Are timed automata bad for a specification language? Language inclusion checking for timed automata by WANG, Ting et al.
Singapore Management University 
Institutional Knowledge at Singapore Management University 
Research Collection School Of Information 
Systems School of Information Systems 
4-2014 
Are timed automata bad for a specification language? Language 
inclusion checking for timed automata 
Ting WANG 
Jun SUN 
Singapore Management University, junsun@smu.edu.sg 
Yang LIU 
Xinyu WANG 
Shanping LI 
Follow this and additional works at: https://ink.library.smu.edu.sg/sis_research 
 Part of the Software Engineering Commons, and the Theory and Algorithms Commons 
Citation 
WANG, Ting; SUN, Jun; LIU, Yang; WANG, Xinyu; and LI, Shanping. Are timed automata bad for a 
specification language? Language inclusion checking for timed automata. (2014). Proceedings of the 
20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 
Grenoble, France, April 5-13. 310-325. Research Collection School Of Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/4957 
This Conference Proceeding Article is brought to you for free and open access by the School of Information 
Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in 
Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at 
Singapore Management University. For more information, please email libIR@smu.edu.sg. 
Are Timed Automata Bad for a Specification Language?
Language Inclusion Checking for Timed Automata
Ting Wang1, Jun Sun2, Yang Liu3, Xinyu Wang1, and Shanping Li1
1 College of Computer Science and Technology, Zhejiang University, China
2 ISTD, Singapore University of Technology and Design, Singapore
3 School of Computer Engineering, Nanyang Technological University, Singapore
Abstract. Given a timed automaton P modeling an implementation and a timed
automaton S as a specification, language inclusion checking is to decide whether
the language of P is a subset of that of S . It is known that this problem is un-
decidable and “this result is an obstacle in using timed automata as a specifica-
tion language” [2]. This undecidability result, however, does not imply that all
timed automata are bad for specification. In this work, we propose a zone-based
semi-algorithm for language inclusion checking, which implements simulation
reduction based on Anti-Chain and LU-simulation. Though it is not guaranteed
to terminate, we show that it does in many cases through both theoretical and em-
pirical analysis. The semi-algorithm has been incorporated into the PAT model
checker, and applied to multiple systems to show its usefulness and scalability.
1 Introduction
Timed automata, introduced by Alur and Dill in [2], have emerged as one of the most
popular models to specify and analyze real-time systems. It has been shown that the
reachability problem for timed automata is decidable using the construction of region
graphs [2]. Efficient zone-based methods for checking both safety and liveness proper-
ties have later been developed [14,21]. In [2], it has also been shown that timed automata
in general cannot be determinized, and the language inclusion problem is undecidable,
which “is an obstacle in using timed automata as a specification language”.
In order to avoid undecidability, a number of subclasses of timed automata which are
determinizable (and perhaps serve as a good specification language) have been identi-
fied, e.g., event-clock timed automata [3,17], timed automata restricted to at most one
clock [16] and integer resets timed automata [18]. Recently, Baier et al. [4] described a
method for determinizing arbitrary timed automaton, which under a boundedness con-
dition, yields an equivalent deterministic timed automaton in finite time. Furthermore,
they show that the boundedness condition is satisfied by several subclasses of timed au-
tomata which are known to be determinizable. However, the method is based on region
graphs and it is well-known that region graphs are inefficient and lead to state space
explosion. Compared to region graphs, zone graphs are often used in existing tools
for real-time system verification, such as UPPAAL [14] and KRONOS [23]. Zone-based
approaches have also been used to solve problems which are related to the language
 This research is sponsored in part by NSFC Program (No.61103032) of China.
E. ´Abraha´m and K. Havelund (Eds.): TACAS 2014, LNCS 8413, pp. 310–325, 2014.
c© Springer-Verlag Berlin Heidelberg 2014
Are Timed Automata Bad for a Specification Language? 311
inclusion problem, like the universality problem (which asks whether a timed automa-
ton accepts all timed words) for timed automata with one-clock only [1]. However, to
the best of our knowledge, there has not been any zone-based method proposed for
language inclusion checking for arbitrary timed automata.
In this work we develop a zone-based method to solve the language inclusion prob-
lem. Formally, given an implementation timed automaton P and a specification timed
automaton S, the language inclusion problem is to decide whether the language of P
is a subset of that of S. It is known that the problem can be converted to a reachabil-
ity problem on the synchronous product of P and determinization of S [16]. Inspired
by [1,4], the main contribution of this work is that we present a semi-algorithm with a
transformation that determinizes S and constructs the product on-the-fly, where zones
are used as a symbolic representation. Furthermore, simulation relations between the
product states are used, which can be obtained through LU-simulation [5] and Anti-
Chain [22]. With the simulation relations, many product states may be skipped, which
often contributes to the termination of our semi-algorithm.
Our semi-algorithm can be applied to arbitrary timed automata, though it may not ter-
minate sometimes. To argue that timed automata can nonetheless serve as a specification
language, we investigate when our approach is terminating, both theoretically and em-
pirically. Firstly, we prove that, with the clock boundedness condition [4], we are able to
construct a suitable well-quasi-order on the product state space to ensure termination.
It thus implies that our semi-algorithm is always terminating for subclasses of timed
automata which are known to be determinizable. Furthermore, we prove that for some
classes of timed automata which may violate the boundedness condition, our semi-
algorithm is always terminating as long as there is a well-quasi-order on the abstract
state space explored. Secondly, using randomly generated timed automata, we show
that our approach terminates for many timed automata which are not determinizable
(and violating the boundedness condition) because of the simulation reduction. Thirdly,
we collect a set of commonly used patterns for specifying timed properties [8,12] and
show that our approach is always terminating for all of those properties. Lastly, our
semi-algorithm has been implemented in the PAT [19] framework, and applied to a
number of benchmark systems to demonstrate its effectiveness and scalability.
The remainders of the paper is organized as follows. Section 2 reviews the notions of
timed automata. Section 3 shows how to reduce language inclusion checking to a reach-
ability problem, which is then solved using a zone-based approach. Section 4 reports
the experimental results. Section 5 reviews related work. Section 6 concludes.
2 Background
In this section, we review the relevant background and define the language inclusion
problem. We start with defining labeled transition systems (LTS). An LTS is a tuple
L = (S, Init, Σ, T ), where S is a set of states; Init ⊆ S is a set of initial states;
Σ is an alphabet; and T ⊆ S × Σ × S is a labeled transition relation. A run of L is
a finite sequence of alternating states and events 〈s0, e1, s1, e2, · · · , en, sn〉 such that
(si, ei, si+1) ∈ T for all 0 ≤ i ≤ n− 1. We say the run starts with s0 and ends with sn.
A state s′ is reachable from s iff there is a run starting with s and ending with s′. A state
312 T. Wang et al.
is always reachable from itself. A run is rooted if it starts with a state in Init. A state
is reachable if there is a rooted run which ends at the state. Given a state s ∈ S and an
event e ∈ Σ, we write post(s, e,L) to denote {s′|(s, e, s′) ∈ T }. We write post(s,L)
to denote {s′|∃e ∈ Σ · (s, e, s′) ∈ T }, i.e., the set of successors of s.
Let F ⊆ S be a set of target states. Given two states s0 and s1 in S, we say that s0
is simulated by s1 with respect to F if s0 ∈ F implies that s1 ∈ F ; and for any e ∈ Σ,
(s0, e, s
′
0) ∈ T implies there exists (s1, e, s′1) ∈ T such that s′0 is simulated by s′1. In
order to check whether a state in F is reachable, if we know that s is simulated by s′,
then s can be skipped during system exploration if s′ has been explored already. This is
known as simulation reduction [7].
The original definition of timed automata is finite-state timed Bu¨chi automata [2]
equipped with real-valued clock variables and Bu¨chi accepting condition (to enforce
progress). Later, timed safety automata were introduced in [11] which adopt an intu-
itive notion of progress. That is, instead of having accepting states, each state in timed
safety automata is associated with a local timing constraint called a state invariant. An
automaton can stay at a state as long as the valuation of the clocks satisfies the state
invariant. The reader can refer to [9] for the expressiveness of timed safety automata.
In the following, we focus on timed safety automata as they are supported in the state-
of-art model checker UPPAAL [14] and are often used in practice. Hereafter, they are
simply referred to as timed automata.
Let R+ be the set of non-negative real numbers. Given a set of clocks C, we define
Φ(C) as the set of clock constraints. Each clock constraint is inductively defined by:
δ := true|x ∼ n|δ1∧δ2|¬δ1 where ∼∈ {=,≤,≥, <,>};x is a clock in C and n ∈ R+
is a constant. Without loss of generality, we assume that n is an integer constant. The
set of downward constraints obtained with ∼∈ {≤, <} is denoted as Φ≤,<(C). A clock
valuation v for a set of clocksC is a function which assigns a real value to each clock. A
clock constraint can be viewed as the set of clock valuations which satisfy the constraint.
A clock valuation v satisfies a clock constraint δ, written as v ∈ δ, iff δ evaluates to be
true using the clock values given by v. For d ∈ R+, let v+ d denote the clock valuation
v′ s.t. v′(c) = v(c) + d for all c ∈ C. For X ⊆ C, let clock resetting notion [X → 0]v
denote the valuation v′ such that v′(c) = v(c) for all c ∈ C ∧ c /∈ X , and v′(x) = 0 for
all x ∈ X . We write C = 0 to be the clock valuation where each clock c ∈ C reads 0.
Formally, a timed automaton is a tuple A = (S, Init, Σ,C, L, T ) where S is a finite
set of states; Init ⊆ S is a set of initial states; Σ is an alphabet; C is a finite set of
clocks; L : S → Φ≤,<(C) labels each state with an invariant; T ⊆ S × Σ × Φ(C) ×
2C × S is a labeled transition relation. Intuitively, a transition (s, e, δ,X, s′) ∈ T can
be fired if δ is satisfied. After event e occurs, clocks in X are set to zero. The (concrete)
semantics of A is an infinite-state LTS, denoted as C(A) = (Sc, Initc,R+ × Σ, Tc)
such that Sc is a set of configurations of A, each of which is a pair (s, v) where s ∈ S
is a state and v is a clock valuation; Initc = {(s, C = 0)|s ∈ Init} is a set of initial
configurations; and Tc is a set of concrete transitions of the form ((s, v), (d, e), (s′, v′))
such that there exists a transition (s, e, δ,X, s′) ∈ T ; v + d ∈ δ; v + d ∈ L(s);
[X → 0](v + d) = v′; and v′ ∈ L(s′). Intuitively, the system idles for d time units at
state s and then take the transition (generating event e) to reach state s′. An example
timed automaton is shown in Fig. 1(a). The initial state is p0. The automaton has a state
Are Timed Automata Bad for a Specification Language? 313
(c)
s2s3
s0 s1
y>0, a 
x>3, a
x>0, a
{x}
a
{x, y}
x?3, a
{x}  
(b)
p2p3
p0 p1
0<x?3, a 
x>3, a
x>0, a
{x}
a
{x}
x?3, a
{x}  
p2p3
p0
x?3 (a)
p1
a
{x}  
x>0, a 
x>3, a
x>0, a
{x}
a
{x}
{x} {x} {x}
Fig. 1. Timed automata examples
invariant x ≤ 3 on state p3 which implies that if the control is at p3, it must transit to
the next state before the value of clock x is larger than 3.
A timed automaton A is deterministic iff Init contains only one state and for any
two transitions (s0, e0, δ0, X0, s′0) ∈ T and (s1, e1, δ1, X1, s′1) ∈ T , if s0 = s1 and
e0 = e1, then δ0 and δ1 are mutually exclusive. Otherwise, A is non-deterministic. For
instance, The timed automaton in Fig. 1(c) is non-deterministic as the two transitions
from state s2 are both labeled with a and the guards are not mutually exclusive.
Given 〈(s0, v0), (d1, e1), (s1, v1), (d2, e2), · · · (sn, vn)〉 as a run of C(A), we can ob-
tain a timed word: 〈(D1, e1), (D2, e2), · · · , (Dn, en)〉 so that Di =
∑i
j=1 dj for all
1 ≤ i ≤ n. We define the L(A, (s, v)) to be the set of timed words obtained from the
set of all runs starting with (s, v). The language of A, written as L(A), is defined as
the language obtained from any rooted run of A. Two timed automata are equivalent if
they define the same language. In practice, a system model is often composed of sev-
eral automata executing in parallel. We skip the details on parallel composition of timed
automata and remark our approach in this work applies to networks of timed automata.
The language inclusion checking problem is then defined as follows. Given a timed
automaton P and a timed automaton S, how do we check whether L(P) ⊆ L(S)?
In order to simplify the presentation in later sections, we first transform a given
timed automaton to an equivalent one without state invariants, which will not affect our
approach. The idea is to move the state invariants to transition guards. Given a timed
automaton A and a state s with state invariant L(s), we construct a timed automaton A′
with the following two steps. Firstly, if (s, e, δ,X, s′) is a transition from s, change it
to (s, e, δ ∧ L(s), X, s′). Secondly, if (s′, e, δ,X, s) is a transition leading to s, for any
clock constraint of the form x ∼ n where ∼∈ {≤, <} in L(s), if x /∈ X , conjunct δ
with x ∼ n. For instance, given the timed automaton in Fig. 1(a), we construct the timed
automaton in Fig. 1(b). The state invariant x ≤ 3 of state p3 is added to the transition
from p2 to p3 and the transition from p3 to p0. By a simple argument, it can be shown
that L(A) = L(A′). Notice that this transformation is not sound if the language of a
timed automaton is defined differently, e.g., with a non-Zenoness assumption. In the
following, we assume that all timed automata are without state invariants.
3 Language Inclusion Checking
In this section, we present our method on solving the language inclusion checking prob-
lem. We fix P = (Sp, Initp, Σp, Cp, Lp, Tp) and S = (Ss, Inits, Σs, Cs, Ls, Ts) to be
the two timed automata such that Sp and Ss are disjoint as well as Cp and Cs.1
1 The proofs in this section can be found at
http://www.comp.nus.edu.sg/˜pat/refine ta/paper.pdf
314 T. Wang et al.
s0 s1 s2
s3
s1 s2
{z0} {z1, z0} {z2}
{z2}
{z3, z2}
z2>0, a, {z3}
s0
{z4, z2}
{z4}
Level 0 Level 1 Level 2 Level 3 Level 4
s1
s1
z4>0, a, {z5}
{z5, z2}
{z5, z4}
z4>3, a, {z5}
Level 5
s3
{z4}
z0>3, a, {z1} z2>0, a, {z3}
z4>0, a, {z5}
a, {z2}
a, {z4}
z2?3, a, {z4}
Fig. 2. Unfolding a timed automaton into an infinite timed tree
3.1 Unfolding Specification
In our method, we construct on-the-fly an unfolding of S in the form of an infinite timed
tree which is equivalent to S. The idea is adopted from the approach in [4]. Before we
present the formal definition, we illustrate the unfolding using an example. Fig. 2 shows
the infinite timed tree after unfolding the automaton shown in Fig. 1(c). The idea is to
introduce a fresh clock at every level and use the newly introduced clocks to replace
ordinary clocks, i.e., x and y in this example. The benefit of doing this becomes clear
later. At level 0, we are at state s0 and introduce a clock z0. Now since clock x and
clock y are started at the same time as z0 and the clocks will not be reset before the
transition from s0 takes place, we can use z0 to replace x and y in the transition guard
from s0 at level 0 to s1 at level 1. Because at level 0, the reading of clock z0 is relevant
to the future system behavior, we say that z0 is active. In the tree, we label every node
with a pair (s, A) where s is a state and A is a set of active clocks. Notice that not all
clocks are active. For instance, clock z0 and clock z1 are no longer active at level 2.
One transition from the level 0 node leads to the node of level 1, corresponding to the
transition from state s0 to state s1 in Fig. 1(c). The clock constraint x > 3 is rewritten
to z0 > 3 using only active clocks from the source node. A fresh clock z1 is introduced
along the transition. Notice that the node at level 1 is labelled with a set of two active
clocks. z1 is active at state s1 at level 1 since it can be used to replace clock x which
is reset along the transition, whereas z0 is active because it is used to replace clock y
which is not reset along the transition. The set of active clocks of the node at level 2 is
a singleton z2 since both of the clocks x and y are reset along the transition. z0 and z1
are not active as their reading is irrelevant to future transitions from s2. Following the
same construction, we build the tree level by level.
In the following, we define the unfolding of S. Let Z = 〈z0, z1, z2, · · · 〉 be an infinite
sequence of clocks. The unfolding S is an infinite timed tree, which can be viewed
as a timed automaton S∞ = (St∞, Init∞, Σ∞, Z, T∞) with infinitely many states.
Furthermore, we assume that S∞ is associated with function level such that level(n)
is the level of node n in the tree for all n ∈ St∞. A state n in St∞ is in the form of
(s, A) where s ∈ Ss and A is a set of clocks. Given any state n, we define a function
fn : Cs → Z which maps ordinary clocks in Cs to active clocks in Z . In an abuse of
notations, given a clock constraint δ on Cs, we write fn(δ) to denote the clock constraint
obtained by replacing clocks in Cs with those in Z according to fn. Given any state
Are Timed Automata Bad for a Specification Language? 315
n = (s, A), we define A to be {fn(c)|c ∈ Cs}. The initial states Init∞ and transition
relation T∞ are unfolded as follows.
– For any s ∈ Inits, there is a level-0 node n = (s, {z0}) in St∞ with level(n) = 0,
fn(c) = z0 for all c ∈ Cs.
– For each node n = (s, A) at level i and for each transition (s, e, δ,X, s′) ∈
Ts, we add a node n′ = (s′, A′) at level i + 1 such that fn′(c) = fn(c) if
c ∈ Cs \ X , fn′(c) = zi+1 if c ∈ X ; level(n′) = i + 1. We add a transition
(n, e, fn(δ), {zi+1}, n′) to T∞.
Note that transitions at the same level have the same set of resetting clocks, which
contains one clock. Given a node n = (s, A) in the tree, observe that not every clock x
in A is active as the clock may never be used to guard any transition from s. Hereafter,
we assume that inactive clocks are always removed.
3.2 Zone Abstraction for Language Inclusion Checking
It can be shown that S and S∞ are equivalent [4]. Intuitively, S and S∞ have the
same language, thus the language inclusion problem can be converted to the language
inclusion problem between P and S∞. To solve the problem, we have to deal with two
sources of infinity. One is that there are infinitely many clocks and the other is there are
infinitely many clock valuations for each clock. In the following, we tackle the latter
with zone abstraction [14].
In this work, we define a zone (which may or may not be convex) as the maximum
set of clock valuations satisfying a clock constraint. Given a clock constraint δ, let δ↑
denote the zone reached by delaying an arbitrary amount of time. For X ⊆ C, let
[X → 0]δ denote the zone obtained by setting clocks in X to 0; and let δ[X ] denote the
projection of δ on X .
We define an LTS Z∞ = (S, Init, Σ, T ), which is a zone graph generated from the
synchronous product of P and the determinization of S∞. A state in S is an abstract
configuration of the form (sp, Xs, δ) such that sp ∈ Sp; Xs is a set of nodes in S∞ as
defined in Section 3.1; and δ is a clock constraint. Recall that a state of S∞ is of the form
(ss, A) where ss ∈ Ss and A is a set of active clocks. Given a set of states Xs of S∞,
we write Act(Xs) to denote the set of all active clocks, i.e., {c|∃(ss, A) ∈ Xs · c ∈ A}.
δ constraints all clocks in Act(Xs).
The Init of the zone graph is defined as: {(sp, Init∞, (Act(Init∞) = 0)↑)|sp ∈
Initp}. Σ equals to Σp. Next, we define T by showing how to generate successors of a
given abstract configuration (sp, Xs, δ). For every state (ss, A) ∈ Xs, let T∞(e,Xs) be
the set of transitions in T∞ which start with a state in Xs and are labeled with event e.
Notice that the guard conditions of transitions in T∞(e,Xs) may not be mutually exclu-
sive. We define a set of constraintsCons(e,Xs) such that each element in Cons(e,Xs)
is a constraint which conjuncts, for each transition in T∞(e,Xs), either the transition
guard or its negation. Notice that elements in Cons(e,Xs) are by definition mutually
exclusive. Given (sp, Xs, δ) and an outgoing transition (sp, e, gp, Xp, s′p) from sp in P ,
for each g ∈ Cons(e,Xs) we generate a successor (s′p, X ′s, δ′) as follows.
– For any state (ss, A) ∈ Xs and any transition ((ss, A), e, gs, Y, (s′s, A′)) ∈ T∞, if
δ ∧ gp ∧ g ∧ gs is not false, then (s′s, A′) ∈ X ′s.
316 T. Wang et al.
p2, {(s2, {z2})}
0?x=z2
p3, {(s3, {z2}), (s1, {z3, z2})}
0?z3<x=z2 ? x-z3?3 ? z2-z3?3
0<x?3 ? z2>0, a
{z3}
p0, {(s2, {z4}), (s0, {z4, z2})}
0?x=z4<z2 ? z2-x?3 ? z2-z4?3
x?3 ? z2?3, a
{x, z4}
p1, {(s3, {z2}), (s1, {z3, z2})}
0?x=z3<z2
x>0 ? z2>0, a
{x, z3}
{x, z4}
z2>3, a
p2, {(s2, {z4}), (s0, {z4, z2})}
0?x=z4<z2 ? z2-x?3 ? z2-z4?3
z2?3, a
{x, z4}
0<x?3 ? 0<z4?3, a
{z5}
p1, {(s3, {z4}), (s1, {z5, z4})}
0?x=z5<z4 ? z4-x?3 ? z4-z5?3
x>0 ? 0<z4?3, a
{x, z5}
x>0 ? z4>3, a
{x, z5}
p1, {(s3, {z4}), (s1, {z5, z4}), (s1, {z5, z2})}
0?x=z5 ? 3<z4<z2 ? z4-x>3 ? z2-x>3 
? z4-z5>3 ? z2-z5>3 ? z2-z4?3
x>3 ? z4>3, a
{x, z5}
L0
L1
L2
L3
L4
L5
p0, {(s0, {z0})}
0?x=z0
p1, {(s1, {z1, z0})}
(0?x=z1)? z0>3 ? z0-x>3 ? z0-z1>3
x>3 ? z0>3, a {x, z1}
a {x, z2}
?
?
p2, {(s2, {z0})}
0?x=z0
p3, {(s3, {z0}), (s1, {z1, z0})}
0?z1<x=z0 ? x-z1?3 ? z0-z1?3
0<x?3 ? z0>0, a
{z1}
p0, {(s2, {z1}), (s0, {z1, z0})}
0?x=z1<z0
x?3 ? z0?3, a
{x, z1}
p1, {(s3, {z0}), (s1, {z1, z0})}
0?x=z1<z0
x>0 ? z0>0, a
{x, z1}
p1, {(s3, {z1}), (s1, {z2, z1}), (s1, {z2, z0})}
0?x=z2<z1 ? 3<z1<z0 ? z1-x>3 ? z1-z2>3
x>3 ? z1>3, a
{x, z2}
p0, {(s0, {z0})}
0?x=z0
p1, {(s1, {z1, z0})}
0?x=z1<z0
x>3 ? z0>3, a {x, z1}
a {x, z0}
(a) (b)
Fig. 3. Zone graphs: (a) Z∞ and (b) ZLUr
– All states in Xs are at the same level and thus all transitions in T∞(e,Xs) have the
same resetting clock. Let Y be that clock and δ′ = ([Y ∪Xp → 0](δ ∧ g ∧ gp))↑.
– The transition from (sp, Xs, δ) to (s′p, X ′s, δ′) is labeled with the tuple (e, gp ∧
g,Xp ∪ Y ).
We illustrate the above using the example in Fig. 3(a). Given the abstract config-
uration in level 4, which is (p2, {(s2, {z4}), (s0, {z4, z2})}, 0 ≤ x = z4 < z2 ∧
z2 − x ≤ 3 ∧ z2 − z4 ≤ 3). As shown in Fig. 2, there are two transitions from
state (s2, {z4}) which are labeled with event a and one from state (s0, {z4, z2}), which
makes up Ts(a, {(s2, {z4}), (s0, {z4, z2})}). The two transitions from (s2, {z4}) have
the same guard z4 > 0 and the one from (s0, {z4, z2}) has the guard z4 > 3. The set
Cons(e,Xs) contains the following constraints: z4 > 0 ∧ z4 > 3, z4 ≤ 0 ∧ z4 > 3,
z4 > 0 ∧ z4 ≤ 3, and z4 ≤ 0 ∧ z4 ≤ 3. Taking the transition form p2 to p1 as an
example, we generate four potential successors for each of constraints in Cons(e,Xs),
as shown above. Two of them are infeasible as the resultant constraints are false. The
rest two are shown in Fig. 3(a) (the first two from left at level 5). Since z2 is no longer
active for the second successor, the clock constraint of the second successor is modified
to 0 ≤ x = z5 < z4 ∧ z4 − x ≤ 3 ∧ z4 − z5 ≤ 3 so as to remove constraints on z2.
Similarly, we can generate other configurations in Fig. 3(a).
In the following, we reduce the language inclusion checking problem to a reach-
ability problem in Z∞. Notice that one of constraints in Cons(e,Xs) conjuncts the
negations of all guards of transitions in T∞(e,Xs). Let us denote the constraint as neg.
For instance, given the same abstract state in the middle of level 4 in Fig. 3(a), the
constraint neg in Cons(e,Xs) is: z4 ≤ 0 ∧ z4 ≤ 3, which is equivalent to z4 ≤ 0.
Conjuncted with the guard condition x > 0 and the initial constraint 0 ≤ x = z4 <
z2 ∧ z2 − x ≤ 3 ∧ z2 − z4 ≤ 3, it becomes false and hence no successor is generated
for neg. Given neg, assume the corresponding successor is (s′p, X ′s, δ′). It is easy to see
Are Timed Automata Bad for a Specification Language? 317
that X ′s is empty. If δ′ is not false, intuitively there exists a time point such that P can
perform e whereas S cannot, which implies language inclusion is not true. Thus, we
have the following theorem.
Theorem 1. L(P) ⊆ L(S) iff there is no reachable state (sp, ∅, δ) in Z∞. 
Theorem 1 therefore reduces our language inclusion problem to a reachability problem
on Z∞. If a state in the form of (sp, ∅, δ) is reachable, then we can conclude that the
language inclusion is false. The remaining problem is that there may be infinitely many
clocks. In the following, we show how to reduce the number of clocks, which is inspired
by [4]. Intuitively, given any abstract state (sp, Xs, δ) in the zone graph Z∞, instead of
always using a new clock in Z , we can reuse a clock which is not currently active, or
equivalently not in Act(Xs). For instance, given the state on level 1 in Fig. 3(a), there
are two active clocks z0 and z1. For the successor of this state on level 2, instead of
using z2, we can reuse z0 and systematically rename z2 to z0 afterwards. The result of
renaming is shown partially in Fig. 3(b) (notice that some zones in Fig. 3(b) are different
from the ones in Fig. 3(a) and some states have been removed, because of simulation
reduction shown next). We denote the zone graph after renaming as Zr. We also denote
the successors of an abstract state ps in Zr as post(ps,Zr). By a simple argument, it
can be shown that there is a reachable state (sp, ∅, δ) in Z∞ iff there is a reachable state
(s′p, ∅, δ′) in Zr.
3.3 Simulation Reduction
We have so far reduced the language inclusion checking problem to a reachability prob-
lem in the potentially infinite-state LTS Zr. Next, we reduce the size of Zr by exploring
simulation relation between states in Zr. We first extend the lower-upper bounds (here-
after LU-bounds) simulation relation defined in [5] to language inclusion checking.
We define two functions L and U . Given a state s in Zr and a clock x ∈ Cp ∪
Z , we perform a depth-first-search to collect all transitions reachable from s without
going through a transition which resets x. Next, we set L(s, x) (resp. U(s, x)) to be the
maximal constant k such that there exists a constraint x > k or x ≥ k (resp. x < k or
x ≤ k) in a guard of those transitions. If such a constant does not exist, we set L(s, x)
(resp. U(s, x)) to −∞. We remark that L(s, x) is always the same as U(s, x) for a clock
in Z because both guard conditions and their negations are used in constructingZr. For
instance, if we denote the state at level 0 in Fig. 3(b) as s0, which can be seen as the
initial state in Zr, the function L is then defined such that L(s0, x) = 3, L(s0, z0) = 3.
Next, we define a relation between two zones using the LU-bounds and show that
the relation constitutes a simulation relation. Given two clock valuations v and v′ at a
state s and the two functions L and U , we write v LU v′ if for each clock c, either
v′(c) = v(c) or L(s, c) < v′(c) < v(c) or U(s, c) < v(c) < v′(c). Next, given two
zones δ1 and δ2, we write δ1 LU δ2 to denote that for all v1 ∈ δ1, there is a v2 ∈ δ2
such that v1 LU v2. The following shows that LU constitutes a simulation relation.
Lemma 1. Let (s,X, δi) where i ∈ {0, 1} be two states of Zr and F be the set of states
{(s′, ∅, δ′)} in Zr. (s,X, δ1) simulates (s,X, δ0) w.r.t. F if δ0 LU δ1. unionsq
318 T. Wang et al.
With the above lemma, given an abstract state (s,X, δ) of Zr, we can enlarge the time
constraint δ so as to include all clock valuations which are simulated by some valuations
in δ without changing the result of reachability analysis. In the following, we write
LU(δ) to denote the set {v|∃v′ ∈ δ · v LU v′}2. We construct an LTS, denoted
as ZLUr which replaces each state (s,X, δ) in Zr with (s,X, LU(δ)). We denote the
successors of a state ps in ZLUr as post(ps,ZLUr ). By a simple argument, we can show
that there is a reachable state (s, ∅, δ) in Zr iff there is a reachable state (s′, ∅, δ′) in
ZLUr . For instance, given the Zr after renaming Z∞ shown in Fig. 3(a), Fig. 3(b) shows
the corresponding ZLUr .
Next, we incorporate another simulation relation in our work which is inspired by
the Anti-Chain algorithm [22]. The idea is that given two abstract states (s,X, δ) and
(s′, X ′, δ′) of ZLUr , we can infer a simulation relation by comparing X and X ′. One
problem is that states in X and X ′ may have different sets of active clocks. The exact
names of the clocks however do not matter semantically. In order to compare X and
X ′ (and compare δ and δ′), we define clock mappings. A mapping from Act(X ′) to
Act(X) is a injection function f : Act(X ′) → Act(X) which maps every clock in
Act(X ′) to one in Act(X). We write X ′ ⊆f X if there exists a mapping f such that
for all (s′s, A′) ∈ X ′, there exists (ss, A) ∈ X such that ss = s′s and for all x ∈ A′,
f(x) ∈ A. Notice that there might be clocks in Act(X) which are not mapped to. We
write range(f) to denote the set of clocks which are mapped to in Act(X). With an
abuse of notations, given a constraint δ′ constituted by clocks in Act(X ′), we write
f(δ′) to denote the constraint obtained by renaming the clocks accordingly to f . We
write δ ⊆f δ′ if δ[range(f)] ⊆ f(δ′), i.e., the clock valuations which satisfy the
constraint δ[range(f)] (obtained by projecting δ onto clocks in Act(X ′)) satisfy δ′
after clock renaming. Next, we define a relation between two abstract configurations.
We write (s,X, δ)  (s′, X ′, δ′) iff the following are satisfied: s = s′ and there exists
a mapping f such that X ′ ⊆f X and δ ⊆f δ′. The next lemma establishes that  is a
simulation relation.
Lemma 2. Let (s,X, δ) and (s′, X ′, δ′) be states in ZLUr . Let F = {(s, ∅, δ0)} be the
set of target states. (s′, X ′, δ′) simulates (s,X, δ) w.r.t. F if (s,X, δ)  (s′, X ′, δ′). 
For example, let ps0 denote the state at level 1 in Fig. 3(a). Let ps1 denote the bold-
lined state at level 1 and ps2 denote the one at level 5 in Fig. 3(b). With the LU simu-
lation relation, ps0 can be replaced by ps1. A renaming function f can be defined from
clocks in ps1 to clocks in ps2, i.e., f(z0) = z1 and f(z1) = z2. After renaming, ps1
becomes (p1, {(s1, {z2, z1})}, 0 ≤ x = z2 < z1). Therefore, ps2  ps1 and hence we
do not need to explore from ps2. Similarly, we do not need to explore from the bold-
lined state at level 3 in Fig. 3(b), namely ps3. Notice that without the LU simulation
reduction ps3  ps1 cannot hold, and the successors of ps3 must be explored.
3.4 Algorithm
In the following, we present our semi-algorithm. Let ZLUr be the tuple (S, Init, Σ, T )
where Init is a set (initp, Inits, LU((Cp = 0 ∧ z0 = 0)↑)). Algorithm 1 constructs
2 Notice that we may not be able to represent this set as a convex time constraint [5].
Are Timed Automata Bad for a Specification Language? 319
Algorithm 1. Language inclusion checking
1: let working := Init;
2: let done := ∅;
3: while working = ∅ do
4: remove ps = (sp, Xs, δ) from working;
5: add ps into done and remove all ps′ ∈ done s.t. ps′  ps;
6: for all (s′p, X ′s, δ′) ∈ post(ps,ZLUr ) do
7: if X ′s = ∅ then
8: return false;
9: end if
10: if  ps′ ∈ done such that (s′p, X ′s, δ′)  ps′ then
11: put (s′p, X ′s, δ′) into working;
12: end if
13: end for
14: end while
15: return true;
ZLUr on-the-fly while performing reachability analysis with simulation reduction. It
maintains two data structures. One is a set working which stores states in S which are
yet to be explored. The other is a set done which contains states which have already
been explored. Initially, working is set to be Init and done is empty. During the loop
from line 3 to line 14, each time a state is removed from working and added to done.
Notice that in order to keep done small, whenever a state ps is added into done, all
states which are simulated by ps are removed. We generate successors of ps at line 6.
For each successor, if it is a target state, we return false at line 8. If it is simulated by
a state in done, it is ignored. Otherwise, it is added into working so that it will be
explored later. Lastly, we return true at line 15 after exploring all states. We remark that
done is an Anti-Chain [22] as any pair of states in done is incomparable. The following
theorem states that the semi-algorithm always produces correct results.
Theorem 2. Algorithm 1 returns true iff L(P) ⊆ L(S). 
Next, we establish sufficient conditions for the termination of semi-algorithm with the
theorems of well quasi-order (WQO [15]). A quasi-order (QO) on a set A is a pair
(A,) where  is a reflective and transitive binary relation in A × A. A QO is a
WQO if for each infinite sequence 〈a0, a1, a2, . . .〉 composed of the elements in A,
there exists i < j such that aj  ai. Therefore if a WQO can be found among states
in ZLUr with the simulation relation , our semi-algorithm terminates, as stated in the
following theorem.
Theorem 3. Let S be the set of states of ZLUr . If (S,) is a WQO, Algorithm 1 is
terminating. 
The above theorem implies that our semi-algorithm always terminates given the subclass
of timed automata satisfying the clock boundedness condition [4], including strongly
non-Zeno timed automata, event-clock timed automata and timed automata with integer
resets. That is, if the boundedness condition is satisfied, ZLUr has a bounded number
320 T. Wang et al.
of clocks and if the number of clocks are bounded, obviously the set S is finite (with
maximum ceiling zone normalization). Since (S,=) is aWQO ifS is finite by a property
ofWQO, and ‘=’ implies ‘’, (S,) is also a WQO for this special case. Furthermore,
the theorem also shows that the semi-algorithm is terminating for all single-clock timed
automata, as a WQO has been shown in [1], which may not satisfy the boundedness
condition.
4 Evaluation
Our method has been implemented with 46K lines of C# code and integrated into the
PAT model checker [19]3. We remark that in our setting, a zone may not be convex
(for instance, due to negation used in constructing Zr) and thus cannot be represented
as a single difference bound matrix (DBM). Rather it can be represented either as a
difference bound logic formula, as shown in [3], or as a set of DBMs. In this work, the
latter approach is adopted for the efficiency reason. In the following, we evaluate our
approach in order to answer three research questions. All experiment data are obtained
using a PC with Intel(R) Core(TM) i7-2600 CPU at 3.40 GHz and 8.0 GB RAM.
The first question is: are timed automata good to specify commonly used timed
properties? That is, if timed automata are used to model the properties, will our semi-
algorithm terminate? In [8,12], the authors summarized a set of commonly used patterns
for real-time properties. Some of the patterns are shown below where a, b, c are events;
x is a clock and h denotes all the other events. Most of the patterns are self-explanatory
and therefore we refer to the readers to [8,12] for details. We remark that although the
patterns below are all single-clock timed automata, a specification may be the parallel
composition of multiple patterns and hence have multiple clocks. Observe that all timed
automata below are deterministic except (g). A simple investigation shows that (g) sat-
isfies the clock boundedness condition and hence our semi-algorithm terminates for all
the properties below.
h
b
s0 s1
a
(d) response
{x}
b
x ? k
(a) absence
s0
x > k  
ax ? k 
h x > k 
h
s0
x > k  
ax ? k 
a x > k 
h
(b) universality
s0 s1
x ? k 
ax ? k 
h
h
a(c) existence
s0 s1
a
h
(e) precedence-1
{x}
b
h
ax > k
s0 s1
a
h
(f) precedence-2
{x}
b
h
a
{x}
x ? k s0 s1
(h) occurrence times
x ? k  
h
s3s2
h
a
x ? kx ? kx ? k
x ? k  
h
x ? k  
h
a a a
(g) chains
s0 s1
x ? k
h
x ? k  
b
x ? k  
a
x ? k
c
s3s2
x ? k
h a
bc
x ? kx ? k
a b c
The second question is: is the semi-algorithm useful in practice? That is, given a
real-world system, is it scalable? In the following, we model and verify benchmark
3 PAT and the experiment details can be found at
http://www.comp.nus.edu.sg/˜pat/refine ta
Are Timed Automata Bad for a Specification Language? 321
Table 1. Experiments on Language Inclusion Checking for Timed Systems
System |Cs| Det  +LU LU 
stored total time stored total time stored total time
Fischer*8 1 Yes 91563 224208 28.3 138657 300384 516.7 - - -
Fischer*6 6 No 38603 78332 537.0 - - - - - -
Fischer*6 2 No 27393 58531 6.8 36218 70348 30.3 - - -
Fischer*7 2 No 121782 271895 42.9 159631 326772 661.7 - - -
Railway*8 1 Yes 796154 1124950 142.1 - - - - - -
Railway*6 6 No 23265 33427 7.2 27903 39638 20.4 - - -
Railway*7 7 No 180034 260199 66.7 222806 318698 1352.8 - - -
Lynch*5 1 Yes 3852 11725 0.6 16193 48165 6.0 45488 421582 377.2
Lynch*7 1 Yes 79531 400105 34.9 - - - - - -
Lynch*5 2 No 8091 29686 2.4 63623 208607 151.3 56135 324899 290.1
Lynch*6 2 No 35407 162923 16.7 477930 1828668 5751.1 - - -
FDDI*7 7 Yes 1198 1590 7.4 8064 9592 36.4 8452 11836 125.5
CSMA*7 1 Yes 9840 36255 4.5 - - - - - -
timed systems using our semi-algorithm and evaluate its performance. The benchmark
systems include Fischer’s mutual exclusion protocol (Fischer for short, similarly here-
inafter), Lynch-Shavit’s mutual exclusion protocol (Lynch), railway control system
(Railway), fiber distributed data interface (FDDI), and CSMA/CD protocol (CSMA).
The results are shown in Table 1. The systems are all built as networks of timed au-
tomata, and the number of processes is shown in column ‘System’. The verified prop-
erties are requirements on the systems specified using the timed patterns. Some of the
properties contain one timed automaton with one clock, while the rest are networks of
timed automata with more than one clock (one clock for each timed automaton). In
the table, column ‘|Cs|’ is the number of clocks (processes) in the specification. The
systems in the same group, e.g., Fischer*6 and Fischer*7 both with |Cs| = 2, have
the same specification. Notice that the number of processes in a system and the one
in the specification can be different because we can ‘hide’ events in the systems and
use h in the specifications as shown in the patterns. Column ‘Det’ shows whether the
specification is deterministic or not. The results of our semi-algorithm are shown in
column ‘ +LU ’. In order to show the effectiveness of simulation reduction, we show
the results without  reduction in column LU and the results without LU -reduction
in column . For each algorithm, column ‘stored’ denotes the number of stored states;
column ‘total’ denotes the total number of generated states; column ‘time’ denotes the
verification time in seconds. Symbol ‘-’ means either the verification time is more than
2 hours or out-of-memory exception happens. Notice that our semi-algorithm termi-
nates in all cases and all verification results are true. Comparing stored and total, we
can see that many states are skipped due to simulation reduction. From the verification
time we can see that both simulation relations are helpful in reducing the state space.
To the best of our knowledge, there is no existing tool supporting language inclusion
checking of these models.
322 T. Wang et al.
Table 2. Experiments on Random Timed Automata
|S| |C| Dt = 0.6 Dt = 0.8 Dt = 1.0 Dt = 1.1 Dt = 1.3
4 1 1.00\0.99\0.98 0.99\0.93\0.74 0.99\0.82\0.59 0.99\0.63\0.39 0.89\0.18\0.09
4 2 0.99\0.98\0.94 0.98\0.87\0.68 0.94\0.72\0.51 0.85\0.49\0.33 0.45\0.12\0.06
4 3 0.99\0.98\0.93 0.95\0.82\0.65 0.89\0.67\0.52 0.75\0.42\0.28 0.31\0.10\0.06
6 1 1.00\0.99\0.98 0.99\0.97\0.90 0.99\0.61\0.41 0.97\0.43\0.29 0.83\0.13\0.08
6 2 0.99\0.99\0.98 0.99\0.96\0.88 0.88\0.49\0.32 0.79\0.34\0.22 0.44\0.09\0.05
6 3 0.99\0.99\0.98 0.99\0.94\0.85 0.78\0.44\0.29 0.69\0.31\0.21 0.34\0.11\0.07
8 1 1.00\0.99\0.99 0.99\0.92\0.83 0.96\0.53\0.40 0.94\0.37\0.31 0.55\0.08\0.07
8 2 0.99\0.99\0.99 0.99\0.91\0.84 0.84\0.48\0.37 0.73\0.32\0.25 0.25\0.10\0.09
8 3 0.99\0.99\0.99 0.98\0.91\0.83 0.78\0.47\0.38 0.70\0.40\0.32 0.20\0.08\0.07
The last question is: how good are timed automata as a specification language? We
consider a timed automaton specification is ‘good’ if given an implementation model,
our semi-algorithm answers conclusively on the language inclusion problem. To answer
this question, we extend the approach on generating non-deterministic finite automata
in [20] to automatically generate random timed automata, and then apply our semi-
algorithm for language inclusion checking. Without loss of generality, a generated timed
automaton has always one initial state and the alphabet is {0, 1}. In addition, the follow-
ing parameters are used to control the random generation process: the number of state
|S|, the number of clocks |C|, a parameter Dt for transition density and a clock ceiling.
For each event in the alphabet, we generate k transitions (and hence the transition den-
sity for the event is Dt = k/|S|) and distribute the transitions randomly among all |S|
states. For each transition, the clock constraint and the resetting clocks are generated
randomly according to the clock ceiling. We remark that if both implementation and
specification models are generated randomly, language inclusion almost always fails.
Thus, in order to have cases where language inclusion does hold, we generate a group
of implementation specification pairs by generating an implementation first, and then
adding transitions to the implementation to get the specification.
The experimental results are shown in Table 24. For each different combinations of
|S|, |C| and Dt, we compute three numbers shown in the form of a \ b \ c. a is the per-
centage of cases in which our semi-algorithm terminates; c is the percentage of the cases
satisfying the boundedness condition (and therefore being determinizable [4]). The gap
between a and c thus shows the effectiveness of our approach on timed automata which
may be non-determinizable. In order to show the effectiveness of simulation reduction,
b is the percentage of cases in which our semi-algorithm terminates without simulation
reduction (and with maximum ceiling zone normalization). We generate 1000 random
pairs to calculate each number. In all cases a > b and b > c, e.g., a is much larger than
4 Notice that there are cases where there is only one clock in the specification and yet our semi-
algorithm is not terminating. This is because of using a set of DBMs to represent zones. That
is, because there is no efficient procedure to check whether a zone z is a subset of another
(which is represented as the union of multiple DBMs), the LU-simulation that we discover is
partial and we may unnecessarily explore more states, infinitely more in some cases.
Are Timed Automata Bad for a Specification Language? 323
b and c when Dt ≥ 1.0. This result implies that our semi-algorithm terminates even if
the specification may not be ‘determinizable’, which we credit to simulation reduction
and the fact that the semi-algorithm is on-the-fly (so that language inclusion checking
can be done without complete determinization). When transition density increases, the
gap between a and b increases (e.g., when Dt ≥ 1.0, b is always much smaller that
a), which evidences the effectiveness of our simulation reduction. In general, the lower
the density is, the more likely it is that the semi-algorithm terminates. We calculate the
transition density of the timed property patterns and the benchmark systems. We find
that all the events have transition densities less than or equal to 1.0 except the absence
pattern. Based on the results presented in Table 2, we conclude that in practice, our
semi-algorithm has a high probability of terminating. This perhaps supports the view
that timed automata could serve as a good specification language.
5 Related Work
The work in [2] is the first study on the language inclusion checking problem for
timed automata. The work shows that timed automata are not closed under complement,
which is an obstacle in automatically comparing the languages of two timed automata.
Naturally, this conclusion leads to work on identifying determinizable subclasses of
timed automata, with reduced expressiveness. Several subclasses of timed automata
have been identified, i.e., event-clock timed automata [3,17], timed automata with inte-
ger resets [18] or with one clock [16] and strongly non-Zeno timed automata [4].
Our work is inspired by the work in [4] which presents an approach for deciding
when a timed automaton is determinizable. The idea is to check whether the timed
automaton satisfies a clock boundedness condition. The authors show that the condi-
tion is satisfied by event-clock timed automata, timed automata with integer resets and
strongly non-Zeno timed automata. Using region construction, it is shown in [4] that an
equivalent deterministic timed automaton can be constructed if the given timed automa-
ton satisfies the boundedness condition. The work is closely related to [1], in which the
authors proposed a zone-based approach for determinizing timed automata with one
clock. Our work combines [1,4] and extends them with simulation reduction so as to
provide an approach which could be useful for arbitrary timed automata in practice.
In addition, a game-based approach for determinizing timed automata has been pro-
posed in [6,13]. This approach produces an equivalent deterministic timed automaton
or a deterministic over-approximation, which allows one to enlarge the set of timed
automata that can be automatically determinized compared to the one in [4]. In com-
parison, our approach could determinize timed automata which fail the boundedness
condition in [4], and can cover the examples shown in [6]. The work is remotely re-
lated to work in [10]. In particular, it has been shown that under digitization with the
definition of weakly monotonic timed words, whether the language of a closed timed
automaton is included in the language of an open timed automaton is decidable [10].
6 Conclusion
In summary, the contributions of this work are threefold. First, we develop a zone-based
approach for language inclusion checking of timed automata, which is further combined
324 T. Wang et al.
with simulation reduction for better performance. Second, we investigate, both theoret-
ical and empirically, when the semi-algorithm is terminating. Lastly, we implement the
semi-algorithm in the PAT framework and apply it to benchmark systems. As far as
the authors know, our implementation is the first tool which supports using arbitrary
timed automata as a specification language. More importantly, with the proposed semi-
algorithm and the empirical results, we would like to argue that timed automata do serve
a specification language in practice. As for the future work, we would like to investigate
the language inclusion checking problem with the assumption of non-Zenoness.
References
1. Abdulla, P.A., Ouaknine, J., Quaas, K., Worrell, J.B.: Zone-Based Universality Analysis
for Single-Clock Timed Automata. In: Arbab, F., Sirjani, M. (eds.) FSEN 2007. LNCS,
vol. 4767, pp. 98–112. Springer, Heidelberg (2007)
2. Alur, R., Dill, D.L.: A Theory of Timed Automata. Theory of Computer Science 126(2),
183–235 (1994)
3. Alur, R., Fix, L., Henzinger, T.A.: Event-clock Automata: A Determinizable Class of Timed
Automata. Theoretical Computer Science 211, 253–273 (1999)
4. Baier, C., Bertrand, N., Bouyer, P., Brihaye, T.: When Are Timed Automata Determiniz-
able? In: Albers, S., Marchetti-Spaccamela, A., Matias, Y., Nikoletseas, S., Thomas, W. (eds.)
ICALP 2009, Part II. LNCS, vol. 5556, pp. 43–54. Springer, Heidelberg (2009)
5. Behrmann, G., Bouyer, P., Larsen, K.G., Pela´nek, R.: Lower and Upper Bounds in Zone-
based Abstractions of Timed Automata. International Journal on Software Tools for Tech-
nology Transfer 8(3), 204–215 (2004)
6. Bertrand, N., Stainer, A., Je´ron, T., Krichen, M.: A Game Approach to Determinize Timed
Automata. In: Hofmann, M. (ed.) FOSSACS 2011. LNCS, vol. 6604, pp. 245–259. Springer,
Heidelberg (2011)
7. Dill, D.L., Hu, A.J., Wong-Toi, H.: Checking for Language Inclusion Using Simulation Pre-
orders. In: Larsen, K.G., Skou, A. (eds.) CAV 1991. LNCS, vol. 575, pp. 255–265. Springer,
Heidelberg (1992)
8. Gruhn, V., Laue, R.: Patterns for Timed Property Specifications. Electronic Notes in Theo-
retical Computer Science 153(2), 117–133 (2006)
9. Henzinger, T.A., Kopke, P.W., Wong-Toi, H.: The Expressive Power of Clocks. In: Fu¨lo¨p, Z.
(ed.) ICALP 1995. LNCS, vol. 944, pp. 417–428. Springer, Heidelberg (1995)
10. Henzinger, T.A., Manna, Z., Pnueli, A.: What Good are Digital Clocks? In: Kuich, W. (ed.)
ICALP 1992. LNCS, vol. 623, pp. 545–558. Springer, Heidelberg (1992)
11. Henzinger, T.A., Nicollin, X., Sifakis, J., Yovine, S.: Symbolic Model Checking for Real-
time Systems. Journal of Information and Computation 111(2), 193–244 (1994)
12. Konrad, S., Cheng, B.H.C.: Real-time Specification Patterns. In: ICSE, pp. 372–381 (2005)
13. Krichen, M., Tripakis, S.: Conformance Testing for Real-Time Systems. Formal Methods in
System Design 34(3), 238–304 (2009)
14. Larsen, K.G., Petterson, P., Wang, Y.: UPPAAL in a Nutshell. Journal on Software Tools for
Technology Transfer 1(1-2), 134–152 (1997)
15. Marcone, A.: Foundations of BQO Theory. Transactions of the American Mathematical So-
ciety 345(2), 641–660 (1994)
16. Ouaknine, J., Worrell, J.: On The Language Inclusion Problem for Timed Automata: Closing
a Decidability Gap. In: LICS, pp. 54–63 (2004)
17. Raskin, J., Schobbens, P.: The Logic of Event Clocks - Decidability, Complexity and Expres-
siveness. Journal of Automata, Languages, and Combinatories 4(3), 247–286 (1999)
Are Timed Automata Bad for a Specification Language? 325
18. Suman, P.V., Pandya, P.K., Krishna, S.N., Manasa, L.: Timed Automata with Integer Resets:
Language Inclusion and Expressiveness. In: Cassez, F., Jard, C. (eds.) FORMATS 2008.
LNCS, vol. 5215, pp. 78–92. Springer, Heidelberg (2008)
19. Sun, J., Liu, Y., Dong, J.S., Pang, J.: PAT: Towards flexible verification under fairness. In:
Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 709–714. Springer, Heidel-
berg (2009)
20. Tabakov, D., Vardi, M.Y.: Experimental Evaluation of Classical Automata Constructions.
In: Sutcliffe, G., Voronkov, A. (eds.) LPAR 2005. LNCS (LNAI), vol. 3835, pp. 396–411.
Springer, Heidelberg (2005)
21. Tripakis, S.: Verifying progress in timed systems. In: Katoen, J.-P. (ed.) ARTS 1999. LNCS,
vol. 1601, pp. 299–314. Springer, Heidelberg (1999)
22. De Wulf, M., Doyen, L., Henzinger, T.A., Raskin, J.-F.: Antichains: A New Algorithm for
Checking Universality of Finite Automata. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS,
vol. 4144, pp. 17–30. Springer, Heidelberg (2006)
23. Yovine, S.: Kronos: a Verification Tool for Real-time Systems. Journal on Software Tools for
Technology Transfer 1(1-2), 123–133 (1997)
