We 
Introduction
Timed automata [3, 13] are automata extended with a finite set of real-valued clocks that proceed at a uniform rate and constrain the times at which transitions occur. Since the time component makes the underlying transition system infinite, verification algorithms depend on the construction of a finite partition of the state space. As shown in [2, 3], the complexity of the verification problem for timed automata is exponential in the number of clocks and in the largest time constant appearing in the timing constraints. Nevertheless, empirical results obtained in the last few years [5, 8, 11] show that the complexity due to time constants could be avoided in practice by a symbolic verification algorithm based on a representation of sets of states by systems of linear inequalities [7]. However, the number of clocks remains an important obstacle to developing verification algorithms that are efficient in practice.
In this paper we take a practical approach to tackle this problem. Experience shows that the number of clocks used in a specification mainly grows for two reasons. First, specifications are often written in high-level description languages and later compiled into timed automata having a number of clocks proportional to the number of time-outs that appear in the description [14, 10]. However, these time-outs are rarely active at the same time, and hence, the number of clocks could be reduced. Second, complex systems are described as the parallel composition of simpler components each one having a small number of clocks (usually only one is needed to model sequential components [14]). It turns out that, due to the synchronization of transitions, many clocks are simultaneously reset and therefore they will be equal for some time since they all proceed at the same speed. Clearly, in this case, only one of these clocks is really necessary.
In 1996 IEEE RTSS'96, Dec. 4-6, 1996, Washington, DC, USA. This work has been partially supported by CNET contract # 95 7B. VERIMAG is a joint laboratory of CNRS, UJF, INPG and Verilog SA.
Taking into account these observations, we propose a method for reducing the number of clocks of a timed automaton by combining two algorithms. The first one consists in detecting active clocks, that is, those whose values may influence the future evolution of the system. The second one consists in detecting pairs of clocks that are always equal.
The paper is organized as follows. In section 2 we give the necessary definitions. In section 3 we describe the algorithms in detail. In section 4 we apply the method to a case study. In section 5 we discuss experimental results showing that an appropriate encoding of the state space, based on the output of the algorithms, leads to a considerable reduction of the memory space allowing a more efficient verification.
Basic definitions

Clocks, constraints and assignments
Let $X$ be a finite set of clocks. A valuation $v$ is a function that assigns a non-negative real value $v(x) \in \mathbb{R}^+$ to each clock $x \in X$. The set of valuations is denoted $V_X$. For $t \in \mathbb{R}^+$, $v+t$ denotes the valuation $v'$ such that $v'(x) = v(x)+t$ for all $x \in X$.
Let $\Psi_X$ be the set of predicates over $X$ defined as a conjunction of atoms of the form $x \mathbin{\#} c$ or $x - y \mathbin{\#} c$, where $x, y \in X$, $\# \in \{<, \le, >, \ge, =\}$ and $c$ is an integer constant. For $\in \Psi_X$ we write clk( ) to denote the set of clocks that appear in .
Let X be the set X $\{0\}$. An assignment is a function from X to X . For $Y \subseteq X$, (Y ) $\subseteq X$ denotes the set of clocks $\{x \in X \mid \exists y \in Y.\ x = \ (y)\}$. We denote v ] the valuation $v'$ such that for all $x \in X$, $v'(x) = v(\ (x))$ if (x) $\in X$, otherwise $v'(x) = 0$.
Timed automata
A timed automaton $A$ is a tuple $\langle S, X, L, E, I \rangle$ [13, 5]
Bisimulation
The notion of equivalence we are interested in is bisim- 
Renaming
Let $X$ and $Z$ be two disjoint sets of clocks, and $A$ be a timed automaton over $X$. A clock renaming $\Gamma$ from $X$ to $Z$ is a family of partial functions $\{\Gamma_s : X \to Z\}_{s \in S}$ such that $\Gamma_s(x) = 0$ iff $x = 0$. We write $\Gamma_s(x) = \bot$ to denote that $\Gamma_s$ is undefined for $x \in X$. We denote $\Gamma(A)$ the timed automaton obtained from $A$ by replacing clocks in $X$ by clocks in $Z$ in all conditions and assignments as follows.
For all $s \in S$ and for all constraints $\in \Psi_X$ appearing in the invariant condition of $s$ and in the guards of the edges going out of $s$, the new constraint Γ( ) $\in \Psi_Z$ is obtained by replacing every $x \in X$ by $\Gamma_s(x)$ in . We require $\Gamma_s(x)$ to be defined for all $x \in$ clk( ).
For all edges $e = (s, L, \ , \ , s') \in E$, the edge $\Gamma(e)$ is $(s, L, \Gamma(\ ), \Gamma(\ ), s')$ where the assignment Γ( ) is such that for all $z \in Z$:
We require that for all $x, y \in X$, if
We denote $\mathrm{card}(\Gamma_s)$ the number of clocks $z \in Z$ for which there exists a clock $x \in X$ such that $\Gamma_s(x) = z$.
Reducing the number of clocks
Our aim is to find a set of clocks Z with card(Z) card(X) and a clock renaming Γ from X to Z such that Γ(A) is bisimilar to A. Even if this notion of reduction is global, that is, card(Z) clocks are globally required to model the same behavior, in general, it cannot be achieved by a global renaming of the clocks, i.e. the same renaming function for all the locations, which can be defined as a single function instead of a family of functions.
Consider as an example the timed automaton $A_1$ depicted in Figure 1(a). It is easy to see that x and z, x and y, and y and z have equal values at locations 0, 1 and 2, respectively.
Consider the renaming that at each location maps the pair of clocks having equal values to t, and the other clock to w:

s   x   y   z
0   t   w   t
1   t   t   w
2   w   t   t

It is not difficult to check that the timed automaton $\Gamma(A_1)$ obtained by applying this renaming (Figure 1(b)) is bisimilar to $A_1$. However, no global renaming reduces the number of clocks to 2 without changing the behavior.
In the rest of this section we discuss two algorithms that compute for any timed automaton a clock renaming inducing a bisimilar timed automaton. Hereafter, all assignments of the form x := x are omitted in the figures. 
Activity
We propose here an algorithm for reducing the number of clocks of a timed automaton based on the notion of activity of a clock. Intuitively, a clock is active at some control location if its value at the location may influence the future evolution of the system. This may happen whenever the clock appears in the invariant condition of the location, it is tested in the condition of some of the outgoing edges, or an active clock takes its value when moving through an outgoing edge.
Definition
For every control location $s \in S$ we define $\mathrm{clk}(s) \subseteq X$ such that $x \in \mathrm{clk}(s)$ iff $x \in \mathrm{clk}(I(s))$ or there exists an edge $e = \langle s, L, \ , \ , s' \rangle \in E$ such that $x \in$ clk( ). Now, we define the function act that associates with each control location $s \in S$ the set $\mathrm{act}(s) \subseteq X$ of active clocks at $s$ to be the least fixed point of the following system of equations: For all $s \in S$, $\mathrm{act}(s)$ is the limit of the convergent sequence $\mathrm{act}_0(s)$ $\mathrm{act}_1(s)$ $\ldots$ such that:
Renaming
Let $Z$ be a set of clocks disjoint with $X$ such that $\mathrm{card}(Z) = \max\{\mathrm{card}(\mathrm{act}(s)) \mid s \in S\}$. An act-renaming $\Gamma$ is a renaming such that for all $s \in S$,
(1) for all $x \in X$, $\Gamma_s(x)$ is defined iff $x \in \mathrm{act}(s)$, and (2) for all $x, y \in \mathrm{act}(s)$, $\Gamma_s(x) = \Gamma_s(y)$ iff $x = y$. Notice that for all $s \in S$, $\Gamma_s$ is an injective function from $\mathrm{act}(s)$ to $Z$, and so $\mathrm{card}(\Gamma_s) = \mathrm{card}(\mathrm{act}(s))$. It follows that all act-renamings generate bisimilar timed automata with the same number of clocks.
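The activity computation and an act-renaming, as an added example that is not code from the paper or from KRONOS. It follows the informal description above (a clock is active where it is tested, or where an active clock of a successor location takes its value); the edge encoding, the function names and the three-location automaton are assumptions constructed for illustration.

```python
def active_clocks(locations, invariant_clocks, edges):
    """Least fixed point of the activity relation described in the text.

    edges: (source, guard_clocks, assignment, target). An assignment maps a
    clock to the clock it copies or to 0 (reset); unlisted clocks keep x := x.
    """
    # Start from clk(s): clocks in the invariant or in an outgoing guard.
    act = {s: set(invariant_clocks.get(s, ())) for s in locations}
    for src, guard, _assign, _dst in edges:
        act[src] |= set(guard)
    changed = True
    while changed:
        changed = False
        for src, _guard, assign, dst in edges:
            # A clock is needed at src if an active clock of dst takes its value.
            needed = {assign.get(y, y) for y in act[dst]} - {0}
            if not needed <= act[src]:
                act[src] |= needed
                changed = True
    return act

def act_renaming(act):
    """Injective map per location from active clocks to z0, z1, ...
    Inactive clocks get no image (the renaming is undefined for them)."""
    return {s: {x: f"z{i}" for i, x in enumerate(sorted(xs))}
            for s, xs in act.items()}

def clocks_needed(act):
    """card(Z): the largest number of simultaneously active clocks."""
    return max(len(xs) for xs in act.values())

# Constructed automaton with four clocks x, y, z, w (not from the paper).
TIMEOUT_LOCATIONS = ["idle", "wait", "send"]
TIMEOUT_INVARIANTS = {"wait": {"y"}}
TIMEOUT_EDGES = [
    ("idle", set(), {"y": "x", "w": 0}, "wait"),   # y := x, w := 0
    ("wait", {"y"}, {"z": 0}, "send"),             # guard on y, z := 0
    ("send", {"z", "w"}, {"x": 0}, "idle"),        # guard on z and w, x := 0
]
ACT = active_clocks(TIMEOUT_LOCATIONS, TIMEOUT_INVARIANTS, TIMEOUT_EDGES)

if __name__ == "__main__":
    for s in TIMEOUT_LOCATIONS:
        print(s, sorted(ACT[s]), act_renaming(ACT)[s])
    print("clocks needed:", clocks_needed(ACT))
```

Clock x is active at idle only because y, which is tested at wait, copies its value, and w is active at wait only because it is tested later at send.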
Application
We apply the algorithm described above to reduce the number of clocks of the timed automaton $A_2$ depicted in Figure 2. This timed automaton is a model of the FDDI (Fiber Distributed Data Interface) protocol [9] for two stations and it has been taken from [4]. The corresponding timed automaton $\Gamma_{act}(A_2)$ is shown in Figure 3.
Equality
We describe here the algorithm for reducing the number of clocks based on the notion of equality between clocks.
Intuitively, two clocks $x, y \in X$ are equal in $s \in S$ if they have the same value in that location for every run, that is, if for every reachable state $(s, v)$ we have that $v(x) = v(y)$.
In this case, only one of the clocks is necessary to determine the behavior of the system at the location.
Definition
We define the equality relation such that two clocks are equal in a location if they are set by the assignment of every incoming edge either both to 0 or to clocks that are themselves equal in the source location.
Let $r \subseteq X \times X$. We denote r the relation r $\{(0, 0)\}$.
Let be an assignment. We denote (r) the set of pairs
The algorithm for iteratively computing the fixed point is shown in Table 2.
Table 2. Algorithm for computing equ.
It can be shown that the values of all clocks $x, y \in X$ such that $(x, y) \in \mathrm{equ}(s)$ are equal any time location $s$ is entered. Clearly, the equality between the values of the clocks is preserved by the passage of time. Hence, the following proposition holds.
Renaming
We denote $\Pi_s$ the partition of $X$ induced by $\mathrm{equ}(s)$. Let $Z$ be a set of clocks disjoint with $X$ such that $\mathrm{card}(Z) = \max\{\mathrm{card}(\Pi_s) \mid s \in S\}$. An equ-renaming $\Gamma$ is a renaming such that for all $s \in S$,
(1) $\Gamma_s(x)$ is defined for all $x \in X$, and (2) for all $x, y \in X$, $\Gamma_s(x) = \Gamma_s(y)$ iff $(x, y) \in \mathrm{equ}(s)$. Notice that for all $s \in S$, $\mathrm{card}(\Gamma_s) = \mathrm{card}(\Pi_s)$.
Proposition 5 Let Γ be an equ-renaming. Then A Γ(A).
It follows that all equ-renamings generate bisimilar timed automata with the same number of clocks.
Application
We apply the algorithm described above to reduce the number of clocks of the timed automaton $A_1$ depicted in Figure 1(a). It is easy to see that the renaming $\Gamma$ that generates the timed automaton $\Gamma(A_1)$ of Figure 1(b) is an equ-renaming.
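The equality computation and an equ-renaming, as an added example that is not code from the paper or from KRONOS. It implements the rule stated in the definition above (two clocks stay equal in a location only if every incoming edge sets both to 0 or to clocks equal in the source location). Assumptions: the edge encoding and function names are hypothetical, all clocks start at 0, and the three-location cycle is constructed so that its result matches the renaming table given for $A_1$; it is not necessarily the automaton of Figure 1.

```python
from itertools import product

def equal_clocks(clocks, locations, edges):
    """Greatest fixed point of the equality relation, one relation per location.

    edges: (source, assignment, target). An assignment maps a clock to the
    clock it copies or to 0 (reset); unlisted clocks keep x := x.
    Assumption: every relation starts full, which for the initial location
    also encodes that all clocks start at 0.
    """
    equ = {s: set(product(clocks, repeat=2)) for s in locations}
    changed = True
    while changed:
        changed = False
        for src, assign, dst in edges:
            r0 = equ[src] | {(0, 0)}      # source relation extended with (0, 0)
            kept = {(x, y) for (x, y) in equ[dst]
                    if (assign.get(x, x), assign.get(y, y)) in r0}
            if kept != equ[dst]:
                equ[dst], changed = kept, True
    return equ

def partition(clocks, rel):
    """Equivalence classes of rel over clocks, in first-seen order."""
    classes = []
    for x in clocks:
        cls = frozenset(y for y in clocks if (x, y) in rel)
        if cls not in classes:
            classes.append(cls)
    return classes

def equ_renaming(clocks, equ, names):
    """Map each class to one new clock; larger classes get the earlier name."""
    renaming = {}
    for s, rel in equ.items():
        classes = sorted(partition(clocks, rel), key=lambda c: (-len(c), min(c)))
        renaming[s] = {x: names[i] for i, c in enumerate(classes) for x in c}
    return renaming

# Constructed three-location cycle over clocks x, y, z (an assumption).
CYCLE_CLOCKS = ["x", "y", "z"]
CYCLE_EDGES = [
    (0, {"x": 0, "y": 0}, 1),   # x := 0, y := 0
    (1, {"y": 0, "z": 0}, 2),   # y := 0, z := 0
    (2, {"x": 0, "z": 0}, 0),   # x := 0, z := 0
]
EQU = equal_clocks(CYCLE_CLOCKS, [0, 1, 2], CYCLE_EDGES)

if __name__ == "__main__":
    for s, row in sorted(equ_renaming(CYCLE_CLOCKS, EQU, ["t", "w"]).items()):
        print(s, row)
```

No single global map from {x, y, z} to {t, w} yields all three rows, which is why the renaming is a family indexed by location.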
Combining act and equ
Let $A$ be a timed automaton, and act and equ be the activity and the equality computed for $A$ with corresponding renamings $\Gamma_{act}$ and $\Gamma_{equ}$. Now, let $equ'$ be the equality computed for the timed automaton $\Gamma_{act}(A)$ with $\Gamma_{equ'}$ its corresponding renaming, and $act'$ be the activity computed for the timed automaton $\Gamma_{equ}(A)$ with $\Gamma_{act'}$ its corresponding renaming.
Proposition 6 The timed automata
and $A_2 = \Gamma_{act'}(\Gamma_{equ}(A))$ are such that:
The number of clocks of $A_1$ and $A_2$ is the same.
This proposition shows that applying an act-renaming and an equ-renaming one after the other and in any order results in bisimilar timed automata and in the same degree of clock reduction.
Application
Consider the timed automaton $A_3$ depicted in Figure 4.
Notice that there is no global reduction by activity since all the clocks are active in location 3. However, the number of clocks is reduced to 3 by $equ'$ because clocks $u'$ and $w'$ are found to be equal for all locations. Figure 5 shows the timed automaton $\Gamma(A_3)$.
Case study
We apply the clock-reduction method described above to a timed automaton modeling a MOS circuit. This example has been taken from [12] .
A MOS transistor (Figure 6) is a three-terminal device. It can be in two basic states On and Off. When it is On, the current flows between terminals $X_1$ and $X_2$. The transition between the two states is controlled by the switching terminal S. When the transistor is Off and S goes up (we denote this event by $S{\uparrow}$), after a delay of 1 time unit the state of the transistor becomes On. When S switches back, the gate

The property that we want to verify is the absence of short-cuts, that is, current never flows from VDD to GND, or equivalently, that all the runs (starting at the initial state) never reach a state such that

Table 3 shows the results obtained with the tool KRONOS [5]

It is worth noticing that the reduction by activity on $A_{MOS}$ lowers the number of clocks to 10, whereas the reduction by equality on $A_{MOS}$ lowers it to 11. However, by combining the two renamings as suggested in Section 3.3, we obtain a better global reduction to only 6 clocks. Roughly speaking, there are two reasons for this reduction. On one hand, in locations having more than 6 active clocks, there are many pairs of them that are equal so at most 6 active clocks are different. On the other hand, where there are more than 6 different clocks, many of them are not active so at most 6 different clocks are active.

Table 4 shows the results obtained by applying the algorithms described in the previous sections to many case studies that have appeared in the literature: the models of the FDDI [9], CSMA-CD [15], and Fischer (FISC) [1] protocols described in [4], the automatic production plant [5], and the MOS circuit presented in Section 4. We have analyzed several instances of each protocol depending on the number of stations or processes that participate. The table shows the sizes of the corresponding timed automata, that is, the number of control locations, transitions and clocks.
For each algorithm (activity and equality), the table shows the number of iterations and the number of clocks needed for the corresponding renaming. The last column shows the number of clocks obtained by combining the two renamings as suggested in Section 3.3. The most important global reductions are obtained for all the instances of the FDDI protocol and for the MOS circuit, where the number of clocks is halved. The running time (on a Sparc Station 20 with 64MB) of the biggest example (FISC 6) was less than 6 secs. Notice that, except for the FDDI, the whole set of clocks is very rarely needed (less than 10%). This observation justifies the symbolic representation of sets of states by systems of linear constraints of dimension $\mathrm{card}(\Gamma_s)$ for each control location $s \in S$, instead of a unique dimension for all locations, equal to the global number of clocks $\mathrm{card}(X)$. This representation should lead to a more efficient verification, both in time and space. We show in the last column of Table 5 the coefficient of space reduction for the representation of the set of states given by the formula:
$(1 + \mathrm{card}(X))^2$
corresponding to a representation of linear inequalities by difference bound matrices [6] of size quadratic in the number of clocks. For instance, even if there is no global reduction of the number of clocks, the state space encoding with variable dimension for the Fischer mutual exclusion protocol for 6 processes (FISC 6) requires only 18.8% of the total amount of memory needed by the encoding using a unique dimension.
Table 5. Clock distribution and space reduction.
Conclusion
