From Scenarios to Optimally Allocated Timed Automata by Vuppula, Sandeep
From Scenarios to Optimally Allocated Timed Automata
A THESIS
SUBMITTED TO THE FACULTY OF THE GRADUATE SCHOOL
OF THE UNIVERSITY OF MINNESOTA
BY
Sandeep Vuppula
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE DEGREE OF
MASTER OF SCIENCE
Dr. Neda Saeedloei
June 2017
© Sandeep Vuppula 2017
Acknowledgements
I would first like to thank my advisor Dr. Neda Saeedloei for her constant guidance and
support in completing my thesis. Without her motivation and careful supervision, this work
would never have taken shape.
I would like to thank my committee members, Dr. Haiyang Wang, and Dr. Ping Zhao
for their time and valuable comments to better my work. I would like to thank my graduate
instructors Dr. Peter Peterson, Dr. Neda Saeedloei, Dr. Ted Pedersen, and Dr. Richard
Maclin for sharing their vast knowledge and helping me understand the theoretical and
practical concepts in Computer Science. I would also like to thank Lori Lucia, Clare Ford
and Jim Luttinen for their assistance.
I would like to thank the members of my research group, Swathi Vallabhajosyula and
Vaclav Hasenohrl for their ideas and discussions during the completion of my thesis.
Finally, I would like to thank my parents and my sister for their unconditional love
and trust during all times of my life. Without them, none of my success would have been
achieved.
Dedication
I dedicate this thesis to
my mom,
Mrs. Praveena Devi Vuppula,
my dad,
Mr. Ramachandram Vuppula,
my sister,
Ms. Swetha Vuppula,
and all of my friends.
Abstract
Our contribution is twofold. First, we develop a new method for synthesizing a formal model of a real-time system from scenarios. Scenarios describe partial behaviours of real-time systems during some time interval. We propose Timed Event Sequences to formally express scenarios. Given a set of scenarios as Timed Event Sequences, along with a mode graph, we propose a method to automatically construct a minimal, acyclic, and deterministic timed automaton that models the specified aspects of the system.
Second, we consider the problem of optimally allocating clocks in timed automata. Reducing the number of clocks in a timed automaton is important, as it directly affects the complexity of the verification problem. Given a timed automaton, it is undecidable, in general, to check whether there exists another timed automaton that accepts the same language but has fewer clocks [9]. We identify a fairly general class of timed automata and propose a polynomial-time algorithm for optimally allocating clocks to timed automata in this class. The previous approaches [10, 6] changed the shape of the graph of the original timed automaton by constructing bisimilar timed automata. Our method does not change the graph of the timed automaton. The cost of our algorithm is quadratic in the size of the underlying graph of the timed automaton.
Contents
Contents
List of Figures
1 Introduction
2 Background
2.1 Background
2.1.1 Modeling Time
2.1.2 Finite State Automata
2.1.3 ω-automata
2.1.4 Timed Automata
2.1.5 Model Checking
2.1.6 UPPAAL
3 Synthesis of Timed Automata from Scenarios
3.1 Formal Description of Mode Graphs and Timed Event Sequences
3.1.1 Mode Graph
3.1.2 Timed Event Sequences
3.2 Generating Timed Automata from Scenarios
3.2.1 Constructing a Time Annotated Graph from Scenarios
3.2.2 Constructing a Timed Automaton from Time Annotated Graph
4 Optimal Clock Allocation of Timed Automata
4.1 Liveness Analysis of Clocks
4.2 Clock Allocation
5 Case Studies
5.0.1 Automated Teller Machine
5.0.2 Light Control System
5.0.3 Fuel Management System
5.0.4 Train and Railroad Crossing System
5.0.5 Traffic Light System
5.0.6 CSMA/CD Protocol
6 Conclusions
Bibliography
List of Figures
2.1 Timed automaton
2.2 Overview of UPPAAL
3.1 Mode Graph for ATM
3.2 A mode graph and a scenario satisfying the dominance assumption
3.3 Two TES corresponding to the ATM machine
3.4 Time annotated graph synthesized from two TES in Figure 3.3
3.5 Timed automaton constructed from time annotated graph in Figure 3.4
4.1 A simple timed automaton
4.2 A simple optimally allocated timed automaton
4.3 A timed automaton satisfying the dominance assumption
4.4 A timed automaton with problematic states and families
4.5 A timed automaton with problematic states
5.1 Timed Event Sequences of the ATM
5.2 The timed automaton synthesized from Scenario 1 and Scenario 2
5.3 Mode graph of the ATM
5.4 Timed Event Sequences of the ATM with withdraw and deposit options
5.5 The synthesized timed automaton of the ATM
5.6 Mode graph of the Light Control System
5.7 Timed Event Sequences of the Light Control System
5.8 Timed automaton of the Light Control System
5.9 Mode graph of the Fuel Management System
5.10 Timed Event Sequences of the Fuel Management System
5.11 Timed automaton of the Fuel Management System
5.12 Mode graph of the Train And Railroad Crossing System
5.13 Timed Event Sequences of the Train And Railroad Crossing System
5.14 Timed automaton of the Train And Railroad Crossing System
5.15 Timed automaton of the Traffic Light
5.16 The optimally allocated timed automaton of the Traffic Light
5.17 The timed automaton for the sender in CSMA/CD protocol
5.18 The optimally allocated timed automaton for the sender in CSMA/CD protocol
1 Introduction
Model-based design is an effective method for designing real-time systems. Building a formal model is useful in the analysis, design and verification of complex systems: a formal model of a system gives us a better understanding of how the final implementation will behave in the real world. However, building formal models for systems is challenging because good formal requirements specifications are rarely available. Requirements are often given at a low level, or they are incomplete and ambiguous. Low-level requirements are hard to understand and cannot be used directly for modeling, while incomplete and ambiguous requirements often lead to unwanted behaviours. In most real-time systems, where safety is critical, such unwanted behaviours are not acceptable. Modeling a system formally helps us understand its desired and undesired behaviours. Thus, given the lack of satisfactory formal requirements, modeling is crucial in the process of constructing real-time systems. Before building the model of a system, the following questions should be answered first:
1. How should the requirements be expressed formally, and
2. How can the formal model of a real-time system be constructed from the requirements?
One approach to building a formal model is to use scenarios. A scenario is a partial description of the behaviour of a system. Building a formal model from scenarios helps us construct a model of the system and understand the intricacies involved in developing such systems. The formal models we build are timed automata [2]. Our method for constructing such automata includes two steps:
1. First, we synthesize a timed automaton from a set of scenarios.
2. Second, we optimally allocate clocks in the constructed timed automaton.
Scenarios must be expressed formally before a formal model of a real-time system can be constructed from them. We introduce Timed Event Sequences (TES) to represent scenarios formally, and we use mode graphs to specify the legal events that can occur in the system. The mode graph depicts the interaction between the various modes of a system. A set of scenarios represented as Timed Event Sequences (TES) and a mode graph are used to generate a deterministic, acyclic timed automaton with a minimal number of states.
Most of the work on building formal models from requirements has been done in the context of untimed systems. Not much work has been done on synthesizing formal models of real-time systems from scenarios [17, 16, 5]. The closest work to our method is that of Somé et al. [15]. Their algorithm introduces non-determinism into the constructed automaton. Moreover, many concepts such as "super states" (sup-states) and "characteristic conditions" are not formally defined, and allocating clocks and generating clock constraints and clock resets are not described formally. More importantly, the number of clocks in the constructed automaton is not optimal.
In contrast, our work clearly defines a set of criteria that a set of scenarios must meet in order to make the construction of a minimal, acyclic and deterministic timed automaton from the scenarios feasible. Moreover, we propose a method for optimally allocating clocks in the constructed timed automaton. Our timed automata belong to a class of timed automata that satisfies the following properties:
• A clock $t_j$ can be reset only on the transitions emanating from a state labelled $j$, and
• A clock in a clock constraint on a transition $r$ from a state $q$ can only refer to a clock that has been reset on a transition leaving a state that dominates $q$. We call this the dominance assumption.
It is well known that the number of clocks in a timed automaton has a direct impact on the verification of the system: the more clocks, the harder it is to verify the system modeled as a timed automaton. Moreover, as the number of clocks increases, the complexity of the system increases, and sometimes it becomes impossible to verify a system without approximation methods.
Given a timed automaton $A$, the problem of deciding whether there exists another timed automaton $B$ that accepts the same language as $A$ but has fewer clocks is undecidable [9]. However, for our class of timed automata, we propose an optimal clock allocation algorithm whose complexity is quadratic.
Given a timed automaton that belongs to our class, we use liveness analysis of clocks to determine the minimum number of clocks, and then use this result to optimally allocate clocks. Liveness analysis of clocks lets us reuse clocks: if two clocks have disjoint live ranges, we can substitute a single clock for both of them.
To show the effectiveness of our approach, we apply our synthesis and optimal clock allocation methods to several real-life examples.
2 Background
In this chapter, timed automata are presented with their syntax and semantics. Then a brief introduction to temporal logics, which are used for specifying and verifying properties of concurrent systems, is given. We also present a brief introduction to UPPAAL, a model checker for timed automata.
2.1 Background
A real-time system takes input from its surrounding environment and produces results within a stipulated amount of time. Temperature controllers, anti-lock braking systems and aircraft controllers are some examples of real-time systems. The correctness of such systems depends not only on the correctness of the output but also on the satisfaction of timing constraints; for example, the response of a program must be generated within a predefined amount of time. Thus, most systems used for mission-critical applications are real-time systems, where the response must be produced within a certain deadline, else the system is said to have failed.
In the real world, the behaviour of almost every system changes with time. For example, in a reactive system such as a controller, time is the most important factor to consider while modeling the behaviour of the controller. To model such real-time systems, Rajeev Alur and David L. Dill introduced the theory of timed automata by extending finite state automata with clock variables [2]. Before describing timed automata, we present a brief overview of different approaches for modeling time, finite state automata and ω-automata.
2.1.1 Modeling Time
There are three approaches for modeling time [2].
Discrete time model: Time is considered to be a monotonically increasing sequence of integers; that is, time is viewed as a discrete variable. For example, in a digital clock each tick can be associated with an integer value that increases by one at every step. This kind of model can easily be transformed into a formal language by inserting a silent event between the events, so that the time of occurrence of each event equals its position, thereby discarding the time sequence. But this in turn limits the precision with which real-time systems can be modeled, since not all events occur at integer times.
Fictitious-clock model: This is similar to the discrete time model except that the sequence of times is assumed to be non-decreasing integers. Even if the events occur at real-valued times, only the integer values with respect to a digital clock are recorded in the time trace. These models can be transformed into formal languages by representing time approximately. But this limits accuracy in modeling physical systems, as the exact times at which the events occur are not considered.
Dense time model: In this model, the domain of time is a dense set and the times of occurrence of events are real numbers, which increase monotonically without bound. Because dense time traces are hard to transform into formal languages, timed automata were developed for analysing such systems.
2.1.2 Finite State Automata
A finite state automaton (FSA) or finite state machine (FSM) is an abstract machine with a finite number of states. On an input symbol, the machine changes from one state to another; this is called a transition.
Definition (Finite State Automata): A finite state automaton is a 5-tuple $(Q, \Sigma, q_0, F, \delta)$ where
• $Q$ is a finite set of states,
• $\Sigma$ is a finite input alphabet,
• $q_0 \subseteq Q$ is the set of start states,
• $F \subseteq Q$ is the set of final states,
• $\delta : Q \times \Sigma \to Q$ is the transition function.
The set of final states $F$ may be empty ($\emptyset$), which means that the automaton has no accepting states.
2.1.3 ω-automata
An ω-automaton accepts infinite words. The language accepted by an ω-automaton is called an ω-language. An ω-language over a finite alphabet $\Sigma$ is a subset of $\Sigma^\omega$, the set of all infinite words over $\Sigma$.
Definition (ω-automata): An ω-automaton $A$ is a tuple $(S, S_0, \Sigma, E)$ where
• $S$ is a set of states,
• $S_0 \subseteq S$ is a set of start states,
• $\Sigma$ is a finite input alphabet,
• $E \subseteq S \times S \times \Sigma$ is a set of edges.
If there is a state change from $s$ to $s_1$ on input symbol $a$, it is represented as $(s, s_1, a)$, i.e., $(s, s_1, a) \in E$.
A run $r$ of $A$ over $\sigma = \sigma_1 \sigma_2 \sigma_3 \ldots$, where $\sigma_i \in \Sigma$ for $i \geq 1$, is
$$r : s_0 \xrightarrow{\sigma_1} s_1 \xrightarrow{\sigma_2} s_2 \xrightarrow{\sigma_3} \cdots$$
where $s_0 \in S_0$ and $(s_{i-1}, s_i, \sigma_i) \in E$ for all $i \geq 1$.
The set $\mathit{inf}(r)$ for such a run $r$ consists of those states $s \in S$ with $s = s_i$ for infinitely many $i \geq 0$. Different notions of acceptance are defined for ω-automata. We only consider Büchi and Muller automata [2].
Büchi Automaton: A Büchi automaton $A$ with a set $F \subseteq S$ of accepting states accepts exactly those runs $r$ for which $\mathit{inf}(r) \cap F$ is not empty, i.e., some accepting state occurs infinitely often in $r$.
Muller Automaton: A Muller automaton $A$ with an acceptance family $\mathcal{F} \subseteq 2^S$ accepts exactly those runs $r$ for which $\mathit{inf}(r) \in \mathcal{F}$.
2.1.4 Timed Automata
In automata theory, a timed automaton is a finite state automaton extended with a finite
set of real-valued clocks. During a run of a timed automaton, all clock values increase with
the same speed. The transition tables used in timed automata are timed transition tables
which read timed words. Upon a transition the selection of next state is based not only on
the input symbol but also on the time of the current symbol with respect to the formerly read
symbols. The time of the current symbol is stored in a clock variable and it is compared to
a time constant. Moreover, the clock values can be reset along those transitions.
Definition (Timed Automata): A timed automaton $A$ is a tuple $(\Sigma, S, S_0, C, E)$ [2] where
• $\Sigma$ is a finite alphabet,
• $S$ is a finite set of states,
• $S_0 \subseteq S$ is a set of start states,
• $C$ is a finite set called the clocks of $A$,
• $E \subseteq S \times S \times \Sigma \times 2^C \times \Phi(C)$ is a set of edges, called the transitions of $A$, where the set $\Phi(C)$ of boolean clock constraints $\delta$ is defined by
$$\delta := c \leq x \mid c \geq x \mid c = x \mid \neg\delta \mid \delta_1 \wedge \delta_2$$
where $c$ is a clock in $C$ and $x$ is a constant in the set $\mathbb{Q}$ of non-negative rationals.
A clock interpretation $v$ for a set $C$ of clocks assigns a real value to each clock; that is, it is a mapping from $C$ to $\mathbb{R}$.
An edge $(s, s', a, \lambda, \delta) \in E$ is a transition from state $s$ to $s'$ on input symbol $a$. $\lambda \subseteq C$ gives the clocks to be reset with this transition and $\delta$ is a clock constraint over $C$.
A timed sequence is an infinite sequence of time values $\tau = \tau_1 \tau_2 \ldots$ with $\tau_i \in \mathbb{R}$ and $\tau_i \geq 0$, satisfying:
1. Monotonicity: $\tau$ increases strictly monotonically, i.e., $\tau_{i+1} > \tau_i$ for all $i \geq 1$,
2. Progress: for all $t \in \mathbb{R}$ there is some $i \geq 1$ such that $\tau_i > t$.
Timed words are infinite sequences in which each symbol is associated with a real-valued time of occurrence. A timed word over an alphabet $\Sigma$ is a pair $(\sigma, \tau)$ where $\sigma = \sigma_1 \sigma_2 \ldots$ is an infinite word over $\Sigma$ and $\tau$ is a timed sequence.
A run $r$ of $A$ over a timed word $(\sigma, \tau)$ is of the form
$$r : \langle s_0, v_0 \rangle \xrightarrow[\tau_1]{\sigma_1} \langle s_1, v_1 \rangle \xrightarrow[\tau_2]{\sigma_2} \langle s_2, v_2 \rangle \xrightarrow[\tau_3]{\sigma_3} \cdots$$
where $s_i \in S$ and $v_i \in [C \to \mathbb{R}^+]$ for all $i \geq 0$, satisfying the following conditions:
• Initiation condition: $s_0 \in S_0$ and $v_0(x) = 0$ for all $x \in C$,
• Consecution condition: for all $i \geq 1$ there is an edge $(s_{i-1}, s_i, \sigma_i, \lambda_i, \delta_i) \in E$ such that $(v_{i-1} + \tau_i - \tau_{i-1})$ satisfies $\delta_i$ and $v_i$ equals $[\lambda_i \mapsto 0](v_{i-1} + \tau_i - \tau_{i-1})$, with $\tau_0 = 0$.
Example: Consider the alphabet $\{x, y\}$. The timed language $L_1$ consisting of all timed words $(\sigma, \tau)$ in which no $y$ occurs after 4 units of time is given by
$$L_1 = \{(\sigma, \tau) \mid \forall i.\ (\tau_i > 4) \rightarrow (\sigma_i = x)\}$$
Example: Consider the timed automaton of Figure 2.1.
Figure 2.1: Timed automaton
$(a, 2), (b, 2.7), (c, 2.8), (d, 5), \ldots$ is a timed word accepted by this automaton. An example of a run of the automaton over this timed word is
$$\langle s_0, [0, 0] \rangle \xrightarrow[2]{a} \langle s_1, [0, 2] \rangle \xrightarrow[2.7]{b} \langle s_2, [0.7, 0] \rangle \xrightarrow[2.8]{c} \langle s_3, [0.8, 0.1] \rangle \xrightarrow[5]{d} \langle s_4, [3, 2.3] \rangle \cdots$$
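As an added example (not code from the thesis), the following Python implements the run semantics defined above for a deterministic timed automaton: a clock interpretation is a map from clocks to exact rationals, guards follow the clock constraint grammar, and each step applies the consecution condition (advance all clocks by $\tau_i - \tau_{i-1}$, check the guard, reset $\lambda_i$). The two-clock automaton below is constructed so that its run over the timed word $(a, 2), (b, 2.7), (c, 2.8), (d, 5)$ reproduces the clock valuations quoted in the text; its guards and resets are my assumptions, since the edges of Figure 2.1 are not reproduced here.

```python
from fractions import Fraction

# Clock constraints follow the grammar  delta := c <= x | c >= x | c = x | not delta | delta1 and delta2,
# encoded as nested tuples: ("le", c, x), ("ge", c, x), ("eq", c, x), ("not", d), ("and", d1, d2, ...).
TRUE = ("and",)  # the empty conjunction, always satisfied


def satisfies(v, delta):
    """True iff clock interpretation v (dict clock -> Fraction) satisfies constraint delta."""
    tag = delta[0]
    if tag == "le":
        return v[delta[1]] <= delta[2]
    if tag == "ge":
        return v[delta[1]] >= delta[2]
    if tag == "eq":
        return v[delta[1]] == delta[2]
    if tag == "not":
        return not satisfies(v, delta[1])
    if tag == "and":
        return all(satisfies(v, d) for d in delta[1:])
    raise ValueError(f"unknown constraint {delta!r}")


def run(automaton, timed_word):
    """Run a deterministic timed automaton over a finite prefix of a timed word.

    automaton  = (clocks, initial_state, edges) with edges (s, s', a, resets, guard).
    timed_word = [(symbol, time), ...] with strictly increasing times (monotonicity).
    Returns the run as a list of (state, valuation) pairs, or None if at some step
    no edge is enabled, i.e. the prefix is rejected.
    """
    clocks, state, edges = automaton
    v = {c: Fraction(0) for c in clocks}            # initiation: every clock starts at 0
    trace = [(state, dict(v))]
    prev_time = Fraction(0)
    for i, (symbol, time) in enumerate(timed_word):
        time = Fraction(time)
        if i > 0 and time <= prev_time:
            raise ValueError("timed sequence must be strictly increasing")
        # All clocks advance at the same rate: v_{i-1} + (tau_i - tau_{i-1}).
        advanced = {c: v[c] + (time - prev_time) for c in clocks}
        enabled = [e for e in edges
                   if e[0] == state and e[2] == symbol and satisfies(advanced, e[4])]
        if not enabled:
            return None
        if len(enabled) > 1:
            raise ValueError(f"automaton is not deterministic at {state} on {symbol}")
        _, state, _, resets, _ = enabled[0]
        # Consecution: v_i = [resets -> 0](v_{i-1} + tau_i - tau_{i-1}).
        v = {c: (Fraction(0) if c in resets else advanced[c]) for c in clocks}
        trace.append((state, dict(v)))
        prev_time = time
    return trace


# Constructed two-clock automaton (an assumption, not Figure 2.1 itself). The guards are
# chosen so that the run over the word from the text yields the valuations quoted there.
AUTOMATON = (
    ["x", "y"],
    "s0",
    [
        ("s0", "s1", "a", {"x"}, TRUE),                              # reset x on a
        ("s1", "s2", "b", {"y"}, TRUE),                              # reset y on b
        ("s2", "s3", "c", set(), ("le", "x", Fraction(1))),          # c only while x <= 1
        ("s3", "s4", "d", set(), ("not", ("le", "y", Fraction(2)))), # d only once y > 2
    ],
)

WORD = [("a", "2"), ("b", "2.7"), ("c", "2.8"), ("d", "5")]


def example_run():
    """Run of AUTOMATON over the word from the text; returns the (state, valuation) trace."""
    return run(AUTOMATON, WORD)


if __name__ == "__main__":
    for state, v in example_run():
        print(state, [str(v[c]) for c in ("x", "y")])
```

Using Fraction rather than float keeps the valuations exact, so a guard such as $y \leq 2$ evaluated at $2.3$ or $x \leq 1$ evaluated at $0.8$ behaves as in the definition rather than as floating-point rounding dictates. Changing the time of c to 4 makes $x = 2$ at that step, no edge is enabled, and the function returns None, the rejected case.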
2.1.5 Model Checking
Model checking is a technique for automatically verifying concurrent systems with a finite number of states [4]. The process of model checking involves three steps: modeling, specification and verification. Modeling is the process of transforming a given system design into a formal model accepted by a model checking tool. Then the set of properties that the model should satisfy is specified in some temporal logic. To verify whether a given system satisfies the specification, the model checker performs an exhaustive search of the system's state space. If the system does not satisfy a given specification, the tool generates an error trace that helps determine the cause of the error.
9
Temporal Logic:
Temporal logic is a formalism used for specifying the properties of concurrent systems, such as reactive systems that respond to external events [4]. For these systems, correctness depends not only on the inputs and outputs but also on when those inputs and outputs occur. Temporal logics are useful because they let us describe the ordering of events in time without introducing time explicitly into the system. Depending on whether time is assumed to be linear or branching, temporal logics are classified into two types: Linear Temporal Logic (LTL) and Computation Tree Logic (CTL).
Kripke Structure:
A Kripke structure is a labelled state-transition graph in which each state is mapped to the set of propositions that hold in that state. An atomic proposition is a statement that is true or false in a state. Let $AP$ be a set of atomic propositions.
Definition (Kripke Structure): A Kripke structure is a 4-tuple $M = (S, I, R, L)$ where
• $S$ is a finite set of states,
• $I \subseteq S$ is a set of initial states,
• $R \subseteq S \times S$ is a transition relation, where $(s, s') \in R$ if there is a transition from $s$ to $s'$ in $M$,
• $L : S \to 2^{AP}$ is a labelling function from the set of states to the power set of atomic propositions.
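As an added example (not from the thesis), the following Python carries out the verification step described above for the simplest kind of specification, an invariant $G\,\neg\mathit{bad}$ (a labelled error state is never reached): it explores the reachable state space of a Kripke structure exhaustively and, when the property fails, returns the shortest error trace from an initial state, which is what a model checker reports as a counterexample. The Kripke structure itself is constructed here to mimic a small PIN check and is an assumption, not a model taken from the thesis.

```python
from collections import deque

# Constructed Kripke structure M = (S, I, R, L) for a small PIN check (an assumption for this
# example). Atomic propositions: "card" (card inserted), "verified", "error" (account locked).
STATES = {"idle", "card_in", "pin_ok", "pin_bad", "locked"}
INIT = {"idle"}
TRANS = {
    ("idle", "card_in"), ("card_in", "pin_ok"), ("card_in", "pin_bad"),
    ("pin_bad", "card_in"), ("pin_bad", "locked"), ("pin_ok", "idle"), ("locked", "idle"),
}
LABELS = {
    "idle": set(), "card_in": {"card"}, "pin_ok": {"card", "verified"},
    "pin_bad": {"card"}, "locked": {"error"},
}
KRIPKE = (STATES, INIT, TRANS, LABELS)


def successors(rel):
    """Adjacency lists (sorted, so traversal order is deterministic) from the relation R."""
    succ = {}
    for s, t in rel:
        succ.setdefault(s, []).append(t)
    return {s: sorted(ts) for s, ts in succ.items()}


def check_globally_not(kripke, bad):
    """Check the invariant G(not bad) by exhaustive breadth-first search of the state space.

    Returns None if no reachable state carries the label `bad`; otherwise a shortest path
    (the error trace) from an initial state to a violating state.
    """
    states, init, rel, label = kripke
    succ = successors(rel)
    parent = {s: None for s in sorted(init)}   # doubles as the visited set
    queue = deque(sorted(init))
    while queue:
        s = queue.popleft()
        if bad in label[s]:
            trace = []
            while s is not None:               # walk the parent links back to an initial state
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for t in succ.get(s, []):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None


def reachable(kripke):
    """The set of states reachable from the initial states: the space the search explores."""
    states, init, rel, label = kripke
    succ = successors(rel)
    seen, stack = set(init), list(init)
    while stack:
        s = stack.pop()
        for t in succ.get(s, []):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


if __name__ == "__main__":
    print(check_globally_not(KRIPKE, "error"))   # the error trace idle -> card_in -> pin_bad -> locked
```

For this structure the invariant $G\,\neg\mathit{error}$ fails, and the returned trace shows the wrong PIN path that leads to the locked state; a property about a label no state carries holds vacuously and yields None. Real model checkers such as UPPAAL do the same search symbolically, over clock zones rather than plain states.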
Temporal operators:
In a labelled state transition system (e.g., a Kripke structure), a computation tree represents the paths starting from each of the initial states. The temporal logics we discuss here do not mention time explicitly. Instead we use formulas that specify, for instance, that eventually some state is reached or that some error state is never reached. Temporal operators are the special operators used to describe properties like eventually or never [4]. The temporal operators are as follows.
• X (neXt time) specifies that a property holds in the next state of the path,
• F (Future) specifies that a property eventually holds at some future state in the path,
• G (Globally) specifies that a property holds at each and every state in the path,
• U (Until) specifies that the first property holds on every preceding state in the path until the second property becomes true at some state in the path,
• R (Release) specifies that the second property holds at every state in the path up to and including the state at which the first property holds.
Future, Globally, and Until can alternatively be denoted as follows:
F: $\Diamond$
G: $\Box$
U: $\mathcal{U}$
The temporal operators $\Box$ and $\Diamond$ can be combined to form new temporal operators as follows:
• $\Box\Diamond\varphi$: infinitely often $\varphi$
• $\Diamond\Box\varphi$: eventually forever $\varphi$
Linear Temporal Logic:
In Linear Temporal Logic (LTL) time is considered to be linear. There may be infinitely many states but, at any point in time, there is a unique successor. Let $a$ be an atomic proposition; the syntax of LTL [1] is given by
$$\varphi ::= a \mid (\varphi \wedge \varphi) \mid (\neg\varphi) \mid (X\,\varphi) \mid (\varphi\ U\ \varphi)$$
2.1.6 UPPAAL
UPPAAL is a popular model checking tool for timed automata [11]. It is widely used for automatically verifying properties of real-time systems and is pertinent in areas where timing details are critical, for example controllers. UPPAAL verifies reachability, safety and bounded liveness properties of systems modeled as networks of timed automata. The tool was the first of its kind developed for model checking timed automata.
Figure 2.2: Overview of UPPAAL.
System descriptions, represented as networks of timed automata, can be defined using a textual (.ta) format or a graphical (.atg) format. Descriptions in the graphical format are automatically compiled to the textual representation by the atg2ta compiler. UPPAAL can also be used for analysing a certain type of hybrid automata called linear hybrid automata; a linear hybrid automaton is converted to timed automata using the hs2ta translator. The checkta program performs syntax checking: it checks whether the clocks, variables and channels are consistent with the given declarations. The program verifyta performs the model checking in UPPAAL. It also generates a diagnostic trace whenever the system fails to satisfy a property, making it easy to debug.
3 Synthesis of Timed Automata from Scenarios
Our contributions are as follows:
1. Synthesis of timed automata from a set of scenarios and
2. Optimally allocating clocks for the constructed timed automata
Our first contribution involves developing and implementing an algorithm for construct-
ing a timed automaton from a set of scenarios. The second contribution involves an algo-
rithm for reducing the number of clocks in the constructed automaton.
We use a variant of an Automated Teller Machine (ATM) as a running example to explain scenarios and our synthesis method. In its initial state, the ATM waits for a user to insert a bank card. Once the card is inserted, the user can either cancel the transaction within 4 seconds or enter the PIN within 5 to 60 seconds. If the transaction is cancelled, the ATM ejects the card within 2 to 3 seconds and returns to its initial state. Once the user enters the PIN, the ATM requests the bank to verify it. If the PIN is correct, the ATM displays the menu to the user within 5 seconds. If the PIN is incorrect, the ATM asks for the PIN again; the user has three attempts to enter the correct PIN, after which the ATM ejects the card and returns to its initial state. After the menu is displayed, the user can choose from the available options, e.g., deposit or withdrawal. For a withdrawal, the user enters the amount to withdraw; the bank then verifies the user details and returns a success message if the details are correct. Similarly, for a deposit the user enters the amount to deposit into the account and the ATM returns a success message if the deposit has been successful.
3.1 Formal Description of Mode Graphs and Timed Event Sequences
All the definitions and algorithms in this section are taken directly from [13].
3.1.1 Mode Graph
A mode graph is a deterministic state machine whose states are called modes and whose transitions from one mode to another are triggered by the events in the system. Formally, a mode graph is a tuple $\mathcal{M} = (M, m_0, m_f, \Sigma, T)$, where $M$ is a finite set of modes, $m_0$ is the initial mode, $m_f$ is the final mode (which can be identical to $m_0$), $\Sigma$ is a set of events, and $T : M \times \Sigma \to M$ is a transition function. A triple $(m_i, e_k, m_j)$ represents a transition between two modes $m_i$ and $m_j$ on an event $e_k$.
In the mode graph of Figure 3.1 there are fifteen different modes. $m_0$ (card-not-inserted) is both the initial mode and the final mode. The event enter-pin triggers the transition from card-inserted to pin-entered, and is represented as (card-inserted, enter-pin, pin-entered).
For any two modes $m_i$ and $m_j$, $m_i$ is said to be a dominating mode of $m_j$ iff all paths from the initial mode to $m_j$ in the mode graph pass through $m_i$ [12]. We call this the dominance relation and denote it as $m_i\ \mathrm{DOM}\ m_j$. The same relation extends to events: an event $e$ is dominated by mode $m_i$ iff $m_j$ is the source mode of $e$ and $m_i\ \mathrm{DOM}\ m_j$. For example, in the mode graph of Figure 3.1, the mode card-inserted is a dominating mode of pin-entered, and the event request-data-from-bank is dominated by all the modes which dominate the mode user-verified.
A clock variable $t_i$, chosen from a set of clock variables $V = \{t_1, t_2, \ldots\}$, indicates the time of leaving mode $m_i$. If the mode $m_i$ is part of a cycle, then $t_i$ indicates the time of the first event occurrence at mode $m_i$.
3.1.2 Timed Event Sequences
The scenarios describing the partial behaviours of a real-time system are expressed formally in the form of Timed Event Sequences (TES). A TES contains
1. the initial mode of the scenario,
2. the final mode of the scenario,
3. a sequence of events and their corresponding time annotations.
Each event in a TES represents an interaction between the system and the user, an interaction between the environment and the system, or an internal action within the system. A TES is meaningless without a mode graph.
Given a mode graph $\mathcal{M} = (M, m_0, m_f, \Sigma, T)$, a Timed Event Sequence $\tau$ is denoted by a tuple $\langle m_{initial}, \Psi, m_{final} \rangle$, where $m_{initial}$ and $m_{final}$ are the initial and final modes of the TES and $\Psi = [\psi_1, \psi_2, \ldots, \psi_n]$ is a non-empty sequence of timed events of the form $(e_i, \Gamma_i)$, where $e_i \in \Sigma$ and $\Gamma_i$ is the set of time annotations corresponding to event $e_i$. A time annotation is of the form $W - t_j \bowtie a$, where $W$ is the wall clock time, $t_j$ is a time variable from $V$, $\bowtie \in \{\leq, >, <, \geq, =\}$ and $a \in \mathbb{Q}$. In $W - t_j \bowtie a$, $t_j$ is the time of leaving a mode $m_j$ such that $m_j\ \mathrm{DOM}\ m_i$, where $m_i$ is the source mode of $e_i$. We call this the dominance assumption; it ensures that the time variables are well-defined. That is, a time variable can be used in a time annotation on a transition only if that time variable is defined on every path to that transition.
Figure 3.1: Mode Graph for ATM. Modes: m0 card-not-inserted, m1 card-inserted, m2 pin-entered, m3 incorrect-pin-entered, m4 user-verified, m5 waiting-for-bank, m6 menu-displayed, m7 cancelled, m8 withdraw-option, m9 deposit-option, m10 withdraw-amount, m11 deposit-amount, m12 details-verified, m13 amount-withdrawed, m14 amount-deposited. Events: insert-card, enter-pin, cancel, incorrect-pin, return-card, correct-pin, request-data-from-bank, display-menu, withdraw, deposit, enter-amount, verify-details, successful.
For a TES $\tau$, $\mathit{initial\_mode}(\tau) = m_{initial}$, $\mathit{final\_mode}(\tau) = m_{final}$ and $\mathit{events}(\tau) = \Psi$. The set $\mathit{modes}(\tau)$ is the set of modes that can be reached from $\mathit{initial\_mode}(\tau)$ by performing some non-empty contiguous sequence of events in $\tau$.
Figure 3.2: A mode graph and a scenario satisfying the dominance assumption. The mode graph has modes $m_0, \ldots, m_6$ and events $a, \ldots, g$. The scenario is: $m_{initial} : m_0$; $(a, \{\})$; $(d, \{W - t_0 < 3\})$; $(e, \{W - t_1 > 1\})$; $(f, \{\})$; $(g, \{W - t_0 > 3,\ W - t_1\ [\text{operator illegible}]\ 3\})$; $m_{final} : m_6$.
Figure 3.2 shows a mode graph and a scenario in which the dominance assumption is satisfied. The initial mode of the mode graph is $m_0$ and the final mode is $m_6$. The modes $m_0$, $m_1$ and $m_3$ are dominating modes of $m_6$, and transition $g$ is dominated by all the modes that dominate $m_3$. Notice that there are two paths from the initial mode to the final mode. The clocks $t_0$ and $t_1$ on transition $g$ refer to the modes $m_0$ and $m_1$ respectively, which are dominating modes of $m_3$.
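As an added example (not code from the thesis), the following Python computes the DOM relation of a mode graph as the classic dominator fixpoint and then checks a TES against the dominance assumption: every time variable $t_j$ used in an annotation on an event must name a mode $m_j$ that dominates the event's source mode. The mode graph is an ATM-style graph built from the mode names of Figure 3.1; its edge list is my reading of the ATM description at the start of this chapter and is an assumption, not a verbatim copy of the figure. The TES checked is Scenario 2 of Figure 3.3, reduced to the time variables of its annotations.

```python
# ATM-style mode graph. Mode names follow Figure 3.1; the edges are reconstructed from the
# prose description of the ATM in this chapter (an assumption, not a copy of the figure).
MODES = ["m%d" % i for i in range(15)]
EDGES = [  # (source mode, event, target mode); T is a function, so (source, event) is unique
    ("m0", "insert-card", "m1"), ("m1", "enter-pin", "m2"), ("m1", "cancel", "m7"),
    ("m2", "incorrect-pin", "m3"), ("m3", "enter-pin", "m2"), ("m3", "return-card", "m0"),
    ("m2", "correct-pin", "m4"), ("m4", "request-data-from-bank", "m5"),
    ("m5", "display-menu", "m6"), ("m6", "cancel", "m7"), ("m7", "return-card", "m0"),
    ("m6", "withdraw", "m8"), ("m6", "deposit", "m9"), ("m8", "enter-amount", "m10"),
    ("m10", "verify-details", "m12"), ("m12", "successful", "m13"), ("m13", "return-card", "m0"),
    ("m9", "enter-amount", "m11"), ("m11", "successful", "m14"), ("m14", "return-card", "m0"),
]


def dominators(modes, edges, m0):
    """DOM relation as a map mode -> set of modes lying on every path from m0 to it (itself included).

    Standard iterative dataflow: Dom(m0) = {m0}; Dom(m) = {m} ∪ ⋂ Dom(p) over predecessors p,
    starting from the full set of modes and shrinking until nothing changes.
    """
    preds = {m: set() for m in modes}
    for src, _, dst in edges:
        preds[dst].add(src)
    dom = {m: set(modes) for m in modes}
    dom[m0] = {m0}
    changed = True
    while changed:
        changed = False
        for m in modes:
            if m == m0:
                continue
            if preds[m]:
                new = {m} | set.intersection(*(dom[p] for p in preds[m]))
            else:
                new = {m}          # unreachable from m0: only trivially dominated by itself
            if new != dom[m]:
                dom[m] = new
                changed = True
    return dom


def check_dominance_assumption(modes, edges, m0, tes):
    """Replay a TES on the mode graph and report annotations that violate the dominance assumption.

    tes = (m_initial, [(event, {time variables}), ...], m_final); a time variable 'tj' refers
    to the time of leaving mode 'mj'. Returns a list of (event, variable) pairs whose mode does
    not dominate the source mode of the event, i.e. variables not defined on every path there.
    """
    dom = dominators(modes, edges, m0)
    step = {(src, ev): dst for src, ev, dst in edges}
    m_initial, events, m_final = tes
    current, violations = m_initial, []
    for event, variables in events:
        if (current, event) not in step:
            raise ValueError(f"event {event!r} is not legal in mode {current}")
        for tj in variables:
            mj = "m" + tj[1:]                     # t4 -> m4
            if mj not in dom[current]:
                violations.append((event, tj))
        current = step[(current, event)]
    if current != m_final:
        raise ValueError(f"TES ends in {current}, not in its declared final mode {m_final}")
    return violations


# Scenario 2 of Figure 3.3, keeping only the time variables of each annotation.
SCENARIO_2 = ("m0", [
    ("insert-card", set()), ("enter-pin", {"t0"}), ("correct-pin", set()),
    ("request-data-from-bank", set()), ("display-menu", {"t4"}),
], "m6")

# Constructed counterexample: display-menu refers to t3 (incorrect-pin-entered), but m3 is
# not on the direct path m0 m1 m2 m4 m5, so t3 would be undefined on that path.
SCENARIO_BAD = ("m0", [
    ("insert-card", set()), ("enter-pin", {"t0"}), ("correct-pin", set()),
    ("request-data-from-bank", set()), ("display-menu", {"t3", "t4"}),
], "m6")

if __name__ == "__main__":
    print(sorted(dominators(MODES, EDGES, "m0")["m6"]))
    print(check_dominance_assumption(MODES, EDGES, "m0", SCENARIO_2))   # []
    print(check_dominance_assumption(MODES, EDGES, "m0", SCENARIO_BAD)) # [('display-menu', 't3')]
```

The fixpoint handles the enter-pin / incorrect-pin cycle between m2 and m3 without special treatment: m3 is excluded from the dominators of m2 because the edge m1 to m2 bypasses it, which is exactly why an annotation on display-menu may refer to $t_4$ but not to $t_3$.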
Figure 3.3: Two TES corresponding to the ATM machine
TES of Scenario 1:
$m_{initial}$: card-not-inserted
(insert-card, $\{\}$)
(enter-pin, $\{W - t_0 \geq 5,\ W - t_0 \leq 60\}$)
(incorrect-pin, $\{\}$)
(re-enter-pin, $\{W - t_0 \geq 5,\ W - t_0 \leq 60\}$)
(correct-pin, $\{\}$)
(request-data-from-bank, $\{\}$)
(display-menu, $\{W - t_4 \leq 5\}$)
$m_{final}$: menu-displayed
TES of Scenario 2:
$m_{initial}$: card-not-inserted
(insert-card, $\{\}$)
(enter-pin, $\{W - t_0 \geq 5,\ W - t_0 \leq 60\}$)
(correct-pin, $\{\}$)
(request-data-from-bank, $\{\}$)
(display-menu, $\{W - t_4 \leq 5\}$)
$m_{final}$: menu-displayed
The TES of Scenario 1 in Figure 3.3 describes the behaviour of an ATM in which the user enters an incorrect PIN in the first attempt and then enters the correct PIN. In the TES of Scenario 2 the user enters the correct PIN in the very first attempt. In Scenario 1, the ATM waits in its initial mode card-not-inserted until a user inserts the card. The user inserts the card at time $t_0$, and then the system requests the PIN. The user enters the PIN at a time $W$ such that the difference between the two events insert-card and enter-pin ($W - t_0$) is within $[5, 60]$ seconds. Upon receiving the PIN, the system reports that it is incorrect, and the user then enters the correct PIN. The user is verified at time $t_4$ and the menu is displayed to the user within 5 seconds, i.e., $W - t_4 \leq 5$.
3.2 Generating Timed Automata from Scenarios
Our goal is to generate a deterministic timed automaton with a minimal number of states from a given mode graph and a set of scenarios expressed as TES. The synthesis method consists of two algorithms:
1. The first algorithm takes a set of TES and a mode graph as input and constructs a graph with states, transitions and time annotations.
2. The second algorithm takes the time annotated graph generated by the previous algorithm as input and assigns clocks, clock resets and clock constraints to transitions.
To construct a deterministic timed automaton with a minimal number of states, the timed automaton should have one initial state, only one transition should be triggered at any given time, and the timed automaton should be connected. A connected timed automaton is one in which every state is reachable from the initial state and there exists a path from every state to the final state.
We introduce four criteria that a set of $n$ TES must satisfy in order to make generation of such an automaton feasible. A set of scenarios expressed as TES that complies with these criteria is said to be complete.
Given a mode graph $\mathcal{M}$ with set of modes $M$, initial mode $m_0$, final mode $m_f$, an alphabet and transition relation $T$, a set of TES is complete if:
1. For every TES in the set, either its initial mode is $m_0$, or the set contains a sequence of $j$ TES whose last element is that TES such that:
• the initial mode of the first TES in the sequence is $m_0$,
• for each $k$ with $1 < k \le j$, the initial mode of the $k$-th TES belongs to $\mathit{modes}$ of the $(k-1)$-th TES.
2. For every TES in the set, either its final mode is $m_f$, or the set contains a sequence of $j$ TES whose first element is that TES such that:
• the final mode of the $j$-th TES is $m_f$,
• for each $k$ with $1 < k \le j$, the final mode of the $(k-1)$-th TES belongs to $\mathit{modes}$ of the $k$-th TES.
3. Every TES in the set is compatible with $\mathcal{M}$: for each TES whose event sequence is $e_1 e_2 \ldots e_n$, there is a partial run $s_1 \xrightarrow{e_1} s_2 \xrightarrow{e_2} s_3 \cdots \xrightarrow{e_n} s_{n+1}$ of $\mathcal{M}$.
4. All TES in the set are compatible with each other: if two TES contain the same transition (between the same two modes), then the time annotations corresponding to the transition in both TES should not be mutually exclusive (which is easy to check, given the restricted form of constraints).
3.2.1 Constructing a Time Annotated Graph from Scenarios
Let $P$ be a set of atomic propositions, strings, etc. A time annotated graph is a tuple of the form $G = (E, Q, q_0, q_f, R, L)$ where:
• $E$ is a finite alphabet,
• $Q$ is a set of states,
• $q_0$ is the initial state,
• $q_f$ is the final state,
• $R \subseteq Q \times Q \times E \times 2^{\mathrm{Ann}(V)}$ is a set of transitions of the form $(q, q', a, \cdot)$ whose last component is a set of time annotations over $V$ (here $\mathrm{Ann}(V)$ stands for the time annotations over $V$),
• $L$ is a function from $Q$ to labels over $P$, mapping each state to a label.
Given a mode graph $\mathcal{M}$ and a set of $k$ Timed Event Sequences as inputs, Algorithm 1 synthesizes a time annotated graph (TAG) $G$ [13]. The algorithm starts with an empty TAG $G_0$ and builds a partial graph $G_1$ using the first scenario. The algorithm repeatedly takes a partially built graph $G_k$ and the next scenario ($1 < k < n$) and generates a new partial graph $G_{k+1}$. During the construction of $G_{k+1}$ a decision has to be made on whether to create new states and transitions. This is resolved with the help of state labels (modes). A new state $s$ is created and labelled with a mode $m_j$ if there is an event $e$ from state $q$ such that $L(q) = m_i$ and $(m_i, e, m_j) \in T$. New states and transitions are generated and added to the graph $G_{k+1}$ if the transitions of the scenario cannot be simulated on the existing graph.
The graph constructed by Algorithm 1 has the following properties:
1. It is acyclic, as we do not introduce a transition from a state to its previous states.
2. Its graph is connected, because the input set of TES is complete.
Algorithm 1: Building states and transitions with time annotations from scenarios
Input : A mode graph M (modes M, initial mode m0, final mode mf, alphabet, transition relation T) and a complete set of n TES
Output: Time-annotated graph Gn = ⟨En, Qn, q0, qf, Rn, Ln⟩
k := 0; Ek := ∅; Qk := ∅; Rk := ∅; Lk := ∅;
foreach Timed Event Sequence i = ⟨m_initial(i), step_1 step_2 ... step_l, m_final(i)⟩ in the input set do
    Ek+1 := Ek; Qk+1 := Qk; Rk+1 := Rk; Lk+1 := Lk;
    // Find or create the first state for this scenario:
    if there is a state s such that L(s) = m_initial(i) then
        sc := the earliest such state; // "earliest": see property (3) below
    else
        create a new state s;
        Qk+1 := Qk+1 ∪ {s};
        add label m_initial(i) to state s: Lk+1 := {(s, m_initial(i))} ∪ Lk+1;
        sc := s; // sc always indicates the current source state.
    // Find or create the other states:
    foreach step_j of the form (e, ann), where (m, e, m′) ∈ T do
        if there is a transition of the form r = (sc, q, e, ann′) in Rk+1 and L(sc) = m and L(q) = m′ then
            ann″ := ann ∧ ann′; // see criterion 4 for completeness of scenarios
            Rk+1 := (Rk+1 \ {r}) ∪ {(sc, q, e, ann″)};
            sc := q;
        else
            Ek+1 := Ek+1 ∪ {e};
            if there is no state q ∈ Qk+1 such that L(q) = m′ and q is not a predecessor of sc then
                create a new state q;
                Qk+1 := Qk+1 ∪ {q};
                add label m′ to state q: Lk+1 := {(q, m′)} ∪ Lk+1;
                create a new transition: r := (sc, q, e, ann);
            else
                choose the earliest state q such that L(q) = m′ and q is not a predecessor of sc; // "earliest": see property (3) below
                create a new transition r := (sc, q, e, ann);
            Rk+1 := {r} ∪ Rk+1;
            sc := q;
    k := k + 1;
qf := f, where f is the state with no outgoing transitions; // property (4)
3. By construction, two states have the same label only if one is a predecessor of the other. We create a new state with the same label only to avoid introducing a transition from a state to its predecessor.
4. There must be at least one state with no outgoing transitions, because the graph is finite.
5. The graph is deterministic: we add a new transition only if it does not already exist from state $s$.
6. The graph is minimal, because:
• We do not add additional states if the state with mode information $m_i$ already exists. We only add one when the addition of a new transition would create a cycle.
• In case of multiple existing states, we choose the state that was created first.
7. After construction, every scenario is a partial run of the constructed graph.
8. Every path in the final graph is identical to a path of the mode graph, because our algorithm adds a new state or transition based on the mode and transition information in the mode graph.
Given the two TES of Figure 3.3, the time annotated graph synthesized by Algorithm 1 is shown in Figure 3.4.
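As an added example (not code from the thesis), the following Python runs Algorithm 1 on the two ATM scenarios of Figure 3.3; the mode graph and the treatment of scenario 1's re-enter-pin step are assumptions stated in the comments.

```python
# Added example, not the thesis's own code: Algorithm 1 applied to the two ATM
# scenarios of Figure 3.3. The mode graph below is reconstructed from
# Figures 3.1 and 3.4 (an assumption), and scenario 1's re-enter-pin step is
# taken as the enter-pin transition from m3 back to a mode labelled m2, which
# is how Figure 3.4 draws it. A TES is (initial mode, steps, final mode).

# Mode graph transition relation T: (mode, event) -> successor mode.
MODE_GRAPH_T = {
    ("m0", "insert-card"): "m1",
    ("m1", "enter-pin"): "m2",
    ("m2", "incorrect-pin"): "m3",
    ("m3", "enter-pin"): "m2",
    ("m2", "correct-pin"): "m4",
    ("m4", "request-data-from-bank"): "m5",
    ("m5", "display-menu"): "m6",
}
# A time annotation "W - tj <op> a" is the tuple (tj, op, a).
PIN_WINDOW = frozenset({("t0", ">=", 5), ("t0", "<=", 60)})
MENU_DELAY = frozenset({("t4", "<=", 5)})
NONE = frozenset()
SCENARIO_1 = ("m0", [("insert-card", NONE), ("enter-pin", PIN_WINDOW),
                     ("incorrect-pin", NONE), ("enter-pin", PIN_WINDOW),
                     ("correct-pin", NONE), ("request-data-from-bank", NONE),
                     ("display-menu", MENU_DELAY)], "m6")
SCENARIO_2 = ("m0", [("insert-card", NONE), ("enter-pin", PIN_WINDOW),
                     ("correct-pin", NONE), ("request-data-from-bank", NONE),
                     ("display-menu", MENU_DELAY)], "m6")


def predecessors(trans, state):
    """States with a path to `state`, plus `state` itself (a self-loop is a
    cycle as well, so the state is excluded from reuse too)."""
    seen, stack = {state}, [state]
    while stack:
        cur = stack.pop()
        for src, dst, _event, _ann in trans:
            if dst == cur and src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


def build_tag(mode_graph, scenarios):
    """Algorithm 1. Returns (labels, trans, q0, qf): labels maps each state to
    its mode label L(q) in creation order (so dict order = "earliest"), trans
    is R as a list of [src, dst, event, set-of-annotations]."""
    labels, trans = {}, []

    def new_state(mode):
        name = f"S{len(labels)}"
        labels[name] = mode
        return name

    for m_init, steps, _m_final in scenarios:
        # Find or create the first state: the earliest one labelled m_init.
        starts = [q for q in labels if labels[q] == m_init]
        sc = starts[0] if starts else new_state(m_init)
        for event, ann in steps:
            m_next = mode_graph[(labels[sc], event)]   # (m, e, m') in T
            existing = [t for t in trans if t[0] == sc and t[2] == event
                        and labels[t[1]] == m_next]
            if existing:
                # The step is simulated by an existing transition: conjoin
                # the annotations (criterion 4 makes them compatible).
                existing[0][3] |= set(ann)
                sc = existing[0][1]
                continue
            # Reuse the earliest state labelled m_next, unless that would
            # introduce an edge back to a predecessor of sc (a cycle).
            preds = predecessors(trans, sc)
            reuse = [q for q in labels if labels[q] == m_next and q not in preds]
            q = reuse[0] if reuse else new_state(m_next)
            trans.append([sc, q, event, set(ann)])
            sc = q

    q0 = next(iter(labels))
    # Property (4): at least one state has no outgoing transitions; qf is that state.
    sinks = [q for q in labels if not any(t[0] == q for t in trans)]
    return labels, trans, q0, sinks[0]


if __name__ == "__main__":
    labels, trans, q0, qf = build_tag(MODE_GRAPH_T, [SCENARIO_1, SCENARIO_2])
    for src, dst, event, ann in trans:
        print(f"{src}[{labels[src]}] --{event} {sorted(ann)}--> {dst}[{labels[dst]}]")
```

Running it reproduces the eight states and eight transitions of Figure 3.4, including the second state labelled m2 that avoids the cycle from S3 back to S2.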
3.2.2 Constructing a Timed Automaton from Time Annotated Graph
After the time annotated graph is generated in the first step, we have to assign clock resets and clock constraints to the transitions to convert the time annotated graph to a timed automaton.
Figure 3.4: Time annotated graph synthesized from the two TES in Figure 3.3. States with mode labels: S0[m0], S1[m1], S2[m2], S3[m3], S4[m2], S5[m4], S6[m5], S7[m6]. Transitions: S0 →insert-card→ S1; S1 →enter-pin [$W - t_0 \ge 5$, $W - t_0 \le 60$]→ S2; S2 →incorrect-pin→ S3; S3 →enter-pin [$W - t_0 \ge 5$, $W - t_0 \le 60$]→ S4; S4 →correct-pin→ S5; S5 →request-data-from-bank→ S6; S6 →display-menu [$W - t_4 \le 5$]→ S7; and S2 →correct-pin→ S5 (from scenario 2).
The three steps required to convert the constructed time annotated graph to a timed
automaton are:
1. Determining the required number of clocks,
2. Adding clock resets,
3. Replacing the time annotations with the clock constraints.
Algorithm 2 performs the three steps mentioned above. During the execution of the algorithm, each transition of the graph is visited twice. In the first visit, a clock variable is mapped to each time variable that occurs in the transition's time annotations. That is, a clock variable $c_j$ is assigned to a time variable $t_j$ on a transition if the transition has a time annotation comparing $W - t_j$ with a constant $a$. At the end of the first visit, we have a list of all the clock variables mapped to their corresponding time variables. During the second visit of the graph, the algorithm adds clock constraints and clock resets to the transitions wherever applicable. For example, if there is a time annotation $W - t_0 > 5$ on a transition $r_1$, then the clock constraint $c_0 > 5$ is added to $r_1$. That is, clock $c_0$ replaces the time variable $t_0$ in the time annotation. Because of our dominance assumption, whenever a time annotation on $W - t_j$ appears on a transition $r$, every path that leads to the transition $r$ must have already passed through a state labelled $m_j$. So the clock variable $c_j$ mapped to $t_j$ is initialized or reset before it is used on the transition $r$. Hence the clock $c_j$ is well-defined at $r$.
The timed automaton generated by applying Algorithm 2 to the time annotated graph
of Figure 3.4 is shown in Figure 3.5.
Figure 3.5: Timed automaton constructed from the time annotated graph in Figure 3.4. The states S0 to S7 and the transitions are those of Figure 3.4, with the time annotations replaced by clock operations: insert-card [$c_0 := 0$]; enter-pin [$c_0 \ge 5$, $c_0 \le 60$] (both occurrences); incorrect-pin; correct-pin (both occurrences); request-data-from-bank [$c_4 := 0$]; display-menu [$c_4 \le 5$].
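Added example, not the thesis's code: Algorithm 2 over the time annotated graph of Figure 3.4 (entered as data), followed by a check of the well-definedness property that the text derives from the dominance assumption.

```python
# Added example, not the thesis's own code: Algorithm 2 applied to the time
# annotated graph of Figure 3.4, written out here as data, followed by a check
# of the well-definedness argument in the text (every clock read on a
# transition has been reset on every path from q0 to it). Time variable tj
# refers to the mode mj in which it was taken, so the clock mapped to tj is
# reset on every transition leaving a state labelled mj.

TAG_LABELS = {"S0": "m0", "S1": "m1", "S2": "m2", "S3": "m3",
              "S4": "m2", "S5": "m4", "S6": "m5", "S7": "m6"}
PIN_WINDOW = (("t0", ">=", 5), ("t0", "<=", 60))   # annotations as (tj, op, a)
TAG_TRANS = [  # (source, target, event, time annotations)
    ("S0", "S1", "insert-card", ()),
    ("S1", "S2", "enter-pin", PIN_WINDOW),
    ("S2", "S3", "incorrect-pin", ()),
    ("S3", "S4", "enter-pin", PIN_WINDOW),
    ("S4", "S5", "correct-pin", ()),
    ("S2", "S5", "correct-pin", ()),
    ("S5", "S6", "request-data-from-bank", ()),
    ("S6", "S7", "display-menu", (("t4", "<=", 5),)),
]


def tag_to_timed_automaton(labels, trans):
    """Algorithm 2. Returns (C, transitions): C is the set of clocks and each
    transition is (src, dst, event, resets, guards) with guards as
    (clock, op, a), i.e. the annotation with tj replaced by its clock."""
    ca = {}                      # clock assignments: time variable -> clock
    # First visit: map a clock cj to every time variable tj that occurs.
    for _s, _q, _e, ann in trans:
        for tj, _op, _a in ann:
            ca.setdefault(tj, "c" + tj[1:])
    # Second visit: reset ci on transitions leaving mi; rewrite annotations.
    delta = []
    for s, q, e, ann in trans:
        ti = "t" + labels[s][1:]          # the time variable taken in mode L(s)
        resets = {ca[ti]} if ti in ca else set()
        guards = [(ca[tj], op, a) for tj, op, a in ann]
        delta.append((s, q, e, resets, guards))
    return set(ca.values()), delta


def guards_well_defined(delta, q0):
    """True iff on every path from q0 each guard reads a clock that was reset
    on an earlier transition of that path (a guard is evaluated before the
    resets of its own transition). The graph is acyclic, so the search over
    (state, clocks reset so far) terminates without a visited set."""
    out = {}
    for t in delta:
        out.setdefault(t[0], []).append(t)
    stack = [(q0, frozenset())]
    while stack:
        state, reset_so_far = stack.pop()
        for _s, q, _e, resets, guards in out.get(state, []):
            if any(c not in reset_so_far for c, _op, _a in guards):
                return False
            stack.append((q, reset_so_far | resets))
    return True


if __name__ == "__main__":
    clocks, delta = tag_to_timed_automaton(TAG_LABELS, TAG_TRANS)
    print("clocks:", sorted(clocks))
    for s, q, e, resets, guards in delta:
        print(f"{s} --{e} resets={sorted(resets)} guards={guards}--> {q}")
    print("guards well-defined:", guards_well_defined(delta, "S0"))
```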
Algorithm 2: Generating clock operations from a time annotated graph
Input : A time-annotated graph G = ⟨E, Q, q0, qf, R, L⟩
Output: A timed automaton A = ⟨E, Q, {q0}, {qf}, C, trans⟩
// "W − tj ⋈ a" below stands for a time annotation comparing W − tj with a constant a.
C := ∅; // the set of clocks
trans := ∅; // the set of transitions
ca := ∅; // the set of clock assignments
foreach transition r = (s, q, e, ann) ∈ R do
    foreach time annotation W − ti ⋈ a ∈ ann do
        if (ti, ci) ∉ ca then
            generate a new clock ci;
            C := C ∪ {ci};
            ca := ca ∪ {(ti, ci)};
foreach transition r = (s, q, e, ann) ∈ R do
    resets := ∅; // set of clocks to be reset on this transition
    constraints := ∅; // set of clock constraints on this transition
    if (ti, ci) ∈ ca and L(s) = mi then
        resets := {ci};
    foreach time annotation W − tj ⋈ a ∈ ann do
        constraints := constraints ∪ {cj ⋈ a}, where (tj, cj) ∈ ca;
    ra := (s, q, e, resets, constraints);
    trans := trans ∪ {ra};
4 Optimal Clock Allocation of Timed Automata
All the algorithms, definitions, lemmas and theorems along with their proofs appearing in this section are taken directly from [14].
In this section, we consider the problem of optimally allocating clocks to timed au-
tomata. The timed automaton constructed as a result of the synthesis method belongs to the
class of timed automata that satisfies these properties:
1. The automaton has a unique initial state $s_0$, and every state is reachable from $s_0$;
2. A clock constraint on a transition $r$ can only refer to the times of transitions from states that dominate the transition $r$; we call this the dominance assumption;
3. A clock $t_j$ can only be reset on a transition leaving a state $s$ whose label is $j$, that is, $L(s) = j$.
The dominance assumption guarantees that if a clock $t_j$ is used in a constraint on some transition $r$, then $t_j$ is well-defined on all the paths from the initial state to $r$. We also assume that at most one clock can be reset on a transition. This assumption follows from property (3) above, as clock $t_j$ can only be reset on a transition leaving the state labelled $j$. The timed automaton of Figure 4.3 satisfies the properties mentioned above.
Reducing the number of clocks in a timed automaton is crucial, as it directly affects the complexity of the verification problem. Given a timed automaton, it is undecidable to check whether there exists another timed automaton that accepts the same language but has fewer clocks [9]. We propose an optimal clock allocation algorithm for the class of timed automata that satisfies the aforementioned properties. Our method does not change the graph of the original timed automaton. Moreover, the cost of our algorithm is quadratic in the size of the graph. The proposed algorithm reduces the number of clocks in a timed automaton without checking the satisfiability of clock constraints.
Our algorithm performs liveness analysis of clocks to determine, on every transition, which clocks are active. With the help of liveness analysis we can decide which clocks are no longer required and can be reused. A single new clock can be used to replace multiple clocks only if the liveness ranges of those old clocks are disjoint, that is, the clock ranges do not share a transition. Consider the timed automaton of Figure 4.1. There are three clock resets [$t_0 := 0$, $t_2 := 0$, $t_4 := 0$] on transitions $r_0$, $r_2$ and $r_4$ and three clock constraints [$t_0 < 2$, $t_2 < 2$, $t_4 < 2$] on transitions $r_1$, $r_3$ and $r_5$ respectively. Clock $t_0$ is never used after transition $r_1$. So $t_0$ can be re-allocated and re-assigned. Similarly $t_2$ is never used after $t_4$ is reset. In this automaton, all three clocks can be replaced by a single clock, e.g., $c_0$. The resulting automaton is shown in Figure 4.2.
Given a timed automaton $\mathcal{A}$, to transform it to an equivalent timed automaton $\mathcal{A}'$ with a minimal number of clocks, we need to perform the following steps in order:
1. Calculate the liveness ranges of clocks in the timed automaton $\mathcal{A}$,
2. Replace the original clocks in $\mathcal{A}$ with a set of new clocks,
3. Rewrite the clock constraints and clock resets in $\mathcal{A}$ in terms of the new clock variables.
Figure 4.1: A simple timed automaton (states S0 to S6 in sequence, with transitions r0: S0→S1 [t0 := 0], r1: S1→S2 [t0 < 2], r2: S2→S3 [t2 := 0], r3: S3→S4 [t2 < 2], r4: S4→S5 [t4 := 0], r5: S5→S6 [t4 < 2])
Figure 4.2: A simple optimally allocated timed automaton (the same states and transitions with r0 [c0 := 0], r1 [c0 < 2], r2 [c0 := 0], r3 [c0 < 2], r4 [c0 := 0], r5 [c0 < 2])
4.1 Liveness Analysis of Clocks
Liveness analysis of clocks is performed by Algorithm 3. Before presenting the algorithm, we introduce some terms and definitions.
Let $\mathcal{A} = (E, Q, \{q_0\}, Q_f, V, R, L)$ be the timed automaton and $r = (s, s', e, \mathit{resets}_r, \mathit{constraints}_r) \in R$ be a transition, where $\mathit{resets}_r$ is the set of clocks reset on $r$ and $\mathit{constraints}_r$ is the set of clock constraints on $r$; we write $t_j \bowtie a$ for a clock constraint comparing $t_j$ with a constant $a$. Let $N = \{\, j \mid t_j \bowtie a \in \mathit{constraints}_r \ \vee\ t_j \in \mathit{resets}_r, \text{ for some } r \in R \,\}$ be the set of clock numbers, i.e., the subscripts of the clocks on all the transitions in $R$. For a path $p = r_1 \ldots r_k$ we define $\mathit{transitions}(p) = \{r_1, \ldots, r_k\}$. The following functions are used to calculate the liveness ranges.
• $\mathit{clock\_ref} : R \to 2^N$ maps transition $r$ to the set $\{\, j \mid t_j \bowtie a \in \mathit{constraints}_r \,\}$. Intuitively, $\mathit{clock\_ref}(r)$ is the set of clocks referred to in the clock constraints on $r$.
• $\mathit{born} : R \to 2^N$ maps transition $r$ to the set $\{\, j \mid t_j \in \mathit{resets}_r$ and there exists a path $r r_1 \ldots r_k$, $k \ge 1$, such that $j \in \mathit{clock\_ref}(r_k) \,\}$. Intuitively, $\mathit{born}(r)$ identifies a clock that is reset on $r$ whose value can be used on some transition reachable from $r$.
• $\mathit{active} : R \to 2^N$ maps transition $r$ to the set $\{\, j \mid$ there is a path $r r_1 \ldots r_k$, $k \ge 1$, such that $j \in \mathit{clock\_ref}(r_k) \,\}$. Intuitively, $\mathit{active}(r)$ identifies clocks that are "alive" on $r$ (i.e., their values may be subsequently used). Notice that $\mathit{born}(r) \subseteq \mathit{active}(r)$.
• $\mathit{needed} : R \to 2^N$ maps transition $r$ to $\mathit{active}(r) \cup \mathit{clock\_ref}(r)$.
If there are any cycles in the graph then transitions $r$ and $r_k$ can be the same in the born and active definitions.
Both $\mathit{active}$ and $\mathit{needed}$ are important for liveness analysis as they help us determine which clocks can be reused in the target timed automaton ($\mathcal{A}'$).
Figure 4.3: A timed automaton satisfying the dominance assumption (states S0 to S7; transitions r0: S0→S1 [t0 := 0], r1: S1→S2 [t1 := 0], r2: S1→S3 [t1 := 0], r3: S2→S4 [guard on t1 with bound 2], r4: S3→S5 [guard on t1 with bound 2], r5: S4→S6, r6: S5→S6, r7: S6→S7 [guard on t0 with bound 5])
Definition 1. A path $p = r_0 \ldots r_n$ is a path for clock $t_j$ iff $\mathit{born}(r_0) = \{j\}$ and $j \in \mathit{needed}(r_i)$ for $0 \le i \le n$.
In the automaton of Figure 4.3, there are two paths for clock $t_0$: $r_0 r_1 r_3 r_5 r_7$ and $r_0 r_2 r_4 r_6 r_7$, and two paths for clock $t_1$: $r_1 r_3$ and $r_2 r_4$.
Definition 2. $\mathit{range} : N \times R \to 2^R$ maps $(j, r)$ to $\{\, r' \mid r' \in \mathit{transitions}(p)$, where $p$ is a path for clock $t_j$ that starts at $r \,\}$. Intuitively, the range of $t_j$, where $j \in \mathit{born}(r)$, is the set of all transitions that belong to all the paths for clock $t_j$ that begin at $r$.
In the automaton of Figure 4.3, clock $t_1$ will not be used on any path reachable from $r_3$ or $r_4$. So the range of $t_1$ ends at $r_3$ and $r_4$.
Given a timed automaton $\mathcal{A}$, Algorithm 3 determines the liveness ranges of the clocks in the automaton. It is a fixpoint iteration algorithm whose complexity is quadratic in the number of edges. It constructs an intermediate automaton which is an extension of $\mathcal{A}$ wherein each transition is of the form $(r, \mathit{born}(r), \mathit{active}(r))$. For instance, in the automaton of Figure 4.3, transition $r_1$ will be extended to $(r_1, \mathit{born} = \{1\}, \mathit{active} = \{0, 1\})$. Similarly, for transition $r_7$ the extended transition will be $(r_7, \mathit{born} = \emptyset, \mathit{active} = \emptyset)$.
Algorithm 3: Building the liveness ranges for clocks
Input : A timed automaton A = ⟨E, Q, {q0}, Qf, V, R, L⟩.
Output: An extended timed automaton Ae = ⟨E, Q, {q0}, Qf, V, Re, L⟩, where Re is the set of extended transitions.
Re := ∅;
foreach transition r = (s, q, e, resets, constraints) ∈ R in A do
    born(r) := active(r) := ∅;
repeat
    foreach transition r = (s, q, e, resets, constraints) ∈ R in A do
        foreach ro ∈ out(q) do
            active(r) := active(r) ∪ ((active(ro) ∪ clock_ref(ro)) \ born(ro));
        if L(s) = j and j ∈ active(r) then
            born(r) := {j};
        Re := Re ∪ {(r, born(r), active(r))};
until there were no changes;
The following lemma can be formulated from the above definitions.
Lemma 1. For a timed automaton $\mathcal{A}$ with its set of states $Q$, we have
$\forall q \in Q\ \ \forall r_i, r_k \in \mathit{in}(q):\ \mathit{active}(r_i) = \mathit{active}(r_k)$.
Proof. Assume $j \in \mathit{active}(r_i)$. Therefore there is a transition $r$ in $\mathit{out}(q)$ such that $j \in \mathit{needed}(r)$ (i.e., $t_j$ is referenced in $r$ or one of its successors). But $r$ can be reached from $r_k$, therefore $j \in \mathit{active}(r_k)$. The rest of the proof follows from symmetry.
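Added example, not the thesis's code: Algorithm 3 on the automaton of Figure 4.3, together with the Lemma 1 check and the range(j, r) function of Definition 2; the edge structure of Figure 4.3 is taken from the paths for t0 and t1 listed in the text.

```python
# Added example, not the thesis's own code: Algorithm 3 (liveness analysis)
# run on the timed automaton of Figure 4.3, plus the Lemma 1 check and the
# range(j, r) function of Definition 2. Clock subscripts are plain integers
# (t0 -> 0); the edge structure follows the two paths for t0 and t1 named in
# the text. born(r) is computed from the reset carried by r, which by
# property (3) is the same as testing L(s) = j for the source s of r.

# r: (source, target, clock numbers reset on r, clock_ref(r))
FIG_4_3 = {
    "r0": ("S0", "S1", {0}, set()),
    "r1": ("S1", "S2", {1}, set()),
    "r2": ("S1", "S3", {1}, set()),
    "r3": ("S2", "S4", set(), {1}),
    "r4": ("S3", "S5", set(), {1}),
    "r5": ("S4", "S6", set(), set()),
    "r6": ("S5", "S6", set(), set()),
    "r7": ("S6", "S7", set(), {0}),
}


def liveness(transitions):
    """Fixpoint iteration of Algorithm 3. Returns {r: (born(r), active(r))}."""
    out = {}                                     # out(s): transitions leaving s
    for name, (src, _q, _resets, _ref) in transitions.items():
        out.setdefault(src, []).append(name)
    born = {r: set() for r in transitions}
    active = {r: set() for r in transitions}
    changed = True
    while changed:                               # repeat ... until no changes
        changed = False
        for r, (_s, q, resets, _ref) in transitions.items():
            new_active = set(active[r])
            for ro in out.get(q, []):
                new_active |= (active[ro] | transitions[ro][3]) - born[ro]
            new_born = {j for j in resets if j in new_active}
            if new_active != active[r] or new_born != born[r]:
                active[r], born[r], changed = new_active, new_born, True
    return {r: (born[r], active[r]) for r in transitions}


def needed(transitions, ext, r):
    """needed(r) = active(r) ∪ clock_ref(r)."""
    return ext[r][1] | transitions[r][3]


def incoming_active_agree(transitions, ext):
    """Lemma 1: all transitions entering the same state have equal active sets."""
    by_target = {}
    for r, (_s, q, _resets, _ref) in transitions.items():
        by_target.setdefault(q, set()).add(frozenset(ext[r][1]))
    return all(len(sets) == 1 for sets in by_target.values())


def clock_range(transitions, ext, j, r):
    """range(j, r) of Definition 2: every transition on some path for tj that
    starts at r. Such a path starts where born(r) = {j} and can be extended
    only through transitions on which j is still needed."""
    if ext[r][0] != {j}:
        return set()
    result, stack = set(), [r]
    while stack:
        cur = stack.pop()
        if cur in result or j not in needed(transitions, ext, cur):
            continue
        result.add(cur)
        q = transitions[cur][1]
        stack.extend(name for name, t in transitions.items() if t[0] == q)
    return result


if __name__ == "__main__":
    ext = liveness(FIG_4_3)
    for r in FIG_4_3:
        print(r, "born =", ext[r][0], "active =", ext[r][1])
```

The fixpoint yields the extended transitions quoted in the text, (r1, born = {1}, active = {0, 1}) and (r7, born = ∅, active = ∅), and range(1, r1) = {r1, r3} shows where the range of t1 ends.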
4.2 Clock Allocation
The liveness analysis algorithm generates the extended transitions of the original automaton. In the extended automaton, each transition has the born and active values associated with it. From here on, by transitions we refer to the extended transitions. After finding the liveness ranges of clocks, we use those ranges to reuse the clocks and minimize the number of clocks in the final automaton $\mathcal{A}'$. Our method to minimize the number of clocks based on liveness ranges revolves around one idea: a clock can be reused once its active range has ended, and it cannot be reused on a transition that belongs to the active range of that clock.
To understand the clock allocation algorithm and its properties, we introduce the fol-
lowing terminology:
Let $A$, $B$ and $C$ be sets and let $r \subseteq A \times B \times C$. The relation $r$ can be applied to an argument $a \in A$ by using the operator ".": $r.a = \{\,(b, c) \mid (a, b, c) \in r\,\}$. Similarly, for $b \in B$, $r.a.b = \{\, c \mid (a, b, c) \in r \,\}$. The application operator associates to the left.
If, for every $(a, b) \in A \times B$, $r.a.b$ is either a singleton or the empty set, then $r$ is a function of two arguments: $r : A \times B \to C$.
We assume $P'$ to be a set of new clock variables, disjoint from $V$, with $|P'| = |R|$. That is because the number of clocks in a timed automaton $\mathcal{A}$ can at most be equal to the number of transitions in $\mathcal{A}$, since there is at most one reset per transition.
Definition 3. Given a timed automaton $\mathcal{A}$ with the set $R$ of (extended) transitions and the set $N$ of clock numbers, a clock allocation for $\mathcal{A}$ is a relation $\mathit{alloc} \subseteq R \times P' \times N$ such that $(r, c, j) \in \mathit{alloc} \Rightarrow j \in \mathit{active}(r)$.
The presence of a tuple $(r, c, j) \in \mathit{alloc}$ implies that on transition $r$, the old clock $t_j$ will be replaced with the new clock $c$ in the final automaton.
Definition 4. A clock allocation $\mathit{alloc}$ is inconsistent iff there exist two overlapping paths for some clock $t_j$, $p$ and $p'$ (which need not be different), some $c \in P'$ and $r_k, r_l \in \mathit{transitions}(p) \cup \mathit{transitions}(p')$ such that
$j \in \mathit{active}(r_k) \ \wedge\ j \in \mathit{active}(r_l) \ \wedge\ (r_k, c, j) \in \mathit{alloc} \ \wedge\ (r_l, c, j) \notin \mathit{alloc}$.
$\mathit{alloc}$ is consistent iff it is not inconsistent.
Definition 5. A clock allocation $\mathit{alloc}$ is correct if:
• $\mathit{alloc}$ is a function, i.e., $\mathit{alloc} : R \times P' \to N$;
• $\mathit{alloc}$ is consistent.
If the tuple $(r, c, j) \in \mathit{alloc}$, this means that clock $c$ is associated with clock $t_j$ and clock $t_j$ is active on transition $r$.
Definition 6. A clock allocation is lean if it is an injective function.
After allocating the clocks, a new clock $c$ on transition $r$ is not associated with more than one old clock.
Definition 7. The clock allocation $\mathit{alloc}$ is complete iff, for every transition $r \in R$ and every $j \in \mathit{active}(r)$, there is a clock $c \in P'$ such that $(r, c, j) \in \mathit{alloc}$.
Observation 1. Let $\mathcal{A}$ be a timed automaton with the set of transitions $R$, and let $\mathit{alloc}$ be a complete, correct and lean clock allocation. Then the following holds:
$\forall r \in R:\ |\mathit{alloc}.r| = |\mathit{active}(r)|$.
Definition 8. We define the number of clocks used in an allocation by:
$\mathit{cost}(\mathit{alloc}) = |\{\, c \in P' \mid \exists r \in R\ \exists j \in N:\ (r, c, j) \in \mathit{alloc} \,\}|$.
Definition 9. Let $\mathcal{A}$ be a timed automaton and let $\mathit{alloc}$ be a complete correct clock allocation for $\mathcal{A}$. The allocation $\mathit{alloc}$ is optimal if there is no complete correct allocation $\mathit{alloc}'$ for $\mathcal{A}$ such that $\mathit{cost}(\mathit{alloc}') < \mathit{cost}(\mathit{alloc})$.
Theorem 1. Given a timed automaton $\mathcal{A}$ with the set of states $Q$ and a correct complete clock allocation $\mathit{alloc}$, the following holds:
$\forall s \in Q\ \ \forall r_i, r_k \in \mathit{in}(s):\ \mathit{alloc}.r_i = \mathit{alloc}.r_k$.
Proof. $\mathit{alloc}.r_i = \mathit{alloc}.r_k$ is equivalent to
$\forall j \in N\ \ \forall c \in P':\ \big((r_i, c, j) \in \mathit{alloc} \Leftrightarrow (r_k, c, j) \in \mathit{alloc}\big)$.
Let $j$ and $c$ be such that $(r_i, c, j) \in \mathit{alloc}$. This implies that $j \in \mathit{active}(r_i)$. But then, from Lemma 1, we have $j \in \mathit{active}(r_k)$. Therefore there is some $r \in \mathit{out}(s)$ such that both $r_i r$ and $r_k r$ belong to paths for clock $t_j$ (because $j$ is needed at $r$). Since the paths overlap at $r$, from consistency of $\mathit{alloc}$ we must have $(r_k, c, j) \in \mathit{alloc}$. The rest of the proof follows from symmetry.
In the timed automaton of Figure 4.3, $\mathit{alloc} = \{(r_0, c_0, 0), (r_1, c_0, 0), (r_2, c_0, 0), (r_3, c_0, 0), (r_4, c_0, 0), (r_5, c_0, 0), (r_6, c_0, 0), (r_1, c_1, 1), (r_2, c_1, 1)\}$ is an example of a clock allocation for the automaton.
Before presenting our clock allocation algorithm, we explain a situation which needs special care in order for the clock allocation in the final automaton to be consistent. In Figure 4.5, clock $t_j$ is initialized on all transitions originating at $s$. But transitions $r_1$ and $r_3$ meet at state $q$ and transitions $r_2$ and $r_4$ meet at state $n$. If clock $t_j$ is assigned a different clock on each transition originating from $s$, then the $\mathit{alloc}$ values of all incoming transitions of states $q$ and $n$ will be different (Theorem 1 does not hold). So the states $q$ and $n$ are problematic states. The clock allocation should be such that the same clock is assigned to $j$ on all the outgoing transitions of state $s$ that lead to the same problematic state $q$.
Definition 10. $\mathit{Ranges} : N \to 2^{2^R}$ maps $j$ to $\{\, \mathit{range}(j, r) \mid j \in \mathit{born}(r) \,\}$. Intuitively, $\mathit{Ranges}(j)$ is the set of all the ranges for clock $t_j$.
Definition 11. Given a clock $t_j$, we define $\mathit{rel}_j = \{\, (a, b) \in \mathit{Ranges}(j) \times \mathit{Ranges}(j) \mid a \cap b \neq \emptyset \,\}$.
The relation $\mathit{rel}_j$ is reflexive and symmetric; $\mathit{rel}_j^{*}$ is its transitive closure.
Definition 12. Let $j \in N$ and $a \in \mathit{Ranges}(j)$. We define $\mathit{Rel}(j, a) = \{\, b \in \mathit{Ranges}(j) \mid a \ \mathit{rel}_j^{*}\ b \,\}$.
One can think of $\mathit{Rel}(j, a)$ as the set of ranges to which range $a$ for clock $t_j$ is directly or indirectly "related". The ranges are related because they share some transitions, so on all of these ranges $t_j$ must be represented by the same clock. Naturally, $b \in \mathit{Rel}(j, a)$ implies $\mathit{Rel}(j, a) = \mathit{Rel}(j, b)$.
Definition 13. Let $j \in N$ and $a \in \mathit{Ranges}(j)$. The set $\{\, r \in \bigcup_{S \in \mathit{Rel}(j, a)} S \mid j \in \mathit{active}(r) \,\}$ will be called a family for $t_j$.
Figure 4.4: A timed automaton with problematic states and families (schematic: transitions r1 to r4 leave state s, on which clock tj is initialized; states q and n are reached from them and need tj on their outgoing transitions, r5 among them)
Figure 4.5: A timed automaton with problematic states (schematic: transitions r1 to r4 leave state s, on which clock tj is initialized; r1 and r3 meet at state q and r2 and r4 meet at state n, both of which need tj)
Let there be two transitions $r_i, r_k$ from a state $S$ such that $L(S) = j$, i.e., $\mathit{born}(r_i) = \{j\}$ and $\mathit{born}(r_k) = \{j\}$. These two transitions belong to the same family $F$ if there is a state $S_p$ such that $S_p$ is reachable from $r_i$ and $r_k$ and clock $j$ is needed in the outgoing transitions of $S_p$. Thus $S_p$ is a problematic state. In Figure 4.4, transitions $r_2$ and $r_4$ belong to the same family and the state $q$ is a problematic state. In Figure 4.5, transitions $r_1$ and $r_3$ should belong to one family and transitions $r_2$ and $r_4$ should belong to the same family. Thus, $r_1$ and $r_3$ should be assigned the same clock, and $r_2$ and $r_4$ should be assigned the same clock.
Observation 2. Let $F$ be a family for some clock $t_j$, and let $\mathit{alloc}$ be a complete correct allocation. Then there must exist a clock variable $c \in P'$ such that $\mathit{alloc}.r.c = \{j\}$ for every transition $r \in F$ such that $j \in \mathit{active}(r)$. Otherwise $\mathit{alloc}$ would be inconsistent. We say that $c$ is allocated to $F$.
Observation 3. The number of families to which a transition $r$ belongs is $|\mathit{active}(r)|$.
Proof. Assume the number of families to which transition $r$ belongs is $n$. Therefore, there are exactly $n$ families for different clocks that share transition $r$ (two families for the same clock cannot share $r$, or they would be the same family). Since a family for some clock $t_j$ has the property that $j$ is active on all the transitions of the family, it follows that $\mathit{active}(r)$ contains exactly one element for each of the $n$ families.
Definition 14. Two families, $F_1$ and $F_2$, belong to the same cluster iff $F_1 \cap F_2 \neq \emptyset$. A cluster $cl$ is a maximal set of such families, i.e., every family outside $cl$ does not overlap with at least one of the families in $cl$.
We say transition $r$ belongs to cluster $cl$ if there is a family $F \in cl$ such that $r \in F$.
Observation 4. Every family in a cluster must be allocated a different clock.
In the automaton of Figure 4.3, all the transitions belong to one cluster, and there are 2 families in the cluster: for clock $t_0$, $\{r_0, r_1, r_2, r_3, r_4, r_5, r_6\}$, and for clock $t_1$, $\{r_1, r_2\}$.
Definition 15. The size of a cluster is the cardinality of the set of families that form the cluster.
Theorem 2. Let $\mathcal{A}$ be a timed automaton and $\mathit{alloc}$ be a complete correct allocation for $\mathcal{A}$. Then $\mathit{cost}(\mathit{alloc})$ cannot be smaller than the size of the largest cluster in $\mathcal{A}$.
Proof. This is a direct consequence of Observations 2 and 4.
Before a detailed presentation of our clock allocation algorithm, we introduce two functions that are used in the algorithm.
• $\mathit{reachable} : Q \to 2^Q$ maps state $q$ to the set of states that are reachable from $q$ by some non-empty path.
• $\mathit{reachable\_from} : Q \to 2^Q$ maps state $q$ to the set of states from which it can be reached by some non-empty path.
In the automaton of Figure 4.3, $\mathit{reachable}(s_1) = \{s_2, s_3, s_4, s_5, s_6, s_7\}$ and $\mathit{reachable\_from}(s_6) = \{s_0, s_1, s_2, s_3, s_4, s_5\}$.
All the new clocks are taken from the pool of new clock variables $P'$.
The algorithm to optimally allocate a timed automaton is a sequence of procedures. We invoke the procedure compute-allocation with the automaton obtained from Algorithm 3 and the set of available clocks in the pool $P'$. Each state is tagged as Unseen, Seen or Visited. Initially all states are Unseen. When we visit a state for the first time, we try to annotate all its immediate successors. Once all its successors are annotated, the state becomes Seen. The state is tagged Visited if all its successors have been annotated and it is Seen. We start visiting the states from the initial state and then explore all the paths reachable from it. Starting from the initial state explores the complete automaton, because we assume that every state is reachable from the initial state.
All the transitions emerging from a state ($\mathit{out}(s)$) are grouped into mother and other transitions. A transition $r \in \mathit{out}(s)$ is a mother transition iff some $j \in \mathit{born}(r)$, i.e., $\mathit{mothers} = \{\, r \in \mathit{out}(s) \mid \mathit{born}(r) \neq \emptyset \,\}$. All the other transitions are grouped into $\mathit{others} = \{\, r \in \mathit{out}(s) \mid \mathit{born}(r) = \emptyset \,\}$. For example, in the automaton of Figure 4.3, $r_0$, $r_1$ and $r_2$ are mother transitions, whereas $r_3$, $r_4$, $r_5$, $r_6$ and $r_7$ are other transitions. The partition of transitions into mothers and others helps us to handle problematic states (if they exist).
If there is a problematic state $s$, then a clock $t_j$ on all the transitions in $\mathit{reachable\_from}(s)$ should be assigned the same (new) clock $c$. A clock $c$ is picked such that it is the smallest clock available in the pool of clocks $P'$. We partition all the transitions leading to a problematic state into a set of groups using the procedure partition-into-a-set-of-groups. All the transitions belonging to a group will be assigned the same clock $c$ for a clock $t_j$. Initially, we add all the mothers in $\mathit{out}(q)$ (the set of all transitions emanating from $q$) into a group. Then for each state $s$ reachable from $\mathit{target}(r)$ (the state at which $r$ ends), we check if $L(q) \in \mathit{active}(\mathit{in}(s))$, where $\mathit{in}(s)$ is the set of all incoming transitions of $s$. If yes, then we add all such states into a set of problematic states $PP$. All the states in the set $PP$ which can be reached from more than two mother transitions are tagged as problematic states.
After the complete execution of the procedures compute-allocation, annotate, visit, annotate-immediate-successors-of, propagate, partition-into-a-set-of-groups and find-clock, each state of the target automaton has the following information:
• set of available clocks,
• set of clock assignments of the form $(c, i)$. The tuple $(c, i)$ implies that a new clock $c$ has been assigned to the old clock $t_i$ in the target automaton.
During the execution of the algorithm, at each step, we annotate a state with all the available clocks in the pool and the clock assignments. We then carry forward those annotations to all the successors of the state. At each state, we check if any clock range has ended and then update the clock pool $P'$ and assignments accordingly. A clock $c$ on a transition $r$ is freed and added back to the pool if there is an assignment $(c, j)$ such that $(c, j) \in \mathit{assignments}(q)$ but $j \notin \mathit{active}(r_i)$ where $r_i \in \mathit{out}(q)$.
The runtime complexity of the algorithm is quadratic in the size of the graph. The only heavy operation is due to the routine partition-into-a-set-of-groups, wherein, for each transition $r \in \mathit{mothers}$, the routine looks up to $|Q|$ states to partition them. There are at most $|R|$ transitions and we look up each transition in $\mathit{mothers}$ only once.
Procedure compute-allocation(timed automaton Ae, set of clocks P′)
Input : An extended timed automaton Ae = ⟨E, Q, {q0}, Qf, V, Re, L⟩ and the initial pool of available clocks, P′.
Output: An extended timed automaton A′e = ⟨E, Qe, {q0}, Qf, V, Re, L⟩, where Qe = Q × 2^P′ × 2^(P′ × N).
foreach state s ∈ Q do
    Set the status of s to Unseen;
annotate(q0, P′, ∅);
visit(q0);

Procedure annotate(state q, set of clocks p, set of assignments a)
// Invoked only when the status of q is Unseen.
pool(q) := p;
assignments(q) := a;
Set the status of q to Seen;

Procedure visit(state q)
// Invoked only when the status of q is Seen or Visited.
if status of q is not Visited then
    Set the status of q to Visited;
    annotate-immediate-successors-of(q);
    foreach r ∈ out(q) do
        visit(target(r));

Procedure annotate-immediate-successors-of(state q)
Partition out(q) into mothers and others;
foreach r ∈ others do
    if status of target(r) is Unseen then
        propagate(q, r, ∅);
    // Otherwise target(r) is already properly annotated
if mothers ≠ ∅ then
    Groups := partition-into-a-set-of-groups(q, mothers);
    foreach group ∈ Groups do
        c := find-clock(q, group);
        foreach r ∈ group do
            // The target of r is Unseen (by the dominance assumption).
            propagate(q, r, {c});

Procedure propagate(state q, transition r, set of clocks sc)
// q is the source of r. Propagate pool(q) and assignments(q) to target(r), taking into account that some clock ranges may end on r.
// If sc is not empty, it must be a singleton: in that case assign its member to clock number L(q).
// Invoked only when the target of r is Unseen.
freed_assignments := {(d, j) | (d, j) ∈ assignments(q) ∧ j ∉ active(r)};
freed_clocks := {d | (d, j) ∈ freed_assignments};
tmp_pool := pool(q) ∪ freed_clocks;
tmp_assignments := assignments(q) \ freed_assignments;
if sc ≠ ∅ then
    tmp_pool := tmp_pool \ sc;
    tmp_assignments := tmp_assignments ∪ {(c, L(q))}, where c ∈ sc;
annotate(target(r), tmp_pool, tmp_assignments);
Procedure partition-into-a-set-of-groups(state q, set of transitions mothers)
mother_targets := {target(r) | r ∈ mothers};
// Initially, each mother is in its own group.
Groups := ∅;
foreach r ∈ mothers do
    Groups := Groups ∪ {{r}};
PP := ∅; // potentially problematic states
foreach r ∈ mothers do
    foreach s ∈ reachable(target(r)) do
        if L(q) ∈ active(r′), where r′ is an arbitrary transition of in(s) then
            PP := PP ∪ {s};
// Those states in PP that can be reached from more than one mother are the problematic states.
foreach s ∈ PP do
    targets := reachable_from(s) ∩ mother_targets;
    Merge those members of Groups that contain transitions whose target is in targets;
return Groups;

Procedure find-clock(state q, set of transitions group)
// Find a clock for L(q) on transitions in group.
live_on_entry := {j | (c, j) ∈ assignments(q)};
dying_all := ⋂_{r ∈ group} (live_on_entry \ active(r));
// The set of clocks whose liveness ranges end in all the transitions in group:
released_all := {c | (c, j) ∈ assignments(q) ∧ j ∈ dying_all};
available := released_all ∪ pool(q);
Return the clock variable with the smallest number in available;

The following theorems hold for the algorithm:
Theorem 3. The computed allocation is correct and lean.
Proof. Observe that all the paths for a clock $t_j$ begin at the same state. The initial transitions of these paths, i.e., the "mother" transitions, are partitioned into groups. The "mother" transitions belonging to a group are exactly the initial transitions of a family for $t_j$. The algorithm associates some clock with a group: the association is propagated to all the transitions of the paths for $t_j$ that begin in the group, therefore there is no pair of transitions that satisfies the definition of inconsistency.
When some clock $c$ is assigned to $j$ on the transitions of a group, $t_j$ is the only clock that is born, so $c$ is not, on those transitions, assigned to any $i$ such that $i \neq j$. Moreover, after $c$ is assigned to $j$, it is removed from the pool and returned only on transitions on which $t_j$ is not active. Therefore $c$ cannot be assigned to any other $i$ on any transition $r$ such that $j \in \mathit{active}(r)$. So the allocation is always an injective function, i.e., it is lean.
43
Lemma 2. Assume alloc is a complete, correct and lean allocation. Then, for any transition r, the number of clocks in alloc.r is not greater than the size of the largest cluster to which r belongs.
Proof. Assume cluster F with size n is the largest cluster to which r belongs. Assume that |alloc.r| > n. By Observation 1, |active(r)| = n′ > n. By Observation 3, the number of families to which r belongs is n′. This implies that there is a cluster F′, whose size is n′, to which r belongs. But this contradicts the assumption that F is the largest cluster that includes r.
Theorem 4. The computed allocation is optimal.
Proof. This is a direct consequence of Lemma 2, Theorem 2, Theorem 3 and the fact that
the algorithm always allocates that of the available clocks which has the smallest number,
i.e., a new clock is added to the set of used clocks only when none of those already in the
set will do.
5 Case Studies
Our results include synthesizing a timed automaton from a given set of scenarios and optimally allocating clocks in the resulting timed automaton. Our synthesis algorithm takes user scenarios expressed in Timed Event Sequences and a mode graph as input and generates a minimal, deterministic and acyclic timed automaton. The optimal clock allocation algorithm takes the synthesized automaton and optimally allocates the clocks.
To illustrate our approach for synthesizing timed automata and optimally allocating clocks to them, we present several real-world examples in the next few subsections.
5.0.1 Automated Teller Machine
We use a variant of an Automated Teller Machine (ATM) to illustrate our synthesis algorithm. The mode graph of the ATM is shown in Figure 5.3. In its initial state, the ATM machine waits for a user to insert his bank card. Once the card is inserted, the user can either cancel the transaction within 4 seconds or enter his PIN within 5 to 60 seconds. If the transaction is cancelled, the ATM ejects the card within 2 to 3 seconds and returns to its initial state. Once the user enters the PIN, the ATM requests the bank to verify the user’s PIN. If the PIN is correct, the ATM displays the menu to the user within 5 seconds. If the PIN is incorrect, the ATM asks for the correct PIN again. The user has to enter the correct PIN within 3 attempts. If not, the ATM ejects the card and returns to its initial state. The two TES shown in Figure 5.1 describe the partial behaviour of the ATM system explained above. The timed automaton synthesized from these two scenarios is shown in Figure 5.2.
m_initial: card-not-inserted
(insert-card, {})
(enter-pin, {W − t0 ≥ 5, W − t0 ≤ 60})
(incorrect-pin, {})
(re-enter-pin, {W − t0 ≥ 5, W − t0 ≤ 60})
(correct-pin, {})
(request-data-from-bank, {})
(display-menu, {W − t4 ≤ 5})
m_final: menu-displayed
TES of Scenario 1

m_initial: card-not-inserted
(insert-card, {})
(enter-pin, {W − t0 ≥ 5, W − t0 ≤ 60})
(correct-pin, {})
(request-data-from-bank, {})
(display-menu, {W − t4 ≤ 5})
m_final: menu-displayed
TES of Scenario 2

Figure 5.1: Timed Event Sequences of the ATM
[Figure 5.2: The timed automaton synthesized from Scenario 1 and Scenario 2. States S0 to S7; transitions insert-card [c0 := 0], enter-pin [c0 ≥ 5, c0 ≤ 60], incorrect-pin, enter-pin [c0 ≥ 5, c0 ≤ 60], correct-pin (twice), request-data-from-bank [c4 := 0], display-menu [c4 ≤ 5].]
[Figure 5.3: Mode graph of the ATM. Modes: m0 card-not-inserted, m1 card-inserted, m2 pin-entered, m3 incorrect-pin-entered, m4 user-verified, m5 waiting-for-bank, m6 menu-displayed, m7 cancelled, m8 withdraw-option, m9 deposit-option, m10 withdraw-amount, m11 deposit-amount, m12 details-verified, m13 amount-withdrawed, m14 amount-deposited. Events on the edges: insert-card, enter-pin, cancel, incorrect-pin, return-card, correct-pin, request-data-from-bank, display-menu, withdraw, deposit, enter-amount, verify-details, successful.]
Now consider an extended behaviour of the ATM machine. After the menu is displayed by the ATM, assume that the user can choose from the two options available: deposit or withdraw. For a withdrawal operation, the user has to enter the amount he wishes to withdraw. After entering the amount, the bank verifies the user details and returns a success message if the details are correct. Similarly, the user enters the amount to deposit into the account and then the ATM returns a success message if the deposit has been successful. The TES representing the withdraw and deposit operations are shown in Figure 5.4. The timed automaton synthesized by using the mode graph in Figure 5.3 and the TES in Figures 5.1 and 5.4 is shown in Figure 5.5.
m_initial: menu-displayed
(deposit, {})
(enter-amount, {constraint on W − t6 with bound 20})
(successful, {constraint on W − t9 with bound 10})
(return-card, {})
m_final: card-not-inserted
TES of Scenario 3

m_initial: menu-displayed
(withdraw, {})
(enter-amount, {constraint on W − t6 with bound 20})
(verify-details, {})
(successful, {constraint on W − t10 with bound 10})
(return-card, {})
m_final: card-not-inserted
TES of Scenario 4

Figure 5.4: Timed Event Sequences of the ATM with withdraw and deposit options
[Figure 5.5: The synthesized timed automaton of the ATM. States S0 to S15. Transitions: insert-card [c0 := 0], enter-pin [c0 ≥ 5, c0 ≤ 60], incorrect-pin, enter-pin [c0 ≥ 5, c0 ≤ 60], correct-pin (twice), request-data-from-bank [c4 := 0], display-menu [c4 ≤ 5]; deposit branch: deposit [c6 := 0], enter-amount [constraint on c6 with bound 20; c9 := 0], successful [constraint on c9 with bound 10], return-card; withdraw branch: withdraw [c6 := 0], enter-amount [constraint on c6 with bound 20], verify-details [c10 := 0], successful [constraint on c10 with bound 10], return-card.]
5.0.2 Light Control System
Consider the variant of a light control system [3] shown in Figure 5.6. Initially, the system is in the Idle state. The state changes from Idle to Light upon issuing the command ON. If ON is issued again within 3 units of time, the light goes to the Bright state; otherwise the light goes back to the Idle state. In the mode graph, Idle is both the initial and the final mode. The partial behaviour of the control system from which the model is generated is given in Figure 5.7. The timed automaton synthesized by our algorithm using the mode graph in Figure 5.6 and the three TES in Figure 5.7 is shown in Figure 5.8.
[Figure 5.6: Mode graph of the Light Control System. Modes Idle, Light and Bright, connected by edges labelled ON and OFF.]
m_initial: Idle
(ON, {})
(OFF, {w − t0 > 3})
(ON, {})
(ON, {w − t0 <= 3})
(OFF, {})
m_final: Idle
Scenario 1

m_initial: Light
(ON, {w − t0 <= 3})
(OFF, {})
(ON, {})
(OFF, {w − t0 > 3})
m_final: Idle
Scenario 2

m_initial: Bright
(OFF, {})
(ON, {})
(ON, {w − t0 <= 3})
(OFF, {})
m_final: Idle
Scenario 3

Figure 5.7: Timed Event Sequences of the Light Control System
[Figure 5.8: Timed automaton of the Light Control System. States labelled Idle, Light and Bright; transitions labelled ON [c0 := 0], ON [c0 <= 3], OFF [c0 > 3] and unguarded OFF.]
5.0.3 Fuel Management System
Consider the variant of a fuel management system [7] with three states: Empty, Normal and Full. Upon the action IN, fuel is filled in, and upon the action OUT, fuel is used up. The mode graph of Figure 5.9 depicts one such system. In the mode graph, the initial mode is Empty and the final mode is Normal. The timed automaton synthesized by our algorithm using the mode graph in Figure 5.9 and the three TES in Figure 5.10 is shown in Figure 5.11.
[Figure 5.9: Mode graph of the Fuel Management System. Modes Empty, Normal and Full, connected by edges labelled IN and OUT.]
m_initial: Empty
(IN, {})
(OUT, {})
(IN, {})
(IN, {})
(OUT, {})
m_final: Normal
Scenario 2

m_initial: Full
(OUT, {})
(OUT, {})
(IN, {})
m_final: Normal
Scenario 1

m_initial: Normal
(IN, {})
(OUT, {})
(OUT, {})
(IN, {})
m_final: Normal
Scenario 3

Figure 5.10: Timed Event Sequences of the Fuel Management System
[Figure 5.11: Timed automaton of the Fuel Management System. States S0 to S7 along a chain of transitions labelled IN, OUT, IN, IN, OUT, OUT, IN, plus one further IN transition.]
5.0.4 Train and Railroad Crossing System
We consider a variant of the Train component of the Train, Gate and Controller system [2]. Initially, the train is Far from the railroad crossing, and the events Enter and Exit represent the entry into and the exit from the railroad crossing. The mode graph of such a system is shown in Figure 5.12. Both the initial mode and the final mode of the mode graph are Far. The automaton synthesized using the three TES in Figure 5.13 is shown in Figure 5.14.
[Figure 5.12: Mode graph of the Train And Railroad Crossing System. Modes Far, Near and Past, connected by edges labelled Approach, Enter and Exit.]
m_initial: Far
(Approach, {})
(Enter, {})
(Exit, {})
m_final: Far
Scenario 1

m_initial: Near
(Enter, {})
(Exit, {})
(Approach, {})
m_final: Near
Scenario 2

m_initial: Past
(Exit, {})
(Approach, {})
(Enter, {})
(Exit, {})
m_final: Far
Scenario 3

Figure 5.13: Timed Event Sequences of the Train And Railroad Crossing System
[Figure 5.14: Timed automaton of the Train And Railroad Crossing System. States S0 to S6 along a chain of transitions labelled Approach, Enter, Exit, Approach, Enter, Exit.]
In the next few subsections, we present several examples of how our optimal clock allocation algorithm is applied to real-world examples.
5.0.5 Traffic Light System
Consider the example of the behaviour of a traffic light [8]. Figure 5.15 shows a variant of the traffic light model. The system periodically moves from the Initial state to Red, from Red to Yellow, from Yellow to Green, and then it is Reset. As seen from the automaton, on the transitions turn-yellow and turn-green a clock constraint is checked and a new clock is born. Clearly, clocks are not optimally allocated in this timed automaton, as at any point of time only one clock is sufficient. The result of applying our optimal clock allocation algorithm to this timed automaton is shown in Figure 5.16. One clock is used instead of three clocks. That is, clock c0 is assigned to t0, t1 and t2. The clock assignments are as follows: {(c0, t0), (c0, t2), (c0, t1)}.
[Figure 5.15: Timed automaton of the Traffic Light. Locations Initial, Red, Yellow, Green; transitions epsilon [t0 := 0], turn-yellow [constraint on t0 with bound 5; t1 := 0], turn-green [constraint on t1 with bound 1; t2 := 0], reset [constraint on t2 with bound 5].]
[Figure 5.16: The optimally allocated timed automaton of the Traffic Light. Locations Initial, Red, Yellow, Green; transitions epsilon [c0 := 0], turn-yellow [constraint on c0 with bound 5; c0 := 0], turn-green [constraint on c0 with bound 1; c0 := 0], reset [constraint on c0 with bound 5].]
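As an added illustration of the pool and assignments bookkeeping in the propagate and find-clock procedures (example code written for this page, not the thesis's implementation), the following walks a single path of transitions and releases a clock on the first transition where its clock is no longer active, so that the clock born on that transition can take it. It handles only the path case, so no mother/group partitioning is needed; the born and active sets for the traffic light of Figure 5.15 and for the Scenario 2 path of the ATM (Figure 5.2) are read off the figures and are assumptions, and the OVERLAP path is constructed here.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Transition:
    """One transition r after liveness analysis (constructed input)."""
    name: str
    born: Optional[int]     # index j of the clock t_j reset on r, or None
    active: FrozenSet[int]  # indices of clocks still live after r is taken


def allocate(path: List[Transition], n_clocks: int) -> Dict[int, int]:
    """Map each original clock index j to the clock number c it receives."""
    pool = set(range(n_clocks))  # P0: every clock number starts out free
    assignments = {}             # j -> c for the clocks live on entry to r
    alloc = {}
    for r in path:
        # find-clock: a range that ends on r (t_j not active on r) is released
        # on r, so its clock may be taken by the clock born on r itself
        dying = {j for j in assignments if j not in r.active}
        chosen = None
        if r.born is not None:
            available = {assignments[j] for j in dying} | pool
            chosen = min(available)  # smallest number: new clocks only if needed
            alloc[r.born] = chosen
        # propagate: return dead clocks to the pool, take the chosen one out
        for j in dying:
            pool.add(assignments.pop(j))
        if chosen is not None and r.born in r.active:
            pool.discard(chosen)
            assignments[r.born] = chosen
    return alloc


def clocks_used(alloc: Dict[int, int]) -> int:
    return len(set(alloc.values()))


# Traffic light of Figure 5.15: t0 dies on turn-yellow where t1 is born,
# t1 dies on turn-green where t2 is born, t2 dies on reset (assumed sets).
TRAFFIC_LIGHT = [
    Transition("epsilon", 0, frozenset({0})),
    Transition("turn-yellow", 1, frozenset({1})),
    Transition("turn-green", 2, frozenset({2})),
    Transition("reset", None, frozenset()),
]

# Scenario 2 path of the ATM (Figure 5.2): c0 dies on enter-pin before c4 is born.
ATM_SCENARIO_2 = [
    Transition("insert-card", 0, frozenset({0})),
    Transition("enter-pin", None, frozenset()),
    Transition("correct-pin", None, frozenset()),
    Transition("request-data-from-bank", 4, frozenset({4})),
    Transition("display-menu", None, frozenset()),
]

# Constructed path where t0 is still live when t1 is born: no sharing.
OVERLAP = [
    Transition("a", 0, frozenset({0})),
    Transition("b", 1, frozenset({0, 1})),
    Transition("c", None, frozenset({1})),
    Transition("d", None, frozenset()),
]
```

For the traffic light the result is {0: 0, 1: 0, 2: 0}, i.e. the single-clock assignment {(c0, t0), (c0, t1), (c0, t2)} stated above; on the ATM path the two ranges of c0 and c4 never overlap and also share one clock, while the OVERLAP path needs two.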
5.0.6 CSMA/CD Protocol
Consider a variant of the CSMA/CD protocol [18] shown in Figure 5.17. Assume there are n senders S1, S2, ..., Sn and a medium M. The action send means messages are sent, busy means the channel is busy and cd indicates a collision. begin and end signify the beginning and the ending of a transmission. In the automaton, there are three clocks but at any point only two clocks are required. The range of clock x1 ends on transition r7. The clock can be reassigned to x3 after the constraint is checked. The final optimally allocated timed automaton is shown in Figure 5.18.
[Figure 5.17: The timed automaton for the sender in the CSMA/CD protocol. Locations init, send, cd1, transm, cd2; transitions r1 [x0 := 0], r2 [x0 = 0; x1 := 0], r3 [x0 = 0; x1 := 0], r4 [x1 <= 2], r5 [x0 = 0; x1 := 0], r6 [x1 = (bound symbol not recovered)], r7 [x1 <= (bound symbol not recovered); x3 := 0], r8 [x3 <= 2], r9, r10, r11 [x0 := 0].]
[Figure 5.18: The optimally allocated timed automaton for the sender in the CSMA/CD protocol. Locations init, send, cd1, transm, cd2; transitions r1 [c1 := 0], r2 [c1 = 0; c2 := 0], r3 [c1 = 0; c2 := 0], r4 [c2 <= 2], r5 [c1 = 0; c2 := 0], r6 [c1 = (bound symbol not recovered)], r7 [c1 <= (bound symbol not recovered); c1 := 0], r8 [c1 <= 2], r9, r10, r11 [c1 := 0].]
6 Conclusions
We develop and implement an algorithm to construct a minimal, deterministic and acyclic timed automaton from a given set of scenarios and a mode graph. A scenario is a partial behavior of the system during some time interval. We propose Timed Event Sequences to formally express the scenarios. The use of mode graphs helps us to understand what events are allowed in the automaton. We first synthesize a time annotated graph from Timed Event Sequences and a mode graph. We start with an empty graph and then extend the graph as we come across each scenario. The generated time annotated graph is then used as an input to the algorithm which assigns clocks, clock resets and clock constraints to the transitions. The generated timed automaton belongs to a class of timed automata that satisfies the dominance assumption. In this class, we also assume that a clock ti can be reset only on a transition leaving a state s such that L(s) = i.
For optimal clock allocation, our algorithm takes in a timed automaton A constructed using our synthesis method and generates an optimally allocated timed automaton A′ where the number of clocks is minimal. We only consider the clock variables in clock constraints to minimize the number of clocks, not the satisfiability of the clock constraints. To minimize the number of clocks, we perform liveness analysis on the clocks to determine which clocks can be reused. After performing liveness analysis, each transition is extended with born and active sets. The automaton with the extended transitions is used to minimize and optimally allocate the clocks. We do not change the graph of the original timed automaton, and the complexity of the algorithm is quadratic in the size of the graph.
In the future, we will identify a more general class of timed automata to which our clock allocation method can be applied and extend our results to timed automata in general, not just those that satisfy our dominance assumption.
Bibliography
[1] E. Abraham. Modeling and Analysis of Hybrid Systems. Faculty of Mathematics, Computer Science, and Natural Sciences, RWTH Aachen University, 2012 (cit. on p. 12).
[2] R. Alur and D. L. Dill. “A Theory of Timed Automata”. In: Theor. Comput. Sci. 126.2 (Apr. 1994), pp. 183–235. ISSN: 0304-3975. DOI: 10.1016/0304-3975(94)90010-8. URL: http://dx.doi.org/10.1016/0304-3975(94)90010-8 (cit. on pp. 1, 4, 5, 7, 53).
[3] P. Bouyer. An introduction to timed automata. 2011-2012. URL: https://pdfs.semanticscholar.org/a363/3e789b4e17f4eafe1868605911bea49d2be0.pdf (cit. on p. 50).
[4] E. M. Clarke Jr., O. Grumberg, and D. A. Peled. Model Checking. Cambridge, MA, USA: MIT Press, 1999. ISBN: 0-262-03270-8 (cit. on pp. 9–11).
[5] C. Damas, B. Lambeau, F. Roucoux, and A. van Lamsweerde. “Analyzing Critical Process Models Through Behavior Model Synthesis”. In: Proceedings of the 31st International Conference on Software Engineering. ICSE ’09. Washington, DC, USA: IEEE Computer Society, 2009, pp. 441–451. ISBN: 978-1-4244-3453-4. DOI: 10.1109/ICSE.2009.5070543. URL: http://dx.doi.org/10.1109/ICSE.2009.5070543 (cit. on p. 2).
[6] C. Daws and S. Yovine. “Reducing the number of clock variables of timed automata”. In: 17th IEEE Real-Time Systems Symposium. Dec. 1996, pp. 73–81. DOI: 10.1109/REAL.1996.563702 (cit. on p. iii).
[7] P. Derler, E. A. Lee, and A. S. Vincentelli. “Modeling Cyber-Physical Systems”. In: Proceedings of the IEEE 100.1 (Jan. 2012), pp. 13–28. ISSN: 0018-9219. DOI: 10.1109/JPROC.2011.2160929 (cit. on p. 52).
[8] A. Dubey, S. Nordstrom, T. Keskinpala, S. Neema, T. Bapty, and G. Karsai. “Towards a verifiable real-time, autonomic, fault mitigation framework for large scale real-time systems”. In: Innovations in Systems and Software Engineering 3.1 (2007), pp. 33–52. ISSN: 1614-5054. DOI: 10.1007/s11334-006-0015-7. URL: http://dx.doi.org/10.1007/s11334-006-0015-7 (cit. on p. 54).
[9] O. Finkel. “Undecidable Problems About Timed Automata”. In: CoRR abs/0712.1363 (2007). URL: http://arxiv.org/abs/0712.1363 (cit. on pp. iii, 3, 29).
[10] S. Guha, C. Narayan, and S. Arun-Kumar. “Reducing Clocks in Timed Automata while Preserving Bisimulation”. In: CONCUR 2014 – Concurrency Theory: 25th International Conference, CONCUR 2014, Rome, Italy, September 2-5, 2014. Proceedings. Ed. by P. Baldan and D. Gorla. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 527–543. ISBN: 978-3-662-44584-6. DOI: 10.1007/978-3-662-44584-6_36. URL: http://dx.doi.org/10.1007/978-3-662-44584-6_36 (cit. on p. iii).
[11] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a Nutshell. 1997 (cit. on p. 12).
[12] T. Lengauer and R. E. Tarjan. “A Fast Algorithm for Finding Dominators in a Flowgraph”. In: vol. 1. 1. New York, NY, USA: ACM, Jan. 1979, pp. 121–141. DOI: 10.1145/357062.357071. URL: http://doi.acm.org/10.1145/357062.357071 (cit. on p. 15).
[13] N. Saeedloei. From Scenarios to Timed Automata. Technical Report. Duluth, MN: Department of Computer Science, University of Minnesota Duluth, June 2016. URL: http://www.d.umn.edu/cs/research/Neda%20Saeedloei%20Technical%20Report%2016-01.pdf (cit. on pp. 15, 21).
[14] N. Saeedloei and F. Kluzniak. Optimal Clock Allocation for a Class of Timed Automata. Technical Report. Duluth, MN: Department of Computer Science, University of Minnesota Duluth, Sept. 2016. URL: http://www.d.umn.edu/cs/research/documents/technicalReport-Neda-3.pdf (cit. on p. 28).
[15] S. Somé, R. Dssouli, and J. Vaucher. “From Scenarios to Timed Automata: Building Specifications from Users Requirements”. In: 2nd Asia-Pacific Software Engineering Conference (APSEC ’95), December 6-9, 1995, Brisbane, Queensland, Australia. 1995, pp. 48–57. DOI: 10.1109/APSEC.1995.496953. URL: http://dx.doi.org/10.1109/APSEC.1995.496953 (cit. on p. 2).
[16] S. Uchitel, G. Brunet, and M. Chechik. “Synthesis of Partial Behavior Models from Properties and Scenarios”. In: IEEE Trans. Software Eng. 35.3 (2009), pp. 384–406. DOI: 10.1109/TSE.2008.107. URL: http://dx.doi.org/10.1109/TSE.2008.107 (cit. on p. 2).
[17] S. Uchitel, J. Kramer, and J. Magee. “Synthesis of Behavioral Models from Scenarios.” In: IEEE Trans. Software Eng. 29.2 (2003), pp. 99–115. URL: http://dblp.uni-trier.de/db/journals/tse/tse29.html#UchitelKM03 (cit. on p. 2).
[18] S. Yovine. “A case study: the CSMA/CD protocol”. In: (Nov. 1994) (cit. on p. 55).
