Interrupt Timed Automata with Auxiliary Clocks and Parameters by Bérard, Béatrice et al.
arXiv:1409.2408v1 [cs.LO] 8 Sep 2014
Interrupt Timed Automata with Auxiliary Clocks and Parameters⋆
B. Bérard1, S. Haddad2, A. Jovanović3, and D. Lime4
1 Sorbonne Université, UPMC-Paris 6, CNRS UMR 7606, Paris, France
Beatrice.Berard@lip6.fr
2 ENS Cachan, LSV, CNRS, INRIA, Cachan, France
haddad@lsv.ens-cachan.fr
3 Department of Computer Science, University of Oxford, Oxford, UK
Aleksandra.Jovanovic@cs.ox.ac.uk
4 École Centrale de Nantes, IRCCyN, CNRS, Nantes, France
Didier.Lime@ec-nantes.fr
Abstract. Interrupt Timed Automata (ITA), an expressive timed model,
has been introduced in order to take into account interruptions, accord-
ing to levels. Due to this feature, this formalism is incomparable with
Timed Automata. However several decidability results related to reacha-
bility and model checking have been obtained. We add auxiliary clocks to
ITA, thereby extending its expressive power while preserving decidabil-
ity of reachability. Moreover, we define a parametrized version of ITA,
with polynomials of parameters appearing in guards and updates. While
parametric reasoning is particularly relevant for timed models, it very
often leads to undecidability results. We prove that various reachability
problems, including robust reachability, are decidable for this model, and
we give complexity upper bounds for a fixed or variable number of clocks,
levels and parameters.
1 Introduction
Timed and hybrid models. In order to model timed systems, the expressive model
of Hybrid Automata (HA) has been proposed [1]. Since its expressive power leads
to the undecidability of most verification problems, several semi-decision procedures have been designed for HA as well as subclasses with decidability results like
Timed Automata (TA) [2]. The model of interrupt timed automata (ITA) [3,4]
was proposed as a subclass of hybrid automata, incomparable with the class of
timed automata, where task interruptions are taken into account. Hence ITA are
particularly suited for the modelling of scheduling with preemption.
Parametric verification. Getting a complete knowledge of a system is often impossible, especially when integrating quantitative constraints. Moreover, even if these constraints are known, when the execution of the system slightly deviates from the expected behaviour, due to implementation choices, previously established properties may not hold anymore. Additionally, considering a wide range of values for constants allows for a more flexible and robust design.
⋆ This work has been supported by project ImpRo ANR-2010-BLAN-0317
Introducing parameters instead of concrete values is an elegant way of ad-
dressing these three issues. Parametrisation however makes verification more
difficult. Besides, it raises new problems like parameter synthesis, i.e., finding
the set (or a subset) of values for which some property holds.
Parameters for timed models. Among quantitative features, parametric reason-
ing is particularly relevant for timing requirements, like network delays, time-
outs, response times or clock drifts.
Pioneering work on parametric real time reasoning was presented in [5] for
the now classical model of timed automata, with parameter expressions replac-
ing the constants to be compared with clock values. Since then, many stud-
ies have been devoted to the parametric verification of timed models [6,7,8],
mostly establishing undecidability results for questions like parametric reacha-
bility, even for a small number of clocks or parameters. Relaxing completeness
requirement or guaranteed termination, several methods and tools have been de-
veloped for parameter synthesis in timed automata [9,10,11], as well as in hybrid
automata [12,13]. Another research direction consists in defining subclasses of
parametric timed models for which some problems become decidable [14,15,16].
Unfortunately, these subclasses are severely restricted. It is then a challenging
issue to define expressive parametric timed models where reachability problems
are decidable.
Contributions. Our contributions are twofold. First we define a more expressive
version of ITA, including auxiliary clocks. We prove that this new model is
strictly more expressive than the former one but retains decidability for the
reachability problem. With respect to the complexity issues, we provide upper
bounds: 2-EXPTIME in the general case, PSPACE when the number of levels is
fixed and PTIME when the number of clocks is fixed. We also give a PSPACE
matching lower bound when the number of levels is fixed.
Our second contribution is to enrich ITA with parameters in the spirit above.
A PITA is a parametric version of ITA where polynomial parameter expressions
can be combined with clock values both as additive and multiplicative coeffi-
cients. Considering only additive parametrisation, we reduce reachability to the
same problem in basic ITA. This reduction entails complexity upper bounds
of respectively 2-EXPTIME, PSPACE when the number of levels is fixed and
PTIME when the number of clocks and parameters is fixed. The multiplicative
setting is much more expressive and also very useful in practice, for instance to
model clock drifts. We prove that reachability in parametric ITA is decidable
as well as its robust variant, an important property for implementation issues.
To the best of our knowledge, this is the first time such a result has been ob-
tained for a model including a multiplicative parametrization. Furthermore, we
establish upper bounds for the computational complexity: 2-EXPSPACE and
PSPACE when the number of levels is fixed. Our technique combines the con-
struction of symbolic class automata from the unparametrized case and the first
order theory of real numbers.
Outline. The model of Interrupt Timed Automata with auxiliary clocks is de-
fined in Section 2, with reachability analysis in Section 3. The parametric ITA
model is introduced in Section 4. The reachability analysis is split into two
sections: the additive case is handled in Section 5 while the results for the multiplicative case are given in Section 6. We conclude and give some perspectives for this work in Section 7.
2 Interrupt Timed Automata
2.1 Notations
The sets of natural, rational and real numbers are denoted respectively by N, Q and R. Given an alphabet Σ, we denote by Σ* the set of finite words over Σ, with ε the empty word. The set of timed words over Σ is the set of finite sequences of the form (a1, t1) . . . (an, tn) where ai ∈ Σ for all i ∈ {1, . . . , n} and (ti)1≤i≤n is a non-decreasing sequence of real numbers. A timed language is a set of timed words. For a timed word w = (a1, t1) . . . (an, tn), we define Untime(w) = a1 . . . an as its projection on Σ* and for a timed language L, we set Untime(L) = {Untime(w) | w ∈ L}.
Given two sets F, G with F finite, we denote by Lin(F, G) the set of linear expressions $\sum_{f \in F} a_f f + b$ where the $a_f$'s and b belong to G. We also denote by Diff(F) the set of expressions f − f′ with f, f′ ∈ F.
Clock constraints. Let X be a finite set of clocks and let Y, Z be disjoint subsets of X. We denote by C(Y, Z) the set of constraints obtained by conjunctions of atomic propositions of the form C ⊲⊳ 0, where C is an expression in $\bigcup_{y \in Y} Lin(Z \cup \{y\}, \mathbb{Q}) \cup Diff(Y)$ and ⊲⊳ ∈ {>, ≥, =, ≤, <}. Such a constraint either compares with zero a linear expression of clocks in Y ∪ Z including at most one clock of Y, or compares two clocks of Y. We also set $C(X) = \bigcup_{Y, Z \subseteq X} C(Y, Z)$.
Updates. An update over X is a conjunction of assignments of the form $\bigwedge_{y \in Y} y := C_y$, where Y ⊆ X and Cy ∈ Lin(X, Q). The set of updates is written U(X). For an expression C and an update u, the expression C[u] is obtained by “applying” u to C, i.e., simultaneously substituting each x by Cx in C, if x := Cx is the update for x in u. For instance, for clocks X = {x1, x2}, expression C = 2x2 − 2x1 + 3 and the update u defined by x1 := 1 ∧ x2 := 3x1 + 2, applying u to C yields the expression C[u] = 2(3x1 + 2) − 2(1) + 3 = 6x1 + 5.
Valuations. A clock valuation is a mapping v : X → R, with 0 the valuation
where all clocks have value 0. For a valuation v and an expression C ∈ Lin(X,Q),
we note v(C) ∈ R the result of evaluating C w.r.t. v. Given an update u and
a valuation v, the valuation v[u] is defined by v[u](x) = v(x) if x is unchanged
by u and v[u](x) = v(Cx) if x := Cx is the update for x in u. For instance,
let X = {x1, x2, x3} be a set of three clocks. For valuation v = (2, 1.5, 3) and
update u defined by x1 := 1∧x3 := x3−x1, applying u to v yields the valuation
v[u] = (1, 1.5, 1).
2.2 Interrupt Timed Automata
Definitions. The behaviour of an ITA can be viewed as the one of an operating
system with interrupt levels. With each level are associated a set of states and
a set of clocks partitioned into a main clock and auxiliary clocks. In a state
of a given level, exactly one clock of this level is active (rate 1), while the other
clocks at lower or equal levels are suspended (rate 0), and the clocks at higher
levels are not yet activated and thus contain value 0. The enabling conditions
on transitions, called guards, are constraints over clocks of the current level or
main clocks of lower levels (with some restrictions). Transitions can update the
clock values. If the transition decreases (resp. increases) the level, then each clock
which is relevant after (resp. before) the transition can (1) be left unchanged, (2)
be updated with a linear expression of main clocks of strictly lower levels or (3) be
updated with another clock at the same level (with some restrictions). Roughly
speaking, the restrictions are introduced to forbid at some level any (direct or
indirect) influence of the auxiliary clocks at lower levels on the behaviour of the
ITA.
Definition 1. An interrupt timed automaton (ITA) is a tuple A = 〈Σ, n, Q, q0, Qf, λ, X, act, ∆〉, where:
– Σ is a finite alphabet;
– n is the number of levels;
– Q is a finite set of states, q0 is the initial state and Qf is a subset of Q of final states. The mapping λ : Q → {1, . . . , n} associates with each state its level. We denote by $Q_i = \lambda^{-1}(i)$ the set of states at level i;
– $X = \biguplus_{i=1}^{n} X_i$ is the set of clocks partitioned according to the levels and $X_i = \{x_i\} \uplus Y_i$ includes a main clock $x_i$ and a set of auxiliary clocks $Y_i$. The set of main clocks of levels less than k is denoted by $X_{<k} = \{x_i \mid i < k\}$;
– act : Q → X with q ∈ Qi ⇒ act(q) ∈ Xi associates with a state its active clock;
– ∆ ⊆ Q × C(X) × (Σ ∪ {ε}) × U(X) × Q is a finite set of transitions. Let $q \xrightarrow{\varphi, a, u} q'$ be a transition in ∆ with k = λ(q) and k′ = λ(q′). The guard ϕ is a constraint in $C(X_k, X_{<k})$.
  • if k ≤ k′ then the update u is of the form $\bigwedge_{z \in \bigcup_{i \le k} X_i} z := C_z$
  • if k > k′ then the update u is of the form $\bigwedge_{z \in \bigcup_{i \le k'} X_i} z := C_z \;\wedge\; \bigwedge_{z \in \bigcup_{k' < i \le k} X_i} z := 0$
  where, when z ∈ Xi,
  • either Cz = z, meaning that z is unchanged;
  • or $C_z = \sum_{j < i} a_j x_j + b$, i.e., z is updated by an expression over main clocks of lower levels;
  • or Cz = z′ ∈ Xi if z ∈ Yi or i = k = k′, i.e., z is updated by another clock at the same level, under the condition that z is not a main clock of level lower than the current one⁵.
The semantics of an ITA is described by a transition system, where a configuration (q, v) consists of a state q of the ITA and a clock valuation v.
Definition 2. The semantics of an ITA A is defined by the (timed) transition system TA = (S, s0, →). The set of configurations is $S = \{(q, v) \mid q \in Q, v \in \mathbb{R}^X\}$, with initial configuration s0 = (q0, 0). The relation → on S consists of two types of steps:
Time steps: Only the active clock in a state can evolve, all other clocks are suspended. For a state q, a time step of duration d is defined by $(q, v) \xrightarrow{d} (q, v')$ with v′(act(q)) = v(act(q)) + d and v′(x) = v(x) for any other clock x. We write v′ = v +q d.
Discrete steps: A discrete step $(q, v) \xrightarrow{e} (q', v')$ can occur for some transition $e = q \xrightarrow{\varphi, a, u} q'$ in ∆ such that v |= ϕ and v′ = v[u].
A run of A is a finite path in the transition system TA, which can be written as an alternating sequence of (possibly null) time and discrete steps. A state q ∈ Q is reachable from q0 if there is a path in TA from (q0, 0) to (q, v), for some valuation v. A run with label d1a1d2a2 . . . dnan is accepting if it starts in (q0, 0) and ends in (q, v), for some q ∈ Qf and some valuation v. For such a run, the timed word w = (a1, d1)(a2, d1 + d2) . . . (an, d1 + . . . + dn) (where pairs with ε actions are removed) is said to be accepted by A. The timed language of A, denoted by L(A), is the set of timed words accepted by A. The untimed language of A is Untime(L(A)).
We now show several properties of this model linked to the presence of aux-
iliary clocks.
Example 1 (Simulation of timing policies). The earlier definition of ITA from [4] is a restriction of Definition 1 without auxiliary clocks but with a policy, which can be either urgent, delayed or lazy, associated with each state. In a lazy state time may elapse, in an urgent state time may not elapse and in a delayed state time must elapse. We show in Figure 1 how to model timing policies with a dedicated auxiliary clock per level, say yi. When entering a state q of level i from a state q′ of level j ≥ i, yi is updated with the active clock of q. By definition, when entering a state q of level i from a state q′′ of level k < i, yi and the active clock of q are null. Thus checking whether time has elapsed in q is equivalent to checking whether act(q) > yi. When q is a lazy state there is nothing to check.
5 The motivation for this rather elaborate condition is explained in the reachability decision procedure.
[Fig. 1. Simulating timing policies. Both panels show a state q at level i entered from a state q′ at level j and from a state q′′ at level k, the edge from q′ carrying the update yi := act(q). (a) Urgent state q, with k < i ≤ j: guard yi = act(q). (b) Delayed state q, with k < i ≤ j: guard yi < act(q).]
Example 2 (About expressiveness). Consider the ITA A1 of Figure 2 with a single level and single final state q2. The main clock x is active in all states and y is an auxiliary clock. Its untimed language is (ab)+. In the accepted timed words, there is an occurrence of a at each time unit and the successive occurrences of b come each time closer to the next occurrence of a than previously. More formally, its timed language L = L(A1) is defined by:
$$L = \{(a, t_1)(b, t_2) \ldots (a, t_{2p+1})(b, t_{2p+2}) \mid p \in \mathbb{N},\ \forall 0 \le i \le p,\ t_{2i+1} = i + 1 \text{ and } i + 1 < t_{2i+2} < i + 2,\ \forall 1 \le i \le p,\ t_{2i+2} - t_{2i+1} < t_{2i} - t_{2i-1}\}$$
It has been shown in [4] that this timed language cannot be accepted by an ITA without auxiliary clocks, which yields the next proposition.
Proposition 1. There exists a timed language of an ITA with a single level and
one auxiliary clock that cannot be accepted by an ITA without auxiliary clocks.
Adding auxiliary clocks also has an impact on the complexity of decision
problems for ITA. In [4], it is shown that the state reachability problem is in
PTIME for a fixed number of levels without auxiliary clocks. The next proposi-
tion establishes a lower bound for this problem in ITA with a single level.
[Fig. 2. ITA A1 with an auxiliary clock: states q0, q1, q2, q3; transition labels, in reading order: x = 1, a, x := 0; 0 < x < 1, b, y := x; x = 1, a, x := 0; y < x < 1, b, y := x.]
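The notation of Section 2.1 (linear expressions, C[u], v[u]) and the semantics of Definition 2 can be exercised directly on A1. The Python code below is an added example, not code from the paper: it stores an expression as a map from clocks to rational coefficients, implements the simultaneous substitution C[u] and the valuation update v[u], and runs a configuration-set simulator that follows Definition 2 (during a time step only act(q) advances; a discrete step requires v |= ϕ and yields v[u]). It then instantiates A1, reading Figure 2 as q0 -a-> q1 -b-> q2 -a-> q3 -b-> q2 with the labels in the order listed; that wiring, and the state and clock names, are assumptions of this example.

```python
from fractions import Fraction
from collections import namedtuple

# --- Section 2.1: linear expressions, C[u] and v[u] -------------------------
# An expression sum_i a_i x_i + b is a dict {clock: a_i}; the key None holds b.

def lin(coeffs=None, const=0):
    expr = {None: Fraction(const)}
    for x, a in (coeffs or {}).items():
        expr[x] = Fraction(a)
    return expr

def clock(x):
    return lin({x: 1})

def add(e1, e2, k=1):
    """e1 + k*e2, dropping clocks whose coefficient becomes 0."""
    out = dict(e1)
    for x, a in e2.items():
        out[x] = out.get(x, Fraction(0)) + Fraction(k) * a
    return {x: a for x, a in out.items() if x is None or a != 0}

def substitute(expr, update):
    """C[u]: replace every clock x by C_x (x := C_x in u) simultaneously;
    clocks not assigned by u stay as themselves."""
    out = lin(const=expr[None])
    for x, a in expr.items():
        if x is not None:
            out = add(out, update.get(x, clock(x)), a)
    return out

def evaluate(expr, v):
    """v(C) for a valuation v given as {clock: value}."""
    return expr[None] + sum(a * v[x] for x, a in expr.items() if x is not None)

def apply_update(v, update):
    """v[u]: each assignment reads the OLD valuation, so x1 := 1 and
    x3 := x3 - x1 in one update both see the previous x1."""
    return {x: evaluate(update[x], v) if x in update else v[x] for x in v}

# --- Definition 2: configurations, time steps, discrete steps ---------------
# A guard is a list of atoms (C, op) standing for the conjunction of C op 0.
_OPS = {">": lambda r: r > 0, ">=": lambda r: r >= 0, "=": lambda r: r == 0,
        "<=": lambda r: r <= 0, "<": lambda r: r < 0}

def holds(guard, v):
    return all(_OPS[op](evaluate(c, v)) for c, op in guard)

Transition = namedtuple("Transition", "src guard action update dst")

class ITA:
    """act maps each state to its active clock; epsilon transitions are
    omitted because A1 has none (assumption of this example)."""

    def __init__(self, clocks, act, init, final, transitions):
        self.clocks, self.act = clocks, act
        self.init, self.final, self.trans = init, final, transitions

    def time_step(self, q, v, d):
        """Only act(q) grows by d; every other clock is suspended."""
        v2 = dict(v)
        v2[self.act[q]] += d
        return v2

    def accepts(self, timed_word):
        """Explore every run over (a1, t1)...(an, tn) and report whether one
        ends in a final state. Timestamps are decimal strings (exact Fractions)."""
        configs = {(self.init, tuple(sorted((x, Fraction(0)) for x in self.clocks)))}
        now = Fraction(0)
        for a, t in timed_word:
            t = Fraction(t)
            succ = set()
            for q, items in configs:
                v = self.time_step(q, dict(items), t - now)
                for tr in self.trans:
                    if tr.src == q and tr.action == a and holds(tr.guard, v):
                        succ.add((tr.dst, tuple(sorted(apply_update(v, tr.update).items()))))
            configs, now = succ, t
        return any(q in self.final for q, _ in configs)

def build_a1():
    """A1 of Figure 2 (assumed wiring q0 -a-> q1 -b-> q2 -a-> q3 -b-> q2):
    one level, main clock x active everywhere, auxiliary clock y, final q2."""
    x, y = clock("x"), clock("y")
    x_minus_1 = add(x, lin(const=1), -1)          # the atom x = 1 is x - 1 = 0
    reset_x, y_gets_x = {"x": lin()}, {"y": x}
    trans = [
        Transition("q0", [(x_minus_1, "=")], "a", reset_x, "q1"),                         # x = 1, a, x := 0
        Transition("q1", [(x, ">"), (x_minus_1, "<")], "b", y_gets_x, "q2"),               # 0 < x < 1, b, y := x
        Transition("q2", [(x_minus_1, "=")], "a", reset_x, "q3"),                         # x = 1, a, x := 0
        Transition("q3", [(add(x, y, -1), ">"), (x_minus_1, "<")], "b", y_gets_x, "q2"),   # y < x < 1, b, y := x
    ]
    return ITA(["x", "y"], {q: "x" for q in ("q0", "q1", "q2", "q3")}, "q0", {"q2"}, trans)

if __name__ == "__main__":
    a1 = build_a1()
    print(a1.accepts([("a", "1"), ("b", "1.3"), ("a", "2"), ("b", "2.5")]))  # True
    print(a1.accepts([("a", "1"), ("b", "1.5"), ("a", "2"), ("b", "2.3")]))  # False
```

The two worked examples of Section 2.1 are reproduced by `substitute` and `apply_update`. On A1, the word (a,1)(b,1.3)(a,2)(b,2.5) is accepted because at the second b the clock x (0.5) exceeds y (0.3, the value x had at the first b), so the guard y < x < 1 holds; (a,1)(b,1.5)(a,2)(b,2.3) is rejected at the same guard. Timestamps are passed as decimal strings so that all clock arithmetic is exact; with floating-point delays the equality guard x = 1 could fail by rounding.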
Proposition 2. The state reachability problem for ITA with a single level is
PSPACE-hard.
Proof. We proceed by reducing the planification problem to our reachability problem. The planification problem is defined by n propositional variables p1, . . . , pn and a set R of m rules. Each rule r ∈ R is defined by a guard $\bigwedge_{j=1}^{k} l_j$, with literals lj ∈ {p1, ¬p1, . . . , pn, ¬pn}, and an update $\bigwedge_{j=1}^{h} p_{\alpha_j} := b_j$ with bj ∈ {false, true}. Initially all propositions are false and the planification problem consists in deciding whether there exists a sequence of rules r1 . . . rk applicable from the initial state and leading to the state where all propositions are true. The corresponding ITA has n auxiliary clocks y1, . . . , yn and two states q0 (the initial one) and q1 (the final one) both with active clock x1. Each rule yields a transition looping around q0 and an additional transition from q0 to q1 “checking” that the goal has been reached. This reduction is illustrated in Figure 3.
[Fig. 3. Illustrating the reduction for PSPACE-hardness. Rules: r1: If ¬p1 then p1 := true; p2 := false. r2: If p1 then p2 := true. ITA with states q0, q1 and transition labels y1 = 1 ∧ y2 = 1, ε; y1 = 0, ε, y1 := 1 ∧ y2 := 1; y1 = 0, ε, y2 := 1.]
3 Reachability analysis of ITA
We prove in this section that the untimed language of an ITA is a regular lan-
guage for which a finite automaton can effectively be built. Similarly to previous
cases, the proof is based on the construction of a (finite) class graph which
is time abstract bisimilar to the transition system TA. This result also holds
for infinite words with standard Büchi conditions. As a consequence, we obtain
decidability of the reachability problem, as well as decidability for plain CTL∗
model-checking.
The construction of classes is much more involved than in the case of TA.
More precisely, it depends on the expressions occurring in the guards and up-
dates of the automaton (while in TA it depends only on the maximal constant
occurring in the guards). Given an ITA A with n levels, we associate with each
state q of A a set of expressions Exp(q) with the following meaning. The values
of clocks giving the same ordering of these expressions correspond to a class.
In order to define Exp(q), we first build a family of sets {Ek}1≤k≤n and set $Exp(q) = \bigcup_{k \le \lambda(q)} E_k$. Finally we show in Theorem 1 how to build the class
graph which proves the regularity of the untimed language. This immediately
yields a reachability procedure given in Theorem 2.
3.1 Construction of {Ek}k≤n
We first recall the normalization operation [4], on expressions relative to some
level. As explained below, this operation will be used to order expression values
at a given level.
Definition 3 (Normalization). Let k ≤ n and $C = \sum_{i \le k} a_i x_i + b$ be an expression over clocks in X<k+1, the k-normalization of C, denoted by norm(C, k), is defined by:
– if $a_k \ne 0$ then $norm(C, k) = x_k + (1/a_k)\left(\sum_{i<k} a_i x_i + b\right)$;
– else norm(C, k) = C.
Let C ⊲⊳ 0 be a guard occurring in a transition outgoing from a state q with level k and $C = a_k z + \sum_{i<k} a_i x_i + b$ with z ∈ Xk (in the saturation procedure we do not consider guards of the form z − z′ with z, z′ in Xk). By rescaling the expression and if necessary changing the comparison operator we may assume that C is written as $\alpha z + \sum_{i<k} a_i x_i + b$, with α ∈ {0, 1}.
The construction of {Ek}k≤n must be adapted to handle auxiliary clocks. It proceeds top down from level n to level 1 after initialization Ek = Xk ∪ {0} for all k. When level k is handled, new terms are added to Ei for 1 ≤ i ≤ k. These expressions are those needed to compute a (pre)order on the expressions in Ek.
1. At level k, first for each expression $\alpha z + \sum_{i<k} a_i x_i + b$ (with α ∈ {0, 1} and z ∈ Xk) occurring in a guard of an edge leaving a state of level k, we add $-\sum_{i<k} a_i x_i - b$ to Ek.
2. Then the following procedure is iterated until no new term is added to any Ei for 1 ≤ i ≤ k.
(a) Let $q \xrightarrow{\varphi, a, u} q'$ with λ(q) ≥ k and λ(q′) ≥ k. For any C ∈ Ek, we add C[u] to Ek. Observe that due to our restrictions on updates C[u] is still either of the form z ∈ Xk or of the form $\sum_{j<k} a_j x_j + b$.
(b) Let $q \xrightarrow{\varphi, a, u} q'$ with λ(q) < k and λ(q′) ≥ k. Let C and C′ be two different expressions in Ek. We compute $C'' = norm(C[u] - C'[u], \lambda(q))$, choosing an arbitrary order between C and C′ in order to avoid redundancy. Let us write C′′ as $\alpha x_{\lambda(q)} + \sum_{i<\lambda(q)} a_i x_i + b$ with α ∈ {0, 1}. Then we add $-\sum_{i<\lambda(q)} a_i x_i - b$ to $E_{\lambda(q)}$.
Lemma 1. For an ITA A, let H be the number of constraints in the guards, U the number of updates in the transitions (we assume U ≥ 2) and M = max{card(Xk) | 1 ≤ k ≤ n}. The construction procedure of {Ek}k≤n terminates and the size of every Ek is bounded by $(H + M)^{2^{n-k}} \times U^{2^{n(n-k+1)}}$.
Proof. Given some k, we prove the termination of the stage relative to k. Observe that step 2 of the iteration only adds new expressions to Eh for h < k. Thus steps 1 and 2 can be ordered. Let us prove the termination of step 1. We define $E_k^0$ as the set Ek at the beginning of this stage and $E_k^i$ as this set after insertion of the ith item in it. With each added item C[u] can be associated its father C. Thus we can view Ek as an increasing forest with finite degree (due to the finiteness of the edges) and finitely many roots. Assume that this step does not terminate. Then we have an infinite forest and by König's lemma, it has an infinite branch C0, C1, . . . where Ci+1 = Ci[ui] for some update ui such that Ci+1 ≠ Ci. Observe that updates of the form x := x′ do not modify the set. Moreover, the number of updates that change the variables x ∈ Xk is either 0 or 1 since once x disappears it cannot appear again. We split the branch into two parts before and after this update or we still consider the whole branch if there is no such update. In these (sub)branches, we conclude with the same reasoning that there is at most one update that changes the variables x ∈ Xk−1. Iterating this process, we conclude that the number of updates is at most 2k − 1 and the length of the branch is at most 2k.
The final size of Ek is thus at most $|E_k^0| \times U^{2k}$ since the width of the forest is bounded by U. In step 2, we add at most U × (|Ek| × (|Ek| − 1))/2 to Ei for every i < k. This concludes the proof of termination.
We now prove by a backward induction that as soon as n ≥ 2, $|E_k| \le (H + M)^{2^{n-k}} \times U^{2^{n(n-k+1)}}$. The doubly exponential size of En (proved above) is propagated downwards by the saturation procedure. We define pk = |Ek|.
Basis case k = n. We have $p_n \le p_n^0 \times U^{2n}$ where $p_n^0$ is bounded by H + M, hence $p_n \le (H + M) \times U^{2^n}$ which is the claimed bound.
Inductive case. Assume that the bound holds for k < j ≤ n. Due to all executions of step 2 of the procedure at strictly higher levels, $p_k^0$ expressions were added to Ek, with:
$$p_k^0 \le (H + M) + U \times [(p_{k+1} \times (p_{k+1} - 1))/2 + \cdots + (p_n \times (p_n - 1))/2]$$
$$p_k^0 \le (H + M) + U \times \left[(H + M)^{2^{n-k}} U^{2^{n(n-k)+1}} + \cdots + (H + M)^2 U^{2^{n+1}}\right]$$
$$p_k^0 \le (n - k + 1) \times (H + M)^{2^{n-k}} U^{2^{n(n-k)+1}} \quad \text{(replacing all terms by the largest)}$$
$$p_k^0 \le (H + M)^{2^{n-k}} \times U^{2^{n(n-k)+1} + n} \quad \text{(here we use } U \ge 2 \text{ and } n \ge 2\text{)}$$
Taking into account step 1 of the procedure for level k, we have:
$$p_k \le (H + M)^{2^{n-k}} \times U^{2^{n(n-k)+1} + 2k + n}.$$
Let us consider the term $\delta = 2^{n(n-k+1)} - 2^{n(n-k)+1} - 2k - n = 2^{n(n-k)+1}(2^{n-1} - 1) - 2k - n$. We have $\delta \ge 2^{n+1} - 2n \ge 0$, which yields the claimed bound.
In order to analyze the space requirements triggered by the saturation pro-
cedure, we establish the following lemma bounding the number of bits used for
integers involved in the rational constants of expressions in all Ek.
Lemma 2. Let A be an ITA, and let b0 be the maximal number of bits for integers occurring in A. If b is the number of bits of an integer constant, occurring in an expression of some Ek, then $b \le ((n + 1)!)^2\, 9^n\, b_0$.
Proof. Without loss of generality we assume that b0 ≥ 2. We also assume that there is a single denominator s for the rationals occurring in updates since it only induces a polynomial blow up.
Let bk be the number of bits of an integer occurring in some expression before operations of level n − k are performed. We establish a relation between bk and bk+1. At level n − k, step 1 involves a normalization on guards. Thus a numerator is multiplied by a denominator to produce the new integers leading to a number of bits 2bk. For an expression that was already present in En−k, its coefficients are modified in order to get a common denominator by taking the product of the original denominators. After this transformation the maximal number of bits is bounded by (n − k + 1)bk.
Let $C = \sum_{i \le n-k} a_i x_i + b$ be an expression built after step 2(a). Examining the successive updates, the coefficient ai can be expressed as $\sum_{d \in D} \prod_{j \in d} c_{d,j}$ where D is the set of subsets of {i, . . . , n − k} containing i and cd,j are either coefficients of the updates or coefficients of an expression built before this step. The same reasoning applies to b. Before summing the products over d ∈ D, the integers are transformed in order to get the same denominator by multiplying every denominator (and corresponding numerator) by $s^i$ with 0 ≤ i ≤ n − k. So the maximal absolute value of the numerator of such a coefficient is bounded by $2^{n-k}\,(2^{(n-k+1)b_k})^{n-k+1}\,2^{(n-k)b_0} \le (2^{2b_k+1})^{(n-k+1)^2}$ which implies a maximal number of bits equal to $(n-k+1)^2(2b_k+1)$ for the numerators of the ai’s and b. The maximal absolute value of the denominator of such a coefficient is less than $(2^{(n-k+1)b_k})^{n-k+1}\,2^{(n-k)b_0}$ which implies a maximal number of bits bounded by $(n-k+1)^2(2b_k)$ for the denominators of the ai’s and b.
At step 2(b), the difference C[u] − C′[u] requires computing the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $(n-k+1)^2(4b_k+2)$ for the numerators of its coefficients and $(n-k+1)^2(4b_k)$ for the denominators.
The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients leading to a bound $(n-k+1)^2(8b_k+2) \le (n-k+1)^2(9b_k)$ for bk+1, which yields the desired bound.
3.2 Construction of the class automaton
In order to analyze the size of the class automaton defined below, we recall
an adaptation of a classical result about partitions of n-dimensional Euclidian
spaces.
Definition 4. Let {Hk}1≤k≤m be a family of hyperplanes of $\mathbb{R}^n$. A region defined by this family is a connected component of $\mathbb{R}^n \setminus \bigcup_{1 \le k \le m} H_k$. An extended region defined by this family is a connected component of $\bigcap_{k \in I} H_k \setminus \bigcup_{k \notin I} H_k$ where I ⊆ {1, . . . , m} with the convention that $\bigcap_{k \in \emptyset} H_k = \mathbb{R}^n$.
Proposition 3.
1. [17] The number of regions defined by the family {Hk}1≤k≤m is at most $\sum_{i=0}^{n} \binom{m}{i}$.
2. [4] The number of extended regions defined by the family {Hk}1≤k≤m is at most: $\sum_{p=0}^{n} \binom{m}{p} \sum_{i=0}^{n-p} \binom{m-p}{i} \le e^2 m^n$.
Theorem 1. The untimed language of an ITA is regular.
Proof. Starting from an ITA A, and handling auxiliary clocks, we build a finite
automaton which is time abstract bisimilar to the transition system TA and thus
accepts Untime(L(A)).
Class definition. A state of the automaton, called class, is a syntactical representation of a subset of reachable configurations. It is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where q is a state and $\preceq_k$ is a total preorder over Ek, for 1 ≤ k ≤ λ(q). The class R describes the set of configurations:
$$[[R]] = \{(q, v) \mid \forall k \le \lambda(q)\ \forall (g, h) \in E_k,\ g[v] \le h[v] \text{ iff } g \preceq_k h\}$$
The initial state is the class R0 such that [[R0]] contains (q0, 0) and can be straightforwardly determined. The final states are all classes $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ with q ∈ Qf.
Observe that fixing a state, the set of configurations [[R]] of a non empty class R is exactly an extended region associated with the hyperplanes defined by the comparison of two expressions of some Ek. An upper bound for the total number of expressions of any level is given by $(H + M)^{2^n} \times U^{2^{n^2}}$, hence an upper bound of the number of hyperplanes is obtained by squaring this number, yielding $(H + M)^{2^{n+1}} \times U^{2^{n^2}}$. Using Point 2. of Proposition 3, the number of semantically different classes for a given state is bounded by:
$$e^2 m^n = e^2 (H + M)^{K 2^{n+1}} \times U^{K 2^{n^2+1}} \quad (1)$$
where $K = \sum_{k=1}^{n} card(X_k) \le nM$ is the total number of clocks. Since semantical equality between classes can be tested in polynomial time w.r.t. their size [18], we implicitly consider in the sequel of the proof classes modulo the semantical equivalence.
There are two kinds of transitions, corresponding to discrete steps and ab-
stract time steps.
Discrete step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ and $R' = (q', \{\preceq'_k\}_{1 \le k \le \lambda(q')})$ be two classes. There is a transition $R \xrightarrow{e} R'$ for a transition $e : q \xrightarrow{\varphi, a, u} q'$ if there is some (q, v) ∈ [[R]] and (q′, v′) ∈ [[R′]] such that $(q, v) \xrightarrow{e} (q', v')$. In this case, for all (q, v) ∈ [[R]] there is a (q′, v′) ∈ [[R′]] such that $(q, v) \xrightarrow{e} (q', v')$. This can be decided as follows.
Firability condition. For a transition e like above at level ℓ = λ(q), write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$. Since we assumed rescaled guards, for every j, $C_j = \alpha z + \sum_{i<\ell} a_i x_i + b$ (with α ∈ {0, 1} and z in Xℓ) or $C_j = z - z'$ with z, z′ ∈ Xℓ. In the first case $C'_j = -\sum_{i<\ell} a_i x_i - b$ and z belong to Eℓ and in the second case z, z′ ∈ Eℓ both by construction. For each j ∈ J, we define a condition depending on ⊲⊳j. For instance, in the first case if the constraint in ϕ is Cj ≤ 0, we check that $\alpha z \preceq_\ell C'_j$, or if the constraint in ϕ is Cj > 0 we check that $\alpha z \not\preceq_\ell C'_j \wedge C'_j \preceq_\ell \alpha z$. The second case is handled similarly.
Successor definition. Class R′ is defined as follows. Let k ≤ λ(q′) and g, h ∈ Ek.
1. Either k ≤ ℓ, then by construction, g[u], h[u] ∈ Ek and $g \preceq'_k h$ iff $g[u] \preceq_k h[u]$.
2. Or k > ℓ, let D = g[u] − h[u]. Due to our restrictions on updates for i ≤ ℓ, xi[u] can only be equal to xi or $\sum_{j<i} \alpha_j x_j + \beta$. Thus D can be written as $\sum_{i \le \ell} c_i x_i + d$. We set C = norm(D, ℓ) and write $C = \alpha x_\ell + \sum_{i<\ell} a_i x_i + b$ (with α ∈ {0, 1}). By construction, $C' = -\sum_{i<\ell} a_i x_i - b \in E_\ell$.
When cℓ ≥ 0 then $g \preceq'_k h$ iff $\alpha x_\ell \preceq_\ell C'$.
When cℓ < 0 then $g \preceq'_k h$ iff $C' \preceq_\ell \alpha x_\ell$.
By definition of [[ · ]], we obtain:
– For any (q, v) ∈ [[R]], if there exists $(q, v) \xrightarrow{e} (q', v')$ then the firability condition is fulfilled and (q′, v′) belongs to [[R′]].
– If the firability condition is fulfilled then for each (q, v) ∈ [[R]] there exists (q′, v′) ∈ [[R′]] such that $(q, v) \xrightarrow{e} (q', v')$.
Time step. Let $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$, with again ℓ = λ(q). There is a transition $R \xrightarrow{succ} Post(R)$ for $Post(R) = (q, \{\preceq'_k\}_{1 \le k \le \ell})$, the time successor of R, which is defined as follows.
For every i < ℓ, we define $\preceq'_i = \preceq_i$. Let ∼ be the equivalence relation $\preceq_\ell \cap \preceq_\ell^{-1}$ induced by the preorder. On equivalence classes, this (total) preorder becomes a (total) order. Let V be the equivalence class containing act(q).
1. Either V = {act(q)} and it is the greatest equivalence class. Then $\preceq'_\ell = \preceq_\ell$ (thus Post(R) = R).
2. Or V = {act(q)} and it is not the greatest equivalence class. Let V′ be the next equivalence class. Then $\preceq'_\ell$ is obtained by merging V and V′, and preserving $\preceq_\ell$ elsewhere.
3. Or V is not a singleton. Then we split V into V \ {act(q)} and {act(q)} and “extend” $\preceq_\ell$ by $V \setminus \{act(q)\} \preceq'_\ell \{act(q)\}$.
By definition of [[ · ]], for each (q, v) ∈ [[R]], there exists d > 0 such that (q, v + d) ∈ [[Post(R)]] and for each d′ with 0 ≤ d′ ≤ d, (q, v + d′) ∈ [[R]] ∪ [[Post(R)]].
From the properties above, this finite automaton accepts Untime(L(A)).
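The three cases of Post(R) are easy to mechanise once a total preorder over Eℓ is stored as the ordered list of its ∼-classes, least first. The Python below is an added example, not code from the paper: it implements the comparison g ⪯ h, the time successor Post and its iteration to a fixed point, and drives them on the level-1 expression set {0, x, y, 1} that the saturation procedure yields for A1 of Figure 2 (0, x, y from the initialisation E1 = X1 ∪ {0}, and 1 from the guard x = 1), starting from the initial class where 0 = x = y < 1 with act = x. The string names used for the expressions are this example's own convention.

```python
# A total preorder over E_l is kept as the ordered list of its equivalence
# classes (frozensets), least first. g ⪯ h iff g's class is not after h's.

def leq(classes, g, h):
    pos = {e: i for i, block in enumerate(classes) for e in block}
    return pos[g] <= pos[h]

def post(classes, act):
    """Time successor Post(R) at the level of the active clock 'act':
    only 'act' grows, every other expression of E_l keeps its value."""
    i = next(i for i, block in enumerate(classes) if act in block)
    block = classes[i]
    if block == {act}:
        if i == len(classes) - 1:
            return list(classes)                  # case 1: act is greatest, Post(R) = R
        merged = block | classes[i + 1]           # case 2: act catches up with the next class
        return classes[:i] + [merged] + classes[i + 2:]
    # case 3: act leaves the class it shared and is now strictly above its former peers
    return classes[:i] + [block - {act}, frozenset({act})] + classes[i + 1:]

def time_successors(classes, act):
    """Iterate Post until it is stable (case 1); returns the whole chain."""
    chain = [list(classes)]
    while True:
        nxt = post(chain[-1], act)
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)

def show(classes):
    """Render a preorder as text such as '0 = y < x < 1'."""
    return " < ".join(" = ".join(sorted(block)) for block in classes)

# Constructed input (this example's assumption): E_1 = {0, x, y, 1} for A1 and
# the initial class of A1, where every clock is 0, i.e. 0 = x = y < 1; act = x.
R0 = [frozenset({"0", "x", "y"}), frozenset({"1"})]

if __name__ == "__main__":
    for r in time_successors(R0, "x"):
        print(show(r))
```

Starting from the initial class, the chain is 0 = x = y < 1 (case 3 applies), then 0 = y < x < 1 (the region in which the guard 0 < x < 1 holds; case 2 applies), then 0 = y < 1 = x (where x = 1 is firable; case 3), and finally 0 = y < 1 < x, which Post maps to itself (case 1).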
Theorem 2. The reachability problem for Interrupt Timed Automata is decid-
able and belongs to 2-EXPTIME. It is in PTIME when the number of clocks is
fixed and PSPACE-complete when the number of levels is fixed.
Proof. The reachability problem is solved by building the class graph and applying a standard reachability algorithm. The number of expressions in the Ek’s is doubly exponential w.r.t. the size of the model (see Lemma 1). The size of
an expression is exponential w.r.t. the size of the model (see Lemma 2). So the
size of a class representation is also doubly exponential in the size of the model.
The size of the graph, bounded by the number of semantically different classes,
is only polynomial w.r.t. the size of a class due to Point 2. of Proposition 3.
This leads to a 2-EXPTIME complexity. Observe that no complexity gain can
be obtained by a non deterministic search without building the graph.
Again using these lemmas and Point 2. of Proposition 3, when the number of
clocks is fixed the size of the graph is at most polynomial in the size of the
problem, leading to a PTIME procedure.
On the other hand, when the number of levels is fixed, the size of a class rep-
resentation is polynomial while the number of classes is exponential (see K in
Equation (1)). Thus a non deterministic search can be performed without building the graph, which yields a complexity in PSPACE. The PSPACE-hardness is a consequence of Proposition 2.
Remarks. This result should be compared with the similar one for TA. The
reachability problem for TA is PSPACE-complete and thus less costly to solve
than for ITA. Fixing the number of levels in ITA yields the same complexity.
Moreover, fixing the number of clocks does not reduce the complexity for TA
(when this number is greater than or equal to 3) while this problem belongs
now to PTIME for ITA. Summarizing, the main source of complexity for ITA
is the number of levels and clocks, while in TA it is the binary encoding of the
constants [19].
4 Parametric Interrupt Timed Automata
Parametric ITA are similar to ITA but they include polynomials of parame-
ters from a set P , in guards and updates. Given two sets F,G, we denote by
Pol(F,G), the set of polynomials with variables in F and coefficients in G and
by Frac(F,G), the set of rational functions with variables in F and coefficients
in G (i.e. quotients of polynomials). Observe that Lin(F,G) can be seen as the
subset of polynomials with degree at most one.
Definition 5. A parametric interrupt timed automaton (PITA) is a tuple $\mathcal{A} = \langle P, \Sigma, n, Q, q_0, Q_f, \lambda, X, act, \Delta \rangle$, where:
– $P$ is a finite set of parameters,
– all other elements are defined as for ITA except that expressions appearing in guards or updates belong to $\mathrm{Lin}(X, \mathrm{Pol}(P, \mathbb{Q}))$: in such an expression $\sum_{z \in Z} a_z z + b$, the $a_z$'s and $b$ are polynomials over $P$ with coefficients in $\mathbb{Q}$.
This definition implies that an ITA is a PITA with P = ∅. When all expres-
sions occurring in guards and updates are in Lin(X∪P,Q) (which can be seen as
a subset of Lin(X,Pol(P,Q))), the PITA is said to be additively parametrised.
In contrast, in the general case, it is called multiplicatively parametrised.
As in the unparametrized case, updates operate on expressions. For instance, for clocks in $X = \{x_1, x_2\}$, parameters in $P = \{p_1, p_2, p_3\}$, expression $C = p_2 x_2 - 2x_1 + 3p_1$ and the update $u$ defined by $x_1 := 1 \wedge x_2 := p_3 x_1 + p_2$, applying $u$ to $C$ yields the expression $C[u] = p_2 p_3 x_1 + p_2^2 + 3p_1 - 2$. Note that the use of multiplicative parameters for clocks may result in polynomial coefficients when updates are applied. Here a clock valuation is a mapping $v : X \mapsto \mathrm{Pol}(P, \mathbb{R})$. For a valuation $v$ and an expression $C \in \mathrm{Lin}(X, \mathrm{Pol}(P, \mathbb{Q}))$, $v(C) \in \mathrm{Pol}(P, \mathbb{R})$ is obtained by evaluating $C$ w.r.t. $v$. Given an update $u$ and a valuation $v$, the valuation $v[u]$ is defined by $v[u](x) = v(C_x)$ for $x \in X$ if $x := C_x$ is the update for $x$ in $u$, and $v[u](x) = v(x)$ otherwise. For instance, let $X = \{x_1, x_2, x_3\}$ be a set of three clocks. For valuation $v = (2p_2, 1.5, 3p_1^2)$ and update $u$ defined by $x_1 := 1 \wedge x_3 := p_1 x_3 - x_1$, applying $u$ to $v$ yields the valuation $v[u] = (1, 1.5, 3p_1^3 - 2p_2)$.
A parameter valuation is a mapping $\pi : P \mapsto \mathbb{R}$. For a parameter valuation $\pi$ and an expression $C \in \mathrm{Lin}(X, \mathrm{Pol}(P, \mathbb{Q}))$, $\pi(C) \in \mathrm{Lin}(X, \mathbb{R})$ is obtained by evaluating $C$ w.r.t. $\pi$. If $C \in \mathrm{Pol}(P, \mathbb{Q})$, then $\pi(C) \in \mathbb{R}$. Given a parameter valuation $\pi$, a clock valuation $v$ and an expression $C \in \mathrm{Lin}(X, \mathrm{Pol}(P, \mathbb{Q}))$ we write $\pi, v \models C \bowtie 0$ when $\pi(v(C)) \bowtie 0$.
Given a parameter valuation $\pi$ and a PITA $\mathcal{A}$, substituting the parameters by their value according to $\pi$ yields an ITA, denoted by $\mathcal{A}(\pi)$, where the coefficients of clocks are in $\mathbb{R}$. So the semantics of $\mathcal{A}$ w.r.t. parameter valuation $\pi$ is defined by the (timed) transition system $\mathcal{T}_{\mathcal{A}(\pi)}$. A state $q$ is reachable from $q_0$ for valuation $\pi$ if $q$ is reachable from $q_0$ in $\mathcal{A}(\pi)$.
Example 3. A PITA $\mathcal{A}_2$ is depicted in Fig. 4(a), with two interrupt levels. Every level $i$ has only a main clock $x_i$. Fixing the parameter valuation $\pi$: $p_1 = 5$ and $p_2 = -1$, the run
$(q_1, 0, 0) \xrightarrow{4} (q_1, 4, 0) \xrightarrow{a} (q_2, 4, 0) \xrightarrow{2} (q_2, 4, 2) \xrightarrow{b} (q_2, 4, 3)$
is obtained as follows. After staying in $q_1$ for 4 time units, $a$ can be fired and the value of $x_1$ is then frozen in state $q_2$, while $x_2$ increases. Transition $b$ can be taken if $x_1 + p_2 x_2 = 2$, hence for $x_2 = 2$ (after a delay of 2 in $q_2$), after which $x_2$ is updated to $x_2 = (p_1 - 4p_2^2) \cdot 4 + p_2 = 3$. A geometric view of this run w.r.t. $\pi$ is given (in bold) in Fig. 4(b).
Fig. 4. An example of PITA and a possible execution. (a) A PITA $\mathcal{A}_2$ with two interrupt levels: state $q_1$ at level 1 and state $q_2$ at level 2; edge $a$ from $q_1$ to $q_2$ with guard $x_1 < p_1$; edge $b$ leaving $q_2$ with guard $x_1 + p_2 x_2 = 2$ and update $x_2 := (p_1 - 4p_2^2)x_1 + p_2$. (b) A possible run in $\mathcal{A}_2$ for $\pi$, drawn in the $(x_1, x_2)$ plane ($x_1$ up to 5, $x_2$ up to 3) against the lines $x_1 = p_1$ and $x_1 + p_2 x_2 = 2$.
Reachability problems. We consider several reachability problems for this class.
Let A be a PITA with initial state q0 and q be a state of A. The Existential (resp.
Universal) Reachability Problem asks whether q is reachable from q0 for some
(resp. all) parameter valuation(s). Scoped variants of these problems are obtained
by adding as input a set of parameter valuations given by a first order formula
over the reals or a polyhedral constraint. The Robust Reachability Problem asks
whether there exists a parameter valuation π and a real ε > 0 such that for all π′
with ‖π−π′‖∞ < ε, q is reachable from q0 for π′ (where ‖π‖∞ = maxp∈P |π(p)|).
When satisfied, this property ensures that small parameter perturbations do not
modify the reachability result. It is also related to parameter synthesis where a
valuation has to be enlarged to an open region with the same reachability goal.
5 Reachability Analysis with Additive Parametrization
We start with the easier particular case of additive parametrization, i.e., expressions occurring in guards and updates are linear expressions on clocks and parameters with rational coefficients. We first prove that the existential parametrized reachability problem can be reduced to the reachability problem on (non-parametrized) ITA.
Proposition 4. For any additively parametrized PITA $\mathcal{A}$, with set of states $Q$ and initial state $q_0$, there exists a (non-parametrised) ITA $\mathcal{A}'$, with set of states $Q'$ containing $Q$, and initial state $q'_0$ fulfilling the following equivalence. For every $q \in Q$:
there exists $\pi$ such that $q$ is reachable from $q_0$ in $\mathcal{A}$ for $\pi$
iff $q$ is reachable from $q'_0$ in $\mathcal{A}'$.
Proof. For any additively parametrized PITA $\mathcal{A}$ with $n$ levels, and $k$ parameters $p_1, \ldots, p_k$, we build an equivalent ITA $\mathcal{A}'$ with $n + k + 1$ levels and then use the complexity results of Section 3. The construction is shown in Fig. 5.
The ITA $\mathcal{A}'$ consists of a "prefix" (the first $k + 1$ levels) connected to the original automaton $\mathcal{A}$ (with its $n$ levels). The main clocks of levels 2 to $k + 1$ encode the parameters $p_1, \ldots, p_k$ of $\mathcal{A}$. In order to simplify further references, we also call these clocks $p_1, \ldots, p_k$. Similarly, the main clock of the first level is called $p_0$. None of these first $k + 1$ levels has any auxiliary clock. Since level numbers start at 1, each clock $p_i$ is active in level $i + 1$ in (the prefix of) $\mathcal{A}'$.
In the first level of $\mathcal{A}'$, clock $p_0$ is active. After some arbitrary time, a transition with no guard is taken to the state of the second level and clock $p_0$ is frozen. In the second level, clock $p_1$ is active and the same procedure continues: after some time a transition to the next level is taken, and clock $p_1$ is frozen, and so on for the first $k$ levels. In these first $k$ levels, any run of $\mathcal{A}'$ chooses a non-negative fixed value for the clocks $p_0, \ldots, p_{k-1}$, and hence almost for the parameters of $\mathcal{A}$. Parameters may however have negative values, so level $k + 1$ serves as a technicality to choose the final sign of the corresponding clocks. This is done by assigning $p_{i-1}$ or $-p_{i-1}$ to clock $p_i$, between each two consecutive states, for all $i \in [1..k]$ (from $p_k$ down to $p_1$, as in Fig. 5), in a run without any delay in any of the states of level $k + 1$ (the other runs, with delays in the states of level $k + 1$, overlap on those corresponding to other parameter valuations and are therefore not a problem). In the last state of level $k + 1$, the clocks $p_1, \ldots, p_k$ can therefore have any arbitrary real value assigned. The automaton finally proceeds to the initial state of $\mathcal{A}$ keeping the values of these additional clocks. Since they correspond to levels lower than any level of $\mathcal{A}$ they can be used liberally enough in the guards and updates of $\mathcal{A}$. The obtained automaton $\mathcal{A}'$ is an ITA and parameters of $\mathcal{A}$ are modeled as clocks in $\mathcal{A}'$.
Let $X$ be the set of clocks in $\mathcal{A}$ and $X'$ be the set of clocks in $\mathcal{A}'$ (thus $X' = X \cup \{p_0, \ldots, p_k\}$). For any subset $Y \subseteq X'$ and a valuation $v$ on $X'$, we define the restriction of $v$ to $Y$ as the unique valuation $v_{|Y}$ on $Y$ such that $v_{|Y}(x) = v(x)$ for all $x \in Y$. We now show that a configuration $s = (q, v)$ is reachable in $\mathcal{A}$ for some parameter valuation $\pi$ (i.e., in $\mathcal{A}(\pi)$) iff there exists some configuration $s' = (q', v')$, such that $q' = q$ and for all $x \in X$, $v'_{|X}(x) = v(x)$, which is reachable in $\mathcal{A}'$.
On the one hand, if there exists a path to reach $s'$ in $\mathcal{A}'$, then by construction this path goes through a configuration $(q_0, v_0)$ such that $(q_0, v_{0|X})$ is the initial configuration of $\mathcal{A}$ (i.e. $v_{0|X}$ is the zero valuation). Let $\pi$ be the parameter valuation such that for all $i > 0$, $\pi(p_i) = v_0(p_i)$; then $s$ is reachable in $\mathcal{A}(\pi)$.
On the other hand, let $\pi$ be a parameter valuation and $v$ be a clock valuation on $X$ such that $(q, v)$ is reachable in $\mathcal{A}(\pi)$. Then using an appropriate run in the prefix one reaches $(q_0, v_0)$ where $v_{0|X}$ is the zero valuation and for all $i > 0$, $v_0(p_i) = \pi(p_i)$. Afterwards this run is extended to reach $q$ by mimicking the run of $\mathcal{A}(\pi)$.
Fig. 5. An equivalent ITA $\mathcal{A}'$: a prefix of $k + 1$ levels with main clocks $p_0, p_1, \ldots, p_{k-1}, p_k$, linked by guard-free (true) transitions; in level $k + 1$ the sign-choosing updates $p_k := p_{k-1}$ or $p_k := -p_{k-1}$, $p_{k-1} := p_{k-2}$ or $p_{k-1} := -p_{k-2}$, \ldots, $p_1 := p_0$ or $p_1 := -p_0$; then the $n$ levels of $\mathcal{A}$.
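The prefix construction can be written out explicitly. The following Python is an added illustration, not code from the paper: it assumes a dictionary encoding of an automaton (keys n, clocks, params, states, init, transitions, scope) in which guards and updates are opaque strings, uses hypothetical state names wait1..waitk and sign0..signk for the prefix, builds the sign-choosing transitions in the order of Fig. 5, and checks that the result has the sizes n+k+1, N+k+1, x+2k+1 and y+3k+1 used in the proof of Theorem 3 below. The sample automaton is constructed for the example and is not the automaton of Fig. 4.

```python
"""Proposition 4: from an additively parametrised PITA A (n levels, parameters p1..pk) build the
ITA A' whose k+1 extra levels choose the parameter values. Added illustration, not the paper's
code. Assumed encoding of an automaton: a dict with keys n, clocks, params, states (name -> level),
init, transitions (src, guard, label, update dict, dst) and scope (a guard on the parameters, or
"true"); guards and updates are opaque strings, since A' copies those of A unchanged."""

def additive_pita_to_ita(pita):
    k = len(pita["params"])
    p = ["p0"] + list(pita["params"])   # main clocks of the prefix; p[i] is active at level i + 1
    states, transitions = {}, []
    # Levels 1..k: one waiting state each. Leaving it (no guard) freezes that level's clock at an
    # arbitrary non-negative value, which is how the magnitude of p_{i-1} is chosen.
    for i in range(1, k + 1):
        states[f"wait{i}"] = i
        transitions.append((f"wait{i}", "true", "up", {}, f"wait{i + 1}" if i < k else "sign0"))
    # Level k+1: k+1 states; between consecutive ones the sign of p_k, then p_{k-1}, ..., p_1 is
    # chosen (the order of Fig. 5) by one of two guard-free transitions.
    for j in range(k + 1):
        states[f"sign{j}"] = k + 1
    for j in range(1, k + 1):
        i = k + 1 - j
        for sign in ("", "-"):
            transitions.append((f"sign{j - 1}", "true", f"sign_{p[i]}",
                                {p[i]: f"{sign}{p[i - 1]}"}, f"sign{j}"))
    # Entering A: a polyhedral scope on the parameters becomes the guard of this single transition.
    transitions.append((f"sign{k}", pita["scope"], "enter", {}, pita["init"]))
    # A itself is shifted up by k+1 levels and copied verbatim; its parameters are now clocks.
    for q, lvl in pita["states"].items():
        states[q] = lvl + k + 1
    transitions.extend(pita["transitions"])
    return {"n": pita["n"] + k + 1, "clocks": p + list(pita["clocks"]), "params": [],
            "states": states, "init": "wait1" if k else "sign0", "transitions": transitions}

def size(aut):
    """(levels, clocks, states, transitions): the quantities compared in the proof of Theorem 3."""
    return (aut["n"], len(aut["clocks"]), len(aut["states"]), len(aut["transitions"]))

def matches_theorem3(pita, ita):
    """Check the sizes n+k+1, N+k+1, x+2k+1 and y+3k+1 claimed in the proof of Theorem 3."""
    k = len(pita["params"])
    n, N, x, y = size(pita)
    return size(ita) == (n + k + 1, N + k + 1, x + 2 * k + 1, y + 3 * k + 1)

# Constructed sample (hypothetical, not the automaton A2 of Fig. 4, which is multiplicative):
# two levels, two clocks, two parameters, additive guards and update.
SAMPLE_PITA = {
    "n": 2, "clocks": ["x1", "x2"], "params": ["p1", "p2"],
    "states": {"q1": 1, "q2": 2}, "init": "q1", "scope": "true",
    "transitions": [("q1", "x1 < p1 + 2", "a", {}, "q2"),
                    ("q2", "x1 + x2 = p2", "b", {"x2": "x1 - p2"}, "q2")],
}
```

For `SAMPLE_PITA` the prefix has three levels (clocks p0, p1, p2), the transitions sign0 → sign1 assign p2 := ±p1 and sign1 → sign2 assign p1 := ±p0, and the last transition sign2 → q1 is where a polyhedral scope would be placed as a guard; with no parameters the prefix degenerates to the single state sign0 and one entering transition.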
Using Proposition 4 and Theorem 2, we can now give the main result of this
section.
Theorem 3. The (polyhedral scoped) existential reachability problem is decid-
able for additively parametrised PITA, and belongs to 2-EXPTIME. It belongs
to PTIME when the number of clocks and parameters is fixed. It is PSPACE-
complete when the number of levels and parameters is fixed.
Proof. Following Proposition 4, every additively parametrised PITA can be transformed into an equivalent ITA, and the (unscoped) reachability problem of additively parametrised PITA is thus reduced to the reachability problem of ITA, already known to be decidable. The complexity results follow from the complexity results for ITA given in Theorem 2, since the size of $\mathcal{A}'$ is only linear in the size of $\mathcal{A}$: if there are $n$ levels, $N$ clocks, $k$ parameters, $x$ states and $y$ transitions in $\mathcal{A}$, the number of levels, clocks, states and transitions in $\mathcal{A}'$ are $n + k + 1$, $N + k + 1$, $x + 2k + 1$ and $y + 3k + 1$, respectively.
With a polyhedral scope, given as a finite union of polyhedra, we need to guard the transition between the last state of the prefix and the initial state of $\mathcal{A}$, in $\mathcal{A}'$, by the given polyhedra (each polyhedron of the union could guard a different transition, as well).
6 Reachability Analysis with Multiplicative Parametrization
We now focus on the multiplicative case and this section is devoted to the proof
of the following result:
Theorem 4. The (scoped) existential, universal and robust reachability prob-
lems for PITA are decidable and belong to 2-EXPSPACE. The complexity re-
duces to PSPACE when the number of levels is fixed.
We first present the main ideas underlying the proof, which is based on the proof of Theorem 2 but extends it by the handling of parameters. Given a PITA $\mathcal{A}$, the first step is to build a finite partition of the set $\mathbb{R}^P$ of parameter valuations. An element $\Pi$ of this partition is specified by a satisfiable first-order formula over $(\mathbb{R}, +, \times)$, with the parameters as variables. Intuitively, inside $\Pi$ the qualitative behaviour of $\mathcal{A}$ does not depend on the precise parameter valuation. In a second step, we build a finite automaton $\mathcal{R}(\Pi)$ for each non empty $\Pi$. In $\mathcal{R}(\Pi)$, a state $R$, again called a class, defines a set $[\![R]\!]_\pi$ of reachable configurations of $\mathcal{T}_{\mathcal{A}(\pi)}$ for a valuation $\pi \in \Pi$. The transition relation of $\mathcal{R}(\Pi)$ contains discrete steps $R \xrightarrow{e} R'$ (for a transition $e$ of $\mathcal{A}$) and abstract time steps $R \longrightarrow Post(R)$ with the following properties:
Discrete Step (DS): If there is a transition $R \xrightarrow{e} R'$ in $\mathcal{R}(\Pi)$ then for each $\pi \in \Pi$ and each $(q, v) \in [\![R]\!]_\pi$ there exists $(q', v') \in [\![R']\!]_\pi$ such that $(q, v) \xrightarrow{e} (q', v')$.
Conversely, let $\pi \in \Pi$ and $(q, v) \in [\![R]\!]_\pi$. If there exists a transition $(q, v) \xrightarrow{e} (q', v')$ in $\mathcal{T}_{\mathcal{A}(\pi)}$ then for some $R'$, there is a transition $R \xrightarrow{e} R'$ in $\mathcal{R}(\Pi)$ and $(q', v')$ belongs to $[\![R']\!]_\pi$.
Time Step (TS): Let $\pi \in \Pi$ and $(q, v) \in [\![R]\!]_\pi$. There exists $d > 0$ such that $(q, v +_q d) \in [\![Post(R)]\!]_\pi$ and for each $d'$ with $0 \le d' \le d$, $(q, v +_q d') \in [\![R]\!]_\pi \cup [\![Post(R)]\!]_\pi$.
Hence, we obtain a finite family of abstract time bisimulations of the transition systems $\mathcal{T}_{\mathcal{A}(\pi)}$, for all parameter valuations, which gives the decidability result.
Although the construction of $\mathcal{R}(\Pi)$ is similar to the one for ITA, expressions in the sets $\{E_k\}_{k \le n}$ now contain polynomials of parameters. The main difference is the normalization operation of an expression $\sum_{i \le k} a_i x_i + b$, which depends on the polynomial $a_k$. For instance, consider expression $p_2 x_2 + x_1 - 2$, which appears in automaton $\mathcal{A}_2$ of Fig. 4(a) with a comparison to 0. For a valuation where $p_2 = 0$, a normalization should yield $x_1 - 2$. If $p_2 \neq 0$, the operation should yield $-\frac{x_1 - 2}{p_2}$. In addition, the case $p_2 \neq 0$ should be split depending on the sign of $p_2$, since the operation could change the comparison operator involved in a guard. Therefore, we also need to define a set $PolPar$ of polynomials appearing in the denominators, like $p_2$.
6.1 Construction of PolPar and expressions {Ek}k≤n
In the spirit of normalization, we define three operations on expressions, relatively to a level $k$, to help building the elements in $E_k$ to which the active clock on level $k$ will be compared.
Definition 6. Let $k \le n$ be some level and let $C$ be an expression in $\mathrm{Lin}(X_{<n+1}, \mathrm{Frac}(P, \mathbb{Q}))$, $C = \sum_{i \le n} a_i x_i + b$ with $a_k = \frac{r_k}{s_k}$, for some $r_k$ and $s_k$ in $\mathrm{Pol}(P, \mathbb{Q})$. We associate with $C$ the following expressions:
– $lead(C, k) = r_k$;
– if $lead(C, k) \notin \mathbb{Q} \setminus \{0\}$, $comp(C, k) = \sum_{i < k} a_i x_i + b$;
– if $lead(C, k) \neq 0$ then $compnorm(C, k) = -\sum_{i < k} \frac{a_i}{a_k} x_i - \frac{b}{a_k}$.
In the previous example, $comp$ corresponds to $x_1 - 2$ while $compnorm$ corresponds to $-\frac{x_1 - 2}{p_2}$. More examples are given after the construction of $PolPar$ and $\{E_k\}_{k \le n}$. This construction proceeds top down from level $n$ to level 1 after initialising $PolPar$ to $\emptyset$ and $E_k$ to $X_k \cup \{0\}$ for all $k$. When handling level $k$, we add new terms to $E_i$ for $1 \le i \le k$.
1. At level $k$ the first step consists in adding new expressions to $E_k$ and new polynomials to $PolPar$. More precisely, let $C$ be any expression occurring in a guard of an edge leaving a state of level $k$. We add $lead(C, k)$ to $PolPar$ when it does not belong to $\mathbb{Q}$ and we add $comp(C, k)$ and $compnorm(C, k)$ to $E_k$ when they are defined.
2. The second step consists in iterating the following procedure until no new term is added to any $E_i$ for $1 \le i \le k$.
(a) Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) \ge k$ and $\lambda(q') \ge k$, and let $C \in E_k$. Then we add $C[u]$ to $E_k$.
(b) Let $q \xrightarrow{\varphi, a, u} q'$ with $\lambda(q) < k$ and $\lambda(q') \ge k$. Let $\{C, C'\}$ be a set of two expressions in $E_k$. We compute $C'' = C[u] - C'[u]$, choosing an arbitrary order between $C$ and $C'$. This step ends by handling $C''$ w.r.t. $\lambda(q)$ as done for $C$ w.r.t. $k$ in step 1 above.
Example 4. For the automaton of Fig. 4(a), initially, we have $PolPar = \emptyset$, $E_1 = \{x_1, 0\}$ and $E_2 = \{x_2, 0\}$. Starting with level $k = 2$, we consider in step 1 the expression $C_2 = p_2 x_2 + x_1 - 2$ appearing in the guard of the single edge leaving $q_2$. We compute $lead(C_2, 2) = p_2$, $comp(C_2, 2) = x_1 - 2$, and $compnorm(C_2, 2) = -\frac{x_1 - 2}{p_2}$. We obtain $PolPar = \{p_2\}$ and $E_2 = \{x_2, 0, x_1 - 2, -\frac{x_1 - 2}{p_2}\}$. For step 2(a) and the same edge, we apply its update to the expressions of $E_2$ that contain $x_2$, add them to $E_2$, and thus obtain $E_2 = \{x_2, 0, x_1 - 2, -\frac{x_1 - 2}{p_2}, (p_1 - 4p_2^2)x_1 + p_2\}$.
In step 2(b), considering the single edge from $q_1$ to $q_2$, we compute the differences between any two expressions from $E_2$ (after applying the update, which means here substituting 0 for $x_2$ and leaving $x_1$ unchanged) and the resulting expressions $lead$, $comp$ and $compnorm$, which yields:
$PolPar = \{p_2,\ p_2 + 1,\ 1 - p_1 + 4p_2^2,\ 1 + p_1 p_2 - 4p_2^3\}$,
$E_1 = \{x_1,\ 0,\ 2,\ -\frac{2(p_2 + 1)}{p_2},\ -2 - p_2,\ \frac{2 + p_2}{1 - p_1 + 4p_2^2},\ \frac{p_2^2 - 2}{p_2},\ \frac{2 - p_2^2}{1 + p_1 p_2 - 4p_2^3}\}$.
We proceed with level 1. Since expression $C_1 = x_1 - p_1$ occurring in the guard of the considered edge has leading coefficient equal to 1, there is no term to add to $PolPar$. We add $compnorm(C_1, 1) = p_1$ to $E_1$, hence the final result is:
$PolPar = \{p_2,\ p_2 + 1,\ 1 - p_1 + 4p_2^2,\ 1 + p_1 p_2 - 4p_2^3\}$,
$E_1 = \{x_1,\ 0,\ 2,\ -\frac{2(p_2 + 1)}{p_2},\ -2 - p_2,\ \frac{2 + p_2}{1 - p_1 + 4p_2^2},\ \frac{p_2^2 - 2}{p_2},\ \frac{2 - p_2^2}{1 + p_1 p_2 - 4p_2^3},\ p_1\}$,
$E_2 = \{x_2,\ 0,\ x_1 - 2,\ -\frac{x_1 - 2}{p_2},\ (p_1 - 4p_2^2)x_1 + p_2\}$.
Lemma 3 below is used for the class automata construction. Its proof is obtained by a straightforward examination of the above procedure.
Lemma 3. Let $C$ belong to $E_k$ for some $k$ and $c = \frac{r}{s}$ be a coefficient of $C$ with $s \notin \mathbb{Q}$. Then there exist polynomials $P_1, \ldots, P_\ell \in PolPar$ and some constant $K \in \mathbb{Q} \setminus \{0\}$ such that $s = K \cdot \prod_{1 \le i \le \ell} P_i$.
Lemma 4 is the parametrized version of Lemma 1 and its (omitted) proof is almost identical.
Lemma 4. For a PITA $\mathcal{A}$, let $H$ be the number of constraints in the guards, $U$ the number of updates in the transitions (we assume $U \ge 2$) and $M = \max\{card(X_k) \mid 1 \le k \le n\}$. The construction procedure of $\{E_k\}_{k \le n}$ terminates and the size of every $E_k$ is bounded by $(H + M)^{2^{n-k}} \times U^{2^{n(n-k+1)}}$.
Lemma 5 is the parametrized version of Lemma 2. However since the coefficients are now rational functions, the degree of the polynomials must also be analyzed.
Lemma 5. Let $\mathcal{A}$ be a PITA, and let $b_0$ be the maximal total number of bits for integers of an expression in $\mathcal{A}$ and $d_0$ the maximal degree of polynomials occurring in $\mathcal{A}$. If $b$ is the total number of bits of the integer constants and $d$ the degree of a polynomial, occurring in an expression of $PolPar$ or some $E_k$, then $b \le ((n+1)!)^2 (n+1)\, 2^{3n+1} b_0$ and $d \le (n+1)!\, 5^n d_0$.
Proof. W.l.o.g. we assume that there is a single denominator for the rationals occurring in updates since it only induces a polynomial blow up.
Assume that before level $n - k$ is handled, the total number of bits for integers occurring in some expression is $b_k$. We establish by induction that $b_k \le \prod_{j=1}^{k} (n + 2 - j)^2 \, (k + 1) \, 2^{n + 2k + 1} b_0$. The base case is trivial. At level $n - k$, step 1 induces an increase only when operation $compnorm$ is applied on an original guard whose coefficients are polynomials (instead of rational fractions). After this operation the number of bits is bounded by $(n - k + 1) b_0 \le (n - k + 1) b_k$. For an expression that was already present in $E_{n-k}$, its coefficients are modified in order to get a common denominator by taking the product of the original denominators. After this transformation the total number of bits is bounded by $2(n - k + 1) b_k$.
Examining one update applied on an expression, the total number of bits of the coefficients of the updated expression is increased by $(n - k + 1) b_0$. Since an expression built after step 2(a) has been obtained by less than $2^{n-k}$ updates, the total number of bits is less than $2(n - k + 1) b_k + 2^{n-k} (n - k + 1) b_0$.
At step 2(b), the difference $C[u] - C'[u]$ requires to compute the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $4(n - k + 1) b_k + 2^{n-k+1} (n - k + 1) b_0$ for the total number of bits.
The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients, leading to a bound:
$(n - k + 1)^2 \left( 4 b_k + 2^{n-k+1} b_0 \right)$
$\le (n - k + 1)^2 \left( 4 \prod_{j=1}^{k} (n + 2 - j)^2 \, (k + 1) \, 2^{n + 2k + 1} b_0 + 2^{n-k+1} b_0 \right)$
$\le \left( \prod_{j=1}^{k+1} (n + 2 - j) \right)^2 \left( (k + 1)\, 2^{n + 2(k+1) + 1} b_0 + 2^{n + 2(k+1) + 1} b_0 \right)$
$= \left( \prod_{j=1}^{k+1} (n + 2 - j) \right)^2 (k + 2) \, 2^{n + 2(k+1) + 1} b_0$
for the number of bits.
Assume that before level $n - k$ is handled, the degree of a polynomial (of parameters) occurring in some expression is at most $d_k$. We establish a relation between $d_k$ and $d_{k+1}$. At level $n - k$, step 1 does not induce any increase when operation $compnorm$ is applied on an original guard whose coefficients are polynomials (instead of rational fractions). More precisely the numerators of rational fractions are unchanged while the denominators are numerators of some previous expressions. For an expression that was already present in $E_{n-k}$, its coefficients are modified in order to get a common denominator by taking the product of the original denominators. After this transformation the maximal degree is bounded by $(n - k + 1) d_k$.
Let us examine an expression $C = \sum_{i \le n-k} a_i x_i + b$ built after step 2(a). Examining the successive updates, the numerator of coefficient $a_i$ can be expressed as $\sum_{d \in D} \prod_{j \in d} c_{d,j}$ where $D$ is the set of subsets of $\{i, \ldots, n - k\}$ containing $i$ and the $c_{d,j}$ are all coefficients of the updates (i.e. coefficients of polynomials) except one coefficient of the expression built before this step. The same reasoning applies to the constant coefficient of the expression. So the degree of the $a_i$'s and $b$ is bounded by $(n - k + 1)(d_k + d_0)$. The denominators are denominators of expressions previously built, so bounded by $(n - k + 1) d_k$.
At step 2(b), the difference $C[u] - C'[u]$ requires to compute the lcm of two denominators (bounded by their product). So the difference operation leads to a bound $(n - k + 1)(2 d_k + d_0)$ for the numerators of its coefficients and $2(n - k + 1) d_k$ for the denominators.
The final step 2(b) consists in multiplying a numerator and a denominator of some coefficients, leading to a bound $(n - k + 1)(4 d_k + d_0)$. So $d_{k+1} \le 5(n - k + 1) d_k$, yielding the desired bound.
We now explain the partition construction. Starting from the finite set $PolPar$, we split the set of parameter valuations in parameter regions specified by the result of comparisons to 0 of the values of the polynomials in $PolPar$. For instance, for the set $PolPar$ computed above, the constraints $p_2 < 0$, $p_2 + 1 = 0$, $1 - p_1 + 4p_2^2 = 0$ and $1 + p_1 p_2 - 4p_2^3 = 0$ define a set $preg$ of parameter valuations. The parameter region $preg$ is non empty since it contains $p_1 = 5$ and $p_2 = -1$. The set of such constraints yielding non empty regions can be computed by solving an existential formula of the first-order theory of reals.
Then, given a non empty parameter region $preg$, we consider the following subset of $E_k$ for $1 \le k \le n$: $E_{k,preg} = \{C \in E_k \mid \text{the denominators of coefficients of } C \text{ are non null in } preg\}$. Due to Lemma 3, these subsets are obtained by examining the specification of $preg$.
Observe that expressions in $E_{1,preg} \setminus X_1$ belong to $\mathrm{Frac}(P, \mathbb{Q})$ and that, depending on the parameter valuation, the values of two expressions can be differently ordered. We refine $preg$ according to a linear pre-order $\preceq_1$ on $E_{1,preg} \setminus X_1$ which is satisfiable within $preg$. We denote this refined region by $\Pi = (preg, \preceq_1)$ and we now build a finite automaton $\mathcal{R}(\Pi)$.
6.2 Construction of the class automata
In this paragraph, we fix a non empty parameter region $\Pi = (preg, \preceq_1)$.
Class definition. A state of $\mathcal{R}(\Pi)$, called a class like before, is defined as a pair $R = (q, \{\preceq_k\}_{1 \le k \le \lambda(q)})$ where $q$ is a state of $\mathcal{A}$ and $\preceq_k$ is a total preorder over $E_{k,preg}$, for $1 \le k \le \lambda(q)$. For a parameter valuation $\pi \in \Pi$, the class $R$ describes the following subset of configurations in $\mathcal{T}_{\mathcal{A}(\pi)}$:
$[\![R]\!]_\pi = \{(q, v) \mid \forall k \le \lambda(q)\ \forall g, h \in E_{k,preg},\ \pi(v(g)) \le \pi(v(h)) \text{ iff } g \preceq_k h\}$
The initial state of $\mathcal{R}(\Pi)$ is the class $R_0$ such that $(q_0, \mathbf{0}) \in [\![R_0]\!]_\pi$, which can be straightforwardly determined by extending $\preceq_1$ to $E_{1,preg}$ with $x \preceq_1 0$ and $0 \preceq_1 x$ for all $x \in X_1$, and closing $\preceq_1$ by transitivity.
Transitions in $\mathcal{R}(\Pi)$ consist of the following discrete and time steps:
Discrete step. Let $R = (q, \{\preceq_i\}_{1 \le i \le \lambda(q)})$ and $R' = (q', \{\preceq'_i\}_{1 \le i \le \lambda(q')})$ be two classes and let $e : q \xrightarrow{\varphi, a, u} q'$ be a transition in $\mathcal{A}$. There is a transition $R \xrightarrow{e} R'$ if for some $\pi \in \Pi$, there are some $(q, v) \in [\![R]\!]_\pi$ and $(q', v') \in [\![R']\!]_\pi$ such that $(q, v) \xrightarrow{e} (q', v')$. In this case, we claim that for all $(q, v) \in [\![R]\!]_\pi$ there is a $(q', v') \in [\![R']\!]_\pi$ such that $(q, v) \xrightarrow{e} (q', v')$. For this, we prove in the sequel that the existence of transition $R \xrightarrow{e} R'$ is independent of $\pi \in \Pi$ and of $(q, v) \in [\![R]\!]_\pi$. It can be seen as follows.
We note $\ell = \lambda(q)$ for the level of transition $e$.
Firability condition. We write $\varphi = \bigwedge_{j \in J} C_j \bowtie_j 0$ with, for each $j$, either $C_j = a_\ell z + \sum_{i < \ell} a_i x_i + b$ (with $z \in X_\ell$) or $C_j = z - z'$ with $z, z' \in X_\ell$. We consider three subcases of the first case.
• Subcase $a_\ell = 0$. Then $C_j = comp(C_j, \ell) \in E_{\ell,preg}$ and using the positions of 0 and $C_j$ w.r.t. $\preceq_\ell$, we can decide whether $C_j \bowtie_j 0$.
• Subcase $a_\ell \in \mathbb{Q} \setminus \{0\}$. Then $compnorm(C_j, \ell) \in E_{\ell,preg}$, hence using the sign of $a_\ell$ and the positions of $z$ and $compnorm(C_j, \ell)$ w.r.t. $\preceq_\ell$, we can decide whether $C_j \bowtie_j 0$.
• Subcase $a_\ell \notin \mathbb{Q}$. According to the specification of $preg$, we know the sign of $a_\ell$ as it belongs to $PolPar$. In case $a_\ell = 0$, we decide as in the first subcase. Otherwise, we decide as in the second subcase.
The second case $C_j = z - z'$ is handled similarly.
Successor definition. To build the successor $R' = (q', \{\preceq'_i\}_{1 \le i \le \lambda(q')})$ of $R$, we have to define the preorders $\{\preceq'_i\}_{1 \le i \le \lambda(q')}$. Let $k \le \lambda(q')$ and $g, h \in E_{k,preg}$.
1. Either $k \le \ell$: by step 2(a) of the construction, $g[u], h[u] \in E_{k,preg}$. Then $g \preceq'_k h$ iff $g[u] \preceq_k h[u]$.
2. Or $k > \ell$: let $D = g[u] - h[u] = \sum_{i \le \ell} a_i x_i + b$. There are again three subcases.
• Subcase $a_\ell = 0$. Then $D = comp(D, \ell) \in E_{\ell,preg}$, so we can decide whether $D \preceq_\ell 0$, and $g \preceq'_k h$ iff $D \preceq_\ell 0$.
• Subcase $a_\ell \in \mathbb{Q} \setminus \{0\}$. Then $compnorm(D, \ell) \in E_{\ell,preg}$. There are four possibilities to consider. For instance if $a_\ell > 0$ and $x_\ell \preceq_\ell compnorm(D, \ell)$ then $g \preceq'_k h$. The other cases are similar.
• Subcase $a_\ell \notin \mathbb{Q}$. Let us write $a_\ell = \frac{r_\ell}{s_\ell}$. According to the specification of $preg$, we know the sign of $a_\ell$ since $r_\ell$ belongs to $PolPar$ and $s_\ell$ is a product of items in $PolPar$. In case $a_\ell = 0$, we decide $g \preceq'_k h$ as in the first case. Otherwise, we decide in a similar way as in the second case. For instance if $a_\ell > 0$ and $x_\ell \preceq_\ell compnorm(D, \ell)$ then $g \preceq'_k h$.
Time step. For $R = (q, \{\preceq_k\}_{1 \le k \le \ell})$, there is a transition $R \xrightarrow{succ} Post(R)$, where $Post(R) = (q, \{\preceq'_k\}_{1 \le k \le \ell})$ is the time successor of $R$, defined as follows. Intuitively, all preorders below $\ell = \lambda(q)$ are fixed, so $\preceq'_i = \preceq_i$ for each $i < \ell$. On level $\ell$, the value of the active clock simply progresses along the one dimensional time line, where the expressions are ordered. More precisely, let $\sim$ be the equivalence relation $\preceq_\ell \cap \preceq_\ell^{-1}$ induced by the preorder. A $\sim$-equivalence class groups expressions yielding the same value, and on these classes, the (total) preorder becomes a (total) order. Let $V$ be the $\sim$-equivalence class containing $act(q)$.
1. Either $V = \{act(q)\}$. If $V$ is the greatest $\sim$-equivalence class, then $\preceq'_\ell = \preceq_\ell$ (and $Post(R) = R$). Otherwise, let $V'$ be the next $\sim$-equivalence class. Then $\preceq'_\ell$ is obtained by merging $V = \{act(q)\}$ and $V'$, and preserving $\preceq_\ell$ elsewhere.
2. Or $V$ is not a singleton. Then we split $V$ into $V \setminus \{act(q)\}$ and $\{act(q)\}$ and "extend" $\preceq_\ell$ by $V \setminus \{act(q)\} \prec'_\ell \{act(q)\}$.
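The time step (here and in its unparametrised form at the end of Section 3) operates only on the preorder of the top level, so it can be run directly on a preorder kept as an ordered list of $\sim$-equivalence classes. The following Python is an added illustration, not code from the paper: expressions are opaque strings, `act` is the active clock, and the sample line is the one of Example 5 below (the assumed region makes $-\frac{2(p_2+1)}{p_2}$ equal to 0), so `time_successors` reproduces the chain $R_0, R_0^1, \ldots, R_0^7$ and `strictly_below` decides the guard $x_1 < p_1$ of transition $a$ from the class alone, as the firability condition does for a guard with rational leading coefficient.

```python
"""Time successor Post(R) of Section 6.2 (and of the unparametrised construction of Section 3).
Added illustration, not the paper's code: the total preorder on the expressions of level l is a
list of ~-equivalence classes (sets of opaque strings) in increasing order, and only the active
clock act(q) moves along it."""

def post(classes, act):
    """One abstract time step; returns `classes` itself when act(q) is alone in the greatest
    class, i.e. when Post(R) = R."""
    i = next(idx for idx, cls in enumerate(classes) if act in cls)
    V = classes[i]
    if V == {act}:
        if i == len(classes) - 1:
            return classes                                           # case 1, greatest class
        return classes[:i] + [V | classes[i + 1]] + classes[i + 2:]  # case 1: act(q) reaches V'
    return classes[:i] + [V - {act}, {act}] + classes[i + 1:]        # case 2: act(q) leaves V

def time_successors(classes, act):
    """R, Post(R), Post(Post(R)), ... up to the fixpoint (the chain R_0, R_0^1, ..., R_0^7 of Example 5)."""
    chain = [classes]
    while (nxt := post(chain[-1], act)) != chain[-1]:
        chain.append(nxt)
    return chain

def position(classes, e):
    return next(idx for idx, cls in enumerate(classes) if e in cls)

def strictly_below(classes, e, f):
    """Decide e < f from the preorder alone: the firability test of the discrete step for a
    guard with rational leading coefficient, such as x1 < p1 (compnorm(x1 - p1, 1) = p1)."""
    return position(classes, e) < position(classes, f)

def with_active_clock(line, act, equal_to):
    """Extend the preorder on E_{l,preg} minus X_l with act(q), placed equal to `equal_to`
    (x1 = 0 for the initial class R_0)."""
    return [cls | {act} if equal_to in cls else set(cls) for cls in line]

# The line of Example 5 on E_{1,preg} minus {x1}, valid in the region
# p2 < 0, p2 + 1 = 0, 1 - p1 + 4p2^2 = 0, 1 + p1p2 - 4p2^3 = 0 (where -2(p2+1)/p2 = 0).
LINE_E1 = [{"-2-p2"}, {"0", "-2(p2+1)/p2"}, {"(p2^2-2)/p2"}, {"2"}, {"p1"}]
R0 = with_active_clock(LINE_E1, "x1", "0")
```

`time_successors(R0, "x1")` returns eight classes: $R_0$ with $x_1$ in the class of 0, then alternately a singleton $\{x_1\}$ strictly between two classes and $x_1$ merged with the next class, ending with $\{x_1\}$ above $p_1$, where `post` returns its argument unchanged; `strictly_below(c, "x1", "p1")` holds exactly for $R_0$ to $R_0^5$, which is why transition $a$ is firable from those classes only.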
To conclude, observe that the automaton $\mathcal{R}(\Pi)$ defined above has the properties (DS) and (TS) mentioned previously, and is hence a finite time abstract bisimulation of $\mathcal{T}_{\mathcal{A}(\pi)}$, for all parameter valuations $\pi \in \Pi$.
We are now in position to prove Theorem 4.
Proof. Starting from a PITA $\mathcal{A}$, we use the above construction, whose termination is guaranteed by Lemma 4, to design a nondeterministic procedure for existential reachability of a given state $q$:
1. Build $PolPar$ and $\{E_k\}_{1 \le k \le n}$.
2. Guess a parameter region $(preg, \preceq_1)$.
3. Check non emptiness of $(preg, \preceq_1)$.
4. Build the class automaton $\mathcal{R}(preg, \preceq_1)$ and check whether $q$ occurs in some class.
For universal reachability of $q$, in step 4, one checks whether $q$ does not occur in any class. This gives us a nondeterministic procedure for the complementary problem. For robust reachability, in step 2, one guesses an open parameter region, i.e., one specified by strict inequalities only.
We now analyse the complexity of these procedures. Due to Lemmas 4 and 5, the first step is performed in 2-EXPTIME, and in PTIME when the number of clocks is fixed. Guessing a parameter region has the same complexity.
The satisfiability problem for an existential first-order formula over the reals is in PSPACE [20]. Due to Lemma 4, the number $s$ of (in)equalities specifying the region fulfills $s = O\left((H + M)^{2^n} \times U^{2^{n^2}}\right)$ with the previous notations. Let $b$ be the total number of bits of the integers occurring in a constraint of the specification of the region. Due to Lemma 5, $b \le ((n+1)!)^2 (n+1)\, 2^{3n+1} b_0$. Let $d$ be the maximal degree of the polynomials occurring in the specification of the region. Due to the same lemma, $d \le (n+1)!\, 5^n d_0$. So the emptiness problem for a region is decided in 2-EXPSPACE, which becomes PSPACE when the number of levels is fixed.
Observe now that the class automaton $\mathcal{R}(preg, \preceq_1)$ is isomorphic to the class automaton of the ITA $\mathcal{A}(\pi)$ that would be obtained from $\mathcal{A}$ with any parameter valuation $\pi$ in $\Pi = (preg, \preceq_1)$. It has been proved in Section 3 that this automaton can be built in polynomial time w.r.t. the size of the representation of any class. As the size of the representation of a class of a PITA has the same order as the one of the corresponding ITA (dominated by the doubly exponential number of expressions) and the construction algorithms perform similar operations, this yields a complexity of 2-EXPTIME, and PSPACE when the number of levels is fixed.
So the dominating factor of this nondeterministic procedure is the emptiness check done in 2-EXPSPACE. By Savitch's theorem this procedure can be determinised with the same complexity.
Example 5. The construction of $\mathcal{R}(\Pi)$ is illustrated on the automaton $\mathcal{A}_2$ from Fig. 4(a), for the region $\Pi = (preg, \preceq_1)$, where $preg$ was defined above by: $p_2 < 0$, $p_2 + 1 = 0$, $1 - p_1 + 4p_2^2 = 0$ and $1 + p_1 p_2 - 4p_2^3 = 0$. For $\preceq_1$, we first remove from $E_1$ the expressions with null denominator: $E_{1,preg} = \{x_1,\ 0,\ 2,\ -\frac{2(p_2 + 1)}{p_2},\ -2 - p_2,\ \frac{p_2^2 - 2}{p_2},\ p_1\}$ and we consider the ordering on $E_{1,preg} \setminus \{x_1\}$ specified by the line below (expressions on the same point of the line are equal within $preg$):
$-2 - p_2 \;\prec\; 0 = -\frac{2(p_2 + 1)}{p_2} \;\prec\; \frac{p_2^2 - 2}{p_2} \;\prec\; 2 \;\prec\; p_1$
A part of the resulting class automaton $\mathcal{R}(\Pi)$, including the run corresponding to the one in Fig. 4(b), is depicted in Fig. 6, where dashed lines indicate (abstract) time steps.
The initial class is $R_0 = (q_0, Z_0)$ where $Z_0$ is $\preceq_1$ extended with $x_1 = 0$. Denoting (slightly abusively) extensions with the symbol $\wedge$, the time successors of the initial state are obtained by moving $x_1$ to the right along the line: $R_0^1 = (q_0, \preceq_1 \wedge 0 < x_1 < \frac{p_2^2 - 2}{p_2})$, $R_0^2 = (q_0, \preceq_1 \wedge x_1 = \frac{p_2^2 - 2}{p_2})$, \ldots, up to $R_0^7 = (q_0, \preceq_1 \wedge x_1 > p_1)$. Transition $a$ can be fired from all classes up to $R_0^5$ (but not from $R_0^6$ and $R_0^7$ where the constraint $x_1 < p_1$ is not satisfied). In Fig. 6, we represent only the one from $R_0^5 = (q_0, Z_1)$ with $Z_1 = \preceq_1 \wedge 2 < x_1 < p_1$, corresponding to the run in Fig. 4(b).
Along this run, the ordering $\preceq_2$ is determined by region $\Pi$ and $Z_1$, on $E_{2,preg} \setminus \{x_2\} = \{0,\ x_1 - 2,\ -\frac{x_1 - 2}{p_2},\ (p_1 - 4p_2^2)x_1 + p_2\}$. It is illustrated on the line below.
$0 \;\prec\; x_1 - 2 = -\frac{x_1 - 2}{p_2} \;\prec\; (p_1 - 4p_2^2)x_1 + p_2$
Firing transition $a$ produces the class $R_1 = (q_1, Z_1, \preceq_2 \wedge x_2 = 0)$. Transition $b$ is then fired from the (second) time successor of $R_1$, for which $x_2 = -\frac{x_1 - 2}{p_2}$.
Fig. 6. A part of $\mathcal{R}(\Pi)$ for $\mathcal{A}_2$: the level-1 classes $R_0, R_0^1, \ldots, R_0^5, \ldots, R_0^7$, and the level-2 classes $(q_1, Z_1, \preceq_2 \wedge x_2 = 0)$, $(q_1, Z_1, \preceq_2 \wedge 0 < x_2 < -\frac{x_1 - 2}{p_2})$, $(q_1, Z_1, \preceq_2 \wedge x_2 = -\frac{x_1 - 2}{p_2})$, $(q_1, Z_1, \preceq_2 \wedge x_2 = (p_1 - 4p_2^2)x_1 + p_2)$ and $(q_1, Z_1, \preceq_2 \wedge x_2 > (p_1 - 4p_2^2)x_1 + p_2)$, linked by $a$ and $b$ edges and by dashed time steps.
7 Conclusion
While seminal results on parametrised timed models leave little hope for de-
cidability in the general case, we provide here an expressive formalism for the
analysis of parametric reachability problems. Our setting includes a restricted
form of stopwatches and polynomials in the parameters occurring as both addi-
tive and multiplicative coefficients of the clocks in guards and updates. We plan
to investigate which kind of timed temporal logic would be decidable on PITA.
