Dynamic Clock Elimination in Parametric Timed Automata
Étienne André
Université Paris 13, Sorbonne Paris Cité, LIPN, CNRS, UMR 7030
93430 Villetaneuse, France
Etienne.Andre@univ-paris13.fr
Abstract
The formalism of parametric timed automata provides designers with a formal way to specify
and verify real-time concurrent systems where timing requirements are unknown (or parameters).
Such models are usually subject to the state space explosion. A popular way to partially reduce
the size of the state space is to reduce the number of clock variables. In this work, we present a
technique for dynamically eliminating clocks. Experiments using Imitator show a diminution
of the number of states and of the computation time, and in some cases allow termination of
the analysis of models that could not terminate otherwise. More surprisingly, even when the
number of clocks remains constant, there is little noticeable overhead in applying the proposed
clock elimination.
1998 ACM Subject Classification D.4.7 Real-time systems and embedded systems
Keywords and phrases Verification, Real-time systems, Parameter synthesis, State space reduction, Inverse Method
Digital Object Identifier 10.4230/OASIcs.FSFMA.2013.18
1 Introduction
Ensuring the correctness of critical real-time systems, involving concurrent behaviors and
timing requirements, is crucial. Formal verification methods may not always be able to verify
full size systems, but they provide designers with an important help during the design phase,
in order to detect otherwise costly errors. Timed automata (TA) are an extension of finite
state automata with clocks, i.e., real-valued variables that are compared with constants in
guards and invariants, and may be reset along transitions. TA have been extensively used in
the past decades, and led to useful and efficient implementations.
Parameter synthesis for real-time systems is a set of techniques aiming at synthesizing
dense sets of valuations for the timing requirements of a system. It consists in considering the
delays as unknown constants, or parameters, and synthesizing constraints on these parameters
guaranteeing the system correctness. Parameterizing TA gives parametric timed automata
(PTA) [4].
A fundamental problem in the exploration of the reachability space in PTA is to compact
as much as possible the generated space of symbolic states. We propose here a state space
reduction based on clock elimination.
(Published in: 1st French Singaporean Workshop on Formal Methods and Applications 2013 (FSFMA’13), editors Christine Choppy and Jun Sun, pp. 18–31, OpenAccess Series in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany. © Étienne André; licensed under Creative Commons License CC-BY.)
Related Work
It is well known that the fewer clocks, the more efficient real-time model checking is [11].
Furthermore, a smaller number of clocks may imply a more compact state space: when
constraints are represented using arrays and matrices, the fewer clocks, the smaller the
constraints are, the more compact the state space is. Formalisms such as (parametric) timed
Petri nets [24] or stateful timed CSP [22] have the advantage to dynamically create and
discard clocks (or firing times in Petri nets). Hence, clocks only appear in symbolic states
when they are actually useful. In contrast, in (parametric) timed automata, according to
their standard semantics, clocks must be present in all states.
Still, several works have been proposed to reduce the state space based on the clocks. A
well known approach in timed automata is to abstract the value of the clocks as soon as
they become larger than the system’s largest constant. This technique is implemented in
most tools for TA such as UPPAAL [19]; unfortunately, this approach does not apply to
PTA, where the constants are replaced with parameters. In [15], two methods are proposed
to reduce the number of clocks: (1) the detection of active clocks (the other clocks can
be safely eliminated) and (2) the detection of clocks equal to each other (in which case
only one such clock can be kept). It is shown that the resulting automaton is bisimilar to
the original one, and experiments show large state space reductions. Our work is close to
the first method, but extended to the parametric case. Furthermore, the constraints are
implemented in [15] in the form of difference bound matrices, where adding and removing
clocks is straightforward. In contrast, we use polyhedra where such operations are much
more costly; however, experiments show that the overhead in the worst case is still very
limited in our setting. Finally, our original motivation was to ensure termination of some
systems, which is not necessary in the non-parametric setting since most algorithms rely on
symbolic state space partitions guaranteeing termination.
More recently, an approach has been proposed in [10] to avoid the use of global clocks in
networks of timed automata, to be analyzed in a distributed setting. Although that approach
does not reduce the number of clocks (in contrast to ours), it simplifies the model since less
synchronization is needed between the different TA in parallel.
Finally, our work is partially inspired by the parametric extension of stateful timed CSP
(PSTCSP) [7]. In PSTCSP, clocks are dynamically created, and discarded when no longer
used. Whereas this clock elimination natively belongs to the semantics of PSTCSP, and
hence does not require any additional computation, we have to propose algorithms to be
able to dynamically eliminate clocks in PTA.
Contribution
We introduce here a technique to eliminate clocks on-the-fly, when it is guaranteed that they
will not be read in guards and invariants until their next reset. Our approach is based on
a static computation of the location where clocks can be safely eliminated, as well as on a
dynamic elimination of these clocks during the analysis.
We implemented our approach in Imitator [5], a tool for the synthesis of timing
parameters in which operations on constraints rely on the Parma Polyhedra Library [9].
Experiments show a diminution of the number of states and of the computation time, and in
some cases allow termination of the analysis of models that could not terminate otherwise.
Surprisingly, even when the number of clocks (and hence of states) remains constant, the
computation time does not increase, i.e., there is little noticeable overhead in applying the
proposed clock elimination.
Outline
We recall preliminaries in Section 2. We define and characterize our dynamic clock elimination
technique in Section 3. We present experiments using Imitator in Section 4 and conclude
in Section 5.
2 Preliminaries
We denote by N, Q+ and R+ the sets of non-negative integers, non-negative rational and
non-negative real numbers, respectively.
2.1 Clocks, Parameters and Constraints
Throughout this paper, we assume a fixed set $X = \{x_1, \dots, x_H\}$ of clocks. A clock is a variable $x_i$ with value in $\mathbb{R}_+$. All clocks evolve linearly at the same rate. A clock valuation is a function $w : X \to \mathbb{R}_+$ assigning a non-negative real value to each clock variable. We will often identify a valuation $w$ with the point $(w(x_1), \dots, w(x_H)) \in \mathbb{R}_+^H$. Given a constant $d \in \mathbb{R}_+$, we use $X + d$ to denote the set $\{x_1 + d, \dots, x_H + d\}$. Similarly, we write $w + d$ to denote the valuation such that $(w + d)(x) = w(x) + d$ for all $x \in X$.
Throughout this paper, we assume a fixed set $P = \{p_1, \dots, p_M\}$ of parameters, i.e., unknown constants. A parameter valuation $\pi$ is a function $\pi : P \to \mathbb{R}_+$ assigning a non-negative real value to each parameter. There is a one-to-one correspondence between valuations and points in $\mathbb{R}_+^M$. We will often identify a valuation $\pi$ with the point $(\pi(p_1), \dots, \pi(p_M))$.
We define constraints as conjunctions of linear inequalities. An inequality over $X$ and $P$ is $e \prec e'$, where $\prec \in \{<, \le\}$, and $e, e'$ are two linear terms of the form
$$\sum_{1 \le i \le N} \alpha_i z_i + d$$
where $z_i \in X \cup P$, $\alpha_i \in \mathbb{Q}_+$ for $1 \le i \le N$, and $d \in \mathbb{Q}_+$. We define in a similar manner inequalities over $X$ (resp. $P$). A constraint is a conjunction of inequalities.
We denote by $\mathcal{L}(X)$, $\mathcal{L}(P)$ and $\mathcal{L}(X \cup P)$ the set of all constraints over $X$, over $P$, and over $X$ and $P$ respectively. In the sequel, the letter $D \in \mathcal{L}(X)$ denotes a constraint over the clocks, the letter $K \in \mathcal{L}(P)$ denotes a constraint over the parameters, and the letter $C \in \mathcal{L}(X \cup P)$ denotes a constraint over the clocks and the parameters.
Given a clock valuation $w$, $D[w]$ denotes the expression obtained by replacing each clock $x$ in $D$ with $w(x)$. A clock valuation $w$ satisfies constraint $D$ (denoted by $w \models D$) if $D[w]$ evaluates to true.
Given a parameter valuation $\pi$, $C[\pi]$ denotes the constraint over the clocks obtained by replacing each parameter $p$ in $C$ with $\pi(p)$. Likewise, given a clock valuation $w$, $C[\pi][w]$ denotes the expression obtained by replacing each clock $x$ in $C[\pi]$ with $w(x)$. We say that a parameter valuation $\pi$ satisfies a constraint $C$, denoted by $\pi \models C$, if the set of clock valuations that satisfy $C[\pi]$ is nonempty. We use the notation $\langle w, \pi \rangle \models C$ to indicate that $C[\pi][w]$ evaluates to true. Given a constraint $C$ and a clock $x$, we write $x \in C$ to denote that $x$ is not a free variable in $C$, i.e., that $x$ actually occurs in (is constrained by) $C$.
Given two constraints $C_1$ and $C_2$ over the clocks and the parameters, $C_1$ is said to be included in $C_2$, denoted by $C_1 \subseteq C_2$, if $\forall w, \pi : \langle w, \pi \rangle \models C_1 \implies \langle w, \pi \rangle \models C_2$.
We denote by $C \setminus X$ the constraint over the parameters obtained by eliminating its clock variables (e.g., using Fourier-Motzkin [21]). Similarly, we denote by $C{\downarrow}_P$ the constraint over the parameters obtained by projecting $C$ onto the set of parameters, that is after elimination of the clock variables. Formally, $C{\downarrow}_P = \{\pi \mid \exists w : \langle w, \pi \rangle \models C\}$. Note that $C \setminus X = C{\downarrow}_P$.
Sometimes we will refer to a variable domain $X'$, which is obtained by renaming the variables in $X$. Explicit renaming of variables is denoted by the substitution operation. Given a constraint $C$ over the clocks and the parameters, we denote by $C_{[X \leftarrow X']}$ the constraint obtained by replacing in $C$ the variables of $X$ with the variables of $X'$. We sometimes write $C(X)$ or $C(X')$ to denote the set of clocks used within $C$.
We define the time elapsing of $C$, denoted by $C^\uparrow$, as the constraint over $X$ and $P$ obtained from $C$ by delaying an arbitrary amount of time. Formally:
$$C^\uparrow = \Big( (C \wedge X' = X + d) \setminus (X \cup \{d\}) \Big)_{[X' \leftarrow X]}$$
where $d$ is a new parameter with values in $\mathbb{R}_+$, and $X'$ is a renamed set of clocks. The inner part of the expression adds the same delay $d$ to all clocks; then the original set of clocks $X$ and $d$ are eliminated; the outer part of the expression renames the clocks $X'$ to $X$.
2.2 Labeled Transition Systems
We introduce below labeled transition systems, which will be used later in this section to
represent the semantics of parametric timed automata.
▸ Definition 1. A labeled transition system is a quadruple $LTS = (\Sigma, S, S_0, \Rightarrow)$, with $\Sigma$ a set of symbols, $S$ a set of states, $S_0 \subseteq S$ a set of initial states, and $\Rightarrow \subseteq S \times \Sigma \times S$ a transition relation. We write $s \xRightarrow{a} s'$ for $(s, a, s') \in \Rightarrow$. A run (of length $m$) of $LTS$ is a finite alternating sequence of states $s_i \in S$ and symbols $a_i \in \Sigma$ of the form $s_0 \xRightarrow{a_0} s_1 \xRightarrow{a_1} \cdots \xRightarrow{a_{m-1}} s_m$, where $s_0 \in S_0$. A state $s_i$ is reachable if it belongs to some run $r$.
2.3 Parametric Timed Automata
Parametric timed automata are an extension of the class of timed automata [3] to the
parametric case, where parameters can be used within guards and invariants in place of
constants [4].
Syntax
▸ Definition 2 (Parametric Timed Automaton). A parametric timed automaton (PTA) $\mathcal{A}$ is an 8-tuple of the form $\mathcal{A} = (\Sigma, L, l_0, X, P, K, I, \to)$, where
  $\Sigma$ is a finite set of actions,
  $L$ is a finite set of locations, $l_0 \in L$ is the initial location,
  $X$ is a set of clocks, $P$ is a set of parameters, $K \in \mathcal{L}(P)$ is the initial constraint,
  $I$ is the invariant, assigning to every $l \in L$ a constraint $I(l) \in \mathcal{L}(X \cup P)$, and
  $\to$ is a step relation consisting of elements of the form $(l, g, a, \rho, l')$, where $l, l' \in L$ are the source and destination locations, $a \in \Sigma$, $\rho \subseteq X$ is the set of clocks to be reset by the step, and $g \in \mathcal{L}(X \cup P)$ is the step guard.
The constraint K corresponds to the initial constraint over the parameters, i.e., a
constraint that will be true in all the states of A (see semantics in Definition 4). For example,
in a PTA with two parameters min and max, one may want to constrain min to be always
smaller or equal to max, in which case K is defined to be min ≤ max.
Semantics
The (symbolic) semantics of PTA relies on the following notion of state.
▸ Definition 3 (State). Let $\mathcal{A} = (\Sigma, L, l_0, X, P, K, I, \to)$ be a PTA. A state $s$ of $\mathcal{A}$ is a pair $(l, C)$ where $l \in L$ is a location, and $C \in \mathcal{L}(X \cup P)$ its associated constraint.
[Figure 1: Forward reachability for timed automata. The diagram shows the constraint $C$ of the source state, the guard $g$, the reset $\rho$, the invariant $I(l')$ of the destination location, and the resulting successor constraint $C'$.]
For each valuation $\pi$ of $P$, we may view a state $s$ as the set of pairs $(l, w)$ where $w$ is a clock valuation such that $\langle w, \pi \rangle \models C$.
The initial state of $\mathcal{A}$ is $s_0 = (l_0, C_0)$, where
$$C_0 = K \wedge I(l_0) \wedge \bigwedge_{i=1}^{H-1} x_i = x_{i+1}.$$
In this expression, $K$ is the initial constraint over the parameters, $I(l_0)$ is the invariant of the initial location, and the rest of the expression lets clocks evolve from the same initial value.
The semantics of PTA is given in the following in the form of an LTS.
▸ Definition 4 (Semantics of PTA). Let $\mathcal{A} = (\Sigma, L, l_0, X, P, K, I, \to)$ be a PTA. The semantics of $\mathcal{A}$ is $LTS(\mathcal{A}) = (\Sigma, S, S_0, \Rightarrow)$ where
  $S = \{(l, C) \in L \times \mathcal{L}(X \cup P) \mid C \subseteq I(l)\}$,
  $S_0 = \{(l_0, K \wedge I(l_0) \wedge \bigwedge_{i=1}^{H-1} x_i = x_{i+1})\}$,
and a transition $(l, C) \xRightarrow{a} (l', C')$ belongs to $\Rightarrow$ if $\exists C'' : (l, C) \xrightarrow{a} (l', C'') \xrightarrow{d} (l', C')$, with
  discrete transitions $(l, C) \xrightarrow{a} (l', C')$ if there exists $(l, g, a, \rho, l') \in \to$ and
  $$C' = \Big( \big( C(X) \wedge g(X) \wedge X' = \rho(X) \big) \setminus X \wedge I(l')(X') \Big)_{[X' \leftarrow X]}$$
  and
  delay transitions $(l, C) \xrightarrow{d} (l, C')$ with $C' = C^\uparrow \wedge I(l)(X)$.
In Figure 1, we present in a graphical way the computation of the successor constraint of
a state (l, C). First, C is intersected with the guard g of the transition. Then, the clocks
that must be reset by the transition (as in ρ) are projected onto zero. Then, the constraint is
intersected with the invariant of the destination location I(l′). Time elapsing is then applied.
The resulting constraint C ′ is finally obtained by intersecting again with the invariant of the
destination location I(l′).
Let $LTS(\mathcal{A}) = (\Sigma, S, S_0, \Rightarrow)$. When clear from the context, given $(s_1, a, s_2) \in \Rightarrow$, we write $(s_1 \xRightarrow{a} s_2) \in \Rightarrow(\mathcal{A})$; and we write $s_0$ for the (only) state in $S_0$.
A path of $\mathcal{A}$ is a finite alternating sequence of states and actions.
▸ Definition 5 (Path). Let $\mathcal{A}$ be a PTA. Let $s_0 \xRightarrow{a_0} \cdots \xRightarrow{a_{n-1}} s_n$ be such that $s_i \xRightarrow{a_i} s_{i+1} \in \Rightarrow(\mathcal{A})$ for all $0 \le i \le n-1$. Then $s_0 \xRightarrow{a_0} \cdots \xRightarrow{a_{n-1}} s_n$ is said to be a path of $\mathcal{A}$. The set of all paths of $\mathcal{A}$ is denoted by $Paths(\mathcal{A})$.
We define traces as time-abstract paths.
▸ Definition 6 (Trace). Given a path $(l_0, C_0) \xRightarrow{a_0} (l_1, C_1) \xRightarrow{a_1} \cdots \xRightarrow{a_{m-1}} (l_m, C_m)$, the corresponding trace is $l_0 \xRightarrow{a_0} l_1 \xRightarrow{a_1} \cdots \xRightarrow{a_{m-1}} l_m$.
Finally, we recall the parallel composition of PTA: N PTA can be composed into a single
parametric timed automaton, by performing a product of the N PTA.
▸ Definition 7. Let $N \in \mathbb{N}$. For all $1 \le i \le N$, let $\mathcal{A}_i = (\Sigma_i, L_i, (l_0)_i, X_i, P_i, K_i, I_i, \to_i)$ be a PTA. The sets $L_i$ are mutually disjoint. A network of PTA is $\mathcal{A} = \mathcal{A}_1 \| \dots \| \mathcal{A}_N$, where $\|$ is the operator for parallel composition defined in the following way. This network of PTA corresponds to the PTA $\mathcal{A} = (\Sigma, L, l_0, X, P, K, I, \to)$ where
  $\Sigma = \bigcup_{i=1}^N \Sigma_i$, $L = \prod_{i=1}^N L_i$, $l_0 = \langle (l_0)_1, \dots, (l_0)_N \rangle$,
  $X = \bigcup_{i=1}^N X_i$, $P = \bigcup_{i=1}^N P_i$, $K = \bigwedge_{i=1}^N K_i$,
  $I(\langle l_1, \dots, l_N \rangle) = \bigwedge_{i=1}^N I_i(l_i)$ for all $\langle l_1, \dots, l_N \rangle \in L$,
and $\to$ is defined as follows. For all $a \in \Sigma$, let $T_a$ be the subset of indices $i \in \{1, \dots, N\}$ such that $a \in \Sigma_i$. For all $a \in \Sigma$, for all $\langle l_1, \dots, l_N \rangle \in L$, for all $\langle l'_1, \dots, l'_N \rangle \in L$, we have that $(\langle l_1, \dots, l_N \rangle, g, a, \rho, \langle l'_1, \dots, l'_N \rangle) \in \to$ if:
  for all $i \in T_a$, there exist $g_i, \rho_i$ such that $(l_i, g_i, a, \rho_i, l'_i) \in \to_i$, $g = \bigwedge_{i \in T_a} g_i$, $\rho = \bigcup_{i \in T_a} \rho_i$, and,
  for all $i \notin T_a$, $l'_i = l_i$.
3 On-the-fly Clock Elimination
3.1 Motivation
Consider the PTA depicted in Figure 2. This PTA contains 2 locations, 2 clocks $x_1$ and $x_2$, as well as 2 parameters $p_1$ and $p_2$. Although the clock $x_2$ is not used in $l_2$, its existence will generate an infinite set of states. More precisely, an infinite number of states with a constraint of the form $x_2 = x_1 + p_2 + i \cdot p_1$ (with $i$ growing without bound, one step per iteration of the loop) will be generated.
[Figure 2: A looping automaton. Two locations $l_1$ and $l_2$; an edge from $l_1$ to $l_2$ with guard $x_2 = p_2$ and reset $x_1 := 0$; a self-loop on $l_2$ with guard $x_1 = p_1$ and reset $x_1 := 0$.]
This situation is not met in the non-parametric setting. Indeed, it is well known that,
once the value of a clock gets larger than the system’s largest constant c, this clock value can
be safely abstracted to an abstract value “greater than c”. Unfortunately, this is not possible
in the parametric setting, due to the fact that constants are unknown.
Here, we propose a simple technique based on dynamic clock elimination. We can note
that x2 is “useless” in l2: indeed, it is not read in any guard, nor reset, and, since l2 has no
successor location except itself, x2 will not be read in the future. As a consequence, x2 can
be safely discarded or eliminated in l2, so as to ensure termination of the analysis.
Recall that this situation is not met in formalisms such as the parametric extension
of stateful timed CSP [7]. Indeed, in this formalism, clocks are dynamically created, and
discarded when no longer used.
3.2 General Approach
We propose here to eliminate useless clocks on-the-fly, i.e., during the analysis. By useless,
we mean clocks that will not be useful in the future (i.e., not read in guards and invariants),
until their next reset. Technically, detecting useless clocks exactly would require exploring the
system, and checking whether a given clock will be used (i.e., read in a guard or in an invariant)
in the future. Unfortunately, this would not be interesting to do in practice since this would
require to analyze the whole system, which we want to avoid. Hence, one must accept
to possibly exhibit an under-approximation of the set of useless clocks, in order to find a
trade-off between efficiency and accuracy.
In this work, we propose the following technique. First, we detect the useless clocks in a
static manner; hence, we construct prior to the analysis a table associating each location
with the list of the clocks useless in this location. During the analysis, it is sufficient to check
this table in order to know which clocks are useless.
Second, we consider only local clocks, i.e., used in a single PTA. (Recall that the PTA
analyzed can be made of a network of N PTA in parallel.) This requirement is motivated by
obvious efficiency reasons: exploring each PTA in an independent manner is by far more
efficient than exploring the composition of several PTA, required to detect the locations in
which global clocks (used by several PTA) can be safely discarded. Note that, in all case
studies we considered, all clocks were always local. Extending our work to the case of global
clocks is discussed in Section 5.
3.3 Static Computation of the Useless Clocks per Location
We introduce in Algorithm 1 an algorithm useless(A, x), that computes in a static manner
the set of locations where a clock x is useless. This algorithm takes as input a PTA A and a
clock x, and outputs the list of locations in A where x is useless.
Algorithm 1: useless(A, x)
  input : PTA A, clock x
  output : List of locations where x is unnecessary
   1  Marked ← {l | ∃ l′, a, g, ρ : (l, a, g, ρ, l′) ∈ → ∧ x ∈ g} ∪ {l | x ∈ I(l)}
   2  Waiting ← Marked
   3  while Waiting ≠ ∅ do
   4      pick l′ from Waiting and remove it from Waiting
   5      foreach (l, a, g, ρ, l′) ∈ → do
   6          if x ∉ ρ then
   7              if l ∉ Marked then
   8                  Marked ← Marked ∪ {l}
   9                  Waiting ← Waiting ∪ {l}
  10  return L \ Marked
The algorithm makes use of a set of waiting locations (“Waiting”) and a set of marked
locations (“Marked”); this latter set corresponds to the locations where x is actually useful.
Lines 1–2 initialize the value of Waiting and Marked to the set of locations that are either
sources of a transition whose guard involves x or have an invariant involving x. Then, it proceeds by
coloring locations in a backward manner, starting from Marked. As long as the set of waiting
locations is not empty, the algorithm picks a location l′ from this set (line 4); then, for each
transition whose destination location is l′, the algorithm checks whether the clock x is reset
along the transition (line 6). If not, and if the transition source l is not marked yet, then l is
added both to the set of marked locations and to the waiting set (lines 8–9). The algorithm
finally returns the set of locations in A that are not marked (line 10).
[Figure 3: Static computation of the useless clocks: an example. (a) A toy PTA $\mathcal{A}$ with four locations $l_1, l_2, l_3, l_4$, two clocks $x_1, x_2$ and two parameters $p_1, p_2$; the guards, invariants and resets appearing in the figure are $x_2 \le p_2$, $x_1 \le p_2$, $x_1 = p_1$ with resets $x_1 := 0$ and $x_2 := 0$, and $x_2 = p_1$ with reset $x_2 := 0$. (b) Locations marked in useless($\mathcal{A}$, $x_1$). (c) Locations marked in useless($\mathcal{A}$, $x_2$).]
Let us apply Algorithm 1 to the simple PTA in Figure 3a and to clock x1. Initially,
Marked = Waiting = {l1, l2}. Let us pick l1 from Waiting. Since l1 has no predecessor,
no action is performed. Let us pick l2 from Waiting; l2 has two predecessors l1 and l3.
For l1, x1 /∈ ρ, but l1 ∈ Marked, hence again no action is performed. For l3, x1 /∈ ρ, and
l3 /∈ Marked, hence we add l3 to both Marked and Waiting. We now pick l3 from Waiting; l3
has one predecessor l1, already in Marked. The Waiting set is now empty, and the algorithm
has marked l1, l2 and l3, as shown in Figure 3b; the non-marked locations are returned,
viz., {l4}.
The result of the application of Algorithm 1 to A and x2 is given in Figure 3c. The
locations for which x2 is useless are l2 and l3.
In the case of a network of PTA (see Definition 7), the list of useless clocks in a global
location is the union, for each of the PTA in parallel, of the clocks useless in the local location
for this PTA.
▸ Remark. An alternative and equivalent way to present Algorithm 1 is to use the following recursively defined function (given in a functional programming-like syntax), which decides whether a clock is useless in a given location:

    let uselessInLoc (x, l) =
        x notin I(l)
        and
        forall (l, a, g, rho, l') in steps :
            x notin g
            and (x in rho or uselessInLoc(x, l'))

On automata with cycles this definition is to be read as a greatest fixpoint (a location on a cycle along which x is never read nor reset counts as useless); a direct recursive implementation would therefore need to detect cycles, which is exactly what the backward marking of Algorithm 1 achieves by computing the complementary set Marked as a least fixpoint.
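The following Python is an added illustration of Algorithm 1 (example code written for this page, not code from the paper nor from Imitator). It computes useless(A, x) by backward marking, builds the per-location table U(l) that the analysis consults (Section 3.4), checks that table against the recursive characterization of the Remark, and forms the union over components for a network of PTA. The toy PTA is constructed for this example: its edge layout is an assumption chosen so that it reproduces the outcomes reported for Figure 3 (x1 useless only in l4; x2 useless in l2 and l3). Guards and invariants are kept as text, since the marking only needs to know which clocks they read.

```python
"""Static computation of useless clocks (Algorithm 1) on a constructed toy PTA.
Added example; not code from the paper or from Imitator. The PTA's edge layout is
an assumption that reproduces the Figure 3 outcomes (x1 useless in l4; x2 in l2, l3)."""
import re
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    guard: str            # conjunction written as text; "" means true
    resets: frozenset     # clocks reset by the edge (rho)
    dst: str


@dataclass
class PTA:
    locations: tuple
    clocks: frozenset
    invariants: dict      # location -> constraint text; a missing location means true
    edges: tuple


def clocks_in(pta, constraint):
    """Clocks occurring in a constraint text: the 'x in g' / 'x in I(l)' test."""
    return {t for t in re.findall(r"[A-Za-z_]\w*", constraint) if t in pta.clocks}


def useless(pta, x):
    """Algorithm 1: locations where clock x is not read before its next reset."""
    # Line 1: sources of guards reading x, and locations whose invariant reads x.
    marked = {e.src for e in pta.edges if x in clocks_in(pta, e.guard)}
    marked |= {l for l in pta.locations if x in clocks_in(pta, pta.invariants.get(l, ""))}
    waiting = deque(marked)                       # line 2
    while waiting:                                # lines 3-9: backward marking
        target = waiting.popleft()                # line 4: pick and remove
        for e in pta.edges:                       # lines 5-9
            if e.dst == target and x not in e.resets and e.src not in marked:
                marked.add(e.src)
                waiting.append(e.src)
    return [l for l in pta.locations if l not in marked]   # line 10: L \ Marked


def useless_table(pta):
    """U(l) for every location: the table consulted on-the-fly during the analysis."""
    table = {l: set() for l in pta.locations}
    for x in sorted(pta.clocks):
        for l in useless(pta, x):
            table[l].add(x)
    return table


def check_remark(pta, table):
    """The Remark's recursive characterization, used as a fixpoint check of the table:
    x is useless in l iff x is not in I(l) and, for every edge leaving l,
    x is not in g and (x is reset by the edge or x is useless in the target)."""
    for l in pta.locations:
        for x in pta.clocks:
            expected = x not in clocks_in(pta, pta.invariants.get(l, "")) and all(
                x not in clocks_in(pta, e.guard) and (x in e.resets or x in table[e.dst])
                for e in pta.edges if e.src == l)
            if expected != (x in table[l]):
                return False
    return True


def useless_in_network(tables, global_location):
    """Network of PTA: useless clocks in <l_1,...,l_N> are the union of the local tables."""
    return set().union(*(t[l] for t, l in zip(tables, global_location)))


# Constructed toy PTA in the spirit of Figure 3a (edge layout assumed).
TOY = PTA(
    locations=("l1", "l2", "l3", "l4"),
    clocks=frozenset({"x1", "x2"}),
    invariants={"l1": "x1 <= p2 & x2 <= p2", "l2": "x1 <= p2"},
    edges=(
        Edge("l1", "a", "", frozenset(), "l2"),
        Edge("l1", "b", "", frozenset(), "l3"),
        Edge("l3", "c", "", frozenset(), "l2"),
        Edge("l2", "d", "x1 = p1", frozenset({"x1", "x2"}), "l4"),
        Edge("l4", "e", "x2 = p1", frozenset({"x2"}), "l4"),
    ),
)

if __name__ == "__main__":
    for clock in sorted(TOY.clocks):
        print(clock, "useless in", useless(TOY, clock))
    table = useless_table(TOY)
    print(table, "consistent with the Remark:", check_remark(TOY, table))
```

Running the module prints x1 useless in ['l4'] and x2 useless in ['l2', 'l3'], matching the walk-through of Figure 3. The marking is a least fixpoint over the reversed edge relation, so it terminates on any finite automaton, including ones with cycles that never read the clock.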
3.4 Dynamic Elimination of the Clocks in Practice
Following the static computation of the locations in which each clock is useless, we can
now eliminate the clocks on-the-fly during a reachability analysis. More precisely, this is
performed after computing the constraint associated with a new state; once this constraint
has been computed, useless clocks are eliminated. This elimination is a variable elimination
à la Fourier-Motzkin [21], so as not to modify the relationship between the other clocks and
parameters.
Algorithm 2: Computation of a new state in Imitator.
input : PTA A, state (l, C), transition (l, a, g, ρ, l′)
output : New state (l′, C ′)
1 C ′ ← C ∧ g
2 C ′ ← ρ(C ′)
3 C ′ ← C ′ ∧ I(l′)
4 C ′ ← C ′↑
5 C ′ ← Eliminate(C ′)
6 return (l′, C ′)
We give in Algorithm 2 a simplified version (see footnote 1) of the computation of the successor state
(l′, C′), generated from a source state (l, C) via transition (l, a, g, ρ, l′), as implemented in
Imitator [5]. The addition of the clock elimination is line 5; in this expression,
Eliminate(C ′) denotes the elimination of the clocks useless in the destination location l′, as
computed by Algorithm 1 for each clock. In Imitator, the variable elimination is performed
using the dedicated function of the Parma Polyhedra Library [9].
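The following is an added worked example of Algorithm 2 and of the dynamic-elimination semantics on the looping PTA of Figure 2 (example code written for this page, not code from the paper or from Imitator, which relies on the Parma Polyhedra Library). A small exact Fourier-Motzkin procedure over rationals plays the role of the polyhedra library; a successor constraint is computed as guard, reset, time elapsing and then Eliminate(C′) for the clocks in U(l′); and two symbolic states are considered equal when their constraints entail each other, so redundant inequalities produced by the projection do not matter. Figure 2 is reconstructed from the paper's description (l1 to l2 with guard x2 = p2 and reset x1 := 0; a self-loop on l2 with guard x1 = p1 and reset x1 := 0; no invariants). Without elimination the exploration keeps producing new states of the form x2 = x1 + p2 + i·p1 until the state bound is hit; with U(l2) = {x2} it reaches a fixpoint after two states.

```python
"""Algorithm 2 with Fourier-Motzkin clock elimination, run on the looping PTA of Figure 2.
Added example (not from the paper or Imitator). A constraint is a list of rows
(coeffs, strict, rhs) meaning sum(coeffs[v] * v) <= rhs, or < rhs when strict."""
from fractions import Fraction as F

CLOCKS, PARAMS = ("x1", "x2"), ("p1", "p2")

def row(coeffs, rhs=0, strict=False):
    return ({v: F(c) for v, c in coeffs.items() if c != 0}, strict, F(rhs))

def eq(coeffs, rhs=0):                       # equality as two inequalities
    return [row(coeffs, rhs), row({v: -c for v, c in coeffs.items()}, -rhs)]

def normalize(rows):
    """Drop zero coefficients, trivially true rows and duplicates; keep contradictions."""
    out = {}
    for c, s, b in rows:
        c = {v: a for v, a in c.items() if a != 0}
        if not c:
            if b < 0 or (s and b == 0):
                out[((), s, b)] = ({}, s, b)   # e.g. '0 <= -1': unsatisfiable
            continue
        scale = abs(c[min(c)])
        key = (tuple(sorted((v, a / scale) for v, a in c.items())), s, b / scale)
        out[key] = (dict(key[0]), s, b / scale)
    return list(out.values())

def eliminate(rows, var):
    """Fourier-Motzkin projection C \\ {var}: combine every upper bound with every lower bound."""
    pos, neg, rest = [], [], []
    for r in rows:
        a = r[0].get(var, 0)
        (pos if a > 0 else neg if a < 0 else rest).append(r)
    for cp, sp, bp in pos:
        for cn, sn, bn in neg:
            ap, an = cp[var], -cn[var]        # an*(upper row) + ap*(lower row) cancels var
            c = {v: an * cp.get(v, 0) + ap * cn.get(v, 0) for v in set(cp) | set(cn)}
            rest.append((c, sp or sn, an * bp + ap * bn))
    return normalize(rest)

def project(rows, variables):
    """Eliminate several variables, the one creating the fewest new rows first."""
    todo = set(variables)
    while todo:
        signs = {v: (sum(1 for c, _, _ in rows if c.get(v, 0) > 0),
                     sum(1 for c, _, _ in rows if c.get(v, 0) < 0)) for v in todo}
        v = min(todo, key=lambda v: signs[v][0] * signs[v][1] - sum(signs[v]))
        rows, todo = eliminate(rows, v), todo - {v}
    return rows

def feasible(rows):                          # after projecting everything, only contradictions remain
    return not normalize(project(rows, {v for c, _, _ in rows for v in c}))

def entails(rows, r):                        # rows |= r  iff  rows and not(r) is infeasible
    c, s, b = r
    return not feasible(rows + [({v: -a for v, a in c.items()}, not s, -b)])

def equivalent(a, b):
    return all(entails(a, r) for r in b) and all(entails(b, r) for r in a)

def reset(rows, clocks):
    """rho(C): forget each reset clock, then pin it to 0."""
    for x in clocks:
        rows = eliminate(rows, x) + eq({x: 1})
    return rows

def elapse(rows):
    """C^ (time elapsing): add x' = x + d with d >= 0, eliminate X and d, rename X' to X."""
    rows = rows + [row({"d": -1})]
    for x in CLOCKS:
        rows = rows + eq({x + "'": 1, x: -1, "d": -1})
    rows = project(rows, set(CLOCKS) | {"d"})
    return [({v.rstrip("'"): a for v, a in c.items()}, s, b) for c, s, b in rows]

def successor(c, guard, resets, useless):
    """Algorithm 2 (Figure 2 has no invariants); `useless` is U(l') of the target location."""
    c = c + guard                                      # line 1: C and g
    if not feasible(c):
        return None
    return project(elapse(reset(c, resets)), useless)  # lines 2, 4 and 5: Eliminate(C')

# Figure 2 as described in the paper: l1 -(x2 = p2, x1 := 0)-> l2 and l2 -(x1 = p1, x1 := 0)-> l2.
EDGES = (("l1", eq({"x2": 1, "p2": -1}), ("x1",), "l2"),
         ("l2", eq({"x1": 1, "p1": -1}), ("x1",), "l2"))
# Initial state: all clocks equal (Definition 4), clocks and parameters non-negative.
INIT = ("l1", eq({"x1": 1, "x2": -1}) + [row({v: -1}) for v in CLOCKS + PARAMS])

def explore(useless_of, max_states=8):
    """Breadth-first reachability; a successor is new unless an equivalent constraint is
    already stored for the same location. Returns the list of (location, constraint)."""
    states, queue = [INIT], [INIT]
    while queue and len(states) < max_states:
        loc, c = queue.pop(0)
        for src, guard, resets, dst in (e for e in EDGES if e[0] == loc):
            c2 = successor(c, guard, resets, useless_of.get(dst, ()))
            if c2 is not None and not any(l == dst and equivalent(c2, k) for l, k in states):
                states.append((dst, c2))
                queue.append((dst, c2))
    return states

if __name__ == "__main__":
    print("without elimination:", len(explore({}, max_states=6)), "states (bound reached)")
    print("with U(l2) = {x2}:  ", len(explore({"l2": ("x2",)})), "states (fixpoint)")
```

The semantic equality test is what makes the fixpoint visible: after eliminating x2, the constraint of l2 reduces to x1 ≥ 0 together with the projection onto the parameters, and the next iteration of the loop yields an equivalent constraint. Fourier-Motzkin is exponential in general; Imitator's use of the Parma Polyhedra Library avoids both that blow-up and the redundant rows this toy projection leaves behind.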
3.5 Characterization
In this section, we show that applying the dynamic clock elimination during a reachability
analysis preserves parametric analyses, as well as the satisfiability of linear-time properties.
Let us denote by U(l) the list of clocks useless in a given location l; the result of this
function can be computed by applying Algorithm 1 for each clock.
We define below the semantics of PTA under dynamic clock elimination.
1 Imitator also features discrete variables, as well as stopwatches; these features are beyond the scope
of this paper, and are discarded here. Furthermore, after each modification of C′, a satisfiability test
is performed to check whether (l′, C′) is a valid new state; if not, it is discarded (using an exception
mechanism).
▸ Definition 8. Let $\mathcal{A} = (\Sigma, L, l_0, X, P, K, I, \to)$ be a PTA. The semantics of $\mathcal{A}$ under dynamic clock elimination is $LTS_{dyn}(\mathcal{A}) = (\Sigma, S, S_0, \Rightarrow_{dyn})$ where
  $S = \{(l, C) \in L \times \mathcal{L}(X \cup P) \mid C \subseteq I(l)\}$,
  $S_0 = \Big\{ \Big( l_0, \big( K \wedge I(l_0) \wedge \bigwedge_{i=1}^{H-1} x_i = x_{i+1} \big) \setminus U(l_0) \Big) \Big\}$,
and a transition $(l, C) \xRightarrow{a}_{dyn} (l', C')$ belongs to $\Rightarrow_{dyn}$ if $\exists C'' : (l, C) \xRightarrow{a} (l', C'')$, and $C' = C'' \setminus U(l')$.
Hence, a transition in the semantics under dynamic clock elimination corresponds to a
transition conform to the standard semantics of PTA (i.e., (l, C) a⇒ (l′, C ′′)), followed by the
elimination of the clocks useless in l′ (i.e., C ′ = C ′′\U(l′)).
We denote by Pathsdyn(A) the set of paths of A computed using the semantics of A
under dynamic clock elimination.
We characterize below the effect of dynamically eliminating clocks while performing a
reachability analysis.
▸ Theorem 9. Let $\mathcal{A}$ be a PTA. Then:
(⇒) Let $(l_0, C_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C_m)$ be a path in $Paths(\mathcal{A})$. Then there exist $C'_i$, $0 \le i \le m$, such that $(l_0, C'_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C'_m)$ is a path in $Paths_{dyn}(\mathcal{A})$, with $C'_i = C_i \setminus U(l_i)$ for $0 \le i \le m$.
(⇐) Conversely, let $(l_0, C'_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C'_m)$ be a path in $Paths_{dyn}(\mathcal{A})$. Then there exist $C_i$, $0 \le i \le m$, such that $(l_0, C_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C_m)$ is a path in $Paths(\mathcal{A})$, with $C'_i = C_i \setminus U(l_i)$ for $0 \le i \le m$.
Proof (sketch). The first part (⇒) is obtained by induction on the length of the paths. Suppose the result holds for $i$, and let us prove it for $i+1$. Consider $(l_i, C_i) \xRightarrow{a_i} (l_{i+1}, C_{i+1})$. From the induction hypothesis, there exists $(l_i, C'_i)$ with $C'_i = C_i \setminus U(l_i)$. Since $C_i \subseteq C'_i$, there exists $C''_{i+1}$ such that $(l_i, C'_i) \xRightarrow{a_i} (l_{i+1}, C''_{i+1})$. The fact that $C'_{i+1} = C_{i+1} \setminus U(l_{i+1})$ can be proved by showing that the operations in the two items of Definition 4 preserve this equality. Note that this holds only because the clocks in $U(l_i)$ and $U(l_{i+1})$ are not used in the invariants, guards and resets in the definition.
The second part (⇐) is obtained using a similar reasoning. ∎
Basically, Theorem 9 states that each path in Paths(A) has an equivalent in Pathsdyn(A),
and conversely. Furthermore, in each state, the relationship between all parameters and all
clocks (except the clocks useless in this state) is the same in both semantics; this comes from
the fact that C ′i = Ci\U(li).
We exhibit below two corollaries of Theorem 9. The first corollary states that the
projection of the constraints associated to the states of a path in both the standard semantics
and the semantics under dynamic clock elimination are the same. Hence, the clock elimination
is suitable to perform parametric model checking based on paths.
▸ Corollary 10. Let $\mathcal{A}$ be a PTA. Let $(l_0, C'_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C'_m)$ be a path in $Paths_{dyn}(\mathcal{A})$, and let $(l_0, C_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (l_m, C_m)$ be its equivalent path in $Paths(\mathcal{A})$. Then $C_i{\downarrow}_P = C'_i{\downarrow}_P$ for all $0 \le i \le m$.
Proof. Since $C'_i = C_i \setminus U(l_i)$, then $C'_i \setminus X = C_i \setminus X$, hence $C'_i{\downarrow}_P = C_i{\downarrow}_P$. ∎
The second corollary states that the dynamic clock elimination preserves linear time
properties. Given a linear-time property, we denote by ϕ |= Paths(A) the fact that all paths
of A satisfy ϕ (and similarly for Pathsdyn).
▸ Corollary 11. Let $\mathcal{A}$ be a PTA. Let $\varphi$ be a linear-time property. Then $\varphi \models Paths(\mathcal{A})$ if and only if $\varphi \models Paths_{dyn}(\mathcal{A})$.
Proof. Since each path in $Paths(\mathcal{A})$ has an equivalent path in $Paths_{dyn}(\mathcal{A})$ and vice-versa, the sets of traces are equal. Hence the linear-time properties satisfied are equal. ∎
4 Experimental Validation
This clock elimination technique has been implemented in Imitator [5] (since version 2.6.1)
as an optional feature (option -dynamic-elimination). We compare the efficiency of our
dynamic clock elimination technique on the inverse method IM [8]. This algorithm takes
advantage of a known reference parameter valuation, and synthesizes a constraint around
the reference valuation guaranteeing the same traces as for the reference valuation, i.e.,
guaranteeing that the same linear-time properties are satisfied. The two algorithms compared
are (1) IM and (2) IM dyn, i.e., IM where useless clocks are eliminated on-the-fly using the
algorithms of Section 3. Note that, since IM relies on the exploration of the parametric state
space (after eliminating all clocks), from Corollary 10, the result of both algorithms will be
the same.
Table 1 compares the performances and results of IM and IM dyn. Columns |X| and |P|
denote the number of clocks and parameters of the PTA, respectively. For each algorithm,
columns |S|, |T| and t denote the number of states, of transitions and the computation time
in seconds, respectively. In the last 2 columns, we compare the results: first, we divide
the number of states in IM dyn by the number of states in IM and multiply by 100 (hence,
a number smaller than 100 denotes an improvement brought by the clock elimination; for instance,
201 states against 1,364 for CTC gives 15); second, we perform the same comparison for the
computation time. Experiments were performed on a Kubuntu 13.04 (64-bit) system running on
an Intel Core i7 CPU at 2.67 GHz with 4 GiB of RAM.
Table 1 Experiments (t in seconds; "loop" means the analysis did not terminate; comparison values below 100 are improvements of IM dyn over IM).

                        |           IM            |         IM dyn          | Comparison (%)
Example     |X|  |P|    |    |S|     |T|       t  |    |S|     |T|       t  |   |S|      t
Figure 2      2    2    |      -       -    loop  |      2       2   0.007  |     0      0
Figure 3      2    2    |      -       -    loop  |      6       8   0.006  |     0      0
AndOr         4   12    |     11      11   0.047  |     11      11   0.050  |   100    106
SPSMALL      10   26    |     31      30   0.580  |     31      30   0.584  |   100    101
Train         3    6    |     78      94   0.100  |     61      76   0.072  |    78     72
BRP           7    6    |    429     474    3.50  |    429     474    3.21  |   100     92
CSMA/CD6      3    3    | 13,365  14,271    19.6  | 13,365  14,271    19.5  |   100     99
RCP           5    6    |    327     518    0.68  |    181     282    0.41  |    55     60
AAM06         3    8    |  1,497   1,844    8.28  |    768     997    2.92  |    51     35
AM02          3    4    |    182     215   0.392  |    182     215   0.386  |   100     98
BB04          6    7    |    806     827    25.4  |    806     827    27.2  |   100    107
CTC          15   21    |  1,364   1,363    83.4  |    201     291    2.52  |    15    3.0
LA02          3    5    |  6,290   8,023     710  |  4,932   7,154     473  |    78     67
LPPRC10       4    7    |     78     102   0.375  |     78     102   0.395  |   100    105
Description of the Models
The first 2 models are the looping PTA in Figure 2 and Figure 3a. The next 2 models are
asynchronous circuits [13, 8]. The next case study is a classical train–gate–controller from [4].
The next 3 models are common protocols [14, 18, 17]. The other models are scheduling
problems [1, 2, 12, 23, 20]. All models are described and available (with sources and binaries
of Imitator) on Imitator’s Web page (see footnote 2).
Interpretation of the Experiments
Let us comment on the experiments in Table 1. Although only the 2 toy models are such that
only IM dyn can analyze them whereas IM loops, the optimization of IM dyn also leads to
state space reductions in many other models. These state space reductions come from the
fact that useless clocks may in general lead to the creation of many similar states, only
different with respect to the (generally increasing) value of these clocks; when the useless
clocks are eliminated, all these similar states are replaced with only one state.
The use of the optimized version IM dyn has the following advantages. First, the state
space is often reduced compared to the classical IM (without clock elimination). Although
the dynamic elimination of clocks does not seem to bring anything in the case of hardware
verification, it seems much more interesting for protocols and scheduling problems. This is
particularly interesting for the scheduling problems, where the number of states is divided
by a factor of up to 6 (CTC). Second, the computation time is always reduced when the
dynamic clock elimination indeed reduces the state space, by a factor of up to 33 (CTC).
Third, and more surprisingly, the overhead brought by the dynamic elimination does not
yield a significant increase of the computation time, even when the clock elimination
does not reduce the state space at all; the worst case is +7% (BB04), which remains very
reasonable. These experiments encourage us to consider setting this optimization as the
default in Imitator.
Finally, in some cases (BRP, CSMA/CD, AM02), the computation time is smaller with
dynamic clock elimination despite the absence of any state space reduction, which is
surprising. This may be due to small variations in processor performance. It might also be
explained by the fact that, even when no states are merged, the computation of the successor
states may be more efficient when the constraints are smaller (i.e., involve fewer clocks).
5 Conclusion
We introduced here a state space reduction technique based on an on-the-fly elimination
of unnecessary clocks in parametric timed automata. This technique has the following
advantages: (1) some models that include loops preventing termination may terminate; (2)
the relationship between the remaining clocks and parameters is preserved, which makes
it suitable for many (parametric) model checking algorithms; (3) the application of this
technique to the inverse method (implemented in Imitator) shows interesting state space
reductions without adding any significant overhead in terms of computation time.
2 http://www.lsv.ens-cachan.fr/Software/imitator/dynamic/
FSFMA’13
30 Dynamic Clock Elimination in Parametric Timed Automata
Future Work
So far, we considered only local clocks, i.e., clocks used in only one of the different PTA in
parallel. Considering global clocks (i.e., used in most of the PTA describing the model) would
be interesting. In order to avoid the static composition of all PTA prior to the analysis, this
would require more complex algorithms than our current detection of the locations where a
clock can be discarded. An alternative is to combine our technique with the technique of
global clock elimination introduced in [10], if this latter technique can be extended to the
parametric setting.
A future extension consists in extending the second algorithm of [15], i.e., dynamically
eliminating clocks that are equal to another clock. Although simple in theory, this optimization
would require some operations on the constraints that may turn out to be more complex and
time-consuming in the parametric setting (using polyhedra) than in the non-parametric setting
(using difference bound matrices).
We aim at extending this work to the case of hybrid systems, where clocks are generalized
to variables with (in general) arbitrary rates. This could then be applied to the inverse
method generalized to hybrid systems [16].
We are also interested in studying the optimization presented here with the (more
restrictive) state space reduction based on convex merging recently proposed in [6].
Acknowledgement
I am grateful to an anonymous reviewer for his/her useful comments.
References
1 Yasmina Abdeddaïm, Eugene Asarin, and Oded Maler. Scheduling with timed automata. Theoretical Computer Science, 354(2):272–300, 2006.
2 Yasmina Abdeddaïm and Oded Maler. Preemptive job-shop scheduling using stopwatch automata. In TACAS, volume 2280 of Lecture Notes in Computer Science, pages 113–126. Springer, 2002.
3 Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
4 Rajeev Alur, Thomas A. Henzinger, and Moshe Y. Vardi. Parametric real-time reasoning. In STOC, pages 592–601. ACM, 1993.
5 Étienne André, Laurent Fribourg, Ulrich Kühne, and Romain Soulat. IMITATOR 2.5: A tool for analyzing robustness in scheduling problems. In FM, volume 7436 of Lecture Notes in Computer Science, pages 33–36. Springer, 2012.
6 Étienne André, Laurent Fribourg, and Romain Soulat. Merge and conquer: State merging in parametric timed automata. In ATVA, Lecture Notes in Computer Science. Springer, 2013. To appear.
7 Étienne André, Yang Liu, Jun Sun, and Jin Song Dong. Parameter synthesis for hierarchical concurrent real-time systems. In ICECCS, pages 253–262. IEEE Computer Society, 2012.
8 Étienne André and Romain Soulat. The Inverse Method. FOCUS Series in Computer Engineering and Information Technology. ISTE Ltd and John Wiley & Sons Inc., 2013.
9 Roberto Bagnara, Patricia M. Hill, and Enea Zaffanella. The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Science of Computer Programming, 72(1–2):3–21, 2008.
10 Sandie Balaguer and Thomas Chatain. Avoiding shared clocks in networks of timed automata. In CONCUR, volume 7454 of Lecture Notes in Computer Science, pages 100–114. Springer, 2012.
11 Johan Bengtsson and Wang Yi. Timed automata: Semantics, algorithms and tools. In Lectures on Concurrency and Petri Nets, volume 3098 of Lecture Notes in Computer Science, pages 87–124. Springer, 2003.
12 Enrico Bini and Giorgio C. Buttazzo. Schedulability analysis of periodic fixed priority systems. IEEE Transactions on Computers, 53(11):1462–1473, 2004.
13 Robert Clarisó and Jordi Cortadella. The octahedron abstract domain. Science of Computer Programming, 64(1):115–139, 2007.
14 Pedro R. D’Argenio, Joost-Pieter Katoen, Theo C. Ruys, and Jan Tretmans. The bounded retransmission protocol must be on time! In TACAS, volume 1217 of Lecture Notes in Computer Science, pages 416–431. Springer, 1997.
15 Conrado Daws and Sergio Yovine. Reducing the number of clock variables of timed automata. In RTSS, pages 73–81. IEEE Computer Society, 1996.
16 Laurent Fribourg and Ulrich Kühne. Parametric verification and test coverage for hybrid automata using the inverse method. International Journal of Foundations of Computer Science, 24(2):233–249, 2013.
17 Thomas Hune, Judi Romijn, Mariëlle Stoelinga, and Frits W. Vaandrager. Linear parametric model checking of timed automata. Journal of Logic and Algebraic Programming, 52-53:183–220, 2002.
18 Marta Z. Kwiatkowska, Gethin Norman, Jeremy Sproston, and Fuzhi Wang. Symbolic model checking for probabilistic timed automata. Information and Computation, 205(7):1027–1077, 2007.
19 Kim Guldstrand Larsen, Paul Pettersson, and Wang Yi. UPPAAL in a nutshell. International Journal on Software Tools for Technology Transfer, 1(1-2):134–152, 1997.
20 Thi Thieu Hoa Le, Luigi Palopoli, Roberto Passerone, Yusi Ramadian, and Alessandro Cimatti. Parametric analysis of distributed firm real-time systems: A case study. In ETFA, pages 1–8. IEEE, 2010.
21 Alexander Schrijver. Theory of linear and integer programming. John Wiley & Sons, Inc., 1986.
22 Jun Sun, Yang Liu, Jin Song Dong, Yan Liu, Ling Shi, and Étienne André. Modeling and verifying hierarchical real-time systems using Stateful Timed CSP. ACM Transactions on Software Engineering and Methodology, 22(1):3.1–3.29, 2013.
23 Naoyuki Tamura. CSP2SAT: JSS benchmark results. http://bach.istc.kobe-u.ac.jp/csp2sat/jss/, 2007.
24 Louis-Marie Traonouez, Didier Lime, and Olivier H. Roux. Parametric model-checking of stopwatch Petri nets. Journal of Universal Computer Science, 15(17):3273–3304, 2009.
