University of Pennsylvania

ScholarlyCommons
Technical Reports (CIS)

Department of Computer & Information Science

January 1994

An Efficient Generation of the Timed Reachability Graph for the
Analysis of Real-Time Systems
Inhye Kang
University of Pennsylvania

Insup Lee
University of Pennsylvania, lee@cis.upenn.edu

Follow this and additional works at: https://repository.upenn.edu/cis_reports

Recommended Citation
Inhye Kang and Insup Lee, "An Efficient Generation of the Timed Reachability Graph for the Analysis of Real-Time Systems", January 1994.

University of Pennsylvania Department of Computer and Information Science Technical Report No. MS-CIS-94-36.
This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_reports/229
For more information, please contact repository@pobox.upenn.edu.

An Efficient Generation of the Timed Reachability Graph for the Analysis of Real-Time Systems
Abstract
As computers become ubiquitous, they are increasingly used in safety critical environments. Since many safety critical applications are real-time systems, automated analysis techniques for real-time properties are desirable. The most widely used automated analysis techniques are based on state space exploration, and such techniques suffer from the state space explosion problem. In particular, a real-time system may have an unbounded number of states due to infinitely many possible time values. This paper presents our approach for generating a finite and efficient representation of the reachable states, called a timed reachability graph, for a real-time system. In this paper, a real-time system is specified using a timed automaton, which is a timed extension of the well-known finite automaton. Our approach for coping with the state explosion problem is to extract timing information from states and to represent it as relative time relations between transitions. We also present an algorithm for computing the minimum and maximum time bounds between executions of two actions from a timed reachability graph to determine timing properties.


An Efficient Generation of the Timed Reachability
Graph for the Analysis of Real-Time Systems
MS-CIS-94-36
DISTRIBUTED SYSTEMS LAB 79
LOGIC & COMPUTATION LAB 83

Inhye Kang
Insup Lee

University of Pennsylvania
School of Engineering and Applied Science
Computer and Information Science Department
Philadelphia, PA 19104-6389

July 1994

An Efficient Generation of the Timed Reachability
Graph for the Analysis of Real-Time Systems *
Inhye Kang and Insup Lee
Department of Computer and Information Science
University of Pennsylvania
Philadelphia, PA 19104-6389

1 Introduction

As computers become ubiquitous, they are increasingly used in safety critical environments.
Typical safety critical applications are control systems, monitoring systems and communication
systems. Any failure of such computer systems may cause a great financial loss, environmental
disaster or even the loss of lives. The potential high cost associated with an incorrect operation
of these systems has created a demand for a rigorous framework in which various design alternatives can be formally specified and rigorously analyzed and tested before implementation.
It is commonly believed that future safety critical systems will be more complex due to increased demands on their functionality as well as the size of the problem domain. Thus, it will be difficult to analyze and test their correctness without computer-aided tools. One common aspect of all safety critical systems is that they must respond under stringent real-time constraints. That is, their correctness depends not only on how concurrent components interact, but also on the time at which these interactions occur. In addition, these systems are costly to prototype, requiring careful prediction of timing properties before implementation and evaluation of design alternatives.

* This research was supported in part by DARPA/NSF CCR90-14621 and NSF CCR93-11622.
Although the verification problem is in general undecidable, there exist several automatic verification and analysis techniques for finite state systems. Such techniques are usually based on state space exploration: they first identify the set of states that are reachable from the initial states and then analyze this set for verification. Such techniques exist for proving absence of deadlock or livelock, for proving properties expressed in propositional temporal logic or real-time logic, and for determining trace equivalence, testing preorder or bisimulation equivalence, etc.
The major weakness of the state space exploration based approach is that the size of the state space grows exponentially with the number of processes, which creates the state space explosion problem. In addition, the approach is only applicable to systems with finitely many states, whereas a real-time system has infinitely many states due to the time domain. There have been several efforts to construct a finite reachability graph from a real-time system [13, 11, 8, 2]. Real time is modeled using a discrete time model (e.g., the set of non-negative integers) or a dense time model (e.g., the set of non-negative real numbers). Many of them assume a discrete domain for time. However, reachability analysis based on the discrete time model may fail to detect some states that are reachable in the real world, where time is dense [1]. That is, the results (behaviors) obtained in the dense time model can differ from those in the discrete time model. For real-time systems with dense time, there is little work on timed reachability analysis. This paper describes our approach to constructing a timed reachability graph on a dense time model. Our approach is to develop a technique for generating a finite representation of the reachable states (called a timed reachability graph) for a real-time system by clustering a possibly infinite set of states that share reachability and timing properties.
Our model for a real-time system is the timed automaton introduced in [2]. In a timed automaton, the time domain is dense and various timing constraints can be expressed. It has a finite set of states (control locations) and a finite set of real-valued clocks. The transitions may depend on the values of the clocks and can reset some of the clocks. The values of the clocks increase at the same speed with time. Our goal is to develop a technique to construct an efficient timed reachability graph of the timed automaton.
Timed automata have been extensively studied for verification of real-time systems [6, 4, 3, 15, 10]. Most of the verification algorithms are based on a region graph [2], which is a reachability graph of a timed automaton. At any point in time, the global state of a timed automaton is given by the current state and the clock valuation. The state space has infinitely many global states due to the time domain. A region graph is a finite representation of the state space obtained by merging states that are equivalent in some sense into a region. However, the region graph suffers from state explosion [2]. Our approach to cope with the state explosion problem is to omit clock valuations from global states. We believe that, in most cases, including clock valuations in the global states causes the state explosion. In our timed reachability graph, timing information is captured by relative time relations between the times at which transitions are taken. In our experience, the size of the timed reachability graph is much smaller than the size of the region graph. In this paper, we describe an algorithm for constructing the timed reachability graph. In particular, we develop a precise notion of equivalence that we use for clustering states. We also present an algorithm for computing the following real-time property from the timed reachability graph: the minimum and maximum time bounds between executions of any two given actions. This property can be used to predict timing properties of the system.
The paper is organized as follows. In Section 2, we overview other methods related to our work. Section 3 presents the syntax and semantics of the timed automaton. In Section 4, we describe our algorithm for generating the reachability graph from a given timed automaton. Section 5 gives an algorithm for computing the minimum and maximum time bounds between two actions. In Section 6, we discuss and compare our approach with related work through a railroad crossing example. In Section 7, we conclude the paper with current and future research issues.

2 Related Work
Reachability analysis constructs a state-transition model of a system by generating all reachable states from the initial state. The state-transition model is called a reachability graph. Suppose a transition $s \xrightarrow{x < 3,\ a?} s'$, where $a?$ is a receive action through channel $a$. If the current valuation of $x$ is 3 or more at state $s$, or the synchronization counterpart cannot send a message through $a$, then $s'$ is unreachable. In real-time systems, a state can be unreachable due to timing constraints. Although timing constraints have different expressions in different models, the property that time increases uniformly and unboundedly is the same. Therefore, the number of global states in which information related to time is encoded can be infinite. One of the most important problems in timed reachability analysis is to construct a finite timed reachability graph of the given system by clustering states that are equivalent in some sense. The domain of time is either discrete or dense. Many real-time models [13, 11, 8] follow discrete time semantics since it is easier to handle and analyze. Their algorithms to construct a timed reachability graph generate the successors of the current state by increasing time by one unit (or some number of units) at each step during construction of the timed reachability graph. For real-time systems with dense time, there is little work on timed reachability analysis. The most successful method is proposed by Alur et al. [2]. We now discuss and compare existing timed reachability analysis methods.
In Communicating Real-time State Machines (CRSMs) [13], a system consists of a set of CRSMs connected with one-to-one communication channels. Each CRSM has a finite set of data variables, control locations (called states) and transitions. Transitions consist of an enabling condition, an action, a transformation function and lower and upper time bounds. There are two kinds of actions: communication and internal actions. The behaviors of the global system are time-stamped traces of actions. Raju [12] gives a method to generate a reachability graph representing the behaviors. In the reachability graph, each node consists of the current location of each CRSM, the variable valuation, and the time spent by each CRSM in its current location. Each edge is labeled with the set of actions executed and the time gap between nodes. Successors of each node are generated according to the earliest possible execution time, i.e., maximal parallelism. The domain of each variable is restricted to be finite, and thus the number of possible variable valuations is finite. The time spent by each CRSM labeling a node can be distinguished using $(1 + c)$ different values, where $c$ is the largest value (not including $\infty$) of the upper bounds of transitions from its current location. The finite valuations of variables and time information result in the finiteness of the reachability graph.
Timed Transition Models (TTMs) were proposed to model real-time systems by Ostroff [11]. In TTMs, time is modeled using an external and conceptual global clock which ticks infinitely often. A TTM has variables including a special variable which represents the current location of the system. Transitions consist of an enabling condition, a transformation function and lower and upper time bounds. Unlike CRSMs, there is no concept of actions. When several TTMs are composed, interleaving semantics is used rather than maximal parallelism. In the reachability graph, each node consists of a history field as well as the current variable valuation. The history field represents the currently enabled transitions and pending transitions with their current time bounds. Each edge represents a transition which is either one of the enabled transitions in the source node or the tick transition representing a unit of time passage. With a tick transition, the current time bounds of the transitions in the history field are decreased by one down to zero. Therefore, there are $(c + 1)$ different values, similar to CRSMs, where $c$ is the largest value appearing in the enabling conditions of the transitions. As long as a TTM has a finite number of valuations, the reachability graph is finite.
Modechart [8] is a graphical specification language for real-time systems. A Modechart specification consists of modes that can run in parallel or sequentially. A mode contains at most one action executed for some amount of time (lower and upper time bounds are given). A mode transition between sequential modes is labeled with enabling conditions over events or lower and upper time bounds. A computation is an assignment of times to events. The computations of a system can be given as a directed tree (called a computation tree) whose paths correspond to the computations. In the computation tree, each node represents an event occurrence, not a control location (mode), and each edge represents a causality. The timing information is maintained using a weighted graph called a separation graph whose weights represent lower and upper time bounds between nodes. For a finite representation of the computation tree, the computation graph is generated by collapsing the equivalent nodes in the tree. Here, two nodes are equivalent if the computation trees from the nodes have the same structure. The resulting computation graph is finite since there are finitely many distinguishable nodes in a computation tree. A difficulty of constructing the computation graph is that it is required to put in deadlines not explicitly specified in the specification. As an example, if a successor can occur zero or more time units after the current node, the successor is divided into two nodes: one node with deadline 0 and another with delay 1, due to broadcast communication in which a transition of a node can be triggered by events executed by its predecessors with zero time distance [14].
A timed automaton, introduced in [2], is a timed extension of the well-known finite automaton. It has a finite set of states (control locations) and a finite set of real-valued clocks. The transitions may depend on the values of the clocks and can reset some of the clocks. The values of the clocks increase at the same speed with time. Timed automata have dense time semantics, unlike CRSMs, TTMs, and Modechart. Because there can be an arbitrary number of clock variables and transitions can reset any subset of the clock variables, the time-dependent behaviors of a real-time system can be expressed. In a timed automaton, at any point in time the global state can be described by the current state and the clock valuation. The system has infinitely many global states due to the time domain. Alur et al. [2] provide an equivalence relation over clock valuations: two valuations are equivalent if the integral parts of each clock are the same and the orderings of the fractional parts of all the clocks are the same. Alur et al. construct a finite reachability graph called a region graph by merging the equivalent global states into a region. The region graph has size exponential in the number of clocks and the size of the constants that appear in the enabling conditions of the transitions [2]. In [4], regions having the same reachability are clustered and the resulting graph is called a minimal region graph. But even the minimal region graph has exponential size.
In our approach, the timed reachability graph consists of nodes corresponding to reachable states and edges corresponding to transitions of the timed automaton. Clock valuations are ignored, and the edges (i.e., transitions) are augmented with relative time relations to capture the timing information. Testing the reachability of a state while generating the graph can be done by testing the satisfiability of all relations on the path up to the state. We develop a notion of equivalence of nodes such that two nodes are equivalent if they share reachable states and timing properties. The finiteness of the timed reachability graph comes from the finiteness of the sets of equivalent nodes. An advantage of our approach is that the size of the resulting timed reachability graph is much smaller than a region graph (even when compared to a minimal region graph). Moreover, the explicit timing relations give a straightforward way to construct the timed reachability graph and the power to analyze timing properties directly from the graph. In a region graph, a region loses time information by encoding time information into a state and merging states into the region. In [2], to keep track of a desired timing property, a new clock is introduced and then the region graph is refined with respect to that clock. Courcoubetis [6] gives an algorithm over a region graph to compute the timing gap between two regions; the result is given as a function of $\delta$ for $\delta \ll 1$, that is, an imprecise value with deviation $\delta$.

Figure 1: A simple timed automaton

3 Timed Automata

A timed automaton [2, 3, 4] has a finite set of clocks to express timing constraints in a real-time system. The values of all the clocks increase uniformly at a state and can be reset to zero on a transition. A transition can be taken if the current values of the clocks satisfy its enabling condition. On the transition, its associated action is executed and its associated clocks are reset. For example, the timed automaton in Figure 1 represents a system with clocks $x$ and $y$. The system starts at the initial state $s_0$. The values of clocks $x$ and $y$ are initially zero and increase at the same speed. The clock $x$ is reset on transition $\tau_1$. At any instant, the value of $x$ equals the time elapsed since the last time $\tau_1$ was taken. Thus, $\tau_1$ can be taken at least 4 seconds after either the start of the system or the last execution of $\tau_1$. On the other hand, since the clock $y$ is never reset by any transition, $\tau_2$ can be executed only within 6 seconds after the system started.

Let $\mathbb{N}$ be the set of non-negative integers, and $\mathbb{R}$ be the set of non-negative real numbers. For simplicity, we restrict an enabling condition to a conjunction of $x * c$ for $x \in X$ and $*$ to be $\le$ or $\ge$. We use the definition of a timed automaton in [3].

Definition 3.1 A timed automaton $M$ is a tuple $(S, s_{init}, X, \Sigma, T)$, where
1. $S$ is a finite set of states (control locations),
2. $s_{init} \in S$ is the initial state,
3. $X$ is a finite ordered set of clocks,
4. $\Sigma$ is a finite set of actions,
5. $T \subseteq S \times E_C \times 2^X \times \Sigma \times S$ is a transition relation, where $E_C$ is the set of enabling conditions built using the boolean connectives over the atomic formulas of the form $x * c$ for $x \in X$ and $c \in \mathbb{N}$.

We define the following functions for convenience:
$\pi_1 : T \to E_C$ is the projection of a transition to its enabling condition.
$\pi_2 : T \to 2^X$ is the projection of a transition to the set of clocks that are reset.
$\pi_3 : T \to \Sigma$ is the projection of a transition to its action.

For a transition $\tau \in T$, if the current clock valuation satisfies the enabling condition $\pi_1(\tau)$, then the system may take the transition. On the transition, the system resets all clocks in $\pi_2(\tau)$ to zero, performs action $\pi_3(\tau)$, and moves to the next state, instantaneously.
Let $\vec{x} \in \mathbb{R}^k$ represent a valuation of the clocks, and let $\vec{\delta}$ represent the tuple $(\delta, \ldots, \delta) \in \mathbb{R}^k$ for $\delta \in \mathbb{R}$, where $k$ is the number of clock variables. The formal semantics of a timed automaton is given by executions as follows:

Definition 3.2 An execution of a timed automaton $M = (S, s_{init}, X, \Sigma, T)$ is defined as a finite or infinite sequence
$$(s_0, \vec{x}_0, t_0) \xrightarrow{\tau_1} (s_1, \vec{x}_1, t_1) \xrightarrow{\tau_2} (s_2, \vec{x}_2, t_2) \cdots$$
satisfying the following properties:

Initialization: $s_0 = s_{init}$, $\vec{x}_0 = \vec{0}$, $t_0 = 0$.

Succession: for all $i$, let $\delta_{i-1} = t_i - t_{i-1}$. Then $(\vec{x}_{i-1} + \vec{\delta}_{i-1})$ satisfies $\pi_1(\tau_i)$, and
$$\vec{x}_i(x) = \begin{cases} 0 & \text{if } x \in \pi_2(\tau_i) \\ (\vec{x}_{i-1} + \vec{\delta}_{i-1})(x) & \text{otherwise.} \end{cases}$$

Note that $t_i$ represents the time when the system control moves from $s_{i-1}$ to $s_i$, that is, the time when transition $\tau_i$ is taken.
When we analyze a system, we are usually interested in (observable) behaviors, not in the
valuations of clocks.

Definition 3.3 A behavior of $M$ is a sequence $((a_1, t_1), (a_2, t_2), \ldots)$ such that there exists an execution $(s_0, \vec{x}_0, t_0) \xrightarrow{\tau_1} (s_1, \vec{x}_1, t_1) \xrightarrow{\tau_2} (s_2, \vec{x}_2, t_2) \cdots$ in $M$ and $a_1 = \pi_3(\tau_1)$, $a_2 = \pi_3(\tau_2)$, $\ldots$.
In Figure 1, a finite sequence

is an execution of the automaton and its behavior is $((a, 4.5), (b, 5), (c, 6))$. An infinite behavior
$((a, 5.8), (b, 7.1), (a, 11.5), (b, 20.5), (a, 21.8), (b, 22.5), \ldots)$
can be obtained from an execution,

of the automaton.
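The execution semantics of Definition 3.2 and the behaviors of Definition 3.3, replayed on the Figure 1 automaton, as an added example (not code from the paper). The automaton is reconstructed from the text: $\tau_1$ is $s_0 \to s_1$ on action $a$ with guard $x \ge 4$ and reset of $x$, $\tau_2$ is $s_0 \to s_2$ on $c$ with guard $y \le 6$, and the transition $s_1 \to s_0$ on $b$ with no guard (called $\tau_3$ below) is assumed, since the text only shows $b$ following each $a$. State names and the `behaviour` helper are this example's own.

```python
"""Executions (Definition 3.2) and behaviours (Definition 3.3) of the Figure 1
timed automaton.  Added example; the automaton is reconstructed from the text."""

# Constructed Figure 1 automaton: name -> (source, guard atoms, clocks reset, action, target).
# A guard is a conjunction of (clock, op, constant) atoms with op in {">=", "<="}.
# tau3 (b, no guard, s1 -> s0) is ASSUMED from the behaviours quoted in the text.
AUTOMATON = {
    "tau1": ("s0", [("x", ">=", 4)], {"x"}, "a", "s1"),
    "tau2": ("s0", [("y", "<=", 6)], set(), "c", "s2"),
    "tau3": ("s1", [], set(), "b", "s0"),
}
CLOCKS = ("x", "y")
INIT = "s0"


def satisfies(valuation, guard):
    """Enabling condition pi_1(tau): every atom x * c holds on the valuation."""
    return all((valuation[x] >= c) if op == ">=" else (valuation[x] <= c)
               for x, op, c in guard)


def behaviour(steps):
    """steps = [(tau, t), ...] with t the absolute time at which tau is taken.

    Replays the Succession rule: clocks advance by delta = t_i - t_{i-1}, the guard
    must hold on the advanced valuation, clocks in pi_2(tau) are reset to zero and
    control moves to the target state.  Returns the behaviour ((a_1, t_1), ...) of
    Definition 3.3, or None if the steps do not form an execution."""
    state, val, t_prev = INIT, {x: 0.0 for x in CLOCKS}, 0.0   # Initialization
    out = []
    for tau, t in steps:
        src, guard, resets, action, dst = AUTOMATON[tau]
        delta = t - t_prev
        if delta < 0 or src != state:            # time must not run backwards; tau must leave state
            return None
        advanced = {x: v + delta for x, v in val.items()}
        if not satisfies(advanced, guard):        # (x_{i-1} + delta_{i-1}) must satisfy pi_1(tau_i)
            return None
        val = {x: 0.0 if x in resets else v for x, v in advanced.items()}
        state, t_prev = dst, t
        out.append((action, t))
    return out


if __name__ == "__main__":
    print(behaviour([("tau1", 4.5), ("tau3", 5), ("tau2", 6)]))   # [('a', 4.5), ('b', 5), ('c', 6)]
    print(behaviour([("tau1", 3.0)]))                              # None: x = 3 < 4
    print(behaviour([("tau1", 4.5), ("tau3", 5), ("tau1", 9),
                     ("tau3", 9), ("tau2", 9)]))                   # None: y = 9 > 6
```

The third call shows why $n_8$ of Figure 2(a) is unreachable: after two rounds of $\tau_1 \tau_3$ at least 8 time units have passed, so $y \le 6$ can no longer hold.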

4 Timed Reachability Graph Generation

In this section, we present how to generate the timed reachability graph, on which our analysis
algorithm is applied. First, we introduce a timed reachability tree whose paths correspond to
executions of a timed automaton and develop an equivalence relation between nodes. We then
give an algorithm that computes the timed reachability graph by clustering equivalent nodes
in the reachability tree.

4.1 The Timed Reachability Tree

The executions of a timed automaton can be given as a directed tree, called a reachability tree, in which nodes correspond to states and edges correspond to transitions. To capture timing relations, edges are augmented with timing constraints derived from the clocks of the timed automaton. As an example, consider the timed automaton in Figure 1. The corresponding reachability tree is shown in Figure 2(a). For an edge $e$, let $@(e)$ denote the variable representing the time when the system executes $e$ (precisely, the transition corresponding to $e$). The timing information of the timed automaton is given as relative time relations between edges: e.g., $@(e_1) \ge @(e_0) + 4$ means that the system executes $e_1$ at least 4 time units after it executes $e_0$. Since two transitions $\tau_1$ and $\tau_2$ exist from state $s_0$, two outgoing edges are possible from $n_0$, $n_3$, $n_6$, and so on. The enabling condition of $\tau_1$ is $x \ge 4$ and $x$ is reset on the execution of $e_1$, $e_4$, $e_7$, and so on. Consider the node $n_6$. Here, the system can execute $e_7$ at least 4 time units after $@(e_4)$, that is, the timing relation of $e_7$ is $@(e_7) \ge @(e_4) + 4$. On the other hand, the enabling condition of $\tau_2$ is $y \le 6$ and $y$ is reset only on $e_0$. But the relation $@(e_8) \le @(e_0) + 6$ cannot be satisfied, since the system enters node $n_6$ at least 8 time units after it enters $n_0$ due to edges $e_1$ and $e_4$. Thus, node $n_8$ is unreachable and is not included in the tree.
Before we define a reachability tree formally, we introduce some notation. For a transition $\tau \in T$, $source(\tau)$ and $target(\tau)$ denote the source and target state of the transition, respectively. Similarly, for an edge $e$, $source(e)$ and $target(e)$ denote the source and target node of the edge, respectively. For an edge $e$, $Reach(e)$ denotes the sequence of edges on the path from the root up to $e$. In Figure 2(a), $Reach(e_7) = e_0 e_1 e_3 e_4 e_6 e_7$. Suppose a transition $\tau$ has an enabling condition $\bigwedge_{1 \le i \le l} (x_i * c_i)$ for $l \in \mathbb{N}$, $x_i \in X$ and $c_i \in \mathbb{N}$. For an edge $e$ with $\mu_2(e) = \tau$ and a sequence $seq = e_0 e_1 \ldots e_m$ of edges, $timerel(e, seq) = \bigwedge_{1 \le i \le l} (@(e) * @(e_{z_i}) + c_i)$ such that $e_{z_i}$ is the last edge in $seq$ that resets $x_i$. That is, $timerel$ transforms timing constraints over clocks in the timed automaton into relative time relations between edges in the reachability tree. In Figure 2(a), $timerel(e_4, e_0 e_1 e_3)$ is $@(e_4) \ge @(e_1) + 4$ because the timing constraint related to $e_4$, i.e., $\pi_1(\mu_2(e_4))$, is $x \ge 4$ and $x$ is reset on transition $\mu_2(e_1)$, not on transition $\mu_2(e_3)$.

We now define reachability trees. We assume an initial transition $\tau_{init}$ with $\pi_2(\tau_{init}) = \{x \mid x \in X\}$, i.e., all clocks are reset on the initial edge.

Figure 2: A Timed Reachability Tree and Graph. (a) A Reachability Tree. (b) A Reachability Graph.

Definition 4.1 For a timed automaton $M = (S, s_{init}, X, \Sigma, T)$, the corresponding reachability tree is a directed tree $G = (N, n_{init}, E, \mu_1, \mu_2, \mu_3)$, where
1. $N$ is a set of nodes,
2. $n_{init}$ is the root with $\mu_1(n_{init}) = s_{init}$,
3. $e_{init}$ is the initial edge with $\mu_2(e_{init}) = \tau_{init}$ and $\mu_3(e_{init}) = true$,
4. $E \subseteq N \times T \times N$ is a set of edges,
5. $\mu_1 : N \to S$ is a function that maps a node to a state,
6. $\mu_2 : E \to T$ is a function that maps an edge to a transition,¹
7. $\mu_3$ is a function that maps an edge to a timing constraint between nodes,
satisfying that for every execution $(s_0, \vec{x}_0, t_0) \xrightarrow{\tau_1} (s_1, \vec{x}_1, t_1) \xrightarrow{\tau_2} (s_2, \vec{x}_2, t_2) \cdots$, there exists a sequence $e_0 n_0 e_1 n_1 e_2 n_2 \cdots$ such that $\mu_1(n_i) = s_i$, $\mu_2(e_i) = \tau_i$, and $\mu_3(e_i) = timerel(e_i, e_0 e_1 \ldots e_{i-1})$ for all $i$.

For a node $n_i$, we say that $n_i$ is reachable through the sequence $e_0 e_1 \ldots e_{i-1} e_i$.

Lemma 4.1 For a sequence $e_0 e_1 e_2 \ldots e_k$ of edges in $G$, the condition
$$\Big(\bigwedge_{1 \le j \le k} timerel(e_j, e_0 \cdots e_{j-1})\Big) \wedge \Big(\bigwedge_{1 \le j \le k} (@(e_{j-1}) \le @(e_j))\Big)$$
$$= \Big(\bigwedge_{1 \le j \le k} \bigwedge_{1 \le i \le l_j} (@(e_j) * @(e_{z_{ji}}) + c_{ji})\Big) \wedge \Big(\bigwedge_{1 \le j \le k} (@(e_{j-1}) \le @(e_j))\Big)$$
is satisfiable, where $\pi_1(\mu_2(e_j)) = \bigwedge_{1 \le i \le l_j} (x_{ji} * c_{ji})$ and $e_{z_{ji}}$ is the last edge in $e_0 \cdots e_{j-1}$ that resets $x_{ji}$.

Proof. The proof follows from Definition 3.2 and Definition 4.1.

The satisfiability of the above condition means that the target node of $e_k$, $target(e_k)$, is reachable through the sequence $e_0 e_1 \ldots e_k$. The first part of the condition says that the enabling conditions are satisfied and the second part indicates that the time ordering is preserved. The following lemma ensures that behaviors of the timed automaton can be obtained from the corresponding reachability tree.
The following lemma insures that behaviors of the timed automaton can be obtained from
the corresponding reachability tree.

Lemma 4.2 For a timed automaton $M$ and the corresponding reachability tree $G$, suppose there is a sequence $e_0 e_1 e_2 \ldots$ from the root in $G$. For every timed sequence $t_0 t_1 t_2 \ldots$ such that $t_0 = 0$ and $t_i \le t_{i+1}$, if $\mu_3(e_i)[@(e_0)/t_0, @(e_1)/t_1, @(e_2)/t_2, \ldots]$ is true for all $i$, then the sequence

is a behavior in $M$.

Proof. This follows immediately from Definition 3.3, Definition 4.1 and Lemma 4.1.

For the sequence $e_0 e_1 e_3 e_5$ of the reachability tree in Figure 2(a), $\mu_3(e_1) \wedge \mu_3(e_3) \wedge \mu_3(e_5)$ is equal to the condition $@(e_1) \ge @(e_0) + 4 \wedge true \wedge @(e_5) \le @(e_0) + 6$. Since the condition is satisfiable (e.g., $@(e_0) := 0$, $@(e_1) := 4.5$, $@(e_3) := 5$, and $@(e_5) := 6$), node $n_5$ is reachable and $((a, 4.5), (b, 5), (c, 6))$ is a behavior of the timed automaton.

¹ This component has redundant information with $E$, but it is added for convenience.

4.2 The Timed Reachability Graph

Suppose a timed automaton $M$ and its corresponding reachability tree $G$. Since $G$ may have infinitely many nodes and edges, we need to construct its finite representation, a timed reachability graph. Our approach to generating the timed reachability graph is to cluster a (possibly infinite) set of nodes that have the same reachability property.

Definition 4.2 For a reachability tree $G = (N, n_{init}, E, \mu_1, \mu_2, \mu_3)$, a binary relation $R \subseteq N \times N$ is an r-equivalence relation if for every $(n_1, n_2) \in R$,
1) the two nodes are labeled with the same state ($\mu_1(n_1) = \mu_1(n_2)$), and
2) for every edge $e_1$ with $source(e_1) = n_1$, there exists $e_2$ such that $source(e_2) = n_2$, $\mu_2(e_1) = \mu_2(e_2)$ and $(target(e_1), target(e_2)) \in R$, and vice versa.
If two nodes $n$ and $n'$ are in some r-equivalence relation $R$, $n$ and $n'$ are said to be equivalent with respect to reachability, denoted by $n \sim_T n'$.

For a reachability tree $G$, we define some notation as follows. For two edges $e_1$ and $e_2$ with $@(e_1) \le @(e_2)$, let $distance(e_1, e_2)$ represent the earliest time of the execution of $e_2$ after $e_1$ was executed, and $distance(e_2, e_1)$ represent the earliest time of the execution of $e_1$ before the execution of $e_2$. For a clock $x$ and an edge $e_2$, $distance(x, e_2)$ is defined as the earliest time of the execution of $e_2$ after $x$ was reset. Note that if $e_1$ is the last edge in $Reach(e_2)$ that resets $x$, then $distance(x, e_2)$ is equal to $distance(e_1, e_2)$. For a clock $x$ and a set $T_s \subseteq T$ of transitions, let $c(x, T_s)$ be the largest constant that is compared with $x$ in all of the enabling conditions of the transitions in $T_s$.

Definition 4.3 For two nodes $n$ and $n'$ in $G$ such that $\mu_1(n) = \mu_1(n')$, let $e$ and $e'$ be the incoming edges of $n$ and $n'$, respectively. For a set $T_s \subseteq T$, let $X_s = \{x_1, \ldots, x_k\}$ be the set of clocks appearing in the enabling conditions in $T_s$. Let $e_{z_i}$ be the last edge in $Reach(e)$ that resets $x_i$ and $e'_{z_i}$ be the last edge in $Reach(e')$ that resets $x_i$. Let $d = \max\{c(x_i, T_s) \mid x_i \in X_s\}$. The r-equivalence condition for $n$ and $n'$ over $T_s$ is defined as follows:
1. for all $i$, either
$distance(x_i, e) > c(x_i, T_s)$ and $distance(x_i, e') > c(x_i, T_s)$, and
2. for all $i$ and $j$ such that $distance(x_i, e) \le c(x_i, T_s)$ and $distance(x_j, e) \le c(x_j, T_s)$, either $distance(e_{z_i}, e_{z_j}) = distance(e'_{z_i}, e'_{z_j})$ or $distance(e_{z_i}, e_{z_j}) < -d$ and $distance(e'_{z_i}, e'_{z_j}) < -d$.

Lemma 4.3 For two nodes $n$ and $n'$ in $G$ such that $\mu_1(n) = \mu_1(n')$, if the r-equivalence condition for $n$ and $n'$ over $T$ holds, then $n \sim_T n'$.

Proof. Let us construct a set $R \subseteq N \times N$. Initially, $R = \{(n, n')\}$. For $(n_1, n_1') \in R$ and for every $e_1, e_1'$ such that $source(e_1) = n_1$, $source(e_1') = n_1'$ and $\mu_2(e_1) = \mu_2(e_1')$, let $R := R \cup \{(target(e_1), target(e_1'))\}$. We now show that $R$ is an r-equivalence relation. For all $(n_1, n_1') \in R$, the r-equivalence condition holds, since the condition holds for $(n, n')$ and its descendants preserve the condition by r-equivalence condition 2 (with $T_s = T$). For every $e_1$ such that $source(e_1) = n$, there exists $e_1'$ such that $source(e_1') = n'$ and $\mu_2(e_1) = \mu_2(e_1')$ by r-equivalence condition 1, and vice versa. Thus, $R$ is an r-equivalence relation, that is, $n \sim_T n'$.

We can cluster equivalent nodes using Lemma 4.3. Note that if we can find an r-equivalence that equates more nodes, then the resulting reachability graph becomes much smaller. To find such an r-equivalence, we use the following observation: since we only need to consider transitions whose enabling conditions depend on the values of the clocks in a node $n$, it may be possible to use a $T_s$ (in Definition 4.3) that is a proper subset of $T$. For a node $n$ and a transition $\tau$, the values of the clocks in $n$ do not affect $\tau$ if $\tau$ is in one of the following cases:
1. $\tau$ is unreachable from state $\mu_1(n)$, that is, there is no path from state $\mu_1(n)$ to a state whose outgoing transitions include $\tau$.
2. For every path from state $\mu_1(n)$ to a state whose outgoing transitions include $\tau$, each clock used in the enabling condition of $\tau$ is reset to zero by some transition along the path.
Based on the above facts, we provide weaker conditions to equate two nodes as follows. For a node $n$, let $RT(n)$ denote the set of transitions in $T$ which are not in the above cases. That is, $RT(n)$ includes only transitions $\tau$ such that $\tau$ is reachable from $\mu_1(n)$ and there is a path from $\mu_1(n)$ to $\tau$ along which some clock used in $\tau$ is not reset.

Lemma 4.4 For two nodes $n$ and $n'$ in $G$ such that $\mu_1(n) = \mu_1(n')$, if the r-equivalence condition for $n$ and $n'$ over $RT(n)$ holds, then $n \sim_T n'$.

Proof. This can be proved similarly to Lemma 4.3.
In a reachability graph, timing constraints are expressed in the form @(e) * @{e_1, ..., e_l} + c rather than @(e) * @(e_1) + c, since multiple paths reaching e can exist due to cycles. A timing constraint @(e) ≤ @{e_1, e_2} + 5 means that the time when the system executes e is less than or equal to the last time when the system executed e_1 or e_2, plus 5.
We now present an algorithm that constructs a reachability graph of a given timed automaton. The algorithm is given in Figure 3. In the algorithm, Step 1 is an initialization. N is the set of nodes and E the set of edges in G. Unexplored is the set of nodes which still need to be tested for whether an equivalent node exists in N. It is implemented using a queue in order to explore the reachability graph by breadth first search. BackEdge is the set of back-edges which make cycles in the graph. Step 2 repeats as long as there is at least one unexplored reachable node. In Step 2A, if there exists a node n' satisfying the conditions of Lemma 4.4, then the selected node n is removed and the edge leading to n is redirected to the equivalent node n'. In Step 2B, if there is no such node, then the selected node n is added to N. Nodes corresponding to states immediately reachable from p1(n) are created and added to Unexplored. After the while loop, Step 3 adjusts timing constraints in edges reachable from BackEdge. For each e ∈ BackEdge and each e_1 ∈ E, if e_1 is reachable from e and its timing constraint @(e_1) * @{...} + c is affected by e'' ∈ Reach(e), then e'' is added to the constraint, giving @(e_1) * @{..., e'', ...} + c.

1. N := ∅; E := ∅;
   create the initial node n_init such that p1(n_init) = s_init;
   Unexplored := {n_init};
2. while Unexplored ≠ ∅ do
     pick and remove a node n from Unexplored;
2A   if there exists a node n' in N such that n ~_T n' then
       remove the incoming edge e of n from E;
       create an edge e' with source(e') := source(e), target(e') := n',
         p2(e') := p2(e), p3(e') := p3(e)[e/e'];
       add e' into E and BackEdge;
2B   else
       add n into N;
       for every outgoing transition τ ∈ T of the corresponding state of n, p1(n) do
         create a node n' with p1(n') := target(τ);
         if n' is reachable then
           add n' into Unexplored;
           create an edge e' with source(e') := n, target(e') := n', p2(e') := τ,
             p3(e') := time-rel(π1(τ), e', Reach(e));
           add e' into E;
       end for
   end while
3. for every edge e reachable from BackEdge do
     update the timing relation p3(e) appropriately;
   end for

Figure 3: Reachability Graph Construction Algorithm

Lemma 4.5 The reachability graph generated from the above algorithm is finite.

Proof. Considering Lemma 4.3, distance(x_i, e) is represented by at most (c(x_i) + 2) different values and distance(x_i, x_j) is represented by at most (d + 2)^2 different values. Since the reachability graph generated using Lemma 4.4 is smaller than the one generated using Lemma 4.3, the algorithm generates a finite reachability graph.
We illustrate the algorithm using the timed automaton in Figure 1 as an example. The timed reachability graph generated from the algorithm is shown in Figure 2(b). Initially, N := ∅, E := {e_0}, Unexplored := {n_0} and BackEdge := ∅. Each step represents one execution of the while-loop body in Step 2.
1. Select n_0 from Unexplored. After executing Step 2A, N := {n_0}, Unexplored := {n_1, n_2}, E := {e_0, e_1, e_2}.
2. For n_1, n_2 ∈ Unexplored, process Step 2. Then N := {n_0, n_1, n_2}, Unexplored := {n_3}, E := {e_0, e_1, e_2, e_3}.
3. For n_3, check whether it is equivalent to n_0. RT(s_0) = {τ_1, τ_2, τ_3}, RX(s_0) = {x, y}, and c(y, RT(s_0)) = 6. Since distance(y, e_0) = 0 and distance(y, e_3) = 4, n_0 ≁_T n_3. Thus, N := {n_0, n_1, n_2, n_3}, Unexplored := {n_4, n_5} and E := {e_0, e_1, e_2, e_3, e_4, e_5}.
4. Considering n_4, RT(s_1) = {τ_2}, RX(s_1) = {y}, and c(y, RT(s_1)) = 6. n_4 is not equivalent to n_1 since distance(y, e_1) = 4 and distance(y, e_7) = 8. At the last, N := {n_0, n_1, n_2, n_3, n_4}, Unexplored := {n_5, n_6}, E := {e_0, e_1, e_2, e_3, e_4, e_5, e_6}.
5. Considering n_5, n_2 ~_T n_5. Thus, a new edge e'_5 such that p2(e'_5) = p2(e_5), p3(e'_5) = p3(e_5)[e_5/e'_5] is created. N := {n_0, n_1, n_2, n_3, n_4}, Unexplored := {n_6}, E := {e_0, e_1, e_2, e_3, e_4, e'_5, e_6}, and BackEdge becomes {e'_5}.
6. For n_6, check whether it is equivalent to n_0 or n_3. Since distance(y, e_6) = 8, n_0 ≁_T n_6 and n_3 ≁_T n_6 (see the step for n_3). N := {n_0, n_1, n_2, n_3, n_4, n_6}, Unexplored := {n_7}, E := {e_0, e_1, e_2, e_3, e_4, e'_5, e_6, e_7}.
7. For n_7, since distance(y, e_4) = 8 and distance(y, e_7) = 12 are both greater than c(y, RT(s_1)) and distance(x, e_4) = distance(x, e_7) = 0, n_4 ~_T n_7. Thus, we can remove the edge from n_6 to n_7 and put a back-edge e'_7 from n_6 to n_4 with p2(e'_7) := p2(e_7) and p3(e'_7) := p3(e_7)[e_7/e'_7]. That is, N := {n_0, n_1, n_2, n_3, n_4, n_6}, Unexplored := ∅, E := {e_0, e_1, e_2, e_3, e_4, e'_5, e_6, e'_7}, BackEdge := {e'_5, e'_7}.

In Step 3, there exist back-edges. Since x is reset on e'_7, the execution time of e'_7 may affect the execution time of the next reachable edges, e_6 and e'_7. The timing constraint of p2(e'_7) is x ≥ 4. Thus we augment the timing of e'_7 with @(e'_7) ≥ @{e_4, e'_7} + 4.
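The following Python, added here as an illustration and not part of the paper, encodes the two conditions of Definition 4.3 as a predicate and applies it, as Lemma 4.4 does over RT(n), to the data of steps 3 and 7 above. The distance values come from those steps; the dictionary representation of distances, the bound c(x, RT(s_0)) = 6 assumed for clock x, and the value d = 6 are this example's assumptions, since the paper does not state them for this example.

```python
# Added example (not from the paper): the r-equivalence test of Definition 4.3,
# applied as in Lemma 4.4 over RT(n).  The plain-dict input representation is this
# example's own assumption; the paper derives the distances from the weighted
# graph of the path leading to each node.

def r_equivalent(dist_n, dist_np, reset_n, reset_np, c, d):
    """Return True if nodes n and n' satisfy the r-equivalence condition.

    dist_n[x], dist_np[x]       : distance(x, e) / distance(x, e') for the incoming
                                  edges e of n and e' of n'
    reset_n[(x, y)], reset_np   : distance(e_x, e_y) between the edges on which x and
                                  y were last reset, for n and n' respectively
    c[x]                        : c(x, T_r), the largest constant x is compared with
    d                           : the constant d of condition 2
    """
    clocks = list(c)
    # Condition 1: for every clock, either both distances exceed the bound
    # (the exact value can no longer influence any enabling condition) or
    # the two distances agree exactly.
    for x in clocks:
        both_beyond = dist_n[x] > c[x] and dist_np[x] > c[x]
        if not (both_beyond or dist_n[x] == dist_np[x]):
            return False
    # Condition 2: for clocks still within their bound, the relative position of
    # their last resets must agree, or be further apart than d on both sides.
    within = [x for x in clocks if dist_n[x] <= c[x]]
    for x in within:
        for y in within:
            a, b = reset_n[(x, y)], reset_np[(x, y)]
            if not (a == b or (a < -d and b < -d)):
                return False
    return True


# Constructed inputs mirroring steps 3 and 7 of the paper's example.
# c(y, RT(s_0)) = c(y, RT(s_1)) = 6 are from the text; c(x) = 6 and d = 6 are assumed.
D_ASSUMED = 6


def step3_n0_vs_n3():
    """distance(y, e_0) = 0 but distance(y, e_3) = 4 (both within the bound 6),
    so condition 1 fails: n_0 and n_3 are not equivalent."""
    c = {"x": 6, "y": 6}
    dist_n0 = {"x": 0, "y": 0}
    dist_n3 = {"x": 0, "y": 4}
    same_resets = {("x", "x"): 0, ("y", "y"): 0, ("x", "y"): 0, ("y", "x"): 0}
    return r_equivalent(dist_n0, dist_n3, same_resets, same_resets, c, D_ASSUMED)


def step7_n4_vs_n7():
    """distance(y, e_4) = 8 and distance(y, e_7) = 12 both exceed c(y) = 6, and
    distance(x, e_4) = distance(x, e_7) = 0, so n_4 and n_7 are equivalent."""
    c = {"x": 6, "y": 6}
    dist_n4 = {"x": 0, "y": 8}
    dist_n7 = {"x": 0, "y": 12}
    reset_n4 = {("x", "x"): 0}   # only x is within its bound, so only (x, x) is consulted
    reset_n7 = {("x", "x"): 0}
    return r_equivalent(dist_n4, dist_n7, reset_n4, reset_n7, c, D_ASSUMED)
```

step3_n0_vs_n3() returns False and step7_n4_vs_n7() returns True, reproducing the decisions taken in steps 3 and 7; the second condition only becomes relevant when two clocks are both within their bounds and their last resets are ordered differently in the two nodes.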

Implementation Issue. A sequence e_1, e_2, ..., e_l is said to be closed if the edges appearing in the timing constraints from e_2 to e_l are included in the set of edges in the sequence. For a closed sequence of edges e_1, e_2, ..., e_l, the corresponding weighted graph W is defined as follows. The graph W includes nodes w_i corresponding to e_i for all 1 ≤ i ≤ l and weighted edges from w_i to w_{i+1} with weight 0 for all 1 ≤ i < l. The following weighted edges are also included in W: for each relation @(e_i) * {@(e_{i1}), @(e_{i2}), ..., @(e_{im})} + c in the timing constraint p3(e_i), suppose e_j is the nearest edge among e_{i1}, e_{i2}, ..., e_{im} backward from e_i in the given sequence. If * is ≤ then put an edge from w_i to w_j with weight c. If * is ≥ then put an edge from w_j to w_i with weight -c.

The value of distance(x, e) in Lemma 4.4 can be obtained by computing the maximum distance from an edge resetting clock x to e in the weighted graph of the path up to e. The reachability test (the satisfiability of the condition in Lemma 4.1) of a node n through a path seq = e_0, ..., e_l from the root can be done using the weighted graph W of seq as well as by symbolic computation. If the maximum weight distance(e_0, e_l) from e_0 to e_l is greater than or equal to zero, then n is reachable.

5 Minimum and Maximum Time Bounds Between Two Actions

An advantage of the reachability graph is that algorithms can be developed for proving properties of the graph, and this implies proving properties of the original system. In this section, we give a procedure to compute the earliest time and the latest time at which an action can succeed another one with respect to the reachability graph.
For two actions a and b, let min(a, b) and max(a, b) denote the earliest time and the latest time at which b can happen after a, respectively. For a sequence p, first(p) denotes the first element of p and last(p) denotes the last element of p. We give the algorithm shown in Figure 4 for computing min(a, b) and max(a, b) with respect to a given reachability graph. Step 1 finds all non-cyclic sequences p = e_1 e_2 ... e_k such that a is performed on e_1, and b is not performed during the intermediate steps and is performed on e_k. Step 2 finds the set Q of the least closed sequences containing p. The sequences can be computed by back-tracing the graph from e_1. Because of cycles in the graph, back-tracing from e_1 to find the least closed sequence including p may go on infinitely; thus, Step 2 may not terminate. We are currently investigating the termination of the procedure. For every q ∈ Q, the maximum weight from e_1 to e_k, d(e_1, e_k), is equal to the minimum time bound from a to b in q, and the absolute value of the maximum weight from e_k to e_1, d(e_k, e_1), is equal to the maximum time bound from a to b. In Step 3, d(e_1, e_k) and d(e_k, e_1) can be computed using the weighted graph corresponding to q. After Step 3, min(a, b) is the minimum of F_min and max(a, b) is the maximum of F_max. The minimum and maximum time bounds between two given states can be computed by slightly modifying the algorithm in Figure 4.

1. P := {(e_1 e_2 ... e_k) | non-cyclic, π3(p2(e_1)) = a, π3(p2(e_k)) = b, ∀ 1 < i < k. π3(p2(e_i)) ≠ b};
2. Q := ∅;
   for all p ∈ P do
     Q_1 := {q | q is the least closed sequence including p};
     for all q ∈ Q_1 do
       f(q) := first(p); l(q) := last(p);
     end for
     Q := Q ∪ Q_1;
   end for
3. for all q ∈ Q do
     construct the weighted graph corresponding to q;
     add d(f(q), l(q)) into F_min;
     add |d(l(q), f(q))| into F_max;
   end for
4. min(a, b) := minimum{F_min};
   max(a, b) := maximum{F_max};

Figure 4: Procedure for Computing min(a, b) and max(a, b)
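As an added example (our own code, not the paper's implementation), the following Python builds the weighted graph W of a closed edge sequence as described in the Implementation Issue paragraph of Section 4 and then performs Steps 3 and 4 of Figure 4 on it: the maximum-weight path d(e_1, e_k) gives the minimum bound and |d(e_k, e_1)| the maximum bound, and the reachability test of Lemma 4.1 becomes a check for a positive cycle. The arc direction and sign used here (a lower bound @(e_i) ≥ @(e_j) + c as an arc from w_j to w_i of weight c, an upper bound @(e_i) ≤ @(e_j) + c as an arc from w_i to w_j of weight -c) is this example's own encoding, chosen so that maximum-weight paths yield the bounds with the signs stated above. The linear event sequence and its constraints are constructed from the railroad crossing timing in Section 6, not taken from the edge numbering of Figures 6 and 7.

```python
# Added example (not the paper's code): weighted graph W of a closed sequence and
# the time-bound computation of Figure 4, Steps 3 and 4.  Encoding is this
# example's own: lower bound @(e_i) >= @(e_j) + c  ->  arc w_j -> w_i, weight  c
#                upper bound @(e_i) <= @(e_j) + c  ->  arc w_i -> w_j, weight -c
# so that the maximum-weight path d(e_j, e_i) is the least separation of e_i after
# e_j and |d(e_i, e_j)| the greatest.  A positive cycle means the constraints are
# unsatisfiable, i.e. the node reached by the sequence is not reachable.

NEG_INF = float("-inf")


class WeightedGraph:
    def __init__(self, sequence):
        self.nodes = list(sequence)
        self.index = {e: i for i, e in enumerate(sequence)}
        self.arcs = []                       # (from_index, to_index, weight)
        for i in range(len(sequence) - 1):   # sequence order: weight-0 chain
            self.arcs.append((i, i + 1, 0))

    def add_constraint(self, e_i, op, refs, c):
        """Encode @(e_i) op @{refs} + c with op in {'<=', '>='}; the reference
        used is the nearest member of refs backward from e_i in the sequence."""
        i = self.index[e_i]
        earlier = [self.index[r] for r in refs if r in self.index and self.index[r] < i]
        if not earlier:
            raise ValueError("sequence is not closed for %s" % e_i)
        j = max(earlier)
        if op == ">=":
            self.arcs.append((j, i, c))
        elif op == "<=":
            self.arcs.append((i, j, -c))
        else:
            raise ValueError("unknown relation %r" % op)

    def d(self, src, dst):
        """Maximum-weight path from w_src to w_dst (Bellman-Ford, maximising).
        Returns NEG_INF if w_dst is unreachable; raises on a positive cycle."""
        n = len(self.nodes)
        dist = [NEG_INF] * n
        dist[self.index[src]] = 0
        for _ in range(n - 1):
            changed = False
            for u, v, w in self.arcs:
                if dist[u] != NEG_INF and dist[u] + w > dist[v]:
                    dist[v] = dist[u] + w
                    changed = True
            if not changed:
                break
        for u, v, w in self.arcs:            # still relaxable: positive cycle
            if dist[u] != NEG_INF and dist[u] + w > dist[v]:
                raise ValueError("positive cycle: timing constraints unsatisfiable")
        return dist[self.index[dst]]


def time_bounds(graph, a, b):
    """(minimum, maximum) separation of b after a in one closed sequence."""
    return graph.d(a, b), abs(graph.d(b, a))


def is_reachable(graph):
    """Lemma 4.1 style test on the whole sequence: d(first, last) >= 0 and no
    positive cycle."""
    try:
        return graph.d(graph.nodes[0], graph.nodes[-1]) >= 0
    except ValueError:
        return False


def railroad_sequence():
    """Constructed one-cycle sequence using the Section 6 timing (in seconds)."""
    g = WeightedGraph(["approach", "lower", "down", "in", "exit", "raise", "up"])
    g.add_constraint("lower", ">=", ["approach"], 100)  # lower exactly 100 after approach
    g.add_constraint("lower", "<=", ["approach"], 100)
    g.add_constraint("down", "<=", ["lower"], 100)      # gate down within 100 of lower
    g.add_constraint("in", ">=", ["approach"], 200)     # train enters >= 200 after approach
    g.add_constraint("exit", "<=", ["approach"], 500)   # exit within 500 of approach
    g.add_constraint("raise", "<=", ["exit"], 100)      # raise within 100 of exit
    g.add_constraint("up", ">=", ["raise"], 100)        # gate up between 100 and 200
    g.add_constraint("up", "<=", ["raise"], 200)
    return g


def railroad_bounds():
    return time_bounds(railroad_sequence(), "down", "up")   # (100, 700)


def contradictory_sequence():
    """Same cycle, but additionally requiring the gate to take at least 150 to go
    down: with 'within 100' this forms a positive cycle, so the last node is
    reported unreachable."""
    g = railroad_sequence()
    g.add_constraint("down", ">=", ["lower"], 150)
    return g
```

railroad_bounds() returns (100, 700), the values Step 4 of Section 6 reports for min(down, up) and max(down, up); is_reachable(contradictory_sequence()) is False, which is how the reachability test of Lemma 4.1 shows up in the weighted graph.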

6 An Example: Railroad Crossing

The standard railroad crossing problem has been used to compare different formal methods for real-time systems [7]. Figure 5 shows an automatic controller that opens and closes a gate at a railroad crossing, presented in [3]. The system is formed as the composition of three components which execute in parallel and synchronize on the same action names. When a train approaches the crossing, it sends an approach signal to the controller and enters the crossing at least 200 seconds later. When a train leaves the crossing, it sends an exit signal to the controller. The exit signal should be sent within 500 seconds after the approach signal. The controller sends a signal lower to the gate exactly 100 seconds after the approach signal and sends a raise signal within 100 seconds after exit. The gate responds to lower and raise signals by moving down within 100 seconds and moving up between 100 and 200 seconds, respectively. These three components can be composed into a global timed automaton. From the automaton, we can compute the reachability graph as shown in Figure 6, where we compute a utility property: whenever the gate goes down, what are the earliest time and the latest time at which it is moved back up, that is, min(down, up) and max(down, up). They are computed as follows using the algorithm in Figure 4.

[Figure 5: Automata for Train, Gate, and Controller; the automata themselves are not reproduced in this text.]

Step 1. There are two non-cyclic sequences with the first action down and the last action up: p_1 = e_4 e_7 e_9 e_11 e_12 e_16 and p_2 = e_4 e_7 e_9 e_11 e_12 e_13 e_17.
Step 2. The least closed sequences containing p_1 and p_2 are p_11 = e_1 e_2 e_4 e_7 e_9 e_11 e_12 e_16, p_12 = e_12 e_13 e_17 e_2 e_4 e_7 e_9 e_11 e_12 e_16, p_21 = e_1 e_2 e_4 e_7 e_9 e_11 e_12 e_13 e_17, and p_22 = e_12 e_13 e_17 e_2 e_4 e_7 e_9 e_11 e_12 e_13 e_17.
Step 3. For the sequence p_11, Figure 7 shows the weighted graph, where min(e_4, e_16) = 100 and max(e_4, e_16) = 700. Similarly for p_12, p_21, and p_22.
Step 4. min(down, up) = 100 and max(down, up) = 700.
Courcoubetis and Yannakakis [6] give an algorithm to compute the minimum and the maximum time bounds between two states with respect to a region graph, whose complexity is proportional to the size of the region graph. For the railroad crossing example, the number of regions is greater than 10^7. Moreover, the algorithm gives the results as a function of ε << 1, since the precise time information is lost in a region graph. In [3], they verify a property: whenever the gate goes down, it is moved back up within K for some K. When K = 500, they construct a minimal reachable region graph whose number of regions is 412. Moreover, a different minimal graph must be computed for each different value of K in their approach. However, our approach generates the timed reachability graph with 15 nodes as shown in Figure 6. With min(down, up) = 100 and max(down, up) = 700, we can say that for 100 ≤ K ≤ 700, whenever the gate goes down, it is moved back up within K.

Figure 6: A Reachability Graph

Figure 7: Weighted Graphs

7 Conclusion

We have presented an algorithm to cope with the state explosion problem in generating the state space of a timed automaton. Our algorithm clusters a set of states that are equivalent under the notion of r-equivalence, which we have formally defined. In our experience, the timed reachability graph is much smaller than the minimal reachable region graph of [4]. To show the usefulness of the timed reachability graph, we have presented a procedure for computing the minimum and maximum time bounds between two actions. As an illustration, we have applied our technique to the well-known railroad crossing example.
Although the timed reachability graph presented in this paper is similar to the computation graph in [8], there are several differences. The underlying time domain of the computation graph is discrete. In the computation graph, each node represents a transition, not a state. While timing information in a computation graph is maintained separately using a weighted graph called a separation graph, we represent timing information using relative time relations between edges in the timed reachability graph. The relations make it possible to test a node's reachability using a symbolic operation in Lemma 4.1. Since a Modechart specification has no clocks, they have no equivalence condition comparing distances between clocks and thus have a simpler equivalence condition. In particular, timing information is defined only between two nodes that have an edge between them. This limitation is natural since in a Modechart specification, timing constraints can be expressed between two sequential modes with a transition.
The work described in this paper is part of our research in developing effective tools based on state space exploration [5]. So far, we have developed Communicating Timed State Machines (CTSM) as a formalism that can be used to design and implement analysis algorithms based on state-space exploration. CTSM is a state machine formalism including one-to-many communication, message passing, data variables, and real time. We have developed a minimization procedure with respect to bisimulation for states with arbitrary data variables [9]. For the specification of timing constraints in CTSM, we follow the strategy of timed automata and can use the timed reachability analysis procedure described in this paper. We plan to integrate the two procedures to construct the state generation of CTSM. We are also currently investigating other properties that can be checked directly from the reachability graph generated by our algorithm.

References
[1] R. Alur. Techniques for Automatic Verification of Real-Time Systems. Ph.D. dissertation, Department of Computer Science, Stanford Univ., August 1991.
[2] R. Alur, C. Courcoubetis, and D. Dill. Model Checking for Real-time Systems. In Annual Symposium on Logic in Computer Science, 1990.
[3] R. Alur, C. Courcoubetis, D. Dill, N. Halbwachs, and H. Wong-Toi. An Implementation of Three Algorithms for Timing Verification Based on Automata Emptiness. In Proc. of IEEE Real-Time Systems Symposium, 1992.
[4] R. Alur, C. Courcoubetis, N. Halbwachs, D. Dill, and H. Wong-Toi. Minimization of Timed Transition Systems. In W. R. Cleaveland, editor, Proceedings of International Conference on Concurrency Theory, Lecture Notes in Computer Science vol. 630. Springer-Verlag, August 1992.
[5] Duncan Clarke, Insup Lee, and Hongliang Xie. VERSA: A Tool for the Specification and Analysis of Resource-Bound Real-Time Systems. Technical Report MS-CIS-93-77, Dept. of CIS, Univ. of Pennsylvania, Sept 1993.
[6] C. Courcoubetis and M. Yannakakis. Minimum and Maximum Delay Problems in Real-time Systems. In Proceedings of Conference on Computer-Aided Verification, 1990.
[7] C. Heitmeyer, R. Jeffords, and B. Labaw. Comparing Different Approaches for Specifying and Verifying Real-Time Systems. In Proc. 10th IEEE Workshop on Real-Time Operating Systems and Software, May 1993.
[8] F. Jahanian and D. A. Stuart. A method for verifying properties of modechart specifications. In Proc. of IEEE Real-Time Systems Symposium, 1988.
[9] Inhye Kang and Insup Lee. State Minimization for Concurrent System Analysis Based on State Space Exploration. To appear in Proc. of COMPASS, June 1994.
[10] X. Nicollin, J. Sifakis, and S. Yovine. Compiling Real-Time Specifications into Extended Automata. IEEE Transactions on Software Engineering, 18(10), September 1992.
[11] J. S. Ostroff. Deciding Properties of Timed Transition Models. IEEE Transactions on Parallel and Distributed Systems, 1(2), April 1990.
[12] S. C. V. Raju. An Automatic Verification Technique for Communicating Real-Time State Machines. Technical Report 93-04-08, Univ. of Washington, April 1993.
[13] A. C. Shaw. Communicating Real-Time State Machines. IEEE Transactions on Software Engineering, 18(9), September 1992.
[14] D. A. Stuart. Implementing a verifier for real-time systems. In Proc. of IEEE Real-Time Systems Symposium, 1990.
[15] M. Yannakakis and D. Lee. An Efficient Algorithm for Minimizing Real-time Transition Systems. In Proceedings of Conference on Computer-Aided Verification, 1993.

