Parameter synthesis for hierarchical concurrent real-time systems
Étienne ANDRÉ, Yang LIU, Jun SUN (Singapore Management University, junsun@smu.edu.sg) and Jin Song DONG
July 2012. Research Collection School Of Information Systems, Singapore Management University.
Citation: ANDRÉ, Étienne; LIU, Yang; SUN, Jun; and DONG, Jin Song. Parameter synthesis for hierarchical concurrent real-time systems. (2012). Proceedings of the 17th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2012, Paris, France, July 18-20. 253-262. Research Collection School Of Information Systems. Available at: https://ink.library.smu.edu.sg/sis_research/5020
Parameter Synthesis for Hierarchical Concurrent Real-Time Systems
Étienne André*, Yang Liu†, Jun Sun‡ and Jin-Song Dong§
*LIPN, CNRS UMR 7030, Université Paris 13, France
Email: Etienne.Andre@lipn.univ-paris13.fr
†Temasek Laboratories, National University of Singapore
Email: tslliuya@nus.edu.sg
‡Singapore University of Technology and Design
Email: sunjun@sutd.edu.sg
§School of Computing, National University of Singapore
Email: dongjs@comp.nus.edu.sg
Abstract—Modeling and verifying complex real-time sys-
tems, involving timing delays, are notoriously difﬁcult prob-
lems. Checking the correctness of a system for one particular
value for each delay does not give any information for other
values. It is hence interesting to reason parametrically, by
considering that the delays are parameters (unknown con-
stants) and synthesize a constraint guaranteeing a correct
behavior. We present here Parametric Stateful Timed CSP, a
language capable of specifying hierarchical real-time systems
with complex data structures. Although we prove that the
synthesis is undecidable in general, we present an algorithm
for efﬁcient parameter synthesis that behaves well in practice.
Keywords-CSP; parametric timed veriﬁcation; model check-
ing; robustness; reﬁnement.
I. INTRODUCTION
The speciﬁcation and veriﬁcation of real-time systems,
involving complex data structures and timing delays, are
notoriously difﬁcult problems. The correctness of such real-
time systems usually depends on the values of these timing
delays. One can check the correctness for one particular
value for each delay, using classical techniques of timed
model checking, but this does not guarantee the correctness
for other values. Actually, checking the correctness for all
possible delays, even in a bounded interval, would require an
inﬁnite number of calls to the model checker, because those
delays can have real (or rational) values. It is therefore in-
teresting to reason parametrically, by considering that these
delays are unknown constants, or parameters, and try to
synthesize a constraint (a conjunction of linear inequalities)
on these parameters guaranteeing a correct behavior.
Motivation: We are interested here in the good pa-
rameters problem for real-time systems: “ﬁnd a set of
parameter valuations for which the system is correct”. This
problem stands between veriﬁcation and control, in the sense
that we actually change (the timed part of) the system in
order to guarantee some property. Furthermore, we aim at
deﬁning a formalism that is intuitive, powerful (with use
of external variables, structures and user deﬁned functions),
and allowing efﬁcient parameter synthesis and veriﬁcation.
Parameter Synthesis: Timed automata (TAs) are ﬁnite
control automata equipped with clocks, that are compared
with timing delays in guards and invariants [2]. TAs have
been used effectively over the last decade to verify timed
systems, in particular using the UPPAAL model checker [21].
The parametric extension of TAs (viz., parametric timed
automata, or PTAs) allows the use of parameters within
guards and invariants [3].
The parameter design problem for PTAs was formulated
in [17], where a straightforward solution is given, based
on the generation of the whole state space – which is
unfortunately unrealistic in most cases. The HYTECH model checker, one of the first for parametric timed (actually hybrid) automata, has been used to solve several case studies. Unfortunately, it can hardly verify even medium-sized examples: its limited-precision arithmetic and the static composition of automata quickly lead to memory overflows. The parameter synthesis problem has then
been applied in particular to communication protocols (e.g.,
Bounded Retransmission protocol [14] or Root Contention
protocol [13] using TREX [7]) and asynchronous circuits
(e.g., [30], [12]). Although drastic optimizations were de-
veloped for timed automata, in particular using DBMs, most
of them do not apply to the parametric framework, or to
only partially parameterized systems (e.g., [8], where a non-
parametric model is veriﬁed against a parameterized for-
mula). In [5], the inverse method synthesizes constraints for
fully parameterized systems modeled using PTAs. Different
from CEGAR-based methods, this original semi-algorithm is
based on a “good” parameter valuation 𝜋, and synthesizes
a constraint guaranteeing the same time abstract behavior
as for 𝜋, thus providing the system with a criterion of
robustness. As an interesting consequence, the preservation
of the time-abstract behavior guarantees the preservation of
linear time properties (expressed, e.g., in LTL).
In [20], parametric analyses of scheduling problems are
performed, based on the process algebra ACSR-VP. Con-
straints are synthesized using symbolic bisimulation meth-
ods, guaranteeing the feasibility of a scheduling problem.
2012 IEEE 17th International Conference on Engineering of Complex Computer Systems. 978-0-7695-4700-8/12 $26.00 © 2012 IEEE. DOI 10.1109/ICECCS.2012.29
This work is closer to our approach, in the sense that it
synthesizes timing parameters in a process algebra; however,
it is dedicated to scheduling problems only, whereas our
approach is general.
Semi-algorithms (i.e., if the algorithm terminates, then
the result is correct) have been proposed in [29] for syn-
thesizing parameters for time Petri nets with stopwatches.
Different from our setting, the constraint satisﬁes a formula
expressed using a non-recursive subset of parametric TCTL;
furthermore, their implementation does not allow the use of
elaborated data structures.
Stateful Timed CSP: CSP (Communicating sequen-
tial processes) [18] is a powerful event based formalism
for describing patterns of interaction in concurrent sys-
tems. Timed CSP (see, e.g., [25]) extends CSP with timed
constructs for reasoning about real-time systems. Stateful
Timed CSP (STCSP) extends Timed CSP with more timed
constructs and shared variables in order to specify hier-
archical complex real-time systems [27]. An advantage of
Timed CSP over TAs is the lower number of clocks neces-
sary to verify the systems. Indeed, unlike TAs, clocks are
implicit in STCSP, and are only activated when necessary.
Contribution: We present here Parametric Stateful
Timed CSP (PSTCSP). First, this parameterization of
STCSP is a powerful language capable of specifying hierar-
chical real-time systems with shared variables and complex,
user-deﬁned data structures, in an intuitive manner.
Second, although we show that the emptiness problem is
undecidable for PSTCSP, we develop and compare two semi-
algorithms for parameter synthesis. The ﬁrst one, computing
all reachable states, allows the application of ﬁnite state
timed model checking techniques deﬁned in [27], but does
not often terminate. We also extend the inverse method [5]
to PSTCSP, and give a sufﬁcient termination condition;
this algorithm behaves well in practice, allowing efﬁcient
parameter synthesis even for fully parameterized systems,
i.e., where all timing delays are parametric.
Third, the implementation of PSTCSP within PSyHCoS
offers both an intuitive modeling facility using a graphical
interface, and efﬁcient algorithms for veriﬁcation and pa-
rameter synthesis.
PSTCSP shares similar design principles with integrated
speciﬁcation languages like Timed Communicating Object Z
(TCOZ) [22] and CSP-OZ-DC [19]. The main idea is to treat
sequential terminating programs (rather than Z or Object-Z),
which may indeed be C# programs, as internal events. The
result is a highly expressive modeling language that can be
automatically analyzed by tools.
Plan of the Paper: We recall preliminary notions in
Section II. We introduce PSTCSP in Section III and study its
expressiveness and decidability questions in Section IV. We
introduce algorithms for parameter synthesis in Section V,
and apply them to case studies. We conclude in Section VI.
II. PRELIMINARIES
Finite-Domain Variables: We assume a ﬁnite set 𝒱𝑎𝑟
of ﬁnite-domain variables. Given Var ⊂ 𝒱𝑎𝑟, a variable
valuation is a function assigning to each variable a value
in its domain. We denote by 𝒱(Var) the set of all variable
valuations.
Constraints: We assume a set 𝒳 of clocks, disjoint
with 𝒱𝑎𝑟. A clock is a variable with value in ℝ≥0. All
clocks evolve linearly at the same rate. Given a ﬁnite
set 𝑋 = {𝑥1, . . . , 𝑥𝐻} ⊂ 𝒳 , a clock valuation is a function
𝑤 : 𝑋 → ℝ≥0. We will often identify 𝑤 with the point
(𝑤(𝑥1), . . . , 𝑤(𝑥𝐻)). Given 𝑑 ∈ ℝ≥0, we use 𝑋 + 𝑑 to
denote {𝑥1 + 𝑑, . . . , 𝑥𝐻 + 𝑑}.
We also assume a set 𝒰 of parameters (i.e., un-
known constants) disjoint with 𝒱𝑎𝑟 and 𝒳 . Given 𝑈 =
{𝑢1, . . . , 𝑢𝑀} ⊂ 𝒰 , a parameter valuation is a function
𝜋 : 𝑈 → ℝ≥0. We will often identify 𝜋 with the point
(𝜋(𝑢1), . . . , 𝜋(𝑢𝑀 )).
Given $X \subset \mathcal{X}$ and $U \subset \mathcal{U}$, an inequality over $X$ and $U$ is $e \prec e'$, where $\prec \in \{<, \le\}$, and $e, e'$ are two terms of the form $\sum_{1 \le i \le N} \alpha_i z_i + d$ with $z_i \in X \cup U$, $\alpha_i \in \mathbb{R}_{\ge 0}$ for $1 \le i \le N$, and $d \in \mathbb{R}_{\ge 0}$. We define similarly
inequalities over 𝑋 (resp. 𝑈 ). A constraint is a conjunction
of inequalities. We denote by 𝒦𝑋∪𝑈 the set of all constraints
over 𝑋 and 𝑈 , and similarly for 𝒦𝑋 and 𝒦𝑈 . In the sequel,
we use the following conventions: 𝑤 (resp. 𝜋) denotes a
clock (resp. parameter) valuation; 𝐽 denotes an inequality
over 𝑈 ; 𝐷 ∈ 𝒦𝑋 ; 𝐾 ∈ 𝒦𝑈 ; and 𝐶 ∈ 𝒦𝑋∪𝑈 .
We denote by 𝐷[𝑤] the expression obtained by replacing
in 𝐷 each clock 𝑥 with 𝑤(𝑥). If 𝐷[𝑤] evaluates to true,
we say that 𝑤 satisﬁes 𝐷 (denoted by 𝑤 ∣= 𝐷). We
denote by 𝐶[𝜋] the constraint over 𝑋 obtained by replacing
in 𝐶 each 𝑢 ∈ 𝑈 with 𝜋(𝑢). Likewise, we denote by
𝐶[𝜋][𝑤] the expression obtained by replacing each clock 𝑥
in 𝐶[𝜋] with 𝑤(𝑥). If 𝐶[𝜋][𝑤] evaluates to true, we write
<𝑤, 𝜋> ∣= 𝐶. If ∃𝑤 : <𝑤, 𝜋> ∣= 𝐶, then 𝜋 satisﬁes 𝐶,
denoted by 𝜋 ∣= 𝐶.
Similarly, 𝜋 satisfies 𝐾, denoted by 𝜋 ∣= 𝐾, if the expression obtained by replacing in 𝐾 each 𝑢 ∈ 𝑈 with 𝜋(𝑢) evaluates to true.
Given 𝑋′ ⊆ 𝑋, we denote by ∃𝑋′ : 𝐶 the constraint over 𝑋 and 𝑈 obtained from 𝐶 after elimination¹ of the clocks
of 𝑋 ′. Similarly, we denote by ∃𝑋 : 𝐶 the constraint over 𝑈
obtained from 𝐶 after elimination of all clocks. We denote
by 𝐶/𝑋′ the constraint ∃(𝑋 ∖𝑋 ′) : 𝐶. We deﬁne 𝐶↑ as the
constraint over 𝑋 and 𝑈 obtained from 𝐶 by delaying time,
i.e., by renaming 𝑋 ′ with 𝑋 in the expression: (∃𝑋, 𝑑 :
𝐶 ∧𝑋 ′ = 𝑋 + 𝑑), where 𝑑 is a new parameter with values
in ℝ≥0, and 𝑋 ′ is a fresh set of clocks.
Events: In the following, 𝜏 denotes an unobservable event; ✓ denotes the special event of process termination; Σ denotes the set of observable events such that 𝜏 ∉ Σ and ✓ ∈ Σ; Σ𝜏 = Σ ∪ {𝜏}. Furthermore, the following event naming convention is adopted: 𝑒 ∈ Σ; 𝑎 ∈ Σ𝜏; 𝐸 ⊆ Σ.
¹ Using variable elimination techniques such as Fourier-Motzkin [26].
𝑃 ::= Stop                   inaction
    | Skip                   termination
    | 𝑒 → 𝑃                  event prefixing
    | 𝑎{prg} → 𝑃             data operation
    | if (𝑏) {𝑃} else {𝑄}    conditional choice
    | 𝑃 ∣ 𝑄                  general choice
    | 𝑃 ∖ 𝐸                  hiding
    | 𝑃 ; 𝑄                  sequential composition
    | 𝑃 ∥ 𝑄                  parallel composition
    | Wait[𝑢]                delay*
    | 𝑃 timeout[𝑢] 𝑄         timeout*
    | 𝑃 interrupt[𝑢] 𝑄       timed interrupt*
    | 𝑃 within[𝑢]            timed responsiveness*
    | 𝑃 deadline[𝑢]          deadline*
    | 𝑄                      process referencing
Figure 1. Syntax of PSTCSP processes
Labeled Transition Systems: Labeled transition systems
will be used later on to represent the semantics of PSTCSP.
Definition 2.1: A labeled transition system (LTS) is a tuple ℒ = (𝑆, 𝑠0, Σ𝜏, ⇒) where 𝑆 is a set of states, 𝑠0 ∈ 𝑆 is the initial state, Σ𝜏 is a set of symbols, and ⇒ ⊆ 𝑆 × Σ𝜏 × 𝑆 is a labeled transition relation. We write $s \xRightarrow{a} s'$ for (𝑠, 𝑎, 𝑠′) ∈ ⇒. A run of ℒ is an alternating sequence of states 𝑠𝑖 ∈ 𝑆 and symbols 𝑎𝑖 ∈ Σ𝜏 of the form ⟨𝑠0, 𝑎0, 𝑠1, 𝑎1, ⋯⟩ such that $s_i \xRightarrow{a_i} s_{i+1}$ for all 𝑖. A state 𝑠𝑖 is reachable if it belongs to some run 𝑟. We denote by Runs(ℒ) the set of runs of ℒ.
III. SYNTAX AND SEMANTICS OF PSTCSP
A. Syntax
A process 𝑃 is defined by the grammar in Figure 1, where 𝑢 ∈ 𝑈.² Processes marked with * allow the use of parameters instead of timing constants in STCSP. 𝒫 denotes the set of all possible processes.
Deﬁnition 3.1: A Parametric Stateful Timed CSP (or
PSTCSP) model is M = (Var , 𝑈, 𝑉0, 𝑃,𝐾0) where Var ⊂
𝒱𝑎𝑟, 𝑈 ⊂ 𝒰 , 𝑉0 is the initial variable valuation, 𝑃 ∈ 𝒫 ,
and 𝐾0 ∈ 𝒦𝑈 is an initial constraint.
The initial constraint 𝐾0 allows one to deﬁne constrained
models, where some parameters are already related. For
example, in a timed model with two parameters min and
max , one may want to constrain min to be always smaller
or equal to max , i.e., 𝐾0 = {min ≤ max}.
Hierarchy comes from the nested definition of processes. Each component may have internal hierarchies, and allow abstraction and refinement, in the sense that a subprocess may be replaced by another equivalent one in some cases. Also, this offers a readable syntax, starting from the top level of the system, and being more precisely defined when one goes to lower hierarchical levels.
² Actually, 𝑢 ∈ (𝑈 ∪ ℚ≥0) would be possible too, but having 𝑢 ∈ 𝑈 simplifies the reasoning and proofs.
Instantiation: Given M = (Var, 𝑈, 𝑉0, 𝑃, 𝐾0) and 𝜋 = (𝜋1, . . . , 𝜋𝑀), M[𝜋] denotes the instantiation of M with 𝜋, viz., (Var, 𝑈, 𝑉0, 𝑃, 𝐾), where $K = K_0 \wedge \bigwedge_{i=1}^{M} (u_i = \pi_i)$. This corresponds to the model obtained from M by substituting every occurrence of 𝑢𝑖 by 𝜋𝑖. Note that M[𝜋] is a non-parametric STCSP model.
B. Informal Semantics
We ﬁrst brieﬂy describe the untimed constructs, which
are identical to STCSP. Process Stop does nothing but
idling. Process Skip terminates, possibly after idling for
some time. Process 𝑒→ 𝑃 engages in event 𝑒 ﬁrst and then
behaves as 𝑃 . Note that 𝑒 may serve as a synchronization
barrier, if combined with parallel composition. In order to
seamlessly integrate data operations, sequential programs
may be attached with events. Process 𝑎{prg} → 𝑃 performs
data operation 𝑎 (i.e., executing the sequential prg whilst
generating event 𝑎) and then behaves as 𝑃 . The program
may be a simple procedure updating data variables (e.g.,
𝑎{𝑣1 := 5; 𝑣2 := 3}, where 𝑣1, 𝑣2 ∈ Var ) or a more
complicated sequential program. A conditional choice is
written as if (𝑏) {𝑃} else {𝑄}. Process 𝑃 ∣𝑄 offers an unconditional choice³ between 𝑃 and 𝑄. Process 𝑃 ;𝑄 behaves
as 𝑃 until 𝑃 terminates and then behaves as 𝑄 immediately.
𝑃 ∖𝐸 hides occurrences of events in 𝐸. Parallel composition
of two processes is written as 𝑃 ∥ 𝑄, where 𝑃 and
𝑄 may communicate via multi-party event synchronization
(following CSP rules [18]) or shared variables.
We now explain the parametric timed constructs.
∙ Given a parameter 𝑢, process Wait[𝑢] idles for exactly 𝑢 time units, where 𝑢 is an unknown constant.
∙ In process 𝑃 timeout[𝑢] 𝑄, the first observable event of 𝑃 shall occur before 𝑢 time units elapse. Otherwise, 𝑄 takes over control after exactly 𝑢 time units.
∙ Process 𝑃 interrupt[𝑢] 𝑄 behaves exactly as 𝑃 until 𝑢 time units have elapsed, and then 𝑄 takes over. In contrast to 𝑃 timeout[𝑢] 𝑄, 𝑃 may engage in multiple observable events before it is interrupted. Also note that 𝑄 will be executed in any case, whereas in 𝑃 timeout[𝑢] 𝑄, process 𝑄 will only be executed if no observable event occurs before 𝑢 time units.
∙ Process 𝑃 within[𝑢] must react within 𝑢 time units, i.e., 𝑃 must engage in an observable event within 𝑢 time units.
∙ Process 𝑃 deadline[𝑢] constrains 𝑃 to terminate, possibly after engaging in multiple observable events, before 𝑢 time units.
³ For simplicity, in the discussion, we leave out external and internal choices from the classic CSP [18]. Nevertheless, both constructions are defined in PSTCSP, implemented, and used in our case studies.
Discussion on deadline: The deadline timed construct
intuitively means that a process must terminate within a
certain amount of time. Different deﬁnitions of deadline
actually appear in the literature. In [16], a deﬁnition of the
deadline command is given, and an instantiation as an exten-
sion to the high-integrity SPARK programming language is
proposed. In this case, a static analysis is performed during
the compiling process and, in the case where an inability
to meet the timing constraints occurs, then an appropriate
error feedback is sent to the programmer. As a consequence,
the deadline construction guarantees that the constrained
process will terminate before the speciﬁed deadline.
In [24], the authors use Unifying Theory of Programming
in order to formalize the semantics of TCOZ. As in [16],
they consider that the deadline imposes a timing constraint
on 𝑃 , which thus requires the computation of 𝑃 to be
ﬁnished within the time mentioned in the deadline.
Different from [24], [16], we here choose to stick to the
semantics of STCSP [27] and consider a deadline semantics
as an attempt to terminate a process before a certain time.
If the process does not terminate before the deadline, it is
just stopped⁴.
C. Example: Fischer Mutual Exclusion
We introduce an example to show that PSTCSP is expres-
sive enough to capture concurrent real-time systems.
Example 3.2: Fischer’s mutual exclusion algorithm is
modeled as (Var , 𝑈, 𝑣𝑖,FME ,True), where 𝑈 = {𝛿, 𝛾},
and Var = {turn, cnt}. The turn variable indicates which
process attempted to access the critical section most recently.
The cnt variable counts the number of processes accessing
the critical section. Initial valuation 𝑣𝑖 maps turn to −1 (no
process is attempting initially) and cnt to 0 (no process is
in the critical section initially). Process FME is deﬁned as
follows.
FME ≙ proc(1) ∥ proc(2) ∥ ⋯ ∥ proc(𝑛)
proc(𝑖) ≙ if (turn = −1) {Active(𝑖)} else {proc(𝑖)}
Active(𝑖) ≙ (update.𝑖{turn := 𝑖} → Wait[𝛾]) within[𝛿];
            if (turn = 𝑖) {𝑐𝑠.𝑖{cnt := cnt + 1} → exit.𝑖{cnt := cnt − 1; turn := −1} → proc(𝑖)} else {proc(𝑖)}
where 𝑛 is a constant representing the number of processes.
Process proc(𝑖) models a process with a unique integer
identifier 𝑖. If turn is −1 (i.e., no other process is attempting),
proc(𝑖) behaves as speciﬁed by Active(𝑖). In Active(𝑖),
turn is ﬁrst set to 𝑖 (i.e., the 𝑖th process is now attempting)
by action update.𝑖. Note that update.𝑖 must occur within 𝛿
time units (captured by within[𝛿]). Next, the process idles
for 𝛾 time units. It then checks if turn is still 𝑖. If so, it enters
the critical section and leaves later. Otherwise, it restarts
from the beginning.
⁴ Remark that, in that case, time elapsing may be stopped too.
A classical parameter synthesis problem is to ﬁnd values
of 𝛿 and 𝛾 for which mutual exclusion is guaranteed. A
solution will be given in Section V-C2. □
D. Clock Activation
The semantics uses parameters and clocks. Like in STCSP,
clocks in PSTCSP are implicitly associated with timed
processes – which is different from PTAs. For instance,
given a process 𝑃 timeout[𝑢] 𝑄, an implicit clock should
start whenever this process is activated. A clock starts ticking
once the process becomes activated. Consider the following
process 𝑃 ≙ (Wait[𝑢1]; Wait[𝑢2]) interrupt[𝑢3] 𝑄. There are three implicit clocks, one associated with Wait[𝑢1] (say 𝑥1), one with Wait[𝑢2] (say 𝑥2) and one with 𝑃 (because of interrupt[𝑢3], say 𝑥3). Clocks 𝑥1 and 𝑥3 start at the same time because interrupt[𝑢3] and Wait[𝑢1] are activated together. In contrast, clock 𝑥2
starts only when Wait[𝑢1] terminates. It can be shown that
𝑥1 and 𝑥3 always have the same value and thus one clock
is sufﬁcient. In order to minimize the number of clocks,
we introduce clocks at runtime so that timed processes
which are activated at the same time share the same clock.
Intuitively, a clock is introduced if and only if one or more
timed processes have just become activated.
We recall from [27] how to systematically associate clocks
with timed processes. We write Wait[𝑢]𝑥 to denote that
the process Wait[𝑢] is associated with clock 𝑥. Given a
process 𝑃 and a clock 𝑥, we use function Act(𝑃, 𝑥) to deﬁne
the process with activated clocks. The deﬁnition of Act is
very similar to the one for STCSP (see [27]) and is given
in [6]. For instance, we have Act(𝑃 timeout[𝑢] 𝑄, 𝑥) =
Act(𝑃, 𝑥) timeout[𝑢]𝑥 𝑄, which means that we associate
clock 𝑥 to the timeout construct and recursively activate 𝑃
with 𝑥. However, 𝑄 is not concerned because it is not
activated yet.
We denote by cl(𝑃 ) the set of active clocks associated
with 𝑃 or any subprocess of 𝑃 . For instance, the set of
clocks associated with 𝑃 timeout[𝑢]𝑥 𝑄 contains 𝑥 and
the clocks associated with 𝑃 .
E. Semantics
In the following, we introduce the semantics for PSTCSP
in terms of states containing constraints over 𝑋 and 𝑈 .
Formally, a (symbolic) state 𝑠 of M is a triple (𝑉, 𝑃,𝐶)
where 𝑉 is a variable valuation, 𝑃 ∈ 𝒫 is a process, and
𝐶 ∈ 𝒦𝑋∪𝑈 . For each parameter valuation 𝜋, we may view
a state 𝑠 = (𝑉, 𝑃,𝐶) as the set of triples (𝑉, 𝑃,𝑤) where 𝑤
is a clock valuation such that <𝑤, 𝜋> ∣= 𝐶.
1) Idling Function: We adapt in the following the func-
tion idle, deﬁned in [27], which, given a process, calculates
a constraint expressing how long the process can idle. The
result is in the form of a constraint over the clocks and the
parameters. Figure 2 shows the detailed deﬁnition. Rules
i1 to i5 state that if the process is untimed and none of
idle(Stop) = True i1
idle(Skip) = True i2
idle(𝑒→ 𝑃 ) = True i3
idle(𝑎{prg} → 𝑃 ) = True i4
idle(if (𝑏) {𝑃} else {𝑄}) = True i5
idle(𝑃 ∣𝑄) = idle(𝑃 ) ∧ idle(𝑄) i6
idle(𝑃 ∖𝐸) = idle(𝑃 ) i7
idle(𝑃 ;𝑄) = idle(𝑃 ) i8
idle(𝑃 ∥ 𝑄) = idle(𝑃 ) ∧ idle(𝑄) i9
idle(Wait[𝑢]𝑥) = 𝑥 ≤ 𝑢 i10
idle(𝑃 timeout[𝑢]𝑥 𝑄) = 𝑥 ≤ 𝑢 ∧ idle(𝑃 ) i11
idle(𝑃 interrupt[𝑢]𝑥 𝑄) = 𝑥 ≤ 𝑢 ∧ idle(𝑃 ) i12
idle(𝑃 within[𝑢]𝑥) = 𝑥 ≤ 𝑢 ∧ idle(𝑃 ) i13
idle(𝑃 deadline[𝑢]𝑥) = 𝑥 ≤ 𝑢 ∧ idle(𝑃 ) i14
idle(𝑃 ) = idle(𝑄) if 𝑃 .= 𝑄 i15
Figure 2. Idling calculation
its subprocesses is activated, then the function returns true.
Intuitively, it means that the process may idle for arbitrary
amount of time. Rules i6 to i9 state that if subprocesses
of the process are activated, then function idle is applied
to the subprocesses. For instance, if the process is a choice
(rule i6) or a parallel composition (rule i9) of 𝑃 and 𝑄,
then the result is idle(𝑃 ) ∧ idle(𝑄). Intuitively, this means
that process 𝑃 ∣𝑄 (or 𝑃 ∥ 𝑄) may idle as long as both 𝑃
and 𝑄 can idle. Rules i10 to i14 deﬁne the cases when the
process is timed. For instance, process Wait[𝑢]𝑥 may idle
as long as 𝑥 is less than or equal to 𝑢.
2) Semantics: We now define the semantics of PSTCSP in the form of an LTS. Let 𝑌 = ⟨𝑥0, 𝑥1, ⋯⟩ be a sequence of clocks.
Definition 3.3: Let M = (Var, 𝑈, 𝑉0, 𝑃, 𝐾0) be a PSTCSP model. The semantics of M, denoted by ℒM, is an LTS (𝑆, 𝑠0, Σ𝜏, ⇒) where 𝑆 = {(𝑉, 𝑃, 𝐶) ∈ 𝒱(Var) × 𝒫 × 𝒦𝑋∪𝑈}, 𝑠0 = (𝑉0, 𝑃, 𝐾0) and the transition relation ⇒ is the smallest transition relation satisfying the following. For all (𝑉, 𝑃, 𝐶) ∈ 𝑆, if 𝑥 is the first clock in the sequence 𝑌 which is not in cl(𝑃), and $(V, \mathit{Act}(P, x), C \wedge x = 0) \overset{a}{\leadsto} (V', P', C')$, then $((V, P, C), a, (V', P', C'_{/cl(P')})) \in {\Rightarrow}$.
The transition relation⇝ is speciﬁed by a set of rules; we
give in Figure 3 the rules for the parametric timed constructs
of PSTCSP. Other rules are quite similar to STCSP, and are
detailed in [6].
The rule 𝑎𝑤𝑎𝑖𝑡 deﬁning ⇝ for Wait says that a 𝜏 -
transition occurs exactly when 𝑥 = 𝑢. Intuitively, 𝐶↑∧𝑥 = 𝑢
denotes the time when 𝑢 time units elapsed since 𝑥 has
started. Other rules can be explained in a similar manner.
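Clock activation (Act and cl) from Section III-D, the idle function of Figure 2 and the clock-picking step of Definition 3.3 can be made concrete on a small process syntax. The following Python block is an added example written for this page; it is not code from the paper or from PSyHCoS. It represents processes as nested tuples, attaches a clock to every timed construct that is active at activation time, computes idle(𝑃) as a list of clock ≤ parameter pairs, and picks the first free clock of 𝑌. Only the timeout case of Act is spelled out on this page; the rules for the other constructs are this example's reading of the informal semantics of Sections III-B and III-D (an assumption, marked in the code), as is the treatment of process references, which are unfolded on activation and assumed to be guarded so that unfolding terminates. Clock names start at 𝑥1 to match the states of Section V; `act`, `idle`, `clocks`, `fresh_clock` and `demo` are this example's own names.

```python
# Processes are nested tuples. Every timed construct carries a clock slot that is None until
# act() activates it; a filled slot is the subscript x of Wait[u]_x in the paper.
STOP, SKIP = ("Stop",), ("Skip",)
def prefix(e, p):               return ("prefix", e, p)          # e -> P, also a{prg} -> P
def cond(b, p, q):              return ("if", b, p, q)
def choice(p, q):               return ("choice", p, q)
def hide(p, events):            return ("hide", p, frozenset(events))
def seq(p, q):                  return ("seq", p, q)
def par(p, q):                  return ("par", p, q)
def wait(u, x=None):            return ("wait", u, x)
def timeout(p, u, q, x=None):   return ("timeout", p, u, q, x)
def interrupt(p, u, q, x=None): return ("interrupt", p, u, q, x)
def within(p, u, x=None):       return ("within", p, u, x)
def deadline(p, u, x=None):     return ("deadline", p, u, x)
def ref(name):                  return ("ref", name)


def act(p, x, defs):
    """Act(P, x): attach clock x to each timed construct that is active now and not yet clocked.
    The page only shows the timeout case; the other cases are this example's assumption,
    following the informal semantics (only the running component of P;Q is active, both
    sides of a choice or a parallel composition are, the Q of a timeout/interrupt is not)."""
    tag = p[0]
    if tag == "wait":
        return wait(p[1], p[2] or x)
    if tag in ("timeout", "interrupt"):          # an already clocked construct keeps its clock,
        _, p1, u, q, clk = p                     # but its running component P is still visited
        return (tag, act(p1, x, defs), u, q, clk or x)
    if tag in ("within", "deadline"):
        _, p1, u, clk = p
        return (tag, act(p1, x, defs), u, clk or x)
    if tag == "seq":
        return seq(act(p[1], x, defs), p[2])
    if tag in ("choice", "par"):
        return (tag, act(p[1], x, defs), act(p[2], x, defs))
    if tag == "hide":
        return hide(act(p[1], x, defs), p[2])
    if tag == "ref":  # assumption: unfold the definition (guarded recursion, so this stops)
        return act(defs[p[1]], x, defs)
    return p  # Stop, Skip, prefix, if: nothing is ticking before the next event


def idle(p, defs):
    """idle(P) of Figure 2 as a list of (clock, parameter) pairs, each meaning clock <= parameter;
    the empty list is True. Unclocked timed constructs are not active yet and contribute nothing."""
    tag = p[0]
    if tag in ("choice", "par"):                      # i6, i9
        return idle(p[1], defs) + idle(p[2], defs)
    if tag in ("hide", "seq"):                        # i7, i8
        return idle(p[1], defs)
    if tag == "wait":                                 # i10
        return [(p[2], p[1])] if p[2] else []
    if tag in ("timeout", "interrupt"):               # i11, i12
        return ([(p[4], p[2])] if p[4] else []) + idle(p[1], defs)
    if tag in ("within", "deadline"):                 # i13, i14
        return ([(p[3], p[2])] if p[3] else []) + idle(p[1], defs)
    if tag == "ref":                                  # i15
        return idle(defs[p[1]], defs)
    return []                                         # i1-i5: Stop, Skip, prefix, if


def clocks(p, defs):
    """cl(P): the clocks attached to P or any of its active subprocesses."""
    return {x for x, _ in idle(p, defs)}


def fresh_clock(p, defs):
    """Definition 3.3 picks the first clock of Y not in cl(P); Y is taken as <x1, x2, ...> here."""
    used, k = clocks(p, defs), 1
    while f"x{k}" in used:
        k += 1
    return f"x{k}"


def demo():
    defs = {"Q": STOP, "P": STOP}  # placeholder bodies for the referenced processes
    # Section III-D: P = (Wait[u1]; Wait[u2]) interrupt[u3] Q. One clock serves both
    # Wait[u1] and the interrupt (the x1 and x3 of the text); Wait[u2] is not clocked yet.
    P = interrupt(seq(wait("u1"), wait("u2")), "u3", ref("Q"))
    P_act = act(P, fresh_clock(P, defs), defs)
    # Section V, state s1: after event a, Wait[u2] becomes active while interrupt[u1] keeps x1,
    # so the next free clock x2 is attached to Wait[u2].
    s1 = interrupt(seq(wait("u2"), prefix("b", STOP)), "u1", prefix("c", ref("P")), x="x1")
    s1_act = act(s1, fresh_clock(s1, defs), defs)
    # Fischer's Active(i): within[delta] is clocked at once, but Wait[gamma] sits behind the
    # update event and gets its clock only when that event has fired.
    active = seq(within(prefix("update.1", wait("gamma")), "delta"), cond("turn = 1", STOP, STOP))
    active_act = act(active, "x1", defs)
    return {"P": P_act, "idle_P": idle(P_act, defs), "s1": s1_act, "idle_s1": idle(s1_act, defs),
            "active": active_act, "idle_active": idle(active_act, defs)}
```

Running `demo()` shows the two facts the text states informally: the interrupt of Section III-D and its first Wait share one clock (idle gives 𝑥1 ≤ 𝑢3 ∧ 𝑥1 ≤ 𝑢1), and in state 𝑠1 of Section V the clock budget grows to two (𝑥1 ≤ 𝑢1 ∧ 𝑥2 ≤ 𝑢2) only because Wait[𝑢2] became active later than the interrupt.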
Let us explain further Definition 3.3. Given a state (𝑉, 𝑃, 𝐶), a clock 𝑥 which is not currently associated with 𝑃 is picked. The state (𝑉, 𝑃, 𝐶) is transformed into (𝑉, Act(𝑃, 𝑥), 𝐶 ∧ 𝑥 = 0), i.e., timed processes which just became activated are associated with 𝑥 and 𝐶 is conjoined with 𝑥 = 0. Then, a firing rule is applied to get a target state (𝑉′, 𝑃′, 𝐶′). Lastly, clocks which are not in cl(𝑃′) are pruned from 𝐶′. Observe that one clock may be introduced and zero or more clocks may be pruned during a transition.
(await): $(V, \mathrm{Wait}[u]_x, C) \overset{\tau}{\leadsto} (V, \mathrm{Skip}, C^{\uparrow} \wedge x = u)$
(ato1): if $(V, P, C) \overset{\tau}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{timeout}[u]_x\ Q, C) \overset{\tau}{\leadsto} (V', P'\ \mathrm{timeout}[u]_x\ Q, C' \wedge x \le u)$
(ato2): if $(V, P, C) \overset{e}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{timeout}[u]_x\ Q, C) \overset{e}{\leadsto} (V', P', C' \wedge x \le u)$
(ato3): $(V, P\ \mathrm{timeout}[u]_x\ Q, C) \overset{\tau}{\leadsto} (V, Q, C^{\uparrow} \wedge x = u \wedge \mathit{idle}(P))$
(ait1): if $(V, P, C) \overset{a}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{interrupt}[u]_x\ Q, C) \overset{a}{\leadsto} (V', P'\ \mathrm{interrupt}[u]_x\ Q, C' \wedge x \le u)$
(ait2): $(V, P\ \mathrm{interrupt}[u]_x\ Q, C) \overset{\tau}{\leadsto} (V, Q, C^{\uparrow} \wedge x = u \wedge \mathit{idle}(P))$
(awi1): if $(V, P, C) \overset{\tau}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{within}[u]_x, C) \overset{\tau}{\leadsto} (V', P'\ \mathrm{within}[u]_x, C' \wedge x \le u)$
(awi2): if $(V, P, C) \overset{e}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{within}[u]_x, C) \overset{e}{\leadsto} (V', P', C' \wedge x \le u)$
(adl1): if $(V, P, C) \overset{a}{\leadsto} (V', P', C')$ with $a \neq \checkmark$ then $(V, P\ \mathrm{deadline}[u]_x, C) \overset{a}{\leadsto} (V', P'\ \mathrm{deadline}[u]_x, C' \wedge x \le u)$
(adl2): if $(V, P, C) \overset{\checkmark}{\leadsto} (V', P', C')$ then $(V, P\ \mathrm{deadline}[u]_x, C) \overset{\checkmark}{\leadsto} (V', P', C' \wedge x \le u)$
Figure 3. Firing rules for the parametric timed constructs
Example 3.4: Let us consider the following state 𝑠1 = (𝑉, Wait[𝑢1] interrupt[𝑢2] Skip, 𝑢2 < 𝑢1). Activation with 𝑥1 gives (𝑉, Wait[𝑢1]𝑥1 interrupt[𝑢2]𝑥1 Skip, 𝑢2 < 𝑢1 ∧ 𝑥1 = 0). Applying firing rule ait2 gives state (𝑉, Skip, 𝐶) with 𝐶 = (𝑢2 < 𝑢1 ∧ 𝑥1 = 0)↑ ∧ 𝑥1 = 𝑢2 ∧ idle(Wait[𝑢1]𝑥1), viz., 𝑢2 < 𝑢1 ∧ 𝑥1 ≥ 0 ∧ 𝑥1 = 𝑢2 ∧ 𝑥1 ≤ 𝑢1. Then, we remove 𝑥1 from 𝐶 because it does not appear within Skip; this gives the new state 𝑠2 = (𝑉, Skip, 𝑢2 < 𝑢1).
We can also apply firing rule ait1 (and hence await) to 𝑠1, which gives (𝑉, Skip interrupt[𝑢2]𝑥1 Skip, 𝐶′) with 𝐶′ = 𝑢2 < 𝑢1 ∧ 𝑥1 = 𝑢1 ∧ 𝑥1 ≤ 𝑢2. This constraint is unsatisfiable, hence this state is discarded. □
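The constraint operations of Section II (time elapsing 𝐶↑, elimination of clocks, satisfiability of a state's constraint) and the two derivations of Example 3.4 can be checked mechanically. The following Python block is an added example written for this page, not code from the paper or from PSyHCoS: it represents a constraint as a conjunction of linear inequalities with rational coefficients, implements Fourier-Motzkin elimination (exact over the reals, which is what the paper's projections need, including the rule that combining a strict inequality with any other one gives a strict one), the delay operator, and a redundancy filter, then replays the two firings of Example 3.4. The variable names 𝑢1, 𝑢2, 𝑥1 follow the example; the helper names (`Ineq`, `elapse`, `project`, `minimize`, `example_3_4`) are this example's own, and parameters are not constrained to ℝ≥0 here unless the constraint says so.

```python
from fractions import Fraction
from itertools import product


class Ineq:
    """A linear inequality  sum(coef[v] * v) + const  (<= or <)  0  over the rationals."""
    def __init__(self, coef, const=0, strict=False):
        self.coef = {v: Fraction(c) for v, c in coef.items() if Fraction(c) != 0}
        self.const, self.strict = Fraction(const), strict

    def key(self):
        return (tuple(sorted(self.coef.items())), self.const, self.strict)

    def scaled(self, k):
        return Ineq({v: c * k for v, c in self.coef.items()}, self.const * k, self.strict)

    def add(self, other):
        coef = dict(self.coef)
        for v, c in other.coef.items():
            coef[v] = coef.get(v, 0) + c
        # the sum of a strict inequality and any other one is strict
        return Ineq(coef, self.const + other.const, self.strict or other.strict)

    def negated(self):  # not (e <= 0) is -e < 0 ; not (e < 0) is -e <= 0
        return Ineq({v: -c for v, c in self.coef.items()}, -self.const, not self.strict)

    def rename(self, mapping):
        return Ineq({mapping.get(v, v): c for v, c in self.coef.items()}, self.const, self.strict)

    def __repr__(self):
        terms = " + ".join(f"{c}*{v}" for v, c in sorted(self.coef.items())) or "0"
        return f"{terms} + {self.const} {'<' if self.strict else '<='} 0"


# A constraint is a list of Ineq; the builders return lists so that `+` conjoins them.
def le(coef, const=0): return [Ineq(coef, const, False)]  # e <= 0
def lt(coef, const=0): return [Ineq(coef, const, True)]   # e <  0
def eq(coef, const=0): return le(coef, const) + le({v: -c for v, c in coef.items()}, -const)

def variables(constraint):
    return {v for i in constraint for v in i.coef}

def eliminate(constraint, var):
    """One Fourier-Motzkin step: drop `var`, keeping exactly its projection over the reals."""
    pos = [i for i in constraint if i.coef.get(var, 0) > 0]
    neg = [i for i in constraint if i.coef.get(var, 0) < 0]
    out = [i for i in constraint if var not in i.coef]
    for p, n in product(pos, neg):
        # p carries a*var (a > 0) and n carries -b*var (b > 0): b*p + a*n cancels var
        out.append(p.scaled(-n.coef[var]).add(n.scaled(p.coef[var])))
    return out

def project(constraint, keep):
    """The paper's ∃(variables not in keep): C. Returns None when C is unsatisfiable."""
    for v in sorted(variables(constraint) - set(keep)):
        constraint = eliminate(constraint, v)
    out = {}
    for i in constraint:
        if not i.coef:  # constant inequality: trivially true, or a contradiction
            if not (i.const < 0 if i.strict else i.const <= 0):
                return None
            continue
        out[i.key()] = i  # drop syntactic duplicates produced by the combinations
    return list(out.values())

def satisfiable(constraint): return project(constraint, keep=()) is not None
def entails(constraint, ineq): return not satisfiable(constraint + [ineq.negated()])

def minimize(constraint):
    """Remove every inequality implied by the others (an equivalent, smaller conjunction)."""
    kept = list(constraint)
    for i in list(constraint):
        rest = [j for j in kept if j is not i]
        if entails(rest, i):
            kept = rest
    return kept

def elapse(constraint, clocks):
    """C↑ of Section II: all clocks advance by one common delay d >= 0, parameters stay put.
    Rename each clock x to x_old, add x = x_old + d and d >= 0, then eliminate x_old and d."""
    old = {x: x + "_old" for x in clocks}
    c = [i.rename(old) for i in constraint] + le({"_d": -1})  # -d <= 0
    for x in clocks:
        c += eq({x: 1, old[x]: -1, "_d": -1})  # x - x_old - d = 0
    return project(c, keep=variables(constraint) | set(clocks))

def example_3_4():
    """Replay Example 3.4 from s1 = (V, Wait[u1] interrupt[u2] Skip, u2 < u1)."""
    U = ["u1", "u2"]
    activated = lt({"u2": 1, "u1": -1}) + eq({"x1": 1})  # u2 < u1 ∧ x1 = 0
    idle_wait = le({"x1": 1, "u1": -1})  # idle(Wait[u1]_x1) = x1 <= u1
    # rule ait2: the interrupt fires at x1 = u2 while Wait[u1] may still idle
    after_ait2 = elapse(activated, ["x1"]) + eq({"x1": 1, "u2": -1}) + idle_wait
    s2 = project(after_ait2, keep=U)  # Skip owns no clock, so x1 is pruned
    # rule ait1 via await: Wait[u1] fires at x1 = u1, but the interrupt demands x1 <= u2
    after_ait1 = elapse(activated, ["x1"]) + eq({"x1": 1, "u1": -1}) + le({"x1": 1, "u2": -1})
    return minimize(s2), satisfiable(after_ait1)
```

`example_3_4()` returns the pruned constraint of 𝑠2, which after redundancy removal is 𝑢2 < 𝑢1 together with 𝑢2 ≥ 0 (a consequence of 𝑥1 ≥ 0 ∧ 𝑥1 = 𝑢2 that the paper leaves implicit since parameters range over ℝ≥0), and `False` for the ait1 branch, i.e., that state is discarded exactly as in the example. The same three functions (`elapse`, `project`, `satisfiable`) are what an implementation of Definition 3.3 calls on every transition: elapse and conjoin on firing, project onto 𝑈 ∪ cl(𝑃′) on pruning, and discard the state when the result is unsatisfiable.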
IV. EXPRESSIVENESS AND UNDECIDABILITY
A. Expressiveness
We ﬁrst state that STCSP is equivalent to closed
timed 𝜖-automata [23], i.e., timed safety automata with 𝜖-
transitions [10] and exclusively closed guards and invariants
(i.e., whose inequalities are of the form 𝑒 ≤ 𝑒′, with 𝑒, 𝑒′
linear terms).
Lemma 4.1: Stateful Timed CSP is as expressive as
closed timed 𝜖-automata.
Proof: We ﬁrst show that STCSP without the deadline
and the within constructs is equivalent to Timed CSP. It is
known that all Timed CSP constructs, including timeout
and interrupt can be derived from Wait[𝑑] and CSP
constructs [15]. It has been shown that the expressive power
of Timed CSP is equal to closed timed 𝜖-automata [23]. As a
consequence, STCSP without the deadline and the within
constructs is equivalent to Timed CSP.
Furthermore, the within construct can be deﬁned us-
ing the deadline construct: considering 𝑃 within[𝑑],
this can be achieved by executing 𝑃 in parallel with
𝑄 deadline[𝑑];𝑅, with 𝑄 a process synchronizing on any
observable event with 𝑃 , and 𝑅 a process synchronizing,
possibly several times, on any observable event with 𝑃 .
Finally, the deadline[𝑑] construct can be easily translated into a closed timed 𝜖-automaton by adding a location with an invariant 𝑥 ≤ 𝑑, for some additional clock 𝑥 reset to 0 when the process deadline[𝑑] is activated.
We deﬁne parametric closed timed 𝜖-automata as a para-
metric extension of closed timed 𝜖-automata, following the
parameterization of TAs into PTAs [3]. It follows from
Lemma 4.1 that PSTCSP is equivalent to parametric closed
timed 𝜖-automata.
Proposition 4.2: Parametric Stateful Timed CSP is as
expressive as parametric closed timed 𝜖-automata.
Since closed timed 𝜖-automata are a subclass of 𝜖-TAs [4], parametric closed timed 𝜖-automata are a subclass of 𝜖-PTAs. As a corollary of Proposition 4.2, PSTCSP is less expressive than 𝜖-PTAs, but incomparable with PTAs.
We believe that PSTCSP is an interesting formalism because one can make use of complex data structures, and because its 𝜏-transitions provide a compositionality of sub-components that PTAs lack. Furthermore,
high level real-time system requirements often state the
system timing constraints in terms of deadline, timeout or
wait, which can be regarded as common timing patterns. For
example, “task P must complete within 𝑢 units of time” is
a typical one (deadline[𝑢]). PSTCSP is better suited for
specifying the requirements of complex real-time systems
because it has the exact language constructs that can directly
capture those common timing patterns. On the other hand,
if PTAs are considered to be used to capture high level real-
time requirements, then one often needs to manually cast
those timing patterns into a set of clock variables explicitly
and carefully design the constraints. Also, although tools
exist for specifying hierarchy or some data structures for
(non-parametric) TAs, such as UPPAAL, PSTCSP is, as far
as we know, the ﬁrst fully parametric formalism allowing to
combine hierarchical aspects, shared variables and complex
data structures in a single and readable formalism.
B. Membership and Emptiness
We consider here the questions of membership (“is a
parameter valuation consistent with a model?”) and empti-
ness (“given a model M, does there exist a parameter
valuation consistent with M?”). Both questions refer to the
notion of consistency. For PTAs, consistency is deﬁned as
the acceptance of at least one timed word. This notion of
acceptance of words relies on the existence of accepting
locations: a timed word is accepted by a PTA A if A ends
up in an accepting location after reading it. However, CSP
(and its timed, parametric extensions) does not feature the
notion of “accepting” processes. We consider instead the
reachability problem: does an execution starting from a
process 𝑃0 lead to a given process 𝑃 ?
Formally, given a PSTCSP model M of initial state (𝑉0, 𝑃0, 𝐶0) and a process 𝑃 ∈ 𝒫, we denote by Π(M) the set of parameter valuations consistent with M, i.e., the set of valuations $\pi : U \to \mathbb{R}_{\ge 0}$ for which some state $(V, P, C)$, with $V$ and $C$ arbitrary, is reachable from $(V_0, P_0, C_0)$ in a run of $\mathcal{L}_{M[\pi]}$.
The membership problem is decidable for PSTCSP: it
sufﬁces to consider the STCSP model M[𝜋] and solve this
problem using techniques developed in [27].
Theorem 4.3 (Undecidability of emptiness): Let M be a
PSTCSP model, and 𝑃 a process. The problem of deciding
if Π(M) is empty is undecidable.
Proof: By reduction of the halting problem for 2-
counter machines to the problem of testing if there exists
a parameter valuation consistent with a PSTCSP model,
following the reduction used in [3] (see proof in [6]).
An immediate corollary is that parameter synthesis is
undecidable in general.
V. PARAMETER SYNTHESIS
We use in this section a model Mex = (∅, {𝑢1, 𝑢2}, ∅, 𝑃, True) with 𝑃 ≙ (𝑎 → Wait[𝑢2]; 𝑏 → Stop) interrupt[𝑢1] 𝑐 → 𝑃, in order to illustrate our algorithms.
A. State Space Exploration
Recall from Deﬁnition 2.1 that a state 𝑠 is reachable in one
step from another state 𝑠′ if 𝑠 is the successor of 𝑠′ in a run.
This definition extends to sets of states: Given a PSTCSP model M, one defines PostM(𝑆) (resp. Post^𝑖_M(𝑆)) as the set of states reachable from a set 𝑆 of states in one step (resp. 𝑖 steps). Formally, $\mathit{Post}_M(S) = \{ s' \mid \exists s \in S, \exists a \in \Sigma_\tau : s \xRightarrow{a} s' \}$, and $\mathit{Post}^*_M(S)$ is defined as the set of all states reachable from $S$ in $M$, i.e., $\mathit{Post}^*_M(S) = \bigcup_{i \ge 0} \mathit{Post}^i_M(S)$.
We can deﬁne a semi-algorithm reachAll(M) as a classical
ﬁxpoint computation, which iteratively computes Post∗M(𝑆)
(and does not terminate if it is inﬁnite).
Application: Let us apply reachAll to Mex . Since we
have no variable, we denote for the sake of conciseness the
states by (𝑃,𝐶), where 𝑃 is the current process, and 𝐶
the current constraint over 𝑋 and 𝑈 . We get the following
states, depicted in Figure 4 using a directed graph whose
edges are labeled with actions.
s0 = ((a → Wait[u2]; b → Stop) interrupt[u1]_{x1} c → P, 0 ≤ x1 ≤ u1)
s1 = ((Wait[u2]_{x2}; b → Stop) interrupt[u1]_{x1} c → P, 0 ≤ x2 ≤ x1 ≤ u1 ∧ x2 ≤ u2)
s2 = (c → P, True)
s3 = ((Skip; b → Stop) interrupt[u1]_{x1} c → P, u2 ≤ x1 ≤ u1)
s4 = ((b → Stop) interrupt[u1]_{x1} c → P, u2 ≤ x1 ≤ u1)
s5 = (c → P, u2 ≤ u1)
s6 = (Stop interrupt[u1]_{x1} c → P, u2 ≤ x1 ≤ u1)
s7 = (P, u2 ≤ u1)
s8 = ((Wait[u2]_{x2}; b → Stop) interrupt[u1]_{x1} c → P, 0 ≤ x2 ≤ x1 ≤ u1 ∧ u2 ≤ u1)
Figure 4. States reachable in model Mex (directed graph over s0, ..., s8 whose edges are labeled with the actions a, b, c and τ).
The interpretation of the graph is as follows: the projection
onto 𝑈 of the constraint associated with states 𝑠0, 𝑠1 and 𝑠2
is True . Hence, these states can be reached for any valuation
of 𝑢1 and 𝑢2. However, the projection onto 𝑈 of the
constraint associated with the other states is 𝑢2 ≤ 𝑢1. Hence,
these states can only be reached for parameter valuations
satisfying this inequality. □
Proposition 5.1: Let M be a PSTCSP model. Then Algo-
rithm reachAll(M) does not terminate in the general case.
Proof: See counterexample in Example 5.2.
Example 5.2: Consider the PSTCSP model M =
(∅, {𝑢1, 𝑢2}, ∅, 𝑃,True) where 𝑃 .= 𝑄 interrupt[𝑢1] 𝑏→
Skip and 𝑄 .= 𝑎 → Wait[𝑢2];𝑄. Starting from the initial
state, reachAll will go into an inﬁnite loop, generating in
particular states of the form (∅, 𝑃, 𝑖 ∗𝑢2 ≤ 𝑥1 ≤ 𝑢1), with 𝑖
inﬁnitely growing (details are given in [6]). □
Model Checking: When the set of reachable states is
ﬁnite, one can apply to the reachability graph ﬁnite-state
model checking techniques, such as most techniques deﬁned
in [27] for STCSP (e.g., model checking with and without
non-Zenoness assumption, and reﬁnement checking). One
can also extend such techniques to perform parameter syn-
thesis. Instead of replying “yes” or “no” to a request, one can
output a constraint such that the request is valid or violated.
Unfortunately, in most cases, the set of reachable states in PSTCSP (as in other parametric timed formalisms) is infinite.⁵ Hence the techniques (even on-the-fly) defined in the non-parametric framework do not apply anymore.
⁵ For timed systems, the state space is always infinite because of dense time. Here, we mean that the number of (symbolic) states (V, P, C) is infinite too.
B. Parameter Synthesis Using the Inverse Method
We show here how to adapt to PSTCSP the inverse method IM proposed in [5] for PTAs. Given a PTA A and a reference parameter valuation π, IM synthesizes a constraint K on the parameters such that, for all π′ ⊨ K, the time-abstract behavior (i.e., the sequences of locations and actions) of A instantiated with π and of A instantiated with π′ are the same. Hence, all linear-time properties valid in A instantiated with π are also valid in A instantiated with π′, and vice versa.
In order to adapt IM to the framework of PSTCSP, we
need to check whether the constraint associated with a state
is satisﬁed by a given parameter valuation. This refers to the
following notion of 𝜋-compatibility.
Definition 5.3 (π-compatibility): Let M be a PSTCSP model, and s = (V, P, C) be a state of M. The state s is said to be π-compatible if π ⊨ C, and π-incompatible otherwise.
In order to characterize the properties of IM , we deﬁne
the notion of trace as an alternating sequence of processes
and actions.
Definition 5.4 (Trace): Given a PSTCSP model $\mathcal{M}$ and a run $r$ of $\mathcal{M}$ of the form $(V_0, P_0, C_0) \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} (V_m, P_m, C_m)$, the trace associated with $r$ is the alternating sequence of processes and actions $P_0 \xRightarrow{a_0} \cdots \xRightarrow{a_{m-1}} P_m$. The trace set of $\mathcal{M}$ is the set of all traces associated with the runs of $\mathcal{M}$.
We give in Figure 5 the adaptation of IM(M, π) to PSTCSP. Starting with a constraint K = K0, we iteratively compute a growing set of reachable states. When a π-incompatible state (V, P, C) is encountered (i.e., when π ⊭ C), K is refined as follows: a π-incompatible inequality J (i.e., such that π ⊭ J) is selected within the projection of C onto the parameters U, and the negation ¬J of J is added to K. The procedure is then started again with this new K, and so on, until a fixpoint is reached (i.e., all new states have been met before, or no new state is reachable). We finally return the intersection of the projections onto U of the constraints associated with all reachable states.
Most properties of IM for PTAs also apply to our
framework. In particular, IM preserves the equality of trace
sets, as deﬁned below.
Proposition 5.5: Let M be a PSTCSP model, and 𝜋 a
parameter valuation. Let 𝐾 = IM (M, 𝜋). Then: (1) 𝜋 ∣= 𝐾,
and (2) for all 𝜋′ ∈ 𝐾, the trace sets of M[𝜋] and M[𝜋′] are
the same.
Proof: By a reasoning similar to [5].
As a consequence, all linear-time properties valid for M[π] are preserved in M[π′], for all π′ ∈ K. This holds for properties expressed in LTL, and also for those expressed in the state/event logic SE-LTL [11].
Advantages: The efficiency of IM in practice comes from the fact that the exploration of the state space is very partial: branches are cut as soon as they differ from π. Furthermore, in contrast to classical model checking techniques, transitions are not stored in memory; only states are needed (see Figure 5). Although IM is not guaranteed to output the weakest constraint (i.e., the largest set of parameters), it often does (see Section V-C2); and it is always guaranteed to output a dense set of parameter valuations in |U| dimensions, both non-null and non-reduced to a point.

Require: PSTCSP model M = (Var, U, V0, P, K0)
Require: Parameter valuation π
Ensure: Constraint K over the parameters
 1: i ← 0 ; K ← K0 ; S ← {(V0, P, K)}
 2: while True do
 3:   while there are π-incompatible states in S do
 4:     Select a π-incompatible state (V, P, C) of S
 5:     Select a π-incompatible J in C/U
 6:     K ← K ∧ ¬J
 7:     S ← ∪_{j=0..i} Post^j_M({(V0, P, K)})
 8:   end while
 9:   if Post_M(S) ⊆ S then
10:     return ∩_{(V,P,C) ∈ S} C/U
11:   end if
12:   i ← i + 1 ; S ← S ∪ Post_M(S)
13: end while
Figure 5. Algorithm IM(M, π)
Termination of IM is not guaranteed in the general case;
however, it terminates for all our case studies. For instance,
the application of IM to Example 5.2 terminates for any
non-null parameter valuation, although Algorithm reachAll
does not terminate. It has been shown that termination is
guaranteed for PTAs whose associated graph is acyclic. This
can be extended to PSTCSP, if a process has no recursion
(i.e., no cyclic dependencies between subprocesses).
Proposition 5.6: IM (M, 𝜋) terminates if M has no recur-
sion.
Actually, whereas it is possible to ﬁnd counterexamples
for IM in the setting of PTAs, we were not able to exhibit
any example in PSTCSP (with non-null parameter valua-
tions) such that IM does not terminate. For instance, IM
terminates for Example 5.2, although it contains a recursive
deﬁnition. This is not trivial, since a standard reachability
analysis would go into an inﬁnite loop, precisely because the
recursion is under the parameterized interrupt construct,
where 𝑢1 can be arbitrarily big when compared to 𝑢2. This
result is of particular interest since parameter synthesis is
undecidable for PSTCSP.
Furthermore, IM gives a criterion of robustness: it guar-
antees that, if the system is correct for 𝜋, it will also be
correct for valuations around 𝜋 (viz., for all valuations
satisfying IM (M, 𝜋)). This gives a quantitative measure of
the implementability of a timed system.
Application: Let us apply IM to Mex and π: u1 = 1 ∧ u2 = 2. One can intuitively understand IM by looking at the graph of Figure 4: states s0, s1 and s2 are computed with a constraint whose projection onto U is True, hence π-compatible. Then state s3 is computed, with constraint u2 ≤ u1, which is π-incompatible because π is such that u2 > u1. When recomputing S with u2 > u1 added to K, the constraint associated with s3 becomes unsatisfiable, and this state is discarded. Hence, a fixpoint is reached, and the intersection of the projections of the constraints onto U is returned (viz., u2 > u1). By Proposition 5.5, for all π′ ⊨ u2 > u1, the trace set of Mex[π′] is the same as that of Mex[π].
It can also be shown that applying IM to Mex and a valuation such that u2 ≤ u1 (e.g., u1 = 2 and u2 = 1) yields the result u2 ≤ u1.
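The following is an added, self-contained example (it is not code from the paper or from PSyHCoS) that implements the loop of Figure 5 together with the Post / bounded Post* operators of Section V-A, and runs it on the two reference valuations used above. It makes three simplifying assumptions, all of our own: (1) each symbolic state carries only the projection of its constraint onto the parameters U, which is all that the π-compatibility test and the returned constraint use; (2) the state graph is a small toy built by hand, with labels following the Mex states but with edges and guards that are our assumptions rather than a copy of Figure 4 (the only parametric guard is that Wait[u2] can elapse before interrupt[u1] fires only if u2 ≤ u1); (3) satisfiability of a conjunction of linear inequalities is decided by Fourier–Motzkin elimination over the rationals, which is exact for mixed strict and non-strict inequalities and avoids any external solver.

```python
from fractions import Fraction as F
from itertools import product

# An inequality over the parameters u = (u1, ..., un) is (coef, cst, strict),
# read as  coef·u + cst >= 0  (strict=False)  or  coef·u + cst > 0  (strict=True).
# A constraint C/U is a frozenset of inequalities (a conjunction); frozenset() is True.

def holds(ineq, pi):
    """pi |= ineq for a concrete parameter valuation pi."""
    coef, cst, strict = ineq
    v = sum(F(c) * F(p) for c, p in zip(coef, pi)) + F(cst)
    return v > 0 if strict else v >= 0

def negate(ineq):
    """not(e >= 0) is -e > 0 and not(e > 0) is -e >= 0 (used to refine K, line 6)."""
    coef, cst, strict = ineq
    return (tuple(-F(c) for c in coef), -F(cst), not strict)

def satisfiable(constraint, n):
    """Fourier-Motzkin elimination over the rationals: eliminate u_1..u_n in turn,
    then check the remaining constant inequalities.  Exact for strict/non-strict."""
    cur = [(tuple(F(c) for c in co), F(cst), st) for co, cst, st in constraint]
    for k in range(n):
        pos = [c for c in cur if c[0][k] > 0]          # lower bounds on u_k
        neg = [c for c in cur if c[0][k] < 0]          # upper bounds on u_k
        nxt = [c for c in cur if c[0][k] == 0]
        for (pc, pk, ps), (nc, nk, ns) in product(pos, neg):
            a, b = pc[k], -nc[k]                        # both > 0; b*p + a*n cancels u_k
            nxt.append((tuple(b * x + a * y for x, y in zip(pc, nc)),
                        b * pk + a * nk, ps or ns))
        cur = nxt
    return all(cst > 0 if st else cst >= 0 for _, cst, st in cur)

# Toy symbolic graph, CONSTRUCTED for this example (not the paper's Figure 4):
# labels follow the Mex states, only the projection onto U of each state's
# constraint is kept, and the edges below are our own assumptions.
U2_LE_U1 = ((1, -1), 0, False)           # u1 - u2 >= 0, i.e. u2 <= u1
EDGES = {
    "s0": [("a", "s1", ()), ("tau", "s2", ())],
    "s1": [("tau", "s2", ()), ("tau", "s3", (U2_LE_U1,))],   # Wait[u2] elapses first
    "s2": [("c", "s0", ())],
    "s3": [("tau", "s4", ()), ("tau", "s5", ())],
    "s4": [("b", "s6", ()), ("tau", "s5", ())],
    "s5": [("c", "s7", ())],
    "s6": [("tau", "s5", ())],
    "s7": [("a", "s8", ()), ("tau", "s5", ())],
    "s8": [("tau", "s3", ()), ("tau", "s5", ())],
}
N = 2                                    # U = (u1, u2)

def post(states):
    """Post_M(S): one-step successors whose constraint is still satisfiable."""
    out = set()
    for label, C in states:
        for _act, target, guard in EDGES[label]:
            C2 = C | frozenset(guard)
            if satisfiable(C2, N):
                out.add((target, C2))
    return out

def post_upto(init, i):
    """Union of Post^j({init}) for j = 0..i (line 7 of Figure 5), by BFS layers."""
    S, frontier = {init}, {init}
    for _ in range(i):
        frontier = post(frontier) - S
        S |= frontier
    return S

def inverse_method(init_label, pi, K0=frozenset()):
    """IM(M, pi) following Figure 5; returns K as a frozenset of inequalities."""
    i, K = 0, frozenset(K0)
    S = {(init_label, K)}
    while True:
        while True:                       # lines 3-8: refine K on pi-incompatible states
            bad = [J for _, C in S for J in C if not holds(J, pi)]
            if not bad:
                break
            K = K | {negate(bad[0])}
            S = post_upto((init_label, K), i)
        if post(S) <= S:                  # lines 9-11: fixpoint, return the conjunction
            return frozenset().union(*(C for _, C in S))
        i += 1                            # line 12
        S = S | post(S)

def show(K, names=("u1", "u2")):
    """Human-readable rendering of a constraint (conjunction)."""
    out = []
    for coef, cst, strict in sorted(K, key=repr):
        lhs = " + ".join(f"{F(c)}*{v}" for c, v in zip(coef, names) if c != 0)
        out.append(f"{lhs or '0'} + {F(cst)} {'>' if strict else '>='} 0")
    return " and ".join(out) or "True"

if __name__ == "__main__":
    for pi in [(1, 2), (2, 1)]:
        print(f"IM(toy, pi={pi}) = {show(inverse_method('s0', pi))}")
```

With π = (1, 2) the state s3 is met at depth 2 with the π-incompatible inequality u1 − u2 ≥ 0; its negation −u1 + u2 > 0 is added to K, the re-exploration drops s3 as unsatisfiable, and the result is u2 > u1. With π = (2, 1) no refinement is needed and the conjunction of all reachable constraints is u2 ≤ u1, matching the two results stated above. Because the toy keeps only parameter constraints, it cannot exhibit the clock-related non-termination of Example 5.2; that needs the full (V, P, C) states.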
C. Implementation and Experiments
This work has been implemented within PSyHCoS (standing for Parameter SYnthesis for Hierarchical COncurrent Systems), a self-contained framework implemented in C# that supports composing, simulating and automatically verifying concurrent real-time systems. The tool reuses parts of PAT's model checking library [28]. PSyHCoS comes with user-friendly interfaces, a featured model editor and an animated simulator.
The implementation of PSTCSP within PSyHCoS allows
in particular the use (within the process deﬁnitions) of data
structures, such as counters, sets, and more generally any
structure and function deﬁned by the user in C#.
One of the major issues in the synthesis of timing parameters is the handling of constraints over both clocks and parameters. Operations on such constraints (intersection, variable elimination, satisfiability, etc.) are far more complex than the equivalent operations on constraints over clocks alone, because the latter benefit from the efficient DBM representation. Unfortunately, most optimizations defined for DBMs do not apply to parametric timed constraints. In our setting, each state is implemented as a pair (process id, constraint id), both in the form of a string. Although some processing is needed each time a new state is computed, an advantage is that the constraint equality test (when checking whether this new state has been met before) reduces to (trivial) string equality.
We present in the remainder of this section an optimiza-
tion for state space reduction, as well as a set of case studies.
1) State Space Reduction: In PSTCSP, some states considered as different are actually equivalent. Consider the states s1 = (∅, Wait[u1]_{x1} deadline[u2]_{x2}, x1 ≤ x2 ≤ u2) and s2 = (∅, Wait[u1]_{x2} deadline[u2]_{x1}, x2 ≤ x1 ≤ u2). Obviously, s1 and s2 are identical up to the names of the clocks. Merging such states may lead to an exponential reduction of the number of states. Hence, we implemented a state normalization technique: first, the clocks in the process are renamed so that the first one (from left to right) is named x1, the second x2, and so on; second, the variables in the constraint are swapped accordingly. This technique solves the problem at the cost of several nontrivial operations (sorting of lists and strings). We denote by reachAll+ (resp. IM+) the version of reachAll (resp. IM) using this technique.
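The following is an added example of the state normalization just described, written for this page and not taken from PSyHCoS. It assumes a textual representation of states of our own choosing: the process is a string in which clocks appear as x1, x2, ... and the constraint is a list of atomic inequalities given as strings. Clocks are renamed in order of first appearance in the process, the same substitution is applied to the constraint, the atoms are sorted, and the result is a single string so that, as in the paper's implementation, the "seen before" test is plain string equality. The two states s1 and s2 of the text are reconstructed as input.

```python
import re

CLOCK = re.compile(r"\bx\d+\b")   # clock names as in the paper: x1, x2, ...

def normalize_state(process, constraint):
    """Canonical string for a symbolic state (process, constraint).

    Clocks are renamed x1, x2, ... in order of first appearance in the
    process (left to right); the same renaming is applied to every atom of
    the constraint, and the atoms are sorted.  Two states that differ only
    in clock naming (and atom order) therefore yield the same string.
    """
    mapping = {}
    for m in CLOCK.finditer(process):
        # default is evaluated before insertion, so indices are 1, 2, ... in order
        mapping.setdefault(m.group(0), f"x{len(mapping) + 1}")

    def rename(text):
        # re.sub performs one simultaneous pass, so swapping x1 <-> x2 is safe
        def sub(m):
            name = m.group(0)
            if name not in mapping:   # assumption: every clock in C is attached to P
                raise ValueError(f"clock {name} occurs in the constraint but not in the process")
            return mapping[name]
        return CLOCK.sub(sub, text)

    atoms = sorted(rename(a).replace(" ", "") for a in constraint)
    return rename(process) + " | " + " & ".join(atoms)

def dedup(states):
    """Exploration-time deduplication: one representative per canonical form."""
    seen = {}
    for process, constraint in states:
        seen.setdefault(normalize_state(process, constraint), (process, constraint))
    return seen

# Constructed input: the states s1 and s2 of Section V-C1 (variable part omitted),
# with the chained constraint split into atoms.
S1 = ("Wait[u1]x1 deadline[u2]x2", ["x1 <= x2", "x2 <= u2"])
S2 = ("Wait[u1]x2 deadline[u2]x1", ["x2 <= x1", "x1 <= u2"])
# Same process text as S1 but a genuinely different constraint: must NOT be merged.
S3 = ("Wait[u1]x1 deadline[u2]x2", ["x2 <= x1", "x1 <= u2"])

if __name__ == "__main__":
    for s in (S1, S2, S3):
        print(normalize_state(*s))
    print(len(dedup([S1, S2, S3])), "distinct states after normalization")
```

The check is syntactic, exactly like the string-equality test of the implementation: two constraints that are semantically equal but printed differently (for instance x2 ≥ x1 versus x1 ≤ x2) are only identified if the constraint printer already emits a canonical form, so the normalization should be applied to the canonical string produced by the constraint library rather than to arbitrary user text.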
2) Experiments: We give in Table I the example name,
the number ∣𝑈 ∣ of parameters and, for each algorithm,
the number ∣𝑆∣ (resp. ∣𝑇 ∣) of states (resp. transitions), the
maximum number ∣𝑋∣ of clocks, and the computation time 𝑡
on a Windows XP desktop computer with an Intel Quad Core
2.4GHz processor with 4GiB memory.6
Bridge is the classical bridge-crossing problem for 4 persons within 17 minutes. Fischer_i is Fischer's mutual exclusion protocol for i processes. Jobshop is a scheduling problem. TrAHV is the train example from [3]. RCS_i is a railway control system with i trains. When reachAll (resp. reachAll+) terminates,
one can apply classical model checking techniques: for in-
stance, we checked that all models are deadlock-free (except
Jobshop which is precisely ﬁnite-state). When reachAll does
not terminate (Bridge, Fischer), IM is interesting because
it synthesizes constraints even for inﬁnite symbolic state
space case studies; and when reachAll terminates slowly
(TrAHV), IM may synthesize constraints quickly. The ref-
erence valuation used for IM either is the standard valuation
for the considered problem (Bridge, Jobshop, RCS𝑖, TrAHV)
or has been computed in order to satisfy a well-known
constraint of good behavior (Fischer𝑖).
Furthermore, the constraint output has several advantages.
First, it solves the good parameter problem. For instance, the
constraint synthesized for Fischer (𝛿 < 𝛾) is the weakest
constraint guaranteeing mutual exclusion. Second, it always
gives a criterion of robustness to the system, by deﬁning
a safety domain around each parameter, guaranteeing that
the system will keep the same (time-abstract) behavior, as
long as all parameters remain within 𝐾. Different from a
simple “ball” output by robust timed automata techniques,
this domain is a convex constraint in ∣𝑈 ∣ dimensions. Third,
it happens that the constraint is True (e.g., RCS𝑖 for all 𝑖).
In this case, one can safely reﬁne the model by removing
all timing constructs (Wait, deadline, etc.). Although this
might be checked using reﬁnement techniques in STCSP for
one particular parameter valuation, we prove it here for any
parameter valuation – and the designers of the RCS example
were actually not even aware of this possible reﬁnement.
As for the number of clocks, it is signiﬁcantly smaller
than equivalent models for PTAs for some case studies: for
instance, the Bridge case study would obviously require
4 clocks because there are 4 independent processes in
parallel. Beyond the fact that it has been shown that the
fewer clocks, the more efﬁcient real-time model checking
is [9], a smaller number of clocks implies a more compact
state space in our setting: the fewer clocks, the smaller the
constraints are, the more compact the state space is.
Also observe that, when IM+ indeed reduces the number of states, it is much more efficient than IM, not only w.r.t. memory but also w.r.t. time. However, unsurprisingly, when no state duplication is met (e.g., Bridge), the computation time is longer. Although reducing this overhead is a subject of ongoing work, we do not consider it a significant drawback: the largest limitations of parameter synthesis are usually non-termination and memory saturation. Slower analyses for some case studies (up to +80% for Bridge) are acceptable when others benefit from a dramatic memory (and time) reduction (−90% for Fischer5), allowing parameter synthesis even when IM runs out of memory (Fischer6).
⁶ Binaries, sources, models and results are available in [1].
Most importantly, our framework is efﬁcient: some case
studies handle more than 100,000 reachable symbolic states
in a very reasonable time, which, as far as we know, is un-
seen for parametric timed frameworks. As far as we know, no
other tool performs parameter synthesis for timed extensions
of CSP; as for other formalisms, fair comparisons would
be difﬁcult due to model translations: whereas translations
between PTAs and Petri Nets are rather straightforward, their
translation into process algebra is much trickier.
VI. CONCLUSION AND FUTURE WORK
We introduced Parametric Stateful Timed CSP, a formal-
ism for reasoning parametrically in hierarchical real-time
concurrent systems with shared variables and complex data
structures. The adaptation of the inverse method IM for
PSTCSP synthesizes a set of parameters around a reference
parameter valuation, guaranteeing the same time abstract
behavior, and providing the system with a measure of
robustness. IM behaves well in practice and, although we showed that parameter synthesis is undecidable for PSTCSP, we gave a sufficient condition for its termination. Our implementation within PSyHCoS leads to efficient parameter synthesis.
As future work, we wish to improve the state space
representation, following the lines of the optimization of
Section V-C1, and develop further state space reduction
techniques. Also, parametric reﬁnement checking is the
subject of ongoing work.
ACKNOWLEDGMENT
Yang Liu is supported by research grant “Research and
Development in the Formal Veriﬁcation of System Design
and Implementation”. Jun Sun is supported by research grant
“IDD11100102 / IDG31100105” from Singapore University
of Technology and Design. Jin-Song Dong is supported by
MOE T2 Project “Advanced Model Checking Systems”.
We are grateful to Zhu Huiquan for solving several im-
plementation issues in PSyHCoS.
REFERENCES
[1] http://www-lipn.univ-paris13.fr/∼andre/software/PSyHCoS/.
[2] R. Alur and D. Dill. A theory of timed automata. Theoretical
computer science, 126(2):183–235, 1994.
[3] R. Alur, T. A. Henzinger, and M. Y. Vardi. Parametric real-
time reasoning. In STOC’93, pages 592–601. ACM, 1993.
Table I. Application of algorithms for parameter synthesis using PSyHCoS
(|U|: number of parameters; |S|: number of states; |T|: number of transitions; |X|: maximum number of clocks; t: computation time; M.O.: out of memory, with "-" where no result was obtained)

Case study |U|  reachAll                  reachAll+                 IM                   IM+
                |S|   |T|   |X|  t        |S|   |T|   |X|  t        |S|   |X|  t         |S|   |X|  t
Mex        2    8     14    2    0.008    8     14    2    0.006    3     2    0.004     3     2    0.005
Bridge     4    -     -     -    M.O.     -     -     -    M.O.     2.8k  2    253       2.8k  2    455
Fischer4   2    -     -     -    M.O.     -     -     -    M.O.     11k   4    41.9      2k    4    8.65
Fischer5   2    -     -     -    M.O.     -     -     -    M.O.     133k  5    1176      13k   5    84.5
Fischer6   2    -     -     -    M.O.     -     -     -    M.O.     -     -    M.O.      86k   6    1144
Jobshop    8    14k   20k   2    21.0     12k   17k   2    18.1     1112  2    17.1      877   2    22.8
RCS5       4    5.6k  7.2k  4    10.5     5.6k  7.2k  4    9.54     5.6k  4    7.83      5.6k  4    16.7
RCS6       4    34k   43k   4    91.7     34k   43k   4    54.5     34k   4    60.4      34k   4    91.3
TrAHV      6    7.2k  13k   6    14.2     7.2k  13k   6    15.8     227   6    0.555     227   6    0.655
[4] R. Alur and P. Madhusudan. Decision problems for timed
automata: A survey. In SFM-RT’04, volume 3185 of LNCS,
pages 1–24. Springer-Verlag, 2004.
[5] ´E. Andre´, T. Chatain, E. Encrenaz, and L. Fribourg. An
inverse method for parametric timed automata. Int. J. of
Found. of Comput. Sci., 20(5):819–836, 2009.
[6] ´E. Andre´, J. Sun, Y. Liu, and J.-S. Dong. Parameter synthesis
for hierarchical concurrent real-time systems (full version).
Research report, National University of Singapore, 2012.
www-lipn.univ-paris13.fr/∼andre/documents/PSTCSP.pdf.
[7] A. Annichini, A. Bouajjani, and M. Sighireanu. TReX: A
tool for reachability analysis of complex systems. In CAV’01,
pages 368–372. Springer-Verlag, 2001.
[8] G. Behrmann, K. G. Larsen, and J. I. Rasmussen. Beyond
liveness: Efﬁcient parameter synthesis for time bounded live-
ness. In FORMATS’05, pages 81–94, 2005.
[9] J. Bengtsson and W. Yi. Timed automata: Semantics, algo-
rithms and tools. In LCPN’03, volume 3098 of LNCS, pages
87–124. Springer, 2003.
[10] B. Be´rard, A. Petit, V. Diekert, and P. Gastin. Characteri-
zation of the expressive power of silent transitions in timed
automata. Fundamenta Informaticae, 36:145–182, 1998.
[11] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, and
N. Sinha. State/event-based software model checking. In
IFM’04, volume 2999 of LNCS, pages 128–147, 2004.
[12] R. Clariso´ and J. Cortadella. The octahedron abstract domain.
Science of Computer Programming, 64(1):115–139, 2007.
[13] A. Collomb–Annichini and M. Sighireanu. Parameterized
reachability analysis of the IEEE 1394 Root Contention
Protocol using TReX. In RT-TOOLS’01, 2001.
[14] P. D’Argenio, J. Katoen, T. Ruys, and G. Tretmans. The
bounded retransmission protocol must be on time! In
TACAS’97. Springer, 1997.
[15] J. Davies. Speciﬁcation and Proof in Real-Time CSP. Cam-
bridge University Press, 1993.
[16] C. Fidge, I. Hayes, and G. Watson. The deadline command.
IEE Proceedings—Software, 146(2):104–111, 1999.
[17] T. A. Henzinger and H. Wong-Toi. Using HYTECH to
synthesize control parameters for a steam boiler. In FMIA’95,
pages 265–282, 1995.
[18] C. Hoare. Communicating Sequential Processes. International
Series in Computer Science. Prentice-Hall, 1985.
[19] J. Hoenicke and E.-R. Olderog. Combining speciﬁcation
techniques for processes, data and time. In IFM’02, pages
245–266, 2002.
[20] H.-H. Kwak, I. Lee, A. Philippou, J.-Y. Choi, and O. Sokol-
sky. Symbolic schedulability analysis of real-time systems.
In IEEE RTSS’98, pages 409–418, 1998.
[21] K. G. Larsen, P. Pettersson, and W. Yi. UPPAAL in a nut-
shell. International Journal on Software Tools for Technology
Transfer, 1(1-2):134–152, 1997.
[22] B. P. Mahony and J. S. Dong. Overview of the semantics of
TCOZ. In IFM’99, pages 66–85, 1999.
[23] J. Ouaknine and J. Worrell. Timed CSP = closed timed 𝜖-
automata. Nordic Journal of Computing, 10:99–133, 2003.
[24] S. Qin, J. Dong, and W.-N. Chin. A semantic foundation
for TCOZ in unifying theories of programming. In FME’03,
pages 321–340, 2003.
[25] S. Schneider. Concurrent and Real-time Systems. John Wiley
and Sons, 2000.
[26] A. Schrijver. Theory of linear and integer programming. John
Wiley and Sons, 1986.
[27] J. Sun, Y. Liu, J. Dong, and X. Zhang. Verifying stateful
timed CSP using implicit clocks and zone abstraction. In
ICFEM’09, volume 5885 of LNCS, pages 581–600, 2009.
[28] J. Sun, Y. Liu, J. S. Dong, and J. Pang. PAT: Towards ﬂexible
veriﬁcation under fairness. In CAV’09, volume 5643 of LNCS.
Springer, 2009.
[29] L.-M. Traonouez, D. Lime, and O. H. Roux. Parametric
model-checking of time Petri nets with stopwatches using the
state-class graph. In FORMATS’08, pages 280–294. Springer-
Verlag, 2008.
[30] T. Yoneda, T. Kitai, and C. J. Myers. Automatic derivation
of timing constraints by failure analysis. In CAV’02, pages
195–208. Springer-Verlag, 2002.
