-convergent paths with
an infinite number of 0−→ time advances exist.
Definition 2.4.2 (Time-divergent execution). A time-divergent execution is any exe-
cution where time goes to infinity (diverges). 
Hence, any execution that is not time-convergent is time-divergent and vice
versa.
Definition 2.4.3 (timelock). A state (l, ν) in a timed automaton is in a timelock iff
there is no time-divergent execution from that state. 
Timelocks often arise from mismatched synchronization or parallel composi-
tion of automata. See Bowman [46] or Bowman and Gómez [47] for an example.
Remember that any automata that share a symbol must synchronize to transition
with that symbol.
Definition 2.4.4 (Timelock-free). A timed automaton is timelock-free iff all states
reachable from the initial state do not have a timelock. 
Definition 2.4.5 (Zeno execution). An execution is a zeno execution iff it has an
infinite number of action transitions (events) in a finite amount of time. 
2.4. Timelocks, Actionlocks and Zeno Executions 31
Note that here a zeno execution is a time-convergent execution, but it is given
its own category. Likewise, executions involving timelocks are considered a sep-
arate category. We separate out these two kinds of executions because the other
time-convergent executions are easier to deal with.
Definition 2.4.6 (Nonzeno). A timed automaton is nonzeno if it has all states reach-
able from the initial state do not have a zeno execution. 
Definition 2.4.7 (Actionlock). A state (l, ν) in a timed automaton is an actionlock
if no action can be performed from that state or from any future time advance
from that state. A state is a pure actionlock if it is an actionlock but is not in a
timelock. 
Actionlocks are not considered to be as bad as timelocks because they do not
propagate globally when composed with other systems [47] as well as because
actionlocks where time can diverge still form time-divergent paths. This sort of
actionlock may be interpreted as a terminal state. Tripakis [150] refers to an ac-
tionlock as a deadlock, since a deadlock in the discrete sense is an actionlock in the
timed sense. In general, timelocks and actionlocks are seen as kinds of deadlocks,
or situations where certain progress cannot be made.
One can go further to classify timelocks and actionlocks as a pure actionlock
(time can diverge but no action may be taken), a zeno timelock (time cannot diverge
but an infinite number of actions can happen, so only zeno executions can happen)
and an action timelock (time cannot diverge and no action can be perform), as is
done in Bowman and Gómez [47]. Note that there can be zeno runs even in states
that are not timelocked. For more information on timelocks, actionlocks and zeno
runs, see Baier and Katoen [17], Bowman [46], Bowman and Gómez [47].
2.5. Bisimulation and Region Equivalence 32
2.5 Bisimulation and Region Equivalence
We discuss two kinds of equivalences that are foundational to timed automata:
bisimulation and region equivalence. Region equivalence is the relation that allows
one to represent the semantics of a timed automaton as a finite transition system.
When constructing the equivalences, a foundational goal is to determine reach-
ability of states. By constructing equivalence relations, we can evaluate reachabil-
ity over a smaller representation of the timed automata.
2.5.1 Bisimulation
For two transition systems we can define bisimulation [124] as follows.
Definition 2.5.1 (Bisimilarity ∼). Let TS1 = (Q1, Q01 , Σ1,−→1) and
TS2 = (Q, Q02 , Σ2,−→2) be two transition systems with Σ1 = Σ2. A bisimulation R
is a relation on Q1 ×Q2, such that for q1 ∈ Q1 and q2 ∈ Q2, q1Rq2 implies:
1. ∀q′1 ∈ Q1, q1
a−→1 q′1 : ∃q′2 ∈ Q2 : q2
a−→2 q′2 ∧ q′1Rq′2, and
2. ∀q′2 ∈ Q2, q2
a−→2 q′2 : ∃q′1 ∈ Q1 : q1
a−→1 q′1 ∧ q′1Rq′2.
If only condition 1) holds, then we say that the relation is a simulation.
We say that TS1 is bisimilar to TS2, (TS1 ∼ TS2) if and only if there is a bisim-
ulation R between TS1 and TS2 with the following additional properties:
1. ∀q1 ∈ Q01 : ∃q2 ∈ Q02 : q1Rq2, and
2. ∀q2 ∈ Q02 : ∃q1 ∈ Q01 : q1Rq2.
It can be shown that bisimilarity on transition systems is an equivalence rela-
tion. 
We mention bisimulation because it has desirable properties, including:
2.5. Bisimulation and Region Equivalence 33
1. Bisimulation implies language equivalence. This means that two bisimilar
(timed) automata accept the same set of (timed) languages. Timed languages
are outside the scope of this dissertation and are discussed in Alur and Dill
[7].
2. We can use bisimulation to simplify reachability checking. Since the bisimu-
lation relation R is an equivalence relation, we can partition states into their
equivalence classes with respect to R. Reachability over these equivalence
classes is preserved: states in the same equivalence class can reach states in
the same equivalence classes.
3. Many (timed) logics, including TCTL are bisimulation invariant; this means
that two bisimilar (timed) automata satisfy the exact same formulas in such
a (timed) logic.
Following Larsen and Wang [111], Tripakis and Yovine [152], we extend the
notion of bisimulation to timed automata.
Definition 2.5.2 (Bisimulation for timed automata (∼)). Let TA1 and TA2 be
timed automata. TA1 ∼ TA2 if and only if TS(TA1) ∼ TS(TA2). 
One notion for weaker equivalences involves the abstracting of time. Here the
amount of time advanced is abstracted away. In these time-abstract transitions:
q a=⇒ q′ if and only if ∃q′′ ∈ Q, δ ∈ R≥0 : q δ−→ q′′ a−→ q′. (2.3)
Using this notion, one can convert the transition system of a timed automaton
into a time-abstract transition system and can weaken bisimulation to time-abstract
bisimulation. The notion of a time-abstract transition is described in Alur [5], Larsen
and Wang [111], Tasiran et al. [149] and the notion of time-abstract bisimulation
2.5. Bisimulation and Region Equivalence 34
is described in Alur [5], Larsen and Yi [110], Larsen and Wang [111], Tasiran et al.
[149], Tripakis and Yovine [152].
2.5.2 Region Equivalence
When defining region equivalence, we follow the definitions in Alur [5].
Definition 2.5.3 (Region equivalence relation ≈c). Given a function c : CX −→N
where c(x) denotes the largest constant used for clock x, then the region equivalence
relation ≈c⊆ V × V is defined such that ν1 ≈c ν2 if and only if all of the following
hold:
1. For all x ∈ CX, either bν1(x)c = bν2(x)c or ν1(x), ν2(x) > c(x).
2. For all x, y ∈ CX with ν1(x) ≤ c(x), ν1(y) ≤ c(y), f r(ν1(x)) ≤ f r(ν1(y)) ↔
f r(ν2(x)) ≤ f r(ν2(y))
3. For all x ∈ CX with ν1(x) ≤ c(x), f r(ν1(x)) = 0↔ f r(ν2(x)) = 0
For any valuation ν, we let [ν]≈c denote the equivalence class of states that ν is
in considering the equivalence relation ≈c.
For any number n, f r(n) = n− bnc, denotes the fractional value of n. 
Applying the axioms in the above definition, if we consider clocks x, y ∈ CX
with ν1(x) ≤ c(x), ν1(y) ≤ c(y), f r(ν1(x)) = f r(ν1(y)) ↔ f r(ν2(x)) = f r(ν2(y)).
This follows from plugging in f r(ν1(x)) ≤ f r(ν1(y)) and f r(ν1(y)) ≤ f r(ν1(x)).
Sometimes, rather than having a maximum constant function c, one will have
a maximum constant, maxc, where maxc is the maximum of the constants for each
clock. Formally, maxc = max{(c(x) | x ∈ CX}.
We illustrate clock regions with two examples.
2.5. Bisimulation and Region Equivalence 35












Figure 2.5: The set of equivalent regions for two clocks x1, x2 ∈ CX where c(x1) =
2 and c(x2) = 1. There are 8 area regions, 6 point regions, and 14 line regions,
totaling 28 clock regions.
Example 2.5.1. If we have two, clocks, it splits the sets of clocks into regions as
shown in Figure 2.5, which is based off of the similar figure in Alur [5]. In the
figure c(x1) = 2 and c(x2) = 1.
The regions are the following shapes/areas (a similar example is presented in
Baier and Katoen [17]):
• The 6 corner points (such as the value (x1 = 2, x2 = 1)).
• The 9 open line segments that form the edges of the triangles but do not
contain the corner points.
• The 5 rays (such as the ray (x1 = 2, x2 > 1) that do not contain the corner
points.
• The 4 triangular areas, which do not include the boundaries.
• The 4 half-rectangular areas, which do not include the boundaries.
Thus forming a total of 28 clock regions. 
Example 2.5.2. If c(x1) = 3 and c(x2) = 2, we get a total of 60 clock regions. There
2.5. Bisimulation and Region Equivalence 36












Figure 2.6: The set of equivalent regions for two clocks x1, x2 ∈ CX where c(x1) =
3 and c(x2) = 2. There are 60 clock regions.
are 18 area regions, 12 point regions and 30 line regions, totaling 60 clock regions.
These clock regions are shown in Figure 2.6. 
This region equivalence results in a finite number of regions. This follows from
a claim in given in Alur [5] that bounds the maximum number of regions.
Claim 2.5.1. Let |CX| = k. Then the number of regions is at most
k! ∗ 2k ∗ ∏
xi∈CX
(2c(xi) + 2).
Remark 2.5.1 (Region equivalence on timed automata with clock difference con-
straints.). In Section 3.4.2, we will introduce different timed automata variants.
One of them allows constraints to compare differences of clocks (xi − xj < c or
xi − xj ≤ c). In order to have a sound region equivalence when clock difference
constraints are allowed, a stronger region equivalence is needed. See Olderog and
Dierks [131] for the stronger region equivalence.
Definition 2.5.4 (Clock region). Let ν ∈ V and ≈c be a region equivalence relation.
Then r = [ν]≈c , the equivalence class of valuations equivalent to ν is called a clock
2.5. Bisimulation and Region Equivalence 37
region, and ν ∈ r. Let R denote the set of all clock regions. 
This groups all clock valuations into one region. We can then use each region
as the new clock component. Concerning regions, there are two other regions that
we are concerned about:
Definition 2.5.5 (Successor clock region). Let ν ∈ V and r = [ν]≈c denote the
clock region containing ν. Then the clock region r′ is the successor clock region of r
if and only if:
∀ν ∈ r : ∃δ ≥ 0 :
(




∀δ′, 0 ≤ δ′ ≤ δ : ν + δ ∈ (r ∪ r′)
)

Definition 2.5.6 (Boundary region). Let ν ∈ V . Then r = [ν]≈c is a boundary region
if and only if:
∀ν ∈ [ν]≈c : ∀δ > 0 : ν + δ 6∈ [ν]≈c

From this region equivalence of clock valuations, we can extend it to form re-
gion automata: the finite equivalent to timed automata base on the region equiva-
lence abstraction. In both cases, we work with the transition system representing
the semantics of the timed automaton. Note that a different function of maximum
constants for clocks will yield a slightly different region automaton.
Definition 2.5.7 (Region automaton Reg(TA)c). Given a timed automaton TA =
(L, L0, Lu, ΣTA, CX, I, E), its semantics TS(TA) = (Q, Q0, Σ,−→), and a region
2.5. Bisimulation and Region Equivalence 38
equivalence relation ≈c on valuations and a region equivalence relation ∼c on
states, the region automaton of the timed automaton,Reg(TA)c = (Q, Q0, Σ,→) is as
follows:
• Q = {(l, [ν]≈c) | (l, ν) ∈ Q and ν ∈ V} = L×R.
• Q0 = {(l0, [ν]≈c) | (l0, ν) ∈ Q0 and ν ∈ V} = L0 ×R
• Σ = ΣTA ∪ {δ}
• → ⊆ Q× Σ×Q is defined as follows:
(l, [ν]≈c)
δ−→ (l, [ν + δ]≈c) if
l ∈ L and if there is a d ∈ R≥0 and [ν + d]≈c is a successor clock region
of [ν]≈c
(time advancement to region successor).
(l, [ν]≈c)
a−→ (l′, [ν[λ := 0]]≈c) if and only if
∀ν ∈ [ν]≈c : ∃ν′ ∈ [ν[λ := 0]]≈c : (l, ν)
a−→ (l′, ν′)
(action or edge). (Here, a ∈ ΣTA)

In the region automaton, we represent a set of region-equivalent valuations.
From this definition, (l1, ν1) ∼c (l2, ν2) if and only if l1 = l2 and ν1 ≈c ν2.
Each state is a location coupled with a clock region, since all the possible
clock valuations have been compressed to the set of clock regions, and there is no
compressions of locations. We then allow an action transition if and only if it was
allowed in the Timed Kripke Structure, and we also allow a δ transition, which
represents a time advance from a region to its successor region.
2.5. Bisimulation and Region Equivalence 39
2.5.3 Region Equivalence is a Bisimulation
The power from region equivalence comes from the fact that region equivalence
is time-abstract bisimulation. We state the result as the following theorem and
present part of the proof omitting some details. The full proof is provided in
Clarke et al. [55].
Theorem 2.5.2 (Region equivalence is a time-abstract bisimulation). Let
TA = (L, L0, Lu, ΣTA, CX, I, E) be a timed automaton with its semantics as the
transition system TS(TA) = (Q, Q0, Σ,−→) and let c : CX −→N be the func-
tion giving maximum constants for each clock and ≈c be the region equiva-
lence relation. Then the relation ∼c ⊆ Q×Q where q = (l, ν), q′ = (l′, ν′) and
q ∼c q′ ⇔ (l = l′ ∧ ν ≈c ν′), is a time-abstract bisimulation.
To prove this theorem, we will break its proof up into the proofs of some
lemmas. We start with the hardest lemma: showing that we can always have a
time advance when needed.
Lemma 2.5.3 (Picking the proper time advance.). Let TA = (L, L0, Lu, ΣTA, CX, I, E)
be a timed automaton with its semantics as the transition system TS(TA) =
(Q, Q0, Σ,−→), c : CX −→ N be the function giving maximum constants for each
clock, ν1, ν2 ∈ V and ≈c be the region equivalence relation. Suppose ν1 ≈c ν2. Then
for every i ∈ R≥0, there is a j ∈ R≥0 such that ν1 + i ≈c ν2 + j.
This lemma is the heart of region equivalence. This lemma states that for every
time advance made by a state, there is an equivalent (though possibly a different
amount of time) time advance that every region-equivalent state can take to reach
a state region-equivalent to the new state.
2.5. Bisimulation and Region Equivalence 40
Proof of Lemma 2.5.3. We first sketch the proof, and then provide more of the
details required to prove the lemma.
Proof sketch: It suffices to prove the result for 0 < i < 1 (where ν′1 = ν1 + i)
because for region equivalent valuations the integer part of the time advance is
matched by advancing the same amount of time for the second valuation. Next,
we sort clocks by their fractional orderings, creating a permutation of the clock
valuations. When ν1 advances i units, this time advance produces a new ordering
of valuations based on their fractional values (some fractions get smaller because
those clocks are one integer larger). We then choose a time advance j for ν2 to pro-
duce the same final fractional ordering of the clocks. The key idea is that adding a
fractional time is like applying a cycle on the fractions, so the fractional ordering
is cycled around. Thus, when a fraction i is advanced, pick a j that applies the
same cyclic shift.
More detailed proof: Let i ∈ R≥0 . Since for every clock x ∈ CX, if ν1(x) > c(x),
then ν1(x) + i ≥ c(x). Furthermore, by the premise premise ν1 ≈c ν2, ν2(x) > c.
As a result, we have that for every j ≥ 0, ν2(x) + j > c(x).
Because of this, we can now assume that the value of every x ∈ CX for each
valuation is at most c(x). Furthermore, since there is less to prove if adding time
to a clock causes the value for that clock x to exceed its maximum constraint c(x),
we will assume that all values for each clock x are still less than their maximum
constraints c(x) after the time advance.
There are the following cases on i:
Case 1: i ∈ Z
Then choose j = i. Assuming no value for a clock x exceeds its maximum c(x)
(we have less to prove if it does) because the integral parts matched before, the
2.5. Bisimulation and Region Equivalence 41
integral parts will still match.
Case 2: i /∈ Z, i > 1
This case reduces to Case 3, since in the worst case, no clock value for clock
x exceeds its maximum constraint c(x), and given that the integral parts of all
valuations match before, they will all still match if Case 3 is true when considering
f r(i) = i′ = i− bic. After obtaining the j from Case 3, the proper time advance for
ν2 is bic+ j.
Case 3: i /∈ Z, 0 < i < 1 Let |CX| = k.
Sort the clocks in non-decreasing order of their fractional values for both ν1
and ν2, using lexicographical ordering if two clocks have equal fractional values.
Without loss of generality, we will assume that the fractional values are origi-
nally in the order of the clock indicies. Hence,
f r(ν1(x1)) ≤ f r(ν1(x2)) ≤ . . . ≤ f r(ν1(xk))
Since ν1 ≈c ν2 and by the definition of region equivalence, it follows that
f r(ν2(x1)) ≤ f r(ν2(x2)) ≤ . . . ≤ f r(ν2(xk)),
meaning that the original fractional ordering is the same for ν2.
Now consider ν1 + i. By the property of addition, this will form a new order-
ing of fractions that is a cyclic permutation of the original ordering of fractions.
Say that ν1(xi) + i is the smallest fractional-valued clock to have its integral part
2.5. Bisimulation and Region Equivalence 42
increased. We then have:
f r(ν1(xi) + i) ≤ f r(ν1(xi+1) + i) ≤ . . . ≤
f r(ν1(xk) + i) ≤ f r(ν1(x1) + i) ≤ f r(ν1(xi−1) + i)
We now have two cases. In each case, we want ν2(xi) to have the same fractional
ordering. Since ν1(xi+1) is either not an integer or the same value of ν1(xi), we
want the same for ν2(xi+1).
Case 3a: f r(ν1(xi) + i) = 0 (ν1(xi) is on the line.) Here, choose j = 1− f r(ν2(xi)),
this way ν2(xi) is an integer, and the fraction orderings match.
Case 3b: f r(ν1(xi) + i) > 0 (ν1(xi) crossed the integer line.) Here, choose any
1− f r(ν2(xi)) < j < 1− f r(ν2(xi+1)
(
or the smallest clock with fractional value
larger than f r(ν2(xi)) if f r(ν2(xi)) = f r(ν2(xi+1)
)
.









In both cases, we get the same cyclic ordering making sure that the same
number of fractions cross the line. Therefore, in all cases, ν1 + i ≈c ν2 + j.
This next lemma states that region-equivalent valuations satisfy the same clock
constraints (with integer constants up to the maximum clock constants).
Lemma 2.5.4. Let ν1, ν2 ∈ V , φ ∈ Φ(CX), c : CX −→ N be the function giving
maximum constants for each clock and let ≈c be a Region Equivalence relation.
Suppose ν1 ≈c ν2. Then ν1 |= φ ↔ ν2 |= φ.
2.5. Bisimulation and Region Equivalence 43
Proof of Lemma 2.5.4. This proof can be done using structural induction on the
set of clock constraints, Φ(CX) (by inducting on the number of literals in the
constraint). See Clarke et al. [55].
This next lemma allows one to construct time abstract transitions from region-
equivalent states to region-equivalent states. This is the key property of a time-
abstract bisimulation.
Lemma 2.5.5. Let TA = (L, L0, Lu, ΣTA, CX, I, E) be a timed automaton with se-
mantics TS(TA) = (Q, Q0, Σ,−→), c : CX −→ N be the function as described
above, and ν1, ν2 ∈ V . Suppose ν1 ≈c ν2. Then for all l, l′ ∈ L, ν′1 ∈ V , If there
exists a δ1 ≥ 0 s.t. (l, ν1) δ1,a−→ (l′, ν′1) Then there is a ν′2 ∈ V and δ2 ≥ 0 where
(l, ν2)
δ2,a−→ (l′, ν′2) and ν′1 ≈c ν′2.
Proof of Lemma 2.5.5. Let l, l′ ∈ L, a ∈ Σ and let δ1 ≥ 0 such that (l, ν1) δ1,a−→
(l′, ν′1). Also let ν1, ν2 ∈ V where ν1 ≈c ν2.
By definition of
δ1,a−→, then this means:
(l, ν1)
δ1→ (l, ν1 + δ1) a→ (l′, (ν1 + δ1)[λ := 0]).
Here, ν′1 = (ν1 + δ1)[λ := 0].
By Lemma 2.5.3 there is some ν2 + δ2 where v1 + δ1 ≈c ν2 + δ2. Lemma 2.5.4
guarantees that ν2 |= I(l) (Since ν1 |= I(l)). Now, use the same edge for (l, ν2 + δ2)
that is used to transition (l, ν1 + δ1)
a→ (l′, ν′1). Let ν′2 = (ν2 + δ2)[λ := 0]. By
Lemma 2.5.4, ν′2 |= φ, and hence we can take that edge.
Since the same clocks are reset, the clocks that reset are the same and hence
satisfy the conditions for region equivalence. The clocks that do not reset are
equivalent since ν1 + δ1 ≈c ν2 + δ2 and their values are unchanged by the action
2.6. Untimed Logics 44
transition.
Therefore, ν′1 ≈c ν′2. (Furthermore, by Lemma 2.5.4, ν′1 |= I(l′) if and only if
ν′2 |= I(l′).)
Now with these lemmas, we can now prove the desired theorem.
Proof of Theorem 2.5.2. By definition of ≈c, ∼c is an equivalence relation. Utiliz-
ing Lemma 2.5.5 (and the case that the relation is symmetric), the time-abstract
bisimulation property of ∼c is proven.
2.6 Untimed Logics
This section provides definitions of Computation Tree Logic (CTL) and the un-
timed modal-mu calculus. CTL is a branching-time logic, and is a subset of the
logic CTL*. For more information on CTL, see Clarke et al. [54, 55]. For more
information on the untimed mu-calculus, see Bradfield and Stirling [49], Clarke
et al. [55]. In this section, we use transition systems as our model. As with timed
automata, we will augment transition systems with a set of atomic propositions
AP and a labeling function µ. These augmented transition systems are sometimes
referred to as Kripke structures.
2.6.1 Computation Tree Logic (CTL)
We begin by presenting the syntax of CTL.
Definition 2.6.1 (CTL syntax). A CTL formula φ can be constructed using the fol-
lowing grammar:
φ ::=p |¬φ | φ1 ∧ φ2 | EXa (φ) | AXa (φ) | E [[φ1]U [φ2]] | A [[φ1]U [φ2]]
2.6. Untimed Logics 45
Here, p ∈ AP is an atomic proposition and a ∈ Σ is an action. 
CTL augments propositional logic with two path quantifiers: E (there exists a
path) and A (for all paths), and two temporal operators: X (next) and U (until).
Additionally, CTL requires that every temporal operator is preceded by a path
quantifier, and that every path quantifier is followed by a state operator. This
makes CTL easier to model check.
Similar with timed automata, we have paths over transition systems. We use
these paths to describe the semantics of these formulas.
Definition 2.6.2 (Execution (path) π). An execution (path) π is a finite or infinite
sequence of transitions q1
σ−→ q2 σ−→ q3 . . . (ending at qn if finite) where qi is a
state, σ ∈ Σ and for all i, qi σ−→ qi+1 is a valid transition. 
When defining CTL, researchers sometimes assume that every path is infinite,
and that every state has at least one outgoing transitions. In this situation, one will
make a dead state (a state that transitions to itself) to represent getting stuck in a
transition system.
Now with the definition of paths, we can provide the semantics of CTL.
Definition 2.6.3 (CTL semantics). Let TS be a transition system with atomic propo-
sition set AP and labeling function Lab, and φ be a CTL formula. Then the seman-
tics of φ (denoted JφKTS), the set of states in TS that satisfy φ, is:
• JpKTS = {q ∈ Q | p ∈ Lab(q)}.
• J¬φKTS = Q− JφKTS.
• Jφ1 ∧ φ2KTS = Jφ1KTS ∩ Jφ2KTS.
2.6. Untimed Logics 46
• JEXa (φ)KTS = {q | there is a state q′ such that q a−→ q′ and q′ ∈ JφKTS}.
• JAXa (φ)KTS = {q | for all states q′ such that q a−→ q′, q′ ∈ JφKTS}.
• JE [[φ1]U [φ2]]KTS = {q | there is some path π starting at q where ∃i : qi ∈
Jφ2KTS ∧ ∀j < i : qj ∈ Jφ1KTS}.
• JA [[φ1]U [φ2]]KTS = {q | for all paths π starting at q, ∃i : qi ∈ Jφ2KTS ∧ ∀j <
i : qj ∈ Jφ1KTS}.
TS satisfies φ iff the initial state q0 satisfies φ. 
We also use the following abbreviations: ff for ¬tt, φ1 ∨ φ2 for ¬(¬φ1 ∧
¬φ2), and φ1 → φ2 for ¬φ1 ∨ φ2. Abbreviations for commonly-used derived
temporal operators include: E [[σ1] R [σ2]] for ¬(A [[¬σ1]U [¬σ2]]), A [[σ1] R [σ2]]
for ¬(E [[¬σ1]U [¬σ2]]) (release), EF [σ] for E [[tt]U [σ]], AF [σ] for A [[tt]U [σ]]
(eventually), AG [σ] for ¬EF [¬σ], EG [σ] for ¬AF [¬σ] (always), E [[φ1]W [φ2]]
for ¬(A [[¬φ2]U [¬φ1 ∧ ¬φ2]]), and A [[φ1]W [φ2]] for ¬(E [[¬φ2]U [¬φ1 ∧ ¬φ2]])
(weak until). Additionally, we can make derived operators that are not concerned
with the specific action symbols used. These are AX (φ) for
∧
a∈ΣTA AXa (φ) (for
all next actions) and EX (φ) for
∨
a∈ΣTA EXa (φ) (there exists a next action). These
operators are also used for systems that do not use actions symbols.
The formula E [[φ1] R [φ2]] means “there exists a path where φ1 releases φ2” (φ2
has to also be true when φ1 releases φ2 from being true).
CTL has the nice property that formulas can be expressed simply. For instance,
AG [a] is the safety property “always a” and AF [a] is the liveness property “in-
evitably a.” Additionally, CTL can be verified in polynomial time (polynomial in
the produce of the size of the formula and the size of the state machine) [54].
2.6. Untimed Logics 47
2.6.2 Untimed Modal Mu-Calculus
We define the mu-calculus used over transition systems. To express the mu-calculus,
we will use a set of variables Var to represent sets of states.
Definition 2.6.4 (Untimed mu-calculus syntax). The syntax of an untimed mu-
calculus formula can be constructed with the following grammar:
φ ::=p | ¬p | tt | ff | cc | Y | φ ∧ φ | φ ∨ φ | 〈a〉(φ) | [a](φ)
Here, p ∈ AP is an atomic proposition, a ∈ Σ is an action, Y ∈ Var is a proposi-
tional variable, and µY.[φ] and νY.[φ] are the least and greatest fixpoint operators
over variable Y, respectively. 
Notice that this version of the logic does not have the negation ( 6) operator. As
a result, we are providing all of the dual operators. This keeps formulas in positive
normal form, which will make many model-checking results easy to prove. While
this mu-calculus could be defined using negation (¬), because this logic is closed,
negation adds no additional expressive power. Additionally, we would need to
add the restriction that that every occurrence of each variable Y occurs within an
even number of negations.
To interpret the meaning of a mu-calculus formula, we use an environment,
which maps propositional variables to sets of states.
Definition 2.6.5 (Environment θ). An environment θ : Var −→ 2Q is a function that
assigns a set of states to each variable, where θ(Y) represents the set of states that
2.6. Untimed Logics 48
make the formula Y true. For notation, we have:
θ[Y := Q′](Z) =
 θ(Z) if Z 6= YQ′ if Z = Y

Now with the environment, we can define the semantics.
Definition 2.6.6 (Untimed mu-calculus semantics). Given transition system TS
(with labeling function Lab), and initial environment θ, the semantics of an untimed
mu-calculus formula φ, denoted JφKTS,θ , is (easier ones omitted):
• JpKTS,θ = {q ∈ Q | p ∈ Lab(q)}.
• J¬pKTS,θ = {q ∈ Q | p 6∈ Lab(q)}.
• JttKTS,θ = Q.
• JffKTS,θ = ∅.
• JYKTS,θ = θ(Y).
• Jφ1 ∧ φ2KTS,θ = Jφ1KTS,θ ∩ Jφ2KTS,θ .
• J〈a〉(φ1)KTS,θ = {q ∈ Q | ∃q′ ∈ Q : q a−→ q′ and q′ ∈ Jφ1KTS,θ}.
• J[a](φ1)KTS,θ = {q ∈ Q | ∀q′ ∈ Q : if q a−→ q′ then q′ ∈ Jφ1KTS,θ}.
• JµY.[φ]K = the least fixpoint of the function φ(Y′) = JφKTA,θ[Y:=Y′]
• JνY.[φ]K = the greatest fixpoint of the function φ(Y′) = JφKTA,θ[Y:=Y′]
Transition system TS satisfies φ iff the initial state q0 satisfies φ.
2.6. Untimed Logics 49
A formula with a propositional variable can be viewed as a monotonic function
on a complete lattice [56]. Due to Cousot and Cousot [59] we obtain an iterative
semantics for fixpoints. Specifically, by treating the formula φ as a function on Y








See Kozen [100] for details. 
The logic supports two derived operators: [− ](φ) for ∧a∈ΣTA [a](φ) (for all next
actions) and 〈−〉(φ) for ∨a∈ΣTA〈a〉(φ) (there exists a next action). These operators
are also used for systems that do not use actions symbols.
The modal mu-calculus is strong enough to express all of CTL [55]. By defi-
nition, AXa (φ) ≡ [a](φ) and EXa (φ) ≡ 〈a〉(φ). We can write the until operators
with the following equations:
E [[φ1]U [φ2]] ≡ µY.[φ2 ∨ (φ1 ∧ 〈−〉(Y))] (2.4)
A [[φ1]U [φ2]] ≡ µY.[φ2 ∨ (φ1 ∧ [− ](Y))]. (2.5)
Furthermore, here are equations in the modal mu-calculus for some of the com-
2.7. Related Work I: Untimed Systems and Untimed Logics 50
mon CTL derived operators:
E [[φ1] R [φ2]] ≡ νY.[φ2 ∧ (φ1 ∨ 〈−〉(Y))] (2.6)
A [[φ1] R [φ2]] ≡ νY.[φ2 ∧ (φ1 ∨ [− ](Y))] (2.7)
EF [φ] ≡ µY.[φ ∨ 〈−〉(Y)] (2.8)
AF [φ] ≡ µY.[φ ∨ [− ](Y)] (2.9)
EG [φ] ≡ νY.[φ ∧ 〈−〉(Y)] (2.10)
AG [φ] ≡ νY.[φ ∧ [− ](Y)]. (2.11)
These equivalences are taken from Clarke et al. [55]. Additionally, the modal mu-
calculus is more expressive than CTL [55].
2.7 Related Work I: Untimed Systems and Untimed Logics
Now we begin to discuss related work in the following sections. This related work
includes both related work on untimed systems and untimed logics, which also
provide a rich theory to draw from and apply to timed systems (some of it has al-
ready been applied), as well as current work on timed automata. This related work
will include the related work that has begun to set the framework for the theory
that we plan to develop further. The theory for untimed systems is useful because
much of the concepts, ideas and operations can be extended to timed automata,
saving the time of developing a new theory. Two books that give expositions of
much of the related work are Baier and Katoen [17], Clarke et al. [55].
2.7.1 Untimed Systems: Automata and Kripke Structures
The baseline untimed sytstem used is a finite automaton. A finite automaton is a
collection of nodes, referred to as states, with labeled transitions between states.
2.7. Related Work I: Untimed Systems and Untimed Logics 51
When a transition is executed, the label is often referred to as the action or event.
Using each state as a current snapshot of a system and transitions to signify a
change in the program or the model, automata provide a simple model of a pro-
gram. With automata, many questions about them can be asked. A common one is
reachability: can the automaton reach a certain state from a given initial state? An-
other question asks about the possible sequences of actions that can happen. These
collection of action sequences form a language, which can be reasoned about as
well. Detailed expositions of automata and many of their properties can be found
in Hopcroft et al. [93], Sipser [145].
For model checking purposes, automata are augmented so that each state is la-
belled with a set of atomic propositions that each state satisfies. These augmented
automata form Kripke structures (see Clarke et al. [55]). With these propositions,
we can now ask questions such as: It is always the case that proposition is p is
true? To do this, we will use untimed logics, described in the next section (Section
2.7.2).
2.7.2 Untimed Logics
Now with finite automata and Kripke structures, we wish to reason with them.
The logics discussed here give ways of reasoning with these structures. They in-
volve temporal and modal operators, which allow users to ask questions about
Kripke structure executions. Through these formulas, users can ask about the cur-
rent state, the next state and future states.
A common branching-time logic for model checking Kripke Structures is CTL
(Computational Tree Logic), with a polynomial time model checking algorithm
given in Clarke et al. [54]. Two additional temporal logics include LTL (Linear
Temporal Logic) (see Clarke et al. [54]) and CTL*. We know that CTL* is a superset
of both CTL and LTL [55]. However, CTL and LTL are expressibly incomparable:
2.8. Related Work II: Timed Systems 52
see Clarke and Draghicescu [52], Emerson and Halpern [68], Lamport [104]. These
logics provide temporal-based ways of expressing properties with operators such
as “until,” “in the next state”, “for all paths,” etc.
An additional logic includes the modal mu-calculus. It is a powerful fixpoint-
based logic (see Clarke et al. [55]) that can express all of CTL* [31]. Additionally,
a substantial fragment, called the alternation-free fragment (see Emerson and Lei
[69]), can both express all of CTL [55] as well as be model-checked efficiently in
practice. Different efficient ways to model check the modal mu-calculus come from
and are discussed in Andersen [15], Cleaveland and Steffen [57], Mader [121], Ma-
teescu and Sighireanu [123]. These efficient algorithms use Tarski’s Theorem [148],
the Tarski-Knaster Theorem [69] and Kleene’s fixpoint theorem (see Emerson and
Lei [69]) A more detailed exposition of the modal mu-calculus is in Bradfield and
Stirling [48, 49].
With these logics, two subsets of interesting properties include safety proper-
ties and liveness properties. A safety property is “is p always true”? A liveness
property is “is p inevitably true?”. There are other interesting properties as well.
2.8 Related Work II: Timed Systems
In order to model real-time constraints, timed systems were developed. While the
complexity of model checking is harder, these systems were developed to express
real-time constraints yet still be able to be model checked.
2.8.1 Timed Automata Variants
The first system is the timed automaton, formally defined in Section 2.2. This
model is the Alur-Dill model, based off of the work of Alur and Dill [7], which
uses clocks and constraints on clocks to specify real-time constraints. A different
2.8. Related Work II: Timed Systems 53
model used is where the automata are given a set of timed trajectories, and the
set of timed trajectories is restricted, providing implicit constraints. This model
is defined by Lynch and Vaandrager [118] (Part II is Lynch and Vaandrager [120]
and additional versions include Lynch and Vaandrager [117, 119]). This model was
extended to handle timed I/O (Input/Output) automata in Kaynar et al. [95, 96].
Even with the Alur-Dill, model, there are many variants. Many of these are
discussed in Chapter 3. These variants make it easier to represent timed automata
in model checking tools, and are used in tools such as UPPAAL [23]. Some variants
change the syntax; others the semantics. We will examine one of the semantic
variants here, which is the differences on how to address an unsatisfied invariant.
More details are provided in Section 3.4.1.
Let us again consider the semantics of −→ in the transition system for the base
version of timed automata:
−→ ⊆ Q× Σ×Q is defined as follows:
Time advancement:(l, ν) δ−→ (l, ν + δ) if
l ∈ L, l 6∈ Lu and δ ∈ R≥0 and ∀t ∈ R≥0, 0 ≤ t ≤ δ : ν + t |= I(l).
Action execution:(l, ν) a−→ (l′, ν[λ := 0]) if
(l, a, φ, λ, l′) ∈ E, ν |= φ and ν[λ := 0] |= I(l′).
In the above version of the semantics, it is required that the invariant of the
entering location will be true in order for the transition to be allowed. This version
is used in Bengtsson and Yi [27], Bouyer and Laroussinie [38], Olderog and Dierks
[131], Tripakis [151], Wang [159], Yovine [164] (some of these sources do not use
urgent locations).
However, we could choose to not require the invariant to be true after per-
forming an action. This yields the semantics:
−→ ⊆ Q× Σ×Q is defined as follows:
2.8. Related Work II: Timed Systems 54
Time advancment: (l, ν) δ−→ (l, ν + δ) if
l ∈ L, l 6∈ Lu and δ ∈ R≥0 and ∀t ∈ R≥0, 0 ≤ t ≤ δ : ν + t |= I(l).
Action execution: (l, ν) a−→ (l′, ν[λ := 0]) if
(l, a, φ, λ, l′) ∈ E and ν |= φ.
This interpretation is used in sources including Alur [5], Baier and Katoen
[17], Behrmann et al. [23], Beyer and Noack [29], Clarke et al. [55], Zhang and
Cleaveland [167]. Thus, according to the definition, if a location is entered where
the invariant is false (say, x1 < 0), the transition is allowed and the automaton
can transition out of that location, but no time is allowed to elapse. This is the
semantic equivalent of urgency (see Section 2.2.4). Both interpretations are used.
2.8.2 Other Real-Time Systems Models
One real-time system model is the guarded-command program, used in Henzinger
et al. [88], Zhang and Cleaveland [167], as well in Henzinger et al. [87], the earlier
conference version of Henzinger et al. [88]. A contribution of this dissertation,
also in Fontana and Cleaveland [74], shows that a guarded-command program is
isomorphic to a timed automaton. Thus, both models are completely equivalent.
This is discussed in Section 3.3.3.
Another real-time system model extending timed automata is a parametric
timed automata. A parametric timed automaton is a timed automaton that also
has parameters in the constraints, allowing one to ask questions such as “for what
values of these parameters is location q reachable?” Parametric timed automata
are described and used in Alur et al. [13], Zhang and Cleaveland [167].
In addition to timed models, for more complex systems the model of a hy-
brid system is used. Instead of clocks, hybrid automata extend expressiveness to
allow the variables to grow and shrink at different rates. The variable rates are
2.8. Related Work II: Timed Systems 55
represented as differential equations. Timed automata are a special case of hybrid
automata (one kind of hybrid system). While even more expressive than timed
systems, hybrid systems models are harder to model check, and in some cases
(including some hybrid automata), even reachability is undecidable [91]. See Hen-
zinger [86], Henzinger et al. [91], Platzer [137] for more information on hybrid
systems.
2.8.3 Model-Checking Data Structures
In order to more efficiently model check automata, data structures have been used.
For untimed systems, the BDD (Binary Decision Diagram) (see Clarke et al. [55])
allowed a compact representation of variables to reduce the time of model check-
ing.
For timed systems, two abstractions were developed: region equivalence and
clock zones. These abstractions allowed timed automata to be reduced to a fi-
nite representation and thus able to be model-checked in a finite amount of time.
Clock regions are equivalence classes that group all valuations that satisfy the
same clock constraints together. Clock zones provide an even larger abstraction
that still preserves reachability by grouping regions together when there is no con-
straint in the automaton that distinguishes the two zones. Due to their convexity,
clock zones are easy to manipulate in practice. See Alur [5], Bengtsson and Yi [27].
The first implementation for a clock zone is a DBM (difference bound matrix) (see
Dill [64]). Clock zones, DBMs and other implementations are described in Chapter
5.
While good abstractions, clock regions are too hard to model check in practice
(there are possibly an exponential number of clock regions [5]) and clock zones
are not a guaranteed abstraction for all logical formulas [159]. Thus, one some-
times has to use a union of clock zones. The simplest is to use a list of DBMs.
2.9. Related Work III: Timed Logics 56
Inspired by BDDs, two implementations were developed: the CRD (Clock Restric-
tion Diagram) [153, 154, 155] and the CDD (Clock Difference Diagram) [21, 110].
Additional implementations developed include the Difference Detection Diagram
(DDD) [126] and the Constraint Matrix Diagram (CMD) [67].
2.9 Related Work III: Timed Logics
Given a collection of models, specifications must be developed to express prop-
erties that we wish to verify. While we can verify reachability without a logic, we
will discuss and work with logics that can write reachability questions as safety
properties. These logics can also express other properties.
2.9.1 Extensions of CTL and LTL
The first logic is TCTL (Timed Computation Tree Logic), which is an extension of
CTL. TCTL extends CTL to allow questions of timing intervals. The first variant
adds interval timing constraints to the “until” operators while the second variant.
See Alur et al. [9, 12], Penczek and Pólrola [135] for more information on TCTL, as
well as Section 4.1. TCTL is used due to its ease of expressiveness for safety and
liveness properties as well as its ease to verify in practice.
There are two timed extensions to LTL (Linear Temporal Logic): MTL (Metric
Temporal Logic) (see Bouyer [37]) and TPTL (Timed Propositional Temporal Logic)
(see Alur and Henzinger [8]). MTL extends the timing by allowing timing intervals
in the “until” operators, and TPTL extends LTL by allowing freeze quantification.
In Bouyer et al. [42, 44] it was shown that TPTL is strictly more expressive than
MTL, which as a corollary, shows that the freeze-quantification variant of TCTL
is more expressive than the variant with interval timing constraints. See Bouyer
[37], Bouyer et al. [44], Pandya and Shah [133] for more information.
2.9. Related Work III: Timed Logics 57
2.9.2 Extensions of the Modal Mu-Calculus
Extensions of the untimed modal mu-calculus have begun. The first variant of a
timed modal mu-calculus is provided by Henzinger et al. [88], called Tµ. While
it can express all of TCTL in theory, it cannot express all of TCTL practically
(including AF<∞ [φ]) [88]. The Tµ expression for AF [φ] requires the user to guess
an upper bound of when φ will be true, and this upper bound may need to be
much larger than the region equivalence constant maxc. While it does have lots of
theoretical properties proven about it, lacking a practical way to model check all
of TCTL is a drawback.
Another variant of the timed modal-mu calculus, given in modal equation
system form, in introduced (independently) by Sokolsky and Smolka [147] and
by Aceto and Laroussinie [2], but little was said in terms of expressiveness of
this variant in Sokolsky and Smolka [147]. This logic considering only greatest
fixpoints was also introduced in Laroussinie et al. [108]. This variant is called Lν,µ
(taken from Aceto and Laroussinie [2]), and the variant with greatest fixpoints
only is called Lν. Lν is shown to be a characteristic for bisimulation in Laroussinie
et al. [108]. In Aceto and Laroussinie [2], it is shown that Lν,µ is EXPTIME-complete
to model check. An additional operator is added in Bouyer et al. [41] and Bouyer
et al. [41] proves that the relativized operator adds expressive power to the logic
Lν. We call the relativized variant Lrelν,µ. However, many desirable expressivity results,
such as expressing TCTL were not proven about Lν,µ and Lrelν,µ. Since Lν,µ is used
in Zhang and Cleaveland [168], and Zhang and Cleaveland [167, 168] use a proof-
rule scheme to model check safety properties expressible in the alternation-free
fragment of the timed modal-mu calculus (though the formula to express a safety
property is not provided in Zhang and Cleaveland [168]), this logic is not only
general but has the potential to be model checked efficiently in practice. If we
2.10. Related Work IV: Surveys, Uses, and Tools 58
combine the results of Aceto and Laroussinie [2] and Bouyer et al. [41], model
checking of the Lrelν,µ is shown to be EXPTIME-complete.
We discuss these logics more in Chapter 4. There we also fill in some of the
missing theory.
2.10 Related Work IV: Surveys, Uses, and Tools
We continue the discussion of related work by listing some surveys involving
timed automata, timed automata algorithms, and modeling of timed systems.
Then we list some papers that use timed automata to model systems. We con-
clude this section with a list of timed automata model checking tools.
2.10.1 Surveys, Books and Book Chapters
Book chapters covering timed automata and real-time model checking include
Baier and Katoen [17], Bouyer and Laroussinie [38], Clarke et al. [55], Olderog
and Dierks [131]. Fahrenberg et al. [72] presents a survey of timed automata that
also includes model checking reachability. Bouyer [37] surveys different logics that
can be checked by timed automata. Penczek and Półrola [134] gives a survey of
verification techniques for timed automata and timed petri nets.
Furia et al. [76] surveys different models of time and timed systems. A survey
of various ways to timed systems is Wang [156]. Hassine et al. [83] discusses differ-
ent notations for modeling timed scenarios, and it touches upon but does not focus
on using timed automata. Deligiannis and Manesis [61] discusses various types of
automata, including timed automata and then discusses some points about them
concerning using them to model phenomena. Another survey of different ways to
model systems of timing constraints is Furia et al. [76].
2.10. Related Work IV: Surveys, Uses, and Tools 59
2.10.2 Uses of Timed Automata
Sloth and Wisniewski [146] discusses a technique for using timed automata as an
abstraction of continuous dynamical systems. Another technique for using timed
automata to over-approximate continuous systems is discussed in Maler and Batt
[122]. Hassine et al. [82] discusses how to use timed automata to model timed use
case maps. Abdeddaïm et al. [1] discuses how to model and solve some schedul-
ing problems with timed automata. Khatib et al. [97] discuss how to map a models
used in the Heuristic Scheduling Testbed System (HSTS) planner into timed au-
tomata. Largouët et al. [106] uses timed automata to model ecosystems, Koltuksuz
et al. [98] uses timed automata to model and verify a security protocol, Kourkouli
and Hassapis [99] uses timed automata to model and verify an online transac-
tion processing system, and Lindahl et al. [116] uses timed automata to verify
a prototype gear controller. Ravn et al. [140] uses timed automata to verify the
Business Agreement with Coordinator Completion (BAwCC) protocol within the
WS-Business Activity (WS-BA) standard, which provides protocols used for long-
lived business activities [140]. Herber et al. [92] uses timed automata to verify
some SystemC designs.
2.10.3 Tools
Tools to model check timed automata include UPPAAL [22, 23, 24, 27, 113], KRO-
NOS [60, 163, 164], CWB-RT/CWB-PRT [167, 168] (updated in [73]), MCTA [103],
a SAT solver to model check timed automata ([130]), CMC [107], TMV [143] (also
see the technical report [144]) (which is a fully symbolic model checker that can
check any TCTL property), DDDLib [125] (which uses difference decision dia-
grams to store clock valuations when model-checking), SGM [160] (a tool that can
check real-timed systems for untimed property and has a focus on requiring less
2.11. Related Work V: Vacuity 60
technical knowledge of model-checking to use), Synthia [136] (can check saftey
properties of timed game automata), VerICS [94], a prototype (tool not named)
[67] (which model checks safety and bounded liveness properties using clock ma-
trix diagrams (see Ehlers et al. [67]) ), a prototype (tool not named) [127] (that
can check safety properties by converting timed automata to finite state machines
with time) and a prototype (tool not named) [34] (which can model check TCTL).
Tools that can also model check linear hybrid automata as well as timed automata
include RED [154, 155, 162] (with its library, REDLIB [157]), and HyTech [14, 90].
Tools that model check timed systems but use discrete-time representations in-
clude Rabbit [29, 30] and an unnamed tool [105]. The tool UPP2SF [132] does not
model check timed automata; instead, it translates them into Stateflow models,
which can be used by MATLAB Simulink.
2.11 Related Work V: Vacuity
2.11.1 Untimed Systems with Temporal Logics
The first kind of work on vacuity involves determining if a model vacuously satis-
fies a formula. For (untimed) temporal logics, one key paper is Beer et al. [20] (and
its conference version Beer et al. [19]). Beer et al. [20] focuses its work on CTL*.
Dong et al. [66] extends this work to handle the untimed modal mu-calculus.
Kupferman and Vardi [102] extends the work on vacuity for CTL*, extending
vacuity to also finding interesting witnesses.
An implementation of a vacuous model checker for CTL is VaqUoT, which is
described in Gheorghiu and Gurfinkel [77]. The theory used by Gheorghiu and
Gurfinkel [77] is described more in Gurfinkel and Chechik [80]. Di Guglielmo
et al. [63] also discusses an implementation to detect vacuity, and this paper also
refines some of the techniques discussed in previous works.
2.11. Related Work V: Vacuity 61
In the untimed setting, researchers have utilized proof-based model checkers to
check for vacuity. Namjoshi [128] uses a proof-based model checker and develops
the notion of a vacuous proof as well as an algorithm to develop a proof that
indicates whether a formula is vacuously satisfied or not. This work is extended
in Namjoshi [129]. One of the contributions of Namjoshi [129] is identifying a way
to distinguish when between two kinds of vacuity related to proofs: whether a
formula is vacuous within a single proof, or whether a formula is vacuous within
every proof.
Ball and Kupferman [18] applies vacuity to software testing. Chockler and
Strichman [50] extends the vacuity on untimed systems to handle mutual vacuity:
multiple subformulas can be vacuous within a formula. This paper provides ways
to find a maximal subset of sub formulas that can be substituted out and the
formula remains satisfied. Kupferman [101] serveys the work on untimed vacuity
and relates it to the notion of coverage in testing.
Extending this notion of formula vacuity, Gurfinkel and Chechik [81] discusses
the notion of bisimulation vacuity, which aims to be more robust than the syntac-
tic vacuity that is defined in Beer et al. [20]. The paper then applies it to CTL
and CTL*. Samer and Veith [141] discusses different notions of vacuity over the
untimed setting. Its contribution is relating these different notions at the semantic
level.
Notice that all of these papers work only in the untimed setting.
2.11.2 Work Involving Real-Time Systems
Although Post et al. [138] is relevant to vacuity and works with real-time require-
ments, its goal for vacuity is different. Rather than determining if a model satis-
fies a specification vacuously, it takes a set of specifications and determines if any
specifications are redundant due to vacuity. For instance, if a set of specifications
2.11. Related Work V: Vacuity 62
contained AG [p → AF [q]] and AG [¬p], the first specification would be redun-
dant and deemed vacuous. Additionally, while not vacuity, Cimatti et al. [51] tries
to gain more information than just a yes or no answer. Cimatti et al. [51] model
checks hybrid automata and tries to explain why a certain property, explained in
a message sequence chart (MSC), is infeasible.
To our knowledge, our work is the first to both extend the theory of vacuous




Timed Automata: Definitions, Variants and Equivalences
The baseline variant of timed automata is the Alur-Dill variant based off of Alur
and Dill [7]. For this specific variant, strong theoretical claims have been proven,
including a proof that both reachability and TCTL model checking are PSPACE-
complete [12] and that reachability and TCTL model checking are preserved by
region equivalence [5, 55]. This variant has strong theoretical properties. However,
for ease of model checking, many tools represent this variant differently. Some of
these representation changes are syntactic; others are semantic.
With these new representations, it is not clear which results proven in theory
carry over. Having these theoretical results supports tools because these results can
provide correctness results for algorithms used in tools. However, if the variant is
changed, does the result still hold? Bouyer [36] proved that a commonly used al-
gorithm in timed automata model checking was incorrect if timed automata were
extended in a seemingly innocuous fashion. This subtlety had eluded detection
for several years, and indeed the (incorrect) algorithm had been in use in several
tools. The detection of this subtlety motivates a need for a cohesive framework for
understanding the various versions of timed automata.
In this chapter, we not only formally define many of these variants but provide
formal equivalence proofs and conversions, with the equivalences of different
strengths. While the strongest equivalence is semantic isomorphism (Definition
3.1.2), all of the equivalences are strong enough to be congruences for bisimulation
(Definition 2.5.2). All equivalence proofs are on the semantic level.
3.1. Types of Equivalence 64
3.1 Types of Equivalence
In this chapter, we will show how different variants of timed automata can be
converted into the baseline theory and vice versa. To argue for the correctness
of these conversions, we will use various equivalences at the level of the transi-
tions systems corresponding to the different automata; in particular, we will show
that the transition system corresponding to a given automaton is equivalent, in a
precisely defined sense, to the transition system for the translated version of that
automaton.
A natural question presents itself in this setting: which equivalence should one
use for these arguments? In general, our view is that the equivalence that is shown
should be as strong as possible, so that one may conclude that the conversion
routines at the level of timed automata preserve as much semantic information as
possible.
We focus on two kinds of equivalence: bisimulation, and isomorphism. In particu-
lar, we use the equivalences of: label-preserving isomorphism (sometimes referred
to as isomorphism), reachable subsystem isomorphism, and non-label-preserving
isomorphism. By definition, a label-preserving isomorphism and a reachable sub-
system isomorphism are bisimulations, and a non-label preserving isomorphism
has most of the desirable properties of a bisimulation. The formal definition of
bisimulation is given in Section 2.5.1.
3.1.1 Label-Preserving Isomorphism
A stronger equivalence than bisimulation is a label-preserving isomorphism. Two
systems have a label-preserving isomorphism if we can convert one system to the
other by renaming the states of the first system. A label-preserving isomorphism
requires that the transitions have the same labels.
3.1. Types of Equivalence 65
Definition 3.1.1 (Isomorphism, transition systems (TS1 ∼= TS2)). Consider two
transition systems TS1 = (Q1, Q01 , Σ1,−→1) and TS2 = (Q, Q02 , Σ2,−→2) where
Σ1 = Σ2. The two transition systems are label-preserving isomorphic (isomorphic),
(TS1 ∼= TS2), iff there exists a bijection f : Q1 −→ Q2 where :
q1
a−→1 q′1 ⇔ f (q1)
a−→2 f (q′1)
and q1 ∈ Q01 if and only if f (q1) ∈ Q02 . When clear from context, we will refer to
a label-preserving isomorphism as an isomorphism. 
This definition may be extended to timed automata as follows.
Definition 3.1.2 (Isomorphism of timed automata (TA1 ∼= TA2)). Let TA1 and TA2
be two timed automata. The two timed automata are label-preserving isomorphic
(isomorphic) (TA1 ∼= TA2), if and only if TS(TA1) ∼= TS(TA2). When clear from
context, we will refer to a label-preserving isomorphism as an isomorphism. 
3.1.2 Reachable Subsystem Isomorphism
A relaxation of ∼= that is still stronger than bisimulation may be obtained by con-
sidering only the reachable states of a timed transition system. Intuitively, the
reachable subsystem of a timed transition system contains only those states and
transitions reachable from an initial state.
Definition 3.1.3 (Reachable subsystem (Reach(TS))). Given a transition system
TS, we form its reachable subsystem, Reach(TS), which is a transition system
Reach(TS) = (Qr, Q0r , Σ,−→r), specified as follows.
• Qr = {q | ∃q0 ∈ Q0 s.t. q0 −→∗ q}. Here −→∗ means there is a sequence of
(zero or more) transitions from q0 to q.
3.1. Types of Equivalence 66
• Q0r = Q0, since all initial states are reachable.
• −→r= {(q, a, q′) | q, q′ ∈ Qr and (q, a, q′) ∈−→}.

Thus, Qr is the set of all states obtained after executing all possible transitions
starting from the initial states and continuing with new transitions until there are
no more transitions available.
Definition 3.1.4 (Isomorphism of reachable subsystems (TA1 ∼=r TA2)). Two timed
automata TA1 and TA2 are reachable subsystem isomorphic, denoted TA1 ∼=r TA2 or
TS(TA1) ∼=r TS(TA2), iff Reach(TS(TA1)) ∼= Reach(TS(TA2)). 
Note that an isomorphism of reachable subsystems induces a bisimulation.
3.1.3 Non-Label-Preserving Isomorphism
Now we define a non-label-preserving isomorphism. The intuition is that we use
two independent bijections: a bijection for the states and a bijection for the action
labels. The transition relation is preserved if we relabel the states and the action
symbols.
Definition 3.1.5 (Non-label-preserving isomorphism, (TS1 ∼=nl TS2)). Let TS1 =
(Q1, Q01 , Σ1,−→1) and TS2 = (Q, Q02 , Σ2,−→2) be two transition systems where
Σ1 = Σ2. We say that the two transition systems are non-label-preserving isomor-
phic (TS1 ∼=nl TS2), if and only if there exists two bijections fq : Q1 −→ Q2, and
fσ : Σ1 −→ Σ2 where
q1
a−→1 q′1 ⇔ fq(q1)
fσ(a)−→2 fq(q′1)
3.2. Variants and Conversions: An Overview 67
and q1 ∈ Q01 if and only if fq(q1) ∈ Q02 . 
Definition 3.1.6 (Non-label-preserving isomorphism, (TA1 ∼=nl TA2)). Let TA1
and TA2 be two timed automata. We say that the two automata systems are non-
label-preserving isomorphic (TA1 ∼=nl TA2), if and only if TS(TA1) ∼=nl TS(TA2).

While not a bisimulation, a non-label-preserving isomorphism makes strong
assertions about behavior of equivalent systems. After we relabel one of the timed
automaton, the relabeled automaton is isomorphic to the other timed automaton.
Another equivalence used in many algorithms is region equivalence. We for-
mally define region equivalence in Section 2.5.2. Recall that region equivalence
groups clock valuations into regions whose valuations enforce the same clock con-
straints (up to a certain constant maxc). Applying the region equivalence relation
to a timed automaton creates a new automaton, the region timed automaton (see
Definition 2.5.7). The region automaton is both bisimilar to its timed automaton
and finite (see Sections 2.5.2 and 2.5.3). This equivalence allows many properties,
including reachability of timed automata, to be decidable. For more information,
see Sections 2.5.2 and 2.5.3, or see Alur [5], Alur and Dill [7], Clarke et al. [55].
3.2 Variants and Conversions: An Overview
In this section, we overview the various variants and equivalence conversions.
The details are provided in the remainder of this chapter as well as in Fontana
and Cleaveland [74].
3.2. Variants and Conversions: An Overview 68
3.2.1 Variants
Here we summarize the variants discussed throughout this Chapter. The variants
are classified according to the kind of equivalence each variant has with the base-
line version (Definition 2.2.2).
First we summarize the variants semantically isomorphic (Definition 3.1.2) to
the base version.
• Disjunctive guard constraints. Sources using this variant include Bérard
et al. [28]. A disjunction of constraints for a guard on an edge is converted
to a set of edges, where each disjunct of the guard constraint is converted to
one edge.
• Timed automata with variables. Sources using this variant include Zhang
and Cleaveland [167]. Sources and (especially) tool implementers like to aug-
ment timed automata with finitely-valued integer (or boolean) variables that
can be assigned on edge transitions and compared on edge guards and
checked in invariants. This is a useful implementation shorthand that can
make model generation and model checking easier. The variables do not add
expressive power because the set of variable assignments can be represented
with a finite number of locations (one location per assignment).
• Guarded-command programs. Sources using this variant include Henzinger
et al. [88]. A guarded-command program is a model used by Henzinger
et al. [88] and others to represent real-time programs. Guarded-command
programs do not use action symbols but can be easily augmented to allow
them. Guarded-command programs are equivalent to timed automata with
variables without using action symbols by converting the guards to edges
(some being self loops). Since timed automata with variables are equiva-
3.2. Variants and Conversions: An Overview 69
lent to timed automata without variables, guarded-command programs are
equivalent to timed automata.
Next, we describe some variants whose equivalence becomes isomorphism if
we reduce both timed automata (the original and the converted) to the subsys-
tem that can be reached from their initial states. The reachable-subsystem isomor-
phism equivalence is formally defined in Definition 3.1.4. Again, a summary list
is provided here.
• Unsatisfied invariants. Sources using this variant include Alur [5] (unsatis-
fied invariants result in urgent states) and Bengtsson and Yi [27] (unsatisfied
invariants prevent transitions). While a time advance always requires the in-
variant to be true, this requirement of a true invariant is sometimes waived
for action transitions. The following two variants of automata are equivalent:
having urgent locations and preventing action executions when invariants
are unsatisfied and not having urgent locations but allowing action execu-
tions when invariants are false. Urgent locations are not needed in the latter
case since they can be encoded as a location with a false invariant.
• Clock difference inequalities in clock constraints. Sources using this vari-
ant include Bérard et al. [28] (gives conversion of timed automata with clock
difference inequalities in constraints to timed automata that do not have
clock difference inequalities in constraints) and Bouyer [36] (shows that a
model checking technique of widening a set of clock valuations defined by
a clock constraint need to be refined for automata with clock difference in-
equalities). Some sources allow timed automata constraints to contain in-
equalities on clock differences. While we can always convert a timed au-
tomaton to eliminate these clock difference inequalities [28], the conversion
3.2. Variants and Conversions: An Overview 70
yields an exponential blowup in terms of the number of inequalities con-
verted. What makes clock difference inequalities hard to deal with is that the
standard widening method for model checking is not always sound when
we allow clock difference inequalities in clock constraints [36].
Lastly, we discuss a variant that has an equivalence, but is not isomorphism.
This equivalence require re-labelings to show an isomorphism, or that if we take
the converted system and re-label the time advance labels, the system with the
changed labels is isomorphic to the original automaton. A summary with one
source is provided here.
• Rational clock constraints. Sources using this variant include Alur [5]. Most
clock constraints allow only non-negative integers, but this is expressively
equivalent to allowing non-negative rational constraints, since we can con-
vert a timed automaton with rational constraints to one without rational
constraints. This equivalence differs because it requires time advance labels
to be mapped to different values to obtain the equivalence.
• Clock assignments. Sources using this variant include Yovine [164]. This
variant extends edges to allow a clock to be assigned the current value of
another clock; hence on an edge each clock can be reset to 0 or set to the pre-
edge value of another clock. Bouyer et al. [39] showed that we can convert
each such automaton to a bisimilar timed automaton without clock assign-
ments.
3.2.2 Establishing Equivalence
For each variant V, we go through the following steps to establish its equivalence
to the baseline variant:
3.2. Variants and Conversions: An Overview 71
1. Define a syntactic conversion that takes a timed automaton of variant V and
convert it to the baseline variant (removing the feature). This conversion is
well defined in that given a timed automaton of variant V always yields a
timed automaton.
2. Formalize the conversion on the semantic level. By the definition of timed
automata semantics, the timed automaton’s semantics are well defined.
3. Prove the proper equivalence on the semantic level. To show isomorphism,
given TAV and its converted timed automaton CONV(TA), define a func-
tion f that maps states of TS(TAV) to states in the converted automaton,
TS(CONV(TAV)). This function operates on the semantic level. Then prove
it is an invertible bijection and that it has the morphism property. The mor-
phism property means for all states q, q′ of the original timed automaton:
q δ−→ q′ ⇔ f (q) δ−→ f (q′) ∀δ ∈ R≥0 and
q a−→ q′ ⇔ f (q) a−→ f (q′) ∀a ∈ Σ
For reachable subsystem isomorphism, we utilize the fact that only reachable
states are considered.
3.2.3 Composition of Variant Conversions
In the previous sections we discuss many variants of timed automata and show
how each individual variant can be “translated away” when added to the formal-
ism. In practice, it is possible to have a timed automaton that has many of these
variant features, such as data variables, disjunctive guard constraints and clock
difference inequalities allowed in clock constraints.
We can perform the conversions on extended timed automata (with more of
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 72
these variants and some other features) and compose the conversions. Further-
more, the composition preserves the minimum equivalence of the conversions and
that for these conversions, their composition is commutative and associative for
the semantics of the final automaton (the syntax is not necessarily commutative or
associative). We also give conditions on other extensions not defined in this paper
that allow our conversion functions to remove our variants from these extended
timed automata. The formal theorem is given as Theorem 3.6.5.
Furthermore, we generalize this framework to consider other possible variants.
Three common features, atomic propositions (see Alur [5]), labeling functions
(see Alur [5]), and clock assignments (see Yovine [164]) can be added to timed
automata without hindering this composition framework.
Full details are in Section 3.6.4.
3.3 Timed Automata Equivalences: (Label-Preserving) Iso-
morphism
This section considers several additions to the base timed automaton formalism
and shows that for every timed automaton using one of these new features, there
is a label-preserving isomorphic automaton (see Definition 3.1.2) in the baseline
version.
3.3.1 Disjunctive Guard Constraints
The first extension considered allows disjunctions within transition guards.
Definition 3.3.1 (Disjunctive clock constraint φ ∈ Φ∨(CX)). Given a nonempty
finite set of clocks CX = {x1, x2, . . . , xn} and c ∈ Z≥0, a disjunctive clock constraint
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 73
φ may be constructed using the following grammar:
φ ::= xi < c | xi ≤ c | xi > c | xi ≥ c | φ ∧ φ | φ ∨ φ
Φ∨(CX) is the set of all possible disjunctive clock constraints over CX. 
Definition 3.3.2 (Timed automaton with disjunctive constraints). A timed automa-
ton with disjunctive clock constraints TA = (L, L0, Lu, Σ, CX, I, E∨) is a tuple where:
• L, L0 ⊆ L, Lu ⊆ L, Σ, CX, and I : L −→ Φ(CX) are as in Definition 2.2.2.
• E∨ ⊆ L×Σ×Φ∨(CX)× 2CX× L is the set of edges. In an edge e = (l, a, φ, λ, l′)
from l to l′ with action a, φ ∈ Φ∨(CX) is the guard of e, and λ represents the
set of clocks to reset to 0.

This definition differs from that of Definition 2.2.2 in that disjunctive clock
constraints are permitted in guards and transitions but not in location invariants.
The semantics of timed automata with disjunctive clock constraints in guards is
the expected adaptation of the semantics of the baseline automata (see Definition
2.2.6).
Conversion to Base Formalism
This approach is from Bérard et al. [28]. Given an edge with a guard φ that con-
tains a disjunction of constraints, we first use logical equivalences to convert φ
in a disjunction of conjunctive clauses (disjunctive normal form) and then convert
the edge to a set of edges such that each clause is the guard of some edge. For
more information on disjunctive normal form and how to convert a formula to
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 74
disjunctive normal form, see Enderton [70]. For the remainder of this conversion,
we assume that φ is in disjunctive normal form.
Formally, let e = (l, a, φ, λ, l′) be an edge where φ =
∨m
i=1 φi, is a clock con-
straint in disjunctive normal form with clauses φ1, φ2 . . . φm ∈ Φ(CX) (no disjunc-
tions in each φj). Then we remove the edge e and add each edge ej = (l, a, φj, λ, l′)
for each j from 1 to m to the edge set E. If we take a timed automaton TA that
has disjunctive guard constraints and apply this conversion, the resulting timed
automaton is called DIS(TA). DIS(TA) is a timed automaton of the base variant.
We now show that the timed automaton with disjunctive edge constraints is
label-preserving isomorphic to the timed automaton with the set of edges.
Theorem 3.3.1. Let TA = (L, L0, Lu, Σ, CX, I, E) be a timed automaton with
disjunctive constraints on its guards and let DIS(TA) = (L, L0, Lu, Σ, CX, I, E′)
be the converted timed automaton. Then TS(TA) ∼= TS(DIS(TA)) (TS(TA)
is label-preserving isomorphic to TS(DIS(TA))).
Proof of Theorem 3.3.1. Consider the function:






f is the identity function; therefore, f is a bijection.
We claim f is the isomorphism required by Definition 3.1.1. Consider a state
(l, ν) in QTS(TA) = QTS(DIS(TA)), and suppose (l, ν)
a−→ (l′, ν′) in TS(TA). In the
original automaton it took some edge e with guard φ =
∨m
i=1 φi. This can happen iff
there is an e = (l, a, φ, λ, l′) ∈ E such that ν |= φ and ν[λ := 0] |= I(l′). Assuming
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 75
φ =
∨m
i=1 φi is in DNF, this is true iff ν |= φi for some i. But e = (l, a, φ, λ, l′) ∈ E′
and (l, ν) a−→ (l′, ν′) in TS(DIS(TA)). Thus, we know that ν |= φ if and only if
there is some i where ν |= φi.
Remark 3.3.1 (Disjunctive constraints on invariants). Given the ease of converting
out disjunctive constraints on guards, one may try to apply a similar procedure
to remove disjunctions from invariants. However, this is not as easy. Consider the
constraint x1 ≤ 2 ∨ x2 ≤ 3. The set of clock valuations satisfying this constraint
forms a non-convex region. One initial attempt would be to have two locations, one
whose invariant is x1 ≤ 2 and the other whose invariant is x2 ≤ 3. However, in the
original automaton, time advances that preserve the disjunction may invalidate
one or the other of the disjuncts. Reflecting this in the new automaton would
require the introduction of actions symbols to change location. This introduction
of new action transitions fundamentally changes the semantics.
3.3.2 Timed Automata with Variables
Many sources, including Behrmann et al. [23], Ben Salah et al. [25], Bowman and
Gómez [47], Gómez and Bowman [78], Morbé et al. [127], Zhang and Cleave-
land [167, 168], allow timed automata to have finitely many variables whose val-
ues are drawn from a finite subset of the integers. These variables can be used
in constraints and assigned new values on action executions. Morbé et al. [127]
refers to these extended automata as timed automata with integer variables, while
Ben Salah et al. [25] extends the definition further by distinguishing between input
and output variables. In this section we show how the formalism of Morbé et al.
[127] can be converted to our base formalism.
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 76
Definitions
For a timed automaton with variables, we augment each location with a data val-
uation: a function assigning each variable to some integer in a finite subset of
integers.
Definition 3.3.3 (Data valuation νd ∈ DVd). Let VR be a finite set of variables
with VR ∩ CX = ∅, and let Z f ⊆ Z be such that |Z f | < ∞. A data valuation, or
an interpretation of data variables, is a function νd : VR −→ Z f . νd(p) is the value of
variable p assigned by νd. DVd is the set of all data valuations.
We use the following terminology and notation:
• If V ⊆ VR, then we refer to dA : V −→ Z f as an assignment function. For
such a dA, we use dA[V] to denote that V is the domain of dA. We use DA
to represent the set of all data assignments.
• If νd is a data valuation and dA an assignment function, then νd[dA] (or
νd[dA[V]]) denotes the data valuation after applying the assignment function
dA with domain V. This changes the values of all variables in V ⊆ VR and
leaves all values of variables not in V unchanged. Formally,
νd[dA](p) =

dA(p) p ∈ V
νd(p) p 6∈ V
(3.1)

Definition 3.3.4 (Clock constraint with variables). Given a nonempty finite set
of clocks CX = {x1, x2, . . . , xn}, a set of variables VR (CX ∩ VR = ∅), c, d ∈
Z≥0, and p ∈ VR, a clock constraint with variables φ may be constructed with the
following grammar. Note that such a constraint segregates the data-variable part
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 77
of the property (φd) from the clock part (φc).
φ ::=(φd ∧ φc)
φc ::=xi ≤ c | xi ≥ c | xi < c | xi > c | φc ∧ φc
φd ::=tt | ff | pj < d | pj > d | pj ≤ d | pj ≥ d | φd ∧ φd | φd ∨ φd
Φ(CX ∪VR) is the set of all clock constraints with variables. Recall that for clock
constraints φc, we have the following abbreviations: true (tt) for x1 ≥ 0, false (ff)
for x1 < 0, and xi = c for xi ≤ c ∧ xi ≥ c. 
As defined in Definition 2.2.1, φc is a regular clock constraint. The intuition
of the construction of clock constraints with variables is to restrict transitions by
adding data constraints to the clock constraints. Thus, satisfaction of constraints
is now (νd, ν) |= φ where νd is a data valuation and ν is a clock valuation, and is
defined similar to the satisfaction of clock constraints (Definition 2.2.4).
We separate clock and data constraints because data constraints can be more
permissive with respect to disjunction. (In the grammar above, we allow disjunc-
tion on data constraints.) In particular, when constraints are used as location in-
variants, disjunctions on clock constraints propose translational problems. See Re-
mark 3.3.1.
Definition 3.3.5 (Timed automaton with variables). A timed automaton with vari-
ables TAV = (L, L0, Lu, VR, VR0, Σ, CX, I, E) is a tuple where:
• L, L0, Lu, Σ, and CX are as in Definition 2.2.2.
• VR is the set of data variables.
• VR0 ⊆ DVd is the set data valuations representing the possible initial val-
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 78
ues of the data variables (often the single assignment of 0 for all variables,
provided 0 ∈ Z f ).
• I : L −→ Φ(CX ∪VR) gives the invariant for each location l.
• E ⊆ L × Σ × Φ(CX ∪ VR)× 2CX × DA× L is the set of edges. In an edge
e = (l, a, φ, λ, dA[V], l′) from l to l′ with action a, φ ∈ Φ(CX∪VR) is referred
to as the guard of e which has constraints both on clocks and variables. λ
represents the set of clocks to reset and dA[V] represents the data assignment
function which gives new values to the data variables in V ⊆ VR.
In this definition we require CX ∩VR = ∅. 
Definition 3.3.6 (Timed automaton with variables semantics). The semantics of a
timed automaton with variables TAV = (L, L0, Lu, VR, VR0, ΣTA, CX, I, E) is a transi-
tion system TS(TAV) = (Q, Q0, Σ,→) where:
• Q = L×DVd ×V is the set of states and q = (l, νd, ν) is a state consisting of
a location, data valuation, and clock valuation.
• Q0 = L0 × VR0 × [CX := 0] (clocks are 0 and variables are at their initial
values).
• Σ = R≥0 ∪ ΣTA.
• → ⊆ Q× Σ×Q is defined as follows:
Time advancement (l, νd, ν)
δ−→ (l, νd, ν + δ) iff
l ∈ L, l 6∈ Lu, δ ∈ R≥0, and ∀t ∈ R≥0, 0 ≤ t ≤ δ : (νd, ν + t) |= I(l).
Action execution (l, νd, ν)
a−→ (l′, νd[dA], ν[λ := 0]) iff
∃φ such that (l, a, φ, λ, dA〉, l′) ∈ E, (νd, ν) |= φ, and (νd[dA], ν[λ :=
0]) |= I(l′).
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 79









Figure 3.1: Timed automaton with variables TAV1 with variable p1. Figure is used
and adapted from Fontana and Cleaveland [74] with permission.

For each timed automaton with variables, the set of variables must be speci-
fied, and each variable must be given an initial value. Guards and invariants are
also allowed to contain constraints on variables, and edges can assign variables
new values. Assignment functions encode the changing of variables on transition
executions.
For simplicity, these automata only allow variable assignments to constants.
Should one wish to encode transitions such as variable pi transitions to pi + 1,
since pi only has a finite number of values, we can enumerate over all possible
values of pi and convert this expression into a set of transitions.
Example 3.3.1. Consider the timed automaton with variables TAV1 in Figure 3.1
with VR = {p1}, VR0 = {p1 = 0} and Σ = {a} (a’s omitted in diagram). If we
examine the edge (1, a, p1 ≥ 1, {x1, x2}, p1 := 0, 0), p1 ≥ 1 is the guard (note the
clock constraint is trivially true in this case and is omitted) and p1 := 0 is the
assignment function with dom(p1 := 0) = {p1}. 
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 80
Conversion to Base Formalism
Any timed automaton is a timed automaton with variables where VR = ∅. To con-
vert a timed automaton with variables to a timed automaton, we create more loca-
tions by replacing each location with a set of (location, variable assignment) pairs.
We then restrict edges to locations that satisfy the variable constraints: source loca-
tions must satisfy the variable constraints in the guard, and destination locations
are restricted to the source locations after executing the variable assignments on
the edges.
Definition 3.3.7 (Substituted variable constraint φ[VR 7→ νd]). Suppose variable
set VR, clock constraint with variables φ ∈ Φ(CX ∪ VR), and data valuation νd.
Because by construction, φ = φd ∧ φc, we define the substituted variable constraint
φ[VR 7→ νd] as φ[VR 7→ νd] = (φd[VR 7→ νd] ∧ φc[VR 7→ d]). We call φd[VR 7→ νd]
a substituted data constraint. Since φd is a conjunction of variable inequalities (p
denotes a variable), using ./∈ {<,≤,>,≥}, φd[VR 7→ νd] is formally defined as
follows:
φd[VR 7→ νd] =

tt φd = p ./ c and νd(p) ./ c
ff φd = p ./ c and νd(p) 6./ c
φ1[VR 7→ νd] ∧ φ2[VR 7→ νd] φd = φ1 ∧ φ2
(3.2)
The constraint is then simplified using logical equivalences, which by construc-
tion, will simplify to tt or ff. Since φc contains no data variables, φc[VR 7→ νd] =
φc. In summary, φ[VR 7→ νd] = φc if νd |= φd and φ[VR 7→ νd] = ff otherwise
(νd 6|= φd). 
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 81
The translation procedure from a timed automaton with variables to a timed
automaton is formalized as follows.
Convert a timed automaton with variables TAV to a timed automaton TA
Given TAV = (LV , L0V , LuV , VR, VR0, ΣV , CXV , IV , EV), Construct timed automa-
ton TA(TAV) = (L, L0, Lu, Σ, CX, I, E) as follows:
• L = LV × DA[VR]. Each location can be seen as a pair (l, νd), which is a
location and a data valuation.
• L0 = {(lv, νd0) | lv ∈ L0V and νd0 ∈ VR0} the set of locations with an initial
location and the initial variable assignment.
• Lu = LuV ×DVd.
• Σ = ΣV .
• CX = CXV .
• I : L −→ Φ(CX), with I(l = (lp, νd)) = I(lp)[VR 7→ νd].
(Note: I(lp) ∈ Φ(CX ∪VR); hence, I(lp)[VR 7→ νd] ∈ Φ(CX).)
• E = {((lp, νd), a, φ[VR 7→ νd], λ, (lp, νd[dA])) | (lp, a, φ, λ, dA[V], l′p) ∈ EV , νd ∈
DVd, and φ[VR 7→ νd] 6= ff}. Because multiple valuations νd result in
guards that are not false, a single edge ev ∈ EV may be converted to multiple
edges in E (Note: if a guard simplifies to ff, the edge is removed.)
The conversion makes a location for each possible (location, variable assign-
ment) pair. The new edges are similar to the original edges except that the assign-
ment function dA and the variable assignments are substituted into the guards,
invariants, and locations of the edges.
Example 3.3.2 (Converting example 3.3.1). Again consider the timed automaton













Figure 3.2: Timed automaton TA(TAV1). Only locations reachable from the initial
location are shown. Figure is used and adapted from Fontana and Cleaveland [74]
with permission.
with variables in Figure 3.1 with VR = {p1} and VR0 = {p1 = 0}. The con-
verted timed automaton is given in Figure 3.2. There are three reachable locations:
(0, p1 = 0), (1, p1 = 1), and (1, p1 = 2). (Unreachable locations are not shown.) 
The correctness of the conversion follows from Theorem 3.3.2, where TA(TAV)
is the timed automaton after applying the conversion to eliminate the variables
from timed automaton with variables TAV.
Theorem 3.3.2. Let TAV be a timed automaton with variables and
TA(TAV) be the timed automaton from our conversion. Then TS(TAV) ∼=
TS(TA(TAV)) (TS(TAV) is label-preserving isomorphic to TS(TA(TAV))).
Proof of Theorem 3.3.2. From our conversion, both automata have the same event
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 83
set Σ. Consider the function f :





= (l × νd, ν) = (l, νd, ν)
or the identity function. The function f maps Q0TS(TAV) to Q0TS(TA(TAV)) , preserving
initial states. Here f maps the variable assignment of νd to a component of the lo-
cation. This results states with different data variable assignments having different
locations.
Part 1: f is a bijection.
Because f is the identity function, f is a bijection. Here is the definition of f−1:
f−1 : QTS(TA(TAV)) −→ QTS(TVA)
f−1
(
(l × νd, ν)
)
= (l, νd, ν)
We move the assignments of variables from locations to data valuations.
Part 2: f preserves the transition relation.
We need to show:
(l, νd, ν)
δ−→ (l′, ν′d, ν′)⇔ f ((l, νd, ν))
δ−→ f ((l′, ν′d, ν′)) ∀δ ∈ R≥0 and
(l, νd, ν)
a−→ (l′, ν′d, ν′)⇔ f ((l, νd, ν))
a−→ f ((l′, ν′d, ν′)) ∀a ∈ Σ
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 84
Part 2a: Time advances: (l, νd, ν)
δ−→ (l′, ν′d, ν′)⇒ f ((l, νd, ν))
δ−→ f ((l′, ν′d, ν′)).
Suppose we have a transition (l, νd, ν)
δ−→ (l, νd, ν + δ) in TS(TVA), for some
δ ∈ R≥0. By the definition of the transition system semantics of TS(TVA) (Def-
inition 3.3.6), ∀t, 0 ≤ t ≤ δ : (l, νd, ν) + t |= I(l). By our definition of f , it fol-
lows that ∀t, 0 ≤ t ≤ δ : f ((l, ν + t)) |= I(l) iff (l, ν + t) |= I(l). If I(l) has no
variables in the constraint this is already true. If it has variable constraints, then
we know, by the definition of f , those variables satisfy the constraints in I(l)
if and only if the converted constraint I(l)[VR 7→ νd] is satisfied by f (l, νd, ν).
Thus, by the definition of timed transition system semantics, we have the edge
f ((l, νd, ν))
δ−→ f ((l, νd, ν + δ)).
Part 2b: Edge executions: (l, νd, ν)
a−→ (l′, ν′d, ν′)⇒ f ((l, νdν))
a−→ f ((l′, ν′d, ν′)).
Now suppose for some action a, (l, νd, ν)
a−→ (l′, νd, ν′), where (ν′d, ν′) =
(νd[dA], ν[λ := 0]). By the definition of the timed automaton with variables se-
mantics, this transition corresponds to an edge in the timed automaton with vari-
ables (l, a, φ, λ, dA[V], l′) such that (νd, ν) |= φ and (νd[dA], ν[λ := 0] |= I(l′).
By our conversion algorithm, the converted timed automaton has the edge (lt =
(l, νd), a, φ′, λ, l′) with φ′ = φ[VR 7→ νd]. By our definition of f , f ((l, νd, ν)) |= φ′
and f ((l′, νd[dA], ν[λ := 0])) |= I(l[VR 7→ νd)). The state f ((l′, νd[dA], ν[λ := 0]))
corresponds to f ((l, νd, ν))[λ := 0, dA[V]]. Therefore, by the definition of timed
automaton semantics, we have f ((l, νd, ν))
a−→ f ((l′, ν′d, ν′)).
Implementation Implications
While theoretically equivalent, variables provide a compact and clean notation for
states. Variables are used many in tool implementations [27, 154, 168].
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 85
3.3.3 Guarded-Command Programs
Guarded-command programs are a notation for real-timed systems used in Hen-
zinger et al. [87, 88], Zhang and Cleaveland [167]. Using the equivalence of timed
automata with variables to timed automata (see Section 3.3.2), it suffices to con-
vert guarded-command programs to and from timed automata with variables. The
conversion is based on the one given in Henzinger et al. [88].
Syntax
Definition 3.3.8 (Guarded-command program GP). A guarded-command program
GP = (CX, VR, G, φ0, φ2) is a tuple where:
• CX is the finite set of clocks.
• VR is the finite set of variables, each of which can take one of finitely many
integer values. We require CX ∩VR = ∅.
• G ⊆ Φ(CX ∪ VR) × 2CX × DA is a set of guarded commands where each
guarded command g = (ψ, Y, dA[V]), represented as g = ψ −→ (Y, dA[V]),
has a clock constraint ψ ∈ Φ(CX ∪ VR) (see Definition 3.3.4) as a guard,
clocks in Y ⊆ CX to reset and the variables V ⊆ VR to assign to the inte-
ger values specified by the data assignment function dA(V) (see Definition
3.3.3).
• φ0 ⊆ DVd is the set of initial variable values.
• φ2 ∈ Φ(CX ∪ VR) is a constraint representing the invariant of the en-
tire guarded-command program, containing both clock constraints and con-
straints on variables.

3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 86
To represent the semantics of guarded-command programs, we use clock val-
uations and data valuations (Definition 3.3.3).
Semantics
Intuitively, each guarded command g ∈ G represents an action whose guard ψ
must be true in order to execute. When this happens, the assignment function
resets the subset of clocks Y ⊆ CX to 0 and also assigns the subset of variables V ⊆
VR to values specified by the assignment function dA. The assignment function
can also choose to do nothing. Formally, we can encode the guarded-command
program as a transition system as follows.
Definition 3.3.9 (Guarded-command program semantics). Consider a guarded-
command program GP = (CX, VR, G, φ0, φ2). Then the semantics can be repre-
sented as a transition system, TS(GP), where TS(GP) = (Q, Q0, Σ,−→) and:
• Q = DVd × V . Each state is represented as (νd, ν), a data valuation (Defini-
tion 3.3.3) and a clock valuation, since each state is an assignment of clock
and variable values.
• Q0 = dA[VR := φ0]× V [CX := 0], where all data variables have their initial
assignment and clock variables are 0.
• Σ = R≥0 ∪ {a}.
• −→⊆ Q× Σ×Q is defined as follows:
Time advancement (νd, ν)
δ−→ (νd, ν + δ) iff
δ ∈ R≥0 and ∀t ∈ R≥0, 0 ≤ t ≤ δ : (νd, ν + t) |= φ2.
Action execution (νd, ν)
a−→ (νd[dA], ν[Y := 0]) iff
(ψ, Y, dA[V]) ∈ G, (νd, ν) |= ψ, and νd[dA], ν[Y := 0] |= φ2.
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 87

Converting a Guarded-Command Program to a Timed Automaton with Vari-
ables
Given a guarded-command program GP = (CX, VRG, G, φ0, φ2), construct the
timed automaton with variables TAV = (L, L0, Lu, VR, VR0, Σ, CX, I, E) as follows:
• L = {l}. Make a single “generic” location l.
• L0 = {l}.
• Lu = ∅; guarded-command programs do not have urgency.
• VR = VRG.
• VR0 = φ0.
• Σ = {a}; a is the generic action symbol.
• I : L −→ Φ(CX×VR) where I(l) = φ2. There is only one location l, and φ2
handles the invariants of the variables.
• E = {(l, a, ψ, Y, dA[V], l) | (φ, Y, dA[V]) ∈ G}. The source and target location
of each edge are both l.
We give the timed automaton with variables one location l, and give it the same
set of variables as the guarded-command program. Each guard of the guarded-
command program becomes a self-loop edge with the same guard and assignment
function.
Converting a Timed Automaton to a Guarded-Command Program
Given a timed automaton TA = (L, L0, Lu, Σ, CX, I, E) (assuming L ⊆ Z, Σ = {a}
or Σ = ∅ since the events are abstracted out, and assuming Lu = ∅), construct the
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 88
guarded-command program GP = (CX, VRG, G, φ0, φ2) as follows:





(loc = l ∧ ψ) −→ Y, dA′[loc]
)
, where dA′[loc] is defined to
be the variable assignment function with domain loc such that the variable
loc is assigned to the value of location l′ (dA′(loc) = l′).




(loc = l ∧
∧
l′ 6=l
(loc 6= l′) ∧ I(l)).
This conversion takes the timed automaton and introduces a variable loc to
represent the location as an integer variable. Transitions change location by chang-
ing the value of variable loc. This conversion also ignores actions.
Correctness of Conversions
The correctness of the conversions follow from these two theorems that show
there is a label-preserving isomorphism between the semantics of the two sys-
tems. These theorems assume that the timed automaton with variables has a sin-
gle action symbol a ∈ Σ to accommodate the restriction of guarded-command
programs not having events. The conversions still hold (with similar theorems) if
guarded-command programs are augmented to have action symbols.
Theorem 3.3.3. Let GP be a guarded-command program and TAV(GP) be
the timed automaton with variables from the conversion. Then TS(GP) =
TS(TAV(GP)) (TS(GP) is label-preserving isomorphic to TS(TAV(GP))).
Proof of Theorem 3.3.3. From our conversion, both automata have the same the
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 89
event set Σ = {a, δ} with δ ∈ R≥0. Consider the function f :





= (l × νd, ν)
The function f preserves the variable assignment and maps to the generic location
l (which is the generic location loc). In the guarded-command program, the vari-
able assignments and clock assignments contain all of the state information. The
function f maps Q0TS(GP) to Q0TS(TVA(GP)) , preserving initial states. Each state q in
QGP represents a location, an assignment to each variable, and an assignment to
each clock. f (q) gives us the state in QTS(TVA(GP)), with the variable assignments
corresponding to νd and the clock assignments corresponding to ν.
Part 1: f is a bijection.
We know that f is a bijection because our conversion converts each state in
QTS(GP) to one and only one state in QTS(TVA(GP)) (the function is like the identity
but adds on a “dummy” location l). Here is the definition of f−1:
f−1 : QTS(TVA(GP)) −→ QTS(GP)
f−1
(
(l × νd, ν)
)
= (νd, ν)
Here, f−1 removes the extraneous single-valued variable l encoding a location.
Part 2: f preserves the transition relation.
We need to show:
(νd, ν)
δ−→ (ν′d, ν′)⇔ f ((νd, ν))
δ−→ f ((ν′d, ν′)) ∀δ ∈ R≥0 and
(νd, ν)
a−→ (ν′d, ν′)⇔ f ((νd, ν))
a−→ f ((ν′d, ν′)) ∀a ∈ Σ
3.3. Timed Automata Equivalences: (Label-Preserving) Isomorphism 90
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
Part 2a: Time advances: (νd, ν)
δ−→ (ν′d, ν′)⇒ f ((νd, ν))
δ−→ f ((ν′d, ν′)).
Since the location is an encoding of νvr[VR], and νd has the same variable
assignments as f ((νd, ν)), this holds.
Part 2b: Edge executions: (νd, ν)
a−→ (ν′d, ν′)⇒ f ((νd, ν))
a−→ f ((ν′d, ν′)).
Since the location is an encoding of νd and (νd, ν) = f ((νd, ν)), this holds. Each
guard in the guarded-command program is an edge in the transition system, and
that same guard is a self-loop in the timed automaton with variables (which its
transition system represents as an edge).
Theorem 3.3.4. Let TA be a timed automaton with Σ = {a} and GP(TAV)
be the the guarded-command program from the conversion. Then TS(TA) ∼=
TS(GP(TA)).
Proof of Theorem 3.3.4. The proof is similar to the proof of Theorem 3.3.3.
Remark 3.3.2 (Past closed invariants). Henzinger et al. [88] restricts guarded-command
program invariant clock constraints to be past-closed. A clock constraint φ is past-
closed if and only if for all ν ∈ V and for all δ > 0, (ν + δ |= φ) ⇒ (ν |= φ).
This restriction is a modeling convenience. The provided conversions are correct
regardless of whether the guarded-command program is past closed or not. Fur-
thermore, any past-closed guarded-command program will be converted into a
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 91
past-closed timed automaton and vice versa. For generality, we present guarded-
command programs without the restriction of past-closed invariants.
3.4 Timed Automata Equivalences: Isomorphism of Reach-
able Subsystems
This section discusses variants with a slightly weaker equivalence to the baseline
timed automaton: reachable subsystem isomorphism (Definition 3.1.4).
3.4.1 Unsatisfied Invariants
When timed automata are defined, the transition semantics are influenced by the
invariants of the source and target locations, and these invariants are used differ-
ently in different timed automata variants. While invariants can always prevent
time advances in a location, invariants can only sometimes restrict action execu-
tions. Throughout the literature, there are two common variants: either the target
locations’ invariant must be true after an execution, or the target locations’ invari-
ant does not affect an action execution. Both invariant interpretations are widely
used.
To examine this difference, consider the baseline automaton’s semantics of
−→:
−→ ⊆ Q× Σ×Q is defined as follows:
Time advancement (l, ν) δ−→ (l, ν + δ) iff
l ∈ L, l 6∈ Lu, δ ∈ R≥0 and ∀t ∈ R≥0, 0 ≤ t ≤ δ : ν + t |= I(l).
Action execution (l, ν) a−→ (l′, ν[λ := 0]) iff
there is a φ such that (l, a, φ, λ, l′) ∈ E, ν |= φ, and ν[λ := 0] |= I(l′).
This interpretation is used in Bengtsson and Yi [27], Bouyer and Laroussinie
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 92
[38], Olderog and Dierks [131], Tripakis [151], Wang [159], Yovine [164]. In the
above version, for actions to be executed, the target locations’ invariants must be
satisfied.
Alternatively, we could allow action executions to enter states whose location
invariants are unsatisfied. This yields the semantics:
−→ ⊆ Q× Σ×Q is defined as follows:
Time advancement (l, ν) δ−→ (l, ν + δ) iff
l ∈ L, l 6∈ Lu, δ ∈ R≥0, and ∀t ∈ R≥0, 0 ≤ t ≤ δ : ν + t |= I(l).
Action execution (l, ν) a−→ (l′, ν[λ := 0]) iff
there is a φ such that (l, a, φ, λ, l′) ∈ E, and ν |= φ.
This interpretation is used in Alur [5], Baier and Katoen [17], Behrmann et al.
[23], Beyer and Noack [29], Clarke et al. [55], Zhang and Cleaveland [167]. Accord-
ing to the above definition, if a target location’s invariant is not satisfied, action
executions into it are allowed, but no time is allowed to elapse from that state.
Actions can then be executed from that location. Assuming 0-unit time-advances
are disallowed in urgent locations, this is the semantic equivalent of urgency (see
Section 2.2.4 and Section 3.4.1).
Example 3.4.1 (Unsatisfied invariant). Consider the timed automaton in Figure
3.3. Let us examine the difference between the two interpretations of invariants.
If we forbid actions into states with unsatisfied invariants, then no execution can
enter location 1. On the other hand, if we treat each state with an unsatisfied in-
variant as urgent and allow action executions, some executions can enter location 1
and then immediately transition into location 2. From location 2, those executions
can transition at will into location 3. 
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 93











Figure 3.3: Timed automaton where the invariant is always initially unsatisfied
at location 1. Figure is used and adapted from Fontana and Cleaveland [74] with
permission.
Our baseline theory uses the first interpretation of invariants: the target lo-
cation’s invariant must be satisfied for an action execution to occur. The variant
presented in this section uses the second interpretation: the target location’s in-
variant does not influence action executions.
Unlike other variants, the baseline variant is not a special case of this variant.
Consequently, we not only present the conversion to the baseline formalism but
also present the conversion from the baseline formalism to this variant. Because
both conversions rely on the reset predecessor operator, we define this operator first.
Reset Predecessor Definition
When computing the reset predecessor operator, we perform substitution into
clock constraints. Similar to substituted variable constraints (Definition 3.3.7), we
define an operation that allows clocks in a clock constraint to be replaced with a
constant.
Definition 3.4.1 (Substituted clock constraint φ[Y 7→ D]). Given a clock constraint
φ ∈ Φ(CX), subset of clocks Y ⊆ CX, and constant vector D ∈ (Z≥0)|Y|, the
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 94
substituted clock constraint φ[Y 7→ D] is a clock constraint (φ[Y 7→ D] ∈ Φ(CX))
where each clock xi in Y is replaced with its relevant constant D(xi). Formally for
./∈ {<,≤,>,≥,=}:
φ[Y 7→ D] =

xi ./ c φ = xi ./ c and xi 6∈ Y
tt φ = xi ./ c, xi ∈ Y, and D(xi) ./ c
ff φ = xi ./ c, xi ∈ Y, and D(xi) 6./ c
φ1[Y 7→ D] ∧ φ2[Y 7→ D] φ = φ1 ∧ φ2
The resulting formula is then simplified using logical equivalences to yield a clock
constraint. If the vector D is a single constant d for all clocks Y, we will write
φ[Y 7→ d].
While this substitution operator is a syntactic operator on a clock constraint, a
clock constraint will often be interpreted as a set of valuations and this operator
may be interpreted as changing a set of valuations into another set of valuations.

With this substituted clock constraint, given a clock constraint φ in Φ(CX) and
a set of clocks Y to reset to 0, the reset predecessor operator, resetPred(φ, Y) is
defined (and computed) as resetPred(φ, Y) = φ[Y 7→ 0]. This operator converts
the clock constraint φ to the clock constraint representing the precondition for φ
with respect to the reset operations on the clocks in Y.
In order to handle substitution with clock difference constraints, we extend
substitution on clock constraints to handle clock difference constraints.
Definition 3.4.2 (Substituted clock difference constraint φ[Y 7→ d]). Given clock
constraint φ ∈ Φ−(CX), constant d ∈ Z≥0 and a subset of clocks Y ⊆ CX, the
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 95
substituted clock difference constraint φ[Y 7→ d] is a clock constraint (φ[Y 7→ d] ∈
Φ−(CX)) where each clock xi in Y is replaced with the constant d. Formally,
φ[Y 7→ d] =

xi ./ c φ = xi ./ c and xi 6∈ Y
d ./ c φ = xi ./ c and xi ∈ Y
xi − xj ./ c φ = xi − xj ./ c and xi, xj /∈ Y
xi − d ./ c φ = xi − xj ./ c and xi 6∈ Y, xj ∈ Y
d− xj ./ c φ = xi − xj ./ c and xi ∈ Y, xj /∈ Y
0 ./ c φ = xi − xj ./ c and xi, xj ∈ Y
φ1[Y 7→ d] ∧ φ2[Y 7→ d] φ = φ1 ∧ φ2
Inequalities involving only constants are simplified to tt or ff. The constraint
is then simplified using logical equivalences to yield a clock constraint. Within
resetPred(φ, Y), we will commonly use d = 0.
While this substitution operator is a syntactic operator on a clock constraint, a
clock constraint will often be interpreted as a set of valuations and this operator
may be interpreted as changing a set of valuations into another set of valuations.

Hence, the extended reset predecessor operator is the same substitution as the
operator when φ is not a clock difference constraint: resetPred(φ, Y) = φ[Y 7→ 0].
We prove the correctness of the extended version of resetPred(φ, Y). Since
the non-extended version is a subset of these cases, its proof of correctness follows
directly from this proof.
The proofs for both conversions depend on the correctness of resetPred(φ, Y),
which is proven in Theorem 3.4.1. When reading this theorem, note that a clock
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 96
constraint can be interpreted as the set of valuations that satisfy the constraint.
Theorem 3.4.1. For any clock valuation ν, any clock set Y ⊆ CX, and any
clock constraint φ, ν |= resetPred(φ, Y) if and only if ν[Y := 0] |= φ.
Proof of Theorem 3.4.1. Let ν be an arbitrary valuation and Y be a subset of clocks
(assuming the dummy clock x0 6∈ Y). We prove this by structural induction of φ.
Case 1: φ = x ≤ c.
If x 6∈ Y, then the claim is true. If x ∈ Y, then resetPred(φ, Y) ≡ c ≥ 0. We
have ν[Y := 0] |= φ if and only if c ≥ 0.
Case 2: φ = x < c.
Similar to Case 1, after replacing c ≥ 0 with c > 0.
Case 3: φ = x ≥ c.
Similar to Case 1. If x 6∈ Y, then the constraint is unchanged. If x ∈ Y, then the
preset is equivalent to c ≤ 0.
Case 4: φ = x > c.
Similar to Case 3, after replacing c ≤ 0 with c < 0.
Case 5: φ = xi − xj ≤ c.
If xi, xj /∈ Y, then since the constraint is unchanged, the claim is true.
If xi, xj ∈ Y, then ν[Y := 0] |= φ if and only if c ≥ 0. Consequently, the value
of resetPred(φ, Y) ≡ c ≥ 0: the same constraint.
Now assume xi ∈ Y, xj 6∈ Y. We know ν[Y := 0] |= φ if and only if −ν(xj) ≤ c.
resetPred(φ, Y) ≡ −xj ≤ c; hence, this case is true.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 97
Now assume xi 6∈ Y, xj ∈ Y. We know ν[Y := 0] |= φ if and only if ν(xi) ≤ c.
resetPred(φ, Y) ≡ xi ≤ c; hence, this case is true.
Case 6: φ = xi − xj < c.
Similar to Case 5, after replacing ≤ with <.
Case 7: φ = φ1 ∧ φ2.
By the Induction Hypothesis, ν |= resetPred(φ1, Y) if and only if ν[Y := 0] |=
φ1, and ν |= resetPred(φ2, Y) if and only if ν[Y := 0] |= φ2. By our algorithm,
resetPred(φ1 ∧ φ2, Y) = resetPred(φ1, Y) ∧ resetPred(φ2, Y). After applying
the definition of |= for clock valuations, this case is true.
We use the previous Theorem to prove a useful Corollary.
Corollary 3.4.1. For all clock valuations ν, clock sets Y ⊆ CX, clock constraints
φ and location l′, ν |= φ ∩ resetPred(I(l′), Y) if and only if (ν |= φ and ν[Y :=
0] |= I(l′)). Likewise, ν |= φ ∩ ¬resetPred(I(l′), Y) if and only if (ν |= φ and
ν[Y := 0] 6|= I(l′))
Proof of Corollary 3.4.1.
ν |= φ ∩ resetPred(I(l′), Y)⇔ (3.3)
ν |= φ and ν |= resetPred(I(l′), Y)⇔ by definition of |= (3.4)
ν |= φ and ν[Y := 0] |= resetPred(I(l′), Y) by Theorem 3.4.1 (3.5)
The proof of the likewise statement is similar.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 98
Conversion 1: Conversion to Baseline Version
We take the variant that treats any state with an unsatisfied invariant as urgent
and convert it to our baseline version, which forbids action executions into states
having unsatisfied invariants. The original and converted timed automata have
isomorphic reachable subsystems. This conversion, for convenience, assumes that
the automaton we are converting has no urgent locations. Because giving a lo-
cation the invariant ff is equivalent to making that location urgent, we lose no
expressive power.
Conversion Idea: The idea underlying the construction is to make a copy of
each location l (named lu), which represents the urgent version of l. Make the
invariant of lu tt. Each edge now becomes four edges: two outgoing edges from
location l, and two outgoing edges from location lu. For location l, one edge goes
to its destination l′ and a second goes to the urgent copy of l′, l′u. To the edges
going to l′, we add a constraint establishing I(l′) will be true when we enter l′. On
the other hand, to the edges going to l′, we add a constraint establishing I(l′) will
be false when we enter l′u. By design, the constraint we add to the second copy is
the negation of the first constraint. To avoid disjunctive constraints on guards, any
edge with such a constraint is converted to a set of edges (as is done in Section
3.3.1).
Formal Conversion: Given TA = (L, L0, Σ, CX, I, E) we produce
TA′ = (L′, L′0, L
′
u, Σ, CX, I′, E′) as follows:
• L′ = L ∪ {l′u | l ∈ L}.
• L′0 is defined as follows. First, consider the set Linv = {l0 | l0 ∈ L0 and
(l0, ν0) |= I(l0)}. The valuation ν0 is the initial valuation where all clocks are
0. Let Ld be |L0| − |Linv| copies of a dead state l′d. Then L′0 = Linv ∪ Ld.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 99
• L′u = {l′u | l ∈ L}.
• CX′ = CX.
• I′ : L′ −→ Φ(CX′) is the function: I′(l′) = I(l′) if l′ ∈ L, I(l′d) = ff, and
I(l′) = tt otherwise (l′ ∈ {lu | l ∈ L}). For these urgent locations, we make
the invariant true to allow all proper action executions.
• E′ = is the set of edges defined as follows. For each edge (l, a, φ, λ, l′) ∈ E,
the set of edges in E′ includes:
(l, a, ψl,l , λ, l′), where ψl,l = φ ∧ resetPred(I(l′), λ)
(l, a, ψl,u, λ ∪ {xu}, l′u), where ψl,u = φ ∧ ¬resetPred(I(l′), λ)
(lu, a, ψu,l , λ, l′), where ψu,l = φ ∧ resetPred(I(l′), λ)
(lu, a, ψu,u, λ, l′u) where ψu,u = φ ∧ ¬resetPred(I(l′), λ).
Disjunctive guard constraints may arise from negating resetPred(I(l′), λ).
Following the process used in Section 3.3.1, any disjunctive guard constraints
is eliminated by converting the edge with such a constraint to a set of edges.
Any edge with a guard constraint logically equivalent to ff is removed from
E′. Note: E′ has no outgoing edges from the dead locations l′d.
If every initial state satisfies its location’s invariant, then L′0 = L0. This defini-
tion of L0 replaces initial states that do not satisfy their invariants with the same
number of dead states. (We need to add an equal number of missing states to
ensure that the function mapping converted states to original states is a bijection.)
Additionally, the above conversion illustrates the (subtle) need for urgency to dis-
allow 0-time unit advances; if urgency were to allow 0-time unit advances, then
urgent states would have additional transitions: 0-unit time advances.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 100
The converted automaton has twice as many locations and up to four times
as many edges as the original automaton plus the edges that come from elim-
inating disjunctive guard constraints. While in theory, the negation of the reset
predecessor may have up to 2|CX| disjunctions (consider negating the constraint
x1 = 3 ∧ x2 = 3 ∧ . . . ∧ xn = 3 using xi = 3 ≡ xi ≤ 3 ∧ xi ≥ 3), in practice the
negation of a reset predecessor usually has no more than a few disjuncts; hence,
in practice, the number of additional edges is small.
Example 3.4.2 (Continuation of Example 3.4.1). We convert the timed automaton
in Figure 3.3 to our baseline formalism and add urgent copies of additional loca-
tions to represent states with unsatisfied invariants as urgent. We know that
resetPred(x1 < 2 ∧ x2 > 2, {x2}) = ff and we also know that
¬resetPred(x1 < 2 ∧ x2 > 2, {x2}) = tt; hence, we add the urgent location 1u
to mimic location 1. The converted automaton (only reachable locations shown)
is in Figure 3.4. Notice that location 1 is unreachable from the initial state, and is
therefore omitted, as are the urgent versions of 2 and 3. 
Because we introduce states that are never reached when we convert the timed
automaton, the original and converted automata are not isomorphic. Nevertheless,
if we restrict the transition systems to only the states reachable from initial states,
we can establish isomorphism. Thus, we show that the original and converted
automata have a reachable subsystem isomorphism.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 101











Figure 3.4: Timed automaton from Figure 3.3 converted into our baseline formal-
ism with urgent location 1u. Only locations with states reachable from the initial
state are shown. Figure is used and adapted from Fontana and Cleaveland [74]
with permission.
Theorem 3.4.2. Let TA be a timed automaton having the semantics of allow-
ing action executions into states with unsatisfied invariants and let INV(TA)
be the converted automaton having semantics disabling action executions into
states with unsatisfied invariants. Their reachable subsystems are isomorphic
(TS(TA) ∼=r TS(INV(TA))).
Proof of Theorem 3.4.2. Each initial state of TA that does not satisfy its location’s
invariant has its location replaced with its own dead state ld. As a result, the
states with unsatisfied invariants are mapped to the dead states. Having an equal
number of dead states ensures that our function is a bijection. Also, these dead
states can reach no other states because their invariants are ff. Hence, for the
remainder of the proof, we assume that all initial states satisfy their locations’
invariants.
From our conversion, both automata have the same event set Σ. Consider the
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 102
function f over the reachable states:







(l, ν), if ν |= I(l)
(lu, ν) otherwise.
The function f maps Q0TS(TA) to Q0TS(INV(TA)) , preserving initial states (here we use
the premise that all initial states satisfy their invariants; hence, they are reachable).
When the invariant is false, f maps a location to its urgent copy in the converted
automaton.
Part 1: f is a bijection.
From the definition of f , f is one-to-one.
Suppose we have a state (linv, νinv) in INV(TA) that is not mapped to by f .
We claim (linv, νinv) is not reachable from an initial state. By the definition of f ,
if linv is not an urgent copy and νinv |= I(linv), then (linv, νinv) is covered by f .
Likewise, if linv is an urgent copy location lu and (l, νinv) 6|= I(l), then (linv, νinv)
is covered by f . If linv is an urgent copy location lu and (l, νinv) |= I(l), then by
the construction of INV(TA), this state is not reachable. If linv is not an urgent
copy and νinv 6|= I(linv), then (linv, νinv) is not reachable by the definition of the
semantics of INV(TA). Note: in this case we use the assumption that all initial
states satisfy their invariants. Thus, f is onto.
Here is the definition of f−1:










= (l, ν) lu the urgent copy of l,
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 103
From the proof of f being a bijection, we know either a state or its urgent copy
(possibly both) is not reachable.
Part 2: f preserves the transition relation.
We need to show:
(l, ν) δ−→ (l′, ν′)⇔ f ((l, ν)) δ−→ f ((l′, ν′)) ∀δ ∈ R≥0
(l, ν) a−→ (l′, ν′)⇔ f ((l, ν)) a−→ f ((l′, ν′)) ∀a ∈ Σ
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
Part 2a: Time advances: (l, ν) δ−→ (l′, ν′)⇒ f ((l, ν)) δ−→ f ((l′, ν′)).
Suppose we have the transition (l, ν) δ−→ (l, ν + δ). By definition of transition
system semantics, ν |= I(l), ν + δ |= I(l) and ∀t, 0 ≤ t ≤ δ : ν + t |= I(l). Thus,
by our definition of f and our conversion, f ((l, ν)) = (l, ν) and ν |= I(l) and
∀t, 0 ≤ t ≤ δ : f ((l, ν + t)) = (l, ν + t) and ν + t |= I(l). (To prove the⇐ direction,
utilize that time cannot advance in an urgent state. This utilizes that urgent states
prevent 0-unit time advances.)
Part 2b: Edge executions: (l, ν) a−→ (l′, ν′)⇒ f ((l, ν)) a−→ f ((l′, ν′)).
Now suppose we have the transition (l, ν) a−→ (l′, ν[λ := 0]). By the definition
of transition system semantics, TA has the edge e = (l, a, φ, λ, l′), and ν |= φ. We
have two cases: either ν[λ := 0] |= I(l′) or it does not.
Case 2b1: ν[λ := 0] |= I(l′). Suppose ν[λ := 0] |= I(l′). Now we have two
cases: ν |= I(l) or ν 6|= I(l). Assume ν |= I(l). By our conversion, we have
the edge e = (l, a, φ ∩ resetPred(I(l′), λ), λ, l′) in INV(TA). By our conversion,
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 104
f ((l′, ν[λ := 0])) = (l′, ν[λ := 0]). Since we assume ν[λ := 0] |= I(l′) and ν |= φ,
by Corollary 3.4.1, we know ν |= φ∩ resetPred(I(l′), λ). Therefore, INV(TA) has
the transition f ((l, ν)) a−→ f ((l′, ν[λ := 0])).
Now assume ν 6|= I(l). Thus, f (l, ν) = (lu, ν[xu := 0]). By our conversion, we
use the edge eu = (lu, a, φ ∩ resetPred(I(l′), λ), λ, l′) in INV(TA). Otherwise, the
proof is the same as the previous case’s.
Case 2b2: ν[λ := 0] 6|= I(l). Now suppose ν[λ := 0] 6|= I(l′). We have two cases:
ν |= I(l) or ν 6|= I(l). Assume ν |= I(l). By our conversion, f ((l′, ν[λ := 0])) =
(l′u, ν[λ := 0]). Since l′u is the urgent copy of l′, we know ν[λ := 0] |= I(l′u). Since
ν |= φ, by Corollary 3.4.1, we know that ν |= φ ∩ ¬resetPred(I(l′), λ). By the
definition of transition system semantics, INV(TA) has the transition f ((l, ν)) a−→
f (l′, ν[λ := 0]).
Now assume ν 6|= I(l). Thus, f (l, ν) = (lu, ν). By our conversion, we use the
edge eu = (lu, a, φ∩¬resetPred(I(l′), λ), λ, l′u) in INV(TA). Otherwise, the proof
is the same as the previous case’s.
Conversion 2: Conversion from Baseline Version
In this instance, the baseline version has different semantics than the other version
and cannot be considered a special case of that variant. Hence, we provide the
conversion from the baseline formalism.
Conversion Idea: This conversion takes an automaton that disallows actions
into states with unsatisfied invariants and converts the automaton to one whose
semantics allow action executions into states with unsatisfied invariants. The con-
version works by adding the reset predecessor of the destination state’s invariant
to each edge. In addition, this conversion also eliminates urgent locations from
the baseline version and replaces those locations with locations with the invariant
ff.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 105
Formal Conversion: Given TA = (L, L0, Lu, Σ, CX, I, E) we produce TA′ =
(L, L′0, Σ, CX, I, E
′) as follows:
• L′0 is defined as follows. First, consider the set Linv = {l0 | l0 ∈ L0 and (l0, ν0) |=
I(l0)}. The valuation ν0 is the initial valuation where all clocks are 0. Let Ld
be |L0| − |Linv| copies of a dead state l′d. Then L′0 = Linv ∪ Ld.
• I′ : L −→ Φ(CX) is the function: I(l′) = I(l′) if l′ 6∈ Lu, I(l′d) = ff and
I(l′) = ff if l′ ∈ Lu. We give the invariant ff to previously-urgent locations
to prevent all time advances (even those of 0 units).
• E′ = {(l, a, φ ∧ resetPred(I(l′), λ), λ, l′) | (l, a, φ, λ, l′) ∈ E}. Note: E′ has no
outgoing edges from the dead locations l′d.
Again, if every initial state satisfies its location’s invariant, then L′0 = L0. This
definition of L0 replaces initial states that do not satisfy invariants with the same
number of dead states. (We need to add an equal number of missing states to
ensure that the function mapping converted states to original states is a bijection.)
Notice that the converted automaton has no urgent locations; the invariant ff
handles the urgency. Given that an invariant is a clock constraint in Φ(CX), the
reset predecessor will also be a clock constraint in Φ(CX); as a result, there are
no disjunctive guard constraints. Thus, the converted automaton has the same
number of locations and the same number of edges as the original automaton.
The correctness follows from this theorem.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 106
Theorem 3.4.3. Let TA be a timed automaton having the semantics of
disabling action executions into states with unsatisfied invariants and let
URG(TA) be the converted automaton having the semantics of allowing ac-
tion executions into states with unsatisfied invariants. Their reachable subsys-
tems are isomorphic (TS(TA) ∼=r TS(URG(TA))).
Proof of Theorem 3.4.3. For each initial state of TA that does not satisfy its loca-
tion’s invariant, it is mapped to a dead state l′d in URG(TA). Having an equal
number of states allows the function to be a bijection, and by construction, neither
of these states can advance time or execute an action. Hence, for the rest of the
proof, we assume that all the initial states of TA satisfy their locations’ invariants.
From our conversions, both automata have the same event set Σ. Consider the
function f over the reachable states:






or the identity function. The function f maps Q0TS(TA) to Q0TS(URG(TA)) , preserving
initial states (here we use the premise that all initial states satisfy their invariants;
hence, they are reachable). Since we are only concerned with reachable states, we
are not worried about covering every state in QTS(URG(TA)); states with unsatisfied
invariants are not reachable.
Part 1: f is a bijection. By definition of f , f is one-to-one. Since all initial states
satisfy their invariants, all reachable states in Q and Qurg satisfy their invariants.
Because we restrict ourselves to reachable states, f is onto. Therefore, f is a bijec-
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 107
tion.
Here is the definition of f−1:






Again, every reachable state in QTS(URG(TA)) satisfies its invariant.
Part 2: f preserves the transition relation.
We need to show:
(l, ν) δ−→ (l′, ν′)⇔ f ((l, ν)) δ−→ f ((l′, ν′)) ∀δ ∈ R≥0 and
(l, ν) a−→ (l′, ν′)⇔ f ((l, ν)) a−→ f ((l′, ν′)) ∀a ∈ Σ
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
Part 2a: Time advances: (l, ν) δ−→ (l′, ν′)⇒ f ((l, ν)) δ−→ f ((l′, ν′)).
First assume (l, ν) δ−→ (l, ν + δ). By definition of the transition system seman-
tics, ∀t, 0 ≤ t ≤ δ : ν + t |= I(l). By our conversion, ∀t, 0 ≤ t ≤ δ : ν + t |= I(l) is
true in URG(TA). Hence, we have the transition f ((l, ν)) δ−→ f ((l, ν + δ)).
Part 2b: Edge executions: (l, ν) a−→ (l′, ν′)⇒ f ((l, ν)) a−→ f ((l′, ν′)).
Now suppose (l, ν) a−→ (l, ν[λ := 0]). By definition of the transition system,
we have an edge e = (l, a, φ, λ, l′), ν |= φ, and ν[λ := 0] |= I(l′). By Corollary 3.4.1,
ν |= φ ∩ resetPred(I(l′), λ) and by the definition of f , f ((l, ν)) = (l, ν). Thus, we
have the transition f ((l, ν)) a−→ f ((l, ν[λ := 0])) in URG(TA).
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 108
Subtleties with Urgency
Urgency is used for cleaner modeling and is supported in tools. Some sources
using urgency include Behrmann et al. [23], Dong et al. [65], Olderog and Dierks
[131]. The version used in Behrmann et al. [23] allows 0-unit time advances while
our version does not. On the one hand, these versions are operationally equivalent.
On the other hand, this difference does affect the satisfaction of certain logical
formulas.
If we wish to have the kind of urgency used in Behrmann et al. [23], we can
use the following conversion:
1. Add an extra clock xu. This clock can be used for all urgent locations.
2. Give all urgent locations the invariant xu = 0.
3. Reset xu on all incoming edges to each urgent location lu.
4. Make each urgent location non-urgent.
While seemingly insignificant, disallowing 0-unit time advances in urgent lo-
cations is necessary to give urgent locations enough power to represent timed au-
tomata that allow action executions into locations with unsatisfied invariants (see
Section 3.4.1). In addition, these 0-unit time advances influence formulas written
in the timed modal-mu calculus of Laroussinie et al. [108], Sokolsky and Smolka
[147]. For example, consider the formula, “there exists a time advance to a state
where x1 = 0.” When x1 is initially 0, the formula is true if and only if we allow
time advances of 0 time units. When invariants are satisfied, all sources the au-
thors consulted, including Alur [5], Baier and Katoen [17], Clarke et al. [55], Wang
et al. [161], allow 0-unit time advances in non-urgent locations.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 109
3.4.2 Clock Difference Inequalities in Clock Constraints
Some sources, including Bengtsson and Yi [27], Yovine [164], allow inequalities
on clock differences in clock constraints. Timed automata without clock difference
inequalities in clock constraints are often called diagonal-free automata [27, 43].
First, we extend clock constraints to support clock difference inequalities. These
constraints are called clock difference constraints.
Definition 3.4.3 (Clock difference constraint φ ∈ Φ−(CX)). Given a nonempty
finite set of clocks CX = {x1, x2, . . . , xn} and c ∈ Z≥0 (a non-negative integer), a
clock difference constraint φ may be constructed using the following grammar:
φ ::= xi < c | xi ≤ c | xi > c | xi ≥ c | xi − xj < c | xi − xj ≤ c | φ ∧ φ
Φ−(CX) is the set of all possible clock difference constraints over CX. We use the
following abbreviations: xi − xj > c for xj − xi < −c, xi − xj ≥ c for xj − xi ≤ −c,
and xi − xj = c for xi − xj ≤ c ∧ xi − xj ≥ c. 
With these clock constraints, we can extend timed automata to support clock
difference inequalities in both the invariants and the guards.
Definition 3.4.4 (Timed automaton with clock difference constraints). A timed
automaton with clock difference constraints TA = (L, L0, Lu, Σ, CX, I, E) is defined as
a timed automata (Definition 2.2.2) with the following differences:
• I : L −→ Φ−(CX) gives a clock difference constraint for each location l. I(l)
is referred to as the invariant of l.
• E ⊆ L×Σ×Φ−(CX)× 2CX × L is the set of edges. Edges are the same except
that guards can be clock difference constraints.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 110

To define satisfaction of a clock difference constraint, we extend the definition
of ν |= φ (Definition 2.2.4) to say that ν |= xi − xj ./ c (./∈ {<,≤,>,≥}) if and
only if ν(xi)− ν(xj) ./ c. The semantics of these timed automata is then defined
in a similar manner to the semantics of the baseline version (Definition 2.2.6).
In our conversion, we will often replace an inequality in a clock constraint
with tt or ff. If the inequality is xi ./ c or xi − xj ./ c, we use φ[xi ./ c 7→ tt] or
φ[xi − xj ./ c 7→ ff] to replace an inequality in φ with tt or ff. If the constraint
is not in φ, then this operator leaves φ unchanged. This definition is similar to the
definition of clock constraint substitution (Definition 3.4.1).
Conversion
We can convert any timed automaton with clock difference inequalities in its con-
straints to an equivalent timed automaton without clock difference inequalities.
This conversion is taken from Bérard et al. [28].
Conversion Idea: Clock difference inequalities are invariant under time-passage
transitions. Since these transitions cannot induce a location change in a timed au-
tomaton, it suffices to enrich the location set to have each location encode which
clock differences are true. Transitions that are incident on these locations would
then combine this information with any clock resets in order to determine the new
target location.
Formal Conversion. Let TA = (L, L0, Lu, ΣTA, CX, I, E) be a timed automaton
with clock difference constraints. We convert out one inequality at a time, repeat-
ing the same procedure on the resulting automaton with the next inequality. Since
all inequality types are similar, throughout the conversion denote the inequality
in TA that we convert out as x− y ./ c (./∈ {<,≤,>,≥}).
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 111
Given an inequality x − y ./ c, we produce two location components: ct, rep-
resenting x − y ./ c is true; and c f , representing x − y ./ c is false. We use the
notation cb (b ∈ {t, f }) as a variable whose value is ct or c f . With the location
components ct and c f , we replace each location l with the two locations (l, ct) and
(l, c f ). Throughout executions, ct and c f are used to correctly encode the truth of
x− y ./ c.
To write this in shorthand, we use the reset predecessor operator resetPred(φ, Y)
from Section 3.4.1 extended to handle clock differences. The operation is still sub-
stitution with resetPred(φ, Y) = φ[Y 7→ 0], and its extended definition was given
in Definition 3.4.2.
Thus, we convert the timed automaton TA = (L, L0, Lu, Σ, CX, I, E) to the
timed automaton DF(TA) = (Ld f , L0d f , Lud f , Σ, CX, Id f , Ed f ) given as follows:
• Ld f = {(l, ct) | l ∈ L} ∪ {(l, c f ) | l ∈ L}.
• L0d f = {(l, ct) | l ∈ L0} if [CX := 0] |= x − y ./ c and {(l, c f ) | l ∈ L0}
otherwise ([CX := 0] 6|= x− y ./ c).
• Lud f = {(l, ct) | l ∈ Lu} ∪ {(l, c f ) | l ∈ Lu}.
• Id f : Ld f −→ Φ(CX) where I((l, ct)) = I((l, c f )) = I(l) if x − y ./ c is
not contained in I(l). Otherwise, I((l, ct)) = I(l)[(x − y ./ c) 7→ tt] and
I((l, c f )) = I(l)[(x− y ./ c) 7→ ff].
• Ed f is constructed as follows. For each edge e = (l, a, φ, λ, l′), we construct
the following edges based on φ, λ, and the constraint x− y ./ c. The set Ed f
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 112
includes the following edges:
(
(l, ct), a, ψt,t, λ, (l, ct)
)
where ψt,t = φ[x− y ./ c 7→ tt]∧
resetPred(x− y ./ c, λ)(
(l, ct), a, ψt, f , λ, (l, c f )
)
where ψt, f = φ[x− y ./ c 7→ tt]∧
resetPred(¬(x− y ./ c), λ)(
(l, c f ), a, ψ f ,t, λ, (l, ct)
)
where ψ f ,t = φ[x− y ./ c 7→ ff]∧
resetPred(x− y ./ c, λ)(
(l, c f ), a, ψ f , f , λ, (l, c f )
)
where ψ f , f = φ[x− y ./ c 7→ ff]∧
resetPred(¬(x− y ./ c), λ)
All edges that result in the new guard constraint being ff are removed.
To explain the construction, consider what happens during an execution. Dur-
ing a time advance, the value of x − y ./ c remains unchanged during time ad-
vances; hence, we always correctly stay in the same location component cb during
a time advance. Invariants need to be changed if and only if x− y ./ c is in the in-
variant. In this case, we replace that constraint with its value based on the location
component ct or c f . (Invariants are not addressed in Bérard et al. [28].)
Now consider action executions. To enforce that ct and c f correctly encode the
value of x− y ./ c during action executions, we split edges containing x− y ./ c
in their guards and we choose the proper destination component: ct or c f . In more
detail, for every edge e = (l, a, φ, Y, l′), if x − y ./ c appears in φ we only allow
transitions from (l, ct) and replace φ with φ[x− y ./ c 7→ tt]. For all edges, if the
edge resets x or y or both, then we do the following:
• If x, y ∈ Y, then (l, cb, ν) a−→ (l′, ci, ν′). Here ci represents the correct value
for 0 ./ c. After this transition, x and y are both reset to 0; hence, x− y = 0.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 113
• If y ∈ Y, x 6∈ Y, then the transition we take depends on the current valuation.
For these transitions, the new value of x − y ./ c becomes x ./ c. Thus, we
make two edges for each edge e. The first edge conjuncts x ./ c to the guard
and transitions to the component ct, and the second edge conjuncts ¬(x ./ c)
(which is a single inequality) to the guard and transitions to the component
c f .
• If x ∈ Y, y 6∈ Y, then the transition we take depends on the current valuation.
For these transitions, the new value of x− y ./ c becomes −y ./ c. Thus, we
make two edges for each edge e. The first edge conjuncts −y ./ c to the
guard and transitions to the component ct, and the second edge conjuncts
¬(−y ./ c) (which is a single inequality) to the guard and transitions to the
component c f .
Since we double the number of locations per inequality we remove, the conver-
sion is exponential in the number of clock difference inequalities in the automa-
ton. There can be as many inequalities as the size of the timed automaton, which
results in this conversion producing a new automaton potentially exponentially
larger than the original.
For notation, when we consider the final converted timed automaton (after
converting out multiple constraints), we let ldi f f be the location component of
l that represents the truths of each clock-difference inequality. Thus, for every
location ld ∈ Ld f , ld = (l, ldi f f ), l ∈ L, ldi f f = (c1b, c2b, . . . cib), and cib says that the
ith inequality xj − xk ./ c has current boolean truth b.
In this work, we assume that all of the clock-difference constraints are in canon-
ical form, meaning that all implied constraints are explicitly represented. For ex-
ample, if the constraint has x1− x2 < 0 and x2− x3 < 0, canonical form forces the
constraint x1− x3 < 0 to be explicitly specified. Using all-pairs shortest paths, one
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 114








Figure 3.5: Timed automaton TAd with clock difference constraint x1 − x2 < 3.
Figure is used and adapted from Fontana and Cleaveland [74] with permission.











Figure 3.6: Diagonal-free timed automaton DF(TAd) equivalent to TAd. Figure is
used and adapted from Fontana and Cleaveland [74] with permission.
can convert any constraint into canonical form in O(|CX|3) time [27].
Example 3.4.3. Consider the timed automaton TAd in Figure 3.5, where initially
x1 = x2 = 0. As a result, initially x1 − x2 < 3. Notice that the edge from location
1 to location 0 has the clock difference constraint x1 − x2 < 3. We wish to convert
the automaton to a diagonal-free automaton.
The resulting equivalent diagonal-free automaton is in Figure 3.6. The location
(0, c f ) is not reachable in the new automaton from the initial state and is omitted
from the figure. Notice that ct encodes x1 − x2 < 3, so there is now no edge from
(1, c f ) to location(0, ct) since the guard x1 − x2 < 3 would be violated. 
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 115
While the conversion is provided in Bérard et al. [28], no proof is given. Since
the converted automaton has locations with components ct and c f , this conversion
is not isomorphic to the original automaton. As a result, we prove the equivalence
of reachable subsystem isomorphism.
Theorem 3.4.4. Let TA be a timed automaton and DF(TA) be the diagonal-
free automaton obtained from converting TA to eliminate all of the clock dif-
ference constraints. Their reachable subsystems are isomorphic (TS(TA) ∼=r
TS(DF(TA))).
Proof of Theorem 3.4.4. From the conversion, both automata have the same event
set Σ. Consider the function f over the reachable states:





= ((l, ldi f f ), ν)
The function f maps Q0TS(TA) to Q0TS(DF(TA)) , preserving initial states (here we use
the premise that all initial states satisfy their invariants; hence, they are reachable).
The location component ldi f f represents the location components indicating the
truths of clock differences. By design, for all reachable states, the correct ldi f f is
paired with each valuation ν.
Part 1: f is a bijection.
Given our conversion, for all reachable states, ldi f f can be constructed from
(l, ν). Consequently, we are guaranteed to cover each state in the reachable sub-
system of TS(DF(TA)). Thus f is a bijection.
3.4. Timed Automata Equivalences: Isomorphism of Reachable Subsystems 116
Here is the definition of f−1:
f−1 : QTS(DF(TA)) −→ QTS(TA) reachable states
f−1
(
((l, ldi f f ), ν)
)
= (l, ν)
Again, assuming (l, ν) is reachable, ldi f f can be constructed from (l, ν).
Part 2: f preserves the transition relation.
We need to show:
(l, ν) δ−→ (l′, ν′)⇔ f ((l, ν)) δ−→ f ((l′, ν′)) ∀δ ∈ R≥0 and
(l, ν) a−→ (l′, ν′)⇔ f ((l, ν)) a−→ f ((l′, ν′)) ∀a ∈ Σ
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
Part 2a: Time advances: (l, ν) δ−→ (l′, ν′)⇒ f ((l, ν)) δ−→ f ((l′, ν′)).
Suppose (l, ν) δ−→ (l, ν + δ). By the definition of timed automata semantics,
∀t, 0 ≤ t ≤ δ : ν + t |= I(l). By our conversion, ∀t, 0 ≤ t ≤ δ : f ((l, ν + t)) |= I(l) =
I( f ((l, ν))). To elaborate, by our conversion we substitute in the clock difference
constraints. If ν+ t |= I(l), then f ((l, ν+ t)) |= I(l× ldi f f ) for all 0 ≤ t ≤ δ because
ν + t has the same values for the clock differences for all 0 ≤ t ≤ δ. Thus, we have
the transition f ((l, ν)) δ−→ f ((l, ν + δ)).
Part 2b: Edge executions: (l, ν) a−→ (l′, ν′)⇒ f ((l, ν)) a−→ f ((l′, ν′)).
Let (l, ν) a−→ (l′, ν[λ := 0]). By the definition of timed automata semantics, we
have an edge (l, a, φ, λ, l′) with ν |= φ and ν[λ := 0] |= I(l′). By our conversion,
3.5. Timed Automata Equivalences: Other Equivalences 117
f ((l, ν)) = (l × ldi f f , ν) and f ((l′, ν[λ := 0])) = (l′ × l′di f f , ν[λ := 0]). Since ldi f f
stores the values of all clock difference inequalities, we know ν[λ = 0] |= φ. From
our conversion and based on the clocks reset, we transition to the proper l′di f f
(reasoning is described in the conversion process). Hence, l′di f f properly reflects
the truths of the clock difference inequalities of the assignments of ν[λ := 0]. Given
we have the proper destination f ((l′, ν[λ := 0])), f ((l′, ν[λ := 0])) |= I(l′ × l′di f f ).
Therefore, we have f ((l, ν)) a−→ f ((l′, ν[λ := 0])).
Algorithmic Ramifications
Although clock difference constraints do not add expressive power to the theory
of timed automata, they influence the computational techniques used for model
checking. One particularly affected algorithm is the widening (normalization) al-
gorithm. In model checking, widening is a common operation used to guarantee
termination. Surprisingly, this particular widening algorithm no longer works if
there are more than three clocks and clock difference inequalities in clock con-
straints. The full proof is given in Bouyer [35, 36], and more complex algorithms
are given in Bengtsson and Yi [27], Bouyer et al. [43].
3.5 Timed Automata Equivalences: Other Equivalences
3.5.1 Rational Clock Constraints
Rather than restricting clock constants to be non-negative integers, Alur [5] allows
non-negative rational (Q≥0) constants. Using non-negative integer constraints makes
model checking easier; however, using rational numbers makes modeling easier.
Equality of expressiveness is remarked on in Alur [5], and we formalize that re-
mark. During this formalization we prove that the two models are equivalent with
a non-label-preserving isomorphism.
3.5. Timed Automata Equivalences: Other Equivalences 118
Conversion to Base Formalism
Following the approach of Alur [5], we convert each timed automaton with ratio-
nal constants to one with integer constants.
To perform this conversion, we find the least common positive integer, denoted
ld, such that for all constants c in constraints in the timed automaton, ld ∗ c is an
integer. (This integer ld will be the least common multiple of the denominators
of the reduced fractions of the rationals in the constraints.) We form the new
automaton by multiplying each constraint by ld in the invariants and the guards.
This process converts each rational constraint to an integer constraint. If TA is our
original timed automaton with non-negative rational constraints, then INT(TA)
is the converted timed automaton with only non-negative integer constraints.
In the conversion of rational clock constraints, we extend the definition of clock
constraint substitution (Definition 3.4.1). Our extension extends the vector D to a
function that can substitute each clock with a clock times a rational constant. The
typical extended substitution used is φ[CX 7→ CX/ld].
Formal Conversion: Given timed automaton TA = (L, L0, Lu, Σ, CX, I, E) and
positive integer ld, form timed automaton INT(TA) = (L, L0, Lu, Σ, CX, IINT, EINT)
as:
• IINT : L −→ Φ(CX), such that IINT(l) = I(l)[CX 7→ CX/ld].
• EINT = {(l, a, φ[CX 7→ CX/ld], λ, l′) | (l, a, φ, λ, l′) ∈ E}.
The locations, initial locations, urgent locations, set of action symbols, and set of
clocks are the same. In the invariant, each constraint x ./ c (./∈ {<,≤,>,≥}, c ∈
Q≥0) is replaced with x ./ (ld ∗ c). For each edge in E, each constraint x ./ c in the
guard is replaced with with x ./ (ld ∗ c).
Remark 3.5.1. This conversion transforms a timed automaton with rational clock
3.5. Timed Automata Equivalences: Other Equivalences 119
constraints to a timed automaton with integer clock constraints by re-scaling time
advances. When model checking satisfaction of a formula on such an automaton,
one must also re-scale the constraints in the formula. Furthermore, because most
model-checking algorithms work better with integer constraints, the choice for ld
should consider the clock constraints in the formula and be chosen such that the
constants in both the converted automaton and the converted formula are non-
negative integers.
Because we need to map labels with a function other than the identity function,
we cannot establish a label-preserving isomorphism. However, we prove a non-
label-preserving isomorphism between the two automata.
Theorem 3.5.1. Let TA be a timed automaton with rational constraints and
ld be some positive integer such that for all constants c in TA, c ∗ ld ∈ Z.
Also let INT(TA) be the converted automaton where each constant in a con-
straint is multiplied by the ld (and thus all constants have non-negative in-
teger values). There is a non-label-preserving isomorphism between TS(TA)
and TS(INT(TA)) (TS(TA) ∼=nl TS(INT(TA))).
Proof of Theorem 3.5.1. From our conversion, both automata have the same event
3.5. Timed Automata Equivalences: Other Equivalences 120
Σ. Consider f : the pair of functions fq and fσ:



























= δ ∗ ld δ ∈ R≥0
The function f preserves the location (though I( f (l)) = I( fq(l)) = I(l)[CX 7→
CX/ld])), multiplies each clock’s value in ν by ld, preserves the action labels, and
maps each time advance label δ to ld ∗ δ. The function f maps Q0TS(TA) to Q0TS(INT(TA))
(0 ∗ ld = 0), preserving initial states.
Part 1: f is a bijection.
Because the real numbers are dense, fq, fσ, and f are bijections. Here is the
definition of f−1, which is a pair of functions f−1q and f−1σ :



























= δ/ld δ ∈ R≥0
The function f−1 preserves the location, divides each clock’s value in ν by ld (we
know ld 6= 0), preserves the action labels, and maps each time advance label δ to
δ/ld.
3.5. Timed Automata Equivalences: Other Equivalences 121
Part 2: f preserves the transition relation.
We need to show:
(l, ν) δ−→ (l′, ν′)⇔ f ((l, ν)) f (δ)=δ∗ld−→ f ((l′, ν′)) ∀δ ∈ R≥0 and
(l, ν) a−→ (l′, ν′)⇔ f ((l, ν)) f (a)=a−→ f ((l′, ν′)) ∀a ∈ Σ
Showing f does not eliminate transitions, we prove the ⇒ direction. We omit the
proof of the other (⇐) direction; its proof is similar and (one proof) uses f−1
instead of f .
The function f defines an implicit edge morphism f→ from the edges of
TS(TA) to the edges of TS(INT(TA)), where the edge (q, a, q′) is mapped as
follows: f→((q, a, q)′) = ( fq(q), fσ(a), fq(q′)).
Part 2a: Time advances: (l, ν) δ−→ (l′, ν′)⇒ f ((l, ν)) f (δ)=δ∗ld−→ f ((l′, ν′)).
If we have (l, ν) δ−→ (l′, ν′) and a time advance of δ ∗ ld from f ((l, ν)), then
we know that f ((l, ν))
f (δ)=δ∗ld−→ f ((l′, ν′)). Now we must show that the transition
exists. By the definition of the transition system, given the transition (l, ν) δ−→
(l′, ν′), we know that ∀t ∈ R, 0 ≤ t ≤ δ : ν+ t |= I(l). Because I( f (l)) = I(l)[CX 7→
CX/ld]), when we map each state, we get the expression ∀t ∈ R, 0 ≤ t ≤ δ : (ν +
t)[CX 7→ CX/ld] |= I(l)[CX 7→ CX/ld]. This expression is equivalent to (factoring
out constants) ∀t ∈ R, 0 ≤ t ≤ δ ∗ ld : (ν[CX := CX ∗ ld] + t |= I(l)[CX 7→ CX/ld]
or ∀t ∈ R, 0 ≤ t ≤ δ ∗ ld : f (ν) + t |= I( f (l)). Hence, we have f ((l, ν)) f (δ)=δ∗ld−→
f ((l′, ν′)).
Part 2b: Edge executions: (l, ν) a−→ (l′, ν′)⇒ f ((l, ν)) f (a)=a−→ f ((l′, ν′)).
Suppose (l, ν) a−→ (l′, ν′). By the definition of the transition system, there is
some edge e = (l, a, φ, λ, l′) with ν |= φ and ν′ = ν[λ := 0]. By our conversion,
f ((l, ν)) = (l, ν[CX := CX/ld]) and ν[CX := CX : ld] |= φ[CX 7→ CX/ld]. Ad-
3.5. Timed Automata Equivalences: Other Equivalences 122
ditionally, we have the edge eINT = (l, a, φ[CX 7→ CX/ld], λ, l′) and the transition
(l, ν[CX := CX ∗ ld] a−→ (l′, (ν[CX := CX ∗ ld])[λ := 0]). By our definition of f ,
this is the action execution f ((l, ν))
f (a)=a−→ f ((l′, ν′)).
The corollary below illustrates the strength of a non-label-preserving isomor-
phism.
Corollary 3.5.1. Let TA1 and TA2 be two timed automata (TA1 ∼ TA2), and let
INT(TA1) and INT(TA2) be the converted automaton using the same integer ld
(pick a positive integer ld such that both converted automata have only integral
constraints. One such integer is the product of any valid ld1 and any valid ld2.).
Then TA1 ∼ TA2 if and only if INT(TA1) ∼ INT(TA2).
Proof of Corollary 3.5.1. We show the ⇒ direction; the other direction is similar.
Let TA1 and TA2 be bisimilar timed automata. By Theorem 3.5.1 and the mapping
f (δ) = δ ∗ ld, TA1 is equivalent to INT(TA1) and TA2 is equivalent to INT(TA2).
We then show that INT(TA1) ∼ INT(TA2). We use the bisimulation of TA1
and TA2 as well as f and f−1 in the proof of Theorem 3.5.1 to extract the bisimilar
transitions. Let q1 be a state in INTTA1 . Apply f
−1(q1) and then use the bisimilarity
between TA1 and TA2 to get a state s2 in TA2. We then know q1 is similar to
f (s2). We follow the reverse path to show the other direction. The paths taken are
sketched in Figure 3.7.
This specific variant has a specific non-label preserving isomorphism: all of the
action labels are the same and the time transitions are uniformly scaled. This spe-
cific mapping, while not a label-preserving isomorphism, is quite strong because
only a scaling of time advances is required to convert the automaton to one that
is label-preserving isomorphic. As a result, when model checking formulas, both
3.5. Timed Automata Equivalences: Other Equivalences 123






Figure 3.7: Diagram illustrating preservation of bisimulation. The top bisimulation
can be obtained by following the other path using the bisimulation between TA1
and TA2. Figure is used and adapted from Fontana and Cleaveland [74] with
permission.
the automaton and the formula constraints can be rescaled to both be integers.
3.5.2 Clock Assignments
A clock assignment gives an edge the additional power to assign a clock to the
current value of another clock. We follow the definitions in Yovine [163, 164].
Definition 3.5.1 (Clock assignments [164]). The edge syntax replaces the set of
clocks λ with an assignment function γ, where γ assigns each clock to itself (this
“no change” in value makes γ a total function), 0, or another clock x′ ∈ CX.
γ(x) = x′ indicates the assignment x := x′, where clock x is assigned the value of
clock x′. Assignments, like resets, are executed simultaneously.
These are the semantics of a clock assignment as provided in Yovine [164]
(notation changed to match the symbols in this paper):
Let ν ∈ V and γ be an assignment function. We denote by ν[γ] the
3.5. Timed Automata Equivalences: Other Equivalences 124
clock valuation such that for all x ∈ CX,
ν[γ](x) =

ν(γ(x)) if γ(x) ∈ CX,
0 otherwise

By definition, a clock cannot be both reset to 0 and given a value of another
clock on the same edge; however, that clock’s value can be given to another clock
before it is reset to 0. In a timed automaton with clock assignments, the set of
clocks λ in each edge is replaced with an assignment function γ.
Definition 3.5.2 (Timed automaton with clock assignments). A timed automaton
with clock assignments TA = (L, L0, Lu, CX, I, E) is the same as the baseline timed
automaton except for the following difference:
• E ⊆ L× Σ×Φ(CX)× (CX ∪ {0})CX × L is the set of edges. In an edge e =
(l, a, φ, γ, l′) has assignment function γ : CX −→ CX ∪ {0}.
A set of clocks λ to reset to 0 can be encoded as the following assignment function:
γ(xi) = 0 if xi ∈ λ and γ(xi) = xi otherwise. 
Concerning timed automata with clock assignments, Bouyer et al. [39] shows
two properties: the decidability of reachability, and the ability to convert these
automata to bisimilar automata without clock assignments. (Bouyer et al. [39]
give the conversion and the bisimulation relation and claim that the proof of the
relation follows from the conversion).
3.5. Timed Automata Equivalences: Other Equivalences 125
Conversion to Base Form
We use the conversion given in Bouyer et al. [39]. They apply their conversion
to automata without invariants, but their conversion also handles updates of the
form x := c where c ∈ Z0. We take their conversion and present an adapted
version that converts the previously defined variant to the baseline version.
When removing clock assignments, we extend clock constraint substitution
(Definition 3.4.1) to allow a clock index to be substituted for another clock index.
For example, φ[{xi} 7→ {xj}] replaces every appearance of the term xi in φ with
xj.
Conversion Idea: Given that time elapses at the same rate for all clocks, after
a clock assignment, the clock with the assigned value is equal to the clock it is
assigned to until one of those clocks is reset. As a result, instead of performing
a clock assignment, the timed automaton notes that the assigned clock is repre-
sented by the clock it was assigned. Mathematically, the locations of each timed
automaton are enriched with a mapping of clocks σ : CX −→ CX with σ(xi) de-
noting the clock that currently represents clock xi. The mapping is changed at
each transition to handle additional clock assignments and clock resets.
Formal Conversion: We introduce the location component set CXCX that stores
clock mappings. This component, denoted σ, can also be viewed as a function
σ : CX −→ CX where σ(xi) denotes the clock that currently represents clock
xi. Hence, location component σ, also sometimes denoted (xi1 , . . . , xin), means
clock xj is currently represented by clock xij . The identity location component
is (x1, x2, . . . , xn).
To handle a clock assignment xi := xk, instead of performing the assignment
we set σ(xi) = xk and use clock xk to represent clock xi in future transitions.
Guards of outgoing edges and invariants become substituted clock constraints
3.5. Timed Automata Equivalences: Other Equivalences 126
where clocks are substituted with the clocks in their location components. (Invari-
ants are not addressed in Bouyer et al. [39].) Resets and assignments on incoming
edges are changed. Note that after the clock assignment, while clock xi does have
a value, it is ignored, and the clock xi is treated as a spare clock.




xj if γ(xi) = xj (if xi := xj)
xi otherwise
(3.6)
The function σa handles edges without resets. To address the more complicated
case of clock resets, we define a function Γr : CXCX × CX −→ CX that takes in a




xc if γ(xi) = 0, xc 6∈ σ(CX), and ∀xj 6= xi, Γr(σ, xj) 6= xc
σ(xi) if γ(xi = 0) and σ(CX) = [CX]
σ(xi) otherwise
(3.7)
For notational purposes, Γr(σ) denotes the function Γr(σ) : CX −→ CX such that
Γr(σ)(x) = Γr(σ, x). For each σ, there may be multiple functions Γr because there
may be multiple clocks xc to choose from in the first case. Additionally, the choice
of clocks xc is chosen such that for each σ, clock xc is the output of Γr(σ) for at
most one clock xc. This constraint is represented by the third conjunct of the first
case. The clocks xc are the “spare” clocks that were not currently representing any
clock. These clocks can be used to represent clocks after a reset.
3.5. Timed Automata Equivalences: Other Equivalences 127
For each edge, given the current mapping σcx, the function we obtain from σcx
is σ′cx : CX −→ CX where σ′cx(xi) = Γr(σa ◦ σ, xi). The timed automaton uses sub-
stitution for invariant and guard constraints in the new locations and the edges.
Using σ′cx, given a timed automaton with clock assignments
TA = (L, L0, Lu, Σ, CX, I, E), we form the timed automaton
ASN(TA) = (LASN , L0ASN , LuASN , Σ, CX, IASN , EASN) as follows:
• LASN = L× CX|CX|, and each location is (l, σcx), l ∈ L, and σcx ∈ CX|CX|. We
will refer to a state as (l, σcx, ν).
• L0ASN = L0 × {(x1, x2, . . . , xn)}
• LuASN = Lu × {(x1, x2, . . . , xn)}
• IASN : LASN −→ Φ(CX), such that IASN(l × σcx) = I(l)[CX 7→ σcx].
• EASN = {((l, σcx), a, φ[CX 7→ σcx], λ[CX 7→ σ′cx], (l′, σ′cx)) | (l, a, φ, γ, l′) ∈ E}.
For each edge, σ′cx = Γr(σa ◦ σcx). Note that σ′cx is based off γ but is computed
before λ.
We define function composition f ◦ g as ( f ◦ g)(x) = f (g(x)).
From the conversion, the resulting automaton has a number of states that is
exponential in the number of clocks in the timed automaton. To illustrate the
conversion we provide two examples.
Example 3.5.1. Consider the timed automaton TA5 in Figure 3.8 (top). The con-
verted timed automaton is ASN(TA5) in Figure 3.8 (bottom).
Consider the edge e = (0, a, x2 ≥ 2, (x1 := 0, x2 := x1), 1). To determine σ′cx, we
first compute σa. For this edge, σa(x1) = x2 and σa(x2) = x2. Then, we compute
Γr(σa, x1) = x2 and Γr(σa, x2) = x1. In this case x1 is the “spare clock” we can use
3.5. Timed Automata Equivalences: Other Equivalences 128





















Figure 3.8: Timed automaton TA5 with clock assignments (top) and the timed au-
tomaton ASN(TA5) after performing the conversion (bottom). In ASN(TA5), only
the states reachable from the initial state are shown. Figure is used and adapted
from Fontana and Cleaveland [74] with permission.
to track x2 after x2 is reset to 0. Hence, for that edge, σ′cx(x1) = x2 and σ′cx(x2) = x1.

Example 3.5.2. Consider the timed automaton TA6 in Figure 3.9 (left). The con-
verted timed automaton is ASN(TA6) in Figure 3.9 (right).

Bouyer et al. [39] give the conversion, the bisimulation relation, and from the
construction claim (without proof) that the relation is indeed a bisimulation. We
3.5. Timed Automata Equivalences: Other Equivalences 129




















Figure 3.9: Timed automaton TA6 with clock assignments (left) and the timed
automaton ASN(TA6) after performing the conversion (right). In ASN(TA6), only
the states reachable from the initial state are shown. Figure is used and adapted
from Fontana and Cleaveland [74] with permission.
present the relation from Bouyer et al. [39] and prove that it is a bisimulation.
Theorem 3.5.2. Let TA be a timed automaton, and ASN(TA) be the timed
automaton obtained from converting TA to eliminate all clock assignments.
Then they are bisimilar (TS(TA) ∼=r TS(ASN(TA))).
Proof of Theorem 3.5.2. Both timed automata have the same event set Σ. Consider
the relation R on QTS(TA) ×QTS(ASN(TA)) defined as follows:
R = {((l, ν), (l, σ, ν ◦ σ))}
In this definition, ν ◦ σ is defined as (ν ◦ σ)(xi)) = ν(σ(xi)). By definition, since
the initial σ is the identity function, initial states in TS(TA) are mapped to initial
3.5. Timed Automata Equivalences: Other Equivalences 130
states in TS(ASN(TA)).
Now we show that R is the bisimulation relation. To show that R is a bisimu-
lation, we are only concerned with the states reachable from an initial state.
We need to show for all ((l, ν), (lR, σR, νR)) ∈ R:
⇒:
∀δ ∈ R≥0 : (l, ν) δ−→ (l′, ν′)⇒
(lR, σR, νR)
δ−→ (l′R, σ′R, ν′R) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R
∀a ∈ Σ : (l, ν) a−→ (l′, ν′)⇒
(lR, σR, νR)
a−→ (l′R, σ′R, ν′R)) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R
⇐:
∀δ ∈ R≥0 : (lR, σR, νR) δ−→ (l′R, σ′R, ν′R)⇒
(l, ν) δ−→ (l′, ν′) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R
∀a ∈ Σ : (lR, σR, νR) a−→ (l′R, σ′R, ν′R))⇒
(l, ν) a−→ (l′, ν′) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R
We prove the⇒ direction. We omit the similar proof of the other (⇐) direction.
Part 1a: Time advances: ((l, ν), (lR, σR, νR)) ∈ R and (l, ν) δ−→ (l′, ν′)⇒
(lR, σR, νR)
δ−→ (l′R, σ′R, ν′R) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R.
Suppose ((l, ν), (lR, σR, νR)) ∈ R and (l, ν) δ−→ (l, ν + δ). By definition of R,
lR = l and νR = ν ◦ σR. By construction, I((lR, σR)) = I(l)[CX 7→ σR(CX)]. Hence,
for all δ′, 0 ≤ δ′ ≤ δ, ν+ δ′ |= I(l) if and only if νr + δ′ = (ν+ δ′) ◦ σR |= I(l)[CX 7→
σR]. Furthermore, by definition, (ν + δ) ◦ σ = (ν ◦ σ) + δ. Hence, (lR, σRνR) δ−→
(lR, σRνR + δ) and ((l, ν + δ), (lR, σR, νR + δ)) ∈ R.
3.6. Composition of Variant Conversions 131
Part 1b: Edge executions: ((l, ν), (lR, σR, νR)) ∈ R and (l, ν) a−→ (l′, ν′)⇒
(lR, σR, νR)
a−→ (l′R, σ′R, ν′R) and ((l′, ν′), (l′R, σ′R, ν′R)) ∈ R.
Suppose ((l, ν), (lR, σR, νR)) ∈ R and (l, ν) a−→ (l′, ν′). By definition, since
the transition was taken, ν′ = ν ◦ γ, ν |= φ, and ν′ |= I(l′). By definition of R,
(lR, σR, νR) = (l, σR, ν ◦ σR). Since ν |= φ, ν ◦ σR |= φ[CX 7→ σR]. Now we examine
σ′ formed by the construction, which is σ′ = Γr(σa ◦ σR). By definition σa ◦ σR and
γ agree on all clocks that are not reset. For any clocks xi that are reset, if σa ◦ σR
is onto, then (σa ◦ σR)(xi) = σR(xi). Else, then we know there is at least one spare
clock xc and σ′(xi) = xc. Since all clocks xc were not in any constraints, this clock
can be set to 0 and used for future states. Because ν ◦ σ′ |= I(l′)[CX 7→ σ′], we
have the transition (l, σR, ν ◦ σR) a−→ (l′, σ′, ν′ ◦ σ′).
3.6 Composition of Variant Conversions
Throughout this chapter we discuss many variants of timed automata and show
how each individual variant can be “translated away” and converted to the base-
line formalism. In practice, it is possible to have timed automata with a com-
bination of these variants. One combination is: data variables, disjunctive guard
constraints, and clock difference inequalities allowed in clock constraints. In this
section we show how to utilize the conversions discussed in this paper to convert
an automaton with a combination of these features into the baseline automaton.
The key: compose the conversions. Furthermore, we show that the compositions
of these functions preserve the minimum equivalences of the conversions and that
their compositions are commutative and associative. The commutativity and as-
sociativity is argued at the semantic level (commutativity does not always hold at
the syntactic level). We also remark on applying these conversions to timed au-
tomata that contain features in addition to the variants we convert out. Two such
3.6. Composition of Variant Conversions 132
extensions are atomic propositions and clock assignments.
3.6.1 Extending the Conversion Functions
For each variant, the conversion function has the domain of set of timed au-
tomata with that variant and has the range of the set of baseline timed automata.
(Guarded-command programs are the exception: that function’s range is the set
of timed automata with variables.) However, we can take the same conversion
function and extend the domain and range. By changing the domain to the set
of automata of interest and the range as the set of automata with the one spec-
ified variant converted out, we can extend our conversion functions to handle
extended automaton. While we may occasionally have to alter a conversion func-
tion to handle an extension, in many cases the functions can be used unchanged.
When extending the function, be sure that the domain is well defined, the range
is well defined, and the conversion converts an element of the domain into an
element in the range.
3.6.2 Extended Functions Preserve Equivalence
Here we take each variant and discuss extended functions. The typical extension
is extending the function to handle automata with a combination of the variants
we discussed in this paper. Because the conversion is (mostly) unchanged, we can
apply the previously-discussed proofs of equivalence to the extended functions.
To use the same proof for the additional variants, there may be some conditions
we need to be aware of. These conditions for each variant are:
• Disjunctive guard constraints: There must be a way to convert each guard




i , each φ
′
i
is disjunction free, and each φi has the following property: for any state
(l, ν), (l, ν) |= φ′ if and only if there is some i where (l, ν) |= φ′i . For
3.6. Composition of Variant Conversions 133
disjunctive guard constraints, one defines resetPred(φ, Y) to first convert
φ to disjunctive normal form (φ =
∨k
i=1 φi) form and resetPred(φ, Y) =∨k
i=1 resetPred(φi, Y).
• Timed automata with variables: For every data valuation vd and every con-
straint φ in the automaton, we must be able to compute φ[VR := νd]. Fur-
thermore, φ[VR := νd] must have no variables in it.
• Guarded-command program: Guarded-command programs are a different
notation for timed automata with variables; hence, they require the same
conditions.
• Unsatisfied invariants: First, the reset predecessor method resetPred(φ, Y)
must be well-defined and computable. Second, we must have urgent loca-
tions (that also prevent 0-unit time advances), such as those in the baseline
version, in the automaton.
• Clock difference inequalities: Time-elapses preserve clock-differences (clocks
must elapse at the same rate). Furthermore, when converting out clock dif-
ferences, edges must be ”updated” and/or changed to correctly encode
which clock difference inequalities are true and which are false. (This is a
condition on additional variants; no combination of these variants requires
a changed in this aspect of the conversion.)
• Rational clock constraints: First, we use the density of real numbers for our
time advances. Second, if we can make a time advance of δ from a state, then
we must be able to advance any time δ′, 0 ≤ δ′ ≤ δ.
Remark 3.6.1 (Atomic propositions and clock assignments). One common feature is
atomic propositions. Since atomic propositions are semantic shorthand for sets of
3.6. Composition of Variant Conversions 134
locations, when we have automata that have atomic propositions and whenever we
copy (duplicate) a state, we also copy over the atomic propositions that it satisfies.
Thus, for any labeling function µ, location l and copy lc, µ(lc) = µ(l). We do not
change the atomic propositions for unchanged locations. For the added location
components ct and c f in the clock-difference conversion, we define µ((l, ct)) =
µ((l, c f )) = µ(l).
Another commonly-used variant is clock assignments. They are described in
Section 3.5.2. The details of the clock-difference inequalities conversion must be
changed to accommodate the changing of clock difference inequalities when clocks
assignments are executed on a transition. Furthermore, for unsatisfied invariants,
the resetPred(φ, Y) must be augmented to handle the predecessor of clock as-
signments.
3.6.3 Composition Preserves Equivalences
Because label-preserving isomorphism is an equivalence relation (reflexive, sym-
metric and transitive) [75], if we compose two or more label-preserving isomor-
phic conversions, then the original and the final automaton are semantically label-
preserving isomorphic.Therefore, we have the following claims:
Claim 3.6.1. Let us apply (compose) two or more conversion functions for label-
preserving isomorphic variants (apply the functions compositionally in any or-
der). Then the original automaton is semantically label-preserving isomorphic to
the final converted automaton.
Proof of Claim 3.6.1. Follows from transitivity of label-preserving isomorphism.
Claim 3.6.2. Let us apply (compose) two or more conversion functions for variants
3.6. Composition of Variant Conversions 135
with label-preserving isomorphism or (label-preserving) reachable subsystem iso-
morphism (apply the functions compositionally in any order). Then the reachable
subsystem of the original automaton is semantically label-preserving isomorphic
to the reachable subsystem of the final converted automaton.
Proof of Claim 3.6.2. Follows from transitivity of isomorphism of reachable sub-
systems, which comes from transitivity of isomorphism.
Claim 3.6.3. Suppose we have a timed automaton with rational clock constraints
and other label-preserving isomorphic variants. Then the original automaton is
non-label-preserving isomorphic to the final converted automaton.
Proof of Claim 3.6.3. By applying the rational-clock constraints conversion first,
we get a non-label preserving isomorphism, which is a transitive relation (com-
pose the label changes). Since all of the other conversions are label-preserving
isomorphic, they are also non-label-preserving (with the identity mapping of la-
bels). Hence, by transitivity, we have a non-label preserving isomorphism.
Claim 3.6.4. Suppose we have a timed automaton with rational clock constraints
and other variants for which we provided conversion functions. Then the reach-
able subsystem of the original automaton after a label remapping is semantically
isomorphic to the reachable system of the final converted automaton. I.e. the
reachable subsystems are non-label-preserving isomorphic.
Proof of Claim 3.6.4. By applying the rational-clock constraints conversion first,
we get a non-label preserving isomorphism. By definition, any reachable sub-
system isomorphism is a non-label-preserving reachable subsystem isomorphism
(use the identity mapping for the labels), by transitivity the reachable subsys-
3.6. Composition of Variant Conversions 136
tems of the original and converted automata have a non-label-preserving isomor-
phism.
3.6.4 Commutativity and Associativity of Semantics
When we apply multiple conversions to convert out multiple variants, we are
equivalently applying the function that is the composition of the applied con-
version functions. We show that for these variants and these conversion functions
on the semantic level (transition systems of the timed automata), the composi-
tion of these commutative and associative. (Depending on the composition order,
the syntax may not be the same). We denote the function composition f ◦ g as
( f ◦ g)(x) = f (g(x)).
Theorem 3.6.5 (Commutativity and associativity). Let f , g, h be three ex-
tended conversion functions (extended properly when needed) for three dif-
ferent variant features that have conversion functions in this paper. Then:
f ◦ g = g ◦ f (Commutativity)
( f ◦ g) ◦ h = f ◦ (g ◦ h) (Associativity)
Proof of Theorem 3.6.5. The proof is done, at the semantic level, on a case-by-case
basis of the different variants.
First, any function is commutative and associative with itself.
Second, for disjunctive guard constraints, timed automata with variables and
guarded-command programs, the conversion function is the identity function. By
definition, any function composed with the identity function is the original func-
3.6. Composition of Variant Conversions 137
tion. Hence, any case involving the identity function is either commutative and
associative or reduces to a simpler case. We start with commutativity.
Commutativity Case 1: Unsatisfied Invariants (f) and Clock Difference Inequali-
ties (g). Let f be the conversion function that eliminates unsatisfied invariants and
g be the conversion function that eliminates clock difference constraints. Thus:
f ((l, ν)) =

(l, ν) if ν |= I(l)
(lu, ν) otherwise
g((l, ν)) =(l × ldi f f , ν)
Applying the compositions:
( f ◦ g)(l, ν) =

(l × ldi f f , ν) if ν |= I(l)
((l × ldi f f )u, ν) otherwise
(g ◦ f )(l, ν) =

(l × ldi f f , ν) if ν |= I(l)
(lu × ldi f f , ν) otherwise
which are the same. By definition, the u represents an “urgent copy.” Furthermore,
if any component of a location is urgent, then the location is urgent. (Note: while
the compositions are semantically equivalent, these compositions have different
labeling (syntax) in which different locations have urgent copies.)
Commutativity Case 2: Unsatisfied Invariants (f) and Rational Clock Constraints
(g) Let f be the conversion function that eliminates unsatisfied invariants, g be
the conversion function that eliminates rational clock constraints, and ld be the
3.6. Composition of Variant Conversions 138
positive integer used in the relabeling of g.
f ((l, ν)× σ) =

(l, ν)× σ if ν |= I(l)
(lu, ν)× σ otherwise
g((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ otherwise (σ ∈ Σ)
Applying the compositions:
( f ◦ g)((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if ν |= I(l) and σ ∈ R≥0
(lu, ν[CX := CX ∗ ld])× σ ∗ ld if ν 6|= I(l) and σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ if ν |= I(l) and σ ∈ Σ
(lu, ν[CX := CX ∗ ld])× σ otherwise
(g ◦ f )((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if ν |= I(l) and σ ∈ R≥0
(lu, ν[CX := CX ∗ ld])× σ ∗ ld if ν 6|= I(l) and σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ if ν |= I(l) and σ ∈ Σ
(lu, ν[CX := CX ∗ ld])× σ otherwise
which are the same. Since f only alters the location l, and g alters only the valua-
tion ν and the action symbol σ, commutativity follows .
Commutativity Case 3: Rational Clock Constraints (f) and Clock Difference
Inequalities (g). Let f be the conversion function that eliminates rational clock
constraints, ld be the positive integer used in the relabeling of f , and g be the
3.6. Composition of Variant Conversions 139
conversion function that eliminates clock difference constraints.
f ((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ otherwise (σ ∈ Σ)
g((l, ν)× σ) =(l × ldi f f , ν)× σ
Applying the compositions:
( f ◦ g)((l, ν)× σ) =

(l × ldi f f , ν[CX := CX ∗ ld])× σ ∗ ld if σ ∈ R≥0
(l × ldi f f , ν[CX := CX ∗ ld])× σ otherwise
(g ◦ f )((l, ν)× σ) =

(l × ldi f f , ν[CX := CX ∗ ld])× σ ∗ ld if σ ∈ R≥0
(l × ldi f f , ν[CX := CX ∗ ld])× σ otherwise
which are the same. Since f only alters the valuation ν and the action symbol σ,
and g only alters the location l, commutativity follows .
Associativity Case: Rational Clock Constraints (f), Unsatisfied Invariants (g) and
Clock Difference Inequalities (h). Using commutativity proofs of f , g and h and
using the fact that the identity function is associative, we can reduce all other cases
of associativity to the commutativity cases or to this case.
Let f be the conversion function for rational clock constraints, ld be the positive
integer used in the relabeling of f , g be the conversion function for unsatisfied
3.6. Composition of Variant Conversions 140
invariants, and h be the conversion function for clock difference inequalities.
f ((l, ν)× σ) =

(l, ν)× σ if ν |= I(l)
(lu, ν)× σ otherwise
g((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ otherwise (σ ∈ Σ)
h((l, ν)× σ) =(l × ldi f f , ν)× σ
Computing ( f ◦ g) ◦ h is, we get from composing f ◦ g
(( f ◦ g) ◦ h)((l, ν)× σ) =

(l, ν[CX := CX ∗ ld])× σ ∗ ld if ν |= I(l) and σ ∈ R≥0
(lu, ν[CX := CX ∗ ld])× σ ∗ ld if ν 6|= I(l) and σ ∈ R≥0
(l, ν[CX := CX ∗ ld])× σ if ν |= I(l) and σ ∈ Σ
(lu, ν[CX := CX ∗ ld])× σ otherwise (ν 6|= I(l) and σ ∈ Σ)

◦ h
3.6. Composition of Variant Conversions 141
yielding
(( f ◦ g) ◦ h)((l, ν)× σ) =

(l × ldi f f , ν[CX := CX ∗ ld])× σ ∗ ld
if ν |= I(l) and σ ∈ R≥0
(lu × ldi f f , ν[CX := CX ∗ ld])× σ ∗ ld
if ν 6|= I(l) and σ ∈ R≥0
(l × ldi f f , ν[CX := CX ∗ ld])× σ
if ν |= I(l) and σ ∈ Σ
(lu × ldi f f , ν[CX := CX ∗ ld])× σ
otherwise (ν 6|= I(l) and σ ∈ Σ)
Now computing f ◦ (g ◦ h), we get from composing g ◦ h
( f ◦ (g ◦ h))((l, ν)× σ) = f ◦


(l × ldi f f , ν)× σ if ν |= I(l)
((l × ldi f f )u, ν)× σ otherwise

3.6. Composition of Variant Conversions 142
yielding
( f ◦ (g ◦ h))((l, ν)× σ) =

(l × ldi f f , ν[CX := CX ∗ ld])× σ ∗ ld
if ν |= I(l) and σ ∈ R≥0
((l × ldi f f )u, ν[CX := CX ∗ ld])× σ ∗ ld
if ν 6|= I(l) and σ ∈ R≥0
(l × ldi f f , ν[CX := CX ∗ ld])× σ
if ν |= I(l) and σ ∈ Σ
((l × ldi f f )u, ν[CX := CX ∗ ld])× σ
otherwise (ν 6|= I(l) and σ ∈ Σ)
which is the same as the previous composition.
Remark 3.6.2 (Guarded-command programs). Guarded-command programs are a
syntactic relabeling of timed automata with variables and the conversion functions
to and from guarded-command programs and timed automata with variables are
both the identity function. As a consequence of the results in this section, we
can both extend guarded-command programs to have the features we can convert
out as well as convert those features out of guarded-command programs. We can
choose to first convert a guarded-command program to a timed automaton with
variables and then convert out the features or we can choose to first convert out the
features and then convert the guarded-command program to a timed automaton.
From either order, we will end up with (semantically) the same automaton.
3.6.5 Putting it All Together
We give an example showing how to convert out multiple variants.
3.7. Summary of Established Equivalences 143
Example 3.6.1. Let TA be a timed automaton with the following three extensions:
disjunctive clock constraints in guards, variables, and clock difference inequalities
in clock constraints. We will convert these out one variant at a time. Given that the
extended functions are commutative and associative, we can apply them in any
order.
We start by eliminating the variables and converting them to locations. The
semantic conversion function is f ((l, νd, ν)) = ((l, νd), ν) The other properties of
the automaton do not influence this and are thus left unchanged. Then we wish to
get rid of the disjunctive clock constraints. We now apply the syntactic conversion
of converting the edges to set of edges. The semantic function f2((l, ν)) = (l, ν)
and is unchanged.
Lastly, we now have the timed automaton in our base form with the sole exten-
sion of clock difference inequalities. We apply the conversion in Section 3.4.2. 
3.7 Summary of Established Equivalences
We summarize the equivalences established in this chapter in Table 3.1.
3.8 Dissertation Contributions
3.8.1 Contributions
These are my contributions discussed in this chapter:
• We gave a formal baseline definition for a timed automata based on defini-
tions of others.
• We provided formal definitions for the following variants: disjunctive guard
constraints, timed automata with variables and different semantics for un-
satisfied invariants.
3.8. Dissertation Contributions 144
Table 3.1: Summary of timed automata variants and their equivalences.





Map each edge to a set of
edges going, mapping each












Convert the guards to edges,
making a timed automata






Disable transitions by push-
ing the reset predecessor of
the entering location’s invari-





Encode the truth of a clock
different constraint in the lo-
cations by adding a location
component representing the
truth of each clock-difference
constraint.
Rational constants non-label preserving
isomorphism
Uniformly scale the con-
stants by multiplying them
all by some integer such that
all constants become non-
negative integers.
Clock assignments bisimulation Keep track of clock assign-
ments by augmenting loca-
tions with a record of which
clocks in the automata are
representing multiple other
clocks.
• For timed automata with disjunctive guard constraints, timed automata with
variables, and guarded-command programs, we show those variants are iso-
morphic to the baseline formalism and give a conversion translating out each
variant.
• For the different unsatisfied invariant semantics and allowing clock differ-
3.8. Dissertation Contributions 145
ences in clock constraints, we show that the reachable subsystems of those
variants are isomorphic to the reachable subsystem of the baseline formalism
and give a conversion translating out each variant.
• For rational clock constraints, we give a non-label preserving isomorphism
to the baseline formalism (uses integer constants only) and give a conversion
translating out the rational constants.
• We showed how the above conversions are composable, not only for timed
automata with these features but also for timed automata with even more
features. We give a framework, a composable timed automata, that give suffi-
cient conditions describing extensions that still allow the equivalent variants
to be converted out. We then showed that these conversions are commutative
and associative at the semantic level.
3.8.2 Future Work
Future work includes allowing the initial state to have clock values other than 0,
and potentially to allow a set of initial states whose clock values are defined by a
clock zone or a union of clock zones. Additionally, future work includes handling
disjunctive constraints in invariants. While these constraints cannot be converted
in a fashion similar to converting out disjunctive constraints in guards, future
work involves determining the expressiveness of this additional feature. Disjunc-
tive constraints in invariants are used to express timed automata with deadlines
(see Bornot and Sifakis [32], Bornot et al. [33], Bowman [46], Bowman and Gómez
[47], Gómez and Bowman [78]).
3.8. Dissertation Contributions 146
147
Chapter 4
Timed Logics and Expressivity Results
With a timed automaton defined, we can now begin to ask properties about it.
To do this, we work with relevant timed logics. The goal is to expand upon their
theory, allowing us to say more about timed automata. The most commonly used
timed logic is TCTL (Timed Computation Tree Logic) Alur et al. [12], a timed ex-
tension of CTL (Computation Tree Logic). It is the logic used to describe properties
in various tools including both UPPAAL [23] and RED [157]. There are also two
timed modal-mu calculi that were developed. The first is Tµ, developed by Hen-
zinger et al. [88]. While Tµ is expressive, it is impractical to write an unbounded
liveness formulas in Tµ (writing a liveness formula in Tµ requires the bound to
be guessed [88]). This makes Tµ sometimes undesirable. The second timed modal-
mu calculus developed is Lν,µ, introduced independently by Sokolsky and Smolka
[147] and Aceto and Laroussinie [2] (the version with just greatest fixpoints was
introduced in Laroussinie et al. [108]). To provide additional power, a relativized
operator was added by Bouyer et al. [41] and was shown to give additional power.
This logic is called Lrelν,µ. While this logic is promising to model check, many ex-
pressiveness properties, including expressions of TCTL formulas, have not been
obtained. This chapter focuses on studying TCTL, Tµ, Lν,µ and Lrelν,µ and compares
their expressive powers by (in many cases) showing whether we can write any
formula in one logic in another logic or not. Among other properties, by proving
that Lrelν,µ can express any TCTL formula (which includes any safety and liveness
property), we add the theory that provides the ability for Lrelν,µ to be used.
4.1. Timed Computation Tree Logic (TCTL) 148
4.1 Timed Computation Tree Logic (TCTL)
Timed computation tree logic (TCTL), is a branching-time logic used for a dense-
time representation of properties.
Following the definition in Alur et al. [12], we present the branching-time logic
Timed Computation Tree Logic (TCTL).
Definition 4.1.1 (TCTL syntax). A TCTL formula can be constructed with the fol-
lowing grammar:
φ ::=p | cc | tt | ¬φ | φ1 ∧ φ2 | E [[φ1]U./c [φ2]] | E [[φ1] R./c [φ2]]
Here, p ∈ 2L is an atomic proposition (a subset of locations); cc ∈ Φ(CX) is
a clock constraint; ./ is any one of the operators =,<,>,≤,≥; and c ∈ Z≥0 ∪
{∞}. 
Definition 4.1.2 (TCTL semantics). Let TA be a timed automaton and φ be a TCTL
formula. Then the semantics of φ (denoted JφKTA), the set of states in TA that satisfy
φ, is:
• JpKTA = {(l, ν) ∈ Q | l ∈ p}.
• JccKTA = {(l, ν) ∈ Q | ν |= cc}.
• JttKTA = Q.
• J¬φKTA = Q− JφKTA.
• Jφ1 ∧ φ2KTA = Jφ1KTA ∩ Jφ2KTA.
• JE [[φ1]U./c [φ2]]KTA = {(l, ν) ∈ Q | ∃ time-divergent run πtr : q0 = (l, ν)∧
∃i ≥ 0 :
(
∃d, ti ≤ d ≤ ti+1 :
(
d ./ c ∧ (li, (νi + (d− ti)) |= φ2) and
4.1. Timed Computation Tree Logic (TCTL) 149
∀d′ < d, ti ≤ d′ ≤ ti+1 :
(
(li, νi + (d′ − ti)) |= φ1
)
and ∀j ≤ i :
(
∀d′ ≤ d, tj ≤
d′ ≤ tj+1 :
(
(lj, νj + (d′ − tj)) |= φ1
))))
}.
• JE [[φ1] R./c [φ2]]KTA = {(l, ν) ∈ Q | ∃ time-divergent run πtr : q0 = (l, ν)∧
∀i ≥ 0 :
(
∀d, ti ≤ d ≤ ti+1 : d ./ c → (li, (νi + (d− ti)) |= φ2) or
∃d′ < d, ti ≤ d′ ≤ ti+1 :
(
(li, νi + (d′ − ti)) |= φ1
)
or ∃j ≤ i :
(
∃d′ ≤ d, tj ≤
d′ ≤ tj+1 :
(
(lj, νj + (d′ − tj)) |= φ1
)))
}.
TA satisfies φ iff the initial state (l0, ν0) satisfies φ. 
We also use the following abbreviations: ff for ¬tt, φ1 ∨ φ2 for ¬(¬φ1 ∧ ¬φ2),
and φ1 → φ2 for ¬φ1 ∨ φ2. Abbreviations for commonly-used derived tempo-
ral operators include: A [[σ1]U./c [σ2]] for ¬(E [[¬σ1] R./c [¬σ2]]), A [[σ1] R./c [σ2]] for
¬(E [[¬σ1]U./c [¬σ2]]) (all paths operators), EF./c [σ] for E [[tt]U./c [σ]], AF./c [σ] for
A [[tt]U./c [σ]] (eventually), AG./c [σ] for ¬EF./c [¬σ], EG./c [σ] for ¬AF./c [¬σ] (al-
ways), E [[φ1]W [φ2]] for ¬(A [[¬φ2]U [¬φ1 ∧ ¬φ2]]), and A [[φ1]W [φ2]] for
¬(E [[¬φ2]U [¬φ1 ∧ ¬φ2]]) (weak until).
The formula E [[φ1] R./c [φ2]] means “there exists a path where φ1 releases φ2”
(φ2 has to also be true when φ1 releases φ2 from being true).
In the semantics of E [[φ1]U./c [φ2]], the i is the state in the timed run corre-
sponding after i− 1 transitions are taken (some of them action executions, some
time advances), and d is the amount of time elapsed before φ2 is true. d ./ c means
that d satisfies the constraint ./ c. d− ti is the amount of time elapsed in the ith
transition before φ2 is satisfied.
To explain the intuition of the TCTL E [[φ1]U./c [φ2]] semantics, we refer to
Figure 4.1 and its two path prefixes. In the first (upper) path, φ2 becomes true
immediately after an action is executed. The first state where φ2 is true is the state
at position i, (li, νi). Notice that φ1 must be true up until time ti−1 (in position
4.1. Timed Computation Tree Logic (TCTL) 150























Figure 4.1: Two path-prefix types satisfying TCTL formula E [[φ1]U [φ2]].
i − 1). Since no time elapses during action executions, ti−1 = ti and φ1 must be
true before the action into position i. In the second (lower) path, φ2 becomes true
during a time advance. State i is the state before the time advance, the state i + 1 is
the state after the entire time advance, and the state (li, νi + d) at global time ti + d
is the first state (at the first time instance) when φ2 is true. Notice that φ1 has to be
true for all times ti to ti + d except the time ti + d.
TCTL has the nice property that formulas can be expressed simply. For in-
stance, AG<∞ [a] is the safety property “always a” and AF<∞ [a] is the liveness
property “inevitably a.”
Remark 4.1.1 (On the definition of A [[φ1]U [φ2]] and E [[φ1]U [φ2]]). For the un-
til (A [[φ1]U [φ2]], E [[φ1]U [φ2]]) operator semantics, we keep φ1 as the required
precursor formula following, Alur et al. [12] as opposed to φ1 ∨ φ2 as is used
by Baier and Katoen [17], Henzinger et al. [88]. Note that in CTL, A [[φ1]U [φ2]] ≡
A [[(φ1 ∨ φ2)]U [φ2]] and E [[φ1]U [φ2]] ≡ E [[(φ1 ∨ φ2)]U [φ2]], but in TCTL when
clock constraints are allowed in φ1 and φ2, this no longer holds. If one wishes to
use the other semantics, simply change the formula to A [[(φ1 ∨ φ2)]U./c [φ2]] or
4.2. Timed Modal-Mu Calcului Lν,µ and Lrelν,µ 151
E [[(φ1 ∨ φ2)]U./c [φ2]] as desired.
4.2 Timed Modal-Mu Calcului Lν,µ and Lrelν,µ
The modal mu-calculus Lν,µ is discussed in Sokolsky and Smolka [147]; its greatest
fixpoint fragment, Lν, is discussed in Bouyer et al. [45], Laroussinie et al. [108, 109];
and the relativized greatest fixpoint fragment, Lrelν , is discussed in Bouyer et al.
[45].
4.2.1 Lrelν,µ Syntax and Semantics
Definition 4.2.1 (Lν,µ and Lrelν,µ syntax). The syntax of a Lν,µ formula can be con-
structed with the following grammar:
φ ::=p | ¬p | tt | ff | cc | Y | φ ∧ φ | φ ∨ φ | 〈a〉(φ) |
[a](φ) | ∃(φ) | ∀(φ) | z.(φ) | µY.[φ] | νY.[φ]
Here, p ∈ 2L is an atomic proposition, cc ∈ Φ(CX) is a clock constraint, Y ∈
Var is a variable (Var is the set of formula variables), a ∈ ΣTA is an action, and
µY.[φ] and νY.[φ] are the least and greatest fixpoint operators over variable Y,
respectively. For freeze quantification, z is a clock in CX f = {z, z1, z2, . . .}. We
assume CX f ∩ CX = ∅.
The relativized timed modal mu-calculus Lrelν,µ syntax replaces ∃(φ) and ∀(φ) with
∃φ1(φ2) and ∀φ1(φ2), where φ1 is also a Lrelν,µ formula. 
To handle the clocks used in freeze quantification (z.(φ)), we extend the timed
automaton’s states (l, ν) to extended states (l, ν, ν f ) using the additional valuation
component ν f : CX f −→ R≥0. This formalism comes from Bouyer et al. [45]. When
clear from context, we will refer to an extended state as (l, ν) and omit the explicit
4.2. Timed Modal-Mu Calcului Lν,µ and Lrelν,µ 152
notation of ν f .
Definition 4.2.2 (Environment θ). An environment θ : Var −→ 2Q is a function that
assigns a set of states to each variable, where θ(Y) represents the set of states that
make the formula Y true. For notation, we have:
θ[Y := Q′](Z) =
 θ(Z) if Z 6= YQ′ if Z = Y

Definition 4.2.3 (Lrelν,µ semantics). Given freeze clock set CX f = {z, z1, z2, . . .},
timed automaton TA (with extended states), and initial environment θ, the se-
mantics of a Lν,µ formula φ, denoted JφKTA,θ , is (easier ones omitted):
• JpKTA,θ = {
(
l, ν, ν f
)
∈ Q | l ∈ p}.
• JYKTA,θ = θ(Y).
• Jφ1 ∧ φ2KTA,θ = Jφ1KTA,θ ∩ Jφ2KTA,θ .
• J〈a〉(φ1)KTA,θ = {
(
l, ν, ν f
)
∈ Q | ∃l1 ∈ L, (ν1, ν1 f ) ∈ V :(
l, ν, ν f
) a−→ (l1, ν1, ν1 f ) and (l1, ν1, ν1 f ) ∈ Jφ1KTA,θ}.
• J[a](φ1)KTA,θ = {
(
l, ν, ν f
)
∈ Q | ∀l1 ∈ L, (ν1, ν1 f ) ∈ V :
if
(
l, ν, ν f
) a−→ (l1, ν1, ν1 f ) then (l1, ν1, ν1 f ) ∈ Jφ1KTA,θ}.
• J∃(φ1)KTA,θ = {
(
l, ν, ν f
)
∈ Q | ∃δ ≥ 0 :
(
l, ν, ν f
) δ−→ (l, ν + δ, ν f + δ)
and
(
l, ν + δ, ν f + δ
)
∈ Jφ1KTA,θ}.
• J∀(φ)1KTA,θ = {
(
l, ν, ν f
)
∈ Q | ∀δ ≥ 0 : if
(
l, ν, ν f
) δ−→ (l, ν + δ, ν f + δ)
then
(
l, ν + δ, ν f + δ
)
∈ Jφ1KTA,θ}.
4.2. Timed Modal-Mu Calcului Lν,µ and Lrelν,µ 153
• Jz.(φ1)KTA,θ = {
(




l, ν, ν f [z := 0]
)
∈ JφKTA,θ}.
• JµY.[φ]K = the least fixpoint of the function φ(Y′) = JφKTA,θ[Y:=Y′]
The semantics of a relativized formula in Lrelν,µ is:
• J∃φ1(φ2)KTA,θ = {(l, ν, ν f ) ∈ Q | ∃δ ≥ 0 :
(
(l, ν + δ, ν f + δ) |= φ2 ∧ ∀δ′, 0 ≤
δ′ < δ : (l, ν + δ′, ν f + δ′) |= φ1
)
}
• J∀φ1(φ2)KTA,θ = {(l, ν, ν f ) ∈ Q | ∀δ ≥ 0 :
(
(l, ν + δ, ν f + δ) |= φ2 ∨ ∃δ′, 0 ≤
δ′ < δ : (l, ν + δ′, ν f + δ′) |= φ1
)
}
Timed automaton TA satisfies φ iff the initial (extended) state (l0, ν0, [CX f :=
0]) satisfies φ.
A formula with a propositional variable can be viewed as a monotonic function
on a complete lattice (monotonicity follows from extending the proof of Cleave-
land [56] to handle the timed operators). Due to Cousot and Cousot [59] we ob-
tain an iterative semantics for fixpoints. Specifically, by treating the formula φ as








Here ∞ may be transfinite to handle the case when the function φ(Y′) is not
continuous. See Kozen [100] for details. 
The logic supports two derived operators: [− ](φ) for ∧a∈ΣTA [a](φ) (for all next
actions) and 〈−〉(φ) for ∨a∈ΣTA〈a〉(φ) (there exists a next action). These operators
are also used for systems that do not use actions symbols. Furthermore, ∃tt(φ) is
the same formula as ∃(φ), and ∀ff(φ) is the same formula as ∀(φ).
The formula ∃φ1(φ2) means, “there exists a time advance where φ2 is true and
φ1 is true for all previous times”, and ∀φ1(φ2) means, “either φ2 is true for all time
4.2. Timed Modal-Mu Calcului Lν,µ and Lrelν,µ 154
advances or φ1 releases φ2 from being true after some time advance.” We define
∀φ1(φ2) as ¬(∃¬φ1(¬φ2)), the dual of ∃φ1(φ2).
The definitions of ∃φ1(φ2) and ∀φ1(φ2) are subtle. In ∃φ1(φ2), φ1 is not required
to be true the time instant φ2 is true, and in ∀φ1(φ2), both φ1 and φ2 must be true
at the time instant φ1 releases φ2 from being true. To illustrate these subtleties,
consider a state q = (l, x1 = 0) that allows time to diverge; q satisfies ∃x1<2(x1 ≥
2), q does not satisfy ∀x1≥2(x1 < 2), and q satisfies ∃x1<2(x1 ≥ 2) ∨ ∀(x1 < 2).
We define ∃φ1(φ2) to have the definition of φ1 [δ〉s φ2 in Bouyer et al. [45]. Using
the derivation in Bouyer et al. [45], we can derive φ2 [δ〉w φ1 of Bouyer et al. [45] as
∃φ2(φ1) ∨ ∀(φ2) (note the inverted positions of φ1 and φ2 in φ2 [δ〉w φ1).
4.2.2 Lrelν,µ Modal Equation Systems
For shorthand, we often write formulas as a system of equations. We write X1
ν
=
φ for νX1.[φ] and X1
µ
= φ for µX1.[φ], putting the outermost fixpoints on top.
This form is called a modal equation system (MES). Using the same proof as for
the untimed modal mu-calculus (see Bradfield and Stirling [49], Cleaveland and
Steffen [57]), the modal equation system form is equally as expressive.
When defining MES for Lrelν,µ, we leverage the definitions of Lrelν,µ in the previous
subsection. The following definition of Lrelν,µ uses the modal-equation system (MES)
format used in Cleaveland and Steffen [57] for untimed systems and in Zhang and
Cleaveland [167, 168] for Lν,µ.
The idea is that we separate Lrelν,µ formulas into two components: basic formulas
(the formulas without fixpoints) and equation systems. The basic formulas are the
operations excluding the fixpoints, and the equations embed the fixpoints.
Definition 4.2.4 (Lν,µ, Lrelν,µ basic formula syntax). Let CX = {x1, x2, . . .} and CX f =
{z, z1, . . .} be disjoint sets of clocks. Then the syntax of a Lν,µ basic formula is given
4.2. Timed Modal-Mu Calcului Lν,µ and Lrelν,µ 155
by the following grammar:
φ ::=p | ¬p | tt | ff | cc | Y | φ ∧ φ | φ ∨ φ | 〈a〉(φ)
| [a](φ) | ∃(φ) | ∀(φ) | z.(φ)
Here, p ∈ 2L is an atomic proposition, cc ∈ Φ(CX) is a clock constraint over
clock set CX, Y ∈ Var is a propositional variable (Var is the set of propositional
variables), and a ∈ ΣTA is an action. In formula z.φ the z. operator is often referred
to as freeze quantification, and each z is a clock in CX f .
The relativized timed modal-mu calculus Lrelν,µ syntax replaces ∃(φ) and ∀(φ) with
∃φ1(φ2) and ∀φ1(φ2). 
As with Lrelν,µ in the original form, formulas are interpreted with respect to
states (i.e. (location, clock valuation) pairs) of a timed automaton and an environ-
ment θ.
Lrelν,µ MESs are mutually recursive systems of equations whose right-hand sides
are basic formulas as specified above. The formal definition of the equation sys-
tems follows.
Definition 4.2.5 (Lrelν,µ MES syntax). Let X1, X2, . . . , Xv be propositional variables,
and let φ1, . . . φv all be Lrelν,µ basic formulae. Then a Lrelν,µ modal equation system (MES)
is an ordered system of equations as follows, where each equation is labeled with








In our MES, we will assume that all variables are bound (every variable in the
right of the equation appears as some left-hand variable). 
When defining MES, we follow the definitions found in Zhang and Cleaveland
4.3. Timed Modal-Mu Calculus Tµ 156
[167, 168]; we also leverage the semantics of these formulas. We use the same lat-
tice interpretation as for the inline form. We now treat each equation in the system
as a function over this lattice. As with the inline form, each function is monotonic.
The parity of the equation is the fixpoint type that we interpret the equation over.
Specifically, given MES X1
µ/ν
= φ1, . . . , Xv
µ/ν
= φv, we may construction a function
that, given a set of states for X1, returns the set of states satisfying φ1, where the
values for X2, . . . , Xv have been computed recursively. This function is monotonic,
and therefore has a unique least and greatest fixpoint. If the parity for X1 is µ,
then the set of states satisfying X1 is the least fixpoint of this function, while if
the parity is ν then the set of states satisfying X1 is the greatest fixpoint. By con-
vention, the meaning of a MES is the set of states associated with X1, the first
left-hand-side in the sequence of equations. However, in the MES, each variable
Xi can be interpreted as its own subformula; this interpretation will prove useful
constructing proofs that a state satisfies a MES.
In this dissertation, we often consider MESs that are alternation-free. Intuitively,
an MES is alternation free if there is no mutual recursion involving variables of
different parities. For more information on the notion, see Emerson and Lei [69].
We denote the alternation-free fragment of Lrelν,µ as L
rel,a f
ν,µ . This restriction is not
prohibitive because for any timelock-free nonzeno timed automaton (see Bowman
and Gómez [47]), we can express any TCTL formula into a Lrel,a fν,µ MES. See Section
4.7 of this dissertation.
4.3 Timed Modal-Mu Calculus Tµ
We now define Tµ, the timed modal mu-calculus of Henzinger et al. [88]; see
Henzinger et al. [88], Penczek and Pólrola [135] for details.
Definition 4.3.1 (Tµ syntax and semantics). The syntax of a Tµ formula is con-
4.4. Region and Logical Equivalence 157
structed with the following grammar:
φ ::=p | cc | Y | φ ∧ φ | ¬(φ) | φ1  φ2 | z.(φ) | µY.[φ]
Except φ1  φ2, all syntactic terms are the same as in Lν,µ (see Definition 4.2.4).
Given the ¬, formulas are restricted to be monotonic. The semantics of  is:
• Jφ1  φ2KTA,θ = {(l, ν, ν f ) ∈ Q | ∃(l′, ν′, ν′f ) ∈ Q, ∃a ∈ ΣTA, and ∃δ ≥ 0 :
((l, ν, ν f )
δ−→ (l′, ν′, ν′f ) or (l, ν, ν f )
δ−→ a−→ (l′, ν′, ν′f )) ∧ (l, ν′, ν′f ) |= φ2 ∧
∀δ′, 0 ≤ δ′ ≤ δ : (l, ν + δ′, ν f + δ′) |= φ1 ∨ φ2}

The intuition of φ1  φ2 is as follows: after some time advance (possibly zero)
and (possibly) a single action, φ2 is true, and at φ1 ∨ φ2 is true for all states up to
and including the state φ2 is satisfied.
4.4 Region and Logical Equivalence
To show that one logic is as expressive or more expressive than another logic, we
use the notion of logical equivalence.
Definition 4.4.1 (Logical equivalence (φ1 ≡M φ2) and logical expressiveness
(L1 ⊆M L2), from Bouyer et al. [45]). Two formula φ1 and φ2 are logically equiva-
lent for a set of models M (φ1 ≡M φ2) if and only if for all M ∈ M, M |= φ1 iff
M |= φ2. Over a set of models M, a logic L1 is as least as expressive as a logic L2
(L1 ⊆M L2) if for all formulas φ1 ∈ L1, there exists a formula φ2 ∈ L2 such that
φ1 ≡M φ2. We say L1 =M L2 iff L1 ⊆M L2 and L2 ⊆M L1. 
In order to establish logical equivalence over timed automata, we would like
4.4. Region and Logical Equivalence 158
to establish a finite search space. Since logical formulas are commonly interpreted
over the lattice of sets of states, our goal is to group the states into a finite set
so that the lattice formulas search over is finite To establish a finite lattice, we
use region equivalence, which is formally defined in Section 2.5.2. As a summary,
region equivalence groups clock valuations into regions where all valuations in the
same region enforce the same clock constraints (up to a certain constant maxc).
Applying the region equivalence relation to a timed automaton creates a new
automaton, the region timed automaton. The region automaton is both bisimilar
to its timed automaton and finite; finite means that the semantics, the transition
system, has a finite number of states and transitions, providing us the finite lattice
that we desire. In this chapter, we leverage the finiteness of this lattice to establish
continuity of monotonic functions over that lattice. This continuity allows us to
use the constructive fixpoint semantics, making the search space finite and the
proofs executable.
We now define a notion of invariance to a relation to provide a means of show-
ing that the region automaton satisfies the same logical formulas as the original
timed automaton.
Definition 4.4.2 (Logic invariance). A logic L is invariant with respect to equivalence
relation R, or R invariant, if for all formulas φ in logic L and for any models M1, M2
such that M1RM2, M1 |= φ⇔ M2 |= φ. 
In this definition, R is a generic relation, and throughout the chapter, we will
substitute a relation such as region equivalence for R and we will use terms such
as bisimulation invariant and region equivalence invariant when R is replaced with
bisimulation or region equivalence, respectively. For M, we typically use the set
of all possible timed automata (T A).
4.5. Lrelν,µ is Region Equivalence Invariant 159





Figure 4.2: Timed automaton with CX = {x1} and a coarse bisimulation.
4.5 Lrelν,µ is Region Equivalence Invariant
Definition 4.5.1 (Respects φ). For any formula φ, we say a bisimulation R respects
clock constraints in φ iff for all states q1, q2, if q1Rq2 then for all clock constraints
cc that are subformulae of φ, q1 |= cc ⇔ q2 |= cc. Furthermore, a bisimulation
R respects φ if R respects clock constraints in φ and for all atomic propositions p,
q1Rq2 implies q1 |= p⇔ q2 |= p. 
In the above definition, the set of atomic propositions are assumed to represent
bisimilar states: i.e. the set of states represented by p in TA1 are the set of states
bisimilar to those represented by p in TA2.
Due to subtleties with formulas allowing (possibly unobservable) atomic propo-
sitions and clock constraints, many logics are not invariant over all bisimulations.
However, this subtlety is handled by using a bisimulation that respects φ.
Claim 4.5.1. Lν,µ, Lrelν,µ, or any timed logic that allows direct expression of clock
constraints using timed automata clocks is not bisimulation invariant.
Proof of Claim 4.5.1. Consider the timed automaton with clock x1 in Figure 4.2.
This timed automaton is bisimilar to one with a single state where every action ex-
ecution and every time advance is a self loop. However, only some of the bisimilar
states satisfy x1 ≤ 2.
However, this is a subtlety handled by using a specific bisimulation. If we
4.5. Lrelν,µ is Region Equivalence Invariant 160
assume that the bisimulation respects all clock constraints, then we prove that Lrelν,µ
is invariant with respect to that bisimulation. Furthermore, while bisimulations
also need to respect all atomic propositions (labels for subsets of locations) in a
formula, bisimulations are often constructed to have bisimilar states satisfy the
same propositions.
Theorem 4.5.2. Let φ be any Lrelν,µ formula, and let TA1 and TA2 be timed
automata with states q1, q2, respectively, such that q1Rq2 in a bisimulation
that respects φ. Then q1 |= φ if and only if q2 |= φ.
Proof of Theorem 4.5.2. We induct on the size of the formula φ. From Bradfield
and Stirling [49], we know that the untimed modal mu-calculus is bisimulation
invariant. This handles all cases (including greatest and least fixpoints) except
for atomic propositions, clock constraints, and the operators ∃(φ), ∀(φ), ∃φ1(φ2),
∀φ1(φ2), 〈−〉(φ), [− ](φ), 〈a〉(φ), [a](φ) and z.(φ).
The proofs for clock constraints and atomic propositions hold because the
bisimulation respects all clock constraints and all atomic propositions. We prove
bisimulation invariance for ∃φ1(φ2); the other operators are similar.
Let q1 = (l1, ν1), q2 = (l2, ν2) and q1 ∼ q2. Suppose q1 |= ∃φ1(φ2). By definition
of ∃φ1(φ2), ∃δ ≥ 0 : (l1, ν1 + δ) |= φ2 ∧ ∀δ′, 0 ≤ δ′ < δ : (l, ν + δ′) |= φ1. Since
q1 ∼ q2, we know q2 δ−→ (l2, ν2 + δ) and (l1, ν1 + δ) ∼ (l2, ν2 + δ) and by the
definition of ∼, (l1, ν1 + δ′) ∼ (l2, ν2 + δ′). By our inductive hypothesis, we are
done, since if (l1, ν1 + δ) |= φ2, then (l2, ν2 + δ) |= φ2. The same reasoning can be
used to show that φ1 is true for all states (l, ν + δ′) for all time advances δ′ < δ.
(When proving φ1 holds for all time advances δ′ < δ, we use that ∼ respects all
clock constraints). If q1 6|= ∃φ1(φ2), the proof that q2 6|= ∃φ1(φ2) is similar.
4.6. Tµ ⊆T A Lrelν,µ 161
Even though region equivalence is a time-abstract bisimulation, because it re-
spects all clock constraints (assuming we pick a large enough maximum constant)
and all atomic propositions, we can adapt this theorem to get this corollary:
Corollary 4.5.1. Let φ be an Lrelν,µ formula, TA be a timed automaton, ∼r be the
region equivalence relation, and TAR be its region automaton (formed using a
constant large enough such that ∼r respects φ). For all states q1 ∈ TA, q2 ∈ TAR,
if q1 ∼r q2 then q1 |= φ if and only if q2 |= φ.
Proof of Corollary 4.5.1. Similar to the proof of Theorem 4.5.2 with the following
adaptation. Whenever there is a time advance δ in a run on one timed automaton,
instead of just advancing δ, use the region equivalence relation to advance a proper
amount of time. Selecting this time advance is exactly the same as in the proof of
Lemma 44 of Clarke et al. [55].
4.6 Tµ ⊆T A Lrelν,µ
Henzinger et al. [88] give a TCTL formula for the Tµ operator φ1  φ2. While we
could use that TCTL representation and then embed it into Lrelν,µ using the Lrelν,µ
equivalents of TCTL formulas in Section 4.7, by embedding φ1  φ2 directly into
Lrelν,µ, we can get a simpler expression.
Claim 4.6.1. Tµ ⊆T A Lrelν,µ, using:
φ1  φ2 ≡ ∃φ1 ∨ φ2(φ2 ∨ ((φ1 ∨ φ2) ∧ 〈−〉(φ2))) (4.1)
Proof of Claim 4.6.1. Follows from the operators’ definitions.
4.7. TCTL ⊆T A Lrelν,µ 162
Likewise, the dual of  has the analogous Lrelν,µ expression ∀φ1 ∧ φ2(φ2 ∧ ((φ1 ∧
φ2) ∨ [− ](φ2))).
4.7 TCTL ⊆T A Lrelν,µ
4.7.1 Incorrect Attempts to Show TCTL ⊆T A Lrelν,µ
When trying to write TCTL formulas in Lrelν,µ, based on the ease of expressing anal-
ogous untimed CTL formulas in the modal mu-calculus, the following reasonable












= φ ∨ (∀(Y) ∧ [− ](Y)) (4.4)
EG [φ]






?≡T A Y ν= φ2 ∨ (φ1 ∧ (∀(Y) ∧ [− ](Y))) (4.6)
E [[φ1]W [φ2]]
?≡T A Y ν= ∃φ1(φ2 ∨ 〈−〉(Y)) (4.7)
While these attempts are reasonable, they are all incorrect.
Example 4.7.1 (Need to check in-between time advances). Consider the timed
automaton TA1 in Figure 4.3 and the TCTL formula E [[EF=0 [l1]]U [l2]].
To see that the initial state (l0, x1 = 0) of TA1 does not satisfy E [[EF=0 [l1]]U [l2]],
notice that at the state (l0, x1 = 4.2), EF=0 [l1] is false; that state cannot immedi-
ately transition to location l1. Also, because no state in location l0 can transition to
location l2 until x1 ≥ 5, every path from location l0 that reaches location l2 must
pass through (l0, x1 = 4.2).
Now, we show that the initial state of TA1 satisfies the formula written using
4.7. TCTL ⊆T A Lrelν,µ 163


























Figure 4.3: Timed automata TA1 and TA2.
Equation 4.2. The reasoning to show that the initial state of TA1 satisfies the for-
mula written using Equation 4.3, is similar. The formulation using Equation 4.2,
assuming an oracle Lrelν,µ formula for EF=0 [l1], is:
Y
µ
= l2 ∨ (EF=0 [l1] ∧ ∃(EF=0 [l1] ∧ 〈−〉(Y)) (4.8)
Consider the path prefix (l0, x1 = 0)
5−→ (l0, x1 = 5) a−→ (l2, x1 = 5). By construc-
tion of Equation 4.8, the premise EF=0 [l1] is only checked at time 0 and time 5,
and at those two times,EF=0 [l1] is true. Then, at time 5, the action a is executed
and location l2 is reached. As a result, the initial state of TA1 does satisfy Equation
4.8.
Intuition Summary: φ1 must be checked in between the initial time and the final
time. 
Example 4.7.2 (Need to handle time-convergent circularities). Now consider the
timed automaton TA2 in Figure 4.3 and the TCTL formula AF [l1].
To see that the initial state (l0, x1 = 0) of TA2 satisfies AF [l1], note that because
4.7. TCTL ⊆T A Lrelν,µ 164
of the invariant x1 < 6, all time-divergent paths must leave location l0. Since there
is no guard on the edge to location l1, there is a path that can transition to l1.
Hence, all time-divergent paths take that edge and eventually transition to location
l1.
Now, we show that the initial state of TA2 satisfies the formula written using
Equation 4.4. The formulation written using Equation 4.4 is:
Y
µ
= l1 ∨ (∀(Y) ∧ [− ](Y)) (4.9)
Consider the following time-convergent path: (l0, x1 = 0)
0−→ (l0, x1 = 0) 0−→
(l0, x1 = 0)
0−→ . . .. While not time-divergent, because of the ∀(Y) branch of
Equation 4.9, the state (l0, x1 = 0) will be visited again. This results in a least
fixpoint circularity, which indicates a false path. Since we are conjuncting over a
least-fixpoint circularity, this formula returns ff.
Intuition Summary: the time-convergent execution 0−→ 0−→ . . . creates a ff cir-
cularity in a, ∧ formula.

Example 4.7.3 (Need to exclude time-convergent paths). Again, consider the timed
automaton TA2 in Figure 4.4 but consider the TCTL formula EG [l0 ∧ x1 < 6].
To see that the initial state of TA2 does not satisfy EG [l0 ∧ x1 < 6], notice that
for time to diverge, any path must leave location 0. Time cannot diverge in location
l0.
However, the initial state of TA2 satisfies the formula written using Equation
4.5. Written out, we get the formula:
Y ν= ∃(l0 ∧ x1<6)
(
(l0 ∧ x1 < 6) ∧ 〈−〉(Y)
)
∨ ∀((l0 ∧ x1 < 6)) (4.10)
4.7. TCTL ⊆T A Lrelν,µ 165




















Figure 4.4: Timed automata TA3 and TA4.
Consider the time convergent path from the initial state (l0, x1 = 0)
3−→ (l0, x1 =
3) 3/2−→ (l0, x1 = 4.5) 3/4−→ . . .. This path satisfies ∀(l0 ∧ x1 < 6), and due to the
invariant of l0, the state (l0, x1 = 0) satisfies ∀(l0 ∧ x1 < 6). Because this path is
time-convergent, it should be rejected (but it is not).
Intuition Summary: Paths in locations where time cannot advance are consid-
ered valid paths, but due to being time-convergent should be rejected. 
Example 4.7.4 (Need to check in-between time advances (ii)). Consider timed au-
tomaton TA3 in Figure 4.4 and the TCTL formula A [[x1 < 6]W [5 ≤ x1 ≤ 6 ∨ l1]].
Using Equation 4.6, the Lrelν,µ formula is:
Y ν= (5 ≤ x1 ≤ 6 ∨ l1) ∨ (x1 < 6 ∧ (∀(Y) ∧ [− ](Y))) (4.11)
While TA3 satisfies A [[x1 < 6]W [5 ≤ x1 ≤ 6 ∨ l1]], TA3 does not satisfy Equation
4.11.
Intuition Summary: during the transition 7−→, after 6 time units the run is re-
leased from needed φ1 or φ2 to be true. 
4.7. TCTL ⊆T A Lrelν,µ 166
Example 4.7.5 (Need to check before and after action executions). Now consider
timed automaton TA4 in Figure 4.4 and the TCTL formula E [[AG=0 [l0]]W [l1]].
The Lrelν,µ formula formed using Equation 4.7 is:
Y ν= ∃AG=0[l0](l1 ∨ 〈−〉(Y)) (4.12)
TA4 does not satisfy E [[AG=0 [l0]]W [l1]]. Assuming an oracle Lrelν,µ formula for
AG=0 [l0], TA4 satisfies Equation 4.12.
Intuition Summary: φ1 needs to be checked after the time advance but before
the action is executed (the definition of ∃φ1(φ2) does not check φ1 at the final time).

4.7.2 Converting Interval Timing Bounds
The first component of encoding TCTL is to write timing constraints using freeze
quantification. Bouyer et al. [44] showed that freeze quantification is strictly more
expressive than timing constraints. They did this in the context of timed extensions
of LTL: MTL (Metric Temporal Logic), which uses timing interval constraints; and
TPTL (Timed Propositional Temporal Logic), which uses freeze quantification. We
use their [44] solution to express timing constraints with freeze quantification,
which is as follows.
Introduce a freeze quantification clock z. Then, given ./∈ {=,<,≤,>,≥} and
c ∈ Z≥0 ∪ {∞}, write:
E [[φ1]U./c [φ2]] ≡T A z.(E [[φ1]U<∞ [(φ2 ∧ z ./ c)]])
E [[φ1] R./c [φ2]] ≡T A z.(E [[φ1] R<∞ [(z 6./ c ∨ φ2)]])
In these formulas, z 6./ c is the negated inequality of z ./ c. The constraint is
4.7. TCTL ⊆T A Lrelν,µ 167
negated before it is put in the formula.
4.7.3 Expressing TCTL in Lrelν,µ
We can embed TCTL into Lrelν,µ; here ./∈ {=,<,≤,>,≥} and c ∈ Z≥0 ∪ {∞}. We
first provide simpler Lrelν,µ formulas with the timelock-free and nonzeno assump-
tions. We remove these assumptions in Section 4.7.4.
Theorem 4.7.1. For any timed automaton TA, any of its states (l, ν), and any
TCTL formulas φ1 and φ2:
if TA is timelock-free, then
(l, ν) |= E [[φ1]U./c [φ2]]⇔









(φ2 ∧ z ./ c) ∨ (φ1 ∧ 〈−〉(Y2))
)
(4.13)
and if TA is timelock-free and nonzeno, then
(l, ν) |= E [[φ1] R./c [φ2]]⇔







= ∃z1 6./c∨ φ2
(
(φ1 ∧ (z1 6./ c ∨ φ2))∨
((z1 6./ c ∨ φ2) ∧ 〈−〉(Y2))
)
∨(
∀(z.(∃(z ≥ 1))) ∧ ∀(z1 6./ c ∨ φ2)
)
(4.14)
4.7. TCTL ⊆T A Lrelν,µ 168
Here are the Lrelν,µ formulas for E [[φ1]U [φ2]] and E [[φ1] R [φ2]] without timing
constraints:




φ2 ∨ (φ1 ∧ 〈−〉(Y))
)
(4.15)
E [[φ1] R [φ2]] ≡T A Y ν= ∃φ2
(
(φ1 ∧ φ2) ∨ (φ2 ∧ 〈−〉(Y2))
)
∨(
∀(z.(∃(z ≥ 1))) ∧ ∀φ1(φ2)
)
(4.16)
and here are Lrelν,µ formulas for some other TCTL operators:




(φ1 ∨ φ2) ∧ (φ2 ∨ [− ](Y2))
)
∧(
∃(z.(∀(z < 1))) ∨ ∃φ1(φ2)
)
(4.17)
A [[φ1] R [φ2]] ≡T A Y ν= ∀φ1
(
φ2 ∧ (φ1 ∨ [− ](Y))
)
(4.18)
EF [φ1] ≡T A Y
µ
= ∃(φ1 ∨ 〈−〉(Y)) (4.19)






∀(z.(∃(z ≥ 1))) ∧ ∀(φ1)
)
(4.20)








∃(z.(∀(z < 1))) ∨ ∃(φ1)
)
(4.21)
AG [φ1] ≡T A Y ν= ∀(φ1 ∧ [− ](Y)) (4.22)
To prove our embedding of E [[φ1] R [φ2]] in Lrelν,µ, we use the following three
lemmas:
Lemma 4.7.2. Let TA be a timed automaton and (l, ν) be one of TA′s states. Then
(l, ν) 1−→ 1−→ 1−→ . . . if and only if (l, ν, [CX f := 0]) |= ∀(z.(∃(z ≥ 1))).
The formula ∀(z.(∃(z ≥ 1))) means: “time can elapse in the current location
4.7. TCTL ⊆T A Lrelν,µ 169
by an infinite amount.”
Proof of Lemma 4.7.2. Time can diverge in (l, ν) if and only if (l, ν) has the (infi-
nite) sequence of time advances (l, ν) 1−→ 1−→ 1−→. This is true if and only if for all
δ ≥ 0, (l, ν + δ) 1−→ (l, ν + δ + 1), which by definition of timed automata invari-
ants and time advance transitions is true if and only if there is a δ′ ≥ 0 such that
(l, ν + δ) 1+δ
′
−→ (l, ν + δ + 1 + δ′).
Lemma 4.7.3. In TCTL, E [[φ1] R [φ2]] ≡T A E [[φ2]U [φ1 ∧ φ2]] ∨ EG [φ2]
Proof of Lemma 4.7.3. Similar to the proof in Clarke et al. [55] for the analogous
derivation of E [[φ1] R [φ2]] in CTL.
Lemma 4.7.4. For any timed automaton TA, any of its states (l, ν), and any TCTL
formula φ1: if TA is nonzeno, then
(l, ν) |= EG [φ1]⇔






∀(z.(∃(z ≥ 1))) ∧ ∀(φ1)
)
(4.23)
Proof of Lemma 4.7.4. We use the same premises and the same region automaton
construction from TA as in Theorem 4.7.1. This proof is inspired by the analogous
CTL proof in Clarke et al. [55].
Proving EG [φ1]:






∀(z.(∃(z ≥ 1))) ∧ ∀(φ1)
)
(4.24)
4.7. TCTL ⊆T A Lrelν,µ 170
Fixpoint: First, we show that EG [φ1] is a fixpoint; i.e.
EG [φ1] =∃φ1(φ1 ∧ 〈−〉(EG [φ1])) ∨ (∀(z.(∃(z ≥ 1))) ∧ ∀(φ1)) (4.25)
⇒
(
EG [φ1] ⊆ ∃φ1(φ1 ∧ 〈−〉(EG [φ1])) ∨ (∀(z.(∃(z ≥ 1))) ∧ ∀(φ1))
)
: Suppose
(l, ν) |= EG [φ1]. By definition of EG [φ1], we have a time-divergent path from
(l, ν) where φ1 is always true, which by definition means: either the path diverges
to ∞ in location l, or the path takes a time advance and an action to a state
(l′, ν′) that satisfies EG [φ1]. By Lemma 4.7.2, the first path occurs if and only if
(l, ν) |= (∀(z.(∃(z ≥ 1))) ∧ ∀(φ1)). The second path occurs if and only if (l, ν) |=
∃φ1(φ1 ∧ 〈−〉(EG [φ1])).
⇐
(




Greatest fixpoint: Now we show that EG [φ1] is the greatest such fixpoint.
To do this, we use the constructive semantics of ν. Defining our fixpoint func-












: similar to the proof of (
⋃∞
i=0 φ




i(2Q) ⊆ EG [φ1]
)
: Suppose (l, ν) ∈ ⋂∞i=0 φi(2Q). Because our lattice
is finite, there exists some iteration f such that φ f+1(2Q = φ f (2Q) Because (l, ν)
is in every iteration i, (l, ν) ∈ φ f+1(2Q) and (l, ν) ∈ φ f (2Q). By definition of our
function φ, since (l, ν) ∈ φ(φ f (2Q)), lν |= ∃φ1(φ1 ∧ 〈−〉(φ f (2Q))) ∨ (∀(z.(∃(z ≥
1))) ∧ ∀(φ1)). Using the definitions of the formulas, this means that (l, ν) |= φ1,
and there exists a δ and an action a such that for all δ′ ≤ δ, (l, ν + δ′) |= φ1 and
(l, ν + δ) a−→ (l′, ν′) and (l′, ν′) ∈ φ f (2Q). Because f is the fixpoint iteration and φ
is monotonic, (l′, ν′) ∈ ⋂∞i=0 φi(2Q). Hence, by repeating iterations, we have found
an infinite sequence of states starting at (l, ν) that always satisfies φ1. Since this
4.7. TCTL ⊆T A Lrelν,µ 171
infinite sequence contains an infinite number of actions, by the nonzeno assump-
tion, this sequence is a time-divergent path. Hence, (l, ν) |= EG [φ1].
The formulations are subtle, especially for EG [φ] (and hence E [[φ1] R [φ2]]).
From the definition of EG [φ], there are two different types of time-divergent paths
that can be chosen to satisfy EG [φ].
1. The path allows time to diverge in a single location.
2. The path visits some state infinitely often.
Even assuming that the timed automaton is timelock-free and nonzeno, ensuring
that the formula always finds a time-divergent path is subtle.
To detect paths of condition (1), we utilize the formula in Lemma 4.7.2, which
determines if there is a time-divergent path that never leaves the current location
(not state). With this formula, the partial formula ∀(z.(∃(z ≥ 1))) ∧ ∀(φ) deter-
mines that if such a time-divergent path exists, φ is always true. While ∀(φ) may
seem sufficient, it considers additional time-convergent paths that stay in that
current location. Using this simplification would result in our formula giving a
time-convergent path instead of a time-divergent path. Example 4.7.3 in Section
4.7.1 is a counterexample showing that ∀(φ) is not sufficient for this purpose.
The other disjunct, ∃φ1(φ1 ∧ 〈−〉(Y)) covers paths of condition (2). Many of
the subtleties that resulted in this formulation requiring the relativization operator
are demonstrated and discussed in the previously discussed counterexamples in
Section 4.7.1. (These subtleties also apply to E [[φ1]U [φ2]].)
Now, using the above Lemmas, we prove Theorem 4.7.1.
Proof of Theorem 4.7.1. This proof is inspired by the analogous CTL proof given
in Clarke et al. [55]. The correctness for handling the timing constraints ./ c is
4.7. TCTL ⊆T A Lrelν,µ 172
argued in Section 4.7.2; therefore, we show the correctness for formulas without
time bounds.
Establishing the finite lattice: Let TA be an arbitrary timed automaton and
φ1, φ2 be arbitrary TCTL formulas. Because Lrelν,µ is region equivalence invariant,
by Corollary 4.5.1, TA and its region automaton TAR (TAR is formed using a con-
stant high enough to respect ./ c, φ1 and φ2) either both satisfy the given Lrelν,µ
formula or they both do not. Since TCTL properties also respect region equiv-
alence (assuming TAR also respects the formula’s constants) [152], showing TA
satisfies the TCTL formula if and only if TA satisfies the corresponding Lrelν,µ for-
mula is equivalent to showing TAR satisfies the TCTL formula if and only if TAR
satisfies the corresponding Lrelν,µ formula. Because all region timed automata are
finite [5] and Lrelν,µ formulas are monotonic, the lattice is finite and all monotonic
functions over the lattice are continuous. Hence, we can use the iterative semantics
in Definition 4.2.3 where iterations only need to go up to order ω (finitely many
iterations suffice) to establish the equivalence.
In these proofs, we assume there are no urgent locations in TA. We handle
urgent locations in Remark 4.7.1.
Proving E [[φ1]U [φ2]] (Equation 4.15):
Fixpoint: We show that E [[φ1]U [φ2]] is a fixpoint; i.e.
E [[φ1]U [φ2]] = ∃φ1(φ2 ∨ (φ1 ∧ 〈−〉(E [[φ1]U [φ2]]))) (4.26)
⇐
(
∃φ1(φ2 ∨ (φ1 ∧ 〈−〉(E [[φ1]U [φ2]]))) ⊆ E [[φ1]U [φ2]]
)
: Suppose (l, ν) |=
∃φ1(φ2 ∨ (φ1 ∧ 〈−〉(E [[φ1]U [φ2]]))). If (l, ν) |= ∃φ1(φ2), then by definition this
means that there is a time advance δ such that (l, ν + δ) |= φ2 and for all previous
times δ′ < δ, (l, ν + δ′) |= φ1. By the timelock-free assumption, there is a time-
4.7. TCTL ⊆T A Lrelν,µ 173
divergent path from (l, ν) with this path prefix. Hence, (l, ν) |= E [[φ1]U [φ2]].
Else, (l, ν) |= ∃φ1(φ1 ∧ 〈−〉(E [[φ1]U [φ2]])). Hence, there is some path prefix with
a (possibly 0) time-advance δ and an action a such that for all δ′ ≤ δ (l, ν +
δ′) |= φ1 and after taking the action a, the resulting state satisfies E [[φ1]U [φ2]].
By definition, this path prefix concatenated with the path from the state satisfying
E [[φ1]U [φ2]] satisfies E [[φ1]U [φ2]].
⇒
(
E [[φ1]U [φ2]] ⊆ ∃φ1(φ2 ∨ (φ1 ∧ 〈−〉(E [[φ1]U [φ2]])))
)
: similar to⇐. (Note:
the⇒ direction does not require the timelock-free assumption.)
Least fixpoint: Now we show that E [[φ1]U [φ2]] is the least such fixpoint. To
do this, we use the constructive semantics of µ, define φ(Y) = ∃φ1(φ2 ∨ (φ1 ∧







i ⊆ E [[φ1]U [φ2]]
)




E [[φ1]U [φ2]] ⊆
⋃∞
i=0 φ
i): Let (l, ν) |= E [[φ1]U [φ2]]. By definition and the
finiteness of region automata, there is some time-divergent path that satisfies
E [[φ1]U [φ2]] and φ2 is satisfied within a finite number of actions. We induct on
the number of these action executions.
Proof by Strong Induction on k, the number of actions.
Base case: k = 0. Proof omitted.
Strong Induction Hypothesis: For all states (l, ν) satisfying E [[φ1]U [φ2]] with a




Induction step. Let (l, ν) |= E [[φ1]U [φ2]], and let it have a time-divergent path
that satisfies E [[φ1]U [φ2]] with a prefix of exactly k action steps to the state that
satisfies φ2 (here k ≥ 1). By definition of E [[φ1]U [φ2]], (l, ν) satisfies E [[φ1]U [φ2]]
in k steps (actions) iff (l, ν) |= φ2 or there is a δ where (l, ν + δ) |= φ2 and for all
δ′, 0 ≤ δ′ < δ, (l, ν + δ′) |= φ1 or there is a δ and an action a where (l, ν + δ) a−→
4.7. TCTL ⊆T A Lrelν,µ 174
(l′, ν′) such that (l′, ν′) |= E [[φ1]U [φ2]] in k − 1 action execution steps and for
all δ′, 0 ≤ δ′ ≤ δ, (li, νi + δ′) |= φ1. After distributing the wording, we get: either
(l, ν) |= φ2; or there exists a δ where (l, ν + δ) |= φ2 and for all δ′ < δ, (l, ν +
δ′) |= φ1); or (l, ν + δ) a−→ (l′, ν′) such that (l′, ν′) |= E [[φ1]U [φ2]] in k − 1 or
fewer action executions, and for all δ′, 0 ≤ δ′ ≤ δ, (l, ν + δ′) |= φ1. By definition,
the first two disjuncts are the subformula ∃φ1(φ2), and the third disjunct is the
subformula ∃φ1(φ1 ∧ 〈−〉(Y)). Our formula in Equation 4.13 is the disjunct of
these two formulas, which by definition, is the wording above. By the strong
induction hypothesis, if (l′, ν′) |= E [[φ1]U [φ2]] in k − 1 or fewer action steps,
then (l′, ν′) ∈ ⋃∞i=0 φi.
Proving E [[φ1]R [φ2]] (Equation 4.16):
We reduce this formulation to the disjunction of E [[φ2]U [φ1 ∧ φ2]] ∨ EG [φ2]
by utilizing logical equivalences. We begin with using absorption (p ≡ p ∨ (p ∧
q)) to add a least fixpoint variable Y2 as follows:
Y ν= ∃φ2
(
(φ1 ∧ φ2) ∨ (φ2 ∧ 〈−〉(Y)) ∨ (φ2 ∧ 〈−〉(Y2))
)





(φ1 ∧ φ2) ∨ (φ2 ∧ 〈−〉(Y2))
)
If we examine Y2 and (for now) ignore the fixpoints on the variables of Y and
Y2, we notice that Y2 is a subformula of Y. Therefore, if Y2 were a ν fixpoint, we
would be done. By Tarski’s theorem [148] and the construction of our lattice, the
greatest fixpoint of any formula φ contains all of the states of the least fixpoint of
φ. Hence, (φ2 ∧ 〈−〉(Y2)) with a least fixpoint is a subformula of (φ2 ∧ 〈−〉(Y2))
with a greatest fixpoint, which is a subformula of (φ2 ∧ 〈−〉(Y)).
4.7. TCTL ⊆T A Lrelν,µ 175
Using additional logical equivalences, we get:
Y′
µ/ν













(φ1 ∧ φ2) ∨ (φ2 ∧ 〈−〉(Y2))
)
By the first part of this Theorem and by the timelock-free assumption, Y2 ≡T A
E [[φ2]U [φ1 ∧ φ2]]. By Lemma 4.7.4 and by the nonzeno assumption, Y ≡T A
EG [φ2]. Therefore, Y′ ≡T A E [[φ2]U [φ1 ∧ φ2]] ∨ EG [φ1]. By Lemma 4.7.3, Y′ ≡T A
E [[φ1] R [φ2]].
Remark 4.7.1 (Handling urgent locations). For urgent locations, there are no time
advances. Technically, we must add the subformula inside the ∃ (of E [[φ1]U [φ2]]
or E [[φ1] R [φ2]]) as a disjunct outside of the ∃. This would result in the formulas
becoming the longer formulas below.









φ2 ∨ (φ1 ∧ 〈−〉(Y))
)
(4.27)
E [[φ1] R [φ2]] ≡T A Y ν=
(





(φ1 ∧ φ2) ∨ (φ2 ∧ 〈−〉(Y2))
)
∨(
∀(z.(∃(z ≥ 1))) ∧ ∀φ1(φ2)
)
(4.28)
However, since tools can handle the urgency internally by removing the ∃ and
examining the subformula when encountering an urgent state, such a subtlety
is addressed without having to further complicate the formula. Hence, the proof
assumes no urgent locations and allows the simpler formulas.
4.7. TCTL ⊆T A Lrelν,µ 176
























Figure 4.5: Timed automaton TAtl with a timelock and zeno timed automaton TAz
with zeno timed runs.
In Theorem 4.7.1, the formula for E [[φ1]U./c [φ2]] requires that the timed au-
tomaton be timelock-free and the formula for E [[φ1] R./c [φ2]] requires that the
timed automaton be timelock-free and nonzeno. We give examples illustrating
that for these formulas, these assumptions are necessary.
Example 4.7.6 (Necessity of assumptions). Consider timed automata TAtl and
TAz in Figure 4.5, and consider the following TCTL formulas and their Lrelν,µ equiv-
alents from Theorem 4.7.1:
E [[l0]U [l1]] ≡T A Y
µ
= ∃l0(l1 ∨ (l0 ∧ 〈−〉(Y))) (4.29)
E [[l1] R [l0 ∨ x1 ≤ 0]] ≡T A Y ν= ∃l0 ∨ x1≤0((l1 ∧ (l0 ∨ x1 ≤ 0))
∨ ((l0 ∨ x1 ≤ 0) ∧ 〈−〉(Y))) ∨ (∀(z.(∃(z ≥ 1))) ∧ ∀(l0 ∨ x1 ≤ 0)) (4.30)
EG [l0] ≡T A Y ν= ∃l0(l0 ∧ 〈−〉(Y)) ∨ (∀(z.(∃(z ≥ 1))) ∧ ∀(l0))) (4.31)
While TAtl does not satisfy E [[l0]U [l1]], TAtl satisfies Equation 4.29 with the time
locked execution (l0, x1 = 0)
5−→ (l0, x1 = 5) a−→ (l1, x1 = 0) . . .. Likewise, while
TAtl does not satisfy E [[l1] R [l0 ∨ x1 = 0]], TAtl satisfies Equation 4.30 with the
4.7. TCTL ⊆T A Lrelν,µ 177
time locked execution (l0, x1 = 0)
5−→ (l0, x1 = 5) a−→ (l1, x1 = 0) . . . (at this point
x1 = 0 and l1 are true). TAz does not satisfy EG [l0], but TAz satisfies Equation 4.31
with the zeno execution (l0, x1 = 0)
a−→ (l0, x1 = 0) a−→ (l0, x1 = 0) . . . (repeated
a actions).
Intuition Summary: In all three cases, the only executions satisfying the proper-
ties are time-convergent, yet the fixpoint formulas consider these executions valid
(circularity does not consider time-divergence of the rest of the path). 
4.7.4 Removing Timelock-free and Nonzeno Assumptions
Theorem 4.7.5. TCTL ⊆T A Lrelν,µ.
Proof of Theorem 4.7.5. Theorem 4.7.1 showed how to encode TCTL formulas for
timed automata satisfying timelock-free and nonzeno assumptions. Consider the
TCTL-like formula EG [z.(F [z = 1])] from Henzinger et al. [88]. This formula






= (z = 1 ∧ Yt) ∨ ∃(Y2 ∨ 〈−〉(Y2)) (4.32)
To remove the need for the timelock-free assumption: replace φ2 in E [[φ1]U./c [φ2]]
with φ2 ∧ Yt, and replace φ1 in E [[φ1] R./c [φ2]] with φ1 ∧ Yt.
Here we eliminate the need for the nonzeno assumption for E [[φ1] R./ [φ2]]
(E [[φ1]U./ [φ2]] does not assume the nonzeno property). Our formula is YA ∨
(YB ∧ YC). YA is E [[φ1] R./c [φ2]] with the fixpoint inverted from a ν to a µ. YB is
4.8. Lν,µ 6⊆T A TCTL and TCTL 6⊆T A Lν,µ 178
our formula for E [[φ1] R./ [φ2]], and YC is the MES:
YC
ν
= z.(φ2 ∧ Yc2)
Yc2
µ
= (φ2 ∧ z = 1 ∧ YC) ∨ ∃(Yc2 ∨ 〈−〉(Yc2)) (4.33)
YC, similar to EG [φ2 ∧ z.(F [z = 1])], means, “there exists a cycle of time advances
and actions such that: φ2 is always true and time can always advance by one unit”
(proof omitted).
To sketch the correctness of YA ∨ (YB ∧ YC): subformula YA is true if and only
if E [[φ1] R./c [φ2]] is true from finding a path using φ1 to release φ2, or φ2 is always
true in a path ending in a state where time diverges to ∞. If YA is true, then this
path is non-zeno by construction and we are done (YB will also be true). Else, we
check our original formula E [[φ1] R./ [φ2]]. Given YA is false, YB is true if and only
if we have a cycle (involving action executions) where φ2 is always true. If YB is
false, then the formula is false and we are done. If YB is true, then the satisfying
path is a cycle (involving action transition) such that φ2 is always true. Such a
nonzeno path or cycle exists if and only if YC is true.
4.8 Lν,µ 6⊆T A TCTL and TCTL 6⊆T A Lν,µ
4.8.1 Expressive power of fixpoints: Lν,µ 6⊆T A TCTL







= z ≤ 0 ∧ ∀(z ≤ 0 ∧ [− ](Y2)) (4.34)
4.8. Lν,µ 6⊆T A TCTL and TCTL 6⊆T A Lν,µ 179







Figure 4.6: The left timed automaton with invariant x1 ≥ 0 does not allow time to
advance; the right timed automaton with invariant x1 ≥ 1 does.
Proof of Claim 4.8.1. The formula in Claim 4.8.1 means “for all executions, time
never advances.” Consider the two timed automata in Figure 4.6. The left automa-
ton satisfies the formula, but the right automaton does not. Since there are no
time-divergent paths, TCTL can only ask about the initial state (l1, x1 = 0), which
is the same for both automata.
There is another non-constructive way to show that TCTL 6⊆T A Lν,µ that fol-
lows from specification complexity results in Aceto and Laroussinie [2]. The spec-
ification complexity of the model-checking problem is the complexity of model-
checking any formula on the single-location nil timed automaton: a timed automa-
ton with one location l0 with the invariant tt and no edges. There can be an ar-
bitrary number of clocks. The following claim is proven in Aceto and Laroussinie
[2].
Claim 4.8.2 (Specification complexity results [2]). The model-checking problem for
Lν overnil timed automata is PSPACE-complete. The model-checking problem for
Lν,µ over nil timed automata is EXPTIME-complete.
Hence, even over an extremely simplified space of models, model-checking
Lν,µ formulas is still EXPTIME-complete. The complexity arises from the power of
freeze-quantification with the time -advance modal operators. Without fixpoints,
these alone can be used to ask whether exact integer time-unit time advances
4.8. Lν,µ 6⊆T A TCTL and TCTL 6⊆T A Lν,µ 180
happened. Somewhat surprisingly, as shown in Aceto and Laroussinie [2], these
formulas with these transitions can be used to encode the a quantified boolean
formula, which is a PSPACE-complete problem. Allowing fixpoints makes the
formulas even more powerful.
While model-checking a Lν,µ formula over the nil automaton is EXPTIME-
complete, the problem is much simpler for TCTL formulas without freeze quan-
tifications. This yields a non-constructive proof of the above claim, expressed in the
following corollary:
Corollary 4.8.1. Lν,µ 6⊆ TCTL
Proof of Corollary 4.8.1. Without action transitions, there is only one path: wait-
ing. Since TCTL only involves path operators involving location constraints, any
location constraint is either true or false, regardless of the amount of time spent.
Hence, over these nil automata, waiting neither makes a property true or false.
Therefore, model-checking TCTL over nil automata is in P. Since there is only
one path, the path operator E or A can be ignored. Since waiting cannot help,
[[φ1]U [φ2]] is equivalent to φ2 regardless of the timing operator.
By Claim 4.8.2 [2], the model-checking problem for Lν,µ over nil automata is
EXPTIME-complete. Since P 6= EXPTIME by the Deterministic Time Hierarchy
Theorem (see Arora and Barak [16]), we know that the model-checking problem
over nil automata for Lν,µ is harder than for TCTL formulas. Hence, there exists a
formula that Lν,µ can say that TCTL cannot.
4.8.2 Necessity of Relativization for TCTL: TCTL 6⊆T A Lν,µ
Claim 4.8.3. Lν,µ cannot express ∀〈b〉(tt)([a](ff)); therefore, Lν,µ 6=T A Lrelν,µ.
Proof Sketch of Claim 4.8.3. Bouyer et al. [45], show that Lν cannot express the
4.9. Proving Lν,µ 6=T A Lrelν,µ 181
formula ∀〈b〉(tt)([a](ff)). We adapted their proof to cover least fixpoints by strength-
ening Gluing Everything of Bouyer et al. [45]. See Section 4.9 for details.
Theorem 4.8.4. There exist Lν,µ formulas φ1 and φ2 such that Lν,µ cannot
express A [[φ1] R [φ2]]. Hence, TCTL 6⊆T A Lν,µ.
Proof of Theorem 4.8.4. Suppose not. Then consider φact, defined as ¬ l0 ∨ (z >
0 ∧ ∨xi∈CX(xi ≤ 0)), and the formula: z.(A [[φ1 ∨ φact] R [φ2 ∨ φact]]).
(l0, ν0, [CX f := 0]) |= z.(A [[φ1 ∨ φact)] R [φ2 ∨ φact]]) iff (l0, ν0, [CX f := 0]) |=
∀φ1(φ2). This contradicts Claim 4.8.3. Since this formula can be used for all timed
automata (details omitted), TCTL 6⊆T A Lν,µ.
4.9 Proving Lν,µ 6=T A Lrelν,µ
4.9.1 Summary of Previous Work
Bouyer et al. [40, 45] proved that Lrelν 6= Lν by showing that one cannot write
∀〈b〉(tt)([a](ff)) in Lν. We adapt this proof. In order to show which parts need
to be adapted when least fixpoints are added, we summarize the proof given in
Bouyer et al. [40, 45], following the version presented in Bouyer et al. [40]. In
Section 4.9.2 we prove the components of this proof that need to be proven when
least fixpoints are added.
The proof of Bouyer et al. [40] begins by constructing two families of timed
automata. Any automaton in the former satisfies ∀〈b〉(tt)([a](ff)), but no automa-
ton in the latter family does. Note: these automata uses rational constants in the
automata’s clock constraints.
They then suppose that there is a Lν formula φ that is equivalent to the formula
4.9. Proving Lν,µ 6=T A Lrelν,µ 182
∀〈b〉(tt)([a](ff)) over timed automata. As a result, it is equivalent for the subclass
of the two families of timed automata.
Given the particular families of automata, through a series of lemmas and
arguments (the proofs of the lemmas are mostly omitted), they argue that there
must be a formula Ψ ≡ φ for this class of automata, where Ψ is constructed from
the following simplified grammar:
Ψ ::= p | tt | ff | [a](ff) | 〈a〉(tt) | Ψ ∧ Ψ | Ψ ∨ Ψ | G+Ψ | F+Ψ | Y
In this grammar, p is a proposition, Y is an equation variable, F+Ψ means Ψ is
true in some time successor, and G+Ψ means Ψ is true in any time successor. The
argument in Bouyer et al. [40] does not involve circularity or fixpoints.
Since the previous argument uses region equivalence and successor regions to
simplify the language, F+ and G+ are operators nearly identical in function to ∃()
and ∀(), respectively. Note that any region is a time successor of itself. Note that
[a](tt) ≡ tt and 〈a〉(ff) ≡ ff.
At this point, no part of the proof relied on circularity or fixpoints, and can be
used without adaptation when least fixpoints are added to the logic.
The next part, Gluing Everything from Bouyer et al. [40], is part of the proof
of Bouyer et al. [40] that handles the fixpoints and needs to be adapted for least
fixpoints.
[Copied verbatim (sic) from Bouyer et al. [40].]
Gluing everything. The formula Ψ can be written in normal form as a system of
equations (Xi = fi(X1, ..., Xn))1≤i≤n and Ψ = X1. We assume that each formula
fi(X1, ..., Xn) is a boolean combination of subformulas α
j
i (which can be either
some formula F+βji, or G
+β
j
i, or some atomic-like formula 〈a〉(tt), [a](ff), tt or
4.9. Proving Lν,µ 6=T A Lrelν,µ 183
ff, or some fix-point variable X ji ):





Xn =ν bn(α1n, . . . , α
k1
n )
Without loss of generality, we assume that no subformula αji is a fix-point variable.
The following lemma justifies this fact:
Lemma 7. We assume that αji = Xk (with i 6= k). Then the new formula obtained by
replacing Xk by its definition formula is equivalent to the previous formula. If α
j
i = Xi,
then the new formula obtained by replacing this variable Xi by tt is equivalent to the
initial formula.
Thus, each αji is either an atomic proposition, or its negation, or a formula F
+φ or
a formula Gφ.
[End of quote of Bouyer et al. [40].]
This is the portion of the proof of Bouyer et al. [40] that needs to be adopted
and proven when least fixpoints are added. Since this lemma eliminates the cir-
cularity by simplifying the logic to one without circularity, The remainder of the
proof of Bouyer et al. [40] does not contain circularity and can be adopted without
change. After this adaptation, we know that Lν,µ 6≡T A Lrelν,µ.
4.9.2 Adaptation of Proof
To handle least fixpoints (and alternations that result), we strengthen and prove
the Gluing Everything and Lemma 7 of Bouyer et al. [40]. We strengthen the Lemma
in order for it to be applied without change in the remainder of the proof of Bouyer
et al. [40].
4.9. Proving Lν,µ 6=T A Lrelν,µ 184
First, by arguing that the βji subformulas do not have fixpoint variables in
them, we make the lemma stronger. Given Lemma 8 in the paper (it is not proven
in Bouyer et al. [40]), we think that the condition we argue above is argued by
them. While it may not be, for us to use Lemma 8 without adopting the proof, we
must argue this condition.
As a result, the Lemma is changed. When we substitute circularity, we substi-
tute tt when we see a ν variable Xi, and ff when we see a µ variable Xi.
We use the following replacement algorithm:
When Xk has parity ν (greatest fixpoint):
• αji = Xi ≡ tt.
• βji = G+φ ≡ G+φ′, and φ′ = φ[Xi 7→ RHS(Xi)[Xi 7→ tt]], which is φ after
each Xi is replaced with its right hand side equation after substituting tt
where Xi occurs in its own formula.
• βji = F+φ ≡ F+φ′, and φ′ = φ[Xi 7→ tt], which is φ with every instance of Xi
substituted with tt, replacing Xi with its formula.
When Xk has parity µ (least fixpoint):
• αji = Xi ≡ ff.
• βji = G+φ ≡ G+φ′, and φ′ = φ[Xi 7→ ff], which is φ with every instance of
Xi substituted with ff, replacing Xi with its formula.
• βji = F+φ ≡ F+φ′, and φ′ = φ[Xi 7→ RHS(Xi)[Xi 7→ ff]], which is φ after
each Xi is replaced with its right hand side equation after substituting ff
where Xi occurs in its own formula.
We first replace the α subformulas and then replace the β subformulas. The
lemma we now get is:
4.9. Proving Lν,µ 6=T A Lrelν,µ 185
Lemma 4.9.1. Suppose αji = Xk, β
j
i = G
+φ, or βji = F
+φ (with i 6= k and Xk
within φ). Then the new formula obtained by replacing each instance of Xk with




or βji = F
+φ where Xi is within φ, then the new formula obtained by the algorithm
is equivalent to the initial formula.
Proof of Lemma 4.9.1. We argue each case for each subformula in the above algo-
rithm.
First, we suppose Xi is a greatest fixpoint ν variable.
• Case 1: αji = Xi. Since Xi is outside of a time modality, if we execute it again
we will reach Xi and obtain a circularity. For a ν variable, a circularity means
tt.
• Case 2: βji = G+φ. By reaching Xi in the G+φ formula, we consider all suc-
cessor states in the subformula Xi. Thus, we must unravel the formula once.
If we do not reach Xi, then circularity is not used. That means that the un-
raveling of Xi correctly solved the formula. If we do reach Xi, then we have
a ν circularity, which results in Xi being tt.
• Case 3: βji = F+φ. Since F+ always allows a transition to the same region (the
same set of states), for all subformula we can choose the 0-unit advance and
return to the same formula. Since all α terms were already substituted for,
by definition we will return to the Xi within the β
j
i subformula and obtain a
ν circularity.
Now we suppose Xi is a least fixpoint µ variable.
• Case 1b: αji = Xi. Similar to Case 1. Since Xi is outside of a time modality, if
we execute it again we will reach Xi and obtain a circularity. For a µ variable,
a circularity means ff.
4.9. Proving Lν,µ 6=T A Lrelν,µ 186
• Case 2b: βji = G+φ. Similar to Case 3. Since G+ includes a transition to the
same region (the same set of states), for all subformula we examine the 0-unit
advance and return to the same formula. Since all α terms were already sub-
stituted for, by definition we will return to the Xi within the β
j
i subformula
and obtain a µ circularity.
• Case 3b: βji = F+φ. Similar to Case 2. The change in the formula is that with
the ∃, if we reach a circularity if means that that trace is ff. Since any finite
sequence of time elapses can be simulated by a single time advance, we only
need to unroll once.
Without alternations,we can start at the head variable X1 (assumed to be the
head variable without loss of generality) and unroll the formula. Since the algo-
rithm renders circularity without expressive power, even with alternations, the cir-
cularity has no additional expressive power. Hence, the variables can be replaced
(details omitted).
There are two keys to the correctness of this lemma:
1. The logic is simplified and has no [a](Y) or 〈a〉(Y). Furthermore, it is impossible
for a variable Y to be inside an action modality. Y can only appear outside
time and action modalities or inside a time modality.
2. These time modalities equate to a sequence of time advances. Due to time additivity
where
δ1−→ + δ2−→≈δ1+δ2−→ , whenever a sequence wishes to perform two time
elapses of δ1 followed by δ2 units, it can equivalently perform a time elapse of
δ1 + δ2 units. Because the operators are not relativized, we are not concerned
with what happens in-between the advances.
With Lemma 4.9.1, the Lν,µ formula now has no circularity and is in the form
of the equivalent Lν formula. The remainder of the proof of Bouyer et al. [40] goes
4.10. Additional Expressivity Results 187
through. Hence, Lν,µ 6≡T A Lrelν,µ.
4.10 Additional Expressivity Results
Here we give additional expressivity results we have shown involving TCTL, Tµ,
Lν,µ and Lrelν,µ.
4.10.1 Set of Next States
The key idea is that while timed automata do not have a “next state”, we can give
a definition of a set of next states by looking at the concrete transition systems that
represents the semantics.
Theorem 4.10.1. Let TA be a timed automaton and let TS(TA) be the tran-
sition system representing the semantics of TA, and let (l, ν) be a state
of TA. Then we have the assertion of the timed modal equation system
(l, ν) |= X µ/ν= ∀(φ) ∧ [− ](φ) with respect to TA if and only we have the
assertion of the untimed modal equation system (l, ν) |= X µ/ν= [− ](φ) with
respect to the transition system TS(TA).
Proof of Theorem 4.10.1.
(l, ν) |= X = [− ](φ) in TS(TA)⇔
∀σ ∈ Σ, (l, ν) σ−→ (l′, ν′) : (l′, ν′) |= X µ/ν= φ⇔
4.10. Additional Expressivity Results 188
(Definition of [− ](φ) for untimed MES)
(
∀δ ∈ R≥0, (l, ν) δ−→ (l′, ν′) : (l′, ν′) |= X µ/ν= φ
)
∧(





(Enumeration over σ in TS(TA), distributivity of ∧ )
(l, ν) |= X = ∀(φ) ∧ [− ](φ) in TA
(Definition of ∀(φ) and [− ](φ) in timed MES)
Theorem 4.10.2. Let TA be a timed automaton and let TS(TA) be the tran-
sition system representing the semantics of TA, and let (l, ν) be a state
of TA. Then we have the assertion of the timed modal equation system
(l, ν) |= X µ/ν= ∃(φ) ∨ 〈−〉(φ) with respect to TA if and only we have the
assertion of the untimed modal equation system (l, ν) |= X µ/ν= 〈−〉(φ) with
respect to the transition system TS(TA).
Proof of Theorem 4.10.2.
(l, ν) |= X = [− ](φ) in TS(TA)⇔
∃σ ∈ Σ, (l, ν) σ−→ (l′, ν′) : (l′, ν′) |= X µ/ν= φ⇔
4.10. Additional Expressivity Results 189
(Definition of 〈−〉(φ) for untimed MES)
(
∃δ ∈ R≥0, (l, ν) δ−→ (l′, ν′) : (l′, ν′) |= X µ/ν= φ
)
∨(





(Enumeration over σ in TS(TA), distributivity of ∨ )
(l, ν) |= X = ∃(φ) ∧ 〈−〉(φ) in TA
(Definition of ∃(φ) and 〈−〉(φ) in timed MES)
From Theorem 4.10.1 and Theorem 4.10.2, we now can emulate [− ](φ) and
〈−〉(φ) on TS(TA), thus covering ”for all next actions” or “there is some next
action.” With this, the timed version thus covers the “set of states after one action.”
Keep in mind that using these subformulas will cover all executions, including
time-convergent paths. Thus, when expressing TCTL, we are careful so that these
potential time-convergent executions are excluded.
4.10.2 Detecting and Bypassing Timelocks and Actionlocks
As motivated in Section 2.4, there are three kinds of situations that are undesir-
able: timelocks, actionlocks and zeno executions. We discuss how to handle time-
locks and actionlocks, both to detect them as well as to bypass them when model
checking formulas.
Using an alternation, we can detect timelock freedom by using the formula
(taken from Henzinger et al. [88]):
νX.[z.(EF [z = 1 ∧ X])] ≡ νX.[z.(µY.[(z = 1 ∧ X) ∨ (tt Y)])]
4.11. Summary of Established Expressiveness Results 190






= (t = 1 ∧ Y1) ∨ ∃(Y2 ∨ 〈−〉(Y2))
Notice that this formula has an alternation, and that it is similar to the formula
used to eliminate the timelock assumption in Section 4.7.4.
Any state that satisfies the above formula is timelock free. To remove the time-
lock assumption, in E [[φ1]U./c [φ2]] , replace φ2 with “timelock-free”∧ φ2. For
E [[φ1] R./c [φ2]], replace φ1 with “timelock-free”∧ φ1 (notice that with correcting
for timelocks, duality is no longer preserved).
More simply and without alternation, we can detect actionlocks. The formula
X
µ/ν
= ∀([− ](ff)) (4.35)
returns the set of action-locked states, and X
µ/ν
= ∃(〈−〉(tt)) returns the set of
states that are not action-locked. The equation X
µ
= ∀([− ](X)) returns the set of
states that can reach an action-locked state. To ignore actionlocks for the formulas
E [[φ1]U./c [φ2]], and for E [[φ1] R./c [φ2]], replace φ2 with “not action-locked”∧ φ2.
4.11 Summary of Established Expressiveness Results
We summarize the logical equivalences established in this chapter in Table 4.1.
4.12 Dissertation Contributions
4.12.1 Contributions
These are my contributions discussed in this chapter:
4.12. Dissertation Contributions 191




Tµ ⊆ Lrelν,µ none Utilize the definition of  of Tµ to
write the  operator using Lrelν,µ oper-
ators. No additional fixpoint variables
are needed for the conversion.




Utilize region automata to establish a
finite search space, and then extend
the result that CTL is a subset of the
alternation-free untimed mu-calculus.
TCTL ⊆ Lrelν,µ none Utilize alternations to write the con-
straints for nonzeno and timelock-
free.
La fν,µ 6⊆ TCTL none Give a La fν,µ formula that cannot be
written in TCTL.
Lrel,a fν,µ 6⊆ La fν,µ none Adapt the proof of Bouyer et al. [40,
45] to handle least fixpoints.
Lrelν,µ 6⊆ Lν,µ none Adapt the proof of Bouyer et al. [40,
45] to handle least fixpoints and alter-
nations.
TCTL 6⊆ Lν,µ none Utilizing that Lrelν,µ 6⊆ Lν,µ Show that
if we can write the TCTL formula
A [[φ1] R [φ2]] in Lν,µ then we can write
the relativization operators of Lrelν,µ in
Lν,µ.
Lν ⊆ La fν,µ none Follows from definitions of fixpoints.
• With a common assumption regarding atomic propositions, we show that
Lrelν,µ, Lν,µ and Tµ are bisimulation invariant. Additionally, for the region
equivalence relation, we show that Lrelν,µ is invariant.
• We show Tµ ⊆ Lrelν,µ Furthermore, we show this result without requiring
additional fixpoints, thus keeping the complexity simple.
• We show TCTL ⊆ Lrelν,µ For E [[φ1]U./c [φ2]] we assume the timelock-free
assuption and for E [[φ1] R./c [φ2]] (and its dual, A [[φ1]U./c [φ2]]), we assume
both a timelock-free assumption and a nonzeno assumption.
4.12. Dissertation Contributions 192
We then show, using a formula from Henzinger et al. [88] that with an al-
ternation, we can both detect timelocks as well as bypass timelocked states,
thus removing the need for the timelock-free assumption.
• We show Lν,µ 6⊆ TCTL.
• We show TCTL 6⊆ Lν,µ, showing that expressing all of TCTL requires the
additional power of the relativization.
• We give a way of writing the set of next states of TS(TA) in Lν,µ.
4.12.2 Future Work
Future work includes answering some of the unanswered expressivity questions
of various timed logics:
• Can we detect zeno executions in Lrelν,µ? Can we write formulas to bypass
zeno executions?
• Is Lrelν,µ ⊆ Tµ? We conjuecture no, but are not sure.
• Is TPTL ⊆ Lrelν,µ? Since TPTL is MTL with freeze quantification instead of
timing intervals, determining if TPTL ⊆ Lrelν,µ is similar to determining if
MTL ⊆ Lrelν,µ.
• Is Lrelν,µ ⊆ TPTL? What about Lν,µ and Tµ?
Answers to these items will allow us to better decide if Lrelν,µ can verify the formulas




Model Checking Lrelν,µ with Predicate Equation Systems (PES)
Now that we have formalized a time automata model (Chapter 3) and shown that
Lrel,a fν,µ can express properties we want to express (Chapter 4), we now wish to
implement a tool that can model check Lrel,a fν,µ formula over timed automata. To
implement this verifier, we take the model checking framework using Predicate
Equation Systems (PES) from Zhang [165], Zhang and Cleaveland [167, 168] and
build upon it. First, we provide an implementation implementation for all the
proof rules in Zhang [165], Zhang and Cleaveland [167, 168], resulting in a timed
automata model checker supporting all of La fν,µ. To verify additional properties,
we develop sound and complete proof rules for the relativization operators, com-
pleting the proof-rule theory for Lrel,a fν,µ . When we implement these proof rules, we
use select derived proof rules to improve the performance. We discuss some other
implementation details, the most substantial being the choice of data structure to
store and encode clock values in.
With these implementations we give two preliminary evaluations: the first
compares our PES tool to UPPAAL, the most widely-used timed automata model
checker. We compare our tool to theirs on the properties both support and then
give a sampling of properties that UPPAAL cannot verify (the PES tool can verify
any property that UPPAAL can). The second evaluation compares the different
implementations of the clock data structures within the PES tool to each other.
5.1. Predicate Equation Systems 194
5.1 Predicate Equation Systems
Predicate Equation System (PES) are a first-order logic invented independently
by Groote and Willemse [79] (as parameterized boolean equation systems) and
by Zhang and Cleaveland [167, 168]. PES have the advantage of being general
enough to represent a variety of systems including timed automata [167], para-
metric timed automata [168] and presburger systems [166], yet efficient enough
to check formulas in practice [165, 167, 168]. Currently sound and complete rules
are available for Lν,µ only and the system was only implemented to check safety
properties.
Predicate Equation Systems are in modal equation form (see Section 4.2.2 for
more information on modal equation systems). PES use a fixpoint logic more
general than, but similar to Lν,µ. It differs from a Lν,µ formula in that unlike a
logic, it encodes both the property and the system. Hence, a PES represents a
timed automaton and an Lν,µ formula. A PES is defined to be true if and only if
the initial states of the timed automaton satisfy the Lν,µ formula. For the formal
PES syntax and semantics, see Zhang [165], Zhang and Cleaveland [167, 168].
This dissertation only utilize them for timed automatas, but PES have been
used to model check timed automata. Since our tool handles the special case of
using the PES framework to encode a timed automata and an MES, we do not de-
scribe PES in detail. However, the model checking algorithm is extremely similar.
5.2 Model-Checking Algorithm
We discuss the model-checking algorithm for timed automata and MES. We begin
by describing the PES algorithm that was provided to us from Zhang [165], Zhang
and Cleaveland [167, 168]. This briefly describes the PES framework and how the
PES system can encode the formula and the timed automaton in one PES.
5.2. Model-Checking Algorithm 195
Then, we describe how we specialize the framework to model check timed au-
tomata and La fν,µ formulas. By specializing, we can leverage specific optimizations
to improve the performance of the tool.
5.2.1 PES Model Checking Algorithm
We begin with the predicate equation systems to model-check Lrelν,µ formulas for
timed automata. In this case, the model checking algorithm takes a timed automa-
ton (with variables) and an alternation-free Lrelν,µ formula and converts it to a PES.
Model checking Lrelν,µ formulas on timed automata with PES is as follows:
1. We take a timed automaton TA and an La fν,µ formula and convert it to a
predicate equation system.
2. We now ask if we have a true predicate equation system. The PES starts with
the initial state and using proof rules, asks if it has a true PES.
3. From the theory of fixpoints we can correctly terminate when we find a
circularity. Additionally, we use caching to efficiently and correctly utilize
previously proven sequents as well as to speed up circularity detection.
This process is equivalent to taking the timed automaton, starting from the
initial state and applying proof rules on the alternation-free La fν,µ formula using
fixpoint knowledge to correctly terminate when reaching circularity. Given the
complexity of Lν,µ we restrict model checking to the alternation-free fragment,
La fν,µ.
5.2.2 Conversion to PES
Here is the overview of the conversion:
5.2. Model-Checking Algorithm 196
1. For each location l in the timed automaton and each variable Y in the Lν,µ
formula, we will make a variable Vl,Y and an equation with that of the left
hand variable.
2. With these larger variables, we construct the PES environment θ using this
larger set of variables.
3. We embed the timed automaton into the PES by converting its states to
proposition variable assignments, using substitution in the PES to account
for transitions.
4. We then convert each Lν,µ formula into the PES inductively. We enumer-
ate the possible transitions (since the TA is presumed to be finite) between
locations to eliminate the [− ](), 〈−〉(), [a]() and 〈a〉() operators.
For initial model-checking, as is done in Zhang and Cleaveland [167], the con-
version is done prior to model checking. Hence, all of the transitions are enu-
merated and put on the stack when dealing with the [− ](), 〈−〉(), [a]() and 〈a〉()
operators. One way we plan to improve performance is when model-checking is to
convert the PES on the fly (or equivalently use Lrelν,µ proof rules similar to the PES
rules) and then (conservatively) eliminate many transitions. For instance, when
making a transition, we only care about the edges coming from the location we
are leaving. Not including other transitions will shrink the PES.
Conversion details for Lν,µ formulas and timed automata are in Zhang and
Cleaveland [167, 168].
Remark 5.2.1 (PES equation variables vs. locations). Zhang and Cleaveland [167,
168] give one PES variable per location. Alternatively, we could convert the timed
automaton to a PES using propositions for variable assignments and thus have
fewer predicate equation variables. However, both are equivalent.
5.2. Model-Checking Algorithm 197
Therefore, in the conversion process, we can either give one predicate variable
per (location, Lν,µ variable) pair or we can give one predicate variable per Lν,µ
variable and use more location variables to separate the location. It is not known
which conversion leads to faster model checking in practice.
5.2.3 Timed Automata Model Checker: Adaptations from PES Tool
The proof rule framework in Zhang and Cleaveland [167, 168] used the general
framework called Predicate Equation Systems (PES). PES involved fixpoint equa-
tions over first-order predicates and used the proof-search to establish the validity
of a PES. For practical reasons, however, one generally wishes to avoid the con-
struction of the PES explicitly; this dissertation adopts this point of view, and the
proof rules that it presents involve explicit mention of timed-automata notions,
including location and edge. Hence, rather than converting a timed automaton
and an La fν,µ formula to a PES and then checking if the PES is true, with mini-
mal changes we adapt the proof rules to be for La fν,µ over timed automata. Conse-
quently, all proof rules are written in the timed automata framework.
The adaptation is as follows:
1. We encode locations as proposition variables rather than equation variables,
as described in Remark 5.2.1.
2. Given the definitions of PES and La fν,µ formulas, the conversion is mostly a
syntactic change. The first semantic change is that the operators [− ](φ) and
〈−〉(φ) are encoded by enumerating over all the transitions. The PES handles
transitions through assignments of proposition variables and assignments of
clock variables to 0.
3. We represent the freeze operator z.(φ) as φ[z := 0], the reset operator.
5.3. The Proof-Based Approach and Proof Rules 198
4. While ∀ and ∃ in PES are general operators, in the MES framework they only
encode time advances. Hence, we replace the variable substitution with the
advancement of time, grouping times together for improved performance.
5. The fixpoint logic for PES and MES is identical, so no change to the fixpoint
logic is necessary.
This adaptation allows for the following enhancements:
• We can directly encode [− ](φ) and 〈−〉(φ) as formula operators rather than
having to encode the enumeration of the transitions in the PES conversion.
• This allows us to separate the model description and the formula descrip-
tion, because the transitions can now be provided outside of the equation.
This also lets the tool optimize the model checking for transitions.
• This also allows us to separate out comparisons from the invariant and the
guards from the PES formula. As a result, the invariants are separated from
the PES formula and their model-checking is accounted for during time ad-
vances.
5.3 The Proof-Based Approach and Proof Rules
We describe the proof-based model checking approach that we use and extend
to model check timed automata against Lrel,a fν,µ specifications. The L
rel,a f
ν,µ model-
checking problem for timed automata may be specified as follows: given timed
automaton TA = (L, l0, ΣTA, CX, I, E), atomic-proposition interpretation function
Lab, and Lrel,a fν,µ formula φ with initial environment θ, determine if the initial state
of TA satisfies φ, i.e.: is (l, ν) ∈ JφKTA,θ?
To answer this question posed in the notation of denotational semantics, we
aim to construct a proof. The proof consists of proof-rules, or sequences of judg-
5.3. The Proof-Based Approach and Proof Rules 199
ments (i.e. the statements that can be proved using the proof system). Judgments
are sequents of the form (l, cc) ` φ, where l ∈ L is a location, cc ∈ Φ(CX ∪ CX f )
is a clock constraint, and φ is a Lrel,a fν,µ formula. Note that cc includes clocks
from the timed automaton as well as any clocks used in freeze quantification
(such as z). A clock constraint cc can also be viewed as the set of valuations
cc = {ν | ν |= cc}; likewise, we can encode a valuation ν as the clock constraint
ccν = x1 = ν(x1) ∧ . . . ∧ xn = ν(xn) (we also intersect the values of the clocks
used in freeze quantification). A proof rule is one or more premise sequents and
a conclusion sequent. In this dissertation we will write a proof rule as:
Premise 1 . . . Premise n (Rule Name)
Conclusion
Each premise, and the conclusion, is a judgment; the intended reading of the
rule is that if each premise is valid, then so is the conclusion. Some proof rules,
leaves, have no premises and only require a check on the sequent. The verifier
then builds a proof by chaining these proof rules together. A proof is valid if the
proof rules are applied properly, meaning that the premise of the previous rule
is the conclusion of the next rule. The proof rules are designed to be sound and
complete, meaning: (l, ν) ∈ JφKTA,θ if and only if there is a valid proof for (l, ccν) `
φ. Notice that a set of sound and complete proof rules can form a specification
similar to an operational semantics definition. For performance reasons, the proof
rules involve small steps, similar to a small-step operational semantic definition.
Because the proof rules involve small steps, this involves the prover to explore the
state machine locally and “on-the-fly” as the prover verifies the formula.
Sound and complete PES proof rules for the alternation-free Lν,µ calculus are
developed in Zhang and Cleaveland [167, 168]. However, only those for safety
properties were implemented. Furthermore, there are currently no proof rules for
the relativized operators of Lrelν,µ. We take the proof-rule framework of Zhang and
5.4. La fν,µ Proof Rules 200
Cleaveland [167, 168] and adapt it for timed automata and Lrel,a fν,µ MES.
5.4 La fν,µ Proof Rules
This section contains the proof rules for La fν,µ, which are adapted from Zhang and
Cleaveland [167, 168]; the proof rules for the relativization operators are in Section
5.5.1.
Several comments are in order.
1. Each rule is intended to relate a conclusion sequent involving a formula with
a specific outermost operator to premise sequents involving the maximal
subformula(e) of this formula. The name of the rule is based on this operator.
2. The premises also involve the use of functions succ and pred. Intuitively,
succ((l, cc)) represents all states that are time successors of any state whose
location component is l and whose clock valuation satisfies cc; pred((l, cc))
is the time predecessors of these same states. These operators may be com-
puted symbolically; that is, for any (l, cc) there is a cc′ such that (l, cc′) is
equivalent to succ((l, cc)).
3. Some of the rules involve placeholders, which are (potentially) unions of clock
constraints, given as (subscripted versions of) ρ. Given a specific placeholder,
the premise sequent (l, cc), φ is semantically equivalent to (l, cc ∧ ρ); how-
ever, for notational and implementation ease, the placeholder ρ is tracked
separately from the clock constraint cc. Rules such as ∨c involve new clock
constraints in the premises that are not present in the conclusion. Placehold-
ers represent these new clock constraints.
The complete set of La fν,µ proof rules is given in Figures 5.1 and 5.2. Figure 5.1
contains the adaptations of the rules without placeholders, and Figure 5.2 contains
5.4. La fν,µ Proof Rules 201
Premise 1 . . . Premise n (Rule Template)
Conclusion
(p), p ∈ Lab(l)
(l, cc) ` p
(cc′), cc |= cc′
(l, cc) ` cc′
(l, cc) ` φi
(p), Xi
ν/µ
= φi(l, cc) ` Xi
(Empty)
(l, ff) ` φ
(l, cc) ` φ1 (∨l)
(l, cc) ` φ1 ∨ φ2
(l, cc) ` φ2 (∨r)
(l, cc) ` φ1 ∨ φ2
(l, cc) ` φ1 (l, cc) ` φ2 (∧)
(l, cc) ` φ1 ∧ φ2
(l, cc), ρs ` φ1 (l, cc),¬ρs ` φ2 (∨c)
(l, cc) ` φ1 ∨ φ2
succ((l, cc)) ` φ
(∀t1)
(l, cc) ` ∀(φ)
succ((l, cc)), ρs ` φ (l, cc) ` pred(ρs) (∃t1)
(l, cc) ` ∃(φ)
(l, post(cc, λ := 0)) ` φ
([])
(l, cc) ` φ[λ := 0]
(l1, cc ∧ g1) ` φ[λ1 := 0] . . . (ln, cc ∧ gn) ` φ[λn := 0] ([a]Act), cond[a](l, cc) ` [a](φ)
cond[a]:
⋃
i{(gi, λi, li)} = {(l′, g′, λ′) | (l, a, g′, λ′, l′) ∈ E}
(l, cc) ` [a1](φ) . . . ((l, cc) ` [an](φ) ([− ]Act), Σ = {a1, . . . , an}(l, cc) ` [− ](φ)
(ln, cc ∧ g) ` φ[λ := 0] (〈a〉Act), (l, a, g, λ, l′) ∈ E, cc ∧ g is satisfiable
(l, cc) ` 〈a〉(φ)
((l, cc) ` 〈ai〉(φ) (〈−〉Act), ai ∈ Σ
(l, cc) ` 〈−〉(φ)
Figure 5.1: Proof rules (without placeholders) adapted for timed automata and
MES.
the adaptations of the rules involving placeholders. Conditions on the proof rules
are given after the rule label; the rule labels are in (), and the conditions are outside
parentheses.
A note about clock resets (substations of clocks to 0 in φ or ρ). The formal
5.4. La fν,µ Proof Rules 202
succ((l, cc)), ρs ` φ succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs (∀t2)
(l, cc), ρ∀ ` ∀(φ)
succ((l, cc)), ρs ` φ ρ∃ ` pred(ρs) (∃t2)
(l, cc), ρ∃ ` ∃(φ)
(l, post(cc, λ := 0)), ρs ` φ ρ[] ` ρs[λ := 0] ([]p)
(l, cc), ρ[] ` φ[λ := 0]
Figure 5.2: Proof rules (involving placeholders) adapted for timed automata and
MES.
definition uses the post operator from Zhang and Cleaveland [167, 168], defined
as:




λ = (e[λ := v]) ∧ cc[λ := v]
)
(5.1)
In the special case of resetting clocks to 0, computing post results in one of two
cases:
1. If the original clock constraint cc is unsatisfiable, post((l, cc), λ := 0) pro-
duces (l, cc′) where cc′ is logically equivalent to ff.
2. Otherwise, cc is a satisfiable clock constraint, and post((l, cc), λ := 0) be-
comes (l, reset(cc, λ := 0)), where reset(cc, λ := 0) is the clock zone reset
operator given in Bengtsson and Yi [27].
More comment on placeholders (ρ) is in order. Placeholders encode a set of
clock valuations that will make a sequent valid; in practice, we are interested in
computing the largest such set. To understand their use in practice, consider the
operator ∃. To check ∃, we need to find some time advance δ such that ψ is sat-
isfied after δ time units. Rather than non-deterministically guessing δ, we use a
placeholder φ in the left premise in rule ∃t1 to encode all the time valuations
5.4. La fν,µ Proof Rules 203
that ensure satisfaction of φ. The right premise then checks that the placeholder
ρs is some δ-unit time elapse from (l, cc). The placeholder allows us to delay the
non-deterministic guess of the value of ρs until it is no longer required to guess.
Additionally, for performance reasons, we use new placeholders to handle time ad-
vance operators for sequents with placeholders. An example may be found in Rule
∃t2, where a new placeholder ρ∃ is introduced in the right premise. While useful
for performance, this choice results in subtle implementation complexities, which
we discuss in Section 5.6.2.
Given judgments and proof rules, proofs now may be constructed in a goal-
directed fashion. For a given judgment to be proved, rules whose conclusion
matches the form of the judgment, yielding as subgoals the corresponding premises
of the rule. These subgoals may then recursively be proved, with subgoals involv-
ing given placeholders selected first for proof so that they may be solved for as
the proof progresses. If a sequent may be proved using a rule with no premises,
then the proof is complete; similarly, if a sequent is encountered a second time
(because of loops in the timed automaton and recursion in an MES), then the
second occurrence is also a leaf. Details may be found in Zhang and Cleaveland
[167, 168]. If the recurrent leaf involves an MES variable with parity µ, then the
leaf is unsuccessful; if it involves a variable with parity ν, it is successful. A proof
is valid if all its leaves are successful.
Example 5.4.1 (A simple proof). To illustrate the proof rules, consider the timed
automaton in Figure 5.3. Suppose we wish to prove the sequent (2: in, x1 ≤ 3) `
[exit](0: far). Utilizing the proof rule [a]Act in Figure 5.1, we get the proof:
(0: far, 1 ≤ x1 ≤ 3) ` 0: far
(2: in, x1 ≤ 3) ` [exit](0: far)
Following this proof rule, we intersect the clock constraint with the guard x1 ≥ 1
5.5. Extended Tool: Verifying Lrel,a fν,µ 204











Figure 5.3: A timed automaton of the Alur-Dill model. This is the same figure as
Figure 1.1 in Chapter 1.
(if x1 < 1, then there are no possible actions so the formula is true) make the
destination location the new sequent, and ask if the destination state satisfies the
formula. Since the location is 0: far, we have a terminal proof rule and have con-
structed a proof. 
5.5 Extended Tool: Verifying Lrel,a fν,µ
Our first enhancement of the tool CWB-RT CWB-RT, from Zhang and Cleaveland
[167] is the implementation of the placeholder proof rules for La fν,µ. The provided
tool converted timed automaton and safety properties of Lν,µ into a PES and model
checked the PES. Proof Rules for the ∃(φ) operator was not implemented, as well
as any placeholder rule.
Additionally, we develop the theoretical proof rules for the relativization op-
erators ∃φ1(φ2) and ∀φ1(φ2) as well as implement them. This results in an imple-
mentation for a timed automata model checker that can verify all of Lrel,a fν,µ .
5.5.1 New Lrel,a fν,µ Proof Rules
We now introduce the new rules for handling the relativized time-passage modal-
ities in Lrel,a fν,µ . We provide the proof rules for the relativized operator ∃φ1(φ2) in
5.5. Extended Tool: Verifying Lrel,a fν,µ 205
(l, cc), ρs1 ` φ1 (l, cc), ρs2 ` φ2 (l, cc) ` ρs1 ∨ ρs2 (∨s)
(l, cc) ` φ1 ∨ φ2
(l, cc), ρs1 ` φ1 (l, cc), ρs2 ` φ2 (l, cc), ρ∨ ` ρs1 ∨ ρs2 (∨s2)
(l, cc), ρ∨ ` φ1 ∨ φ2
succ((l, cc)), ρs ` φ2 succ((l, cc)), pred<(ρs) ` φ1 (l, cc) ` pred(ρs) (∃r1)
(l, cc) ` ∃φ1(φ2)
succ((l, cc)), ρs′ ` φ2
succ((l, cc)), pred<(ρs′) ` φ1
(l, cc), ρs ` pred(ρs′) (∃r2)
(l, cc), ρs ` ∃φ1(φ2)
Figure 5.4: Proof Rules for ∨ and ∃φ1(φ2).
Figure 5.4. To model check the ∀φ1(φ2) operator, we use the derivation given in
Lemma 5.5.1. We discuss optimized proof rules for ∀φ1(φ2) in Section 5.5.4. Fig-
ure 5.4 also contains an alternative proof rule for ∨: rule ∨s. In order to format
the proof rules, we sometimes stack premises without any proof lines, such as for
rule ∃r2. The consequent has three premises, two of which are stacked instead of
placed horizontally in order to diagram the rule within the page margins.
Here is an explanation of the proof rule ∃r1; the proof rule ∃r2 is similar. The
idea is for the placeholder ρs to encode the δ time advance needed for φ1 to be
true. The proof-rule premises enforce that this placeholder has three properties:
1. Left premise: This premise checks that after the time advance taken by ρs, φ2
is satisfied.
2. Middle premise: This premise checks that until all δ time-units have elapsed,
that φ1 is indeed true. The pred<(ρs) encodes the times before ρs.
3. Right premise: This premise checks that ρs encodes some range of time elapses
δ, ensuring that the state can elapse to valuations in ρs.
To implement this rule, we implement the premises in left-to-right order. Some
5.5. Extended Tool: Verifying Lrel,a fν,µ 206
subtleties involving the middle premise are discussed in Section 5.6.2.
By proving some lemmas, we prove the correctness of these new proof rules.
This first lemma is a corrected version of a similar lemma in Bouyer et al. [45].
Lemma 5.5.1. ∀φ1(φ2) is logically equivalent to ∀(φ2) ∨ ∃φ2(φ1 ∧ φ2).
Proof of Lemma 5.5.1. We prove both directions of the lemma. Let TA be an arbi-
trary timed automaton and let (l, ν, ν f ) be an arbitrary (extended) state in TA.
First, suppose that (l, ν, ν f ) |= ∀φ1(φ2). By definition, ∀δ ≥ 0 :
(
(l, ν + δ, ν f +
δ) |= φ2 ∨ ∃δ′, 0 ≤ δ′ < δ : (l, ν + δ′, ν f + δ′) |= φ1
)
. Notice that the entire quan-
tification is inside the ∀δ. Now for each time instance, one of the two disjunctions
inside the ∀ is true. We split the cases into two cases:
Case 1: The φ2 disjunct is always true.
Then the formula reduces to ∀δ ≥ 0 :
(
(l, ν + δ, ν f + δ) |= φ2. By definition,
this means that (l, ν, ν f ) |= ∀(φ2).
Case 2: The ∃ disjunct is satisfied for at least one such δ.
While R≥0 is not well-ordered with respect to ≤, we utilize that there are a
finite number of constraints involving a finite number of (possibly not integer)
constants. We can then group all δ values into groups of consecutive values based
on whether the group of δ values satisfy φ1, φ2, both, or neither. By construction
of φ1 and φ2, the finest-grained groups are clock regions (the same regions used in
region equivalence) and each time advance δ appears in exactly one group. Hence,
we have a finite number of groups of δ, which are well ordered. (We can well order
the groups by the largest δ in each group. Also note that δ ∈ R≥0.)
Let δs be a time advance in the smallest such group. Since the disjunct is sat-
isfied at time δs, there is some time δp < δs, (l, ν + δp, ν f + δp) |= φ1. Let δp be
5.5. Extended Tool: Verifying Lrel,a fν,µ 207
the time when φ1 is satisfied (there may be many of these, but for this defi-
nition, we do not care.) Likewise, since δs is the in smallest such δ group, we
know that all smaller δ (smaller than the group of δ values that δs is in) sat-
isfy the left disjunct, meaning that ∀δ ≥ 0 : (δ′′ < δs)(l, ν + δ′′, ν f + δ′′) |= φ2.
Since δp < δs (and δp is smaller than any delta in the group of δs), we have
(l, ν + δp, ν f + δp) |= φ1 ∧ φ2 ∧ ∀δ ≥ 0 : (δ′ < δp)(l, ν + δ′, ν f + δ′) |= φ2. Using
δp as the chosen delta for ∃, we have that (l, ν, ν f ) |= ∃φ2(φ1 ∧ φ2).
Now we suppose that (l, ν, ν f ) |= ∀δ ≥ 0 : (φ2) ∨ ∃φ2(φ1 ∧ φ2). This direction is
similar to the previous direction. We break the case on which disjunct is satisfied.
Case 1: (l, ν, ν f ) |= ∀(φ2).
By definition, (l, ν, ν f ) |= ∀φ1(φ2). (The above case is the special case with
φ1 = ff, which is harder to satisfy.)
Case 2: (l, ν, ν f ) |= ∃φ2(φ1 ∧ φ2).
Let δe be the chosen time when φ1 ∧ φ2 is true. Now we handle all time ad-
vances δ. For all time advances δ > δe. Since φ1 is true, ∀φ1(φ2) is satisfied for
those times. For all times δ < δe, since φ2 is true, ∀φ1(φ2) is satisfied for those
times. When δ = δe, we need φ2 to be true, which it is.
Hence, for all time advances δ, the definition of ∀φ1(φ2) is satisfied. Hence
(l, ν, ν f ) |= ∀φ1(φ2).
When concerning a system of proof rules, we wish to prove them sound and
complete. A proof system is sound if every proof is correct (this is the if direction
of the theorem). A proof system is complete if every true formula has some proof
of correctness (this is the only if direction of the theorem).
5.5. Extended Tool: Verifying Lrel,a fν,µ 208
Theorem 5.5.2 (Soundness and Completeness). The additional Lrel,a fν,µ proof
rules are sound and complete. I.e. for any timed automaton state (l, ν) and
any Lrel,a fν,µ φ, it is the case that (l, ν) |= φ if and only if (l, ccν) ` φ.
Proof of Theorem 5.5.2. We use the soundness and completeness proofs of rules
in Zhang and Cleaveland [167, 168]. Hence, we only need to prove the correctness
of the proof rules we provided in this paper.We now prove the soundness and
completeness of the ∃φ1(φ2) and the ∨s. proof rules.
First, we start with the proof rule for ∨s.
Soundness: Suppose this rule is true. Then φs1 acts as the placeholder φs. Given
that z∞ ⊆ (φs1 ∨ φs2), we know that ¬φs ⊆ φs2 , since ¬φs = z∞ − φs by definition
of complement.
Completeness: Suppose the conclusion is indeed true. Then by the complete-
ness of ∨s, we can use that rule. Choose φs1 = φs and φs2 = ¬φs By definition of
¬, z∞ ⊆ (φs1 ∨ φs2) = (φs ∨ ¬φs) = z∞.
Now we prove the correctness of the remaining ∃φ1(φ2) proof rules. We start
with Rule ∃r1.
Soundness: Suppose this rule is true. By the correctness of ∃t1 in Zhang and
Cleaveland [167, 168], we know that Γ ` ∃(φ2). We now need to argue that φ1
is true until φ2 is true. Examine the valuation set succ(Γ) ∩ ρs. By construction,
succ(Γ) gives all possible valuations after some time advance from Γ. By the con-
straint Γ ` pred(ρs), we know that Γ must be able to time-lapse to each valuation
in the clock set ρs. Hence, succ(Γ) ∩ pred(ρs) is the set of valuations that elapses
to succ(Γ) ∩ ρs, and succ(Γ) ∩ pred<(ρs) is that set of valuations requiring some
non-zero time elapse to ρs. From the truth of this second premise, φ1 is must be
5.5. Extended Tool: Verifying Lrel,a fν,µ 209
true for all of those times.
Completeness: Suppose the conclusion is indeed true; suppose Γ ` ∃φ1(φ2).
Therefore, there is a time advance t such that after elapsing t units, φ2 is true, and
for all times until (and not including t), t, φ1 is true. Choose ρs to be a placeholder
such that succ(Γ)∧ ρs is the sequent Γ after t units has elapsed. By the correctness
of the proof for the rule ∃t1 in Zhang and Cleaveland [167, 168], we know that
succ(Γ), ρs ` φ2. Because for all times until the times ρs, φ1 is true, this set of
times by definition is succ(Γ) ∧ pred<(ρs). Therefore, succ(Γ) ∧ pred<(ρs) ` φ1 By
definition of the time elapse, since this is true we know that Γ ` pred(ρs).
We now examine rule ∃r2. Its proof of soundness and completeness is similar
to ∃r1. The difference is that we are elapsing from Γ ∩ ρs. In ∃t2, the third clause
shrinks ρs to ensure that the time-elapse relation holds.
Soundness: Suppose this rule is true. By the correctness of ∃t2, the first and
third premise show that ∃(φ2) is true. Let that time advance be δ units. We now
need to argue that φ1 is true until φ2 is true. Examine the valuation set succ(Γ)∩ ρs′ .
By construction, succ(Γ) gives all possible valuations after some time advance
from Γ. By the constraint ρs ` pred(ρs′), we know that Γ, ρs must be able to time-
lapse to each valuation in the clock zone ρs′ . Hence, succ(Γ) ∩ pred(ρs′) is the
set of valuations that elapses to succ(Γ) ∩ ρs′ , and succ(Γ) ∩ pred<(ρs′) is that set
of valuations requiring some non-zero time elapse to ρs′ . From the truth of this
second premise, φ1 is must be true for all of those times.
Completeness: Suppose the conclusion is indeed true; suppose Γ, ρs ` ∃φ1(φ2).
Therefore, there is a time advance t such that after elapsing t units, φ2 is true, and
for all times until (and not including t) t, φ1 is true. Choose ρs′ to be a placeholder
such that succ(Γ) ∧ ρs′ is the sequent Γ, ρs after t units has elapsed. By the correct-
ness of the proof for the rule ∃t2 in Zhang and Cleaveland [167, 168], we know
5.5. Extended Tool: Verifying Lrel,a fν,µ 210
that succ(Γ), ρs′ ` φ2. Because for all times until the times ρs′ , φ1 is true, this set of
times by definition is succ(Γ)∧ pred<(ρs′). Therefore, succ(Γ)∧ pred<(ρs′) ` φ1 By
definition of the time elapse, since this is true we know that ρs ` pred(ρs′).
Remark 5.5.1 (Establishing invalidity). Consider timed automaton TA with state
(l, ν), and consider logical formula φ. Concerning soundness and completeness,
we establish validity (showing that (l, ν) |= φ) by providing a proof that (l, ccν) `
φ. Because the proof system is sound, we know that (l, ν) |= φ. Showing invalidity
is different. To show invalidity, we enumerate over all our options and show that
no such proof is possible. (At each step, we address the outermost logical operator
of φ; hence, there are only a small number of proof rules to consider) Then, by
completeness, if we have no proof that (l, ccν) ` φ, then we know that (l, ν) 6|= φ.
5.5.2 Performance Optimization: Derived Proof Rules
Typically, computers reason best with small baseline proof rules. However, we can
improve the performance by having the computer work with derived proof rules.
We describe two such situations where we use derived proof rules.
5.5.3 Optimizing ∨
For performance reasons we replace a rule for ∨ in Zhang and Cleaveland [167,
168]. Those papers use the proof rule ∨c given in Figure 5.1. We instead use the
proof rule ∨s, which we give in Figure 5.4. By pushing fresh placeholders for
both branches, we avoid computing the complementation operator, which often
results in forming a placeholder involving a union of clock constraints. This rule’s
soundness and completeness is proven in Theorem 5.5.2.
5.5. Extended Tool: Verifying Lrel,a fν,µ 211
(l, cc) ` ∀(φ2) (∀ro1)
(l, cc) ` ∀φ1(φ2)
(l, cc) ` φ1 ∧ φ2 (∀ro2)
(l, cc) ` ∀φ1(φ2)
succ((l, cc)), ρs1 ` φ1
succ((l, cc)), ρs2 ` φ2
succ((l, cc)), pred(ρs1) ` succ((l, cc)), ρs2
ρ∃ ` pred(ρs1)
succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2
(l, cc) ` ρ∃ ∨ ρ∀ (∀ro3)
(l, cc) ` ∀φ1(φ2)
Figure 5.5: Derived proof rules for ∀φ1(φ2).
5.5.4 Optimizing ∀φ1(φ2)
Recall the derived formula for ∀φ1(φ2) from Lemma 5.5.1: ∀φ1(φ2) is equivalent to
∀(φ2) ∨ ∃φ2(φ1 ∧ φ2). This formula requires φ2 to be checked twice. However, by
deriving the proof rule, we notice that we can perform the checking of φ2 only once.
The key is to compute the largest placeholder that satisfies φ2, and then to reason
with this placeholder (and its time predecessor) to find the placeholders needed to
satisfy the two branches of the derived formula. This reasoning allows the tool to
reason with the sub formula φ2 only once, reusing the obtained information. This
technique is memoization, the same technique used in dynamic programming. By
making a memo of φ2, we need only compute it once rather than multiple times.
The derived proof rules are in Figure 5.5; the proof and the derivation are given
in Section 5.5.4. The first two handle the simpler cases when either φ2 is always
true (or when φ1 is always false) or φ1 is immediately true (such as when φ1 is an
atomic proposition), and the third rule (∀ro3) is the more complex case. The proof
rules involving placeholders are similar.
Derivation of Derived Proof Rules
To derive an optimized proof for ∀φ1(φ2), we first will derive a slightly different
version for ∃φ2(φ1 ∧ φ2), rewriting the proof rule for this special case slightly. This
version will allow us to get the same premise to appear twice in the proof.
5.5. Extended Tool: Verifying Lrel,a fν,µ 212
The ∃φ1(φ1 ∧ φ2) can be slightly rewritten as follows:
succ((l, cc)), ρs1 ` φ1
succ((l, cc)), pred(ρs1) ` φ2
ρ∃ ` pred(ρs1)
(∃r2 rewrite)
(l, cc), ρ∃ ` ∃φ2(φ1 ∧ φ2)
∃ ph rewrite
Hence, we look more closely at the rewrite rule, comparing the derivation that
is obtained, we get the following proof rule, ∃rw:
succ((l, cc)), ρs1 ` φ1; succ((l, cc)), pred(ρs1) ` φ2; ρ∃ ` pred(ρs1) (∃rw)succ((l, cc)), ρs1 ` φ1 ∧ φ2; succ((l, cc)), pred<(ρs1) ` φ2; ρ∃ ` pred(ρs1)
This rule has three conclusions that are written as three premises.
Lemma 5.5.3. The ∃rw rule is sound and complete.
Proof of Lemma 5.5.3. Soundness: Assume that the three top premises are true.
Since the third conclusion is the same as the third premise, that is true. Now we
must argue that succ((l, cc)), ρs1 ` φ1 ∧ φ2 and succ((l, cc)), pred<(ρs1) ` φ2. Since
we have succ((l, cc)), pred(ρs1) ` φs2 and pred<(phis1) ⊆ pred<(phis1), we know
succ((l, cc)), pred(ρs1) ` φs2 . Furthermore, since ρs1 ⊆ pred(ρs1), succ((l, cc)), ρs1 `
φ2. Therefore, succ((l, cc)), ρs1 ` φ1 ∧ φ2.
Completeness: Assume that the three bottom conclusions are true. Since the
third premise is the same as the third conclusion, that is true. Now we must
argue that succ((l, cc)), ρs1 ` φ1 and succ((l, cc)), pred(ρs1) ` φ2. Since we have
succ((l, cc)), ρs1 ` φ1 ∧ φ2, we have succ((l, cc)), ρs1 ` φ1. Furthermore, since ρs1 ∪
pred<(ρs1) = pred(ρs1), we know that succ((l, cc)), pred(ρs1) ` φs2 .
Now, with the rule ∃rw, we utilize the formulation in Lemma 5.5.1 to derive a
proof for ∀φ1(φ2). Here is the derivation for ∀φ1(φ2).
5.5. Extended Tool: Verifying Lrel,a fν,µ 213
succ((l, cc)), ρs1 ` φ1
succ((l, cc)), pred(ρs1) ` φ2
ρ∃ ` pred(ρs1)
(∃rw)succ((l, cc)), ρs1 ` φ1 ∧ φ2; succ((l, cc)), pred<(ρs1) ` φ2; ρ∃ ` pred(ρs1) (∃r2)
(l, cc), ρ∃ ` ∃φ2(φ1 ∧ φ2)
∃ ph
succ((l, cc)), ρs2 ` φ2 succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2
(∀t2)
(l, cc), ρ∀ ` ∀(φ2)
∀ ph
See ∃ ph
(l, cc), ρ∃ ` ∃φ2(φ1 ∧ φ2)
See ∀ ph
(l, cc), ρ∀ ` ∀(φ2) (l, cc) ` ρ∃ ∨ ρ∀
(∨sr )(l, cc) ` ∃φ2(φ1 ∧ φ2) ∨ ∀(φ2) Lemma 5.1
(l, cc) ` ∀φ1(φ2)
We stop the derivation here and examine the derived sequents. Notice that we
are computing a placeholder for φ2 twice. We can perform this computation once
and save ourselves a good amount of computation time. We can compute things
in this order:
1. Find the placeholder for φ1. Utilize simpler proof rules if φ1 is one of the
easier cases.
2. Find the placeholder for φ2. (Copy this value for the other branch.) Now
using this, solve the ∀t2 rule to obtain a placeholder ρ∀.
3. After solving ρ∀, use the solved φ2 placeholder to solve for ρ∃. (This is the
hard step that yields the optimization.)
4. Now solve the ∨ s placeholder rule.
Using this insight, we now give the optimized proof rules. These rules are:
5.5. Extended Tool: Verifying Lrel,a fν,µ 214
(l, cc) ` ∀(φ2) (∀ro1)
(l, cc) ` ∀φ1(φ2)
(l, cc) ` φ1 ∧ φ2 (∀ro2)
(l, cc) ` ∀φ1(φ2)
succ((l, cc)), ρs1 ` φ1
succ((l, cc)), ρs2 ` φ2
succ((l, cc)), pred(ρs1) ` succ((l, cc)), ρs2
ρ∃ ` pred(ρs1)
succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2
(l, cc) ` ρ∃ ∨ ρ∀ (∀ro3)
(l, cc) ` ∀φ1(φ2)
The first proof rule is used when φ1 is never satisfied for any time advance.
Such as case is when φ1 is a false atomic proposition. The second proof rule is
when φ1 is immediately true without a time advance, such as a true atomic propo-
sition. The third proof rule uses the expanded derived proof rule to enforce that
φ2 is only computed once. The premise pred(ρs1) ⊆ ρs2 ensures that all of the
predecessor of ρ1 satisfies φ2. The last premise of (∀ ph1) is mostly solved by
checking that pred(ρs1) ⊆ ρs2 ; we require the intersection with the successor for
completeness, since we need not require times before (l, cc) to satisfy φ2.
If a placeholder is involved, we use the following analogous optimized proof
rules:
(l, cc), ρs ` ∀(φ2) (∀rop1)
(l, cc), ρs ` ∀φ1(φ2)
(l, cc), ρs ` φ1 ∧ φ2 (∀rop2)
(l, cc), ρs ` ∀φ1(φ2)
succ((l, cc)), ρs1 ` φ1
succ((l, cc)), ρs2 ` φ2
succ((l, cc)), pred(ρs1) ` succ((l, cc)), ρs2
ρ∃ ` pred(ρs1)
succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2
(l, cc), ρs ` ρ∃ ∨ ρ∀ (∀rop3)
(l, cc), ρs ` ∀φ1(φ2)
5.5. Extended Tool: Verifying Lrel,a fν,µ 215
Notice that due to the fresh placeholder generated by ∨sr , that the placeholder
rule is similar to the rule without the placeholder.
Also notice that the implementation complexity of ∃r2 is placed in the third
premise of (∀ ph1): succ((l, cc)), pred(ρs1) ` succ((l, cc)), ρs2 . The catch is to make
ρs1 as large as possible such that all the proof rules go through. yet ensuring that
all of pred(ρs1) satisfies φ2.
Lemma 5.5.4. The optimized proof rules for ∀φ1(φ2) are sound and complete.
Proof of Lemma 5.5.4. Given the correctness of ∨sr , the soundness and complete-
ness of the proof rules with and without placeholders are the same. Hence, we
only give the soundness and completeness proof rules when placeholders are not
used. Note that the soundness and completeness heavily depends on the deriva-
tion and the correctness of ∃rw; we only need argue the changes to the derivation.
Soundness: The soundness of ∀ro1 and ∀ro2 follow from the definition of ∀φ1(φ2).
In the first case, φ2 is always true (relativization not needed) and in the second
rule, φ1 is immediately satisfied. Hence we examine rule ∀ro3. Suppose that the
premises are true. Given that the derived proof rule is correct, we only need show
that the proof rule succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2 results in the correct place-
holders φs1 and ρs2 . We then invoke the soundness of the derived proof. Since we
have succ((l, cc)), pred(ρs1) ` succ((l, cc)), ρs2 , we know that by definition of ⊆
and ` and the premise succ((l, cc)), ρs2 ` φs2 that succ((l, cc)), pred(ρs1) ` φ2. Now
we have all the premises from the derived rule (including the rule ∃rw). Hence, the
proof is sound.
Completeness: The proof rules ∀ro1 and ∀ro2 cover the corner cases when ρs1
is either empty or all possible clock values. We now address the completeness
using rule ∀ro3. Suppose that the conclusion is true; that (l, cc) ` ∀φ1(φ2). From
5.5. Extended Tool: Verifying Lrel,a fν,µ 216
the soundness and completeness of the derived proof rules, the only premise that
is different is succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs2 . Using the derived proof rules
(including rule ∃rw), we get two placeholders based on φs2 : succ((l, cc)), pred(ρs1) `
φs2 and succ((l, cc)), ρs2 ` φs2 . Using soundness and completeness, choose ρs2 to
be the largest such placeholder (since the proof rules can be solved exactly with
unions of clock zones, one such largest placeholder exists). Since ρs1 and ρs2 are
clock constraints (unions of clock zones independent of location), The choices
of pred(ρs1) and ρs2 do not change the discrete state, and only the clock state.
Since both clock states are contained in the set of clock states that satisfy φ2, both
depend on clock constraints. Since ρs2 was chosen to be the largest possible such
placeholder when intersection with succ((l, cc)), we know succ((l, cc)), pred(ρs1) `
succ((l, cc)), ρs2 . (Note that the proof requires the intersection with succ((l, cc)) on
both sides.) Hence, we have found placeholders that satisfy all the premises.
5.5.5 Optimizing the Handling of Invariants
In order to prove properties of timed automata with invariants, whenever a time
advance or an action execution occurs, the prover must account for the invari-
ant. Formally, the prover must utilize the definition of the invariant and include
it as a logical subformula of the right hand sequent (invariants are clock con-
straints, which are valid Lrel,a fν,µ formulas) and then execute proof rules to handle
the expanded formula. However, by taking the sequence of proof rules needed to
handle invariants, we can form derived proof rules that reduce handling an invari-
ant to some computations. As a result, we can handle the proofs computationally
rather than including invariants as part of the formulas in the right-hands of the
sequents of the proofs.
We represent an invariant with Inv. To handle invariants, we add them to the
formula (similar to how invariants are handled when they are converted to a PES
5.5. Extended Tool: Verifying Lrel,a fν,µ 217
in Zhang and Cleaveland [167, 168]). We incorporate invariants into MES as fol-
lows: ∃(φ) becomes ∃(Inv ∧ φ) and ∀(φ) becomes ∀(¬Inv ∨ φ). These encodings
require that the invariants are past closed: if the invariant is true at some time, then
the invariant must be true at all previous times. Using these derived proof rules,
we can reduce computation by specializing the proof tree by substituting in Inv
(or ¬Inv) for the relevant placeholders. Since we know the value of Inv, which
is a specific clock constraint, rather then using the general-purpose rules to solve
for the placeholders, we input in these values and specialize the rules. Invariants in
action operators 〈−〉(φ) and [− ](φ) are handle as guards are handled in Zhang
and Cleaveland [167, 168].
To optimize the implementation of invariants, we derive the rules that are
formed when using invariants. Here, we let Inv represent the invariant. Now
using the invariant, we derive the proof rules:
succ((l, cc)), ρs ` Inv succ((l, cc)), ρs ` φ
(∧)
succ((l, cc)), ρs ` Inv ∧ φ (l, cc) ` ρs (∃t1)
(l, cc) ` ∃(Inv ∧ φ)
From this derivation, we know that for ∃, the proper thing to do concern-
ing invariants is to intersect the invariants with the placeholder ρs and not with
succ((l, cc)).
succ((l, cc)), ρs ` Inv succ((l, cc)), ρs ` φ
(∧)
succ((l, cc)), ρs ` Inv ∧ φ (l, cc), ρ∃ ` ρs (∃t2)
(l, cc), ρ∃ ` ∃(Inv ∧ φ)
This above derivation for ∃ is similar to the one without the placeholder.
Hence, we know to intersect the invariants with the placeholder ρs and not with
succ((l, cc)).
Now we derive the invariant for ∀:
5.5. Extended Tool: Verifying Lrel,a fν,µ 218
succ((l, cc)), ρs ` ¬Inv succ((l, cc)),¬ρs ` φ (∨c)succ((l, cc)) ` ¬Inv ∨ φ
(∀t1)
(l, cc) ` ∀(¬Inv ∨ φ)
Since ρs = ¬Inv, this rule reduces to:
succ((l, cc)), Inv ` φ
(∨c d)succ((l, cc)) ` ¬Inv ∨ φ
(∀t1)
(l, cc) ` ∀(¬Inv ∨ φ)
From this derivation, since there is no placeholder, we intersect the invariant
Inv with succ((l, cc)). In the proof rules, a “d” in the label indicates a derived rule.
Now we consider ∀ with a placeholder:
succ((l, cc)), ρs ` ¬Inv succ((l, cc)), ρ∨ − ρs ` φ (∨c)succ((l, cc)), ρ∨ ` ¬Inv ∨ φ
∀t2 inv1
see ∀t2 inv1
succ((l, cc)), ρ∨ ` ¬Inv ∨ φ succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρ∨ (∀t2)
(l, cc), ρ∀ ` ∀(¬Inv ∨ φ)
This derivation is more complex, due to the placeholder in the ∀. Here we use
the version of ∨c that uses the complement of the placeholder. After doing some
set operations and solving the left (ρs = ¬Inv), we get the cleaned up version of
∀ with a placeholder:
succ((l, cc)), Inv, ρ∨ ` φ
(∨cd)succ((l, cc)), ρ∨ ` ¬Inv ∨ φ succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρ∨ (∀t2)
(l, cc), ρ∀ ` ∀(¬Inv ∨ φ)
This means that the Invariant is not part of the placeholder, ρ∨. Hence, we
still intersect Inv with succ(Γ), and not the placeholder, and we might to allow
valuations that do not satisfy the invariant in the placeholder ρ∨. Furthermore, to
get the largest placeholder ρ∨, we have to include all of ¬Inv in ρv. This means
5.6. Additional Implementation Details 219
that to get all possible valuations for the placeholders, we union the complement
of the invariant (¬Inv) with the placeholder ρ∨ and then use ρv to find ρ∀.
To illustrate this point, we derive the ∀ rule with a placeholder using the ∨s
proof rule from this paper. The alternative derivation is:
succ((l, cc)), ρs1 ` ¬Inv
succ((l, cc)), ρs2 ` φ
succ((l, cc)), ρ∨ ` ρs1 ∨ ρs2 (∨s)succ((l, cc)), ρ∨ ` ¬Inv ∨ φ
Inv2
see Inv2
succ((l, cc)), ρ∨ ` ¬Inv ∨ φ succ(((l, cc), ρ∀)) ` succ((l, cc)) ∧ ρ∨ (∀t2)
(l, cc), ρ∀ ` ∀(¬Inv ∨ φ)
Using that ρs1 = ¬Inv, we get the cleaned up rule for ∀ with a placeholder:
succ((l, cc)), ρs ` φ succ((l, cc)), ρ∨ ` ρs ∨ ¬Inv
(∨s derived)succ((l, cc)), ρ∨ ` ¬Inv ∨ φ
Inv3
see Inv3
succ((l, cc)), ρ∨ ` ¬Inv ∨ φ succ(((l, cc), ρ∀)) ` succ((l, cc)) ∧ ρ∨ (∀t2)
(l, cc), ρ∀ ` ∀(¬Inv ∨ φ)
which is the same as the previous derivation using the rule ∨c.
How we included the invariant Inv in the proof rules depends on the definition
of the time advance operators. Also note that these uses of Inv require that Inv is
past closed. Note that Inv → φ is equivalent to ¬Inv ∨ φ; since → is not fully
supported, we encode the invariant with (¬Inv) ∨ φ and use the derived results
to handle the negation over the invariant.
5.6 Additional Implementation Details
The proof rules encode the algorithm: the implementation checks the consequent
by proving the premises and uses leafs (rules with no premises) to terminate the
5.6. Additional Implementation Details 220
proof. As a result, the bulk of the algorithm follows from the construction of the
proof rules.
However, there are some additional lower-level details that can result in better
performance. These vary from using simpler formulas when possible to handling
the placeholder implementation in subtle cases. The implementation details of the
data structures is discussed in Section 5.8.
5.6.1 Addressing Performance: Simpler PES Formulas
When writing safety and liveness properties, we can use the formulas from Sec-
tion 4.7.3 of this dissertation. However, in the common case where there are no
nested temporal operators and the formula does not involve clock constraints, we
can simplify the formulations considerably. In these cases, the subformula is a
conjunction and disjunction of atomic propositions, and is represented by p or q.
Here are some simplifications:
AG [p] ≡ Y ν= p ∧ ∀([− ](Y)) (5.2)
AF [p] ≡ Y µ= p ∨
(
∀([− ](Y)) ∧ ∃(z.(∀(z < 1)))
)
(5.3)
EF [p] ≡ Y µ= p ∨ ∃(〈−〉(Y)) (5.4)
EG [p] ≡ Y ν= p ∧
(
∃(〈−〉(Y)) ∨ ∀(z.(∃(z ≥ 1)))
)
(5.5)
The TCTL operators here are: AG [p] (always p), AF [p] (inevitably p), EG [p]
(there exists a path where always p), and EF [p] (possibly p). One noticeable fea-
ture is that these simplified liveness properties do not require relativization. An-
other noticeable feature is that the ∨ can be simplified to not use placeholders
if one side is an atomic proposition; consequently, AG [p] and AF [p] do not re-
quire placeholders. This feature is a reason why the correct formulations were
hard to get: easier formulas can be used in tools. Additionally, our tool directly
5.6. Additional Implementation Details 221
implements ∃(z.(∀(z < 1))) and ∀(z.(∃(z ≥ 1))).
Correctness of Simplified PES Formulas
If φ1 is an atomic proposition, conjunction, or disjunction of them (it has no fix-
point variables, transitions, time advances or clock constraints), the the relativized
formulas can be simplified. Let the conjunction and disjunctive constraint (normal
form not required) of atomic propositions be pp. We can construct pp with the
following grammar:
pp ::= p | ¬p | tt | ff | pp ∧ pp | pp ∨ pp (5.6)
where p ∈ 2L is an atomic proposition.
We represent such atomic literals with p and q. If we only consider subfor-
mulas with this specified grammar, we also give simplified formulas for common
TCTL operators.
5.6. Additional Implementation Details 222
Theorem 5.6.1. Let p and q be a combinations of conjunctions and disjunc-
tions of atomic propositions constructed using Equation 5.6. Then we have
the following simplified TCTL formulas:
AG [p] ≡ Y ν= p ∧ ∀([− ](Y)) (5.7)
AF [p] ≡ Y µ= p ∨
(
∀([− ](Y)) ∧ ∃(z.(∀(z < 1)))
)
(5.8)
EF [p] ≡ Y µ= p ∨ ∃(〈−〉(Y)) (5.9)
EG [p] ≡ Y ν= p ∧
(
∃(〈−〉(Y)) ∨ ∀(z.(∃(z ≥ 1)))
)
(5.10)
AG [p → AF [q]] ≡ Y ν= (¬p) ∨ ∀(Y2 ∧ [− ](Y))
Y2
µ
= q ∨ (∀([− ](Y2)) ∧ ∃(z.(∀(z < 1)))) (5.11)
The last operator is the “leads to” operator. Here we use the simplified AF [q]
but use the regular AG [p] formula. Also recall that the tool has operators to han-
dle the subpaths with the freeze quantifiers.
To prove this operators, we will rely on some of the properties of formulas
involving only atomic propositions. The proofs rely on the following property:
if p is true, then ∀(p) is true. Also, for all previous times, p is true. Hence, the
semantics of the formula is equivalent regardless of whether a continuous or a
pointwise semantics is used for p. As a result, we have the equivalences in the
following lemma:
Lemma 5.6.2 (Properties of atomic proposition formulas). Let p be a combination
5.6. Additional Implementation Details 223
of conjunctions and disjunctions of atomic propositions. Then:
p ≡ ∃(p) ≡ ∀(p) (5.12)
p ∨ ∀(φ) ≡ ∀p(p ∨ φ) for any formula φ (5.13)
p ∧ ∃(φ) ≡ ∃p(p ∧ φ) for any formula φ (5.14)
Proof of Lemma 5.6.2. From the definitions of the Lrelν,µ operators. For some insight
into the second and third equivalences, try using φ = ff and φ = tt.
Proof of Theorem 5.6.1. Here we show AG [p] and AF [p]. The proofs for EG [p]
and EF [p] are similar, and the proof of the last equivalence follows from the
proofs for AG [p] and AF [p].
Proof of AG [p]:
AG [p] ≡Y ν= ∀(p ∧ [− ](Y)) (Original Formula)
Y ν= ∀(p) ∧ ∀([− ](Y)) (Distributivity ∀, ∧)
Y ν= p ∧ ∀([− ](Y)) (p ≡ ∀(p))
5.6. Additional Implementation Details 224
Proof of AF [p]:
AF [p] ≡Y µ= ∀p
(









= (p ∨ ∀([− ](Y))) ∧
(
∃(z.(∀(z < 1))) ∨ ∃(p)
)
(p ∨ ∀(φ) ≡ ∀p(p ∨ φ))
Y
µ
= (p ∨ ∀([− ](Y))) ∧
(











∀([− ](Y)) ∧ ∃(z.(∀(z < 1)))
)
(Distributivity ∧, ∨)
5.6.2 Placeholder Implementation Complexities
Consider the two placeholder premises in the ∀(φ) and ∃φ1(φ2) proof rules in
Figures 5.2 and 5.4. The placeholder sequents are given here:
succ((l, cc), ρ∀) ` succ((l, cc)) ∧ ρs and succ((l, cc)), pred<(ρs) ` φ1 (5.15)
In soundness and completeness proofs, we use soundness to give us a place-
holder to show that the formula holds, and with completeness, we argue that
some placeholder exists. Given the complexities of the formulas, the tool needs to
find the largest such placeholder. The rules are designed for the tool to implement
them in a left-to-right fashion, where placeholders are tightened by right-hand
rules. However, as the placeholders are tightened, we need to make sure that the
tightened placeholder still satisfies the left-hand premise. For instance, consider
5.7. Clock Zones 225
the second of the above placeholders. As we tighten the placeholder to satisfy φ1,
we need to check that this placeholder is the predecessor< of the placeholder that
satisfies φ2. These checks take extra algorithmic work.
5.7 Clock Zones
Before discussing the implementation of the clock data structures, we discuss the
conceptual data structure: clock zones.
For model checking, we have to deal with an infinite number of states (given
an infinite number of valuations) and terminate in a finite amount of time. To do
this, we need an abstraction or a way of grouping states together to form a finite
number of state collections or abstract states. One commonly used abstraction is
to group sets of valuations into clock zones.
For model checking, one abstraction to aid in reachability and model checking
is to model check a convex set of clock valuations at once. Thus instead of checking
states (l, ν) individually, we can group valuations together into clock zones and
then reason on clock zones. Clock zones have the property of being convex sets of
valuations. This definition of a clock zone is taken from Alur [5], Clarke et al. [55].
Definition 5.7.1 (Clock zone). A clock zone is a convex combination of single-clock
inequalities. Each clock zone can be constructed using the following grammar,
where xi and xj are arbitrary clocks and c ∈ Z:
Z ::= xi < c | xi ≤ c | xi > c | xi ≥ c| xi − xj < c | xi − xj ≤ c | Z ∧ Z (5.16)

5.7. Clock Zones 226
Example 5.7.1. The following are examples of clock zones:
z1 = x1 ≥ 3 ∧ 5 ≤ x2 − x1 ≤ 7
z2 = x1 < 6 ∧ x1 − x2 ≤ 3 (notice it is x1 − x2 here)
z3 = x2 > 1 ∧ 5 < x2 − x1 < 8
z4 = 1 ≤ x1 ≤ 2 ∧ 1 ≤ x2 ≤ 2 ∧ x2 − x1 ≥ 0
For these clock zones, CX = {x1, x2}. 
Clock zones extend clock constraints with inequalities of clock differences.
These inequalities are used for model checking even though clock difference in-
equalities are not used in timed automata. However, in general, clock zones are
not unique. To make model checking easier, we use a standardized, or canonical,
form for clock zone representations. We use shortest path closure [27]. This form
makes every implicit constraint explicit. This can be implemented in O(n3) time
using Floyd-Warshall all-pairs shortest path algorithm, described in Ahuja et al.
[3], Cormen et al. [58]. Other standard forms exist [112, 154].
While converting to a canonical form takes a considerable amount of time, it is
needed to simplify and standardize the algorithms for the zone operations includ-
ing time successor (succ(z)) computations and subset checks. For time successor,
having the zone in canonical form allows the time elapse operation to simply set
all single-clock upper bound constraints to < ∞. Different standard forms require
different algorithms for clock zone operators.
5.7.1 Clock Zone Operations
There are a variety of clock zone operations that are desirable for timed automata
model checking. Here we proved the operation as well as a sketch of the imple-
5.7. Clock Zones 227
mentation for the DBM data structure. Given clock zones, we define some com-
monly used operators on clock zones. We will want any representation of a clock
zone to implement these.
The following operators work on clock zones and ouptput clock zones:
Canonical Form—cf(z): Given a clock zone z ∈ Z , cf(z) produces the canonical
form of the zone z, which gives a representation where any implicit con-
straints are made explicit, including making constraints that can be more
strict strict.
Valuation Search—search(z, ν): Given clock zone z ∈ Z and valuation ν ∈ V ,
search(z, ν) tells you if ν ∈ z.
Get Clock Constraint—getConstraint(z, xi, xj):
getConstraint(z, xi, xj) returns the exact lower bound constraint (< or
≤) of xi − xj within clock zone z.
Giving x0 is equivalent to giving 0 as a clock value, and will thus give you
the single-clock constraint (which could be a lower bound or upper bound).
Emptiness—isEmpty(z): Given clock zone z ∈ Z , isEmpty(z) returns true if the
zone is empty (has no valuations in it) and false otherwise.
Intersection, ∧—intersect(z1,z2): Let z1, z2 ∈ Z . Then the intersection of the two
clock zones, intersect(z1,z2) denoted z1 ∧ z2 is the clock zone equivalent
to the clock zone z′ = z1 ∧ z2 formed by the clock zone grammar which
denotes the set of clock valuations in both of those clock zones.
Contains, z1 ⊆ z2—contains(z1, z2): Given two clock zones z1, z2, contains(z1,
z2) returns tt if z1 is a subset (or equal to) the zone z2 and ff otherwiwse.
5.7. Clock Zones 228
Equality, z1 == z2—equals(z1, z2): Given two clock zones z1, z2, contains(z1,
z2) returns tt if z1 is equal to the zone z2 and ff otherwiwse.
Time Successor, z⇑—succ(z): Given a clock zone z, succ(z) returns the set of
valuations (clock zone) formed when any amount of time δ is allowed to
elapse from z. I.e.
z⇑ = {ν | ν− δ ∈ z, ∃ δ ≥ 0} ≡ {ν | ν ∈ z + δ, ∃δ ≥ 0} ≡ {ν | ν |= ∃δ ≥
0 : ν ∈ z + δ}.
Time Predecessor, z⇓—pred(z): Given a clock zone z, this returns all the possible
valuations that are predecessors, which are valuations that would be in this
clock zone after some amount δ of time-elapse. I.e
z⇓ = {ν | ν + δ ∈ z, ∃ δ ≥ 0}
Reset Successor, z[Y := 0]—resetSuc(z, Y): Given a clock zone z and a set of
clocks Y to reset to 0 resetSuc(z, Y) gives the new clock zone (of all valua-
tions) where the set of clocks Y are all reset to 0. This is notated as z[Y := 0].
Assignment Successor, z[xi := xj]—assignSuc(z, xi, xj): Given a clock zone z,
a clock xi and a clock xj, assignSuc(z, xi, xj) gives the new clock zone (of
all valuations) where the clock xi is reset (or assigned to) the current value
of the clock xj.
Reset Predecessor—resetPred(z, Y): Given a clock zone z and a set of clocks Y
to reset to 0 resetPred(z, Y) gives the clock zone (of all valuations) that
would become z after the clocks Y are reset to 0.
This operator assumes that all the clocks Y are exactly 0 in the zone z, i.e.
z[Y := 0] = z or that a reset immediately happens. This operator may not
make sense if the zone z does not meet this assumption.
5.7. Clock Zones 229
Assignment Predecessor—assignPred(z, xi, xj): Given a clock zone z, a clock
xi and a clock xj, assignPred(z, xi, xj) gives the clock zone z′ (of all val-
uations) that becomes z when the clock xi in z′ is reset (or assigned to) the
current value of the clock xj in z′.
This operator assumes that in z, xi = xj, which is equivalent to the assign-
ment xi = xj just happening in z. This operator may not make sense if the
zone z does not meet this assumption.
Clock Constraint Normalization—normalize(z, c): Given a clock zone z ∈ Z
and a function c : CX −→ N where c(x) denotes the largest constant in a
constraint for clock x, normalize(z, c) normalizes the clock zone by relax-
ing constraints so all constraints are treated as if the constants from c are the
largest constants.
There are other operators that are desirable but do not always return clcok
zones. Some may even operate on other sets of clock valuations (or specific rep-
resentations of them). Those specific to certain representations will be described
when that valuation data structure is described. Some of these are:
Union—union(z1, z2): Given two clock zones z1, z2 ∈ Z , union(z1, z2) gives
the disjunction of the two clock zones.
Complementation (z)—comp(z1): Given a clock zone z ∈ Z , comp(z) gives the
complementation of the clock zone, z which is the set of all valuations not in
z.
Some of the operators (including the reset predecessor and the time predeces-
sor operators are described in Yovine [164]) (Though we deviate some from the
versions in that paper). The normalization operator is described in Bengtsson and
Yi [27].
5.7. Clock Zones 230
5.7.2 Clock Zone Operation Details
We now describe the specifics for some of the operations in more detail. These
specifics decribe the meaning of the operator and which constraints are changed;
these apply to all implementations of a clock zone.
Definition 5.7.2 (Clock Zone Reset, z[Y := 0]). Let z be a clock zone. Then the
clock zone after the clocks Y ⊆ CX are reset is denoted z[Y := 0], and denotes the
set of clock valuations that arise after the clocks Y are reset in z.
Here is how the constraints are changed:
• Any single clock-constraint y ∈ Y is deleted and replaced by y ≤ 0 ∧ 0 ≤ y.
(Since y has to be 0)
• Any clock-difference constraint involving y1, y2 ∈ Y is deleted and replaced
by y1 − y2 ≤ 0 ∧ y2 − y1 ≤ 0 (Since both y1 and y2 are 0, their difference
must be exactly 0).
• Any clock-difference constraint involving y ∈ Y, x ∈ CX − Y is deleted.
(Note that the difference constraints will then be implicitly limited by the
single-bound constraints involving x).

An insightful visualization, taken from Sokolsky and Smolka [147] is to imag-
ine that the constraints (or set of valuations) is projected to the hyperplane Y = 0.
Definition 5.7.3 (Time-Elapsed Clock Zones (Time Successors), z⇑). Let z be a
clock zone. Then the time-elapsed clock zone or Time Successor zone, z⇑ denotes the
set of valuations formed when any amount of time is allowed to elapse from z. I.e.
5.7. Clock Zones 231
z⇑ = {ν | ν− δ ∈ z, ∃ δ ≥ 0}.
In other words (from Clarke et al. [55]), any clock valuation ν that satisfies
∃δ ≥ 0 : ν ∈ z + δ will be in z⇑.
A clock zone z after specific time elapse δ is a specific time-elapsed clock zone
denoted z + δ.
Here is how the constraints are changed for a specific time-elapsed clock zone
of δ units (the ⇑ operator would make a different zone for each time elapse):
• For any clock x ∈ CX, any constraint of x < c or x ≤ c becomes x < c + δ or
x ≤ c + δ.
• Likewise, for any clock x ∈ CX, any constraint of c < x or c ≤ x becomes
c + δ < x or c + δ ≤ x.
• All constraints involving the difference of clocks are unchanged.
For the set of all possible time elapses, this means that every single-clock upper
bound is set to be < ∞ and all other constraints remain unchanged. 
As a visualization, take each point in the current zone and draw a line with
slope 1 (in all dimensions). All points in these lines are possible valuations after
some arbitrary time advance.
For elapsing of time, here we are not concerned with invariants or guards.
When we want to be concerned, we can intersect this with clock zones represent-
ing the invariants or guards when desired.
Definition 5.7.4 (Clock Constraint Normalization—normalize(z, c):). Given a
clock zone z ∈ Z and a function c : CX −→ N where c(x) denotes the largest
5.7. Clock Zones 232
constant in a constraint for clock x, normalize(z, c) normalizes the clock zone
by relaxing constraints so all constraints are treated as if the constants from c are
the largest constants.
This means that all upper bounds higher than c(x) are relaxed to be (∞,<)
and all lower bounds higher than c(x) are lowered (relaxed) to be > c(x). For
clock difference constraints xi − xj, they are normalized so the upper bound is
loosened to (∞,<) if it exceeds c(xi) and the lower bound of xi − xj is lowered to
be > −c(xj) (Which means that the upper bound on xj − xi > c(xj)).
Note. As discussed in previous sections, this algorithm only works if clock differ-
ence constraints are not allowed in the timed automata. While the clock zones can
encode such constraints, the automata cannot for this algorithm to work.

The reason that clock zones are normalized is in order to make sure that a
timed automaton can be represented by a finite number of clock zones. While
normalization does add valuations to the set of clock zone (information is lost),
we do not care about the information that is lost, since all the properties of region
equivalence still hold because of the following condition in the definition of region
equivalence (See Definition 2.5.3):
• For all x ∈ CX, either bν1(x)c = bν2(x)c or ν1(x), ν2(x) > c(x).
Thus, if any value exceeds c(x) for that specific clock, it does not matter by
how much. In differences xi − xj, if the upper bound exceeds c(xi), that can only
be possible if xi > c(xi) since all clocks are at least 0. For lower bounds, if the
lower bound exceeds −c(xj), then it is only possible when xj > c(xj).
5.7. Clock Zones 233
Thus, by eliminating the distinguishing between ∞ and values of clocks larger
than their largest constants, we can compress our representation into a finite
number of zones and still have those zones preserve the Reachability and Model-
Checking properties we want them to preserve.
Example 5.7.2. Suppose CX = {x1, x2}. If we consider the following clock zones:
z1 = x1 ≥ 3 ∧ 5 ≤ x2 − x1 ≤ 7
z2 = x1 < 6 ∧ x1 − x2 ≤ 3 (notice it is x1 − x2 here)
z3 = x2 > 1 ∧ 5 < x2 − x1 < 8
z4 = 1 ≤ x1 ≤ 2 ∧ 1 ≤ x2 ≤ 2 ∧ x2 − x1 ≥ 0
Here are some of the intersections of the clock zones:
z1 ∧ z2 = 3 ≤ x1 < 6 ∧ 5 ≤ x2 − x1 ≤ 7
z1 ∧ z3 = x1 ≥ 3 ∧ x2 ≥ 1 ∧ 5 < x2 − x1 ≤ 7
z1 ∧ z2 ∧ z3 = 3 ≤ x1 < 6 ∧ 1 ≤ x2 ∧ 5 < x2 − x1 ≤ 7
Note that in z1, x1 − x2 ≤ 3 ≡ x2 − x1 ≥ −3.
Here are some of the zones after some clock resets.
z1[x1 := 0] = 0 ≤ x1 ≤ 0 ∧ 8 ≤ x2
z4[x1 := 0] = 0 ≤ x1 ≤ 0 ∧ 1 ≤ x2 ≤ 2
z4[x2 := 0] = 1 ≤ x1 ≤ 2 ∧ 0 ≤ x2 ≤ 0∧
z4[{x1, x2} := 0] = 0 ≤ x1 ≤ 0 ∧ 0 ≤ x2 ≤ 0
5.7. Clock Zones 234
and here are some clock zones after some specific time elapses:
z1 + 0 = z1
z1 + 2 = x1 ≥ 5 ∧ 5 ≤ x2 − x1 ≤ 7
z4 + 3 = 4 ≤ x1 ≤ 5 ∧ 4 ≤ x2 ≤ 5 ∧ x2 − x1 ≥ 0

Implementations for these operators will be discussed in more detail when the
various representations of clock zones are discussed, so the implementations can
be representation-specific.
Sometimes in a clock zone, given constraints on one clock and a difference
of two clocks, there will be implicit constraints on the other clock (or given con-
straints on two clocks there will be implicit constraints on their differences). These
constraints must be persevered even if they are not explicitly written.
Intersection is closed by the definition of the grammar for a clock zone. The
closure for the other operators, except for union, is a corollary to the following
Claim, proved in Clarke et al. [55].
Claim 5.7.1 (Lemma 46 of Clarke et al. [55]). If z is a clock zone with free clock
variable x, then ∃x : z is also a clock zone.
The above claim can be used on any clock zone z. We illustrate it for the reset
operator for resetting one clock x. By definition, the reset operator converts z to
z[x 7→ 0], which by definition, is the weakest precondition, or ∃x : z[x := 0]. The
above lemma establishes that it is a clock zone.
5.8. Clock Zone Implementations 235
i
{ j︷ ︸︸ ︷. . . . . . . . .. . . . . . . . .
. . . . . . xi − xj ≤ uij

Figure 5.6: DBM: a matrix with constraint xi − xj ≤ uij in entry (i, j).
5.8 Clock Zone Implementations
Clock zones are an abstract data structure. The standard implementation is the
difference bound matrix (DBM), a matrix form that stores every clock constraint.
To improve performance, we designed two sparser implementations (based off
of ideas of others), the sparse linked-list CRDZone and the sparse array-list CR-
DArray. Their name comes from their inspiration, the clock restriction diagram
(CRD), which is from Wang [154, 155].
5.8.1 Difference Bound Matrix (DBM)
The basic way to implement a clock zone is a difference bound matrix (DBM), de-
scribed in Definition 5.8.1. See Bengtsson and Yi [27], Dill [64] for a more thorough
description.
Definition 5.8.1 (Difference bound matrix (DBM)). Let n − 1 be the number of
clocks. A DBM is an n × n matrix where entry (i, j) is the upper bound of the
clock constraint xi − xj, represented as xi − xj ≤ uij or xi − xj < uij. The 0th index
is reserved for a dummy clock x0, which is always 0, allowing bounds on single
clocks to be represented by the clock differences xi − x0 and x0− xj. See Figure 5.6
for a picture of the DBM structure and Example 5.8.1 for a concrete example. 
5.8. Clock Zone Implementations 236
5.8.2 Alternative Implementations, CRDZone and CRDArray
When implementing clock zones, we can implement them densely, where we store
the value of every constraint, or we can implement them sparsely, where we can
implicitly store vacuous clock inequalities. One advantage of the dense implemen-
tation is that determining the value of any constraint on a single clock difference
can be found in O(1) time and that we do not need to store clock indices, since
they are implicitly encoded in their location. The advantage of a sparser imple-
mentation is that we can store fewer clock constraints and thus traverse through
all clock constraints faster. The sparser the clock zone is, the more value there is
likely to a sparse implementation.
However, we consider a sparser implementations. Rather than storing the value
for every xi − xj, we can omit storing vacuous constraints (like xi − xi ≤ 0 and
xi − xj < ∞) and thus save space. To do this, we use a linked-list implementation
of a clock zone, called a CRDZone. The constraints are stored in lexicographi-
cal order on (i, j) and vacuous constraints such as xi − xi ≤ 0 and xi − xj < ∞
are omitted, since they are considered implicit. We can also implement this as a
statically allocated array list. This version is the CRDArray. Using a dynamic al-
location instead of our static allocation for the CRDArray array list is conjectured
to save space at the expense of time. An example of the CRDZone and CRDArray
is given in Example 5.8.1.
For more details on the DBM, CRDZone and CRDArray, see Fontana and
Cleaveland [73].
Example 5.8.1 (Clock zone in various representations). Consider the clock zone
z = 1 ≤ x1 < 3 ∧ 0 ≤ x2 ≤ 5 ∧ x2 − x1 ≤ 4.
5.8. Clock Zone Implementations 237
DBM representation of z:

x0 − x0 ≤ 0 x0 − x1 ≤ −1 x0 − x2 ≤ 0
x1 − x0 < 3 x1 − x1 ≤ 0 x1 − x2 < ∞
x2 − x0 ≤ 5 x2 − x1 ≤ 4 x2 − x2 ≤ 0

CRDZone representation of z:
x0 − x0 ≤ 0 −→ x0 − x1 ≤ −1 −→ x0 − x2 ≤ 0
−→ x1 − x0 < 3 −→ x2 − x0 ≤ 5 −→ x2 − x1 ≤ 4
CRDArray representation of z:
[x0 − x0 ≤ 0|x0 − x1 ≤ −1|x0 − x2 ≤ 0
|x1 − x0 < 3|x2 − x0 ≤ 5|x2 − x1 ≤ 4]

Remark 5.8.1 (On DBM vs. CRDZone and CRDArray methods). Due to the sparse
implementation and removal of implicit nodes, the CRDZone and CRDArray can
improve time by reducing the number of nodes, and thus the number of nodes
looked at during a full traversal. This can speed up traversal-based algorithms
such as intersect and subset check. However, algorithms like clock reset, emptiness
check and canonical form use O(1) access of middle nodes in DBMs (the CRDZone
and CRDArray do not have O(1) access for all nodes), resulting in a performance
slowdown for those CRDZone and CRDArray methods. For space, the CRDZone
and CRDArray can store fewer nodes but must store the explicit indices, resulting
in more space per node.
5.9. Unions of Clock Zones and More Complex Data Structures 238
5.9 Unions of Clock Zones and More Complex Data Struc-
tures
For reachability and many properties, clock zones provide a sufficient abstraction.
However, for certain properties including ∨, clock zones are not sufficient. This is
because clock zones are convex, and properties like x1 < 2 ∨ x1 ≥ 4 is not convex.
To solve this problem, we use a union of clock zones. There are some implemen-
tations and different data structures out there; three potential implementations
are:
1. Lists of Clock Zones (typically DBMs). One take represent a clock zone
directly as a DBM and represent a union of clock zones as a list of DBMs
(or other clock zone implementation). If we have a list of zones z1, z2 . . . zn,
it represents the union of zones z1 ∨ z2 ∨ . . . ∨ zn.
2. Clock Difference Diagrams (CDD) [21, 114]. The clock difference diagram
stores the union of zones as a tree, inspired by a binary decision diagram
(BDD) (see Clarke et al. [55]), where each path is a clock zone. This structure
is labeled with tt and ff leaves, where if a valuation reaches a tt node then
it is in the union of zones. Each node has edges representing an upper bound
and a lower bound on some clock difference xi − xj.
3. Clock Restriction Diagrams (CRD) [154, 155]. Similar to a CDD, this struc-
ture only stores paths that are in the zone. Also, it only uses upper bound
constraints and represents lower bound constraints with a different node.
Behrmann et al. [21], Wang [155] show that the BDD-like tree-like representa-
tion of a union of clock zones can result in time and space savings for unions of
zones. However, these are quite complex to implement. Thus, for simplicity, we
will begin using a list of clock zones for our implementation.
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 239
5.10 Preliminary Evaluation I: Clock Zone Implementation
Performance
We did a preliminary analysis [73] analyzing the time and space performances of
the three clock zone implementations.
5.10.1 Experimental Setup
We compare the DBM implementation to the CRDZone and CRDArray imple-
mentations. Each implementation uses shortest path closure to compute canonical
form. The only difference in the DBM, CRDZone and CRDArray versions is the
data structure implementation. The benchmark choice was modeled off of Zhang
and Cleaveland [167], with the addition of a model of the generalized railroad
crossing (GRC) protocol [85]. We also used all the protocols in Zhang and Cleave-
land [167], which are the Carrier Sense, Multiple Access with Collision Detection
(CSMA/CD), the Fiber Distributed Data Interface (FDDI), Fischer’s Mutual Exclu-
sion (FISCHER), the Leader Election protocol (LEADER and LBOUND) and the
PATHO Operating System (PATHOS) protocol, where each of these protocols is
described some in Zhang and Cleaveland [167]. There are 53 benchmarks that ran
on each implementation.
Experiments were run on a Linux machine with a 3.4 GHz Intel Pentium 4 Dual
Processor (each a single core) with 4 GB RAM. Time and space measurements
(maximum space used) were made using the memtime (http://www.update.uu.
se/~johanb/memtime/) tool [26] (using time elapsed and Max VSize). The data
tables are in Section 5.10.2.
For the experiments, we use three kinds of examples:
• Valid A Examples (in Tables 5.1 and 5.2): Correct system implementations
with valid safety specifications.
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 240
Table 5.1: Experiment Results—A Examples—Time (s): correct system, correct
specification.
Example DBM CRDZone CRDArray
CSMACD-3-a 0.10 0.20 (200%) 0.20 (200%)
CSMACD-4-a 3.16 4.48 (142%) 6.50 (206%)
FDDI-20-a 2.04 3.03 (149%) 4.66 (228%)
FDDI-40-a 58.49 79.2 (135%) 126.82 (217%)
FDDI-50-a 169.66 230.7 (136%) 370.71 (219%)
MUX-5-a 1.22 2.14 (175%) 2.75 (225%)
MUX-6-a 35.49 74.44 (210%) 98.08 (276%)
MUX-7-a 2623.61 5742.55 (219%) 7383.73 (281%)
LEADER-6-a 0.41 0.71 (173%) 0.92 (224%)
LEADER-7-a 12.99 25.89 (199%) 34.22 (263%)
LBOUND-6-a 0.51 1.02 (200%) 1.32 (259%)
LBOUND-7-a 17.36 37.07 (214%) 49.64 (286%)
PATHOS-4-a 13.7 35.23 (257%) 50.58 (369%)
GRC-3-a 0.92 1.63 (177%) 2.12 (230%)
GRC-4-a 252.05 431.63 (171%) 748.01 (297%)
• Invalid B Examples (in Tables 5.3 and 5.4): A examples with invalid speci-
fications.
• Invalid C Examples (in Tables 5.5 and 5.6): A examples with buggy imple-
mentations of the systems that do not satisfy the A specifications.
5.10.2 Experimental Data
The experimental data for the 53 example benchmarks is provided in Tables 5.1,
5.2, 5.3, 5.4, 5.5 and 5.6, with the best entry(ies) in each row bolded and percent-
age change relative to the DBM, to the nearest %, in parenthesis. Time data is
given to the nearest 0.01s (second) and space data is given to the nearest 0.01MB
(Megabyte). Given the percentage rounding, sometimes an example with slightly
different performance may still have a 100% value.
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 241
Table 5.2: Experiment Results—A Examples—Space (MB): correct system, correct
specification.
Example DBM CRDZone CRDArray
CSMACD-3-a 2.88 7.55 (262%) 11.02 (382%)
CSMACD-4-a 209.97 104.47 (50%) 179.53 (86%)
FDDI-20-a 5.96 9.00 (151%) 13.57 (227%)
FDDI-40-a 27.55 57.24 (208%) 100.30 (364%)
FDDI-50-a 53.91 116.79 (217%) 209.29 (388%)
MUX-5-a 14.57 12.73 (87%) 18.55 (127%)
MUX-6-a 84.05 116.35 (138%) 168.38 (200%)
MUX-7-a 625.42 1667.94 (267%) 2302.39 (368%)
LEADER-6-a 3.57 6.59 (185%) 7.82 (219%)
LEADER-7-a 20.98 104.02 (496%) 133.39 (636%)
LBOUND-6-a 3.93 8.66 (220%) 10.39 (264%)
LBOUND-7-a 27.89 157.54 (565%) 199.99 (717%)
PATHOS-4-a 40.73 38.11 (94%) 57.45 (141%)
GRC-3-a 10.48 7.87 (75%) 11.23 (107%)
GRC-4-a 318.22 220.64 (69%) 355.02 (112%)
5.10.3 Histograms and Descriptive Statistics
Running the different data structure implementations with the same examples
yields paired data. Hence, we can take the two implementations and pair them
example-by-example on their time and space differences to analyze their perfor-
mance. When we pair the DBM − CRDZone samples, we take the DBM mea-
surement and subtract the CRDZone measurement for the same example to get
a DBM − CRDZone paired data point. For instance, the MUX-5-a paired point is
-0.92s, 1.94MB, since the DBM point is 1.22s, 14.67MB, and the CRDZone point is
2.14s, 12.73MB. Pairings are likewise done to obtain the paired samples for DBM
− CRDArray and CRDZone − CRDArray. For more information, see a Statistics
text such as Devore [62].
Tables 5.7, 5.8 and 5.9 contain descriptive statistics on the paired difference in
example-by-example performance of the DBM, CRDZone and CRDArray. Figures
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 242
Table 5.3: Experiment Results—B Examples—Time (s): correct system, invalid
specification.
Example DBM CRDZone CRDArray
CSMACD-4-b 0.10 0.10 (100%) 0.20 (200%)
CSMACD-5-b 0.51 0.51 (100%) 0.71 (139%)
CSMACD-6-b 3.35 2.73 (81%) 3.97 (119%)
FDDI-30-b 1.53 1.53 (100%) 2.23 (146%)
FDDI-40-b 4.66 4.58 (98%) 6.60 (142%)
FDDI-60-b 8.64 5.07 (59%) 5.48 (63%)
MUX-20-b 0.41 0.41 (100%) 0.51 (124%)
MUX-30-b 0.92 0.91 (99%) 1.21 (132%)
MUX-40-b 1.93 1.73 (90%) 2.23 (116%)
LEADER-10-b 0.10 0.10 (100%) 0.10 (100%)
LEADER-20-b 0.10 0.20 (200%) 0.20 (200%)
LBOUND-10-b 0.10 0.10 (100%) 0.20 (200%)
LBOUND-40-b 6.82 17.46 (256%) 29.54 (433%)
PATHOS-7-b 0.10 0.10 (100%) 0.10 (100%)
PATHOS-8-b 0.10 0.10 (100%) 0.10 (100%)
PATHOS-9-b 0.10 0.10 (100%) 0.10 (100%)
GRC-3-b 0.10 0.10 (100%) 0.10 (100%)
GRC-4-b 0.51 0.61 (120%) 0.82 (161%)
GRC-5-b 9.75 13.4 (137%) 19 (195%)
5.7, 5.8 and 5.9 have histograms that plot the overall time and space differences
between the DBM, CRDZone and CRDArray implementations. Bin colors and are
changed to help more easily find the -0.001 to 0.001 (equal performance, since our
measurement precision is 0.01 units), and -0.25 to -0.001 and 0.001 to 0.25 bins
(slight differences).
We do not use 95% confidence intervals, paired two-sample hypothesis (z)
tests or ANOVA (Analysis of Variance) because the independence assumption of
the samples (the example benchmarks) does not hold. Furthermore, we do not use
a Wilcoxon signed-rank test for the median because the symmetry assumption of
the distribution is not believed to hold, and thus we cannot analyze the hypo-
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 243
Table 5.4: Experiment Results—B Examples—Space (MB): correct system, invalid
specification.
Example DBM CRDZone CRDArray
CSMACD-4-b 2.88 2.89 (100%) 13.67 (474%)
CSMACD-5-b 144.14 72.38 (50%) 123.52 (86%)
CSMACD-6-b 1134.30 553.21 (49%) 961.90 (85%)
FDDI-30-b 9.60 9.06 (94%) 19.08 (199%)
FDDI-40-b 17.19 16.03 (93%) 39.00 (227%)
FDDI-60-b 27.85 14.53 (52%) 63.52 (228%)
MUX-20-b 19.37 11.15 (58%) 16.96 (88%)
MUX-30-b 28.28 16.87 (60%) 28.58 (101%)
MUX-40-b 43.01 21.85 (51%) 42.81 (100%)
LEADER-10-b 2.88 2.89 (100%) 2.89 (100%)
LEADER-20-b 2.88 4.59 (159%) 5.69 (197%)
LBOUND-10-b 2.88 2.89 (100%) 3.38 (117%)
LBOUND-40-b 18.29 15.23 (83%) 30.73 (168%)
PATHOS-7-b 2.88 2.89 (100%) 2.89 (100%)
PATHOS-8-b 2.88 2.89 (100%) 2.89 (100%)
PATHOS-9-b 2.88 2.89 (100%) 2.89 (100%)
GRC-3-b 2.88 2.89 (100%) 2.89 (100%)
GRC-4-b 58.74 32.08 (55%) 53.42 (91%)
GRC-5-b 717.21 379.44 (53%) 648.00 (90%)
thetical benchmark distribution referred to in Remark 5.10.1. We do use paired
sampling since we have its only requirement—perfect correlation of the samples.
More information is in Devore [62].
To get an better idea of the distribution of the benchmark examples themselves
and to put some light on the differences, histograms of the time and space used for
the DBM implementation to check the example benchmarks are given in Figure
5.10.
5.10.4 Analysis of Results
Remark 5.10.1 (On our analysis approach). We ask: what does it mean for an imple-
mentation to perform better than another? We consider consider better to be mea-
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 244
Table 5.5: Experiment Results—C Examples—Time (s): buggy system, correct
specification.
Example DBM CRDZone CRDArray
CSMACD-6-c 0.51 0.41 (80%) 0.51 (100%)
CSMACD-7-c 2.03 1.82 (90%) 2.03 (100%)
CSMACD-8-c 9.55 8.42 (88%) 9.55 (100%)
FDDI-30-c 0.51 0.41 (80%) 0.41 (80%)
FDDI-40-c 1.52 0.92 (61%) 1.01 (66%)
FDDI-60-c 6.71 3.98 (59%) 4.17 (62%)
MUX-6-c 139.02 258.32 (186%) 401.84 (289%)
LEADER-60-c 6.81 3.96 (58%) 4.06 (60%)
LEADER-70-c 14.42 8.12 (56%) 8.13 (56%)
LEADER-100-c 82.94 45.78 (55%) 45.88 (55%)
LBOUND-6-c 0.10 0.10 (100%) 0.20 (200%)
LBOUND-7-c 0.61 0.81 (133%) 1.12 (184%)
LBOUND-8-c 12.48 32.00 (256%) 52.9 (424%)
PATHOS-5-c 0.10 0.10 (100%) 0.10 (100%)
PATHOS-6-c 0.10 0.10 (100%) 0.10 (100%)
PATHOS-7-c 0.10 0.10 (100%) 0.10 (100%)
GRC-3-c 0.10 0.10 (100%) 0.10 (100%)
GRC-4-c 0.51 0.81 (159%) 1.02 (200%)
GRC-5-c 9.65 13.31 (138%) 18.88 (196%)
sured in the number (or percentage) of examples that one system outperforms
another in. The larger aim is for any implementation, if we were to know all the
examples that it would run (including and beyond the experiment examples), we
would like one implementation to perform (strictly) better for at least 51% of this
hypothetical set. This influences our analysis.
Given our meaning of better in Remark 5.10.1, we consider the median, 25%
and 75% percentile values as insights into typical examples and use the histograms
to get a bigger picture of the sample distribution of the performance differences
for the experiment, and weigh these more heavily than the mean and standard
deviation values. The mean and the standard deviation provide us with an alter-
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 245
Table 5.6: Experiment Results—C Examples—Space (MB): buggy system, correct
specification.
Example DBM CRDZone CRDArray
CSMACD-6-c 85.32 18.53 (22%) 79.30 (93%)
CSMACD-7-c 337.43 191.84 (57%) 320.89 (95%)
CSMACD-8-c 1369.07 787.75 (58%) 1338.62 (98%)
FDDI-30-c 4.88 4.60 (94%) 9.93 (203%)
FDDI-40-c 9.55 6.41 (67%) 19.63 (206%)
FDDI-60-c 24.07 14.24 (59%) 55.57 (231%)
MUX-6-c 1607.73 1047.64 (65%) 1723.25 (107%)
LEADER-60-c 29.24 10.79 (37%) 63.66 (218%)
LEADER-70-c 51.18 15.30 (30%) 108.80 (213%)
LEADER-100-c 203.89 40.65 (20%) 431.71 (212%)
LBOUND-6-c 2.88 2.89 (100%) 4.48 (155%)
LBOUND-7-c 12.52 10.34 (83%) 14.42 (115%)
LBOUND-8-c 75.66 59.23 (78%) 90.48 (120%)
PATHOS-5-c 2.88 2.89 (100%) 2.89 (100%)
PATHOS-6-c 2.88 2.89 (100%) 2.89 (100%)
PATHOS-7-c 2.88 2.89 (100%) 2.89 (100%)
GRC-3-c 2.88 2.89 (100%) 2.89 (100%)
GRC-4-c 58.74 35.94 (61%) 59.47 (101%)
GRC-5-c 717.29 379.35 (53%) 647.94 (90%)
native picture of the overall performance and give hints of either a unusual sample
distribution (since in a symmetric distribution the mean equals the median) or the
presence of potential outliers.
DBM vs. CRDZone
The CRDZone performs slower for 45% of the tested examples (at least as slow
for 74%) with a median difference of 0.00s slower, while the CRDZone has a mean
difference of 67.55s slower. Thus, we infer the CRDZone is either slightly slower
or competitive to the DBM for this benchmark, but due to insufficient evidence
(45% of the examples is not enough) do not infer that the DBM performs strictly
faster than the CRDZone.
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 246
Table 5.7: Descriptive Statistics for paired DBM − (minus) CRDZone examples,
for time (s) and space (MB).





Standard Deviation 428.35 212.65
25% Percentile -1.24 0.00
Median 0.00 1.85
75% Percentile 0.06 25.70
Table 5.8: Descriptive Statistics for paired DBM − (minus) CRDArray examples,
for time (s) and space (MB).





Standard Deviation 655.65 235.63
25% Percentile -3.16 -20.54
Median -0.29 -2.81
75% Percentile 0.00 -0.01
The CRDZone takes less space for 57% of the tested examples (at most as much
space for 57%) with a median amount of 1.85MB less space and a mean amount
of 34.96MB less space. The CRDZone takes at least 0.25MB less space for 28 such
examples and more than 0.25MB space for only 11 examples. Thus (even though
57% is not a large majority), we infer the CRDZone takes less space overall for this
benchmark.
DBM vs. CRDArray
The CRDArray performs slower for 64% of the tested examples (at least as slow
for 87%) with a median difference of 0.29s slower and a mean difference of 112.95s
slower. Thus we infer the CRDArray performs slower overall for this benchmark.
The CRDArray takes more space for 79% (at least as much space for 79%) of
5.10. Preliminary Evaluation I: Clock Zone Implementation Performance 247
Table 5.9: Descriptive Statistics for paired CRDZone − (minus) CRDArray exam-
ples, for time (s) and space (MB).





Standard Deviation 229.06 160.91
25% Percentile -2.02 -52.67
Median -0.21 -19.35
75% Percentile -0.03 -1.63
the examples with a median amount of 2.81MB more space and mean amount
of 47.75MB more. Thus we infer the CRDArray takes more space overall for this
benchmark.
CRDZone vs. CRDArray
The CRDArray performs slower for 77% of the tested examples (at least as slow
for 100%) with a median difference of 0.21s slower and a mean difference of 45.40s
slower. Thus we infer the CRDArray is slower overall for this benchmark.
The CRDArray takes more space for 100% of the examples with a median
amount of 19.35MB more space and a mean amount of 82.71MB more. Thus we
infer the CRDArray takes more space overall for this benchmark.
5.10.5 Conclusions
Here are the conclusions:
1. Time: (DBM ≤t CRDZone) <t CRDArray). For this benchmark, we infer
that the DBM is either competitive with or slightly faster than the CRDZone
and both perform faster than the CRDArray. There is insufficient evidence
to conclude that the DBM is strictly faster.
2. Space: (CRDZone <s DBM) <s CRDArray. For this benchmark, we infer































































































































































































































































































DBM – CRDZone Space (MB)	

Figure 5.7: Histograms comparing the DBM − (minus) CRDZone time (s) (top)
and space (MB) (bottom) differences.
that the CRDZone takes the least amount of space and the DBM takes less
space than the CRDArray for this experiment.
Remark 5.10.2 (On DBM vs. CRDZone and CRDArray methods). Due to the sparse
implementation and removal of implicit nodes, the CRDZone and CRDArray can
improve time by reducing the number of nodes, and thus the number of nodes
looked at during a full traversal. This can speed up traversal-based algorithms
such as intersect and subset check. However, algorithms like clock reset, emptiness
check and canonical form use O(1) access of middle nodes in DBMs (the CRDZone
and CRDArray do not have O(1) access for all nodes), resulting in a performance
slowdown for those CRDZone and CRDArray methods. For space, the CRDZone


























































































































































































































































































DBM – CRDArray Space (MB)	

Figure 5.8: Histograms comparing the DBM − (minus) CRDArray time (s) (top)
and space (MB) (bottom) differences.
and CRDArray can store fewer nodes but must store the explicit indices, resulting
in more space per node.
See Fontana and Cleaveland [73] for more information.
5.11 Preliminary Evaluation II: PES Tool Implementation
We present the results of a experimental evaluation of our method that demon-
strates the types of timed automata and specifications the system can model check.
Furthermore, on the subset of specifications that UPPAAL supports, we compare
our tool’s time performance to their tools’s time performance.
















































































































































































































































































CRDZone – CRDArray Space (MB)	

Figure 5.9: Histograms comparing the CRDZone − (minus) CRDArray time (s)
(top) and space (MB) (bottom) differences.
Experiments were run on a Mac OS 10.7 machine with a single 2.0 GHz Intel
Core i7 (quad core) processor with 8 GB RAM. Time and space measurements
(maximum space used) were made using the UNIX time command (using the real
time as the output time).
5.11.1 Methods: Evaluation Design
In our case study, we use four different models: Carrier Sense, Multiple Access
with Collision Detection (CSMA); Fischer’s Mutual Exclusion (FISCHER); Gener-
alized Railroad Crossing (GRC); and Leader election (LEADER). Here is a brief
description of them:






















































































































Figure 5.10: Histograms illustrating the DBM Time (s) (top) and Space (MB) (bot-
tom) distributions.
1. Carrier Sense, Multiple Access with Collision Detection (CSMA). There are n
processes sharing who one bus. The bus can only send one message at a
time. At various times processes will try to transmit a message. If the process
detects that the bus is busy, then the process will wait a random amount of
time before retrying.
2. Fischer’s Mutual Exclusion (FISCHER) This protocol involves n processes vy-
ing for access to a critical section. Each process asks for the critical section
and then waits until it gets it, re-requesting for access if it is not granted it
for a period of time. The critical section identifies which process currently
5.11. Preliminary Evaluation II: PES Tool Implementation 252
has access to it.
3. Generalized Railroad Crossing (GRC). This protocol has n trains, a gate and
a controller. The trains cross a region that intersects a road, and the gate
goes down to prevent cars from driving on the road when a train is passing
through. When no train is nearby, the gate raises or remains up to allow cars
to safely drive through.
4. Leader election (LEADER). This protocol involves involves n processes that
are electing a leader amongst themselves. To elect a leader, at each step one
process asks another process to be its parent. In our model, the smaller-
numbered process always becomes the parent. When finished, the process
with no parent is the leader.
For more information on these models, see Heitmeyer and Lynch [84], Zhang
and Cleaveland [167, 168].
For each model, we start at 4 processes and scale the model up by adding more
processes (up to 8 processes). For each model we model-checked one valid safety
specification (as), one invalid safety specification (bs), one valid liveness specifica-
tion (al), and one invalid liveness specification (bl). Each of these cases involves
only one temporal operator: φ1 involves conjunctions and disjunctions of atomic
propositions and clock constraints. In addition we tested 4 additional specifica-
tions on each property (M1, M2, M3, and M4). Out of these specifications, at least
one (usually M4) is a property with no known equivalent TCTL formula. The
specifications checked are listed below. The specifications that are not supported
by UPPAAL are in italics and are marked with a ∗.
The specifications checked on the CSMA protocol are:
• AS∗: At most one process is in a transmission state for less than 52 (2σ) units.
5.11. Preliminary Evaluation II: PES Tool Implementation 253
(Valid)
• BS: At any time, a third process can retry while two are already in transmis-
sion status. (Invalid)
• AL: It is inevitable that all processes are waiting. (Valid)
• BL: It is inevitable that some process needs to retry transmitting a message.
(Invalid)
• M1: It is always the case that if the first process needs to retry that it will
inevitably transmit. (Invalid)
• M2: It is always the case that if a bus experiences a collision that it will
inevitably become idle. (Valid)
• M3∗: The bus is always idle until a process is active. (Invalid)
• M4∗: For all paths with an infinite number of actions, the bus is always idle until a
process is active (Valid)
The specifications checked on the FISCHER protocol are:
• AS: At any time, at most one process is in the critical section. (Valid)
• BS: At any moment, at most four processes in their waiting state at the same
time. (Valid for four processes, Invalid for five or more processes)
• AL: It is inevitable that all processes are idle. (Valid)
• BL: It is inevitable that some process accesses the critical section. (Invalid)
• M1: It is always the case that if the first process is not idle, it will eventually
access the critical section. (Invalid)
5.11. Preliminary Evaluation II: PES Tool Implementation 254
• M2: It is always the case that if the third process is not idle, it will eventually
access the critical section. (Invalid)
• M3∗: It is possible for the first process to enter the critical section without waiting.
(Invalid)
• M4∗: After at most five action transitions, some process will enter the critical sec-
tion. (Invalid)
The specifications checked on the GRC protocol are:
• AS: It is always the case that if at least one train (process) is in the track
region, the gate is always down. (Valid)
• BS: It is always the case that if the gate is raising then the controller (when
one train is approaching or in) will not want to lower the gate. (Invalid)
• AL: It is inevitable that the gate is up. (Valid)
• BL: It is inevitable that the train is near the gate. (Invalid)
• M1: It is always the case that if the gate is down, then it will inevitably come
up (Invalid).
• M2∗: It is always the case that if the gate is down, then it will inevitably come up
after 30 seconds (Invalid).
• M3: It is always the case that at most one train is in the region at one time
(Invalid).
• M4∗: For all paths with an infinite number of actions, the gate is up until a train
approaches (Valid).
• M4ap∗: For all paths, the gate is up until a train approaches (Invalid).
5.11. Preliminary Evaluation II: PES Tool Implementation 255
The specifications checked on the LEADER protocol are:
• AS: At any time, each process either has no parent or has a parent with
a smaller process id (and thus the first process has no parent at all times).
(Valid)
• BS: At any moment, at least three processes do not have parents. (Invalid)
• AL: It is inevitable that the first process is elected the leader. (Valid)
• BL: It is inevitable that the third processes’ parent is the second process.
(Invalid)
• M1∗: For all paths, a the second process cannot have a child until it has a parent.
(Invalid)
• M2: It is always the case that if the third process is assigned a parent (chosen
to not be leader), then it will not be the leader. (Valid)
• M3∗: It is possible that it takes longer than 3 time units to elect a leader. (Valid)
• M4∗: For all paths, in at most three votes, a leader is elected. (Valid for four or fewer
processes, invalid for five or more processes.)
The experiments were run on an Intel Mac with 8GB ram and a quad-core 2 GHz
Intel Core i7 processor running OS 10.7. Times were measured with the UNIX
utility time.
5.11.2 Data and Results
The data is provided in Tables 5.10, 5.11, and 5.12. Table 5.10 contains the remain-
ing specifications that are not supported by UPPAAL. Tables 5.11 and 5.12 (split
due to horizontal space constraints) contain the examples that are supported both
5.11. Preliminary Evaluation II: PES Tool Implementation 256
Table 5.10: Examples that UPPAAL does not support. All times are in seconds (s).
File PES4 PES5 PES6 PES7 PES8
CSMA-as 0.29 4.62 139.16 6696.08 TO
CSMA-M3 0.01 0.03 0.14 0.80 3.99
CSMA-M4 0.01 0.03 0.14 0.71 3.66
FISCHER-M3 0.14 2.51 79.17 TO TOsm
FISCHER-M4 0.00 0.00 0.00 2.04 2.42
GRC-M2 0.01 0.01 0.01 0.02 0.03
GRC-M4 0.00 0.00 0.01 0.02 0.01
GRC-M4ap 0.00 0.00 0.01 0.01 0.01
LEADER-M1 0.00 0.00 0.00 0.01 0.01
LEADER-M3 0.01 0.08 2.12 79.05 4242.97
LEADER-M4 0.00 0.00 0.04 0.03 0.01
by our tool (PES) and by UPPAAL (UPP). In these three tables, we use the fol-
lowing abbreviations: TO (timeout: the example took longer than 2 hours), TOsm
(the example timed out with fewer process), and O/M (out of memory). Since our
tool supports a superset of the specifications that UPPAAL can support, there are
specifications that UPPAAL supports that our tool does not. A scatter plot of the
data in Tables 5.11 and 5.12 is given in Figure 5.11. In that figure, any example
with O/M, TO or TOsm had its time set to 7200s (2 hours).
5.11.3 Analysis and Discussion
After analyzing the data, we conclude three points. First, on the examples that
both our PES tool and UPPAAL support, we acknowledge that UPPAAL’s perfor-
mance is faster than ours; however, our tool performs faster on some examples.
Additionally, while our tool does time out more often than UPPAAL does, most
examples are verified quickly by both tools.
Second, our tool can quickly verify specifications that UPPAL cannot. We sug-
gest this after noticing that our tool verifies most of the examples in Table 5.10
quickly, and that every specification in Table 5.10 is not supported by UPPAAL.
5.11. Preliminary Evaluation II: PES Tool Implementation 257
Table 5.11: Time performance in seconds (s) on examples comparing PES and
UPPAAL (Table 1 of 2).
File PES4 UPP4 PES5 UPP5 PES6 UPP6
CSMA-al 0.01 1.45 0.03 0.24 0.13 0.25
CSMA-bl 0.01 0.26 0.03 0.27 0.13 0.27
CSMA-bs 0.01 0.33 0.05 0.27 0.22 0.27
CSMA-M1 0.01 0.29 0.03 0.27 0.14 0.28
CSMA-M2 0.33 0.35 5.21 7.00 154.56 1194.74
FISCHER-al 0.00 0.51 0.00 0.27 0.00 0.28
FISCHER-as 0.07 0.27 0.51 0.28 13.44 0.67
FISCHER-bl 0.00 0.26 0.00 0.26 0.00 0.28
FISCHER-bs 0.04 0.28 0.01 0.27 0.02 0.32
FISCHER-M1 0.00 0.26 0.00 0.26 0.00 0.28
FISCHER-M2 0.00 0.26 0.00 0.26 0.00 0.27
GRC-al 0.00 0.27 0.01 0.28 0.47 0.59
GRC-as 53.09 0.36 TO 7.11 TOsm 940.51
GRC-bl 0.00 0.27 0.00 0.27 0.01 0.27
GRC-bs 0.11 0.41 1.91 0.41 433.59 1.76
GRC-M1 0.01 0.27 0.04 0.27 0.01 0.29
GRC-M3 0.00 0.27 0.00 0.31 0.01 0.56
LEADER-al 0.00 0.28 0.01 0.33 0.17 4.30
LEADER-as 0.00 0.27 0.01 0.27 0.22 0.33
LEADER-bl 0.00 0.28 0.00 0.27 0.01 0.28
LEADER-bs 0.00 0.27 0.00 0.28 0.01 0.28
LEADER-M2 0.00 0.28 0.02 0.31 0.38 3.05
Third, we noticed that the for these examples, the performance bottleneck
seems be safety properties. Even with the additional complexity of supporting
the more complicated specifications (in both tables), they were often verified more
quickly than safety properties. Here is one possible explanation: while a verifier
must check the entire state space for a valid safety property, for a liveness property,
often only a subset of the state space must be checked. When a liveness property
is true, once the desired state is found in each path, the remainder of the path
need not be explored. Conversely, when a liveness property is invalid, only one
path needs to be explored.
5.12. Dissertation Contributions 258
Table 5.12: Time performance in seconds (s) on examples comparing PES and
UPPAAL (Table 2 of 2).
File PES7 UPP7 PES8 UPP8
CSMA-al 0.72 0.26 3.65 0.26
CSMA-bl 0.73 0.28 3.53 0.33
CSMA-bs 1.14 1.33 5.09 4.66
CSMA-M1 0.73 0.27 3.69 0.27
CSMA-M2 TO TO TOsm TOsm
FISCHER-al 0.00 0.40 0.00 0.27
FISCHER-as 864.04 0.96 TO 4.26
FISCHER-bl 0.00 0.34 0.00 0.26
FISCHER-bs 0.39 0.47 0.39 0.90
FISCHER-M1 0.00 0.28 0.00 0.25
FISCHER-M2 0.00 0.30 0.03 0.28
GRC-al 0.07 0.44 0.08 5.45
GRC-as TOsm 3433.14 TOsm TO
GRC-bl 0.01 0.61 0.01 0.66
GRC-bs O/M 16.19 O/M 52.03
GRC-M1 0.05 0.35 0.03 0.32
GRC-M3 0.04 1.23 0.01 3.85
LEADER-al 5.80 747.82 573.84 TO
LEADER-as 6.23 0.86 649.52 8.21
LEADER-bl 0.17 0.32 4.25 0.29
LEADER-bs 0.03 4.99 0.40 1.57
LEADER-M2 13.53 504.89 1570.37 TO
5.12 Dissertation Contributions
5.12.1 Contributions
These are my contributions discussed in this chapter:
• Fine-tuned the PES Model Checker, and specialized it to model check La fν,µ
formulas over timed automata
• Created the clock zone implementations CRDZone and CRDArray, which
can be seen as alternative sparse DBM implementations.
5.12. Dissertation Contributions 259




















PES Tool time vs. UPPAAL Tool Time 








Figure 5.11: Figure comparing the PES tool time performance with UPPAAL time
performance. Points are colored by the specification category. All timed out (TO)
examples or examples that ran out of memory (O/M) have their time set to 7200s,
the value of the dashed lines.
• Implemented the CRDZone and CRDArray as well as fined-tuned the DBM
implementation, and ran an experiment comparing the performance of the
current PES tool on all three data structure implementation.
• Implemented the previously-developed proof rules for La fν,µ.
• Design sound, complete and implementable additional proof rules to give a
full set of proof rules for Lrel,a fν,µ , as well as proved those rules to be sound
and complete.
• Implemented the timed automata model checker to model check any Lrel,a fν,µ
5.12. Dissertation Contributions 260
formula over any timed automata.
• Utilized derived proof rules to optimize the performance of this model
checker.
5.12.2 Future Work
Future work is to further optimize the performance. One such future work is to
utilize different standard forms (which other sources have designed considered)
and to implement a more modern all-pairs shortest path algorithm; these should
help the performance of the tool.
261
Chapter 6
Timed Vacuity in Model Checking
The typical model checking tool gives a yes or no answer when asked if a program
satisfies a property. This is the current state with timed automata model checking
(some tools generate counterexamples), but we would like get more information
from the model checker.
Once such type of information is the identification of formulas that are satisfied
vacuously: examples include formulas containing an if-then statement that the
model satisfies but satisfies by always having the “if” premise false. For instance,
consider the formula AG [p → AF [q]]; this formula is vacuously satisfied if it is
always true but p is always false. This vacuity becomes useful, since the formula
AG [p → AF [q]] is asked with the intent that p will be sometimes true. If this
formula is satisfied such that AF [q] is vacuous, we know that p is never true
and have found a bug in our model. Previous work has been done to identify
vacuity for untimed systems over untimed logics, including the untimed modal
mu-calculus [20, 66]. We extend this research to support timed vacuity over timed
automata, providing both the theory and a preliminary implementation. We also
leverage Namjoshi [128, 129], which uses a proof to gain understanding of vacuity.
By extending the work of Beer et al. [20], Dong et al. [66], Namjoshi [128, 129]
to timed automata, we are able to identify some vacuous formulas without any
increase in the amount of time or space needed to model check Lrel,a fν,µ formulas.
If we allow for some performance delay, we can identify all vacuous subformulas
within an Lrel,a fν,µ formula.
6.1. Vacuity: Definitions 262
6.1 Vacuity: Definitions
We take many of our definitions from Beer et al. [20]. These definitions involve a
formula φ in some logic and over a model M. In this dissertation, we will often
use that φ is a logical formula in some logic and that the model M is some state q.
In the untimed setting, q will be a state of a transition system TS, and in the timed
setting, q = (l, ν) will be a state in a timed automaton TA. Also, when examining
the satisfaction of logical formulas in the timed setting, we might extend a state
with freeze quantification ν f to form an extended state q = (l, ν, ν f ). When clear
from context, we will omit the ν f . This concept of an extended state is in Section
4.2. Furthermore, recall that a timed automaton satisfies a formula if and only if
its initial state satisfies a formula. Although we often use states as our models,
because some important results concerning vacuity are model independent, we
give most definitions with respect to an arbitrary model M.
6.1.1 Vacuous Formulas
Definition 6.1.1 (Affect [20]). A subformula ψ affects logic formula φ with respect
to a model M iff there exists a formula ψ′ such that M |= φ if and only if M |=
φ[ψ 7→ ψ′]. 
This means that if we replace a subformula ψ with some other formula ψ′
(including tt or ff) and ψ′ changes the truth of φ, then that subformula ψ is
relevant to the satisfaction of φ. If that is the case, then we say that ψ affects φ.
In this definition, ψ is an instance of a sub formula. When one asks if ψ affects
φ, the definition determines whether a specific instance of ψ affects φ.
Definition 6.1.2 (Vacuous formula [20]). A formula φ is vacuous for model M. iff
there is a subformula ψ such that ψ does not affect φ in M.
6.1. Vacuity: Definitions 263












Figure 6.1: Two models of a gate, TAdown and TAup, illustrate that some properties
can be satisfied in different ways.
If the formula φ is true in M and is vacuous, we say that φ is vacuously satisfied
by M. Likewise, if φ is false in M and is vacuous, we say that φ is vacuously
unsatisfied by M. If ψ is a sub formula of φ and ψ does not affect φ with respect to
M, then we say that ψ is a vacuous subformula of φ. 
Example 6.1.1 (Illustrating vacuous satisfaction with gates). Consider the two
models for an up-down in Figure 6.1, TAdown and TAup. Notice that the second
model has a major glitch that the first does not: the gate is never down in TAup
(the first model is also imperfect but does not have this bug).
Consider the property: “It is always the case that if the gate is down then it
will inevitably be raised up,” written as AG [down → AF [up]] in TCTL (or CTL).
Both TAdown and TAup satisfy this property. However, TAdown gives a much more
“satisfying” solution. For TAdown, there is a path where the gate is lowered down,
then raised up (by force due to the invariant), and the switching repeats over time.
This path illustrates the desired property. However, in TAup the property is still
true because the gate is never down. Here, TAup vacuously satisfies the formula,
and the subformula AF [up] is vacuous because it is never checked. 
6.1. Vacuity: Definitions 264
6.1.2 Polarity
Given a transition system TS or timed automaton TA, consider the complete lat-
tice whose elements are subsets of states of the transition system or of the timed
automaton. If we consider the logical operators to be functions on this lattice, we
can formalize the notion of polarity. If we consider timed automata states as mod-
els, we would denote the set of satisfying states as JφKTA. Using a generic model
M, we will denote the satisfaction set as JφKM.
Definition 6.1.3 (Polarity [20]). Let σ be an n-ary operator in some logic, and let
ψ1, ψ2 be two formulas. The ith operand of σ has positive polarity iff for every formula
φ1, . . . φi−1, φi+1, . . . φn, if Jψ1KM ⊆ Jψ2KM, then:
Jσ(φ1, . . . φi−1, ψ1, φi+1, . . . φn)KM ⊆ Jσ(φ1, . . . φi−1, ψ2, φi+1, . . . φn)KM
Likewise, the ith operand of σ has negative polarity iff for every formula φ1, . . . φi−1,
φi+1, . . . φn, if Jψ2KM ⊆ Jψ1KM, then:
Jσ(φ1, . . . φi−1, ψ1, φi+1, . . . φn)KM ⊆ Jσ(φ1, . . . φi−1, ψ2, φi+1, . . . φn)KM
An operator has positive polarity if every one of its operands has positive po-
larity. Likewise, an operator has negative polarity iff ever one of its operands has
negative polarity. 
The idea of positive polarity is that for each of the i subformulas within a
logical operator, if we fix all but one of those subformulas and if the remain-
ing subformula is enlargened to satisfy additional states, then the superformula
satisfies additional states. In this definition, each logical operation is denoted as
a generic logcial operator σ. One such logical operator is conjunction; φ1 ∧ φ2
6.1. Vacuity: Definitions 265
would notated as ∧(φ1, φ2).
Definition 6.1.4 (Logic with polarity). We say that a logic has polarity if every op-
erator in that logic has either positive or negative polarity. 
For a logic to have polarity, it is allowable that some operators have positive
polarity and other operators have negative polarity. Typically most operators have
positive polarity, while negation has negative polarity
We can also define the polarity of a subformula.
Definition 6.1.5 (Polarity of a subformula). The polarity of a subformula ψ of φ is
defined recursively is follows:
• ψ = φ has positive polarity.
• If ψ = σ(ψ1, . . . ψn) and ψ is of positive (negative) polarity, then ψi has posi-
tive polarity if the ith operand of σ has a positive (negative) polarity, and ψi
has negative polarity otherwise.

Note that if a logic always has positive polarity, then by definition, every sub-
formula has positive polarity.
In Beer et al. [20], the polarity of a logic was used to prove a useful claim,
which we will use to show monotonicity of Lrelν,µ over the lattice of sets of timed
automata states.
Claim 6.1.1 (Lemma 12 of Beer et al. [20]). In a logic with polarity, if ψ is a sub-
formula of φ and ψ has a positive (negative) polarity and if [[ψ]]M ⊆ [[ψ′]]M
([[ψ′]]M ⊆ [[ψ]]M), then [[φ]]M ⊆ [[φ[ψ 7→ ψ′]]]M.
6.1. Vacuity: Definitions 266
6.1.3 Mutual Vacuity
When one examines a formula, one may find many subformulas on their own that
are vacous within a larger formula; however, a combination of them may not be
vacuous. We formalize this concept with the definition of mutual vacuity, taken
from Gurfinkel and Chechik [80].
Definition 6.1.6 (Mutual vacuity). A formula φ is mutually vacuously in a model
M in subformulas ψ1, . . . ψn iff for all formulas γ1, . . . , γn, M |= φ if and only if
M |= φ[ψ1 7→ γ1, . . . , ψn 7→ γn]. 
Knowing subformulas that are vacuous is useful; knowing when subformulas
are mutually vacuous (or not mutually vacuous) is even more useful.
Example 6.1.2. Again consider TAup in Figure 6.1, and consider the subformula
AG [down → AF [up]]. Since the gate is always up in TAup, we have two vacuous
subformulas: down, and AF [up]. However, these are not mutually vacuous: for
the formula to be true, we either need the subformula ¬down or the subformula
AF [up]. 
Example 6.1.3. We present an example from Namjoshi [129] which is used to illus-
trate proof vacuity and use it to illustrate both proof vacuity and mutual vacuity.
We discuss the mutual vacuity now, and discuss the implications on proof vacuity
in Example 6.4.2. Consider the automaton in Figure 6.2, and consider the formula
AX (AF [p] ∨ AF [q]).
In this formula, AF [p] is a vacuous subformula, and AF [q] is a vacuous sub-
formula. However, they are not mutually vacuous. Because at each branch, either
p is eventually true and q is eventually true, either one can be chosen.
6.2. Vacuity and Untimed Temporal Logics 267











Figure 6.2: Timed (or untimed) automaton illustrating that formula vacuity can be
subtle and complex.

6.2 Vacuity and Untimed Temporal Logics
In order to detect vacuous formulas in the timed mu-calculus, we leverage and ex-
tend results concerning vacuity for the untimed mu-calculus. Furthermore, results
for the untimed mu-calculus leverage results of other untimed temporal logics, in-
cluding CTL*. One important result is the following claim, proven in Beer et al.
[20].
Claim 6.2.1 (Polarity of CTL*). The untimed logic CTL* has polarity.
Since CTL is a sublogic of CTL*, the untimed logic CTL has polarity.
From the claim: ¬ has negative polarity; ∧ , X (φ) , [[φ1]U [φ2]] , and Eφ all have
positive polarity. The operator ∨ also has positive polarity.
6.2. Vacuity and Untimed Temporal Logics 268
There is a similar claim for the untimed modal mu-calculus, which is proven
in Dong et al. [66].
Claim 6.2.2 (Polarity of the untimed mu-calculus [66]). The modal mu-calculus is
a logic with polarity.
From the proof of the claim in Dong et al. [66]: ∧ , [a](φ), and νY.[φ] all have
positive polarity. We use this claim and the equivalents of the derived operators
to prove a slightly stronger claim:
Claim 6.2.3 (The untimed mu-calculus has positive polarity). Given that the un-
timed modal-mu calculus is in positive normal form (all operators dualized), then
every operator in the untimed mu-calculus has positive polarity.
As a reminder, a formula is in positive normal form positive normal form iff a all
the negations are pushed as far inwards as possible. This means that all negation
operators appear immediately next to propositions (or states).
Proof of Claim 6.2.3. From Claim 6.2.2 and Claim 6.2.1, we know that the opera-
tors ∧ , ∨ , [φ](), and νY.[φ] all have positive polarity. We show the proof for the
other two operators: 〈a〉(φ) and µY.[φ].
Proof of 〈a〉(φ): Let φ1 and φ2 be formulas such that Jφ1K ⊆ Jφ2K. One can either
proof positive polarity directly from the formula definitions or through using the
derivations. We will show this way using the definition of 〈a〉(φ). By definition,
J〈a〉(φ1)K = {l | l a−→ l′ and l ∈ Jφ1K} and J〈a〉(φ2)K = {l | l a−→ l′ and l ∈ Jφ2K}.
Since Jφ1K ⊆ Jφ2K, at least as many states can transition via some action a to a state
satisfying φ2 as to a state satisfying φ1.
Proof of µY.[φ]: We prove this using the definition of the derivation. Let
6.2. Vacuity and Untimed Temporal Logics 269
Jφ1K ⊆ Jφ2K. By the derivation, µY.[φ] ≡ ¬νY.[¬φ]. Since Jφ1K ⊆ Jφ2K and ¬ has
negative polarity, we know that J¬φ2K ⊆ J¬φ1K. Since νY.[φ1] has positive polarity,
JνY.[¬φ2]K ⊆ JνY.[¬φ1]K. Because ¬ has negative polarity, we have J¬νY.[φ1]K ⊆
J¬νY.[φ2]K. Therefore, JµY.[φ1]K ⊆ JµY.[φ2]K.
Utilizing the definitions of derived operators, one can show that the operators
all have positive polarity.
Remark 6.2.1 (Mu-calculus identifies different vacuous subformuals). Compared to
the branching time logic CTL the modal mu-calculus formula writes formulas dif-




= p ∨ [− ](X1)
Here the “eventually” is written out over a disjunction. Because vacuity involves
identifying disjunctions whose truths are irrelevant (when the other disjunct is al-
ways true), here the modal mu-calculus may identify a modality as vacuous rather
than a proposition. This phenomenon is similar in the timed setting when com-
paring TCTL to the timed mu-calculus. We illustrate this remark in the following
example.
Example 6.2.1 (Vacuity in the mu-calculus subtleties). Again consider Example
6.1.3 and Figure 6.2, but consider the slightly different formula AX (AF [p ∨ q]).






= (p ∨ q) ∨ [− ](X2)
6.3. Detecting Vacuity in Untimed Systems 270
From this formula we can say that p is a vacuous subformula, and q is a vacuous
subformula. However, using the vacuity of disjuncts, the entire right disjunct of X2
is vacuous. Translated to the formula, this means that the AF modality is vacuous,
and that the formula could also be simplified to AX (p ∨ q). In this case, the
calculus uses a vacuous disjunct to simplify the translated formula. 
6.3 Detecting Vacuity in Untimed Systems
With these definitions, one can utilize the polarity of the logic to detect vacuous
formulas with respect to a Model M. First, to detect vacuity, we wish to minimize
the number of possible subformulas that we examine, and the number of formulas
we need to substitute each formula with. To help with these, we will present more
definitions and results from Beer et al. [20], Dong et al. [66].
Definition 6.3.1 (Vacuity with respect to a set of subformulas). Let S be a set of
subformulas of φ. We say that φ is S-vacuous in model M if there exists a ψ ∈ S
such that ψ is a vacuous subformula. 
Definition 6.3.2 (Minimal subformulas). Let S be the set of subformulas. Then
the minimal subformulas of S, denoted min(S), are:
min(S) = {ψ ∈ S | there is no ψ′ ∈ S such that ψ′ is a subformula of ψ} (6.1)

With the result below from Beer et al. [20], we can determine S vacuity by
examining only the minimal subformulas in S.
Claim 6.3.1 (From Beer et al. [20]). φ is S-vacuous if and only if φ is min(S)-
6.3. Detecting Vacuity in Untimed Systems 271
vacuous.
The lemma below also allows us, in certain cases, to only examine larger sub-
formulas.
Lemma 6.3.2 (From Beer et al. [20]). Let φs be a subformula of φl , and let φl be a
subformula of φ. If φl does not affect φ in M, then φs does not affect φ in M.
With more work, we can reduce the formulas needed to substitute into vacuous
subformulas to either tt or ff. This follows from the following results from Beer
et al. [20].
Claim 6.3.3 (From Beer et al. [20]). Let ψ be a subformula of φ in a logic with
polarity. Then for every model M, the following are equivalent:
1. ψ does not affect φ in M.
2. M |= φ ⇔ M |= φ[ψ 7→ X] where X = ff if M |= φ and ψ is of positive
polarity, or M 6|= φ and ψ is of negative polarity. Otherwise, X = tt.
Combining these together, Beer et al. [20] get a usefulcorollary:
Corollary 6.3.1 (Corollary of Claim 6.3.3 from Beer et al. [20]). In a logic with
polarity, for a formula φ and a set S of subformulas of φ, for every model M, the
following are equivalent:
1. φ is S-vacuous in M
2. There is a ψ ∈ min(S) such that M |= φ ⇔ φ[ψ 7→ X] where X = ff if
M |= φ and ψ is of positive polarity, or M 6|= φ and ψ is of negative polarity.
Otherwise, X = tt.
6.4. Vacuity and Proofs 272
6.4 Vacuity and Proofs
Some model checkers verify formulas by constructing proofs that the model sat-
isfies the formula. Utilizing these proofs, additional vacuity information can be
obtained. Recall that a proof is undeniable evidence that a model satisfies (or does
not satisfy) a formula, and that it is possible to have multiple proofs. Given these
proofs, there are various notions of vacuity, two of which are:
1. Given one proof that M |= φ (or M 6|= φ), some subformula ψ is unused. In
this case, ψ is vacuous in some proof.
2. Considering all proofs of M |= φ (or M 6|= φ), some subformula ψ is not
included in any of the proofs. In this case, ψ is vacuous in all proofs.
These two notions were taken from Namjoshi [129], which discusses these
notions for untimed systems. We formalize these two notions with the definitions
below.
Definition 6.4.1 (Vacuous within a proof). A subformula φ is vacuous within a
proof if and only if for the given proof, replacing φ with any formula ψ does not
invalidate the proof. 
Definition 6.4.2 (Vacuous for all proofs). A subformula φ is vacuous for all proofs
if regardless of the proof generated, replacing φ with any formula ψ does not
invalidate the proof. 
The first notion, vacuity within a proof, allows us to detect vacuous subformu-
las. This follows from the following Lemma.
Lemma 6.4.1 (Relating proof vacuity to formula vacuity.). Let M be a model and φ
be a logical formula with subformula ψ. If we have a sound proof P such that M |=
6.4. Vacuity and Proofs 273
φ and ψ is vacuous within proof P, then ψ is a vacuous subformula. Likewise, if
we have a sound proof P such that M 6|= φ and ψ is vacuous within proof P, then
ψ is a vacuous subformula.
Proof of Lemma 6.4.1. We prove this lemma when M |= φ. The proof is similar
when M 6|= φ. Suppose we have a proof P such that ψ is vacuous within P. Because
we have a sound proof P for M |= φ and because ψ does not influence the validity
of the proof, we know that ψ does not affect φ; regardless of the truth of ψ, we still
have the sound proof P that M |= φ.
This Lemma is powerful; it states that any subformula ψ is vacuous if and only
if we can show that ψ is vacuous for a single proof. So we can find is some proof
where it does not matter what ψ is, we can tell that ψ is vacuous. Likewise, if ψ is
not a vacuous subformula, then every proof utilizes ψ in some manner.
Recall that our tool is a proof-search tool: in order to determine if a timed au-
tomaton satisfies a formula, it constructs a proof. If a formula is valid (or invalid),
there may be multiple proofs for the satisfaction of that formula, and different
proofs might find different subformulas vacuous. As a result, the two above no-
tions are useful to distinguish vacuity.
To illustrate these different notions of vacuity, consider the following example.
Example 6.4.1 (The chosen proof influences vacuity). Consider the timed automa-
ton TAdown in Figure 6.1 and the formula EG [down → AF [up]], where the first
allows the verifier to choose the path. TAdown satisfies this formula. However, there
are two different proofs for this formula:
1. The prover chooses a path where the gate is lowered down, and then due to
the invariant, is raised up.
6.4. Vacuity and Proofs 274
2. The prover waits in the location up forever. (Note: This waiting is a time-
divergent path of the automaton).
In the first proof, no subformula is vacuous, since every subformula is needed
to establish truth. However, in the second proof, the automaton chooses the path
where the light is never turned on. In this path, down is never true, making the
subformula AF [up] vacuous.
In this case, we know that the formula is vacuously satisfied by TAdown, and
that there exists a proof where AF [up] is vacuous, but AF [up] is not vacuous for
all proofs. 
In addition, the length of the proof can make different subformulas vacuous;
we present an example from Namjoshi [129].
Example 6.4.2 (Example 6.1.3 continued). Again consider the automaton in Figure
6.2 and the formula AX (AF [p] ∨ AF [q]). The automaton satisfies this formula,
but there are a variety of proofs, different formulas are vacuous in each. Here are
some of the proofs:
1. Proof 1: fewest transitions. Because of the AX, the prover must take both the
left and right transitions and AF [p] ∨ AF [q] for both. The prover takes the
left branch, notices that p, and hence AF [p] is true, and produces a proof for
that branch. The prover then takes the right branch, notices that q, and hence,
AF [q] is true, and produces a proof. No subformula is vacuous (although
this proof is identical for the proof of the simpler formula AX (p ∨ q).
2. Proof 2: find p. In the left branch, p is immedaitely true, and the prover
stops for the left branch. For the right branch, the prover prooves that AF [p]
is true; it shows that in the next state, p is true. In this case, AF [q] is unused
6.5. Timed Vacuity: Theoretical Results 275
in the proof.
3. Proof 3: find q. The prover ignores AF [p] and looks to prove AF [q] in both
branches. This requires taking two transitions in the left branch, and taking
one transition in the right branch.
These proofs have different lengths. Depending on the proof strategy and the
desired proof (sometimes the shortest proof is sought first), different subformulas
are vacuous. Furthermore, a formula can be vauous but require a longer proof if
that subformula is removed. See Namjoshi [129] for additional discussion. 
6.5 Timed Vacuity: Theoretical Results
In this section we discuss how we detect vacuity for Lrel,a fν,µ formulas over timed
automata. This extends the previously discussed work for untimed vacuity over
transition systems. In order to utilize previous vacuity work, we first show that
our timed logic, Lrelν,µ is a logic of polarity. We then leverage the previous work and
develop two techniques for detecting vacuity over timed automata: one that is fast
and sound but incomplete, and one that is slower but incomplete.
The fast technique utilizes the one proof produced by the tool and identifies
any subformulas that are not used in that proof. Because any unused formula
does not influence the proof, we know that any detected subformula is vacuous
(vacuous for some proof). However, because this proof may use a subformula that
is vacuous for an alternative proof, not all vacuous subformulas are detected.
The complete technique searches all possible proofs, and generates a tree that
stores all of the possible proofs. By searching this tree of proofs, the algorithm
can detect all vacuous subformulas. This vacuity includes vacuous subformulas,
which are subformulas that are vacuous for some proof, and formulas that are
vacuous for all proofs.
6.5. Timed Vacuity: Theoretical Results 276
6.5.1 Polarity of Lrelν,µ
First, we extend the results of Beer et al. [20], Dong et al. [66] to show that Lrelν,µ is
a logic of polarity.
Theorem 6.5.1. Lrelν,µ is a logic with polarity. Furthermore, every operator has
positive polarity.
Proof of Theorem 6.5.1. We show that each operator has positive polarity.
From Claim 6.2.2 (proven in Dong et al. [66]), the operators ∧ , ∨ , µY.[φ],
νY.[φ], 〈a〉(φ), [a](φ) all have positive polarity. We only need to show that the
timed operators have positive polarity. Let φ1, and φ2 be formulas such that [[φ1]]M ⊆
[[φ2]]M.
We show the proofs for the operators ∃(φ) and ∃φ1(φ2). The proofs for the
other operators are similar.
Consider the operator ∃(φ). Recall that by definition,
[[∃(φ)]] = {(l, ν) | ∃δ ≥ 0s.t.(l, ν) δ−→ (l, ν + δ) and (l, ν + δ) |= φ}.
Now let Hence, [[∃(φ1)]] = {(l, ν) | ∃δ ≥ 0s.t.(l, ν) δ−→ (l, ν + δ) and (l, ν + δ) |=
φ1} Because [[φ1]] ⊆ [[φ2]], (l, ν + δ) |= φ2. Since (l, ν)
(−→ l, ν + δ), we know that
(l, ν) |= ∃(φ2).
Now consider the operator ∃φa(φb). To show positive polarity, we fix each
operand and show positive polarity.
Fixing φa: Suppose (l, ν) |= ∃φa(φ1) for some formula φa. This means that
there is some δ such that (l, ν + δ) |= φ1 and for all 0 ≤ δ′ < δ, (l, ν + δ′) |= φa.
Because [[φ1]] ⊆ [[φ2]], we know that (l, ν+ δ) |= φ2. Since φa is fixed, by definition,
6.5. Timed Vacuity: Theoretical Results 277
(l, ν) |= ∃φa(φ2).
Fixing φb: The proof is similar to when φa is fixed. Suppose (l, ν) |= ∃φ1(φb) for
some formula φa. This means that there is some δ such that (l, ν + δ) |= φb and for
all 0 ≤ δ′ < δ, (l, ν+ δ′) |= φ1. Because [[φ1]] ⊆ [[φ2]], we know that (l, ν+ δ′) |= φ2
for all 0 ≤ δ′ < δ. Since φb is fixed, by definition, (l, ν) |= ∃φ2(φb).
Since we have fixed each of the operands and shown positive polarity for each
operand of the operator, the operator has positive polarity, as a corollary, we get
Lrelν,µ formulas are all monotonic. To model check timed automata, we use the lattice
over sets of states of timed automata.
Corollary 6.5.1 (Monotonicity of Lrelν,µ). Over the lattice of sets of states of timed
automata, each Lrelν,µ formula is a monotonic function.
Proof of Corollary 6.5.1. By Theorem 6.5.1, each operator has positive polarity.
Therefore, for any two sets of states Q1, Q2, we know that Q1 ⊆ Q2. Let the
subformula ψ be the set of states Q1 (the predicate variable whose states are the
set of states Q1) and let ψ′ be the set of states Q2. Let φ be the formula that is
representing the monotonic function. Because Q1 ⊆ Q2. By Theorem 6.5.1, every
operator is of positive polarity, and by definition of a polarity of a subformula
Q1 and Q2 are subformulas of positive polarity, as is φ. Therefore, by Claim 6.1.1,
[[φ(Q1)]] ⊆ [[φ(Q2)]].
Notice that we defined all of the Lrelν,µ all of the operators to have positive
polarity (¬ is not a valid operator in this version; all formulas are dualized).
6.5.2 Using the Proof Paradigm for Fast Vacuity Checking
This subsection describes the theorems required for fast but limited algorithm for
vacuity checking. This fast algorithm examining the proof output by the model
6.5. Timed Vacuity: Theoretical Results 278
checker and determining if there are any vacuous subformulas within that proof.
Because any subformula vacuous for a proof is a vacuous subformula, this method
is sound; however, it is incomplete since there might be a subformula that is vac-
uous but required for this particular proof.
Recall that we are given a timed automaton with an initial state and an Lrel,a fν,µ
formula, and we are asked if there are any vacuous subformulas. Note that in
order to dualize the logic, any p → q formula is converted to ¬p ∨ q. Our notion
of vacuity then, in the simplest cases, reduces to finding branches in ∨ or ∧ that
are not used.
The first approach utilizes short circuiting; if, for all states, we can prove a
property without ever examining that subformula, then that subformula is vacu-
ous.
Theorem 6.5.2 (Missing subtrees indicate formula substitution). Let TA be
a timed automaton with initial state (l, ν, ν f ) and φ be a Lrelν,µ formula. If there
exists a proof where ψ never appears as the right-side of a sequent in the
proof, the ψ is vacuous for that proof. Likewise, if every appearance of ψ in
this proof is the sequent ∅ ` ψ, then ψ is vacuous for that proof.
Note that the sequent ∅ ` ψ is a valid leaf; it is one of the proof rules in Figure
5.1. The case concerning this sequent (∅ ` ψ) handles the [a](φ) formula when
some actions cannot be taken.
Proof of Theorem 6.5.2. If ψ never appears in the proof, then regardless of what ψ
is substituted with, the proof remains unchanged and φ is still satisfied. Hence, by
definition, ψ is vacuous. If the only time ψ appears is the empty sequent ∅ ` ψ,
then in those instances, ψ does not affect that proof because ψ can be substituted
6.5. Timed Vacuity: Theoretical Results 279
with any other formula and those sequents are still true.
If we combine this Theorem with Lemma 6.4.1, we know that if ψ is vacuous
for that proof, then ψ is a vacuous subformula, meaning that ψ does not affect the
satisfaction of φ for our model. The above Theorem extremely useful in certain
cases; if we can identify that a subformula was never examined, then we have
detected vacuity without any extra work. The downside is that for vacuity to be
detected in the above fashion, the tool needs to guess the right branch to check
first. In special cases, the user can write the formula to have the tool check the non-
vacuous branch first, but this also limits the tool to only detect certain subformula
as vacuous. A downside is that this Theorem is dependent on the order that the
tool checks the branches; in our tool, all the left branches are examined before the
right branch.
6.5.3 Using the Proof Paradigm for Additional Vacuity Checking
With the proof paradigm, if we can represent all possible proofs, we can then ask
which subformulas are used within each proof. When proving theorems, rather
than short-circuiting branches, we will prove all branches, and then store the re-
sults of all branches in a tree. This tree will have the results of every possible
branch for the formulas. We can use this tree to detect two kinds of vacuity:
1. We can find each vacuous subformula φ, and
2. We can determine if a formula φ is vacuous over all proofs.
The second item is exactly the definition of a vacuous subformula over all
proofs. The first one comes from the following fact: if there is a vacuous subfor-
mula, then there must be some proof in which that subformula is vacuous. We
show this with the following Lemma.
6.5. Timed Vacuity: Theoretical Results 280
Lemma 6.5.3. Let TA be a timed automaton with initial state q0, φ be a L
rel,a f
ν,µ
formula, and ψ be a subformula of φ. If ψ is a vacuous subformula of φ, then there
exists a sound proof such that ψ is vacuous within that proof.
This Lemma is the converse of Lemma 6.4.1 when applied to our framework
of timed automata and Lrel,a fν,µ formulas; this argues that any vacuous subformula
must be vacuous within some proof, meaning that searching the tree of proofs is
a complete way of detecting every vacuous subformula.
Proof of Lemma 6.5.3. We prove the contrapositive: if ψ appears as the right-hand
of some sequent within each sound proof, then ψ is not vacuous. We argue the
case when q0 |= φ; the case when q0 6|= ψ is similar.
Let ψ be a vacuous subformula. Consider all of the proofs for q0 6|= φ. Now,
within each proof, replace ψ with ff. Since ψ is a vacuous subformula. By Claim
6.3.3, we know that q0 |= φ[ψ 7→ ff]. Hence, there must be some proof that
q0 |= φ[ψ 7→ ff].
Examine that proof, noting all the sequents where the right-hand side is ff
where the formula ψ would have been. If there are no such sequents, then we
have found a proof that does not involve ψ, and we are done. Else, examine each
sequent (l, cc) ` ff. Since the proof only contains valid sequents, this branch must
be valid. The only valid proof rule for a right-hand side of ff is the empty rule
∅ ` ff. In this case, since the right-hand side can be anything, replacing ff with ψ
does not invalidate the proof. Hence, if we substitute ψ back in to replace each of
the ff sequents, we still have a valid proof that does not depend on ψ. Therefore,
we have a proof that q0 |= ψ where ψ is vacuous within that proof.
As a result, if we can construct every single possible proof that the model
satisfies φ (or every proof that the model does not satisfy φ).
6.6. Implementation 281
When we discuss the implementation in Section 6.6.2, we discuss how we
represent the set of all proofs as a tree, and then utilize this tree of proof trees
to answer both kinds of vacuity: vacuity within any proof and vacuity for all
proofs. We call this structure the tree of proofs.
6.6 Implementation
With the results in Section 6.5, we now discuss our algorithms and implementa-
tions of these results. In our implementation, vacuity is focused on identifying ∧
or ∨ branches that are not needed by the prover. This follows because any branch
not needed by the prover does not affect some proof, and hence is a vacuous
subformula.
We fast implementation checks only one proof and uses boolean flags to iden-
tify subformulas that do not affect that proof, and hence are vacuous. While quick,
this misses some vacuous subformulas. The complete method tells the prover to
examine additional proofs. In this case, the tool examines all possible branches to
produce a tree of all possible proofs while it is proving the formula true or false.
This structure is the tree of proofs. With this tree of proofs, it finds all vacuous
subformulas. Computing the additional proofs is extra work; however, the vacuity
work is not large outside of computing the proofs.
6.6.1 Fast Vacuity: Finding Unneeded Subformulas Within One Proof
We run the model checker as usual, but we augment each subformula (each in-
stance of each subformula) with one boolean variable that indicates if that sub-
formula has been checked by the prover by some state. If the subformula has not,
then we have found a proof where the formula is not used. By Theorem 6.5.2, we
know that this subformula is vacuous.
6.6. Implementation 282
The tool is implemented in a left-to-right fashion: with every ∧ and ∨ branch,
the left branch is examined before the right branch. If the left branch of a ∨ is tt
or if the left branch of a ∧ is false, the prover does not examine the other branch.
This implementation works well for detecting vacuity of AF [q] in the formula
AG [p → AF [q]]; the prover checks p first, and if p is never true then AF [q] is
never checked and hence is vacuous.
However, based on how the formula is written, the tool may not identify vacu-
ity. First, a vacuous subformula may be needed for the proof we chose. See Ex-
ample 6.4.2 for such an example. As a result, the vacuity checking is sound but
incomplete. However, we get this vacuity checking with little performance overhead.
We give an evaluation of the performance of this implementation in Section 6.7.
6.6.2 Complete Vacuity: Building and Searching the Tree of Proofs
To get additional vacuity, first we tell the tool to not short-circuit an ∧ or a ∨,
making the tool always try to produce proofs for both branches. In some cases,
this enumeration can greatly increase the time required for verification because a
more complex subformula that could be ignored must now be proven.
As we enumerate all possible branches, we store the tree of sequents. This tree
is our tree of proofs, since it contains all the sequents for each possible proof. This
tree contains the sequents, the logical operations, and the truths of each leaf. We
then reason with this tree of proofs to determine vacuity. For implementation ease,
as we generate the proof tree, we store the truth of that instance of the subformula
in the proof. (Hence, every node, not just a leaf, contains the truth of the proofs).
With this tree of proofs, we can detect both kinds of vacuity: the subformulas
that are vacuous for some proof, and the subformulas that are vacuous for every
proof. For this discussion of vacuity, we discuss the case when the formula is
satisfied. The concept is similar when the formula is false (and vacuity is over ∧
6.6. Implementation 283
nodes instead of ∨ nodes). For this discussion, let φ1 ∨ φ2 be the subformula in
question.
The easier vacuity to check is vacuity over all proofs. By definition, φ1 is vacu-
ous over all proofs if and only if there is no proof that uses φ1. To determine this,
we search the tree of proofs only considering nodes that are true. If any of them
involve the subformula φ, then φ is not vacuous over all proofs because we can
construct a proof using that instance as part of the proof. If we never encounter φ
in our search, then φ is a vacuous subformula.
The harder vacuity to check is whether a formula is vacuous (vacuous for some
proof). To do this, we examine the tree of proofs and search bottom-up from all
the leaves that are true. We then at each node, construct sets of subformulas Ai,
where each Ai is the set of subformulas that are required for this proof. After we
compute the set of subformulas, we mark each subformula φ that does not appear
in some set Ai as vacuously true.
Here is the algorithm for constructing those sets:
1. Initial Case: Each leaf has one set whose element is that subformula.
2. Recursive Case: Unary Operators: Given a set of sets S = {A1, . . . Am}, we
add the current subformula to each set Ai.
3. Recursive Case: Binary ∨: Given the sets S1 = {A1, . . . An } and S2 =
{B1, . . . Bm} of the two children nodes, we construct the set for the par-
ent node by unioning the two sets. This operation produces the set S =
{A1, . . . , An, B1, . . . Bm}. We then add this node into each of the sets.
4. Recursive Case: Binary ∧: Given the sets S1 = {A1, . . . An } and S2 =
{B1, . . . Bm} of the two children nodes, we construct the set for the parent
node by unioning each set Ai with each set Bj to produce a set. This produces
6.6. Implementation 284
Vacuity Algorithm Trees 
39*
 
{A1, . . . , An} {A1, . . . , An}{B1, . . . , Bm} {B1, . . . , Bm}
{A1, . . . , An, B1, . . . , Bm} {Ai   Bj | 1   i   n   1   j   m}
Figure 6.3: Diagrams illustrating how to compute the sets of subformulas needed
for ∧ and ∨ branches of the proof-trees structure.
the set S = {Ai ∪ Bj | 1 ≤ i ≤ n ∧ 1 ≤ j ≤ m}. We then add this node into
each of the sets.
The last two cases are illustrated in Figure 6.3.
Then, given these sets, we examine the set of sets S = {A1, . . . An} for the
root node. A formula φ is vacuous if and only if there is some Ai ∈ S such that
φ 6∈ Ai. The idea behind the correctness is that each Ai represents a single proof
(proof tree) in the tree of proofs, and Ai is the set of all subformulas used in the
short-circuiting proof Ai. Hence, if φ is not in Ai, then we have a proof that does
not use φ. Therefore, by definition, φ is vacuous. Since we enumerate over all true
branches bottom-up, we cover all such proofs.
6.6.3 Handling Placeholders and Splitting Rules
Extending these techniques to the timed setting has some complications. One com-
plication is handling the proof rule ∨s, which splits the set of states to involve both
branches. With the ∨s proof rule, neither branch is unnecessary: some states of the
sequent satisfy the left branch, and the remainder satisfy the right branch (some
states may satisfy both branches). This complicates the checking because we must
account for both branches being relevant in such a proof. However, this is fixable:
we note when an ∨ branch is proven with the split rule instead of choosing a
6.7. Performance Evaluation: One-Proof Vacuity 285
branch, noting that both branches are required for that proof.
For placeholders, when constructing a proof, since the placeholders only give
the states that the proof needs, we can continue the proof as is until we have
established a placeholder and need to return a placeholder to the parent rule.
Whenever we use a union of placeholders from two branches, this is similar to a
∨s rule: the subformula is then valid for some states and invalid for others.
Given this complexity, these rules might make our implementation sound but
incomplete when we need to handle placeholders. To guarantee completeness in
proofs, the proof may need to return up a placeholder that is larger that what may
have been needed, requiring it to union two placeholders when a union might not
be unnecessary.
6.7 Performance Evaluation: One-Proof Vacuity
We give a performance evaluation comparing the PES tool without vacuity to
the PES tool with the vacuity implementation for free: the implementation that
examines the current proof and determines if a subformula is vacuous. We do two
evaluations. The first evaluation evaluates the performace of the additional vacuity
implementation, and the second illustrates the power of this implementation to
detect vacuity. We evaluate the vacuity that implements with variable flags and
does not significantly slow down the system.
6.7.1 Evaluation on PES Tool Implementation Examples
This evaluation uses the same models and specifications as the evaluation in Sec-
tion 5.11. Experiments were run on a Mac OS 10.9 machine with a single 2.0 GHz
Intel Core i7 (quad core) processor with 8 GB RAM. Time and space measure-
ments (maximum space used) were made using the UNIX time command (using
6.7. Performance Evaluation: One-Proof Vacuity 286
the real time as the output time). Given that the machine is slightly different, the
performance for the baseline PES tool is not necessarily the same as it was for the
experiments in 5.11.
The data is provided in Tables 6.1 and 6.2 (split due to horizontal space con-
straints) contain the examples that are supported both by our tool (PES) and by
UPPAAL. The original tool is PES, and the tool with the vacuity implementation
is PVac.
In these tables, we use the following abbreviations: TO (timeout: the example
took longer than 2 hours), TOsm (the example timed out with fewer process),
TOp (the example timed out in the evaluation in Section 5.11.2), and O/M (out
of memory). A scatter plot of the data in Tables 6.1 and 6.2 is in Figure 6.4. This
scatter plot only includes examples that finished. The scatterplot was produced
using the R programming language [139]. Furthermore, each example where the
tool detected a vacuous subformula is in italics and is marked with a ∗.
Additionally, Table 6.1 has the column “Vac,” which describes the kind of vacu-
ity with a code. If the entry is blank, then there were no vacuous subformulas.
The codes used have the following meaning: NT (No transition), meaning that the
modality operators are vacuous because no transitions need to be taken; TS (time
simplified), meaning that the encodings of the modality operators did not need
all of the subtleties and could have used simpler encodings of them; and UC (un-
necessary constraints), meaning that we have a vacuous constraint, either a clock
constraint or a constraint involving location variables.
From the scatterplot, the performance of the two implementations are similar.
Concerning vacuity, 12 out of the 33 instances (36.36%) have vacuous subformu-
las detected. Examining the kinds of vacuity, there are 6 formulas with vacuity
type NT, 4 formulas with vacuity type TS, and 3 formulas with vacuity type UC.
6.7. Performance Evaluation: One-Proof Vacuity 287
Table 6.1: Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac). Times are reported in seconds (s). (Table 1 of 2.)
File Vac PES4 PVac4 PES5 PVac5 PES6 PVac6
CSMA-al∗ NT 0.01 0.03 0.03 0.03 0.18 0.17
CSMA-as 0.44 0.52 5.64 5.88 183.31 195.44
CSMA-bl∗ NT 0.01 0.01 0.03 0.03 0.14 0.14
CSMA-bs∗ UC 0.02 0.04 0.09 0.09 0.30 0.36
CSMA-M1 0.01 0.01 0.05 0.06 0.15 0.16
CSMA-M2 0.41 0.41 6.80 6.74 213.16 223.49
CSMA-M3∗ TS 0.01 0.04 0.07 0.08 0.48 0.28
CSMA-M4 0.04 0.06 0.04 0.03 0.14 0.19
FISCHER-al∗ NT 0.00 0.00 0.00 0.01 0.00 0.01
FISCHER-as 0.09 0.09 0.72 0.76 17.95 18.41
FISCHER-bl∗ NT 0.00 0.00 0.00 0.01 0.00 0.01
FISCHER-bs 0.05 0.04 0.02 0.07 0.05 0.07
FISCHER-M1 0.00 0.00 0.00 0.01 0.00 0.01
FISCHER-M2 0.00 0.00 0.00 0.01 0.00 0.01
FISCHER-M3 0.14 0.14 2.87 2.91 86.71 88.60
FISCHER-M4 0.00 0.01 0.01 0.05 0.03 0.04
GRC-al∗ NT 0.01 0.01 0.01 0.04 0.11 0.06
GRC-as 72.64 75.47 TOp TOp TOp TOp
GRC-bl∗ NT 0.00 0.00 0.01 0.01 0.01 0.04
GRC-bs 0.20 0.24 2.80 2.84 O/M O/M
GRC-M1 0.01 0.01 0.01 0.01 0.02 0.03
GRC-M2∗ TS 0.01 0.02 0.01 0.01 0.02 0.02
GRC-M3 0.00 0.04 0.01 0.01 0.02 0.01
GRC-M4 0.00 0.01 0.00 0.00 0.01 0.01
GRC-M4ap∗ UC, TS 0.00 0.01 0.01 0.01 0.01 0.05
LEADER-al 0.01 0.01 0.01 0.01 0.24 0.26
LEADER-as 0.06 0.02 0.04 0.07 0.28 0.39
LEADER-bl 0.01 0.01 0.00 0.01 0.03 0.05
LEADER-bs∗ UC 0.01 0.01 0.01 0.00 0.03 0.03
LEADER-M1∗ TS 0.00 0.01 0.00 0.00 0.01 0.01
LEADER-M2 0.01 0.01 0.03 0.03 0.52 0.58
LEADER-M3 0.01 0.01 0.10 0.10 2.47 2.74
LEADER-M4 0.01 0.00 0.01 0.01 0.07 0.09
Because one formula, GRC-M4ap, had two independently vacuous subformulas
(UC and TS), the total codes add up to one more than the number of formulas. In
6.7. Performance Evaluation: One-Proof Vacuity 288
Table 6.2: Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac). Times are reported in seconds (s). (Table 2 of 2.)
File PES7 PVac7 PES8 PVac8
CSMA-al∗ 0.80 0.75 3.71 3.74
CSMA-as TO TO TOsm TOsm
CSMA-bl∗ 0.80 0.74 3.72 3.71
CSMA-bs∗ 1.50 1.25 5.56 5.58
CSMA-M1 0.76 0.75 3.89 3.88
CSMA-M2 TO TO TOsm TOsm
CSMA-M3∗ 0.80 0.78 3.75 3.77
CSMA-M4 0.79 0.75 3.77 3.76
FISCHER-al∗ 0.00 0.00 0.01 0.00
FISCHER-as 1130.02 1119.79 TO TO
FISCHER-bl 0.00 0.00 0.00 0.00
FISCHER-bs 0.44 0.40 0.07 0.07
FISCHER-M1 0.00 0.00 0.00 0.00
FISCHER-M2 0.03 0.01 0.04 0.03
FISCHER-M3 TOp TOp TOsm TOsm
FISCHER-M4 0.01 0.00 0.01 0.01
GRC-al∗ 0.06 0.03 0.02 0.03
GRC-as TOp TOp TOp TOp
GRC-bl∗ 0.01 0.01 0.01 0.01
GRC-bs O/M O/M O/M O/M
GRC-M1 0.03 0.03 0.04 0.04
GRC-M2∗ 0.03 0.03 0.05 0.05
GRC-M3 0.14 0.04 0.01 0.01
GRC-M4 0.01 0.01 0.01 0.01
GRC-M4ap∗ 0.02 0.01 0.01 0.01
LEADER-al 8.57 8.65 955.83 969.97
LEADER-bl 0.22 0.23 6.40 6.64
LEADER-bs∗ 0.03 0.01 0.04 0.04
LEADER-M1∗ 0.01 0.01 0.03 0.01
LEADER-M2 19.81 20.16 2738.11 2805.19
LEADER-M3 94.20 92.92 TO TO
LEADER-M4 0.09 0.34 0.03 0.14
the NT and TS instances, the vacuous subformulas translate to simplifications in
detection that could be used. These result from the formal translations requiring
many subtleties that do not appear in most models; nevertheless, some of the vac-
6.7. Performance Evaluation: One-Proof Vacuity 289



























PES  Tool  Time  vs.  PESVac  Tool  Time
Figure 6.4: Figure comparing the PES tool time performance with the PES tool
with vacuity time performance. Each example is a point, and the line drawn is the
y = x line, or the line where the performance of the PES tool and the PVac tool
are the same.
uous subformulas are not these subtleties. Notice that the vacuity checking detects
vacuous subformulas for valid and invalid examples.
6.7. Performance Evaluation: One-Proof Vacuity 290
Table 6.3: Table comparing PES tool without vacuity (PES) and PES tool with
performance-light vacuity (PVac) on examples to illustrate vacuity. Times are re-
ported in seconds (s). Any example with a vacuous subformula is in italics and










6.7.2 Evaluation on Additional Vacuity Examples
To further illustate the power of the nearly-free vacuity checking (only using flags
to detect unexamined formulas), we run both tools on six small examples. The
performance setup is the same as the experiment in the previous subsection, and
the performance numbers are in Table 6.3. Since the performance is quick on
these examples for both tools, there is no scatterplot. The focus is on the vacuity
power of the examples. The eight examples are described here. For purposes of
illustration, the example has no vacuous subformulas. Every example that had
at least one vacuous subformula had some subformula detected as vacuous, but
most examples with many (independently) vacuous subformulas only had one of
the subformulas detected as vacuous.
1. LEADER-4-M5. This model is the same leader election protocol as for all
the LEADER examples in the previous section. For this version, we have
four processes. The specification given is: It is always the case that if the first
process has a parent, then the third process will inevitably have a parent, ex-
6.7. Performance Evaluation: One-Proof Vacuity 291
pressed in TCTL as AG [p1 = 0 → AF [p3 6= 0]]. In this case, the first process
never has a parent (the vacuous subformula), which the tool detects.
2. VacuityTestAXAF1. The model is the model in Figure 6.2 (augmented with
an initial invariant that does not affect the formula). The specification asked
is: for all next actions, it is inevitable that p or q is true, written as the
formula [− ](AF [p ∨ q]). There are three vacuous subformulas: p, q, and
the inevitably (AF []) modality. The tool detects that the inevitably (AF [])
modality is vacuous.
3. VacuityTestAXAF2. The model is in Figure 6.5, which removes the proposi-
tions from the two bottom locations. In this case, the only vacuous subfor-
mula is the inevitably (AF []) modality, which is detected by the tool.
4. VacuityTestAXAF3. The model is in Figure 6.2, which is the same model
as for VacuityTestAXAF1. However, the specification asked is [− ](AF [p] ∨
AF [q]). Here there are three choices for vacuity: claiming AF [p] is vacuous,
claiming AF [q] is vacuous, or claiming that both inevitably (AF []) modali-
ties are vacuous. The tool detects that AF [q] is vacuous.
5. SimpleGate1. The model is the left model of Figure 6.1. The specification
asked is: the gate is not down or the gate will inevitably be up, written
as down → AF [up]. For this model, either down is vacuous, or AF [up] is
vacuous, and the tool detects that AF [up] is vacuous.
6. SimpleGate2. The model is the same as the previous example, but the spec-
ification asked is: AG [down → AF [up]]. In this case no subformula is vac-
uous, and the tool correctly notes this.
7. BrokenGate1. The model is the right model of Figure 6.1, and the specifica-
tion is the same as for SimpleGate1. In this case, either down is vacuous or












Figure 6.5: Timed (or untimed) automaton used as the model for VacuityTes-
tAXAF2.
AF [up] is vacuous, and the tool detects that AF [up] is vacuous.
8. BrokenGate2. The model is the right model of Figure 6.1, and the specifica-
tion is the same as for SimpleGate2. In this case, both down and AF [up] are
vacuous (independently); the tool detects that AF [up] is vacuous.
6.8 Dissertation Contributions
6.8.1 Contributions
These are my contributions discussed in this chapter:
• Extended the concepts of vacuity for untimed systems to timed automata
• Showed that every operator of Lrelν,µ has positive polarity, and hence that Lrelν,µ
is a logic of polarity.
6.8. Dissertation Contributions 293
• Extended the concept of whether a proof is vacuous to the Lrel,a fν,µ timed au-
tomata model checker.
• Implemented the vacuity check that allows the tool to identify any vacuous
subformulas within the proof without running slower.
6.8.2 Future Work
Future work includes further extending the vacuity. Specifically, to extend the the-
ory and the implementation to generate multiple proofs and examine if a formula
is vacuous over all proofs (this is extending this aspect of the theory in Namjoshi
[128, 129]).
6.8. Dissertation Contributions 294
295
Chapter 7
Conclusions and Future Work
This concludes my dissertation. We hope you enjoyed reading it (or scanning
through it), and we hope you got something out of it. This section summarizes
the contributions of the dissertation and summarizes potential future work.
7.1. Straightforward By Design 296
7.1 Straightforward By Design
An objection that one might raise is, “this research is a straightforward extension
of the research in untimed systems,” and one might dismiss the work because of
its straightforward nature. While some of the extensions are straightforward, there
are two points concerning this objection of being straightforward:
1. Some formulas are subtle. Like Induction, once one has the right formula,
the proof is straightforward, but coming up with the formula may not be.
In order to get the correct formulas, many subtleties were identified and
addressed.
2. Some results are straightforward by design. The research in this disserta-
tion was designed to be straightforward. The formulas were written in order
that straightforward proof rules could be designed, the proof rules were de-
signed so that algorithms to implement them would be straightforward, and
the algorithm was designed so that the implementation of it is straightfor-
ward.
Consequently, while the work may seem to be straightforward, the work should
not be dismissed as trivial or irrelevant because of its seemingly-straightforward
appearance.
7.2 Contributions
Here is a list of all of the current completed contributions from all of the chapters:
1. We gave a formal baseline definition for a timed automata based on defini-
tions of others.
2. We provided formal definitions for the following variants: disjunctive guard
7.2. Contributions 297
constraints, timed automata with variables and different semantics for un-
satisfied invariants.
3. For timed automata with disjunctive guard constraints, timed automata with
variables, and guarded-command programs, we show those variants are iso-
morphic to the baseline formalism and give a conversion translating out each
variant.
4. For the different unsatisfied invariant semantics and allowing clock differ-
ences in clock constraints, we show that the reachable subsystems of those
variants are isomorphic to the reachable subsystem of the baseline formalism
and give a conversion translating out each variant.
5. For rational clock constraints, we give a non-label preserving isomorphism
to the baseline formalism (uses integer constants only) and give a conversion
translating out the rational constants.
6. We showed how the above conversions are composable, not only for timed
automata with these features but also for timed automata with even more
features. We give a framework, a composable timed automata, that give suffi-
cient conditions describing extensions that still allow the equivalent variants
to be converted out. We then showed that these conversions are commutative
and associative at the semantic level.
7. With a common assumption regarding atomic propositions, we show that
Lrelν,µ, Lν,µ and Tµ are bisimulation invariant. Additionally, for the region
equivalence relation, we show that Lrelν,µ is invariant.
8. We show Tµ ⊆ Lrelν,µ Furthermore, we show this result without requiring
additional fixpoints, thus keeping the complexity simple.
7.2. Contributions 298
9. We show TCTL ⊆ Lrelν,µ For E [[φ1]U./c [φ2]] we assume the timelock-free
assuption and for E [[φ1] R./c [φ2]] (and its dual, A [[φ1]U./c [φ2]]), we assume
both a timelock-free assumption and a nonzeno assumption.
We then show, using a formula from Henzinger et al. [88] that with an al-
ternation, we can both detect timelocks as well as bypass timelocked states,
thus removing the need for the timelock-free assumption.
10. We show Lν,µ 6⊆ TCTL.
11. We show TCTL 6⊆ Lν,µ, showing that expressing all of TCTL requires the
additional power of the relativization.
12. We give a way of writing the set of next states of TS(TA) in Lν,µ.
13. Fine-tuned the PES Model Checker, and specialized it to model check La fν,µ
formulas over timed automata
14. Created the clock zone implementations CRDZone and CRDArray, which
can be seen as alternative sparse DBM implementations.
15. Implemented the CRDZone and CRDArray as well as fined-tuned the DBM
implementation, and ran an experiment comparing the performance of the
current PES tool on all three data structure implementation.
16. Implemented the previously-developed proof rules for La fν,µ.
17. Design sound, complete and implementable additional proof rules to give a
full set of proof rules for Lrel,a fν,µ , as well as proved those rules to be sound
and complete.
18. Implemented the timed automata model checker to model check any Lrel,a fν,µ
formula over any timed automata.
7.3. Future Work 299
19. Utilized derived proof rules to optimize the performance of this model
checker.
20. Extended the concepts of vacuity for untimed systems to timed automata
21. Showed that every operator of Lrelν,µ has positive polarity, and hence that Lrelν,µ
is a logic of polarity.
22. Extended the concept of whether a proof is vacuous to the Lrel,a fν,µ timed au-
tomata model checker.
23. Implemented the vacuity check that allows the tool to identify any vacuous
subformulas within the proof without running slower.
7.3 Future Work
Here is the future work from the previous chapters.
Future work includes allowing the initial state to have clock values other than
0, and potentially to allow a set of initial states whose clock values are defined by a
clock zone or a union of clock zones. Additionally, future work includes handling
disjunctive constraints in invariants. While these constraints cannot be converted
in a fashion similar to converting out disjunctive constraints in guards, future
work involves determining the expressiveness of this additional feature. Disjunc-
tive constraints in invariants are used to express timed automata with deadlines
(see Bornot and Sifakis [32], Bornot et al. [33], Bowman [46], Bowman and Gómez
[47], Gómez and Bowman [78]).
Future work includes answering some of the unanswered expressivity ques-
tions of various timed logics:
• Can we detect zeno executions in Lrelν,µ? Can we write formulas to bypass
zeno executions?
7.3. Future Work 300
• Is Lrelν,µ ⊆ Tµ? We conjuecture no, but are not sure.
• Is TPTL ⊆ Lrelν,µ? Since TPTL is MTL with freeze quantification instead of
timing intervals, determining if TPTL ⊆ Lrelν,µ is similar to determining if
MTL ⊆ Lrelν,µ.
• Is Lrelν,µ ⊆ TPTL? What about Lν,µ and Tµ?
Answers to these items will allow us to better decide if Lrelν,µ can verify the formulas
we want or if we have to leverage properties of additional logics when verifying
Lrelν,µ formulas.
Future work is to further optimize the performance. One such future work is to
utilize different standard forms (which other sources have designed considered)
and to implement a more modern all-pairs shortest path algorithm; these should
help the performance of the tool.
Future work includes further extending the vacuity. Specifically, to extend the
theory and the implementation to generate multiple proofs and examine if a for-




[1] Yasmina Abdeddaïm, Eugene Asarin, and Oded Maler. Scheduling with
timed automata. Theoretical Computer Science, 354(2):272–300, 2006. doi: http:
//dx.doi.org/10.1016/j.tcs.2005.11.018.
[2] Luca Aceto and François Laroussinie. Is your model checker on time? On
the complexity of model checking for timed modal logics. Journal of Logic
and Algebraic Programming, 52–53(0):7–51, 2002. ISSN 1567-8326. doi: http:
//dx.doi.org/10.1016/S1567-8326(02)00022-X.
[3] Ravindra K. Ahuja, Thomas L. Magnanti, and James B. Orlin. Network Flows:
Theory, Algorithms and Applications. Prentice-Hall, Upper Saddle River, NJ,
USA, 1993.
[4] Rajeev Alur. Timed automata. NATO-ASI 1998 Summer School on Verifica-
tion of Digital and Hybrid Systems, 1998.
[5] Rajeev Alur. Timed automata. In Nicolas Halbwachs and Doron Peled, edi-
tors, Proceedings of the 11th International Conference on Computer Aided Verifica-
tion (CAV ’99), volume 1633 of Lecture Notes in Computer Science, pages 8–22,
Trento, Italy, July 1999. Springer Berlin Heidelberg. ISBN 3-540-66202-2. doi:
http://dx.doi.org/10.1007/3-540-48683-6_3.
[6] Rajeev Alur and David L. Dill. Automata for modeling real-time systems.
In Michael S. Paterson, editor, Proceedings of the 17th International Colloquium
on Automata, Languages and Programming (ICALP ’90), volume 443 of Lecture
Notes in Computer Science, pages 322–335, Trento, Italy, July 1990. Springer
Berlin Heidelberg. ISBN 978-3-540-52826-5. doi: http://dx.doi.org/10.1007/
BFb0032042.
[7] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical
Computer Science, 126(2):183–235, April 1994. ISSN 0304-3975. doi: http:
//dx.doi.org/10.1016/0304-3975(94)90010-8.
[8] Rajeev Alur and Thomas A. Henzinger. A really temporal logic. Journal of
the ACM (JACM), 41(1):181–203, January 1994. ISSN 0004-5411. doi: http:
//doi.acm.org/10.1145/174644.174651.
[9] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking for real-
time systems. In Proceedings of the Fifth Annual IEEE Symposium on Logic
Bibliography 302
in Computer Science (LICS ’90), pages 414–425, Philadelphia, PA, USA, June
1990. IEEE Computer Society. doi: http://dx.doi.org/10.1109/LICS.1990.
113766.
[10] Rajeev Alur, Costas Courcoubetis, and David Dill. Verifying automata spec-
ifications of probabilistic real-time systems. In Jaco W. de Bakker, Cor-
nelis Huizing, Willem-Paul de Roever, and Grzegorz Rozenberg, editors,
Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Sci-
ence, pages 28–44, Mook, The Netherlands, 1992. Springer Berlin Heidelberg.
ISBN 978-3-540-55564-3. doi: http://dx.doi.org/10.1007/BFb0031986.
[11] Rajeev Alur, Costas Courcoubetis, David Dill, Nicolas Halbwachs, and
Howard Wong-Toi. An implementation of three algorithms for timing verifi-
cation based on automata emptiness. In Proceedings of the Real-Time Systems
Symposium (RTSS ’92), pages 157–166, Phoenix, AZ, USA, December 1992.
IEEE Computer Society. doi: http://dx.doi.org/10.1109/REAL.1992.242667.
[12] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking in dense
real-time. Information and Computation, 104(1):2–34, May 1993. doi: http:
//dx.doi.org/10.1006/inco.1993.1024.
[13] Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. Parametric real-
time reasoning. In Proceedings of the twenty-fifth annual ACM symposium on
Theory of computing (STOC ’93), pages 592–601, San Diego, CA, USA, 1993.
ACM. ISBN 0-89791-591-7. doi: http://doi.acm.org/10.1145/167088.167242.
[14] Rajeev Alur, Thomas A. Henzinger, and Pei-Hsin Ho. Automatic symbolic
verification of embedded systems. IEEE Transactions on Software Engineering,
22(3):181–201, March 1996. ISSN 0098-5589. doi: http://dx.doi.org/10.1109/
32.489079.
[15] Henrik Reif Andersen. Model checking and boolean graphs. Theoretical
Computer Science, 126(1):3–30, 1994. ISSN 0304-3975. doi: http://dx.doi.org/
10.1016/0304-3975(94)90266-6.
[16] Sanjeev Arora and Boaz Barak. Computational Complexity: A Modern Ap-
proach. Cambridge University Press, New York, NY, USA, 2009.
[17] Christel Baier and Joost-Pieter Katoen. Principles of Model Checking. The MIT
Press, Cambridge, MA, USA, 2008.
[18] Thomas Ball and Orna Kupferman. Vacuity in testing. In Bernhard Beckert
and Reiner Hähnle, editors, Proceedings of the 2nd International Conference on
Bibliography 303
Tests and Proofs, volume 4966 of Lecture Notes in Computer Science, pages 4–17,
Prato, Italy, 2008. Springer Berlin Heidelberg. ISBN 3-540-79123-X, 978-3-
540-79123-2. doi: http://dx.doi.org/10.1007/978-3-540-79124-9_2.
[19] Ilan Beer, Shoham Ben-David, Cindy Eisner, and Yoav Rodeh. Efficient de-
tection of vacuity in ACTL formulas. In Orna Grumberg, editor, Proceed-
ings of the International Conference on Computer Aided Verification (CAV ’97),
volume 1254 of Lecture Notes in Computer Science, pages 279–290, Haifa,
Israel, 1997. Springer Berlin Heidelberg. ISBN 978-3-540-63166-8. doi:
http://dx.doi.org/10.1007/3-540-63166-6_28.
[20] Ilan Beer, Shoham Ben-David, Cindy Eisner, and Yoav Rodeh. Efficient de-
tection of vacuity in temporal model checking. Formal Methods in System De-
sign, 18(2):141–163, 2001. ISSN 0925-9856. doi: http://dx.doi.org/10.1023/
A:1008779610539.
[21] Gerd Behrmann, Kim G. Larsen, Justin Pearson, and Wang Yi. Efficient
timed reachability analysis using clock difference diagrams. In Nicholas
Halbwachs and Doron Peled, editors, Proceedings of the 11th International Con-
ference on Computer Aided Verification (CAV ’99), volume 1633 of Lecture Notes
in Computer Science, Trento, Italy, 1999. Springer Berlin Heidelberg. ISBN
978-3-540-66202-0. doi: http://dx.doi.org/10.1007/3-540-48683-6_30.
[22] Gerd Behrmann, Johan Bengtsson, Alexandre David, Kim G. Larsen, Paul
Pettersson, and Wang Yi. Uppaal implementation secrets. In Werner Damm
and Ernst-Rüdiger Olderog, editors, Proceedings of 7th International Sympo-
sium on Formal Techniques in Real-Time and Fault Tolerant Systems (FTRTFT
’02), volume 2469 of Lecture Notes in Computer Science, pages 3–22, Old-
enburg, Germany, September 2002. Springer Berlin Heidelberg. doi: http:
//dx.doi.org/10.1007/3-540-45739-9_1.
[23] Gerd Behrmann, Alexandre David, and Kim G. Larsen. A tutorial on Up-
paal. In Marco Bernardo and Flavio Corradini, editors, Formal Methods for
the Design of Real-Time Systems, International School on Formal Methods for the
Design of Computer, Communication and Software Systems (SFM-RT ’04), vol-
ume 3185 of Lecture Notes in Computer Science, pages 200–236, Bertinoro, Italy,
September 2004. Springer Berlin Heidelberg. ISBN 978-3-540-23068-7. doi:
http://dx.doi.org/10.1007/b110123.
[24] Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, Paul Petters-
son, and Wang Yi. Developing Uppaal over 15 years. Software Prac-
Bibliography 304
tice and Experience, 41(2):133–142, February 2011. ISSN 0038-0644. doi:
http://dx.doi.org/10.1002/spe.1006.
[25] Ramzi Ben Salah, Marius Dorel Bozga, and Oded Maler. Compositional
timing analysis. In Proceedings of the seventh ACM international conference
on Embedded software (EMSOFT ’09), pages 39–48, Grenoble, France, Octo-
ber 2009. ACM. ISBN 978-1-60558-627-4. doi: http://doi.acm.org/10.1145/
1629335.1629342.
[26] Johan Bengtsson. Memtime download page, 2002. URL http://www.
update.uu.se/~johanb/memtime/.
[27] Johan Bengtsson and Wang Yi. Timed automata: Semantics, algorithms
and tools. In Jörg Desel, Wolfgang Reisig, and Grzegorz Rozenberg, ed-
itors, Lectures on Concurrency and Petri Nets, volume 3098 of Lecture Notes
in Computer Science, pages 87–124. Springer Berlin Heidelberg, 2004. doi:
http://dx.doi.org/10.1007/978-3-540-27755-2_3.
[28] Béatrice Bérard, Antoine Petit, Volker Diekert, and Paul Gastin. Char-
acterization of the expressive power of silent transitions in timed au-
tomata. Fundamenta Informaticae, 36(2–3):145–182, November 1998. doi:
http://dx.doi.org/10.3233/FI-1998-36233.
[29] Dirk Beyer and Andreas Noack. Can decision diagrams overcome state
space explosion in real-time verification? In Hartmut Köonig, Monika
Heiner, and Adam Wolisz, editors, Proceedings of the 23rd International Confer-
ence on Formal Techniques for Networked and Distributed Systems (FORTE ’03),
volume 2767 of Lecture Notes in Computer Science, pages 193–208, Berlin, Ger-
many, 2003. Springer Berlin Heidelberg. doi: http://dx.doi.org/10.1007/
978-3-540-39979-7_13.
[30] Dirk Beyer, Claus Lewerentz, and Andreas Noack. Rabbit: A tool for BDD-
based verification of real-time systems. In Warren A. Hunt Jr and Fabio
Somenzi, editors, Proceedings of the 15th Internation Conference on Computer
Aided Verification (CAV ’03), volume 2725 of Lecture Notes in Computer Science,
pages 122–125, Boulder, CO, USA, 2003. Springer Berlin Heidelberg. doi:
http://dx.doi.org/10.1007/978-3-540-45069-6_13.
[31] Girish Bhat and Rance Cleaveland. Efficient model checking via the equa-
tional µ-calculus. In Proceedings of the 11th Annual IEEE Symposium on Logic
and Computer Science (LICS ’96), pages 304–312, New Brunswick, NJ, USA,
July 1996. IEEE Computer Society. doi: http://dx.doi.org/10.1109/LICS.
1996.561358.
Bibliography 305
[32] Sébastien Bornot and Joseph Sifakis. On the composition of hybrid systems.
In Thomas Henzinger and Shankar Sastry, editors, First International Work-
shop in Hybrid Systems: Computation and Control (HSCC ’98), volume 1386 of
Lecture Notes in Computer Science, pages 49–63. Springer Berlin Heidelberg,
1998. doi: http://dx.doi.org/10.1007/3-540-64358-3_31.
[33] Sébastien Bornot, Joseph Sifakis, and Stavros Tripakis. Modeling urgency
in timed systems. In Willem-Paul de Roever, Hans Langmaack, and Amir
Pnueli, editors, International Symposium on Compositionality: The Significant
Difference (COMPOS), volume 1536 of Lecture Notes in Computer Science,
pages 103–129. Springer Berlin Heidelberg, 1998. doi: http://dx.doi.org/
10.1007/3-540-49213-5_5.
[34] Ahmed Bouajjani, Stavros Tripakis, and Sergio Yovine. On-the-fly symbolic
model checking for real-time systems. In The 18th IEEE Proceedings on Real-
Time Systems Symposium (RTSS ’97), pages 25–34, San Francisco, CA, USA,
December 1997. IEEE Computer Society. doi: http://dx.doi.org/10.1109/
REAL.1997.641266.
[35] Patricia Bouyer. Timed automata may cause some troubles. Technical Report
RS-02-35, BRICS-Aalborg University, August 2002.
[36] Patricia Bouyer. Untameable timed automata! In Helmut Alt and Michel
Habib, editors, Proceedings of the 20th Annual Symposium on Theoretical Aspects
of Computer Science (STACS ’03), volume 2607 of Lecture Notes in Computer
Science, pages 620–631. Springer Berlin Heidelberg, 2003. doi: http://dx.
doi.org/10.1007/3-540-36494-3_54.
[37] Patricia Bouyer. Model-checking timed temporal logics. Electronic Notes in
Theoretical Computer Science, 231(0):323–341, March 2009. ISSN 1571-0661.
doi: http://dx.doi.org/10.1016/j.entcs.2009.02.044. Proceedings of the 5th
Workshop on Methods for Modalities (M4M5 2007).
[38] Patricia Bouyer and François Laroussinie. Model checking timed automata.
In Stephan Merz and Nicolas Navet, editors, Modeling and Verification of Real-
Time Systems, chapter 4, pages 111–140. ISTE, London, UK, 2010. doi: http:
//dx.doi.org/10.1002/9780470611012.ch4.
[39] Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, and Antoine Petit.
Updatable timed automata. Theoretical Computer Science, 321(2–3):291–345,
2004. ISSN 0304-3975. doi: http://dx.doi.org/10.1016/j.tcs.2004.04.003.
Bibliography 306
[40] Patricia Bouyer, Franck Cassez, and François Laroussinie. Modal logics for
timed control. Technical Report RI-2005-2, IRCCyN/CNRS, Nantes, March
2005. URL http://www.lsv.ens-cachan.fr/~fl/cmcweb.html.
[41] Patricia Bouyer, Franck Cassez, and François Laroussinie. Modal logics for
timed control. In Martín Abadi and Luca de Alfaro, editors, Proceedings of the
16th International Conference on Concurrency Theory (CONCUR ’05), volume
3653 of Lecture Notes in Computer Science, pages 81–94, San Francisco, CA,
USA, August 2005. Springer Berlin Heidelberg. doi: http://dx.doi.org/10.
1007/11539452_10.
[42] Patricia Bouyer, Fabrice Chevalier, and Nicolas Markey. On the expressive-
ness of TPTL and MTL. In Sundar Sarukkai and Sandeep Sen, editors, Pro-
ceedings of the 25th International Conference on the Foundations of Software Tech-
nology and Theoretical Computer Science (FSTTCS ’05), volume 3821 of Lecture
Notes in Computer Science, pages 432–443, Hyderabad, India, 2005. Springer
Berlin Heidelberg. doi: http://dx.doi.org/10.1007/11590156_35.
[43] Patricia Bouyer, François Laroussinie, and Pierre-Alain Reynier. Diagonal
constraints in timed automata: Forward analysis of timed systems. In Paul
Pettersson and Wang Yi, editors, Proceedings of the 3rd International Conference
on Formal Modeling and Analysis of Timed Systems (FORMATS ’05), volume
3829 of Lecture Notes in Computer Science, pages 112–126. Springer Berlin
Heidelberg, 2005. doi: http://dx.doi.org/10.1007/11603009_10.
[44] Patricia Bouyer, Fabrice Chevalier, and Nicolas Markey. On the expressive-
ness of TPTL and MTL. Information and Computation, 208(2):97–116, 2010.
ISSN 0890-5401. doi: http://dx.doi.org/10.1016/j.ic.2009.10.004.
[45] Patricia Bouyer, Franck Cassez, and François Laroussinie. Timed modal
logics for real-time systems. Journal of Logic, Language and Information,
20(2):169–203, 2011. ISSN 0925-8531. doi: http://dx.doi.org/10.1007/
s10849-010-9127-4.
[46] Howard Bowman. Time and action lock freedom properties for timed au-
tomata. In Myungchui Kim, Byoungmoon Chin, Sungwon Kang, and Dan-
hyung Lee, editors, Proceedings of the 21st International Conference on Formal
Techniques for Networked and Distributed Systems (FORTE ’01), volume 69 of
IFIP: International Federation for Information Processing, pages 119–134, De-
venter, The Netherlands, 2001. Springer US. ISBN 0-7923-7470-3. doi:
http://dx.doi.org/10.1007/0-306-47003-9_8.
Bibliography 307
[47] Howard Bowman and Rodolfo Gómez. How to stop time stopping. Formal
Aspects of Computing, 18(4):459–493, December 2006. doi: http://dx.doi.org/
10.1007/s00165-006-0010-7.
[48] Julian Bradfield and Colin Stirling. Modal logics and mu-calculi: An intro-
duction. In Jan A. Bergstra, A. Ponse, and Scott A. Smolka, editors, Hand-
book of Process Algebra, chapter 4, pages 293–330. Elsevier Science, 2001. doi:
http://dx.doi.org/10.1016/B978-044482830-9/50022-9.
[49] Julian Bradfield and Colin Stirling. Modal mu-calculi. In Patrick Black-
burn, Johan Van Benthem, and Frank Wolter, editors, Handbook of Modal
Logic, volume 3, chapter 12, pages 721–756. Elsevier Science, 2007. doi:
http://dx.doi.org/10.1016/S1570-2464(07)80015-2.
[50] Hana Chockler and Ofer Strichman. Before and after vacuity. Formal Methods
in System Design, 34(1):37–58, 2009. ISSN 0925-9856. doi: http://dx.doi.org/
10.1007/s10703-008-0060-y.
[51] Alessandro Cimatti, Sergio Mover, and Stefano Tonetta. Proving and ex-
plaining the unfeasibility of message sequence charts for hybrid systems.
In Proceedings of the International Conference on Formal Methods in Computer-
Aided Design (FMCAD ’11), pages 54–62, Austin, TX, USA, 2011. ISBN 978-0-
9835678-1-3. URL http://dl.acm.org/citation.cfm?id=2157654.2157666.
[52] Edmund Clarke and I. A. Draghicescu. Expressibility results for linear-time
and branching-time logics. In J. de Bakker, W. de Roever, and G. Rozenberg,
editors, Linear Time, Branching Time and Partial Order in Logics and Models
for Concurrency, volume 354 of Lecture Notes in Computer Science, pages 428–
437. Springer Berlin Heidelberg, 1989. ISBN 978-3-540-51080-2. doi: http:
//dx.doi.org/10.1007/BFb0013029.
[53] Edmund M. Clarke. The birth of model checking. In Orna Grumberg
and Helmut Veith, editors, 25 Years of Model Checking: History, Achievements,
Perspectives, volume 5000 of Lecture Notes in Computer Science, pages 1–
26. Springer Berlin Heidelberg, 2008. ISBN 978-3-540-69849-4. doi: http:
//dx.doi.org/10.1007/978-3-540-69850-0_1.
[54] Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic
verification of finite-state concurrent systems using temporal logic specifi-
cations. ACM Transactions on Programming Languages and Systems (TOPLAS),
8(2):244–263, 1986. ISSN 0164-0925. doi: http://doi.acm.org/10.1145/5397.
5399.
Bibliography 308
[55] Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking.
The MIT Press, Cambridge, MA, USA, 1999.
[56] Rance Cleaveland. Tableau-based model checking in the propositional mu-
calculus. Acta Informatica, 27(8):725–747, 1990. ISSN 0001-5903. doi: http:
//dx.doi.org/10.1007/BF00264284.
[57] Rance Cleaveland and Bernhard Steffen. A linear-time model-checking algo-
rithm for the alternation-free modal mu-calculus. Formal Methods in System
Design, 2(2):121–147, 1993. ISSN 0925-9856. doi: http://dx.doi.org/10.1007/
BF01383878.
[58] Thomas H. Cormen, Clarles E. Leiserson, Ronald L. Rivest, and Clifford
Stein. Introduction to Algorithms. MIT Press, Cambridge, MA, USA, second
edition, 2001.
[59] Patrick Cousot and Radhia Cousot. Constructive versions of tarski’s fixed
point theorems. Pacific Journal of Mathematics, 82(1):43–57, 1979. URL http:
//projecteuclid.org/euclid.pjm/1102785059.
[60] Conrado Daws, Alfredo Olivero, Stavros Tripakis, and Sergio Yovine. The
tool KRONOS. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D.
Sontag, editors, Hybrid Systems III, volume 1066 of Lecture Notes in Com-
puter Science, pages 208–219. Springer Berlin Heidelberg, 1996. doi: http:
//dx.doi.org/10.1007/BFb0020947.
[61] Vasileios Deligiannis and Stamatis Manesis. A survey on automata-based
methods for modelling and simulation of industrial systems. In IEEE Con-
ference on Emerging Technologies and Factory Automation (EFTA ’07), pages
398–405. IEEE, September 2007. doi: http://dx.doi.org/10.1109/EFTA.2007.
4416795.
[62] Jay L. Devore. Probability and Statistics for Engineering and the Sciences.
Brooks/Cole—Thomson Learning, Belmont, CA, USA, sixth edition, 2003.
[63] Luigi Di Guglielmo, Franco Fummi, and Graziano Pravadelli. Vacuity anal-
ysis for property qualification by mutation of checkers. In Proceedings of
the Conference on Design, Automation and Test in Europe (DATE ’10), pages
478–483. European Design and Automation Association, 2010. ISBN 978-3-
9810801-6-2. URL http://dl.acm.org/citation.cfm?id=1870926.1871041.
[64] David L. Dill. Timing assumptions and verification of finite-state concurrent
systems. In Joseph Sifakis, editor, Proceedings of the International Workshop on
Bibliography 309
Automatic Verification Methods for Finite State Systems, volume 407 of Lecture
Notes in Computer Science, pages 197–212. Springer Berlin Heidelberg, June
1990. ISBN 3-540-52148-8. doi: http://dx.doi.org/10.1007/3-540-52148-8_
17.
[65] Jin Song Dong, Ping Hao, Shengchao Qin, Jun Sun, and Wang Yi. Timed
automata patterns. IEEE Transactions on Software Engineering, 34(6):844–
859, November–December 2008. ISSN 0098-5589. doi: http://dx.doi.org/
10.1109/TSE.2008.52.
[66] Yifei Dong, Beata Sarna-Starosta, C. R. Ramakrishnan, and Scott A. Smolka.
Vacuity checking in the modal mu-calculus. In Proceedings of the 9th Interna-
tional Conference on Algebraic Methodology and Software Technology (AMAST
’02), volume 2422 of Lecture Notes in Computer Science, pages 147–162.
Springer Berlin Heidelberg, 2002. ISBN 3-540-44144-1. doi: http://dx.doi.
org/10.1007/3-540-45719-4_11.
[67] Rüdiger Ehlers, Daniel Fass, Michael Gerke, and Hans-Jörg Peter. Fully
symbolic timed model checking using constraint matrix diagrams. In Pro-
ceedings of the 31st IEEE Real-Time Systems Symposium (RTSS ’10), pages
360–371, San Diego, CA, USA, November–December 2010. IEEE. doi:
http://dx.doi.org/10.1109/RTSS.2010.36.
[68] E. Allen Emerson and Joseph Y. Halpern. “Sometimes” and “not never”
revisited: on branching versus linear time temporal logic. Journal of the ACM
(JACM), 33(1):151–178, January 1986. ISSN 0004-5411. doi: http://doi.acm.
org/10.1145/4904.4999.
[69] E. Allen Emerson and Chin-Laung Lei. Efficient model checking in frag-
ments of the propositional mu-calculus. In Proceedings of the 1st Symposium
on Logic in Computer Science (LICS ’86), pages 267–278. IEEE Computer Soci-
ety, June 1986.
[70] Herbert B. Enderton. A Mathematical Introduction to Logic. Har-
court/Academic Press, San Diego, CA, USA, second edition, 2001.
[71] Susanna S. Epp. Discrete Mathematics with Applications. Brooks/Cole—
Thomson Learning, Belmont, CA, USA, third edition, 2004.
[72] Uli Fahrenberg, Kim Larsen, and Claus Thrane. Verification, performance
analysis and controller synthesis for real-time systems. In Farhad Arbab and
Marjan Sirjani, editors, Fundamentals of Software Engineering, volume 5961 of
Bibliography 310
Lecture Notes in Computer Science, pages 34–61. Springer Berlin Heidelberg,
2010. doi: http://dx.doi.org/10.1007/978-3-642-11623-0_2.
[73] Peter Fontana and Rance Cleaveland. Data structure choices for on-the-fly
model checking of real-time systems. In Malay Ganai and Armin Biere,
editors, Proceedings of the First International Workshop on Design and Imple-
mentation of Formal Tools and Systems (DIFTS ’11), volume 832 of CEUR
Workshop Proceedings, pages 13–21, Austin, TX, USA, November 2011. URL
http://ceur-ws.org/Vol-832/Difts11Proceedings.pdf#page=17.
[74] Peter Fontana and Rance Cleaveland. A menagerie of timed automata. ACM
Computing Surveys, 46(3):40:1–40:56, January 2014. doi: http://dx.doi.org/
10.1145/2518102.
[75] John B. Fraleigh. A First Course in Abstract Algebra. Addison-Wesley, Boston,
MA, USA, sixth edition, 1999.
[76] Carlo A. Furia, Dino Mandrioli, Angelo Morzenti, and Matteo Rossi. Mod-
eling time in computing: A taxonomy and a comparative survey. ACM
Computing Surveys, 42(2):6:1–6:59, February 2010. ISSN 0360-0300. doi:
http://doi.acm.org/10.1145/1667062.1667063.
[77] Mihaela Gheorghiu and Arie Gurfinkel. Vaquot: A tool for vacuity detec-
tion. Tool and Poster Track of the 14th International Symposium on Formal
Methods, August 2006. URL http://fm06.mcmaster.ca/VaqUoT.pdf.
[78] Rodolfo Gómez and Howard Bowman. Efficient detection of zeno runs in
timed automata. In Jean-Francois Raskin and P.S. Thiagarajan, editors, Pro-
ceedings of the 5th International Conference on the Formal Modeling and Analy-
sis of Timed Systems (FORMATS ’07), volume 4763 of Lecture Notes in Com-
puter Science, pages 195–210. Springer Berlin Heidelberg, October 2007. doi:
http://dx.doi.org/10.1007/978-3-540-75454-1_15.
[79] Jan Friso Groote and Tim A.C. Willemse. Parameterised boolean equation
systems. Theoretical Computer Science, 343(3):332–369, 2005. ISSN 0304-3975.
doi: http://dx.doi.org/10.1016/j.tcs.2005.06.016.
[80] Arie Gurfinkel and Marsha Chechik. How vacuous is vacuous? In Kurt
Jensen and Andreas Podelski, editors, Tools and Algorithms for the Construc-
tion and Analysis of Systems, volume 2988 of Lecture Notes in Computer Science,
pages 451–466. Springer Berlin Heidelberg, 2004. ISBN 978-3-540-21299-7.
doi: http://dx.doi.org/10.1007/978-3-540-24730-2_34.
Bibliography 311
[81] Arie Gurfinkel and Marsha Chechik. Robust vacuity for branching tempo-
ral logic. ACM Transactions on Computational Logic (TOCL), 13(1):1:1–1:32,
January 2012. ISSN 1529-3785. doi: http://doi.acm.org/10.1145/2071368.
2071369.
[82] Jameleddine Hassine, Juergen Rilling, and Rachida Dssouli. Formal verifi-
cation of use case maps with real time extensions. In Emmanuel Gaudin,
Elie Najm, and Rick Reed, editors, 13th International System Design Lan-
guages (SDL) Forum (SDL ’07), volume 4745 of Lecture Notes in Computer Sci-
ence, pages 225–241, Paris, France, 2007. Springer Berlin Heidelberg. doi:
http://dx.doi.org/10.1007/978-3-540-74984-4_14.
[83] Jameleddine Hassine, Juergen Rilling, and Rachida Dssouli. An evaluation
of timed scenario notations. Journal of Systems and Software, 83(2):326–350,
2010. ISSN 0164-1212. doi: http://dx.doi.org/10.1016/j.jss.2009.09.014.
[84] Constance Heitmeyer and Nancy Lynch. The generalized railroad crossing:
a case study in formal verification of real-time systems. In Proceedings of
the Real-Time Systems Symposium (RTSS ’94), pages 120–131. IEEE, December
1994. doi: http://dx.doi.org/10.1109/REAL.1994.342724.
[85] Constance L. Heitmeyer, Bruce G. Labaw, and Ralph D. Jeffords. A bench-
mark for comparing different approaches for specifying and verifying real-
time systems. Technical Report ADA462244, Naval Research Laboratory,
1993. URL http://handle.dtic.mil/100.2/ADA462244.
[86] Thomas A. Henzinger. The theory of hybrid automata. In Proceedings of
the IEEE Symposium on Logic in Computer Science (LICS ’96), pages 278–292,
Los Alamitos, CA, USA, July 1996. IEEE Computer Society. doi: http://doi.
ieeecomputersociety.org/10.1109/LICS.1996.561342.
[87] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine.
Symbolic model checking for real-time systems. In Proceedings of the Seventh
Annual IEEE Symposium on Logic in Computer Science (LICS ’92), pages 394–
406. IEEE, June 1992. doi: http://dx.doi.org/10.1109/LICS.1992.185551.
[88] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine.
Symbolic model checking for real-time systems. Information and Computation,
111(2):193–244, 1994. doi: http://dx.doi.org/10.1006/inco.1994.1045.
[89] Thomas A. Henzinger, Peter W. Kopke, Anuj Puri, and Pravin Varaiya.
What’s decidable about hybrid automata? In Proceedings of the Twenty-
seventh Annual ACM Symposium on Theory of Computing (STOC ’95), pages
Bibliography 312
373–382, Las Vegas, Nevada, USA, 1995. ACM. ISBN 0-89791-718-9. doi:
http://doi.acm.org/10.1145/225058.225162.
[90] Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. HyTech: a
model checker for hybrid systems. International Journal on Software Tools
for Technology Transfer (STTT), 1(1):110–122, 1997. ISSN 1433-2779. doi:
http://dx.doi.org/10.1007/s100090050008.
[91] Thomas A. Henzinger, Peter W. Kopke, Anuj Puri, and Pravin Varaiya.
What’s decidable about hybrid automata? Journal of Computer and System Sci-
ences, 57(1):94–124, 1998. ISSN 0022-0000. doi: http://dx.doi.org/10.1006/
jcss.1998.1581.
[92] Paula Herber, Joachim Fellmuth, and Sabine Glesner. Model checking Sys-
temC designs using timed automata. In Proceedings of the 6th IEEE/ACM/IFIP
international conference on Hardware/Software codesign and system synthesis
(CODES+ISSS ’08), pages 131–136, Atlanta, GA, USA, 2008. ACM. ISBN
978-1-60558-470-6. doi: http://doi.acm.org/10.1145/1450135.1450166.
[93] John E. Hopcroft, Rajeev Motwani, and Jeffrey D. Ullman. Introduction to
Automata Theory, Languages, and Computation. Addison-Wesley, Boston, MA,
USA, second edition, 2001.
[94] Magdalena Kacprzak, Wojciech Nabiałek, Artur Niewiadomski, Wojciech
Penczek, Agata Półrola, Maciej Szreter, Bożzena Woźna, and Andrzej
Zbrzezny. VerICS 2007 - a model checker for knowledge and real-time.
Fundamenta Informaticae, 85(1-4):313–328, 2008. ISSN 01692968. URL http:
//iospress.metapress.com/content/aju14j810h82w141/.
[95] Dilsun K. Kaynar, Nancy Lynch, Roberto Segala, and Frits Vaandrager.
Timed I/O automata: a mathematical framework for modeling and ana-
lyzing real-time systems. In Proceedings of the 24th IEEE Real-Time Sys-
tems Symposium (RTSS ’03), pages 166–177. IEEE, December 2003. doi:
http://dx.doi.org/10.1109/REAL.2003.1253264.
[96] Dilsun K. Kaynar, Nancy Lynch, Roberto Segala, and Frits Vaandrager. The
Theory of Timed I/O Automata. Synthesis Lectures on Distributed Computing
Theory. Morgan & Claypool, San Raftel, CA, USA, second edition, 2010. doi:
http://dx.doi.org/10.2200/S00310ED1V01Y201011DCT005.
[97] Lina Khatib, Nicola Muscettola, and Klaus Havelund. Mapping temporal
planning constraints into timed automata. In Proceedings of the 8th Interna-
tional Symposium on Temporal Representation and Reasoning (TIME ’01), pages
Bibliography 313
21–27, Cividale del Friuli, Italy, June 2001. IEEE Computer Society. doi:
http://dx.doi.org/10.1109/TIME.2001.930693.
[98] Ahmet Koltuksuz, Brucu Kulahcioglu, and Murat Ozkan. Utilization of
timed automata as a verification tool for security protocols. In Proceedings
of the 4th International Conference on Secure Software Integration and Reliability
Improvement, Companion Volume (SSIRI-C ’10), pages 86–93. IEEE Computer
Society, June 2010. doi: http://dx.doi.org/10.1109/SSIRI-C.2010.27.
[99] Maria Kourkouli and George Hassapis. Application of the timed au-
tomata abstraction to the performance evaluation of the architecture of a
bank on-line transaction processing system. In George Eleftherakis, edi-
tor, Proceedings of the 2nd South-East European Workshop on Formal Methods
(SEEFM), pages 142–153. South-East European Research Centre (SEERC),
2006. ISBN 960-87869-8-3. URL http://www.seefm.info/seefm05/book/
11-C5-SEEFM05.pdf.
[100] Dexter Kozen. Results on the propositional µ-calculus. Theoretical Com-
puter Science, 27(3):333–354, 1983. ISSN 0304-3975. doi: http://dx.doi.org/
10.1016/0304-3975(82)90125-6.
[101] Orna Kupferman. Sanity checks in formal verification. In Christel Baier and
Holger Hermanns, editors, Proceedings of the 17th International Conference on
Concurrency Theory (CONCUR ’06), volume 4137 of Lecture Notes in Computer
Science, pages 37–51, Bonn, Germany, August 2006. Springer Berlin Heidel-
berg. ISBN 978-3-540-37376-6. doi: http://dx.doi.org/10.1007/11817949_3.
[102] Orna Kupferman and Moshe Y. Vardi. Vacuity detection in temporal
model checking. International Journal on Software Tools for Technology Transfer
(STTT), 4(2):224–233, 2003. ISSN 1433-2779. doi: http://dx.doi.org/10.1007/
s100090100062.
[103] Sebastian Kupferschmid, Martin Wehrle, Bernhard Nebel, and Andreas
Podelski. Faster than Uppaal? In Aarti Gupta and Sharad Malik, editors,
Proceedings of the 20th International Conference on Computer Aided Verification
(CAV ’08), volume 5123 of Lecture Notes in Computer Science, pages 552–555,
Princeton, NJ, USA, 2008. Springer Berlin Heidelberg. ISBN 978-3-540-70543-
7. doi: http://dx.doi.org/10.1007/978-3-540-70545-1_53.
[104] Leslie Lamport. “Sometime” is sometimes “not never”: on the temporal
logic of programs. In Proceedings of the 7th ACM SIGPLAN-SIGACT sympo-
sium on Principles of programming languages (POPL ’80), pages 174–185, Las
Bibliography 314
Vegas, Nevada, 1980. ACM. ISBN 0-89791-011-7. doi: http://doi.acm.org/
10.1145/567446.567463.
[105] Leslie Lamport. Real-time model checking is really simple. In Dominique
Borrione and Wolfgang Paul, editors, Proceedings of the Advanced Research
Working Conference on Correct Hardware-like Design and Verification Methods
(CHARME ’05), volume 3725 of Lecture Notes in Computer Science, pages
162–175. Springer Berlin Heidelberg, 2005. doi: http://dx.doi.org/10.1007/
11560548_14.
[106] Christine Largouët, Marie-Odile Cordier, Yves-Marie Bozec, Yulong Zhao,
and Guy Fontenelle. Use of timed automata and model-checking to explore
scenarios on ecosystem models. Environmental Modelling & Software, 30:123–
138, 2012. ISSN 1364-8152. doi: http://dx.doi.org/10.1016/j.envsoft.2011.
08.005.
[107] François Laroussinie and Kim Guldstrand Larsen. CMC: A tool for compo-
sitional model-checking of real-time systems. In Stan Budkowski, Ana Cav-
alli, and Elie Najm, editors, Proceedings of the Joint International Conference on
Formal Description Techniques and Protocol Specification, Testing and Verification
(FORTE/PSTV ’98), The International Federation for Information Processing
(IFIP), pages 439–456, Paris, France, 1998. Springer US. ISBN 0-412-84760-4.
doi: http://dx.doi.org/10.1007/978-0-387-35394-4_27.
[108] François Laroussinie, Kim Larsen, and Carsten Weise. From timed automata
to logic — and back. In Jirí Wiedermann and Petr Hájek, editors, Proceedings
of the 20th Annual Symposium on the Mathematical Foundations of Computer
Science (MFCS ’95), volume 969 of Lecture Notes in Computer Science, pages
529–539, Prague, Czech Republic, August 1995. Springer Berlin Heidelberg.
doi: http://dx.doi.org/10.1007/3-540-60246-1_158.
[109] François Laroussinie, Kim G. Larsen, and Carsten Weise. From timed au-
tomata to logic - and back. Technical Report BRICS RS-95-2, BRICS-Aalborg
University, 1995. URL http://www.brics.dk/RS/95/2/.
[110] Kim Larsen and Wang Yi. Time abstracted bisimulation: Implicit specifica-
tions and decidability. In Stephen Brookes, Michael Main, Austin Melton,
Michael Mislove, and David Schmidt, editors, Proceedings of the 9th In-
ternational Conference on Mathematical Foundations of Programming Semantics
(MFPS ’94), volume 802 of Lecture Notes in Computer Science, pages 160–
176, New Orleans, LA, USA, April 1994. Springer Berlin Heidelberg. doi:
http://dx.doi.org/10.1007/3-540-58027-1_8.
Bibliography 315
[111] Kim G. Larsen and Yi Wang. Time-abstracted bisimulation: Implicit speci-
fications and decidability. Information and Computation, 134(2):75–101, 1997.
ISSN 0890-5401. doi: http://dx.doi.org/10.1006/inco.1997.2623.
[112] Kim G. Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Efficient
verification of real-time systems: Compact data structure and state-space
reduction. In Proceedings of the 18th IEEE Real-Time Systems Symposium (RTSS
’97), pages 14–24. IEEE Computer Society, December 1997. doi: http://dx.
doi.org/10.1109/REAL.1997.641265.
[113] Kim G. Larsen, Paul Pettersson, and Wang Yi. Uppaal in a nutshell. Interna-
tional Journal on Software Tools for Technology Transfer (STTT), 1(1–2):134–152,
1997. doi: http://dx.doi.org/10.1007/s100090050010.
[114] Kim G. Larsen, Justin Pearson, Carsten Weise, and Wang Yi. Clock differ-
ence diagrams. Nordic Journal of Computing, 6(3):271–298, 1999. ISSN 1236-
6064. URL http://www.cs.helsinki.fi/njc/References/larsenpwy1999:
271.html.
[115] Huimin Lin. Symbolic transition graph with assignment. In Ugo Montanari
and Vladimiro Sassone, editors, Proceedings of the 7th International Confer-
ence on Concurrency Theory (CONCUR ’96), volume 1119 of Lecture Notes in
Computer Science, pages 50–65. Springer Berlin Heidelberg, 1996. ISBN 3-
540-61604-7. doi: http://dx.doi.org/10.1007/3-540-61604-7_47.
[116] Magnus Lindahl, Paul Pettersson, and Wang Yi. Formal design and anal-
ysis of a gear controller. In Bernhard Steffen, editor, Proceedings of the
International Conference on the Tools and Algorithms for the Construction and
Analysis of Systems (TACAS ’98), volume 1384 of Lecture Notes in Com-
puter Science, pages 281–297. Springer Berlin Heidelberg, 1998. doi: http:
//dx.doi.org/10.1007/BFb0054178.
[117] Nancy Lynch and Frits Vaandrager. Forward and backward simulations for
timing-based systems. In Jaco de Bakker, Cornelis Huizing, Willem-Paul
de Roever, and Grzegorz Rozenberg, editors, Proceedings of the Workshop on
Research and Education in Concurrent Systems (REX), volume 600 of Lecture
Notes in Computer Science, pages 397–446. Springer Berlin Heidelberg, 1992.
doi: http://dx.doi.org/10.1007/BFb0032002.
[118] Nancy Lynch and Frits Vaandrager. Forward and backward simulations part
I: Untimed systems. Information and Computation, 121(2):214–233, 1995. ISSN
0890-5401. doi: http://dx.doi.org/10.1006/inco.1995.1134.
Bibliography 316
[119] Nancy Lynch and Frits Vaandrager. Forward and backward simulations part
II: Timing systems. Technical Report MIT-LCS-TM-458, MIT Laboratory for
Computer Science, 1995. URL http://groups.csail.mit.edu/tds/papers/
Lynch/MIT-LCS-TM-458.pdf.
[120] Nancy Lynch and Frits Vaandrager. Forward and backward simulations: II.
timing-based systems. Information and Computation, 128(1):1–25, 1996. ISSN
0890-5401. doi: http://dx.doi.org/10.1006/inco.1996.0060.
[121] Angelika Mader. Verification of Modal Properties Using Boolean Equation Sys-
tems. Edition versal 8. Bertz Verlag, Berlin, Germany, 1997. URL http:
//doc.utwente.nl/64253/.
[122] Oded Maler and Grégory Batt. Approximating continuous systems by timed
automata. In Jasmin Fisher, editor, Proceedings of the First International Work-
shop on Formal Methods in Systems Biology (FMSB ’08), volume 5054 of Lecture
Notes in Computer Science, pages 77–89, Cambridge, UK, June 2008. Springer
Berlin Heidelberg. doi: http://dx.doi.org/10.1007/978-3-540-68413-8_6.
[123] Radu Mateescu and Mihaela Sighireanu. Efficient on-the-fly model-checking
for regular alternation-free mu-calculus. Science of Computer Programming,
46(3):255–281, 2003. ISSN 0167-6423. doi: http://dx.doi.org/10.1016/
S0167-6423(02)00094-1.
[124] Robin Milner. Communication and Concurrency. Prentice-Hall, Inc., Upper
Saddle River, NJ, USA, 1989. ISBN 0131149849.
[125] Jesper Møller. DDDLIB: a library for solving quantified difference inequal-
ities. In Andrei Voronkov, editor, Proceedings of the 18th International Con-
ference on Automated Deduction (CADE ’02), volume 2392 of Lecture Notes in
Computer Science, pages 221–241, Copenhagen, Denmark, July 2002. Springer
Berlin Heidelberg. URL http://dx.doi.org/10.1007/3-540-45620-1_9.
[126] Jesper Møller, Jakob Lichtenberg, Henrik Andersen, and Henrik Hulgaard.
Difference decision diagrams. In Jörg Flum and Mario Rodriguez-Artalejo,
editors, Proceedings of the 13th Annual Workshop of Computer Science Logic
(CSL ’99), volume 1683 of Lecture Notes in Computer Science, pages 826–
826. Springer Berlin Heidelberg, September 1999. doi: http://dx.doi.org/
10.1007/3-540-48168-0_9.
[127] Georges Morbé, Florian Pigorsch, and Christoph Scholl. Fully symbolic
model checking for timed automata. In Ganesh Gopalakrishnan and Shaz
Qadeer, editors, Proceedings of the 23rd International Conference on Computer
Bibliography 317
Aided Verification (CAV ’11), volume 6806 of Lecture Notes in Computer Sci-
ence, pages 616–632. Springer Berlin Heidelberg, 2011. doi: http://dx.doi.
org/10.1007/978-3-642-22110-1_50.
[128] Kedar S. Namjoshi. Certifying model checkers. In Gérard Berry, Hubert
Comon, and Alain Finkel, editors, Proceedings of the 13th International Confer-
ence on Computer Aided Verification (CAV ’01), volume 2102 of Lecture Notes in
Computer Science, pages 2–13. Springer Berlin Heidelberg, July 2001. ISBN
978-3-540-42345-4. doi: http://dx.doi.org/10.1007/3-540-44585-4_2.
[129] Kedar S. Namjoshi. An efficiently checkable, proof-based formulation of
vacuity in model checking. In Rajeev Alur and DoronA. Peled, editors,
Proceedings of the 16th Annual Conference on Computer Aided Verification (CAV
’04), volume 3114 of Lecture Notes in Computer Science, pages 57–69, Boston,
MA, USA, July 2004. Springer Berlin Heidelberg. ISBN 978-3-540-22342-9.
doi: http://dx.doi.org/10.1007/978-3-540-27813-9_5.
[130] Peter Niebert, Moez Mahfoudh, Eugene Asarin, Marius Bozga, Oded Maler,
and Navendu Jain. Verification of timed automata via satisfiability check-
ing. In Werner Damm and Ernst Olderog, editors, Proceedings of the 7th
Annual Symposium on Formal Techniques in Real-Time and Fault-Tolerant Sys-
tems (FTRTFT ’02), volume 2469 of Lecture Notes in Computer Science, pages
225–243. Springer Berlin Heidelberg, 2002. doi: http://dx.doi.org/10.1007/
3-540-45739-9_15.
[131] Ernst-Rüdiger Olderog and Henning Dierks. Real-Time Systems: Formal Spec-
ification and Automatic Verification. Cambridge University Press, New York,
NY, USA, 2008.
[132] Miroslav Pajic, Insup Lee, Rahul Mangharam, and Oleg Sokolsky. UPP2SF:
Translating UPPAAL models to simulink, technical report. Technical Report,
2011. URL http://www.seas.upenn.edu/~pajic/TEMP/UPP2SF_report.pdf.
[133] Paritosh Pandya and Simoni Shah. On expressive powers of timed logics:
Comparing boundedness, non-punctuality, and deterministic freezing. In
Joost-Pieter Katoen and Barbara König, editors, Proceedings of the 22nd Inter-
national Conference on Concurrency Theory (CONCUR ’11), volume 6901 of Lec-
ture Notes in Computer Science, pages 60–75. Springer Berlin Heidelberg, 2011.
ISBN 978-3-642-23216-9. doi: http://dx.doi.org/10.1007/978-3-642-23217-6_
5.
[134] Wojciech Penczek and Agata Półrola. Specification and model checking of
temporal properties in time petri nets and timed automata. In Jordi Cor-
Bibliography 318
tadella and Wolfgang Reisig, editors, Proceedings of the 25th International Con-
ference on the Applications and Theory of Petri Nets (ICATPN ’04), volume 3099
of Lecture Notes in Computer Science, pages 37–76. Springer Berlin Heidelberg,
June 2004. doi: http://dx.doi.org/10.1007/978-3-540-27793-4_4.
[135] Wojciech Penczek and Agata Pólrola. Advances in Verification of Time Petri
Nets and Timed Automata, volume 20 of Studies in Computational Intelligence.
Springer Berlin Heidelberg, Secaucus, NJ, USA, 2006. doi: http://dx.doi.
org/10.1007/978-3-540-32870-4.
[136] Hans-Jörg Peter, Rüdiger Ehlers, and Robert Mattmüller. Synthia: Ver-
ification and synthesis for timed automata. In Ganesh Gopalakrishnan
and Shaz Qadeer, editors, Proceedings of the 23rd International Conference
on Computer Aided Verification (CAV ’11), volume 6806 of Lecture Notes in
Computer Science, pages 649–655. Springer Berlin Heidelberg, 2011. doi:
http://dx.doi.org/10.1007/978-3-642-22110-1_52.
[137] André Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Com-
plex Dynamics. Springer, Berlin, Germany, 2010. doi: http://dx.doi.org/10.
1007/978-3-642-14509-4.
[138] Amalinda Post, Jochen Hoenicke, and Andreas Podelski. Vacuous real-
time requirements. In Proceedings of the 19th IEEE International Conference on
Requirements Engineering (RE ’11), pages 153–162. IEEE, August–September
2011. doi: http://dx.doi.org/10.1109/RE.2011.6051657.
[139] R Core Team. R: A Language and Environment for Statistical Computing. R
Foundation for Statistical Computing, Vienna, Austria, 2012. URL http:
//www.R-project.org/.
[140] Anders Ravn, Jiří Srba, and Saleem Vighio. Modelling and verification of
web services business activity protocol. In Parosh Aziz Abdulla and K. Rus-
tan M. Leino, editors, Proceedings of the 17th International Conference on Tools
and Algorithms for the Construction and Analysis of Systems (TACAS ’11), vol-
ume 6605 of Lecture Notes in Computer Science, pages 357–371. Springer Berlin
Heidelberg, 2011. ISBN 978-3-642-19834-2. doi: http://dx.doi.org/10.1007/
978-3-642-19835-9_32.
[141] Marko Samer and Helmut Veith. On the notion of vacuous truth. In Nachum
Dershowitz and Andrei Voronkov, editors, Proceedings of the 14th International
Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR
’07), volume 4790 of Lecture Notes in Computer Science, pages 2–14. Springer
Bibliography 319
Berlin Heidelberg, 2007. ISBN 978-3-540-75558-6. doi: http://dx.doi.org/10.
1007/978-3-540-75560-9_2.
[142] Edward R. Scheinerman. Mathematics: A Discrete Introduction.
Brooks/Cole—Thomson Learning, Pacific Grove, CA, USA, first edi-
tion, 2000.
[143] Sanjit Seshia and Randal Bryant. Unbounded, fully symbolic model check-
ing of timed automata using boolean methods. In Warren A. Hunt Jr.
and Fabio Somenzi, editors, Proceedings of the 15th International Conference
on Computer Aided Verification (CAV ’03), volume 2742 of Lecture Notes in
Computer Science, pages 154–166. Springer Berlin Heidelberg, 2003. doi:
http://dx.doi.org/10.1007/978-3-540-45069-6_16.
[144] Sanjit A. Seshia and Randal E. Bryant. A boolean approach to un-
bounded, fully symbolic model checking of timed automata. Technical
Report CMS-CS-03-117, Carnegie Mellon University, 2003. URL http:
//www.eecs.berkeley.edu/~sseshia/pubdir/tr-03-117.ps.
[145] Michael Sipser. Introduction to the Theory of Computation. Thompson Course
Technology, Boston, MA, USA, second edition, 2006.
[146] Christoffer Sloth and Rafael Wisniewski. Verification of continuous dy-
namical systems by timed automata. Formal Methods in System Design, 39
(1):1–36, August 2011. ISSN 0925-9856. doi: http://dx.doi.org/10.1007/
s10703-011-0118-0.
[147] Oleg V. Sokolsky and Scott A. Smolka. Local model checking for real-time
systems. In Pierre Wolper, editor, Proceedings of the 7th International Confer-
ence on Computer Aided Verification (CAV ’95), volume 939 of Lecture Notes in
Computer Science, pages 211–224. Springer Berlin Heidelberg, July 1995. doi:
http://dx.doi.org/10.1007/3-540-60045-0_52.
[148] Alfred Tarski. A lattice-theoretical fixpoint theorem and its appli-
cations. Pacific Journal of Mathematics, 5(2):285–309, 1955. URL
http://www.projecteuclid.org/DPubS?verb=Display&version=1.
0&service=UI&handle=euclid.pjm/1103044538&page=record.
[149] Serdar Tasiran, Rajeev Alur, Robert P. Kurshan, and Robert K. Brayton. Ver-
ifying abstractions of timed systems. In Ugo Montanari and Vladimiro Sas-
sone, editors, Proceedings of the 7th International Conference on Concurrency
Theory (CONCUR ’96), volume 1119 of Lecture Notes in Computer Science,
Bibliography 320
pages 546–562. Springer Berlin Heidelberg, 1996. ISBN 3-540-61604-7. doi:
http://dx.doi.org/10.1007/3-540-61604-7_75.
[150] Stavros Tripakis. Verifying progress in timed systems. In Joost-Pieter Ka-
toen, editor, Formal Methods for Real-Time and Probabilistic Systems, volume
1601 of Lecture Notes in Computer Science, pages 299–314. Springer Berlin
Heidelberg, 1999. doi: http://dx.doi.org/10.1007/3-540-48778-6_18.
[151] Stavros Tripakis. Checking timed büchi automata emptiness on simulation
graphs. ACM Transactions on Computational Logic, 10(3):1–19, 2009. ISSN
1529-3785. doi: http://doi.acm.org/10.1145/1507244.1507245.
[152] Stavros Tripakis and Sergio Yovine. Analysis of timed systems using
time-abstracting bisimulations. Formal Methods in System Design, 18(1):25–
68, January 2001. ISSN 0925-9856 (Print) 1572-8102 (Online). doi: http:
//dx.doi.org/10.1023/A:1008734703554.
[153] Farn Wang. Clock restriction diagram: Yet another data-structure for fully
symbolic verification of timed automata. Technical Report TR-IIS-01-002,
Institute of Information Science, Academia Sinica, 2001.
[154] Farn Wang. Efficient verification of timed automata with BDD-like data-
structures. In Lenore D. Zuck, Paul C. Attie, Agostino Cortesi, and Supratik
Mukhopadhyay, editors, Proceedings of the 4th International Conference on Ver-
ification, Model Checking, and Abstract Interpretation (VMCAI ’03), volume
2575 of Lecture Notes in Computer Science, pages 189–205. Springer Berlin
Heidelberg, 2003. ISBN 3-540-00348-7. doi: http://dx.doi.org/10.1007/
3-540-36384-X_17.
[155] Farn Wang. Efficient verification of timed automata with BDD-like data
structures. International Journal on Software Tools for Technology Trans-
fer, 6(1):77–97, 2004. ISSN 1433-2779. doi: http://dx.doi.org/10.1007/
s10009-003-0135-4.
[156] Farn Wang. Formal verification of timed systems: A survey and perspective.
Proceedings of the IEEE, 92(8):1283–1307, 2004. doi: http://dx.doi.org/10.
1109/JPROC.2004.831197.
[157] Farn Wang. Redlib for the formal verification of embedded systems. In
Proceedings of the Second Internation Symposium on Leveraging Applications of
Formal Methods, Verification and Validation (ISoLA ’06), pages 341–346. IEEE
Computer Society, November 2006. doi: http://dx.doi.org/10.1109/ISoLA.
2006.68.
Bibliography 321
[158] Farn Wang. Specification formalisms and models. In Benjamin Wah, editor,
Wiley Encyclopedia of Computer Science and Engineering, pages 2775–2789. John
Wiley & Sons, Inc., 2007. doi: http://dx.doi.org/10.1002/9780470050118.
ecse410.
[159] Farn Wang. Time-progress evaluation for dense-time automata with con-
cave path conditions. In Sungdeok Cha, Jin-Young Choi, Moonzoo Kim,
Insup Lee, and Mahesh Viswanathan, editors, Proceedings of the 6th In-
ternational Symposium on Automated Technology for Verification and Analysis
(ATVA ’08), volume 5311 of Lecture Notes in Computer Science, pages 258–
273, Seoul, Korea, October 2008. Springer Berlin Heidelberg. doi: http:
//dx.doi.org/10.1007/978-3-540-88387-6_24.
[160] Farn Wang and Pao-Ann Hsiung. Efficient and user-friendly verification.
IEEE Transactions on Computers, 51(1):61–83, January 2002. ISSN 0018-9340.
doi: http://dx.doi.org/10.1109/12.980017.
[161] Farn Wang, Geng-Dian Huang, and Fang Yu. TCTL inevitability analysis
of dense-time systems: From theory to engineering. IEEE Transactions on
Software Engineering, 32(7):510–526, July 2006. ISSN 0098-5589. doi: http:
//dx.doi.org/10.1109/TSE.2006.71.
[162] Farn Wang, Li-Wei Yao, and Ya-Lan Yang. Efficient verification of dis-
tributed real-time systems with broadcasting behaviors. Real-Time Sys-
tems, 47(4):285–318, 2011. ISSN 0922-6443. doi: http://dx.doi.org/10.1007/
s11241-011-9122-0.
[163] Sergio Yovine. KRONOS: a verification tool for real-time systems. Interna-
tional Journal on Software Tools for Technology Transfer, 1(1–2):123–133, 12 1997.
doi: http://dx.doi.org/10.1007/s100090050009.
[164] Sergio Yovine. Model checking timed automata. In Grzegorz Rozenberg
and Frits W. Vaandrager, editors, Lectures on Embedded Systems, volume 1494
of Lecture Notes in Computer Science, pages 114–152. Springer Berlin Heidel-
berg, November 1998. ISBN 3-540-65193-4. doi: http://dx.doi.org/10.1007/
3-540-65193-4_20.
[165] Dezhuang Zhang. Model Checking for Data-Based Concurrent Systems.
PhD thesis, State University of New York at Stony Brook, Decem-
ber 2005. URL http://proquest.umi.com/pqdweb?did=1092095351&sid=
1&Fmt=6&clientId=41143&RQT=309&VName=PQD.
Bibliography 322
[166] Dezhuang Zhang and Rance Cleaveland. Efficient temporal-logic query
checking for presburger systems. In Proceedings of the 20th IEEE/ACM in-
ternational Conference on Automated software engineering (ASE ’05), pages 24–
33, Long Beach, CA, USA, 2005. ACM. ISBN 1-59593-993-4. doi: http:
//doi.acm.org/10.1145/1101908.1101915.
[167] Dezhuang Zhang and Rance Cleaveland. Fast generic model-checking
for data-based systems. In Farn Wang, editor, Proceedings of the Interna-
tional Conference on the Formal Techniques for Networked and Distributed Sys-
tems (FORTE ’05), volume 3731 of Lecture Notes in Computer Science, pages
83–97. Springer Berlin Heidelberg, 2005. ISBN 978-3-540-29189-3. doi:
http://dx.doi.org/10.1007/11562436_8.
[168] Dezhuang Zhang and Rance Cleaveland. Fast on-the-fly parametric real-
time model checking. In Proceedings of the 26th IEEE International Real-Time
Systems Symposium (RTSS ’05), pages 157–166. IEEE Computer Society, 2005.
ISBN 0-7695-2490-7. doi: http://dx.doi.org/10.1109/RTSS.2005.22.
