Abstract. Interrupt Timed Automata (ITA), an expressive timed model, has been introduced in order to take into account interruptions, according to levels. Due to this feature, this formalism is incomparable with Timed Automata. However several decidability results related to reachability and model checking have been obtained. We add auxiliary clocks to ITA, thereby extending its expressive power while preserving decidability of reachability. Moreover, we define a parametrized version of ITA, with polynomials of parameters appearing in guards and updates. While parametric reasoning is particularly relevant for timed models, it very often leads to undecidability results. We prove that various reachability problems, including robust reachability, are decidable for this model, and we give complexity upper bounds for a fixed or variable number of clocks, levels and parameters.
Introduction
Timed and hybrid models. In order to model timed systems, the expressive model of Hybrid Automata (HA) has been proposed [1]. Since its expressive power leads to the undecidability of most verification problems, several semi-decision procedures have been designed for HA, as well as subclasses with decidability results like Timed Automata (TA) [2]. The model of interrupt timed automata (ITA) [3, 4] was proposed as a subclass of hybrid automata, incomparable with the class of timed automata, where task interruptions are taken into account. Hence ITA are particularly suited for the modelling of scheduling with preemption.
Parametric verification. Getting a complete knowledge of a system is often impossible, especially when integrating quantitative constraints. Moreover, even if these constraints are known, when the execution of the system slightly deviates from the expected behaviour, due to implementation choices, previously established properties may not hold anymore. Additionally, considering a wide range of values for constants allows for a more flexible and robust design.
Introducing parameters instead of concrete values is an elegant way of addressing these three issues. Parametrisation however makes verification more difficult. Besides, it raises new problems like parameter synthesis, i.e., finding the set (or a subset) of values for which some property holds.
Parameters for timed models. Among quantitative features, parametric reasoning is particularly relevant for timing requirements, like network delays, timeouts, response times or clock drifts.
Pioneering work on parametric real-time reasoning was presented in [5] for the now classical model of timed automata, with parameter expressions replacing the constants to be compared with clock values. Since then, many studies have been devoted to the parametric verification of timed models [6, 7, 8], mostly establishing undecidability results for questions like parametric reachability, even for a small number of clocks or parameters. Relaxing the completeness requirement or guaranteed termination, several methods and tools have been developed for parameter synthesis in timed automata [9, 10, 11], as well as in hybrid automata [12, 13]. Another research direction consists in defining subclasses of parametric timed models for which some problems become decidable [14, 15, 16]. Unfortunately, these subclasses are severely restricted. It is then a challenging issue to define expressive parametric timed models where reachability problems are decidable.
Contributions. Our contributions are twofold. First we define a more expressive version of ITA, including auxiliary clocks. We prove that this new model is strictly more expressive than the former one but retains decidability for the reachability problem. With respect to the complexity issues, we provide upper bounds: 2-EXPTIME in the general case, PSPACE when the number of levels is fixed and PTIME when the number of clocks is fixed. We also give a PSPACE matching lower bound when the number of levels is fixed.
Our second contribution is to enrich ITA with parameters in the spirit above. A PITA is a parametric version of ITA where polynomial parameter expressions can be combined with clock values both as additive and multiplicative coefficients. Considering only additive parametrisation, we reduce reachability to the same problem in basic ITA. This reduction entails complexity upper bounds of respectively 2-EXPTIME, PSPACE when the number of levels is fixed and PTIME when the number of clocks and parameters is fixed. The multiplicative setting is much more expressive and also very useful in practice, for instance to model clock drifts. We prove that reachability in parametric ITA is decidable as well as its robust variant, an important property for implementation issues. To the best of our knowledge, this is the first time such a result has been obtained for a model including a multiplicative parametrization. Furthermore, we establish upper bounds for the computational complexity: 2-EXPSPACE and

by $u$ and $v[u](x) = v(C_x)$ if $x := C_x$ is the update for $x$ in $u$. For instance, let $X = \{x_1, x_2, x_3\}$ be a set of three clocks. For valuation $v = (2, 1.5, 3)$ and update $u$ defined by $x_1 := 1 \wedge x_3 := x_3 - x_1$, applying $u$ to $v$ yields the valuation $v[u] = (1, 1.5, 1)$.
Interrupt Timed Automata
Definitions. The behaviour of an ITA can be viewed as the one of an operating system with interrupt levels. With each level are associated a set of states and a set of clocks partitioned into a main clock and auxiliary clocks. In a state of a given level, exactly one clock of this level is active (rate 1), while the other clocks at lower or equal levels are suspended (rate 0), and the clocks at higher levels are not yet activated and thus contain value 0. The enabling conditions on transitions, called guards, are constraints over clocks of the current level or main clocks of lower levels (with some restrictions). Transitions can update the clock values. If the transition decreases (resp. increases) the level, then each clock which is relevant after (resp. before) the transition can (1) be left unchanged, (2) be updated with a linear expression of main clocks of strictly lower levels or (3) be updated with another clock at the same level (with some restrictions). Roughly speaking, the restrictions are introduced to forbid at some level any (direct or indirect) influence of the auxiliary clocks at lower levels on the behaviour of the ITA.

Definition 1. An interrupt timed automaton (ITA) is a tuple $A = \langle \Sigma, n, Q, q_0, Q_f, \lambda, X, act, \Delta \rangle$, where:
- $\Sigma$ is a finite alphabet;
- $n$ is the number of levels;
- $Q$ is a finite set of states, $q_0$ is the initial state and $Q_f$ is a subset of $Q$ of final states. The mapping $\lambda : Q \to \{1, \ldots, n\}$ associates with each state its level. We denote by $Q_i = \lambda^{-1}(i)$ the set of states at level $i$;
- $X = \biguplus_{i=1}^{n} X_i$ is the set of clocks, partitioned according to the levels, where $X_i = \{x_i\} \uplus Y_i$ includes a main clock $x_i$ and a set of auxiliary clocks $Y_i$. The set of main clocks of levels less than $k$ is denoted by $X_{<k} = \{x_i \mid i < k\}$;
- $act : Q \to X$ with $q \in Q_i \Rightarrow act(q) \in X_i$ associates with a state its active clock;
The guard $\varphi$ is a constraint in $C(X_k, X_{<k})$.
• if $k \le k'$ then the update $u$ is of the form
where, when $z \in X_i$,
  • either $C_z = z$, meaning that $z$ is unchanged;
  • or $C_z = \sum_{j<i} a_j x_j + b$, i.e., $z$ is updated by an expression over main clocks of lower levels;
  • or $C_z = z'$ with $z' \in X_i$, i.e., $z$ is updated by another clock at the same level, under the condition that $z$ is not a main clock of level lower than the current one.
The semantics of an ITA is described by a transition system, where a configuration (q, v) consists of a state q of the ITA and a clock valuation v.
Definition 2. The semantics of an ITA $A$ is defined by the (timed) transition system $T_A = (S, s_0, \to)$. The set of configurations is $S = \{(q, v) \mid q \in Q, v \in \mathbb{R}^X\}$, with initial configuration $s_0 = (q_0, \mathbf{0})$. The relation $\to$ on $S$ consists of two types of steps:
Time steps: Only the active clock in a state can evolve, all other clocks are suspended. For a state q, a time step of duration d is defined by (q, v)
A run of $A$ is a finite path in the transition system $T_A$, which can be written as an alternating sequence of (possibly null) time and discrete steps. A state $q \in Q$ is reachable from $q_0$ if there is a path in $T_A$ from $(q_0, \mathbf{0})$ to $(q, v)$, for some valuation $v$. A run with label $d_1 a_1 d_2 a_2 \ldots d_n a_n$ is accepting if it starts in $(q_0, \mathbf{0})$ and ends in $(q, v)$, for some $q \in Q_f$ and some valuation $v$. For such a run, the timed word $w$ (where pairs with $\varepsilon$ actions are removed) is said to be accepted by $A$. The timed language of $A$, denoted by $L(A)$, is the set of timed words accepted by $A$. The untimed language of $A$ is $Untime(L(A))$.
We now show several properties of this model linked to the presence of auxiliary clocks.
Example 1 (Simulation of timing policies). The earlier definition of ITA from [4] is a restriction of Definition 1 without auxiliary clocks but with a policy, which can be either urgent, delayed or lazy, associated with each state. In a lazy state time may elapse, in an urgent state time may not elapse and in a delayed state time must elapse. We show in Figure 1 how to model timing policies with a dedicated auxiliary clock per level, say $y_i$. When entering a state $q$ of level $i$ from a state $q'$ of level $j \ge i$, $y_i$ is updated with the active clock of $q$. By definition, when entering a state $q$ of level $i$ from a state $q''$ of level $k < i$, $y_i$ and the active clock of $q$ are null. Thus checking whether time has elapsed in $q$ is equivalent to checking whether $act(q) > y_i$. When $q$ is a lazy state there is nothing to check.

Consider the ITA $A_1$ of Figure 2, with a single level and a single final state $q_2$. The main clock $x$ is active in all states and $y$ is an auxiliary clock. Its untimed language is $(ab)^+$. In the accepted timed words, there is an occurrence of $a$ at each time unit and the successive occurrences of $b$ come each time closer to the next occurrence of $a$ than previously. More formally, its timed language $L = L(A_1)$ is defined by:
It has been shown in [4] that this timed language cannot be accepted by an ITA without auxiliary clocks, which yields the next proposition.
Proposition 1.
There exists a timed language of an ITA with a single level and one auxiliary clock that cannot be accepted by an ITA without auxiliary clocks.
Adding auxiliary clocks also has an impact on the complexity of decision problems for ITA. In [4], it is shown that the state reachability problem is in PTIME for a fixed number of levels without auxiliary clocks. The next proposition establishes a lower bound for this problem in ITA with a single level.

Proof. We proceed by reducing the planification problem to our reachability problem. The planification problem is defined by $n$ propositional variables $p_1, \ldots, p_n$ and a set $R$ of $m$ rules. Each rule $r \in R$ is defined by a guard $\bigwedge_{j=1}^{k} l_j$, with literals $l_j \in \{p_1, \neg p_1, \ldots, p_n, \neg p_n\}$, and an update $\bigwedge_{j=1}^{h} p_{\alpha_j} := b_j$ with $b_j \in \{\mathit{false}, \mathit{true}\}$. Initially all propositions are false and the planification problem consists in deciding whether there exists a sequence of rules $r_1 \ldots r_k$ applicable from the initial state and leading to the state where all propositions are true. The corresponding ITA has $n$ auxiliary clocks $y_1, \ldots, y_n$ and two states $q_0$ (the initial one) and $q_1$ (the final one), both with active clock $x_1$. Each rule yields a transition looping around $q_0$, and an additional transition from $q_0$ to $q_1$ "checks" that the goal has been reached. This reduction is illustrated in Figure 3.

We prove in this section that the untimed language of an ITA is a regular language for which a finite automaton can effectively be built. Similarly to previous cases, the proof is based on the construction of a (finite) class graph which is time-abstract bisimilar to the transition system $T_A$. This result also holds for infinite words with standard Büchi conditions. As a consequence, we obtain decidability of the reachability problem, as well as decidability for plain CTL$^*$ model checking. The construction of classes is much more involved than in the case of TA. More precisely, it depends on the expressions occurring in the guards and updates of the automaton (while in TA it depends only on the maximal constant occurring in the guards).
Given an ITA $A$ with $n$ levels, we associate with each state $q$ of $A$ a set of expressions $Exp(q)$ with the following meaning: the clock values giving the same ordering of these expressions correspond to a class. In order to define $Exp(q)$, we first build a family of sets $\{E_k\}_{1 \le k \le n}$ and set $Exp(q) = \bigcup_{k \le \lambda(q)} E_k$. Finally we show in Theorem 1 how to build the class graph, which proves the regularity of the untimed language. This immediately yields a reachability procedure, given in Theorem 2.
Construction of $\{E_k\}_{k \le n}$
We first recall the normalization operation [4] , on expressions relative to some level. As explained below, this operation will be used to order expression values at a given level.
Definition 3 (Normalization). Let $k \le n$ and $C = \sum_{i \le k} a_i x_i + b$ be an expression over clocks in $X_{<k+1}$. The $k$-normalization of $C$, denoted by $norm(C, k)$, is defined by:
Let $C \bowtie 0$ be a guard occurring in a transition outgoing from a state $q$ with level $k$ and $C = a_k z + \sum_{i<k} a_i x_i + b$ with $z \in X_k$ (in the saturation procedure we do not consider guards of the form $z - z'$ with $z, z'$ in $X_k$). By rescaling the expression and, if necessary, changing the comparison operator, we may assume that $C$ is written as $\alpha z + \sum_{i<k} a_i x_i + b$, with $\alpha \in \{0, 1\}$.
The construction of $\{E_k\}_{k \le n}$ must be adapted to handle auxiliary clocks. It proceeds top down from level $n$ to level 1, after the initialization $E_k = X_k \cup \{0\}$ for all $k$. When level $k$ is handled, new terms are added to $E_i$ for $1 \le i \le k$. These expressions are those needed to compute a (pre)order on the expressions in $E_k$.
1. At level $k$, first for each expression $\alpha z + \sum_{i<k} a_i x_i + b$ (with $\alpha \in \{0, 1\}$ and $z \in X_k$) occurring in a guard of an edge leaving a state of level $k$, we add $-\sum_{i<k} a_i x_i - b$ to $E_k$.
2. Then the following procedure is iterated until no new term is added to any $E_i$.
Observe that, due to our restrictions on updates, $C[u]$ is still either of the form $z \in X_k$ or of the form $\sum_{j<k} a_j x_j + b$.
, choosing an arbitrary order between $C$ and $C'$ in order to avoid redundancy. Let us write $C''$ as $\alpha x_{\lambda(q)} + \sum_{i<\lambda(q)} a_i x_i + b$ with $\alpha \in \{0, 1\}$. Then we add
Lemma 1. For an ITA $A$, let $H$ be the number of constraints in the guards, $U$ the number of updates in the transitions (we assume $U \ge 2$) and $M = \max\{\mathrm{card}(X_k) \mid 1 \le k \le n\}$. The construction procedure of $\{E_k\}_{k \le n}$ terminates and the size of every $E_k$ is bounded by $(H + M)$
Proof. Given some $k$, we prove the termination of the stage relative to $k$. Observe that step 2 of the iteration only adds new expressions to $E_h$ for $h < k$. Thus steps 1 and 2 can be ordered. Let us prove the termination of step 1. We define $E_k^0$ as the set $E_k$ at the beginning of this stage and $E_k^i$ as this set after insertion of the $i$-th item in it. With each added item $C[u]$ can be associated its father $C$. Thus we can view $E_k$ as an increasing forest with finite degree (due to the finiteness of the edges) and finitely many roots. Assume that this step does not terminate. Then we have an infinite forest and, by König's lemma, it has an infinite branch $C_0, C_1, \ldots$ where
Observe that updates of the form $x := x'$ do not modify the set. Moreover, the number of updates that change the variables $x \in X_k$ is either 0 or 1, since once $x$ disappears it cannot appear again. We split the branch into two parts, before and after this update, or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude with the same reasoning that there is at most one update that changes the variables $x \in X_{k-1}$. Iterating this process, we conclude that the number of updates is at most $2^k - 1$ and the length of the branch is at most $2^k$. The final size of $E_k$ is thus at most $|E_k^0| \times U^{2^k}$, since the width of the forest is bounded by $U$. In step 2, we add at most $U \times (|E_k| \times (|E_k| - 1))/2$ expressions to $E_i$ for every $i < k$. This concludes the proof of termination.
We now prove by a backward induction that as soon as $n \ge 2$,
. The doubly exponential size of $E_n$ (proved above) is propagated downwards by the saturation procedure. We define $p_k = |E_k|$.
$n$, which is the claimed bound.
Inductive case. Assume that the bound holds for $k < j \le n$. Due to all executions of step 2 of the procedure at strictly higher levels, $p_k^0$ expressions were added to $E_k$, with:
(replacing all terms by the largest)
(here we use $U \ge 2$ and $n \ge 2$)
Taking into account step 1 of the procedure for level $k$, we have:
Let us consider the term $\delta = 2$
In order to analyze the space requirements triggered by the saturation procedure, we establish the following lemma bounding the number of bits used for integers involved in the rational constants of expressions in all E k .
Lemma 2. Let $A$ be an ITA, and let $b_0$ be the maximal number of bits for integers occurring in $A$. If $b$ is the number of bits of an integer constant occurring in an expression of some
Proof. Without loss of generality we assume that $b_0 \ge 2$. We also assume that there is a single denominator $s$ for the rationals occurring in updates, since it only induces a polynomial blow-up. Let $b_k$ be the number of bits of an integer occurring in some expression before the operations of level $n - k$ are performed. We establish a relation between $b_k$ and $b_{k+1}$. At level $n - k$, step 1 involves a normalization on guards. Thus a numerator is multiplied by a denominator to produce the new integers, leading to a number of bits $2b_k$. For an expression that was already present in $E_{n-k}$, its coefficients are modified in order to get a common denominator, by taking the product of the original denominators. After this transformation the maximal number of bits is bounded by $(n - k + 1)b_k$. Let $C = \sum_{i \le n-k} a_i x_i + b$ be an expression built after step 2(a). Examining the successive updates, the coefficient $a_i$ can be expressed as $\sum_{d \in D} \prod_{j \in d} c_{d,j}$, where $D$ is the set of subsets of $\{i, \ldots, n - k\}$ containing $i$ and the $c_{d,j}$ are either coefficients of the updates or coefficients of an expression built before this step. The same reasoning applies to $b$. Before summing the products over $d \in D$, the integers are transformed in order to get the same denominator, by multiplying every denominator (and corresponding numerator) by $s^i$ with $0 \le i \le n - k$. So the maximal absolute value of the numerator of such a coefficient is bounded
which implies a maximal number of bits equal to $(n - k + 1)^2 (2b_k + 1)$ for the numerators of the $a_i$'s and $b$. The maximal absolute value of the denominator of such a coefficient is less than $(2^{(n-k+1)b_k})^{n-k+1} \, 2^{(n-k)b_0}$, which implies a maximal number of bits bounded by $(n - k + 1)^2 (2b_k)$ for the denominators of the $a_i$'s and $b$.
requires computing the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $(n - k + 1)^2 (4b_k + 2)$ for the numerators of its coefficients and $(n - k + 1)^2 (4b_k)$ for the denominators. The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients, leading to a bound $(n - k + 1)$
, which yields the desired bound.
Construction of the class automaton
In order to analyze the size of the class automaton defined below, we recall an adaptation of a classical result about partitions of $n$-dimensional Euclidean spaces.
Definition 4. Let $\{H_k\}_{1 \le k \le m}$ be a family of hyperplanes of $\mathbb{R}^n$. A region defined by this family is a connected component of $\mathbb{R}^n \setminus \bigcup_{1 \le k \le m} H_k$. An extended region defined by this family is a connected component of $\bigcap_{k \in I} H_k \setminus \bigcup_{k \notin I} H_k$, where $I \subseteq \{1, \ldots, m\}$, with the convention that $\bigcap_{k \in \emptyset} H_k = \mathbb{R}^n$.
Proposition 3.

Proof. Starting from an ITA $A$, and handling auxiliary clocks, we build a finite automaton which is time-abstract bisimilar to the transition system $T_A$ and thus accepts $Untime(L(A))$.
Class definition. A state of the automaton, called a class, is a syntactical representation of a subset of reachable configurations. It is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where $q$ is a state and $\preceq_k$ is a total preorder over $E_k$, for $1 \le k \le \lambda(q)$. The class $R$ describes the set of configurations:
The initial state is the class $R_0$ such that $[[R_0]]$ contains $(q_0, \mathbf{0})$; it can be straightforwardly determined. The final states are all classes $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ with $q \in Q_f$.
Observe that, for a fixed state, the set of configurations $[[R]]$ of a non-empty class $R$ is exactly an extended region associated with the hyperplanes defined by the comparison of two expressions of some $E_k$. An upper bound for the total number of expressions of any level is given by $(H + M)$
, hence an upper bound on the number of hyperplanes is obtained by squaring this number,
. Using Point 2. of Proposition 3, the number of semantically different classes for a given state is bounded by:
(1)
where $K = \sum_{k=1}^{n} \mathrm{card}(X_k) \le nM$ is the total number of clocks. Since semantical equality between classes can be tested in polynomial time w.r.t. their size [18], we implicitly consider in the sequel of the proof classes modulo the semantical equivalence.
There are two kinds of transitions, corresponding to discrete steps and abstract time steps.
. This can be decided as follows.
Firability condition. For a transition $e$ as above at level $\ell = \lambda(q)$, write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$. Since we assumed rescaled guards, for every $j$,
In the first case $C'_j = -\sum_{i<\ell} a_i x_i - b$ and $z$ belong to $E_\ell$, and in the second case $z, z' \in E_\ell$, both by construction. For each $j \in J$, we define a condition depending on $\bowtie_j$. For instance, in the first case, if the constraint in $\varphi$ is $C_j \le 0$, we check that
The second case is handled similarly.
. Due to our restrictions on updates, for $i \le \ell$, $x_i[u]$ can only be equal to $x_i$ or to $\sum_{j<i} \alpha_j x_j + \beta$. Thus $D$ can be written as
, the time successor of R, which is defined as follows.
For every $i < \ell$, we define
induced by the preorder. On equivalence classes, this (total) preorder becomes a (total) order. Let $V$ be the equivalence class containing $act(q)$.
1. Either $V = \{act(q)\}$ and it is the greatest equivalence class. Then
From the properties above, this finite automaton accepts $Untime(L(A))$.
Theorem 2. The reachability problem for Interrupt Timed Automata is decidable and belongs to 2-EXPTIME. It is in PTIME when the number of clocks is fixed and PSPACE-complete when the number of levels is fixed.
Proof. The reachability problem is solved by building the class graph and applying a standard reachability algorithm. The number of expressions in the $E_k$'s is doubly exponential w.r.t. the size of the model (see Lemma 1). The size of an expression is exponential w.r.t. the size of the model (see Lemma 2). So the size of a class representation is also doubly exponential in the size of the model. The size of the graph, bounded by the number of semantically different classes, is only polynomial w.r.t. the size of a class due to Point 2. of Proposition 3. This leads to a 2-EXPTIME complexity. Observe that no complexity gain can be obtained by a non-deterministic search without building the graph. Again using these lemmas and Point 2. of Proposition 3, when the number of clocks is fixed the size of the graph is at most polynomial in the size of the problem, leading to a PTIME procedure. On the other hand, when the number of levels is fixed, the size of a class representation is polynomial while the number of classes is exponential (see $K$ in Equation (1)). Thus a non-deterministic search can be performed without building the graph, which yields a complexity in PSPACE. The PSPACE-hardness is a consequence of Proposition 2.
Parametric ITA are similar to ITA but they include polynomials of parameters from a set $P$ in guards and updates. Given two sets $F, G$, we denote by $Pol(F, G)$ the set of polynomials with variables in $F$ and coefficients in $G$, and by $Frac(F, G)$ the set of rational functions with variables in $F$ and coefficients in $G$ (i.e. quotients of polynomials). Observe that $Lin(F, G)$ can be seen as the subset of polynomials with degree at most one.
Definition 5. A parametric interrupt timed automaton (PITA) is a tuple $A = \langle P, \Sigma, n, Q, q_0, Q_f, \lambda, X, act, \Delta \rangle$, where:
- $P$ is a finite set of parameters,
- all other elements are defined as for ITA, except that expressions appearing in guards or updates belong to $Lin(X, Pol(P, \mathbb{Q}))$: in such an expression $\sum_{z \in Z} a_z z + b$, the $a_z$'s and $b$ are polynomials over $P$ with coefficients in $\mathbb{Q}$.
This definition implies that an ITA is a PITA with P = ∅. When all expressions occurring in guards and updates are in Lin(X ∪P, Q) (which can be seen as a subset of Lin(X, Pol(P, Q))), the PITA is said to be additively parametrised. In contrast, in the general case, it is called multiplicatively parametrised.
As in the unparametrized case, updates operate on expressions. For instance, for clocks in $X = \{x_1, x_2\}$, parameters in $P = \{p_1, p_2, p_3\}$, expression $C = p_2 x_2 - 2x_1 + 3p_1$ and the update $u$ defined by
Note that the use of multiplicative parameters for clocks may result in polynomial coefficients when updates are applied. Here a clock valuation is a mapping $v : X \to Pol(P, \mathbb{R})$. For a valuation $v$ and an expression $C \in Lin(X, Pol(P, \mathbb{Q}))$, $v(C) \in Pol(P, \mathbb{R})$ is obtained by evaluating $C$ w.r.t. $v$. Given an update $u$ and a valuation $v$, the valuation $v[u]$ is defined by $v[u](x) = v(C_x)$ for $x$ in $X$ if $x := C_x$ is the update for $x$ in $u$, and $v[u](x) = v(x)$ otherwise. For instance, let $X = \{x_1, x_2, x_3\}$ be a set of three clocks. For valuation $v = (2p_2, 1.5, 3p$

A parameter valuation is a mapping $\pi : P \to \mathbb{R}$. For a parameter valuation $\pi$ and an expression $C \in Lin(X, Pol(P, \mathbb{Q}))$, $\pi(C) \in Lin(X, \mathbb{R})$ is obtained by evaluating $C$ w.r.t. $\pi$. If $C \in Pol(P, \mathbb{Q})$, then $\pi(C) \in \mathbb{R}$. Given a parameter valuation $\pi$, a clock valuation $v$ and an expression $C \in Lin(X, Pol(P, \mathbb{Q}))$, we write $\pi, v \models C \bowtie 0$ when $\pi(v(C)) \bowtie 0$.
Given a parameter valuation π and a PITA A, substituting the parameters by their value according to π yields an ITA, denoted by A(π), where the coefficients of clocks are in R. So the semantics of A w.r.t. parameter valuation π is defined by the (timed) transition system T A(π) . A state q is reachable from q 0 for valuation π if q is reachable from q 0 in A(π).
Example 3.
A PITA $A_2$ is depicted in Fig. 4(a), with two interrupt levels. Every level $i$ has only a main clock $x_i$. Fixing the parameter valuation $\pi$: $p_1 = 5$ and $p_2 = -1$, the clock valuation $(4, 3)$ is obtained as follows. After staying in $q_1$ for 4 time units, $a$ can be fired and the value of $x_1$ is then frozen in state $q_2$, while $x_2$ increases. Transition $b$ can be taken if $x_1 + p_2 x_2 = 2$, hence for $x_2 = 2$, after which $x_2$ is updated to $x_2 = (p_1 - 4p_2^2)\,4 + p_2 = 3$. A geometric view of this run w.r.t. $\pi$ is given (in bold) in Fig. 4(b).

Reachability problems. We consider several reachability problems for this class. Let $A$ be a PITA with initial state $q_0$ and $q$ be a state of $A$. The Existential (resp. Universal) Reachability Problem asks whether $q$ is reachable from $q_0$ for some (resp. all) parameter valuation(s). Scoped variants of these problems are obtained by adding as input a set of parameter valuations given by a first-order formula over the reals or a polyhedral constraint. The Robust Reachability Problem asks whether there exists a parameter valuation $\pi$ and a real $\varepsilon > 0$ such that for all $\pi'$ with $\|\pi - \pi'\|_\infty < \varepsilon$, $q$ is reachable from $q_0$ for $\pi'$ (where $\|\pi\|_\infty = \max_{p \in P} |\pi(p)|$). When satisfied, this property ensures that small parameter perturbations do not modify the reachability result. It is also related to parameter synthesis, where a valuation has to be enlarged to an open region with the same reachability goal.
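The run of Example 3, replayed by a small interpreter for the semantics of Definition 2 under a fixed parameter valuation; this is an added example, not code from the paper. It encodes only what the text states about $A_2$ (two levels, main clocks $x_1$ and $x_2$, the guard $x_1 + p_2 x_2 = 2$ and the update $x_2 := (p_1 - 4p_2^2) x_1 + p_2$ of $b$); the target state `q3` of $b$ and $q_1$ being the initial state are assumptions, since Fig. 4(a) is not reproduced on the page.

```python
from fractions import Fraction
from dataclasses import dataclass, field

Q = Fraction

# An expression of Lin(X, Pol(P, Q)) is a dict {clock: coefficient, "1": constant};
# each coefficient is a function of the parameter valuation pi (a polynomial in P).
def evaluate(expr, pi, v):
    """pi(v(C)): substitute the parameters, then the clock values."""
    return sum(coef(pi) * (1 if z == "1" else v[z]) for z, coef in expr.items())

@dataclass
class Transition:
    src: str
    dst: str
    label: str
    guard: list = field(default_factory=list)   # (expr, op) pairs meaning "expr op 0"
    update: dict = field(default_factory=dict)  # clock -> expr, applied simultaneously

@dataclass
class PITA:
    level: dict   # state -> level
    act: dict     # state -> active clock of that state
    clocks: list
    transitions: list

OPS = {"=": lambda a: a == 0, "<": lambda a: a < 0, "<=": lambda a: a <= 0,
       ">": lambda a: a > 0, ">=": lambda a: a >= 0}

def time_step(A, q, v, d):
    """Time step of duration d: only act(q) evolves, all other clocks are suspended."""
    w = dict(v)
    w[A.act[q]] += Q(d)
    return w

def discrete_step(A, pi, q, v, label):
    """Fire the transition `label` leaving q if its guard holds for (pi, v).
    Returns the new configuration, or None when no such transition is enabled."""
    for t in A.transitions:
        if t.src != q or t.label != label:
            continue
        if all(OPS[op](evaluate(C, pi, v)) for C, op in t.guard):
            w = dict(v)
            for z, C in t.update.items():
                w[z] = evaluate(C, pi, v)   # v[u](z) = v(C_z), computed on the old valuation
            return t.dst, w
    return None

def run(A, pi, q0, schedule):
    """Alternate time and discrete steps from (q0, 0); None if a guard fails."""
    q, v = q0, {z: Q(0) for z in A.clocks}
    for d, label in schedule:
        v = time_step(A, q, v, d)
        step = discrete_step(A, pi, q, v, label)
        if step is None:
            return None
        q, v = step
    return q, v

# Constructed model of A_2 (Example 3): level 1 has main clock x1, active in q1;
# level 2 has main clock x2, active in q2.  Transition b is guarded by
# x1 + p2*x2 = 2 and updates x2 := (p1 - 4 p2^2) x1 + p2.  The target state
# "q3" of b is an assumption (the figure is not on the page).
A2 = PITA(
    level={"q1": 1, "q2": 2, "q3": 2},
    act={"q1": "x1", "q2": "x2", "q3": "x2"},
    clocks=["x1", "x2"],
    transitions=[
        Transition("q1", "q2", "a"),
        Transition("q2", "q3", "b",
                   guard=[({"x1": lambda pi: Q(1), "x2": lambda pi: pi["p2"],
                            "1": lambda pi: Q(-2)}, "=")],
                   update={"x2": {"x1": lambda pi: pi["p1"] - 4 * pi["p2"] ** 2,
                                  "1": lambda pi: pi["p2"]}}),
    ],
)

def example3_run(pi=None):
    """Stay 4 time units in q1, fire a, stay 2 time units in q2, fire b."""
    pi = pi or {"p1": Q(5), "p2": Q(-1)}
    return run(A2, pi, "q1", [(4, "a"), (2, "b")])

if __name__ == "__main__":
    print(example3_run())   # ('q3', {'x1': Fraction(4, 1), 'x2': Fraction(3, 1)})
```

Running `run` with `p2 = 0` shows the degenerate case discussed for normalization later on: the guard of `b` collapses to `x1 - 2 = 0`, so `b` is enabled only if exactly 2 time units were spent in `q1`, whatever the delay in `q2`.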
Reachability Analysis with Additive Parametrization
We start with the easier particular case of additive parametrization, i.e., expressions occurring in guards and updates are linear expressions on clocks and parameters with rational coefficients. We first prove that the existential parametrized reachability problem can be reduced to the reachability problem on (non-parametrized) ITA.

there exists $\pi$ such that $q$ is reachable from $q_0$ in $A$ for $\pi$ iff $q$ is reachable from $q$
Proof. For any additively parametrized PITA $A$ with $n$ levels and $k$ parameters $p_1, \ldots, p_k$, we build an equivalent ITA $A'$ with $n + k + 1$ levels and then use the complexity results of section 3. The construction is shown in Fig. 5. The ITA $A'$ consists of a "prefix" (the first $k + 1$ levels) connected to the original automaton $A$ (with its $n$ levels). The main clocks of levels 1 to $k$ encode the parameters $p_1, \ldots, p_k$ of $A$. In order to simplify further references, we also call these clocks $p_1, \ldots, p_k$. Similarly, the main clock of the first level is called $p_0$. None of these $k + 1$ first levels has any auxiliary clock. Since level numbers start at 1, each clock $p_i$ is active in level $i + 1$ in (the prefix of) $A'$. In the first level of $A'$, clock $p_0$ is active. After some arbitrary time, a transition with no guard is taken to the state of the second level and clock $p_0$ is frozen. In the second level, clock $p_1$ is active and the same procedure continues: after some time a transition to the next level is taken, clock $p_1$ is frozen, and so on for the first $k$ levels. In these first $k$ levels, any run of $A'$ chooses a non-negative fixed value for the clocks $p_0, \ldots, p_{k-1}$, and hence almost for the parameters of $A$. Parameters may however have negative values, so level $k + 1$ serves as a technicality to choose the final sign of the corresponding clocks. This is done by assigning $p_{i-1}$ or $-p_{i-1}$ to clock $p_i$, between each two consecutive states, for all $i \in [1..k-1]$, in a run without any delay in any of the states of level $k+1$ (the other runs, with delays in the states of level $k+1$, overlap with those corresponding to other parameter valuations and are therefore not a problem). In the last state of level $k + 1$, the frozen clocks $p_1, \ldots, p_k$ can therefore have any arbitrary real value assigned. The automaton finally proceeds to the initial state of $A$, keeping the values of these additional clocks.
Since they correspond to levels lower than any level of $A$, they can be used liberally enough in the guards and updates of $A$. The obtained automaton $A'$ is an ITA and the parameters of $A$ are modeled as clocks in $A'$. Let $X$ be the set of clocks in $A$ and $X'$ be the set of clocks in $A'$ (thus $X' = X \cup \{p_0, \ldots, p_k\}$). For any subset $Y \subseteq X$ and a valuation $v$, we define the restriction of $v$ to $Y$ as the unique valuation $v_{|Y}$ on $Y$ such that $v_{|Y}(x) = v(x)$. We now show that a configuration $s = (q, v)$ is reachable in $A$ for some parameter valuation $\pi$ (i.e., in $A(\pi)$) iff there exists some configuration
On the one hand, if there exists a path to reach $s'$ in $A'$, then by construction this path goes through a configuration $(q_0, v_0)$ such that $(q_0, v_{0|X})$ is the initial configuration of $A$ (i.e. $v_{0|X}$ is the zero valuation). Let $\pi$ be the parameter valuation such that for all $i > 0$, $\pi(p_i) = v_0(p_i)$; then $s$ is reachable in $A(\pi)$. On the other hand, let $\pi$ be a parameter valuation and $v$ be a clock valuation on $X$ such that $(q, v)$ is reachable in $A(\pi)$. Then, using an appropriate run in the prefix, one reaches $(q_0, v_0)$ with $v_{0|X}$ the zero valuation and for all $i >$

Using Proposition 4 and Theorem 2, we can now give the main result of this section.
Theorem 3. The (polyhedral scoped) existential reachability problem is decidable for additively parametrised PITA, and belongs to 2-EXPTIME. It belongs to PTIME when the number of clocks and parameters is fixed. It is PSPACE-complete when the number of levels and parameters is fixed.
Proof. Following Proposition 4, every additively parametrised PITA can be transformed into an equivalent ITA, and the (unscoped) reachability problem of additively parametrised PITA is thus reduced to the reachability problem of ITA, already known to be decidable. The complexity results follow from the complexity results for ITA given in Theorem 2, since the size of $A'$ is only linear in the size of $A$: if there are $n$ levels, $N$ clocks, $k$ parameters, $x$ states and $y$ transitions in $A$, the number of levels, clocks, states and transitions in $A'$ are $n + k + 1$, $N + k + 1$, $x + 2k + 1$ and $y + 3k + 1$, respectively. With a polyhedral scope, given as a finite union of polyhedra, we need to guard the transition between the last state of the prefix and the initial state of $A$, in $A'$, by the given polyhedra (each polyhedron of the union could guard a different transition, as well).
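The prefix construction of Proposition 4, together with the prefix run that realises a given parameter valuation (the second direction of its proof), as an added example that is not the paper's code. It assumes one sign-choice stage per parameter at level $k+1$ (the count that yields the $x + 2k + 1$ states and $y + 3k + 1$ transitions stated in the proof of Theorem 3), performs those stages for $p_k$ down to $p_1$ so that no clock is overwritten before it is read, and keeps the guards of $A$ as opaque strings; the toy automaton `A` at the bottom is constructed.

```python
from fractions import Fraction
from dataclasses import dataclass, field

@dataclass
class Edge:
    src: str
    dst: str
    guard: str = "true"                          # guards of A are kept as opaque strings
    update: dict = field(default_factory=dict)   # clock -> (sign, clock): "clock := sign * clock"

@dataclass
class ITA:
    level: dict    # state -> level, levels start at 1
    act: dict      # state -> active (main) clock
    edges: list
    init: str

def add_parameter_prefix(A, params):
    """Build A' from an additively parametrised PITA A with parameters params
    (Proposition 4): k+1 new levels below A, clock p_i active at level i+1."""
    k = len(params)
    assert k >= 1
    p = [f"p{i}" for i in range(k + 1)]                 # clocks p_0 .. p_k
    level = {q: l + k + 1 for q, l in A.level.items()}  # A now sits on levels k+2 .. n+k+1
    act, edges = dict(A.act), list(A.edges)
    # Levels 1..k: one state s_i with active clock p_{i-1}; after an arbitrary delay
    # an unguarded edge moves up one level, which freezes p_{i-1}.
    for i in range(1, k + 1):
        level[f"s{i}"], act[f"s{i}"] = i, p[i - 1]
        if i < k:
            edges.append(Edge(f"s{i}", f"s{i+1}"))
    # Level k+1: states t_k, ..., t_0 with active clock p_k.  Between t_i and t_{i-1}
    # two edges assign p_i := p_{i-1} or p_i := -p_{i-1}; a run with no delay here
    # gives the frozen clocks p_1..p_k arbitrary real values (assumption: k stages).
    for i in range(k + 1):
        level[f"t{i}"], act[f"t{i}"] = k + 1, p[k]
    edges.append(Edge(f"s{k}", f"t{k}"))
    for i in range(k, 0, -1):
        for sign in (1, -1):
            edges.append(Edge(f"t{i}", f"t{i-1}", update={p[i]: (sign, p[i - 1])}))
    edges.append(Edge("t0", A.init))   # enter A keeping the values of p_0..p_k
    return ITA(level, act, edges, "s1")

def size(A):
    """(number of states, number of transitions)."""
    return len(A.level), len(A.edges)

def choose_prefix(params, pi):
    """Delays for levels 1..k and signs for level k+1 realising the valuation pi:
    the delay at level i sets p_{i-1} = |pi(p_i)|, the sign stage then restores the sign."""
    delays = [abs(Fraction(pi[q])) for q in params]
    signs = [1 if Fraction(pi[q]) >= 0 else -1 for q in params]
    return delays, signs

def replay_prefix(A_prime, k, delays, signs):
    """Simulate the prefix of A': during a delay only the active clock advances,
    edges apply their updates.  Returns the state and valuation on entering A."""
    v = {f"p{i}": Fraction(0) for i in range(k + 1)}
    q = A_prime.init
    for i in range(1, k + 1):                    # levels 1..k: delay, then move up
        v[A_prime.act[q]] += delays[i - 1]
        q = next(e.dst for e in A_prime.edges if e.src == q)
    for i in range(k, 0, -1):                    # level k+1: no delay, stages p_k .. p_1
        wanted = {f"p{i}": (signs[i - 1], f"p{i-1}")}
        e = next(e for e in A_prime.edges if e.src == q and e.update == wanted)
        for z, (sign, src) in e.update.items():
            v[z] = sign * v[src]
        q = e.dst
    q = next(e.dst for e in A_prime.edges if e.src == q)   # t_0 -> initial state of A
    return q, v

# Constructed toy A: two states on one level, one edge whose guard mentions p1 and p2.
A = ITA(level={"q0": 1, "q1": 1}, act={"q0": "x1", "q1": "x1"},
        edges=[Edge("q0", "q1", guard="x1 - p1 - p2 >= 0")], init="q0")
PARAMS = ["p1", "p2"]
A_PRIME = add_parameter_prefix(A, PARAMS)

def realise(pi):
    """Run the prefix of A_PRIME so that, in A's initial state, clock p_i holds pi(p_i)."""
    delays, signs = choose_prefix(PARAMS, pi)
    return replay_prefix(A_PRIME, len(PARAMS), delays, signs)

if __name__ == "__main__":
    print(size(A), size(A_PRIME))     # (2, 1) (7, 8)
    print(realise({"p1": -3, "p2": 2}))
```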
Reachability Analysis with Multiplicative Parametrization
We now focus on the multiplicative case and this section is devoted to the proof of the following result:
Theorem 4. The (scoped) existential, universal and robust reachability problems for PITA are decidable and belong to 2-EXPSPACE. The complexity reduces to PSPACE when the number of levels is fixed.
We first present the main ideas underlying the proof, which is based on the proof of Theorem 2 but extends it with the handling of parameters. Given a PITA A, the first step is to build a finite partition of the set $\mathbb{R}^P$ of parameter valuations. An element Π of this partition is specified by a satisfiable first-order formula over $(\mathbb{R}, +, \times)$, with the parameters as variables. Intuitively, inside Π the qualitative behaviour of A does not depend on the precise parameter valuation. In a second step, we build a finite automaton $R(\Pi)$ for each nonempty Π. In $R(\Pi)$, a state R, again called a class, defines a set $[[R]]_\pi$ of reachable configurations of $\mathcal{T}_{A(\pi)}$ for a valuation $\pi \in \Pi$. The transition relation of $R(\Pi)$ contains discrete steps $R \xrightarrow{e} R'$ (for a transition e of A) and abstract time steps $R \to Post(R)$ with the following properties:
Hence, we obtain a finite family of abstract time bisimulations of the transition systems T A(π) , for all parameter valuations, which gives the decidability result.
Although the construction of $R(\Pi)$ is similar to the one for ITA, the expressions in the sets $\{E_k\}_{k \le n}$ now contain polynomials of parameters. The main difference is the normalization operation of an expression $\sum_{i \le k} a_i x_i + b$, which depends on the polynomial $a_k$. For instance, consider the expression $p_2 x_2 + x_1 - 2$, which appears in automaton $A_2$ of Fig. 4(a) compared to 0. For a valuation where $p_2 = 0$, normalization should yield $x_1 - 2$. If $p_2 \neq 0$, the operation should yield $-\frac{x_1 - 2}{p_2}$. In addition, the case $p_2 \neq 0$ should be split depending on the sign of $p_2$, since the operation could change the comparison operator involved in a guard. Therefore, we also need to define a set PolPar of polynomials appearing in denominators, like $p_2$.
Construction of PolPar and expressions $\{E_k\}_{k \le n}$
In the spirit of normalization, we define three operations on expressions, relative to a level k, to help build the elements of $E_k$ to which the active clock of level k will be compared.
Definition 6. Let $k \le n$ be some level and let C be an expression in $Lin(X_{<n+1}, Frac(P, \mathbb{Q}))$, $C = \sum_{i \le n} a_i x_i + b$ with $a_k = r_k / s_k$, for some $r_k$ and $s_k$ in $Pol(P, \mathbb{Q})$. We associate with C the following expressions:
In the previous example, comp corresponds to $x_1 - 2$ while compnorm corresponds to $-\frac{x_1 - 2}{p_2}$. More examples are given after the construction of PolPar and $\{E_k\}_{k \le n}$. This construction proceeds top-down from level n to level 1, after initialising PolPar to ∅ and $E_k$ to $X_k \cup \{0\}$ for all k. When handling level k, we add new terms to $E_i$ for $1 \le i \le k$.
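As an added illustration (not code from the paper), the following Python implements lead, comp and compnorm on expressions whose coefficients are rational functions of the parameters; the representation (pairs of polynomials stored as dicts of monomials with Fraction coefficients, without cancellation) is our own choice, and the inputs are the guards $C_2 = p_2 x_2 + x_1 - 2$ and $C_1 = x_1 - p_1$ handled in Example 4 below.

```python
from fractions import Fraction
# Added example, not the paper's code.  Polynomials over the parameters are dicts
# {monomial: Fraction}, a monomial being a sorted tuple of (parameter, exponent) pairs;
# () is the constant monomial, {} the zero polynomial.  A coefficient a_i = r_i / s_i is
# a pair of polynomials (never cancelled); an expression C = sum_i a_i x_i + b is a
# dict {clock index: coefficient} with the constant b stored under index 0.

def const(c):
    return {(): Fraction(c)} if c != 0 else {}

def param(name):
    return {((name, 1),): Fraction(1)}

def poly_mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = dict(m1)
            for var, e in m2:
                exps[var] = exps.get(var, 0) + e
            m = tuple(sorted(exps.items()))
            out[m] = out.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in out.items() if c != 0}

def poly_neg(p):
    return {m: -c for m, c in p.items()}

def is_rational(p):
    # A polynomial lies in Q iff no monomial mentions a parameter.
    return all(m == () for m in p)

def lead(C, k):
    # lead(C, k): the coefficient a_k of the active clock x_k (0/1 when absent).
    return C.get(k, ({}, const(1)))

def comp(C, k):
    # comp(C, k): C without its level-k term, i.e. sum_{i != k} a_i x_i + b.
    return {i: a for i, a in C.items() if i != k}

def compnorm(C, k):
    # compnorm(C, k) = -comp(C, k) / a_k, defined only when a_k is not the zero
    # polynomial; each -(r_i/s_i) / (r_k/s_k) is formed as (-(r_i s_k)) / (s_i r_k).
    r_k, s_k = lead(C, k)
    if not r_k:
        raise ValueError("compnorm(C, k) is undefined when a_k = 0")
    return {i: (poly_neg(poly_mul(r_i, s_k)), poly_mul(s_i, r_k))
            for i, (r_i, s_i) in comp(C, k).items()}

def joins_polpar(C, k):
    # Step 1 of the construction adds lead(C, k) to PolPar only when it is not in Q.
    r, s = lead(C, k)
    return not (is_rational(r) and is_rational(s))

# Guards of the automaton A_2 of Fig. 4(a), as written in Example 4.
C_2 = {2: (param("p_2"), const(1)), 1: (const(1), const(1)), 0: (const(-2), const(1))}
C_1 = {1: (const(1), const(1)), 0: (poly_neg(param("p_1")), const(1))}
```

Running `compnorm(C_2, 2)` gives the coefficient pairs of $-\frac{x_1 - 2}{p_2}$, i.e. $-1/p_2$ for $x_1$ and $2/p_2$ for the constant, while `compnorm(C_1, 1)` reduces to the constant $p_1$.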
1. At level k, the first step consists in adding new expressions to $E_k$ and new polynomials to PolPar. More precisely, let C be any expression occurring in a guard of an edge leaving a state of level k. We add lead(C, k) to PolPar when it does not belong to $\mathbb{Q}$, and we add comp(C, k) and compnorm(C, k) to $E_k$ when they are defined.
2. The second step consists in iterating the following procedure until no new term is added to any
, choosing an arbitrary order between C and $C'$. This step ends by handling $C''$ w.r.t. λ(q) as done for C w.r.t. k in step 1 above.
Example 4. For the automaton of Fig. 4(a), initially we have $PolPar = \emptyset$, $E_1 = \{x_1, 0\}$ and $E_2 = \{x_2, 0\}$. Starting with level k = 2, we consider in step 1 the expression $C_2 = p_2 x_2 + x_1 - 2$ appearing in the guard of the single edge leaving $q_2$. We compute $lead(C_2, 2) = p_2$, $comp(C_2, 2) = x_1 - 2$ and $compnorm(C_2, 2) = -\frac{x_1 - 2}{p_2}$. We obtain $PolPar = \{p_2\}$ and $E_2 = \{x_2, 0, x_1 - 2, -\frac{x_1 - 2}{p_2}\}$. For step 2(a) and the same edge, we apply its update to the expressions of $E_2$ that contain $x_2$, add them to $E_2$, and thus obtain $E_2 = \{x_2, 0,$
In step 2(b), considering the single edge from $q_1$ to $q_2$, we compute the differences between any two expressions from $E_2$ (after applying the update, which here means substituting 0 for $x_2$ and leaving $x_1$ unchanged) and the resulting expressions lead, comp and compnorm, which yields:
We proceed with level 1. Since the expression $C_1 = x_1 - p_1$ occurring in the guard of the considered edge has leading coefficient 1, there is no term to add to PolPar. We add $compnorm(C_1, 1) = p_1$ to $E_1$, hence the final result is:
Lemma 3 below is used for the class automata construction. Its proof is obtained by a straightforward examination of the above procedure.
Lemma 3. Let C belong to $E_k$ for some k and let $c = r/s$ be a coefficient of C with $s \notin \mathbb{Q}$. Then there exist polynomials $P_1, \ldots, P_\ell \in PolPar$ and some constant $K \in \mathbb{Q} \setminus \{0\}$ such that $s = K \cdot \prod_{1 \le i \le \ell} P_i$.
Lemma 4 is the parametrized version of Lemma 1 and its (omitted) proof is almost identical.
Lemma 4. For a PITA A, let H be the number of constraints in the guards, U the number of updates in the transitions (we assume $U \ge 2$) and $M = \max\{card(X_k) \mid 1 \le k \le n\}$. The construction procedure of $\{E_k\}_{k \le n}$ terminates and the size of every $E_k$ is bounded by $(H + M)$
Lemma 5 is the parametrized version of Lemma 2. However, since the coefficients are now rational functions, the degree of the polynomials must also be analyzed.
Lemma 5. Let A be a PITA, let $b_0$ be the maximal total number of bits of the integers of an expression in A and $d_0$ the maximal degree of the polynomials occurring in A. If b is the total number of bits of the integer constants and d the degree of a polynomial occurring in an expression of PolPar or some
Proof. W.l.o.g. we assume that there is a single denominator for the rationals occurring in updates, since this only induces a polynomial blow-up. Assume that before level $n - k$ is handled, the total number of bits of the integers occurring in some expression is $b_k$. We establish by induction that
The base case is trivial. At level $n - k$, step 1 induces an increase only when operation compnorm is applied to an original guard whose coefficients are polynomials (instead of rational fractions). After this operation the number of bits is bounded by $(n - k + 1)b_0 \le (n - k + 1)b_k$. For an expression already present in $E_{n-k}$, its coefficients are modified to obtain a common denominator by taking the product of the original denominators. After this transformation the total number of bits is bounded by $(n - k + 1)2b_k$. Examining one update applied to an expression, the total number of bits of the coefficients of the updated expression increases by $(n - k + 1)b_0$. Since an expression built after step 2(a) has been obtained by fewer than $2^{n-k}$ updates, the total number of bits is less than $(n - k$
requires computing the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $(n - k + 1)4b_k + 2^{n-k+1}(n - k + 1)b_0$ for the total number of bits. The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients, leading to a bound:
for the number of bits.
Assume that before level $n - k$ is handled, the degree of a polynomial (of parameters) occurring in some expression is at most $d_k$. We establish a relation between $d_k$ and $d_{k+1}$. At level $n - k$, step 1 does not induce any increase when operation compnorm is applied to an original guard whose coefficients are polynomials (instead of rational fractions). More precisely, the numerators of the rational fractions are unchanged while the denominators are numerators of some previous expressions. For an expression already present in $E_{n-k}$, its coefficients are modified to obtain a common denominator by taking the product of the original denominators. After this transformation the maximal degree is bounded by $(n - k +$
requires computing the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $(n - k + 1)(2d_k + d_0)$ for the numerators of its coefficients and $(n - k + 1)2d_k$ for the denominators. The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients, leading to a bound $(n - k + 1)(4d_k + d_0)$. So $d_{k+1} \le (n - k + 1)5d_k$, yielding the desired bound.
We now explain the partition construction. Starting from the finite set PolPar, we split the set of parameter valuations into parameter regions specified by the results of comparisons to 0 of the values of the polynomials in PolPar. For instance, for the set PolPar computed above, the inequalities $p_2 < 0$, $p_2 + 1 = 0$, $1 - p_2 - 4p$
The set of such constraints yielding nonempty regions can be computed by solving an existential formula of the first-order theory of reals.
Then, given a nonempty parameter region preg, we consider the following subset of $E_k$ for $1 \le k \le n$: $E_{k,preg} = \{C \in E_k \mid$ the denominators of the coefficients of C are nonzero in preg$\}$. Due to Lemma 3, these subsets are obtained by examining the specification of preg.
Observe that expressions in $E_{1,preg} \setminus X_1$ belong to $Frac(P, \mathbb{Q})$ and that, depending on the parameter valuation, the values of two expressions can be ordered differently. We refine preg according to a linear preorder $\preceq_1$ on $E_{1,preg} \setminus X_1$ which is satisfiable within preg. We denote this refined region by $\Pi = (preg, \preceq_1)$ and we now build a finite automaton $R(\Pi)$.
Construction of the class automata
In this paragraph, we fix a nonempty parameter region $\Pi = (preg, \preceq_1)$.
Class definition. A state of $R(\Pi)$, called a class like before, is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where q is a state of A and $\preceq_k$ is a total preorder over $E_{k,preg}$, for $1 \le k \le \lambda(q)$. For a parameter valuation $\pi \in \Pi$, the class R describes the following subset of configurations in $\mathcal{T}_{A,\pi}$:
$[[\ ]]_\pi$, which can be straightforwardly determined by extending $\preceq_1$ to $E_{1,preg}$ with $x \preceq_1 0$ and $0 \preceq_1 x$ for all $x \in X_1$, and closing $\preceq_1$ by transitivity.
Transitions in R(Π) consist of the following discrete and time steps:
) be two classes and let $e : q \xrightarrow{\varphi, a, u}$
For this, we prove in the sequel that the existence of the transition $R \xrightarrow{e} R'$ is independent of $\pi \in \Pi$ and of $(q, v) \in [[R]]_\pi$. It can be seen as follows. We write $\ell = \lambda(q)$ for the level of transition e. Firability condition. We write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$ with, for each j, either
We consider three subcases of the first case.
• Subcase $a_\ell = 0$. Then $C_j = comp(C_j, \ell) \in E_{\ell,preg}$ and, using the positions of 0 and $C_j$ w.r.t. $\preceq_\ell$, we can decide whether $C_j \bowtie_j 0$.
• Subcase $a_\ell \in \mathbb{Q} \setminus \{0\}$. Then $compnorm(C_j, \ell) \in E_{\ell,preg}$, hence using the sign of $a_\ell$ and the positions of z and $compnorm(C_j, \ell)$ w.r.t. $\preceq_\ell$, we can decide whether $C_j \bowtie_j 0$.
• Subcase $a_\ell \notin \mathbb{Q}$. According to the specification of preg, we know the sign of $a_\ell$ as it belongs to PolPar. In case $a_\ell = 0$, we decide as in the first subcase. Otherwise, we decide as in the second subcase. The second case $C_j = z - z'$ is handled similarly.
Successor definition. To build the successor
There are again three subcases.
• Subcase $a_\ell = 0$. Then $D = comp(D, \ell) \in E_{\ell,preg}$, so we can decide whether . According to the specification of preg, we know the sign of $a_\ell$ since $r_\ell$ belongs to PolPar and $s_\ell$ is a product of items in PolPar. In case $a_\ell = 0$, we decide $g' \preceq'_k h'$ as in the first case. Otherwise, we decide in a similar way as in the second case. For instance if $a_\ell > 0$ and
is the time successor of R, defined as follows. Intuitively, all preorders below $\ell = \lambda(q)$ are fixed, so $\preceq'_i = \preceq_i$ for each $i < \ell$. On level ℓ, the value of the active clock simply progresses along the one-dimensional time line on which the expressions are ordered. More precisely, let ∼ be the equivalence relation $\preceq_\ell \cap \preceq_\ell^{-1}$ induced by the preorder. A ∼-equivalence class groups expressions yielding the same value, and on these classes the (total) preorder becomes a (total) order. Let V be the ∼-equivalence class containing act(q).
1. Either $V = \{act(q)\}$. If V is the greatest ∼-equivalence class, then $\preceq'_\ell = \preceq_\ell$ (and Post(R) = R). Otherwise, let $V'$ be the next ∼-equivalence class. Then $\preceq'_\ell$ is obtained by merging $V = \{act(q)\}$ and $V'$, and preserving $\preceq_\ell$ elsewhere.
2. Or V is not a singleton. Then we split V into $V \setminus \{act(q)\}$ and $\{act(q)\}$ and "extend" $\preceq_\ell$ by $V \setminus \{act(q)\} \prec'_\ell \{act(q)\}$.
To conclude, observe that the automaton $R(\Pi)$ defined above has the properties (DS) and (TS) mentioned previously, and is hence a finite time-abstract bisimulation of $\mathcal{T}_{A,\pi}$, for all parameter valuations $\pi \in \Pi$.
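As an added example (not code from the paper), the following Python computes Post(R) on a level-ℓ preorder given as the ordered list of its ∼-equivalence classes and iterates it along a constructed level-1 line; the line $0 < e < 2 < p_1$ is an assumption (e stands in for the other elements of $E_{1,preg}$, which are not reproduced here), chosen so that, as in Example 5, the fifth time successor of the initial class places $x_1$ strictly between 2 and $p_1$.

```python
# Added example, not the paper's code: the abstract time step Post(R) on level l.
# The total preorder <=_l is represented by the list of its ~-equivalence classes,
# ordered from smallest to greatest value; each class is a frozenset of expression
# names.  The preorders of the lower levels are unchanged by Post and are omitted.

def post(classes, act):
    """One time step: the active clock act moves one position to the right."""
    idx = next(i for i, cls in enumerate(classes) if act in cls)
    V = classes[idx]
    if V == {act}:
        # Case 1: act is alone in its class V.
        if idx == len(classes) - 1:
            return classes                 # V is the greatest class: Post(R) = R
        merged = V | classes[idx + 1]      # act catches up with the next class V'
        return classes[:idx] + [merged] + classes[idx + 2:]
    # Case 2: V is not a singleton: act leaves V and sits strictly above V \ {act}.
    return classes[:idx] + [V - {act}, frozenset({act})] + classes[idx + 1:]

def time_successors(classes, act):
    """Iterate Post until it stabilises; returns every class reached, first included."""
    seq = [classes]
    while True:
        nxt = post(seq[-1], act)
        if nxt == seq[-1]:
            return seq
        seq.append(nxt)

def compare(classes, act, expr):
    """How act relates to expr in the preorder: '<', '=' or '>'."""
    ia = next(i for i, cls in enumerate(classes) if act in cls)
    ie = next(i for i, cls in enumerate(classes) if expr in cls)
    return "=" if ia == ie else ("<" if ia < ie else ">")

def describe(classes):
    return " < ".join(" = ".join(sorted(cls)) for cls in classes)

# Constructed level-1 line (an assumption: the paper's E_{1,preg} is not reproduced
# in full): 0 < e < 2 < p_1, with a placeholder expression e between 0 and 2.
# Z_0 is the initial class, identifying x_1 with 0 as in Example 5.
Z_0 = [frozenset({"0", "x_1"}), frozenset({"e"}), frozenset({"2"}), frozenset({"p_1"})]

if __name__ == "__main__":
    for step, cls in enumerate(time_successors(Z_0, "x_1")):
        print(f"Post^{step}(R_0): {describe(cls)}")
```

Split and merge steps alternate: the odd successors have $x_1$ strictly between two consecutive classes of the line, the even ones identify it with the next expression, and iteration stops once $x_1$ is alone above $p_1$.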
We are now in position to prove Theorem 4.
Proof. Starting from a PITA A, we use the above construction, whose termination is guaranteed by Lemma 4, to design a nondeterministic procedure for existential reachability of a given state q:
1. Build PolPar and $\{E_k\}_{1 \le k \le n}$.
2. Guess a parameter region $(preg, \preceq_1)$.
3. Check nonemptiness of $(preg, \preceq_1)$.
4. Build the class automaton $R(preg, \preceq_1)$ and check whether q occurs in some class.
For universal reachability of q, in step 4 one checks whether q does not occur in any class. This gives a nondeterministic procedure for the complementary problem. For robust reachability, in step 2 one guesses an open parameter region, i.e., one specified only by strict inequalities. We now analyse the complexity of these procedures. Due to Lemmas 4 and 5, the first step is performed in 2-EXPTIME, and in PTIME when the number of clocks is fixed. Guessing a parameter region has the same complexity. The satisfiability problem for a first-order formula is in PSPACE [20]. Due to Lemma 4, the number s of (in)equalities specifying the region fulfills $s = O((H + M)$
$)$ with the previous notations. Let b be the total number of bits of the integers occurring in a constraint of the specification of the region. Due to Lemma 5, $b \le ((n + 1)!)$ the polynomials occurring in the specification of the region. Due to the same lemma, $d \le (n + 1)!\,5^n d_0$. So the emptiness problem for a region is decided in 2-EXPSPACE, which becomes PSPACE when the number of levels is fixed. Observe now that the class automaton $R(preg, \preceq_1)$ is isomorphic to the class automaton of the ITA A(π) that would be obtained from A with any parameter valuation π in $\Pi = (preg, \preceq_1)$. It has been proved in Section 3 that this automaton can be built in polynomial time w.r.t. the size of the representation of any class. As the size of the representation of a class of a PITA has the same order as that of the corresponding ITA (dominated by the doubly exponential number of expressions) and the construction algorithms perform similar operations, this yields a complexity of 2-EXPTIME, and PSPACE when the number of levels is fixed. So the dominating factor of this nondeterministic procedure is the emptiness check done in 2-EXPSPACE. By Savitch's theorem this procedure can be determinised with the same complexity.
Example 5. The construction of $R(\Pi)$ is illustrated on the automaton $A_2$ from Fig. 4(a), for the region $\Pi = (preg, \preceq_1)$, where preg was defined above by: $p_2 < 0$, $p_2 + 1 = 0$, $1 - p_2 - 4p$ p2, $p_1\}$ and we consider the ordering on $E_{1,preg} \setminus \{x_1\}$ specified by the line below. A part of the resulting class automaton $R(\Pi)$, including the run corresponding to the one in Fig. 4(b), is depicted in Fig. 6, where dashed lines indicate (abstract) time steps.
The initial class is $R_0 = (q_0, Z_0)$ where $Z_0$ is $\preceq_1$ extended with $x_1 = 0$. Denoting (slightly abusively) extensions with the symbol ∧, the time successors of the initial state are obtained by moving $x_1$ to the right along the line: R where the constraint $x_1 < p_1$ is not satisfied). In Fig. 6, we represent only the one from $R_0^5 = (q_0, Z_1)$ with $Z_1 = \preceq_1 \wedge 2 < x_1 < p_1$, corresponding to the run in Fig. 4(b).
Along this run, the ordering $\preceq_2$ is determined by region Π and $Z_1$, on $E_{2,preg} \setminus \{x_2\} = \{0, x_1 - 2, -$
Conclusion
While seminal results on parametrised timed models leave little hope for decidability in the general case, we provide here an expressive formalism for the analysis of parametric reachability problems. Our setting includes a restricted form of stopwatches and polynomials in the parameters occurring as both additive and multiplicative coefficients of the clocks in guards and updates. We plan to investigate which kind of timed temporal logic would be decidable on PITA.
