Avoiding Shared Clocks in Networks of Timed Automata by Balaguer, Sandie & Chatain, Thomas
HAL Id: hal-00706608
https://hal.inria.fr/hal-00706608
Submitted on 11 Jun 2012
Avoiding Shared Clocks in Networks of Timed Automata
Sandie Balaguer, Thomas Chatain
To cite this version:
Sandie Balaguer, Thomas Chatain. Avoiding Shared Clocks in Networks of Timed Automata. [Re-
4 rue Jacques Monod
91893 Orsay Cedex
Avoiding Shared Clocks in Networks of Timed
Automata
Sandie Balaguer, Thomas Chatain∗
Project-Team MExICo
Research Report n° 7990 — June 2012 — 23 pages
Abstract: Networks of timed automata (NTA) are widely used to model distributed real-time
systems. Quite often in the literature, the automata are allowed to share clocks, i.e. the transitions
of one automaton may be guarded by a condition on the value of clocks reset by another automaton.
This is a problem when one considers implementing such model in a distributed architecture, since
reading clocks a priori requires communications which are not explicitly described in the model.
We focus on the following question: given a NTA A1 ‖ A2 where A2 reads some clocks reset by
A1, does there exist a NTA A′1 ‖ A′2 without shared clocks with the same behavior as the initial
NTA?
For this, we allow the automata to exchange information during synchronizations only, in particular
by copying the value of their neighbor’s clocks.
We discuss a formalization of the problem and give a criterion using the notion of contextual
timed transition system, which represents the behavior of A2 when in parallel with A1. Finally,
we effectively build A′1 ‖ A′2 when it exists.
Key-words: networks of timed automata, shared clocks, implementation on distributed architecture,
contextual timed transition system, behavioral equivalence for distributed systems
∗ This work is partially supported by the French ANR project ImpRo.
Avoiding shared clocks in networks of timed automata
Summary: Networks of timed automata are widely used for modeling distributed real-time
systems. Most often in the literature, sharing clocks between the different automata is allowed:
the transitions of one automaton may be conditioned on the value of clocks reset by another
automaton. This raises a problem when one considers implementing such a model on a distributed
architecture, since reading clocks a priori requires communications that are not explicitly
described in the model. We are interested in the following question: given a network of timed
automata A1 ‖ A2 where A2 reads clocks reset by A1, does there exist a network of timed
automata A′1 ‖ A′2 without shared clocks with the same behavior as the initial network?
To this end, we allow the automata to exchange information during synchronizations only,
by copying the values of their neighbor’s clocks.
We first discuss a formalization of this problem, then we give a criterion for deciding the
existence of the system without shared clocks, by introducing the notion of contextual timed
transition system. This transition system represents the behavior of A2 […]
Key-words: networks of timed automata, shared clocks, implementation on a distributed
architecture, contextual timed transition system, behavioral equivalence for distributed systems
1 Introduction
Timed automata [AD94] are one of the most famous formal models for real-time systems. They
have been deeply studied and very mature tools are available, like Uppaal [LPY97], Epsilon
[CGL93] and Kronos [BDM+98].
Networks of Timed Automata (NTA) are a natural generalization to model real-time distributed
systems. In this formalism each automaton has a set of clocks that constrain its real-
time behavior. But quite often in the literature, the automata are allowed to share clocks, which
provides a special way of making the behavior of one automaton depend on what the others do.
Actually shared clocks are relatively well accepted and can be a convenient feature for modeling
systems. Moreover, since NTA are almost always given a sequential semantics, shared clocks
can be handled very easily even by tools: once the NTA is transformed into a single timed automaton
by the classical product construction, the notion of distribution is lost and the notion
of shared clock itself becomes meaningless. Nevertheless, implementing a model with shared
clocks in a distributed architecture is not straightforward since reading clocks a priori requires
communications which are not explicitly described in the model.
Here we are concerned with the expressive power of shared clocks according to the distributed
nature of the system. We are not aware of any previous study about this aspect. Our purpose
is to identify NTA where sharing clocks could be avoided, i.e. NTA which syntactically use
shared clocks, but whose semantics could be achieved by another NTA without shared clocks.
To simplify, we look at NTA made of two automata A1 and A2 where only A2 reads clocks reset
by A1. The first step is to formalize what aspect of the semantics we want to preserve in this
setting. Then the idea is essentially to detect cases where A2 can avoid reading a clock because
its value does not depend on the actions that are local to A1 and thus unobservable to A2. To
generalize this idea we have to compute the knowledge of A2 about the state of A1. We show
that this knowledge is maximized if we allow A1 to communicate its state to A2 each time they
synchronize on a common action.
In order to formalize our problem we need an appropriate notion of behavioral equivalence
between two NTA. We explain why classical comparisons based on the sequential semantics, like
timed bisimulation, are not sufficient here. We need a notion that takes the distributed nature
of the system into account. That is, a component cannot observe the moves and the state of
the other and must choose its local actions according to its partial knowledge of the state of the
system. We formalize this idea by the notion of contextual timed transition systems (contextual
TTS).
Then we express the problem of avoiding shared clocks in terms of contextual TTS and we
give a characterization of the NTA for which shared clocks can be avoided. Finally we effectively
construct a NTA without shared clocks with the same behavior as the initial one, when this is
possible. A possible interest is to allow a designer to use shared clocks as a high-level feature in
a model of a protocol, and rely on our transformation to make it implementable.
Related work. The semantics of time in distributed systems has already been debated. The
idea of localizing clocks has already been proposed and some authors [ABG+08, DL07, BJLY98]
have even suggested to use local-time semantics with independently evolving clocks. Here we
stay in the classical setting of perfect clocks evolving at the same speed. This is a key assumption
that provides an implicit synchronization and lets us know some clock values without reading
them.
Many formalisms exist for real-time distributed systems, among which NTA [AD94] and time
Petri nets [MF76]. So far, their expressiveness was compared [BCH+05, BR08, CR06, Srb08]
essentially in terms of sequential semantics that forget concurrency. In [BCH12], we defined a
concurrency-preserving translation from time Petri nets to networks of timed automata.
While partial-order semantics and unfoldings are well known for untimed systems, they have
been very little studied for distributed real-time systems [CCJ06, BHR06]. Partial order reductions
for (N)TA were proposed in [Min99, BJLY98, LNZ05]. Behavioral equivalence relations for
distributed systems, like history-preserving bisimulations were defined for untimed systems only
[BDKP91, vGG01].
Finally, our notion of contextual TTS deals with knowledge of agents in distributed systems.
This is the aim of epistemic logics [HFMV95], which have been extended to real-time in [WL04,
Dim09]. Our notion of contextual TTS also resembles the technique of partitioning states based
on observation, used in timed games with partial observability [BDMP03, DLLN09].
Organization of the paper. The paper is organized as follows. Section 2 recalls basic notions
about TTS and NTA. Section 3 presents the problem of avoiding shared clocks on examples
and raises the problem of comparing NTA component by component. For this, the notion of
contextual TTS is developed in Section 4. The problem of avoiding shared clocks is formalized
and characterized in terms of contextual TTS. Then Section 5 presents our construction.
This paper details the proofs of the results published in [BC12].
2 Preliminaries
2.1 Timed Transition Systems
The behavior of timed systems is often described as timed transition systems.
Definition 1. A timed transition system (TTS) is a tuple (S, s0, Σ, →) where S is a set of states,
s0 ∈ S is the initial state, Σ is a finite set of actions disjoint from R≥0, and → ⊆ S × (Σ ∪ R≥0) × S
is a set of edges.
For any a ∈ Σ ∪ R≥0, we write $s \xrightarrow{a} s'$ if (s, a, s′) ∈ →, and $s \xrightarrow{a}$ if for some s′, (s, a, s′) ∈ →. A
path of a TTS is a possibly infinite sequence of transitions
$\rho = s \xrightarrow{d_0} s'_0 \xrightarrow{a_0} \cdots s_n \xrightarrow{d_n} s'_n \xrightarrow{a_n} \cdots$,
where, for all i, di ∈ R≥0 and ai ∈ Σ. A path is initial if it starts in s0. A path
$\rho = s \xrightarrow{d_0} s'_0 \xrightarrow{a_0} \cdots s_n \xrightarrow{d_n} s'_n \xrightarrow{a_n} \cdots$
generates a timed word w = (a0, t0)(a1, t1) . . . (an, tn) . . . where, for all i, $t_i = \sum_{k=0}^{i} d_k$.
The duration of w is δ(w) = sup_i ti and the untimed word of w is λ(w) = a0 a1 . . . an . . ., and we
denote the set of timed words over Σ and of duration d as TW(Σ, d) = {w | δ(w) = d ∧ λ(w) ∈ Σ*}.
Lastly, we write $s \xrightarrow{w} s'$ if there is a path from s to s′ that generates the timed word w.
In the following definitions, we use two TTS $T_1 = (S_1, s^0_1, \Sigma_1, \to_1)$ and $T_2 = (S_2, s^0_2, \Sigma_2, \to_2)$,
and $\Sigma_i^{\neq\varepsilon}$ denotes Σi \ {ε}, where ε is the silent action.
Product of TTS. The product of T1 and T2, denoted by T1 ⊗ T2, is the TTS […], where → is defined as:
• $(s_1, s_2) \xrightarrow{a} (s'_1, s_2)$ iff $s_1 \xrightarrow{a}_1 s'_1$ and $s_2$ […]
• […] $\xrightarrow{a}_1 s'_1$ and $s_2 \xrightarrow{a}$ […]
Timed Bisimulations. Let ≈ be a binary relation over S1 × S2. We write s1 ≈ s2 for
(s1, s2) ∈ ≈. ≈ is a strong timed bisimulation relation between T1 and T2 if $s^0_1 \approx s^0_2$ and s1 ≈ s2
implies that, for any a ∈ Σ ∪ R≥0, if $s_1 \xrightarrow{a}$ […]
[…]
• ∀a ∈ Σ, $s \xrightarrow{a}$ […]
• ∀d ∈ R≥0, $s \xrightarrow{d}$ […] $\sum_{k=0} d_k = d$.
Then, ≈ is a weak timed bisimulation relation between T1 and T2 if $s^0_1 \approx s^0_2$ and s1 ≈ s2 implies
that, for any a ∈ Σ ∪ R≥0, if $s_1 \xrightarrow{a}$ […]
We write T1 ≈ T2 (resp. T1 ∼ T2) when there is a strong (resp. weak) timed bisimulation between
T1 and T2.
2.2 Networks of Timed Automata
The set B(X) of clock constraints over the set of clocks X is defined by the grammar g ::= x ⋈ k | g ∧ g,
where x ∈ X, k ∈ N and ⋈ ∈ {<, ≤, =, ≥, >}. Invariants are clock constraints of the
form i ::= x ≤ k | x < k | i ∧ i.
Definition 2. A network of timed automata (NTA) [AD94] is a parallel composition of timed
automata (TA) denoted as A1 ‖ · · · ‖ An, with $A_i = (L_i, \ell^0_i, X_i, \Sigma_i, E_i, Inv_i)$ where Li is a finite
set of locations, $\ell^0_i \in L_i$ is the initial location, Xi is a finite set of clocks, Σi is a finite set of
actions, $E_i \subseteq L_i \times B(X_i) \times \Sigma_i \times 2^{X_i} \times L_i$ is a set of edges, and $Inv_i : L_i \to B(X_i)$ assigns
invariants to locations.
If (ℓ, g, a, r, ℓ′) ∈ Ei, we also write $\ell \xrightarrow{g,a,r} \ell'$. For such an edge, g is the guard, a the action
and r the set of clocks to reset. Ci ⊆ Xi is the set of clocks reset by Ai and for i ≠ j, Ci ∩ Cj
may not be empty.
Semantics. To simplify, we give the semantics of a network of two TA A1 ‖ A2. We denote by
((ℓ1, ℓ2), v) a state of the NTA, where ℓ1 and ℓ2 are the current locations, and v : X → R≥0, with
X = X1 ∪ X2, is a clock valuation that maps each clock to its current value. A state is legal only if
its valuation v satisfies the invariants of the current locations, denoted by v |= Inv1(ℓ1) ∧ Inv2(ℓ2).
For each set of clocks r ⊆ X, the valuation v[r] is defined by v[r](x) = 0 if x ∈ r and v[r](x) = v(x)
otherwise. For each d ∈ R≥0, the valuation v + d is defined by (v + d)(x) = v(x) + d for each
x ∈ X. Then, the TTS generated by A1 ‖ A2 is TTS(A1 ‖ A2) = (S, s0, Σ1 ∪ Σ2, →), where S is
the set of legal states, $s_0 = ((\ell^0_1, \ell^0_2), v_0)$, where v0 maps each clock to 0, and → is defined by
• Local action: $((\ell_1, \ell_2), v) \xrightarrow{a} ((\ell'_1, \ell_2), v')$ iff $a \in \Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}$, $\ell_1 \xrightarrow{g,a,r} \ell'_1$, v |= g, v′ = v[r] and
v′ |= Inv1(ℓ′1), and similarly for a local action in $\Sigma_2 \setminus \Sigma_1^{\neq\varepsilon}$,
• Synchronization: $((\ell_1, \ell_2), v) \xrightarrow{a} ((\ell'_1, \ell'_2), v')$ iff $a \in \Sigma_1^{\neq\varepsilon} \cap \Sigma_2^{\neq\varepsilon}$, $\ell_1 \xrightarrow{g_1,a,r_1} \ell'_1$, $\ell_2 \xrightarrow{g_2,a,r_2} \ell'_2$, v |=
g1 ∧ g2, v′ = v[r1 ∪ r2] and v′ |= Inv1(ℓ′1) ∧ Inv2(ℓ′2),
• Time delay: ∀d ∈ R≥0, $((\ell_1, \ell_2), v) \xrightarrow{d} ((\ell_1, \ell_2), v + d)$ iff ∀d′ ∈ [0, d], v + d′ |= Inv1(ℓ1) ∧
Inv2(ℓ2).
Figure 1 (edge labels recovered from the figure: A1 has an edge x ≥ 1, a, {x}; A2 has an edge x ≤ 2 ∧ y ≤ 3, b): A2 could avoid reading clock x which belongs to A1.
A run of a NTA is an initial path in its TTS. The semantics of a TA A alone can also be
given as a TTS denoted by TTS(A) with only local actions and delay. A TA is non-Zeno iff for
every infinite timed word w generated by a run, time diverges (i.e. δ(w) = ∞). This is a common
assumption for TA. In the sequel, we always assume that the TA we deal with are non-Zeno.
Remark 1. Let A1 ‖ A2 be such that X1 ∩ X2 = ∅. Then TTS(A1) ⊗ TTS(A2) is isomorphic to
TTS(A1 ‖ A2). This is not true in general when X1 ∩ X2 ≠ ∅. For example, in Fig. 2, taking b
at time 0.5 and e at time 1 is possible in TTS(A1) ⊗ TTS(A2) but not in TTS(A1 ‖ A2), since b
resets x which is tested by e.
3 Need for Shared Clocks
3.1 Problem Setting
We are interested in detecting the cases where it is possible to avoid sharing clocks, so that the
model can be implemented using no other synchronization than those explicitly described by
common actions.
To start with, let us focus on the case of a network of two TA, A1 ‖ A2, such that A1 does
not read the clocks reset by A2, and A2 may read the clocks reset by A1. We want to know
whether A2 really needs to read the clocks reset by A1, or if another NTA A′1 ‖ A′2 could achieve the same
behavior as A1 ‖ A2 without using shared clocks.
A first remark is that our problem makes sense only if we insist on the distributed nature of
the system, made of two separate components. On the other hand, if the composition operator
is simply used as a convenient syntax for describing a system that is actually implemented on
a single sequential component, then a simple product automaton would perfectly describe the
system and every clock becomes local.
So, let us consider the example of Fig. 1, made of two TA, supposed to describe two separate
components. Remark that A2 reads clock x which is reset by A1. But a simple analysis shows
that this reading could be avoided: because of the condition on its clock y, A2 can only take
transition b before time 3; but x cannot reach value 2 before time 3, since it must be reset
between time 1 and 2. Thus, forgetting the condition on x in A2 would not change the behavior
of the system.
3.2 Transmitting Information during Synchronizations
Consider now the example of Fig. 2. Here also A2 reads clock x which is reset by A1, and here
also this reading could be avoided. The idea is that A1 could transmit the value of x when
synchronizing, and afterwards, any reading of x in A2 can be replaced by the reading of a new
clock x′ dedicated to storing the value of x which is copied on the synchronization. Therefore
A2 can be replaced by A′2 pictured in Fig. 2, while preserving the behavior of the NTA, but also
the behavior of A2 w.r.t. A1.
We claim that we cannot avoid reading x without this copy of clock. Indeed, after the
synchronization, the maximal delay in the current location depends on the exact value of x, and
even if we find a mechanism to allow A′2 to move to different locations according to the value of
x at synchronization time, infinitely many locations would be required (for example, if s occurs
at time 2, x may have any value in (1, 2]).
Figure 2: A2 reads x which belongs to A1 and A′2 does not.
Coding Transmission of Information. In order to model the transmission of information
during synchronizations, we allow A′1 and A′2 to use a larger synchronization alphabet than A1
and A2. This allows A′1 to transmit discrete information like its current location, to A′2.
But we saw that A′1 also needs to transmit the exact value of its clocks. For this we allow
an automaton to copy its neighbor’s clocks into local clocks during synchronizations. This is
denoted as updates of the form x′ := x in A′2 (see Fig. 2). This is a special case of updatable
timed automata as defined in [BDFP04]. Moreover, as shown in [BDFP04], the class we consider,
with diagonal-free constraints and updates with equality (they allow other operators) is not
more expressive than classical TA for the sequential semantics (any updatable TA of the class is
bisimilar to a classical TA), and the emptiness problem is PSPACE-complete.
Semantics. TTS(A1 ‖ A2) can be defined as previously, with the difference that the synchronization
rule also applies an update u: […] u is a partial function from X2 to X1, v |= g1 ∧ g2, v′ = (v[r1 ∪ r2])[u], and v′ |= Inv1(ℓ′1) ∧ Inv2(ℓ′2).
The valuation v[u] is defined by v[u](x) = v(u(x)) if u(x) is defined, and v[u](x) = v(x) otherwise.
Here, we choose to apply the reset r1 ∪ r2 before the update u, because we are interested
in sharing the state reached in A1 after the synchronization, and r1 may reset some clocks in
C1 ⊆ X1.
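The following Python program is an added example, not the authors' code: it implements the dense-time semantics of Section 2.2 for a network of two TA, including the reset-then-update synchronization rule of the paragraph above, and replays runs on a constructed network shaped like Fig. 1 (the location names l0, l1, m0, m1 and the invariant x ≤ 2 on l0 are assumptions; the figure only gives the edge labels). It shows the run where b is fired at time 2.5 after a at time 1.5 (x = 1 when b fires, so the constraint x ≤ 2 holds without being read) and the delay of 2.5 time units from the initial state, which the invariant forbids.

```python
"""Dense-time semantics of a two-component NTA A1 || A2 (Section 2.2), extended with
the clock-copy updates of Section 3.2.  Added example on a constructed network shaped
like the paper's Fig. 1; the invariant x <= 2 on A1's initial location is an assumption
taken from the text ("x must be reset between time 1 and 2")."""
from fractions import Fraction as F

# A timed automaton as a dict: initial location, edges (src, guard, action, reset, dst)
# and invariants.  Guards and invariants are predicates over a valuation (clock -> value).
A1 = {"init": "l0",
      "edges": [("l0", lambda v: v["x"] >= 1, "a", {"x"}, "l1")],
      "inv": {"l0": lambda v: v["x"] <= 2, "l1": lambda v: True}}
A2 = {"init": "m0",
      "edges": [("m0", lambda v: v["x"] <= 2 and v["y"] <= 3, "b", set(), "m1")],
      "inv": {"m0": lambda v: True, "m1": lambda v: True}}
FIG1 = (A1, A2, {"x", "y"})            # (A1, A2, X = X1 ∪ X2)


def initial_state(nta):
    a1, a2, clocks = nta
    return (a1["init"], a2["init"]), {c: F(0) for c in clocks}


def reset(v, r):
    """v[r]: clocks in r go to 0, the others keep their value."""
    return {c: (F(0) if c in r else t) for c, t in v.items()}


def delay(nta, state, d):
    """Time delay d: the invariants must hold on all of [0, d].  Invariants are upper
    bounds (x <= k, x < k), so checking them at v + d covers every v + d' with d' <= d."""
    a1, a2, _ = nta
    (l1, l2), v = state
    v2 = {c: t + d for c, t in v.items()}
    return ((l1, l2), v2) if a1["inv"][l1](v2) and a2["inv"][l2](v2) else None


def local_step(nta, state, i, action):
    """Local action of A_i (i in {1, 2}); the other automaton keeps its location.
    The first enabled edge is taken (enough for these deterministic examples)."""
    a1, a2, _ = nta
    (l1, l2), v = state
    auto, here = (a1, l1) if i == 1 else (a2, l2)
    for src, guard, act, r, dst in auto["edges"]:
        if src == here and act == action and guard(v):
            v2 = reset(v, r)
            if auto["inv"][dst](v2):
                return ((dst, l2) if i == 1 else (l1, dst)), v2
    return None


def sync_step(nta, state, action, update=None):
    """Synchronization on a common action: both guards hold, the resets r1 ∪ r2 are
    applied first, then the copies u (e.g. {"x'": "x"} for x' := x), as in Section 3.2."""
    a1, a2, _ = nta
    (l1, l2), v = state
    for s1, g1, act1, r1, d1 in a1["edges"]:
        for s2, g2, act2, r2, d2 in a2["edges"]:
            if (s1, s2) == (l1, l2) and act1 == act2 == action and g1(v) and g2(v):
                base = reset(v, r1 | r2)
                v2 = dict(base)
                for dst_clock, src_clock in (update or {}).items():
                    v2[dst_clock] = base[src_clock]       # v[u](x) = v(u(x))
                if a1["inv"][d1](v2) and a2["inv"][d2](v2):
                    return (d1, d2), v2
    return None


def run(nta, steps):
    """Replay steps such as ("delay", 1.5), ("local", 1, "a"), ("sync", "s", {"x'": "x"}).
    Returns the reached state, or None as soon as a step is not allowed by the semantics."""
    state = initial_state(nta)
    for step in steps:
        if step[0] == "delay":
            state = delay(nta, state, F(step[1]))
        elif step[0] == "local":
            state = local_step(nta, state, step[1], step[2])
        else:
            state = sync_step(nta, state, step[1], step[2] if len(step) > 2 else None)
        if state is None:
            return None
    return state


if __name__ == "__main__":
    # b fired at time 2.5 after a at 1.5: legal, and x = 1 <= 2 holds without being read.
    print(run(FIG1, [("delay", 1.5), ("local", 1, "a"), ("delay", 1), ("local", 2, "b")]))
    # Waiting 2.5 time units without firing a violates the invariant x <= 2 of l0.
    print(run(FIG1, [("delay", 2.5)]))
```

`run` covers the three kinds of edges of the semantics; for a synchronization the optional update dict plays the role of u, so passing {"x'": "x"} models the copy x' := x performed after the resets r1 ∪ r2, which is the order the paragraph above prescribes (copying before the reset would transmit a value A1 has just discarded).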
3.3 Towards a Formalization of the Problem
We want to know whether A2 really needs to read the clocks reset by A1, or if another NTA
A′1 ‖ A′2 could achieve the same behavior as A1 ‖ A2 without using shared clocks. It remains to
formalize what we mean by “having the same behavior” in this context.
First, we impose that the locality of actions is preserved, i.e. A′1 uses the same set of local
actions as A1, and similarly for A′2 and A2. For the synchronizations, we have explained earlier
why we allow A′1 and A′2 to use a larger synchronization alphabet than A1 and A2. The correspondence
between the two alphabets will be done by a mapping ψ (this point will be refined
later).
Figure 3 (locations recovered from the figure: q1 and q2 with invariant y ≤ 2, and q3, q4, q5, q6, in A2): A2 needs to read the clocks of A1 and TTS(A1 ‖ A2) ∼ TTS(A1 ‖ A′2).
Now we have to impose that the behavior is preserved. The first idea that comes to mind is to
require a bisimulation between ψ(TTS(A′1 ‖ A′2)) (that is, TTS(A′1 ‖ A′2) with synchronization actions
relabeled by ψ) and TTS(A1 ‖ A2). But this is not sufficient, as illustrated by the example of
Fig. 3 (where ψ is the identity). Intuitively A2 needs to read x when in q1 (and similarly in q2)
at time 2, because this reading determines whether it will perform a or b, and the value of x
cannot be inferred from its local state given by q1 and the value of y. Nevertheless TTS(A1 ‖ A′2) is
bisimilar to TTS(A1 ‖ A2), and A′2 does not read x. For the bisimulation relation R, it suffices
to impose (p1, q1) R (p1, r1) and (p2, q1) R (p2, r2).
What we see here is that, if we focus on the point of view of A2 and A′2, these two automata
do not behave the same. As a matter of fact, when A2 fires one edge labeled by c, it has not
read x yet, and there is still a possibility to fire a or b, whereas when A′2 fires one edge labeled
by c, there is no more choice afterwards. Therefore we need a relation between A′2 and A2, and
in the general case, a relation between A′1 and A1 also.
4 Contextual Timed Transition Systems
As we are interested in representing a partial view of one of the components, we need to introduce
another notion, that we call contextual timed transition system. This resembles the
powerset construction used in game theory to capture the knowledge of an agent about another
agent [Rei84].
Notations. $\mathcal{S} = \Sigma_1^{\neq\varepsilon} \cap \Sigma_2^{\neq\varepsilon}$ denotes the set of common actions. Q1 denotes the set of states of
TTS(A1). When s = ((ℓ1, ℓ2), v) is a state of TTS(A1 ‖ A2), we also write s = (s1, s2), where
s1 = (ℓ1, v|X1) is in Q1, and s2 = (ℓ2, v|X2\X1), where v|X is v restricted to X.
Definition 3 (UR(s)). Let TTS(A1) = (Q1, s0, Σ1, →1) and s ∈ Q1. The set of states of A1
reachable from s by local actions in 0 delay (and therefore not observable by A2) is denoted by
$UR(s) = \{ s' \in Q_1 \mid \exists w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, 0) : s \xrightarrow{w}_1 s' \}$.
Contextual States. The states of this contextual TTS are called contextual states. They can
be regarded as possibly infinite sets of states of TTS(A1 ‖ A2) for which A2 is in the same location
and has the same valuation over X2 \ X1. A2 may not be able to distinguish between some states
(s1, s2) and (s′1, s2). In TTSA1(A2), these states are grouped into the same contextual state.
However, when X2 ∩ X1 ≠ ∅, it may happen that A2 is able to perform a local action or delay
from (s1, s2) and not from (s′1, s2), even if these states are grouped in a same contextual state.
Definition 4 (Contextual TTS). Let TTS(A1 ‖ A2) = (Q, q0, Σ1 ∪ Σ2, ⇒). Then, the TTS of
A2 in the context of A1, denoted by TTSA1(A2), is the TTS $(S, s_0, (\Sigma_2 \setminus \mathcal{S}) \cup (\mathcal{S} \times Q_1), \to)$, where
• S = {(S1, s2) | ∀s1 ∈ S1, (s1, s2) ∈ Q},
• […]
• → is defined by
  • local action: $(S_1, s_2) \xrightarrow{a} (S'_1, s'_2)$ iff $\exists s_1 \in S_1 : (s_1, s_2) \overset{a}{\Rightarrow} (s_1, s'_2)$,
  and $S'_1 = \{ s_1 \in S_1 \mid (s_1, s_2) \overset{a}{\Rightarrow} (s_1, s'_2) \}$,
  • […]
  • delay: […] $S'_1 = \{ s'_1 \mid \exists s_1 \in S_1,\ w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, d) : (s_1, s_2) \overset{w}{\Rightarrow} (s'_1, s'_2) \}$.
For example, consider A1 and A2 of Fig. 3. The initial state is ({(p0, 0)}, (q0, 0)). From
this contextual state, it is possible to delay 2 time units and reach the contextual state
({(p1, 2), (p2, 1)}, (q0, 2)). Indeed, during this delay, A1 has to perform either e and reset
x, or d. Now, from this contextual state, we can take an edge labeled by c, and reach
({(p1, 2), (p2, 1)}, (q1, 2)). Lastly, from this new state, a can be fired, because it is enabled by
((p2, 1), (q1, 2)) in the TTS of the NTA, and the reached contextual state is ({(p2, 1)}, (q3, 2)).
We say that there is no restriction in TTSA1(A2) if whenever a local step is possible from
a reachable contextual state, then it is possible from all the states (s1, s2) that are grouped
into this contextual state. In the example above, there is a restriction in TTSA1(A2) because
we have seen that a is enabled only by ((p2, 1), (q1, 2)), and not by all states merged in
({(p1, 2), (p2, 1)}, (q1, 2)). Formally, we use the predicate noRestrictionA1(A2) defined as follows.
Definition 5 (noRestrictionA1(A2)). The predicate noRestrictionA1(A2) holds iff for any reachable
state (S1, s2) of TTSA1(A2), both
• for any local action $a \in \Sigma_2 \setminus \mathcal{S}$, $(S_1, s_2) \xrightarrow{a} (S'_1, s'_2) \iff \forall s_1 \in S_1,\ (s_1, s_2) \overset{a}{\Rightarrow} (s_1, s'_2)$, and
• ∀d ∈ R≥0, $(S_1, s_2) \xrightarrow{d} \iff \forall s_1 \in S_1,\ \exists w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, d) : (s_1, s_2) \overset{w}{\Rightarrow}$
Remark 2. If A2 does not read X1, then noRestrictionA1(A2).
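To make Definitions 3 to 5 concrete, here is an added Python example (not from the paper) that builds the contextual TTS of a finite product TTS and checks the noRestriction predicate. It is a discrete-time simplification assumed for the example: delays are unit tick steps, clock values are integers stored in the states, UR(s) is the closure under local A1 actions taken without a tick, and after a synchronization labeled (a, s1) the contextual state keeps UR(s1) on the A1 side. The product TTS is written by hand to follow the narrative of the example above (A1 takes d or e at time 1, A2 fires c at time 2 and then a or b depending on x), so the check reports the restriction at the contextual state ({(p1, 2), (p2, 1)}, (q1, 2)), where a is enabled by (p2, 1) only.

```python
"""Contextual TTS (Definition 4) and noRestriction (Definition 5) on a finite,
discrete-time product TTS.  Added example: unit 'tick' delays and integer clocks
stored in the states replace the paper's dense-time construction."""
from collections import deque

TICK = "tick"
A1_LOCAL = {"d", "e"}        # Sigma_1 \ Sigma_2
A2_LOCAL = {"c", "a", "b"}   # Sigma_2 \ Sigma_1
SYNC = {"s"}                 # common actions

# Constructed product TTS of A1 || A2 (shaped like the narrative of Fig. 3, not the figure).
# A1 states are (location, x); A2 states are (location, y).  EDGES maps a product state
# to its (label, successor) pairs.  At time 2, x = 1 enables a and x = 2 enables b.
EDGES = {
    (("p0", 0), ("q0", 0)): [(TICK, (("p0", 1), ("q0", 1)))],
    (("p0", 1), ("q0", 1)): [("d", (("p1", 1), ("q0", 1))), ("e", (("p2", 0), ("q0", 1)))],
    (("p1", 1), ("q0", 1)): [(TICK, (("p1", 2), ("q0", 2)))],
    (("p2", 0), ("q0", 1)): [(TICK, (("p2", 1), ("q0", 2)))],
    (("p1", 2), ("q0", 2)): [("c", (("p1", 2), ("q1", 2)))],
    (("p2", 1), ("q0", 2)): [("c", (("p2", 1), ("q1", 2)))],
    (("p2", 1), ("q1", 2)): [("a", (("p2", 1), ("q3", 2)))],
    (("p1", 2), ("q1", 2)): [("b", (("p1", 2), ("q4", 2)))],
    (("p2", 1), ("q3", 2)): [("s", (("p2", 1), ("q5", 2)))],
    (("p1", 2), ("q4", 2)): [("s", (("p1", 2), ("q5", 2)))],
}
INIT = (("p0", 0), ("q0", 0))


def succ(state, label):
    """Successors of a product state by one edge carrying `label`."""
    return [t for (lab, t) in EDGES.get(state, []) if lab == label]


def ur(s1, s2):
    """UR(s1): A1 states reachable by zero-delay local A1 actions (Definition 3).
    Local A1 edges never move A2, so s2 only serves to look the edges up."""
    seen, todo = {s1}, [s1]
    while todo:
        cur = todo.pop()
        for lab in A1_LOCAL:
            for (n1, _) in succ((cur, s2), lab):
                if n1 not in seen:
                    seen.add(n1)
                    todo.append(n1)
    return frozenset(seen)


def contextual_steps(S1, s2):
    """Outgoing edges (label, (S1', s2')) of the contextual state (S1, s2)."""
    out = []
    for a in sorted(A2_LOCAL):               # local A2 action: A1 keeps its state
        by_target = {}
        for s1 in S1:
            for (n1, n2) in succ((s1, s2), a):
                if n1 == s1:
                    by_target.setdefault(n2, set()).add(s1)
        out += [(a, (frozenset(keep), n2)) for n2, keep in by_target.items()]
    for a in sorted(SYNC):                   # synchronization, labelled (a, s1'); S1' = UR(s1') (assumption)
        for s1 in S1:
            for (n1, n2) in succ((s1, s2), a):
                out.append(((a, n1), (ur(n1, n2), n2)))
    by_target = {}                           # unit delay: A1-local words containing exactly one tick
    for s1 in S1:
        for u in ur(s1, s2):
            for (t1, t2) in succ((u, s2), TICK):
                by_target.setdefault(t2, set()).update(ur(t1, t2))
    out += [(TICK, (frozenset(S1p), t2)) for t2, S1p in by_target.items()]
    return out


def contextual_tts():
    """Reachable contextual states and edges, starting from (UR(s1^0), s2^0)."""
    init = (ur(*INIT), INIT[1])
    seen, todo, edges = {init}, deque([init]), []
    while todo:
        cs = todo.popleft()
        for lab, nxt in contextual_steps(*cs):
            edges.append((cs, lab, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return init, seen, edges


def restrictions():
    """Violations of Definition 5: (contextual state, local label, A1 states that block it)."""
    _, states, _ = contextual_tts()
    found = []
    for (S1, s2) in states:
        for lab in {lab for lab, _ in contextual_steps(S1, s2)}:
            if lab in A2_LOCAL:
                blocked = {s1 for s1 in S1 if not succ((s1, s2), lab)}
            elif lab == TICK:
                blocked = {s1 for s1 in S1
                           if not any(succ((u, s2), TICK) for u in ur(s1, s2))}
            else:
                continue                     # synchronizations are not constrained by Definition 5
            if blocked:
                found.append(((S1, s2), lab, frozenset(blocked)))
    return found


def no_restriction():
    return not restrictions()


if __name__ == "__main__":
    for (S1, s2), lab, blocked in restrictions():
        print(f"restriction at ({set(S1)}, {s2}) on {lab}: not enabled from {set(blocked)}")
```

The delay rule is where the knowledge of A2 is computed: a tick from (S1, s2) collects every A1 state reachable by zero-time local moves before and after the tick, which is how the two alternatives d and e end up merged into one contextual state, and why a later local step of A2 that depends on which one was taken shows up as a restriction.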
Sharing of Information on the Synchronizations. Later we assume that during a synchronization,
A1 is allowed to transmit all its state to A2, that is why, in TTSA1(A2), we distinguish
the states reached after a synchronization according to the state reached in A1. We also label the
synchronization edges by a pair (a, s1) ∈ S×Q1 where a is the action and s1 the state reached
in A1.
For the sequel, let TTSQ1(A1) (resp. TTSQ1(A1 ‖ A2)) denote TTS(A1) (resp. TTS(A1 ‖
A2)) where the synchronization edges are labeled by (a, s1), where a ∈ S is the action, and s1 is
the state reached in A1.
We can now state a nice property of unrestricted contextual TTS that is similar to the
distributivity of TTS over the composition when considering TA with disjoint sets of clocks (see
Remark 1). We say that a TA is deterministic if it has no ε-transition and for any location ℓ
and action a, there is at most one edge labeled by a from ℓ.
Figure 4 (edge label recovered from the figure: x ≥ 1, b, {x}): TTSQ1(A1) ⊗ TTSA1(A2) ≈ TTSQ1(A1 ‖ A2), although there is a restriction in
TTSA1(A2).
Lemma 1. If there is no restriction in TTSA1(A2), then TTSQ1(A1) ⊗ TTSA1(A2) ≈
TTSQ1(A1 ‖ A2). Moreover, when A2 is deterministic, this condition becomes necessary.
The example of Fig. 4 shows that the converse does not hold when A2 is not deterministic.
In order to prove Lemma 1, we first present two propositions. The first one relates the reachable
states of TTSA1(A2) with those of TTSQ1(A1)⊗ TTSA1(A2).
Proposition 1.
1. For any reachable state (S1, s2) of TTSA1(A2),
s1 ∈ S1 =⇒ (s1, (S1, s2)) is a reachable state of TTSQ1(A1)⊗ TTSA1(A2)
2. noRestrictionA1(A2) iff
for any reachable state (S1, s2) of TTSA1(A2),
s1 ∈ S1 ⇐⇒ (s1, (S1, s2)) is a reachable state of TTSQ1(A1)⊗ TTSA1(A2)
Proof. (1) For any reachable state (S1, s2), let us denote by P(S1, s2) the fact that for any s1 ∈ S1,
(s1, (S1, s2)) is reachable in TTSQ1(A1) ⊗ TTSA1(A2). We give a recursive proof. First, the
initial state $(S^0_1, s^0_2)$ […] $\to (s_1, (S^0_1, s^0_2))$. Then, assume some reachable state (S1, s2)
[…] reachable in one step from […]. There can be three kinds of steps from (S1, s2) in TTSA1(A2).
[…], and for some […] $\exists w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, \ldots)$ […]
[…], then $\exists d_1 \le d : (S_1, s_2)$ […] $S^1_1,\ s_1 \in S_1 : (s_1, s_2) \overset{d_1}{\Rightarrow} (s^1_1, s^1_2)$ […]. That is, after some local actions that take no time, A1 is
able to perform a delay d1 during which no local action is enabled (such d1 exists because of the
[…] for some $s^1_1$ […] is reachable. Therefore, $\exists w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, \ldots)$ […]
Since A1 is not Zeno, any delay in TTSA1(A2) can be cut into a finite number of such […]
(2, ⇒) (1) already gives that ∀s1 ∈ S1, (s1, (S1, s2)) is a reachable state. So it remains to
prove that, when noRestrictionA1(A2), if (s1, (S1, s2)) is a reachable state, then s1 ∈ S1. We say
that a reachable state s = (s1, (S1, s2)) satisfies P(s) iff s1 ∈ S1.
Assume noRestrictionA1(A2) and s = (s1, (S1, s2)) is a reachable state that satisfies P(s).
Then, any state s′ reachable in one step from s by some local action or delay a ∈ ((Σ1 ∪ Σ2) \ 𝒮) ∪ R≥0
or by some synchronization (a, s′1) ∈ 𝒮 × Q1 matches one of the following cases.
• if $a \in \Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}$, then s′ = (s′1, (S1, s2)) such that s′1 ∈ UR(s1) ⊆ S1 (by construction,
s1 ∈ S1 ⟹ UR(s1) ⊆ S1),
• if a ∈ Σ2 \ Σ1, then s′ = (s1, (S1, s′2)),
• […] $\exists q_1 \in S_1,\ w \in TW(\Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}, \ldots)$ […]
• if (a, s′1) ∈ (𝒮 × Q1), then s′ = […]
Therefore, any state s′ reached in one step from s also satisfies P(s′), and recursively, since
the initial state satisfies P(s0), any reachable state s of TTSQ1(A1) ⊗
TTSA1(A2) satisfies P(s).
(2, ⇐) By contradiction, assume there is a restriction in state (S1, s2) for local delay or action
a ∈ (Σ2 \ Σ1) ∪ R≥0, i.e. a is possible from some state (s′1, s2) but not from another state (s1, s2)
such that s′1, s1 ∈ S1. Then, after performing a from (s1, (S1, s2)), that is reachable according
[…] such that s1 ∉ S′1.
Proposition 2. If noRestrictionA1(A2) then, for all timed words w over (Σ2 \ 𝒮) ∪ (𝒮 × Q1),
[…] $\xrightarrow{w} (S_1, s_2)$ in TTSA1(A2) (i.e. S1 is
uniquely determined by w, whatever the structure of A2).
Proof. […] reachable in TTSA1(A2), for
any action or delay in (Σ2 \ 𝒮) ∪ (𝒮 × Q1) ∪ R≥0, there is at most one S1 such that, for some s2,
[…] (S1, s2) by this action.
Indeed, by construction, and since there is no restriction,
• any successor of $(S^1_1, s^1_2)$ […]
• any successor of $(S^1_1, s^1_2)$ by a synchronization (a, s′1) […]
• any successor of $(S^1_1, s^1_2)$ by a delay d is of the form (S1, s′2) with $S_1 = \{ s'_1 \mid \exists w \in TW(\Sigma_1 \setminus \ldots \}$ […]
Therefore, for any possible action or delay, S1 does not depend on the state of A2, and is uniquely
determined by this action or delay.
Since $(S^0_1, s^0_2)$ is unique, for any timed word w over (Σ2 \ 𝒮) ∪ (𝒮 × Q1), either w does not describe
[…]
We can now prove Lemma 1.
Proof. […] $(s_1, (S_1, s_2))\ R\ (s'_1, s'_2) \iff s_1 = s'_1 \wedge s_2 = s'_2$, for any reachable states (s1, (S1, s2)) of TTSQ1(A1) ⊗ TTSA1(A2)
and (s′1, s′2) of TTSQ1(A1 ‖ A2). By Proposition 1, since (s1, (S1, s2)) is reachable, s1 ∈ S1. We
show that R is a strong timed bisimulation.
[…] Then, if (s1, (S1, s2)) R (s′1, s′2), four kinds of steps are possible:
• if for some $a \in \Sigma_1 \setminus \Sigma_2^{\neq\varepsilon}$, $(s_1, (S_1, s_2)) \xrightarrow{a} (s'_1, (S_1, s_2))$, then $(s_1, s_2) \overset{a}{\Rightarrow} (s'_1, s_2)$ and
(s′1, (S1, s2)) R (s′1, s2), and conversely.
• if for some a ∈ Σ2 \ Σ1, $(s_1, (S_1, s_2)) \xrightarrow{a} (s_1, (S_1, s'_2))$ […]
(because noRestrictionA1(A2)), and in particular, $(s_1, s_2) \overset{a}{\Rightarrow}$ […]
[…]
Now assume A2 is deterministic. Let relation R be a strong timed bisimulation between
TTSQ1(A1) ⊗ TTSA1(A2) and TTSQ1(A1 ‖ A2).
By contradiction, assume there is a restriction in TTSA1(A2). Then there is a reachable state
(S1, s2) of TTSA1(A2), and a local delay or action a ∈ (Σ2 \ Σ1) ∪ R≥0 such that, for some
s1, s′1 ∈ S1, (s1, s2) enables a in TTSQ1(A1 ‖ A2), whereas (s′1, s2) does not.
[…] does not enable a. Moreover, these states can be chosen so that they are reached by the same
timed word over (Σ2 \ 𝒮) ∪ (𝒮 × Q1), and since A2 is deterministic, p2 = p′2 = s2.
Now, we can assume that (S1, s2) is chosen so that it is the first state with a restriction along
an initial path. Then, the paths to (P1, s2) and (P′1, s2) generate the same timed word over
(Σ2 \ 𝒮) ∪ (𝒮 × Q1), and by Proposition 2, P1 = P′1 = S1.
Therefore, we have shown the existence of a state (p′1, (S1, s2)) in TTSQ1(A1) ⊗ TTSA1(A2)
that does not enable a, which means that (S1, s2) does not enable a in TTSA1(A2). This contradicts
the fact that there exists s1 ∈ S1 such that (s1, s2) enables a.
4.1 Need for Shared Clocks Revisited
We have argued in Section 3.3 that the existence of a NTA A′1 ‖ A′2 without shared clocks
such that ψ(TTSQ′1(A′1 ‖ A′2)) ∼ TTSQ1(A1 ‖ A2) is not sufficient to capture the idea
that A2 does not need to read the clocks of A1. We are now equipped to define the relations
we want to impose on the separate components, namely ψ(TTSQ′1(A′1)) ∼ TTSQ1(A1) and
ψ(TTSA′1(A′2)) ∼ TTSA1(A2). And since we have seen the importance of labeling the
synchronization actions in contextual TTS by labels in 𝒮 × Q1 rather than in 𝒮, the correspondence
between the synchronization labels of A′1 ‖ A′2 with those of A1 ‖ A2 is now done by a mapping
ψ : 𝒮′ × Q′1 → 𝒮 × Q1.
This settles the problem of the example of Fig. 3 where TTSA1(A′2) ≁ TTSA1(A2) (here
A′1 = A1), but as shown in Fig. 5, a problem remains. In this example, we can see that A2
needs to read clock x of A1 to know whether it has to perform a or b at time 2, and yet
TTSA1(A2) ∼ TTSA1(A′2) (here also A′1 = A1). The intuition to understand this is that the
contextual TTS merge too many states for the two systems to remain differentiable. However
we remark that here, the first condition that we have required in Section 3, namely the global
bisimulation between ψ(TTS(A′1 ‖ A′2)) and TTS(A1 ‖ A2), does not hold.
Figure 5 (labels recovered from the figure: invariant y ≤ 2; edges x = 1, d; x = 1, e, {x}; y = 2 ∧ x = 2, a; y = 2 ∧ x = 1, b; y = 2, a; y = 2, b): A2 needs to read the clocks of A1 and TTSA1(A2) ∼ TTSA1(A′2).
Now we show that the conjunction of global and local bisimulations actually gives the good
definition.
Definition 6 (Need for shared clocks). Given A1 ‖ A2 such that A1 does not read the clocks
reset by A2, we say that A2 does not need to read the clocks of A1 if there exists a NTA A′1 ‖ A′2 without shared
clocks (but with clock copies during synchronizations), using the same sets of local actions and
a mapping ψ : 𝒮′ × Q′1 → 𝒮 × Q1 such that
1. ψ(TTSQ′1(A′1 ‖ A′2)) ∼ TTSQ1(A1 ‖ A2) and
2. ψ(TTSQ′1(A′1)) ∼ TTSQ1(A1) and
3. ψ(TTSA′1(A′2)) ∼ TTSA1(A2).
Notice that this does not mean that the clock constraints that read X1 can simply be removed
from A2 (see Fig. 2).
Lemma 2. If noRestrictionA1(A2) holds, then any NTA A′1 ‖ A′2 without shared clocks that
satisfies items 2 and 3 of Definition 6 also satisfies item 1.
Proof. When noRestrictionA1(A2) holds, then by Lemma 1, TTSQ1(A1) ⊗ TTSA1(A2) ≈


















2)). Remark that applying $\psi$ to the labels before doing the product allows more synchronizations than applying $\psi$ on the TTS of the system, since $\psi$ may merge different labels. We show that, in our case, the two resulting TTS are bisimilar anyway.
For this, let $R_1$ be a bisimulation relation between $\psi(TTS_{Q'_1}(A'_1))$ and $TTS_{Q_1}(A_1)$, and $R_2$ be a bisimulation relation between $\psi(TTS_{A'_1}(A'_2))$ and $TTS_{A_1}(A_2)$. We will build inductively a








2)) such that for any $(q_1, q_2)$ and $(r_1, r_2)$ such that $(q_1, q_2)\,R\,(r_1, r_2)$, there exists a state $s_1$ of $TTS_{Q_1}(A_1)$ and a state $s_2$ of $TTS_{A_1}(A_2)$ such that $q_1\,R_1\,s_1$ and $r_1\,R_1\,s_1$ and $q_2\,R_2\,s_2$ and $r_2\,R_2\,s_2$. The inductive definition of $R$ is as follows. The initial states (which are the same on both sides) are in relation; $R$ is preserved by delays; $R$ is preserved by playing local actions. The key is the treatment of synchronizations: when $(q_1, q_2)\,R\,(r_1, r_2)$ and $q_1 \xrightarrow{a_1} q'_1$ in $TTS_{Q_1}(A_1)$ and $q_2 \xrightarrow{a_2} q'_2$ in $TTS_{A_1}(A_2)$ with $\psi(a_1) = \psi(a_2) = a$, then the existence of the $s_1$ and $s_2$ mentioned earlier























We are now ready to give a criterion to decide the need for shared clocks.
Theorem 1. When $noRestriction_{A_1}(A_2)$ holds, $A_2$ does not need to read the clocks of $A_1$. When $A_2$ is deterministic, this condition becomes necessary.
Proof of Theorem 1, necessary condition when $A_2$ is deterministic. Like in the proof of Lemma 2, we show that for any NTA $A'_1 \parallel A'$





2)) $\sim TTS_{Q_1}(A_1) \otimes TTS_{A_1}(A_2)$. But, by Lemma 1, when $A_2$ is deterministic and $TTS_{A_1}(A_2)$ has restrictions, $TTS_{Q_1}(A_1) \otimes TTS_{A_1}(A_2)$ is not timed bisimilar to $TTS_{Q_1}(A_1 \parallel A_2)$ (not even weakly timed bisimilar, since there are no $\varepsilon$-transitions). Hence any NTA $A'_1 \parallel A'_2$ satisfying items 2 and 3 of Definition 6 does not satisfy item 1.
We remark from the proof that when there is a restriction in $TTS_{A_1}(A_2)$, even infinite $A'_1$ and $A'_2$ would not help. The next section will be devoted to the constructive proof of the direct part of this theorem.
The counterexample in Fig. 4 also works here to argue that the conditions of Lemma 2 and Theorem 1 are not necessary when $A_2$ is not deterministic. Indeed $A'_2$ with only one unguarded edge labeled by $a$ and $A'_1 = A_1$ satisfy the three items of Definition 6, but there is a restriction in $TTS_{A_1}(A_2)$.
5 Constructing a NTA without Shared Clocks
This section is dedicated to proving Theorem 1 by constructing suitable $A'_1$ and $A'_2$. To simplify, we assume that in $A_2$, the guards on the synchronizations do not read $X_1$.
5.1 Construction
First, our $A'_1$ is obtained from $A_1$ by replacing all the labels $a \in S$ on the synchronization edges of $A_1$ by $(a, \ell_1) \in S \times L_1$, where $\ell_1$ is the output location of the edge. Therefore the synchronization alphabet between $A'_1$ and $A'_2$ will be $S' = S \times L_1$, which allows $A'_1$ to transmit its location after each synchronization.
Then, the idea is to build $A'_2$ as a product $A_{1,2} \otimes A_{2,mod}$ ($\otimes$ denotes the product of TA as it is usually defined [AD94]), where $A_{2,mod}$ plays the role of $A_2$ and $A_{1,2}$ acts as a local copy of $A'_1$, from which $A_{2,mod}$ reads clocks instead of reading those of $A'_1$. For this, as long as the automata do not synchronize, $A_{1,2}$ will evolve, simulating a run of $A'_1$ that is compatible with what $A'_2$ knows about $A'_1$. And, as soon as $A'$




2 updates $A_{1,2}$ to the actual state of $A'_1$. If the clocks of $A_{1,2}$ always give the same truth value to the guards and invariants of $A_{2,mod}$ as the actual values of the clocks of $A'_1$, then our construction behaves like $A_1 \parallel A_2$. To check that this is the case, we equip $A'_2$ with an error location, /, and edges that lead to it if there is a contradiction between the values of the clocks of $A'_1$ and the values of the clocks of $A_{1,2}$. The guards of these edges are the only cases where $A'_2$ reads clocks of $A'_1$. Therefore, if / is not reachable, they can be removed so that $A'_2$ does not read the clocks of $A'_1$. More precisely, a contradiction happens when $A_{2,mod}$ is in a given location and the guard of an outgoing edge is true according to $A_{1,2}$ and false according to $A'_1$, or vice versa, or when the invariant of the current location is false according to $A'_1$ (whereas it is true according to $A_{1,2}$, since $A_{2,mod}$ reads the clocks of $A_{1,2}$).
Namely, $S_{mod} = A'$






























[Figure 6 (automata drawing not extracted; the legible edge guard is $x' \ge 1 \wedge x < 1$)]
Figure 6: $A_{1,2}$ and $A_{2,mod}$ for the example of Fig. 2
• each clock $x' \in X'_1$ is associated with a clock $c(x') = x \in X_1$ ($c$ is a bijection from $X'_1$ to $X_1$). For any clock constraint $\gamma$, $\gamma'$ denotes the clock constraint where any clock $x$ of $X_1$ is substituted by $x'$ of $X'_1$.




• $E'_1 = \{\ell_1 \xrightarrow{g', \varepsilon_a, r'}$




$\longrightarrow \ell_2 \in E_1\} \cup \{\ell \xrightarrow{\top, (a, \ell_2), c} \ell_2 \mid \ell \in L_1 \wedge a \in S \wedge \exists \ell_1 \xrightarrow{g, a, r} \ell_2 \in E_1\}$
where $\top$ means true, and $c$ denotes the assignment of any clock $x' \in X'_1$ with the value of its associated clock $c(x') = x \in X_1$ (written $x' := x$ in Fig. 6).








• $\forall \ell \in L_2$, $Inv'_2(\ell) = Inv_2(\ell)'$ and $Inv'_2(/) = \top$,
• $E'_2 = \{\ell_1 \xrightarrow{g', a, r} \ell_2 \mid \ell_1 \xrightarrow{g, a, r} \ell_2 \in E_2 \wedge a \notin S\}$
$\cup\ \{\ell_1 \xrightarrow{g, (a, \ell), r} \ell_2 \mid \ell_1 \xrightarrow{g, a, r} \ell_2 \in E_2 \wedge a \in S \wedge \ell \in L_1\}$
$\cup\ \{\ell \xrightarrow{\neg Inv_2(\ell), \varepsilon, \emptyset} / \mid \ell \in L_2\}$
$\cup\ \{\ell \xrightarrow{g' \wedge \neg g, \varepsilon, \emptyset} / \mid \ell \xrightarrow{g, a, r} \ell' \in E_2 \wedge a \notin S\}$
$\cup\ \{\ell \xrightarrow{\neg g' \wedge g, \varepsilon, \emptyset} / \mid \ell \xrightarrow{g, a, r} \ell' \in E_2 \wedge a \notin S\}$.
For the example of Fig. 2, A1,2 and A2,mod are pictured in Fig. 6.
We now prove the correspondence between a state of $S_{mod}$ and two states of $TTS(A_1 \parallel A_2)$ that are merged into the same state of $TTS_{A_1}(A_2)$. This is stated in the following proposition. A state of $S_{mod}$ is denoted as $(s_1, s_{1,2}, s_2) = \big((\ell_1, v|_{X_1}), (\ell_{1,2}, v|_{X'_1}), (\ell_2, v|_{X_2 \setminus X_1})\big)$. For a given state of $A_{1,2}$, $s_{1,2} = (\ell_{1,2}, v|_{X'_1})$, we denote by $s'_{1,2}$ the state $(\ell_{1,2}, v')$, where $v' : X_1 \to \mathbb{R}_{\ge 0}$ is defined as: for any $x \in X_1$, $v'(x) = v(x')$ (i.e. $s'_{1,2}$ is a state of $A_1$). Reciprocally, for a given state of $A_1$, $s'_{1,2} = (\ell_{1,2}, v')$, $s_{1,2}$ denotes the state $(\ell_{1,2}, v)$, where $v : X'_1 \to \mathbb{R}_{\ge 0}$ is defined as: for any $x' \in X'_1$, $v(x') = v'(x)$.
Proposition 3. Let $(s_1, s_{1,2}, s_2)$ be a state of $S_{mod}$. If along one path that leads to $(s_1, s_{1,2}, s_2)$ no edge leading to / is enabled, then there exists $S_1$ such that $(S_1, s_2)$ is a reachable state of $TTS_{A_1}(A_2)$ and $s_1$ and $s'_{1,2}$ are both in $S_1$.
Conversely, let $(S_1, s_2)$ be a reachable state of $TTS_{A_1}(A_2)$, and $s_1$ and $s'_{1,2}$ be some states in $S_1$. Then $(s_1, s_{1,2}, s_2)$ is a state of $S_{mod}$.
Proof of Proposition 3. Let $(s_1, s_{1,2}, s_2)$ be a reachable state of $S_{mod}$, such that there is a path




2) to $(s_1, s_{1,2}, s_2)$ that does not enable any edges leading to









1,2 are both in $S^0$




2) is the initial state of $TTS_{A_1}(A_2)$.
Now, assume this is true for some $(p_1, p_{1,2}, p_2)$ visited along $\rho$. That is, there exists $P_1$ such that $(P_1, p_2)$ is reachable and $p_1, p'_{1,2} \in P_1$. Then, the next state $s'$ visited along $\rho$ is reached after one of the following steps:
• local action in $A'_1$: $s' = (q_1, p_{1,2}, p_2)$ such that $q_1 \in UR(p_1) \subseteq P_1$,
• local action in $A_{1,2}$: $s$





• local action in $A_2$: $s' = (p_1, p_{1,2}, q_2)$ such that there exists $S'_1$ such that $(S'_1, q_2)$ is reachable from $(P_1, q_2)$ by the same action, and, since no edge leading to / is enabled, both $(p_1, p_2)$





• synchronization: $s' = (q_1, q_{1,2}, q_2)$ such that there exists $S'_1 = UR(q_1)$ such that $(S'_1, q_2)$ is





By recursion, $(s_1, s_{1,2}, s_2)$ also satisfies the property, that is, there exists $S_1$ such that $(S_1, s_2)$ is reachable and $s_1, s'_{1,2} \in S_1$.
Conversely, let us denote by $P(S_1, s_2)$ the fact that for any reachable state $(S_1, s_2)$ of $TTS_{A_1}(A_2)$, for any states $s_1, s'$





1), $(s_1, s_{1,2}, s^0_2)$ is a reachable state, because by construction, $A_{1,2}$ can only mimic (as long as there is no synchronization) one possible behavior of $A_1$ to reach $s_{1,2}$ from $s^0_1$, therefore $P(S^0_1, s^0_2)$ holds. Assume that for some reachable state $(S_1, s_2)$, $P(S_1, s_2)$ holds. Then any state reachable in one step from $(S_1, s_2)$ is reached by one of the following steps.



































1, $(s_1, s_{1,2}, s'_2)$ can be reached from some $(p_1, p_{1,2}, s_2)$ such that $p_1, p'_{1,2} \in S_1$. Indeed, in $S_{mod}$, synchronization $((a, \ell'_1), s'_1)$ resets $A_{1,2}$ in the same state as $A_1$, and then $A_1$ performs some local actions while $A_{1,2}$ also performs some local actions mimicking one













2), then we use the same reasoning as for a synchronization. Since $A_{1,2}$ is built so that it mimics any possible behavior of $A_1$ between synchronizations, any state $s'_{1,2} \in S'_1$ reachable by $A_1$ during this delay corresponds to a





By recursion, $P(S_1, s_2)$ holds for any reachable state $(S_1, s_2)$.
Lastly, the following lemma will be used to prove the direct part of Theorem 1.
Lemma 3. / is reachable in $S_{mod}$ iff there is a restriction in $TTS_{A_1}(A_2)$.
Proof. Assume / is not reachable in $S_{mod}$. From Proposition 3, we know that for any state $(S_1, s_2)$ of $TTS_{A_1}(A_2)$, for any $s_1, s'_{1,2}$ in $S_1$, there is a corresponding state $s = \big((\ell_1, v|_{X_1}), (\ell_{1,2}, v|_{X'_1}), (\ell_2, v|_{X_2 \setminus X_1})\big) = (s_1, s_{1,2}, s_2)$ of $S_{mod}$. Moreover, for any such $s$, if there is an outgoing edge towards / from $\ell_2$, then this edge is never enabled. That is, for any time
constraint $\gamma$ read in $\ell_2$ in the original system $S$ (invariant of $\ell_2$ or guard of an outgoing edge with a local action), $v|_{X_2 \cup X_1} \models \gamma \iff v|_{(X_2 \setminus X_1) \cup X'_1} \models \gamma'$. Hence for any enabled step from $(S_1, s_2)$, $s_1$ and $s'_{1,2}$ are in the same restriction. Therefore, $noRestriction_{A_1}(A_2)$.
Assume / is reachable in $S_{mod}$. From Proposition 3, we know that for any state $s = \big((\ell_1, v|_{X_1}), (\ell_{1,2}, v|_{X'_1}), (\ell_2, v|_{X_2 \setminus X_1})\big) = (s_1, s_{1,2}, s_2)$ of $S_{mod}$, reached after a path that does not enable edges leading to / (except maybe from this last state), there is a corresponding state $(S_1, s_2)$ of $TTS_{A_1}(A_2)$ such that $s_1$ and $s'_{1,2}$ are both in $S_1$. If / can be reached, then consider a path that reaches / and such that no edge leading to / was enabled before along the path. The last state $s$ of $S_{mod}$ visited before / is such that for some time constraint $\gamma$ evaluated at $s$ from $\ell_2$, $v|_{X_2 \cup X_1} \models \gamma$ and $v|_{(X_2 \setminus X_1) \cup X'_1} \not\models \gamma'$ (or conversely). Therefore, a local action or local delay is possible from $(s_1, s_2)$ and not from $(s'_{1,2}, s_2)$. Hence $(S_1, s_2)$ is a state with a restriction.
We now give a first simple case for which Theorem 1 can be proved easily. We say that $A_1$ has no urgent synchronization if for any location, when the invariant reaches its limit, a local action is enabled. Under this assumption, we can show that $A'_2 = A_{1,2} \otimes A'_{2,mod}$, where $A'_{2,mod}$ is $A_{2,mod}$ without location / (which is never reached according to Lemma 3) and its ingoing edges, is suitable. Indeed, we can show that $A'_2$ does not read $X_1$ and is such that $\psi(TTS_{A'_1}(A'_2)) \sim TTS_{A_1}(A_2)$, where for any $((a, \ell_1), s_1) \in S' \times Q'_1$, $\psi(((a, \ell_1), s_1)) = (a, s_1)$. Obviously, item 2 of Definition 6 holds, and Lemma 2 says that item 1 also holds.
When $A_1$ has urgent synchronizations, this construction allows one to check the absence of restriction in $TTS_{A_1}(A_2)$, but it does not directly give a suitable $A'_2$. We will give the idea of the construction of $A'_2$ for the general case later.
Proof of Theorem 1, direct part, when there is no urgent synchronization in $A_1$. Assume $noRestriction_{A_1}(A_2)$. We consider $A'$




2,mod is $A_{2,mod}$ without / (which is never reached according to Lemma 3) and its ingoing edges. Therefore, $A'_{2,mod}$ does




2,mod. Below we show that $A'_2$ is a suitable candidate because $\psi(TTS_{A'_1}(A'_2)) \sim TTS_{A_1}(A_2)$ ($\psi(TTS_{Q'_1}(A'_2)) \sim TTS_{Q_1}(A_1)$ obviously holds).
Let $R$ be the relation such that for any reachable state $(S_1, s_2)$ of $TTS_{A_1}(A_2)$, and any















$s_2 = (\ell_2, v_2)$ and $s'_2 = ((\ell_{1,2}, \ell_2), v'_2)$ s.t.




i.e. $A_2$ and $A'_{2,mod}$ are both in $\ell_2$ and their local clocks have the same value, and $A_1$ and $A'_1$ are in indistinguishable states (states merged in a same contextual state $S_1$). Obviously, the initial






2), are $R$-related. Since there is no marked state in $TTS_{A_1}(A_2)$ (resp. in $TTS_{A'_1}(A'_2)$), for any state $s = (S_1, s_2)$ (resp. $s' = (S'_1, s'_2)$) of this TTS, all time constraints read by automaton 2 in $\ell_2$ (invariant of $\ell_2$ and guards of the outgoing edges) have the same truth value for all the states $(s_1, s_2)$ such that $s_1 \in S_1$ (resp. $s_1 \in S'_1$). In the sequel, we say that valuation $V$ of $s$ (resp. $V'$ of $s'$) satisfies constraint $g$, when the valuations of all states $(s_1, s_2)$





$(S_1, s_2)\,R\,(S'_1, s'_2)$.
Local Action. If $a \in \Sigma_2 \setminus \Sigma_1$ is enabled from $(S_1, s_2)$, then there is an associated edge in $A_2$, $\ell_2 \xrightarrow{g, a, r} p_2$, such that guard $g$ is satisfied by $V$. Let $g'$ be the guard on the corresponding outgoing edge $(\ell_{1,2}, \ell_2) \xrightarrow{g', a, r} (\ell_{1,2}, p_2)$ in $A'_2$. $g$ uses clocks in $X_2$, and by construction, $g'$ has the same form but with clocks in $(X_2 \setminus X_1) \uplus X'$




2) says that $v_2$ and $v'_2$ coincide on $X_2 \setminus X_1$, and since / is never reached in $S_{mod}$, $V$ satisfies the constraints of $g$ on $X_1$ iff
$V'$ satisfies the constraints of $g'$ on $X'_1$. That is, $V \models g \iff V' \models g'$. Therefore $A'_2$ can also perform $a$ from $(S_1, s'_2)$ and the states reached in both systems are $R$-related: $(S_1, q_2)\,R\,(S_1, q'_2)$, because $q_2 = (p_2, v_2[r])$ and $q'_2 = ((\ell_{1,2}, p_2), v'_2[r])$. This also holds reciprocally.
Synchronization. Assume for some $(a, s'_1) \in S \times Q_1$, $(S_1, s_2) \xrightarrow{a, s'_1} (S'_1, q_2)$. That is, there is an edge $\ell_2 \xrightarrow{g_2, a, r_2} p_2$ in $A_2$ such that $v_2 \models g_2$ and $q_2 = (p_2, v_2[r_2])$ and, for some $(\ell_1, v_1) \in S_1$, an edge $\ell_1 \xrightarrow{g_1, a, r_1}$





1) is also enabled from state $(S_1, s'_2)$ because $A_{2,mod}$ is in the same location as $A_2$ and has the same clock values over $X_2 \setminus X_1$, and $A'_1$ is also in some state of $S_1$; therefore, there is also the same state $(\ell_1, v_1) \in S_1$ which enables $(a, p_1)$. We do not consider $A_{1,2}$ because it is always ready to synchronize. Moreover, the state reached in $\psi(TTS_{A'_1}(A'_2))$ after this synchronization is $(S'_1, q'_2)$ such that $(S'$












where $c$ denotes the copy of the clocks of $X_1$ into their associated clocks of $X'_1$, and therefore $c$ modifies only clocks that we do not consider in relation $R$, and $r_2 \subseteq C_2 \subseteq (X_2 \setminus X_1)$ resets the same clocks in both systems. And reciprocally.
Local Delay. Assume for some $d \in \mathbb{R}_{\ge 0}$, $(S_1, s_2) \xrightarrow{d} (S'_1, q_2)$. Then, $V + d \models Inv_2(\ell_2)$, and since / is never reached in $S_{mod}$, $V + d \models Inv_2(\ell_2) \iff V' + d \models Inv'_2(\ell_2)$. That is, the same delay is enabled from $(S_1, s$















${}_{i=0}\, d_i = d$, $g_i$ is a guard over $X'_1$ and $r_i$ is a reset included in $X'_1$. This works because we assumed that $A_1$ has no urgent synchronization (and neither does $A'_1$). Therefore, $A_{1,2}$ cannot force a synchronization.
Reciprocally, if we can perform a delay $d$ from $(S_1, s'_2)$, then $V' + d \models Inv'_2(\ell_2) \wedge Inv'_1(\ell_{1,2})$. And since $V + d \models Inv_2(\ell_2) \iff V' + d \models Inv'_2(\ell_2)$, we can perform the same delay from $(S_1, s_2)$.
Moreover, we reach equivalent states in both systems. Indeed, $A_2$ and $A'_{2,mod}$ stay in the same location, the clocks in $X_2 \setminus X_1$ increase their value by $d$, and the set of states of $A_1$ and $A'_1$




1 $\mid \exists s_1 \in S_1, w \in TW(\Sigma_1 \setminus \Sigma_2^{\not\varepsilon}, d) : (s_1, s_2) \xRightarrow{w} (s'_1, q_2)\}$.
Therefore, $R$ is a weak timed bisimulation and $\psi(TTS_{A'_1}$





2)) $\sim TTS_{Q_1}(A_1 \parallel A_2)$ also, and $A_2$ does not need to read $X_1$.
In the example of Fig. 2, / is not reachable in $S_{mod}$ (see Fig. 6), therefore $A_2$ does not need to read $X_1$. For an example where / is reachable, consider the same example with an additional edge $\xrightarrow{\top, f, \{x\}}$ from the end location of $A_1$ to a new location. Location / can now be reached in $S_{mod}$: for example, consider a run where $s$ is performed at time 2, leading to a state where $v(x) = 2$ and $v(x') = 2$, and then $A_1$ immediately performs $f$ and resets $x$, leading to a state where the valuation $v'$ is such that $v'(x) = 0$ and $v'(x') = 2$, and satisfies guard $x' \ge 1 \wedge x < 1$ in $S_{mod}$. Therefore, with this additional edge in $A_1$, $A_2$ needs to read $X_1$. Indeed, without this edge, $A_2$ knows that $A_1$ cannot modify $x$ after the synchronization, but with this edge, $A_2$ does not know whether $A_1$ has performed $f$ and reset $x$, while this may change the truth value of its guard $x \ge 1$.
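The construction of Subsection 5.1 and the error-edge check on the $f$ scenario just discussed, as an added example that is not code from the paper: it builds $A'_1$, $A_{1,2}$ and $A_{2,mod}$ from a constructed two-automaton NTA in the spirit of Fig. 2 and evaluates the guards of the edges towards / of $A_{2,mod}$ on the two valuations of the scenario above. The formula encoding, the location names, and the treatment of the local edges of $A_{1,2}$ (whose definition is garbled on the page) are assumptions.

```python
# Added example, not the paper's code: the syntactic construction of Subsection 5.1
# (A'_1, A_{1,2} and A_{2,mod}) on a constructed NTA in the spirit of Fig. 2 / Fig. 6.
# Guards are small boolean formulas over clock atoms: ("true",), ("atom", clock, op, k),
# ("not", f), ("and", f, g).  An edge is a tuple (src, guard, label, resets, dst).

TRUE = ("true",)
ERR = "/"        # the error location of A_{2,mod}
COPY = "copy"    # stands for the assignment c: x' := x for every x in X_1
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def atom(clock, op, k):
    return ("atom", clock, op, k)

def primed(f, X1):
    """gamma': substitute every clock x of X_1 by its copy x' of X'_1."""
    if f[0] == "true":
        return f
    if f[0] == "atom":
        _, c, op, k = f
        return ("atom", c + "'" if c in X1 else c, op, k)
    if f[0] == "not":
        return ("not", primed(f[1], X1))
    return ("and", primed(f[1], X1), primed(f[2], X1))

def holds(f, v):
    """Truth value of a constraint under a clock valuation v (dict clock -> value)."""
    if f[0] == "true":
        return True
    if f[0] == "atom":
        _, c, op, k = f
        return OPS[op](v[c], k)
    if f[0] == "not":
        return not holds(f[1], v)
    return holds(f[1], v) and holds(f[2], v)

def build_A1_prime(edges1, S):
    """A'_1: a synchronization label a in S becomes (a, l_1), l_1 the output location."""
    return [(src, g, (a, dst) if a in S else a, r, dst) for src, g, a, r, dst in edges1]

def build_A12(edges1, L1, X1, S):
    """A_{1,2} (E'_1), the local copy of A'_1.  Assumption (that part of the definition
    is garbled on the page): local edges keep their shape, over X'_1, with label eps_a."""
    local = [(src, primed(g, X1), ("eps", a), frozenset(x + "'" for x in r), dst)
             for src, g, a, r, dst in edges1 if a not in S]
    sync = [(l, TRUE, (a, dst), COPY, dst)
            for l in L1 for _, _, a, _, dst in edges1 if a in S]
    return local + sync

def build_A2_mod(edges2, inv2, L1, X1, S):
    """A_{2,mod} (E'_2): local guards read X'_1 instead of X_1, synchronizations carry
    the location of A'_1, and an edge to ERR is enabled on each possible contradiction."""
    out = []
    for src, g, a, r, dst in edges2:
        if a not in S:
            out.append((src, primed(g, X1), a, r, dst))
            out.append((src, ("and", primed(g, X1), ("not", g)), "eps", frozenset(), ERR))
            out.append((src, ("and", ("not", primed(g, X1)), g), "eps", frozenset(), ERR))
        else:
            out.extend((src, g, (a, l), r, dst) for l in L1)
    for l, inv in inv2.items():
        out.append((l, ("not", inv), "eps", frozenset(), ERR))
    return out

def copy_clocks(v, X1):
    """The assignment c performed at synchronization: x' := x for every x in X_1."""
    w = dict(v)
    w.update({x + "'": v[x] for x in X1})
    return w

def enabled_error_edges(edges, loc, v):
    """Edges of A_{2,mod} from loc towards ERR whose guard holds under v."""
    return [e for e in edges if e[0] == loc and e[4] == ERR and holds(e[1], v)]

# Constructed input: A_1 owns clock x and synchronizes on s; A_2 has a local edge guarded
# by x >= 1, i.e. it reads a clock of A_1 (compare the guard x' >= 1 /\ x < 1 of Fig. 6).
X1 = {"x"}
L1 = ["l0", "l1"]
S = {"s"}
EDGES1 = [("l0", atom("x", "<", 1), "c", frozenset(), "l0"),
          ("l0", TRUE, "s", frozenset(), "l1")]
EDGES2 = [("m0", TRUE, "s", frozenset(), "m1"),
          ("m1", atom("x", ">=", 1), "a", frozenset(), "m2")]
INV2 = {"m0": TRUE, "m1": TRUE, "m2": TRUE}

if __name__ == "__main__":
    a2mod = build_A2_mod(EDGES2, INV2, L1, X1, S)
    after_sync = copy_clocks({"x": 2, "x'": 0}, X1)        # s fired at time 2: x' := x
    after_reset = dict(after_sync, x=0)                      # A_1 then resets x (edge f)
    print(enabled_error_edges(a2mod, "m1", after_sync))      # []
    print(len(enabled_error_edges(a2mod, "m1", after_reset)))  # 1
```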
5.2 Complexity
PSPACE-hardness. The reachability problem for timed automata is known to be PSPACE-complete [AD90]. We will reduce this problem to our problem of deciding whether $A_2$ needs to read the clocks of $A_1$. Consider a timed automaton $A$ over alphabet $\Sigma$, with some location $\ell$.
Build the timed automaton $A_2$ as $A$ augmented with two new locations $\ell'$ and $\ell''$ and two edges, $\ell \xrightarrow{\top, \varepsilon, \emptyset} \ell'$ and $\ell' \xrightarrow{x = 1, a, \emptyset} \ell''$, where $x$ is a fresh clock, and $a$ is some action in $\Sigma$. Let $A_1$ be the one of Fig. 4 with an action $b \notin \Sigma$. Then, $\ell$ is reachable in $A$ iff $A_2$ needs to read $x$, which belongs to $A_1$. Therefore the problem of deciding whether $A_2$ needs to read the clocks of $A_1$ is also PSPACE-hard.
PSPACE-membership. Moreover, we can show that when $A_2$ is deterministic, our problem is in PSPACE. Indeed, by Theorem 1 and Lemma 3, / is not reachable iff $noRestriction_{A_1}(A_2)$ iff $A_2$ does not need to read the clocks of $A_1$. Since the size of the modified system on which we check the reachability of / is polynomial in the size of the original system, our problem is in PSPACE.
5.3 Dealing with Urgent Synchronizations
If we use exactly the same construction as before and allow urgent synchronizations, the following




1 plays its actual run. There is no reason why the two runs should coincide. Thus it may happen that the run simulated by $A_{1,2}$ reaches a state where the invariant expires and only a synchronization is possible. Then $A'_2$ is expecting a synchronization with $A'_1$, but it is possible that the actual $A'_1$ has not reached a state that enables this synchronization. Intuitively, $A'_2$ should then realize that the simulated run cannot be the actual one and try another run compatible with the absence of synchronization.
But it is simpler to avoid this situation, which we can do by forcing $A_{1,2}$ to simulate one of the runs of $A'_1$ (from the state reached after the last synchronization) that has maximal duration before it synchronizes again with $A_{2,mod}$ (or never synchronizes again if possible).$^1$ This choice of a run of $A'_1$ is as valid as the others, and it prevents the system from having to deal with the subtle situation that we described above.
For example, consider automaton $A_1$ in Fig. 7 (it is the same as in Fig. 2 without the edge labeled by $c$ and with guard $x \le 1$ instead of $x < 1$). We can see that $A_{1,2}$ has to fire $b$ at time 1 and is able to wait 3 time units before synchronizing, although it is still able to synchronize at any time (we add the same dashed edges as in Fig. 6). This can be generalized for any $A_1$. The idea is essentially to force $A_{1,2}$ to follow the appropriate finite or ultimately periodic path in the region automaton [AD94] of $A_1$. The construction is illustrated by Fig. 8 and 9.
More precisely, $A_{1,2}$ is now built over the region automaton [AD94] of $A_1$. Transitions labeled by some $a \in S$ are treated separately, like in the original construction. The problem now is to constrain $A_{1,2}$ to take one of the most time consuming runs between two synchronizations. Consider a state $q$ in the region graph with synchronizations removed. If one of the paths from $q$ has a loop, then there is an infinite execution from $q$ with local actions, and since we considered non-Zeno TA, this implies that time diverges and we can impose this execution. If no path from $q$ contains a loop, then these paths are finite and there is a finite number of such paths. It is possible to compute, for each path, the supremum of the time spent in this path (including the time spent in the last location) and select the largest one (which may be infinite).
Assuming that this supremum is reached$^2$, we can impose one of the most time consuming runs using a fresh clock and the appropriate guards and invariants.
Lastly, for each synchronizing edge in $A_1$, and each corresponding output state in the region automaton, we add synchronizing edges from all locations to the location associated with this output state. These edges are labeled by “$\gamma, (a, \ell_1), c$”, where $\gamma$ is the constraint that describes the region associated with the target state, $a$ is the synchronization label in $A_1$, $\ell_1$ is the output location of the synchronization in $A_1$, and $c$ is the copy of clock values.
Then we prove, in the same way as in Subsection 5.1, that $A'_2 = A_{1,2} \otimes A'_{2,mod}$ is a suitable candidate even when urgent synchronizations are allowed.
Indeed, with this construction, between two synchronizations, $A_{1,2}$ models one specific execution, $\sigma'_1$, of $A_1$. And if / is never reached, then this means that any execution of $A_1$ is equivalent to this execution $\sigma'_1$, w.r.t. what $A_2$ tests. Hence, all executions of $A_1$ are equivalent w.r.t. what $A_2$ tests.
Finally, for automaton $A_1$ in Fig. 7, we get the region automaton of Fig. 8. After the synchronizations are removed, 6 final states can be reached from the initial state, with 6 possible paths. For each one of them, we compute the most time consuming one (we sum the maximal delays in each location, so that the path is possible, and we add the maximal delay in the last location). All paths with action $a$ have maximal duration of 3, and the path with action $b$ has
Therefore, we impose the firing of $b$ at time 1 in $A_{1,2}$, with adequate timing constraints, using a new clock, $z$. Lastly we get the automaton $A_{1,2}$ of Fig. 9.
[Figure 7 (automaton drawing not extracted)]
Figure 7: $A_1$ has an urgent synchronization
[Figure 8 (region automaton drawing not extracted)]
Figure 8: Region automaton of $A_1$ of Fig. 7
$^1$ There may not be any maximum if some time constraints are strict inequalities, but the idea can be adapted even to this case.
$^2$ If the supremum is finite and is not reached, then the construction can still be adapted. The idea is to follow the path until the last region with some possible timing. When it is reached, $A_{2,mod}$ can stop using the values of the clocks of $A_{1,2}$ to evaluate the truth value of its time constraints over clocks of $A_1$, but simply take their truth value according to the last region. These truth values can be used by $A_{2,mod}$ since they correspond to a path of $A_1$ similar to but more time consuming than the simulated one.








[Figure 9 (automaton drawing not extracted; the legible edge labels are $2 < x < 3, (s, \ell_2), x' := x$; $x = 3, (s, \ell_2), x' := x$; $x = 2, (s, \ell_2), x' := x$)]
Figure 9: $A_{1,2}$ associated with $A_1$ of Fig. 7. Dotted lines denote edges that are not represented.
6 Conclusion
We have shown that in a distributed framework, when locality of actions and synchronizations
matter, NTA with shared clocks cannot be easily transformed into NTA without shared clocks.
The fact that the transformation is possible can be characterized using the notion of contextual
TTS which represents the knowledge of one automaton about the other. Checking whether the
transformation is possible is PSPACE-complete.
One conclusion is that, contrary to what happens when one considers the sequential semantics,
NTA with shared clocks are strictly more expressive if we take distribution into account. This
somehow justifies why shared clocks were introduced: they are actually more than syntactic
sugar.
Another interesting point that we want to recall here is the use of transmitting information during synchronizations. It is noticeable that infinitely precise information is required in general. This advocates for updatable (N)TA used in an appropriate way, and more generally gives a flavor of a class of NTA closer to implementation.
Perspectives. Our first perspective is to generalize our result to the symmetrical case where $A_1$ also reads clocks from $A_2$. Then of course we can tackle general NTA with more than two automata.
Another line of research is to focus on transmission of information. The goal would be to minimize the information transmitted during synchronizations, and to see for example where the limits of finite information lie. Even when infinitely precise information is required to achieve the exact semantics of the NTA, it would be interesting to study how this semantics can be approximated using finitely precise information.
Finally, when shared clocks are necessary, one can discuss how to minimize them, or how to
implement the model on a distributed architecture and how to handle shared clocks with as few
communications as possible.
References
[ABG+08] S. Akshay, Benedikt Bollig, Paul Gastin, Madhavan Mukund, and K. Narayan Kumar. Distributed timed automata with independently evolving clocks. In Franck van Breugel and Marsha Chechik, editors, CONCUR 2008, volume 5201 of LNCS, pages 82–97. Springer, Heidelberg, 2008.
[AD90] Rajeev Alur and David Dill. Automata for modeling real-time systems. In Michael Paterson, editor, ICALP 1990, volume 443 of LNCS, pages 322–335. Springer, Heidelberg, 1990.
[AD94] Rajeev Alur and David Dill. A theory of timed automata. Theor. Comput. Sci., 126(2):183–235, 1994.
[BC12] Sandie Balaguer and Thomas Chatain. Avoiding shared clocks in networks of timed automata. In Maciej Koutny and Irek Ulidowski, editors, CONCUR 2012, Lecture Notes in Computer Science, Newcastle, UK, September 2012. Springer, Heidelberg. To appear.
[BCH+05] Béatrice Bérard, Franck Cassez, Serge Haddad, Didier Lime, and Olivier H. Roux. Comparison of the expressiveness of timed automata and time Petri nets. In Paul Pettersson and Wang Yi, editors, FORMATS 2005, volume 3829 of LNCS, pages 211–225. Springer, Heidelberg, 2005.
[BCH12] Sandie Balaguer, Thomas Chatain, and Stefan Haar. A concurrency-preserving translation from time Petri nets to networks of timed automata. FMSD, 2012.
[BDFP04] Patricia Bouyer, Catherine Dufourd, Emmanuel Fleury, and Antoine Petit. Updatable timed automata. Theor. Comput. Sci., 321(2-3):291–345, 2004.
[BDKP91] Eike Best, Raymond R. Devillers, Astrid Kiehn, and Lucia Pomello. Concurrent bisimulations in Petri nets. Acta Inf., 28(3):231–264, 1991.
[BDM+98] Marius Bozga, Conrado Daws, Oded Maler, Alfredo Olivero, Stavros Tripakis, and Sergio Yovine. Kronos: a model-checking tool for real-time systems. In Alan J. Hu and Moshe Y. Vardi, editors, CAV 1998, volume 1427 of LNCS, pages 546–550. Springer, Heidelberg, 1998.
[BDMP03] Patricia Bouyer, Deepak D’Souza, P. Madhusudan, and Antoine Petit. Timed control with partial observability. In Warren A. Hunt, Jr and Fabio Somenzi, editors, CAV 2003, volume 2725 of LNCS, pages 180–192. Springer, Heidelberg, 2003.
[BHR06] Patricia Bouyer, Serge Haddad, and Pierre-Alain Reynier. Timed unfoldings for networks of timed automata. In Susanne Graf and Wenhui Zhang, editors, ATVA 2006, volume 4218 of LNCS, pages 292–306. Springer, Heidelberg, 2006.
[BJLY98] Johan Bengtsson, Bengt Jonsson, Johan Lilius, and Wang Yi. Partial order reductions for timed systems. In CONCUR 1998, volume 1466 of LNCS, pages 485–500. Springer, Heidelberg, 1998.
[BR08] Marc Boyer and Olivier H. Roux. On the compared expressiveness of arc, place and transition time Petri nets. Fundam. Inform., 88(3):225–249, 2008.
[CCJ06] Franck Cassez, Thomas Chatain, and Claude Jard. Symbolic unfoldings for networks of timed automata. In Susanne Graf and Wenhui Zhang, editors, ATVA 2006, volume 4218 of LNCS, pages 307–321. Springer, Heidelberg, 2006.
[CGL93] Karlis Cerans, Jens Chr. Godskesen, and Kim Guldstrand Larsen. Timed modal specification - theory and tools. In Costas Courcoubetis, editor, CAV 1993, volume 697 of LNCS, pages 253–267. Springer, Heidelberg, 1993.
[CR06] Franck Cassez and Olivier H. Roux. Structural translation from time Petri nets to timed automata. Jour. of Systems and Software, 2006.
[Dim09] Cătălin Dima. Positive and negative results on the decidability of the model-checking problem for an epistemic extension of timed CTL. In TIME, pages 29–36. IEEE Computer Society, 2009.
[DL07] Cătălin Dima and Ruggero Lanotte. Distributed time-asynchronous automata. In Cliff B. Jones, Zhiming Liu, and Jim Woodcock, editors, ICTAC 2007, LNCS, pages 185–200. Springer, Heidelberg, 2007.
[DLLN09] Alexandre David, Kim G. Larsen, Shuhao Li, and Brian Nielsen. Timed testing under partial observability. In ICST, pages 61–70. IEEE Computer Society, 2009.
[HFMV95] Joseph Y. Halpern, Ronald Fagin, Yoram Moses, and Moshe Y. Vardi. Reasoning About Knowledge. MIT Press, 1995.
[LNZ05] Denis Lugiez, Peter Niebert, and Sarah Zennou. A partial order semantics approach to the clock explosion problem of timed automata. Theor. Comput. Sci., 345(1):27–59, 2005.
[LPY97] Kim G. Larsen, Paul Pettersson, and Wang Yi. Uppaal in a nutshell. Jour. on Software Tools for Technology Transfer, 1(1-2):134–152, 1997.
[MF76] P. M. Merlin and David J. Farber. Recoverability of communication protocols – implications of a theoretical study. IEEE Transactions on Communications, 24, 1976.
[Min99] Marius Minea. Partial order reduction for model checking of timed automata. In Jos C. M. Baeten and Sjouke Mauw, editors, CONCUR 1999, volume 1664 of LNCS, pages 431–446. Springer, Heidelberg, 1999.
[Rei84] John Reif. The complexity of two-player games of incomplete information. Jour. Computer and Systems Sciences, 29:274–301, 1984.
[Srb08] Jirí Srba. Comparing the expressiveness of timed automata and timed extensions of Petri nets. In Franck Cassez and Claude Jard, editors, FORMATS 2008, volume 5215 of LNCS, pages 15–32. Springer, Heidelberg, 2008.
[vGG01] Rob J. van Glabbeek and Ursula Goltz. Refinement of actions and equivalence notions for concurrent systems. Acta Inf., 37(4/5):229–327, 2001.
[WL04] Bozena Wozna and Alessio Lomuscio. A logic for knowledge, correctness, and real time. In João Alexandre Leite and Paolo Torroni, editors, CLIMA 2004, volume 3487









Domaine de Voluceau - Rocquencourt
BP 105 - 78153 Le Chesnay Cedex
inria.fr
ISSN 0249-6399
