A systematic study on explicit-state non-zenoness checking for timed automata by WANG, Ting et al.
Singapore Management University 
Institutional Knowledge at Singapore Management University 
Research Collection School Of Information 
Systems School of Information Systems 
1-2015 
A systematic study on explicit-state non-zenoness checking for 
timed automata 
Ting WANG 
Jun SUN 
Singapore Management University, junsun@smu.edu.sg 
Xinyu WANG 
Yang LIU 
Yuanjie SI 
Citation 
WANG, Ting; SUN, Jun; WANG, Xinyu; LIU, Yang; SI, Yuanjie; DONG, Jin Song; YANG, Xiaohu; and LI, 
Xiaohong. A systematic study on explicit-state non-zenoness checking for timed automata. (2015). IEEE 
Transactions on Software Engineering. 41, (1), 3-18. Research Collection School Of Information Systems. 
Available at: https://ink.library.smu.edu.sg/sis_research/4973 
0098-5589 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation
information: DOI 10.1109/TSE.2014.2359893, IEEE Transactions on Software Engineering
WANG ET AL.: A SYSTEMATIC STUDY ON NON-ZENONESS CHECKING FOR TIMED AUTOMATA 1
A Systematic Study on Explicit-state
Non-Zenoness Checking for Timed Automata
Ting Wang, Jun Sun, Xinyu Wang, Yang Liu, Yuanjie Si, Jin Song Dong, Xiaohu Yang, Xiaohong Li
Abstract—Zeno runs, where infinitely many actions occur within finite time, may arise in Timed Automata models. Zeno runs
are not feasible in reality and must be pruned during system verification. Thus it is necessary to check whether a run is Zeno
or not so as to avoid presenting Zeno runs as counterexamples during model checking. Existing approaches on non-Zenoness
checking include either introducing an additional clock in the Timed Automata models or additional accepting states in the zone
graphs. In addition, there are approaches proposed for alternative timed modeling languages, which could be generalized to
Timed Automata. In this work, we investigate the problem of non-Zenoness checking in the context of model checking LTL
properties, not only evaluating and comparing existing approaches but also proposing a new method. To have a systematic
evaluation, we develop a software toolkit to support multiple non-Zenoness checking algorithms. The experimental results show
the effectiveness of our newly proposed algorithm, and demonstrate the strengths and weaknesses of different approaches.
Index Terms—Timed Automata; non-Zenoness; Model Checking; Verification Tool
1 INTRODUCTION
Timed Automata [1], [2] are popular for real-time system modeling and verification. They allow
modeling of real-time systems through explicit manipulation of
clock variables. Real-time behavior is captured by clock
constraints on system transitions, setting or resetting clocks,
etc. Verification tools for Timed Automata based models
have proven to be successful [3], [4], [5], [6]. Nonethe-
less, researchers have also identified various limitations
for Timed Automata based system modeling and veri-
fication [1], [7]. For instance, Timed Automata are not
determinizable [8], [9]; modeling hierarchical systems in
Timed Automata is non-trivial [7], [10], [11], etc.
• Ting Wang, Xinyu Wang, Yuanjie Si and Xiaohu Yang are with the
College of Computer Science, Zhejiang University, P.R. China. E-mail:
{qdw,wangxinyu,siyuanjie,yangxh}@zju.edu.cn
• Jun Sun is with ISTD, Singapore University of Technology and Design,
Singapore. E-mail: sunjun@sutd.edu.sg
• Yang Liu is with the School of Computer Engineering, Nanyang
Technological University, Singapore. E-mail: yangliu@ntu.edu.sg
• Jin Song Dong is with the School of Computing, National University
of Singapore, Singapore. E-mail: dongjs@comp.nus.edu.sg
• Xiaohong Li is with the School of Computer Science and Technology,
Tianjin University, P.R. China. E-mail: xiaohongli@tju.edu.cn
• The corresponding author Xinyu Wang is with the College of Computer
Science, Zhejiang University, Zheda Road 38, Hangzhou, Zhejiang
Province, P.R. China, 310000. E-mail: wangxinyu@zju.edu.cn. Phone:
+8613867468299.
In this work, we focus on the emptiness checking
problem, i.e., the problem of checking whether a Timed
Automaton accepts at least one non-Zeno run. An infinite
run is non-Zeno if and only if it takes an unbounded amount
of time; otherwise it is Zeno. Zeno runs are infeasible in
reality and thus must be pruned during system verification.
That is, it is necessary to check whether a run is Zeno or not
so as to avoid presenting Zeno runs as counterexamples. For
instance, liveness properties are usually meaningless unless
non-Zenoness is assumed; and safety properties cannot
be trusted since Zeno runs may conceal deadlocks, etc.
Furthermore, the reason why non-Zenoness checking is
particularly interesting is that it is infeasible with zone
abstraction [12]. Zone abstraction, which constructs zone
graphs, is an effective technique for model checking Timed
Automata and it has been employed by many tools includ-
ing UPPAAL [3]. Zone graphs are however too abstract to
directly infer time progress and hence non-Zenoness. There
have been existing approaches on solving the problem of
combining non-Zenoness checking and zone abstraction.
The basic idea is to enhance the zone graphs with additional
information which facilitates non-Zenoness checking. The
proposed approaches include introducing one clock in the
Timed Automaton model [13], [14] or adding additional
accepting states in the zone graph [12], [15].
Despite the existing approaches, there are a number
of issues yet to be investigated. Firstly, the state-of-the-
art emptiness checking algorithm [15] has a complexity
of (|C| + 1)^2 · |ZG| where |C| is the number of clocks
and |ZG| is the size of the zone graph. In other words,
it incurs significant overhead in checking non-Zenoness
(as compared to constructing the zone graph only). On
the other hand, there are methods proposed for alternative
real-time system modeling languages which incur much
less overhead. For instance, in [16], the authors show that
non-Zenoness checking for Stateful Timed CSP can be
achieved based on zone graphs without adding clocks or
accepting states, i.e., with a complexity of |ZG|. A closer
look shows that their proof relies on the fact that clocks
in Stateful Timed CSP have constant upper bounds. Given
that Stateful Timed CSP and Timed Automata have similar
expressiveness [16], [17], their algorithm can be potentially
extended to, at the least, a subset of Timed Automata.
The question is then whether we can extend their algorithm
to arbitrary Timed Automata by transforming them into a
form satisfying similar syntactical conditions and whether
the transformation is beneficial.
Secondly, the existing approaches [14], [15] are mostly
developed for Timed Büchi Automata, rather than Timed
Safety Automata [2] which are supported by popular tools
like UPPAAL and are often used in practice. The question
is then whether they work effectively despite the difference
between Timed Büchi Automata and Timed Safety
Automata. For instance, given a network of Timed Safety
Automata, the approach proposed in [13] adds one state for
each accepting state and thus would double the number of
states and potentially lead to state space explosion. Thirdly,
there has been limited evaluation and comparison of the existing
algorithms within a practical and fair environment. For
instance, in practice, checking whether a system contains a
non-Zeno run has limited usage by itself. Instead, it is more
useful to check whether there is a non-Zeno counterexample
given a property (for instance, a temporal logic formula).
Therefore, it is necessary to develop a model checker which
makes use of the proposed algorithms and compare them
in the same setting. Lastly, though different approaches
have been proposed, to the best of our knowledge, few
model checkers provide satisfactory support to deal with
the non-Zenoness problem. UPPAAL [3] provides some
form of non-Zenoness detection but it is sufficient-only.
KRONOS [4] allows a sufficient and necessary condition
for non-Zenoness checking, but it is computationally ex-
pensive. It is thus important to provide a tool which offers
the best of all the approaches.
In this work, we make the following new technical
contributions. Firstly, we generalize the approach in [16]
so as to solve the non-Zenoness checking problem for
Timed Automata. The rationale is that common timed
behavior patterns like delay, timeout and deadline can be
captured using clocks which have constant upper bounds.
For instance, if a clock c is used to model a ‘timeout’ at
time d, c is associated with an upper bound d which remains
constant. Based on the results shown in [16], we define a
subclass of Timed Safety Automata, called CUB-TA, and
develop an efficient non-Zenoness checking algorithm for
CUB-TA with a complexity |ZG| (i.e., linear in the size of
the zone graph) without adding any extra clocks or states.
To be precise, CUB-TA are Timed Safety Automata whose
clocks have non-decreasing upper bound along any path
before they are reset. Furthermore, we develop an algorithm
which automatically transforms an arbitrary Timed Au-
tomaton into an equivalent CUB-TA by paying the price of
potential extra states. Though introducing extra states may
incur computational overhead, we show that a number of
benchmark Timed Automata models either are CUB-TA or
can be transformed into equivalent CUB-TA by adding only
few states. As a result, non-Zenoness can be checked more
efficiently than previous approaches. Secondly, we conduct
a systematic comparison between existing approaches by
model checking a number of systems modeled using a
network of Timed Safety Automata, against temporal log-
ic properties, with the assumption of non-Zenoness. The
comparison results allow us to identify the best algorithm
in different settings. Lastly, we develop a software toolkit
(in the PAT framework [18]) which combines the existing
approaches and heuristically selects the ‘right’ algorithm
based on the input model. To the best of our knowledge,
our implementation in PAT is the only model checker
which directly supports model checking LTL with the non-
Zenoness assumption.
Organization. The remainder of the paper is organized
as follows. Section 2 defines the Timed Safety Automata
and the non-Zenoness problem. Section 3 presents the exist-
ing non-Zenoness checking algorithms. Section 4 proposes
a new approach. Section 5 presents the implementations
and evaluation results. Section 6 concludes the paper and
discusses the related work.
2 BACKGROUND
In this section, we present the definitions of Timed Au-
tomata and zone abstraction.
2.1 Timed Automata
Let R+ denote the set of non-negative real numbers.
Given a set of clocks C, the set of clock constraints
is defined inductively based on a primitive constraint
δ := true | x ∼ n | x − y ∼ n | δ1 ∧ δ2 where
∼ ∈ {=, <, ≤, >, ≥}; x, y are clocks in C and n ∈ R+ is
a constant. Without loss of generality (Lemma 4.1 of [1]),
we assume that n is a non-negative integer constant. A
constraint of the form x − y ∼ n is called diagonal. We
write Φ(C) to denote the set of all diagonal-free clock
constraints over C. The set of downward constraints in
Φ(C) obtained with ∼ ∈ {≤, <} is denoted as Φ≤,<(C). A
clock valuation v for a set of clocks C is a function which
assigns a real value to each clock. A clock valuation v
satisfies a clock constraint δ, written as v |= δ, if and only
if δ evaluates to true using the clock values given by v.
For d ∈ R+, let v + d denote the clock valuation v′ such
that v′(c) = v(c) + d for all c ∈ C. For X ⊆ C, let the clock
reset notation [X → 0]v denote the valuation v′ such that
v′(c) = v(c) for all c ∈ C \ X and v′(x) = 0 for all x ∈ X.
Definition 1: A Timed Büchi Automaton (TBA) is a tuple
Ab = (S, Init, Σ, C, F, T) where S is a finite set of control
locations; Init ⊆ S is a set of initial locations; Σ is an
alphabet; C is a finite set of clocks; F ⊆ S is a set of
accepting locations; T ⊆ S × Σ × Φ(C) × 2^C × S is a
labeled transition relation.
A configuration of a TBA Ab is a pair (s, v) such that s ∈ S
is a location and v is a clock valuation. A run of Ab is an infinite
sequence π = 〈(s_0, v_0), (d_0, e_0), (s_1, v_1), (d_1, e_1), · · ·〉
such that s_0 ∈ Init; v_0 assigns 0 to every clock; and for all
i ≥ 0, there exists a transition (s_i, e_i, δ, X, s_{i+1}) ∈ T such
that v_i + d_i |= δ and v_{i+1} = [X → 0](v_i + d_i). π is non-Zeno
if and only if the sum of all d_i is unbounded. Given π, we
can obtain a timed word 〈(d_0, e_0), (d_1, e_1), · · · , (d_i, e_i), · · ·〉.
To ensure progress, a subset of the locations F are marked
as accepting and a run is accepting if it visits any accepting
location infinitely often. With the accepting conditions, the
automaton cannot idly stay in a location forever, and only
accepting runs are considered as valid behaviors of the
automaton. We define the language of a TBA to be the
set of timed words which can be obtained from the set of
accepting non-Zeno runs. A TBA is non-empty if and only
if its language is not an empty set. Two TBA are equivalent
if they define the same language.
For example, Fig. 1(a) models a Train Process in Railway
Control System [19] using TBA, where Safe is the initial
location and Cross is an accepting location. Since Cross
is the only accepting location, all accepting runs of the
automaton must visit Cross infinitely often. It implies that
the location Appr must be left when the value of clock c
is at most 20, otherwise the automaton will get stuck at
location Appr and never be able to enter Cross. Likewise,
the automaton must leave Start when c is at most 15 to be
able to enter Cross.
Later, Timed Safety Automaton (TSA) was introduced
in [2] which adopts an intuitive notion of progress.
Instead of having accepting locations, each location in
TSA is associated with a local timing constraint called a
location invariant. An automaton can stay at a location as
long as the valuation of the clocks satisfies the invariant.
The timed expressiveness of Timed Safety Automata is
strictly less than that of Timed Büchi Automata [20].
Definition 2: A Timed Safety Automaton is a tuple
A = (S, Init,Σ,C, L,T) where S is a finite set of control
locations; Init ⊆ S is a set of initial locations; Σ is an
alphabet; C is a finite set of clocks; L : S → Φ≤,<(C) labels
each location with an invariant; T ⊆ S × Σ × Φ(C) × 2^C × S
is a labeled transition relation.
Similar to TBA, a configuration of a TSA A is a pair
(s, v) such that s ∈ S is a location and v is a clock
valuation with v |= L(s). A run of A is an infinite
sequence π = 〈(s_0, v_0), (d_0, e_0), (s_1, v_1), (d_1, e_1), · · ·〉 such
that s_0 ∈ Init; v_0 assigns every clock to 0; and for all
i ≥ 0, there is a transition (s_i, e_i, δ, X, s_{i+1}) ∈ T such that
v_i + d_i |= L(s_i) and v_i + d_i |= δ and v_{i+1} = [X → 0](v_i + d_i)
and v_{i+1} |= L(s_{i+1}). π is non-Zeno if and only if the sum of
all d_i is unbounded. Given π, we can obtain a timed word
〈(d_0, e_0), (d_1, e_1), · · · , (d_i, e_i), · · ·〉. We define the language
of a TSA to be the set of timed words which can be obtained
from the set of non-Zeno runs. Two TSA are equivalent if
they define the same language.
The main difference between TBA and TSA is that
for TBA, accepting locations are used to guarantee time
progress, while in TSA, location invariants are used. A
TBA and a TSA are equivalent if they define the same
language. For example, consider the TSA in Fig. 1(b),
which is equivalent to the TBA in Fig. 1(a). The invariant
specifies a local condition that location Cross must be left
when c is at most 5, Appr must be left when c is at most 20,
and Start must be left when c is at most 15. This gives a
local view of the timing behavior of the automaton at each
location. In the rest of the paper, we focus on TSA as they
are supported by popular tools like UPPAAL and are often
used for system modeling (see footnote 1). For simplicity, they are referred
to simply as Timed Automata unless otherwise stated.
In many practical applications, a system is composed
of many components running in parallel. Each of these
components can be modeled as a Timed Automaton, and
a composition operator can be used to define a network
of communicating Timed Automata. In the following, we
define the parallel composition of two Timed Automata,
which can be readily extended to multiple Timed Automata.
Definition 3: Let Ai = (Si, Initi,Σi,Ci, Li,Ti) where
i ∈ {1, 2} be two Timed Automata. Parallel composi-
tion of A1 and A2, written as A1 ‖ A2, is a Timed
Automaton (S, Init,Σ,C, L,T) such that S = S1 × S2;
Init = Init1 × Init2; Σ = Σ1 ∪ Σ2; C = C1 ∪ C2; for
all (s1, s2) ∈ S, L((s1, s2)) = L1(s1) ∧ L2(s2); T is the
smallest transition relation satisfying the following rules.
• ((s1, s2), a, δ, X, (s′1, s2)) ∈ T for all s2 ∈ S2 if
(s1, a, δ, X, s′1) ∈ T1 and a ∉ Σ2.
• ((s1, s2), a, δ, X, (s1, s′2)) ∈ T for all s1 ∈ S1 if
(s2, a, δ, X, s′2) ∈ T2 and a ∉ Σ1.
• ((s1, s2), a, δ ∧ δ′, X ∪ X′, (s′1, s′2)) ∈ T if
(s1, a, δ, X, s′1) ∈ T1 and (s2, a, δ′, X′, s′2) ∈ T2 and a ∈ Σ1 ∩ Σ2.
The three rules above state that a transition of the composition
is either a local transition of A1 or A2, or a
synchronization on a common event of A1 and A2. Parallel
composition is commutative and associative.
2.2 Zone Abstraction
Zone abstraction is an effective technique for model check-
ing Timed Automata, which has been employed by many
tools including UPPAAL [3]. The result of zone abstraction
is a zone graph, which is subject to model checking. It is
also known that zone graphs are too abstract to directly infer
time progress and hence non-Zenoness [12]. A zone is the
conjunction of multiple primitive constraints over a set of
clocks. Technically speaking, a zone is the maximal set of
clock valuations satisfying the constraint. A zone is empty
if and only if the constraint is unsatisfiable. In the following,
we use zones and clock constraints interchangeably as the
latter is the syntactic representation of the former.
It is well known that a zone can be equivalently represented
as a DBM (short for Difference Bound Matrices [21], [22]).
Let t_1, t_2, · · · , t_n denote n clocks and t_0
denote a dummy clock whose value is always 0. A DBM
representing a constraint on the clocks is an (n+1)×(n+1)
matrix. Entry (i, j) in the matrix is a pair (∼_ij, d_ij) where
∼_ij ∈ {<, ≤} and d_ij is an integer, representing the upper
bound on the difference between clocks t_i and t_j, i.e., t_i − t_j ∼_ij d_ij.
A DBM thus represents the conjunction of clock constraints
t_i − t_j ∼_ij d_ij for all clocks t_i and t_j such that 0 ≤ i ≤ n
and 0 ≤ j ≤ n. Interested readers are referred to [21], [22]
for more details on zone operations and their corresponding
1. TBA are often used to model properties.
[Figure: the train process modeled (a) as a TBA and (b) as a TSA, with locations Safe, Appr, Cross, Start and StopS and a clock c]
Fig. 1. TBA and TSA
[Figure: an automaton with locations S1 and S2 and edges e1 (guard x ≥ 1) and e2 (guard x ≤ 1, reset {x}), and its zone graph with nodes (S1, x ≥ 0) and (S2, x ≥ 1)]
Fig. 2. A sample zone graph
DBM implementation. The following zone operations are
relevant in this work. Given a zone δ, we use δ↑ to denote
the zone reached by delaying an arbitrary amount of time
from zone δ. Given a set of clocks C, we use δ\C to denote
the zone obtained by removing the constraints on clocks in
C, i.e., projection onto clocks not in C.
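The DBM encoding and the delay and reset operations described above, as an added example (not code from the paper or from PAT). Bounds are stored as (d, 1) for "≤ d" and (d, 0) for "< d"; the two-location automaton in demo() and all function names are constructed for illustration, and the normalization function N introduced next is left out.

```python
import math

# A bound (d, 1) means "t_i - t_j <= d"; (d, 0) means "t_i - t_j < d".
# Tuple ordering makes the tighter bound the smaller one.
INF = (math.inf, 0)   # no constraint on t_i - t_j
LE0 = (0, 1)          # t_i - t_j <= 0

def add(a, b):
    """Bound on t_i - t_j implied by bounds on t_i - t_k and t_k - t_j."""
    return (a[0] + b[0], a[1] & b[1])

def close(m):
    """Tighten every entry (Floyd-Warshall) so the DBM is canonical."""
    n = len(m)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                m[i][j] = min(m[i][j], add(m[i][k], m[k][j]))
    return m

def is_empty(m):
    """A closed DBM is unsatisfiable iff a diagonal entry is tighter than <= 0."""
    return any(m[i][i] < LE0 for i in range(len(m)))

def constrain(m, constraints):
    """Conjoin constraints given as (i, j, bound), i.e. t_i - t_j ~ d."""
    m = [row[:] for row in m]
    for i, j, bound in constraints:
        m[i][j] = min(m[i][j], bound)
    return close(m)

def up(m):
    """Delay: drop the upper bound of every clock (entries t_i - t_0)."""
    m = [row[:] for row in m]
    for i in range(1, len(m)):
        m[i][0] = INF
    return m

def reset(m, clocks):
    """[X -> 0]: each reset clock takes over the bounds of the dummy clock t_0."""
    m = [row[:] for row in m]
    for x in clocks:
        for j in range(len(m)):
            m[x][j] = m[0][j]
            m[j][x] = m[j][0]
        m[x][x] = LE0
    return m

def initial_zone(n_clocks, invariant=()):
    """All clocks equal to 0, then delay, then the initial location's invariant."""
    zero = [[LE0] * (n_clocks + 1) for _ in range(n_clocks + 1)]
    return constrain(up(zero), invariant)

def successor(zone, guard, resets, invariant):
    """Zone after one transition, or None if the transition is disabled."""
    guarded = constrain(zone, guard)
    if is_empty(guarded):
        return None
    target = constrain(reset(guarded, resets), invariant)
    if is_empty(target):
        return None
    return up(target)

X = 1  # index of the single clock x; index 0 is the dummy clock t_0

def demo():
    """Constructed automaton: S1 --e1, x >= 1--> S2 --e2, x <= 1, {x}--> S1."""
    at_s1 = initial_zone(1)                               # zone x >= 0
    at_s2 = successor(at_s1, [(0, X, (-1, 1))], [], [])   # guard x >= 1
    back = successor(at_s2, [(X, 0, (1, 1))], [X], [])    # guard x <= 1, reset x
    dead = successor(at_s2, [(X, 0, (1, 0))], [], [])     # guard x < 1 is disabled
    return at_s1, at_s2, back, dead
```

The cycle S1, S2, S1 closes on the same two zones although an instance that keeps x = 1 at e2 lets no further time pass after the first lap, which is why the zones alone cannot decide non-Zenoness.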
Before giving the formal definition of zone graphs, it
is necessary to introduce the zone normalization function,
denoted as N , to ensure that the number of zones in a
zone graph is finite [23], [24]. The idea of normalization
is to transform zones that may contain arbitrarily large
constants to a unique representation of a class of zones
whose constants are bounded by certain fixed constant, e.g.,
the maximum clock ceiling in A. The intuition is that once
the value of a clock is larger than the ceiling, its precise
value is no longer relevant, but only the fact that it is larger
than the ceiling.
Definition 4: Let A = (S, Init,Σ,C, L,T) be a timed
automaton. Its zone graph, denoted as ZG(A), is a tuple
(Sz, Initz,Σ,Tz) such that
• Sz is a set of nodes, each of which is a pair (s, δ) such
that s ∈ S is a location and δ is a clock constraint;
• Initz = {(init, N((∧_{c∈C} c = 0)↑ ∧ L(init))) | init ∈
Init} is a set of initial nodes;
• Tz : Sz × Σ × Sz is a transition relation such that
((s1, δ1), e, (s2, δ2)) ∈ Tz if and only if there exists a
transition (s1, e, δ, X, s2) ∈ T and δ1 ∧ δ ≠ false and
[X → 0](δ1 ∧ δ) ∧ L(s2) ≠ false and δ2 = (N([X →
0](δ1 ∧ δ) ∧ L(s2)))↑.
We remark that the initial zones of the nodes in Initz are
always normalized, and the transition relation Tz ensures
that all the zones in Sz are normalized. Fig. 2 shows a
simple automaton Ab and its corresponding zone graph
ZG(Ab).
A path of ZG(A) is an infinite or finite sequence of
transitions: πz = 〈(s_0, δ_0), e_0, (s_1, δ_1), e_1, (s_2, δ_2), e_2, · · ·〉
where (s_0, δ_0) ∈ Initz and ((s_i, δ_i), e_i, (s_{i+1}, δ_{i+1})) ∈ Tz
for all i ≥ 0. A run 〈(s_0, v_0), (d_0, e_0), (s_1, v_1), (d_1, e_1), · · ·〉
of A is an instance of πz if v_i |= δ_i for all i ≥ 0. The
path is called an abstraction of the run. It can be shown
that every path in ZG(A) is an abstraction of a run of A,
and conversely, every run of A is an instance of a path in
ZG(A) [25]. As a result, the zone graph preserves reachability
and linear properties. Similarly, we can define the zone
graph and related concepts for TBA and a path of the zone
graph for a TBA is accepting if and only if it visits some
accepting node infinitely often.
3 ALGORITHMS
In this section, we present existing approaches for non-
Zenoness checking.
3.1 Algorithm 1: Strongly Non-Zeno
One solution to the non-Zenoness problem is to transform
a TBA into a strongly non-Zeno automaton (SNZ). An
SNZ is a TBA satisfying a syntactic condition such that
all accepting runs starting at the initial location are non-
Zeno. SNZ was defined in [13] and has been implemented
in the tool Profounder [14].
Formally, given a TBA Ab = (S, Init,Σ,C, F,T) and
a clock t not in C, the corresponding SNZ, denoted as
SNZ(Ab), is constructed using the following procedure.
1) Add a fresh clock t into C;
2) For each location s in F, add a new accepting location
s′;
3) For each transition (si, e, δ,X, s) ∈ T, where s ∈ F
and si ∈ S, add a new transition (si, e, δ ∧ t ≥ 1,X ∪
{t}, s′);
4) For each location s in F, replace s with s′ in F;
5) For each location s′ in F and the corresponding
location s, add a transition (s′, τ, true,∅, s);
Fig. 3. Strongly non-Zeno timed automaton [14]
The construction is illustrated in Fig. 3. Informally, to
transform an arbitrary Timed Automaton Ab into an
equivalent SNZ, one needs to add one new clock t to
monitor time progress. Furthermore, every accepting
location is duplicated such that one copy of the location
is as before but is no longer accepting, while the other
copy is accepting, but can only be reached when t ≥ 1.
Moreover, when the second copy is reached, t is reset to
0. Intuitively, this construction ensures that at least one
unit of time has passed between two visits to an accepting
location. Though proposed for TBA, this approach can
be easily applied to TSA. Given a TSA A, because all
locations in A are ‘accepting’, to construct SNZ(A), every
location in A has to be duplicated. For example, Fig. 4
shows the constructed SNZ for the TSA in Fig. 1(b).
Notice that every location is copied and each newly added
location has an incoming transition with a guard condition
t ≥ 1.
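The five construction steps above, as an added example (not code from the paper, from Profounder or from PAT). It assumes locations are strings, guards are tuples of (clock, operator, constant) triples and the invisible event is written "tau"; the two-location automaton is constructed for illustration.

```python
from typing import NamedTuple

class TBA(NamedTuple):
    locations: frozenset
    init: frozenset
    alphabet: frozenset
    clocks: frozenset
    accepting: frozenset
    transitions: frozenset   # of (src, event, guard, resets, dst)

TAU = "tau"  # assumed name for the invisible event

def snz(a, t="t"):
    """Build SNZ(a) following steps 1-5; t is the fresh clock."""
    if t in a.clocks:
        raise ValueError("clock %r is not fresh" % t)
    # Step 2: one new location s' per accepting location s.
    copy = {s: s + "'" for s in a.accepting}
    if set(copy.values()) & a.locations:
        raise ValueError("primed location name already in use")
    trans = set(a.transitions)
    # Step 3: every transition into s gets a twin into s' that
    # additionally requires t >= 1 and resets t.
    for src, event, guard, resets, dst in a.transitions:
        if dst in copy:
            trans.add((src, event, guard + ((t, ">=", 1),),
                       resets | {t}, copy[dst]))
    # Step 5: s' returns to s without any constraint.
    for s, s_prime in copy.items():
        trans.add((s_prime, TAU, (), frozenset(), s))
    return TBA(
        locations=a.locations | frozenset(copy.values()),
        init=a.init,
        alphabet=a.alphabet,                   # tau is invisible, not added
        clocks=a.clocks | {t},                 # step 1
        accepting=frozenset(copy.values()),    # step 4
        transitions=frozenset(trans),
    )

def accepting_entries_force_delay(a, t="t"):
    """True iff every transition into an accepting location needs t >= 1 and resets t."""
    return all((t, ">=", 1) in guard and t in resets
               for _, _, guard, resets, dst in a.transitions
               if dst in a.accepting)

def sample(accepting):
    """Constructed TBA: S1 --e1, x >= 1--> S2 --e2, x <= 1, {x}--> S1."""
    return TBA(
        locations=frozenset({"S1", "S2"}),
        init=frozenset({"S1"}),
        alphabet=frozenset({"e1", "e2"}),
        clocks=frozenset({"x"}),
        accepting=frozenset(accepting),
        transitions=frozenset({
            ("S1", "e1", (("x", ">=", 1),), frozenset(), "S2"),
            ("S2", "e2", (("x", "<=", 1),), frozenset({"x"}), "S1"),
        }),
    )

def growth(accepting):
    """(locations, transitions) before and after the construction."""
    a = sample(accepting)
    b = snz(a)
    return ((len(a.locations), len(a.transitions)),
            (len(b.locations), len(b.transitions)))
```

With every location marked accepting, which is how the construction is applied to a TSA, growth({"S1", "S2"}) shows the location count doubling from 2 to 4 before any zone is computed.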
Lemma 1 [15]: If a path in ZG(Ab) visits infinitely often
both a transition that bounds some clock t from below
and a transition that resets the same clock t, then all its
instances are non-Zeno. 
The converse is also true. If Ab has a non-Zeno accepting
run, at least 1 time unit elapses infinitely often. Hence,
the guard t ≥ 1 is satisfied infinitely often and there
exists an accepting run of SNZ(Ab) and one can find
an accepting path in the zone graph of SNZ(Ab). The
following theorem shows that every accepting run of
SNZ(Ab) is non-Zeno.
Theorem 1 [13]: Let Ab be a TBA. SNZ(Ab) is strongly
non-Zeno. 
Furthermore, it is easy to show that if Ab and A′b are
strongly non-Zeno, so is Ab ‖ A′b. Thus, given a net-
work of TBA, we can convert each TBA to an SNZ and
guarantee that the composition is strongly non-Zeno. After
constructing SNZ(Ab), the problem of checking whether
there is an accepting non-Zeno run is reduced to checking
whether it visits any accepting location infinitely often
(i.e., Büchi acceptance), which has been studied extensively
Fig. 4. The train model in SNZ
(see [26] for a survey). For instance, Tarjan’s SCC (Strongly
Connected Components, i.e., maximal strongly connected
subgraphs) algorithm can be used to find an accepting cycle
in the zone graph.
This simple approach of adding one clock, however,
may lead to an exponential blowup in the size of the
zone graph, as shown in [12]. Consider the TBA Bb in
Fig. 5 which yields an exponentially larger zone graph
with the addition of one clock. For simplicity, we omit
the event labeling if the event is τ. Due to the inherent
nondeterminism, one obtains k! zones at location a that
describe an ordering of the form x_{i1} ≤ x_{i2} ≤ · · · ≤ x_{ik}
with {i1, i2, · · · , ik} = {1, 2, · · · , k}. Automaton Bb has a
Zeno cycle between location a and b, with b being the only
accepting location. As a result, any algorithm that searches
for a non-Zeno accepting cycle has to explore the entire
zone graph. Consequently, an algorithm that first transforms
Bb into a strongly non-Zeno automaton needs to explore
at least k! · (d − 1)^k zones. This is because the modified
automaton SNZ(Bb) yields a zone graph that includes zones
describing distances.
3.2 Algorithm 2: Guessing Zone Graph
In order to address the problem of exponential blowup,
an alternative solution has been proposed in [12], which
Fig. 5. Exponential blow up in the zone graph [12]
avoids adding extra clocks. The proposed method is to
construct a guessing zone graph which introduces extra
states into the zone graph. Notice that this approach was
also proposed for TBA and can be readily extended to
networks of TSA. The intuition behind this approach
is that there are two kinds of Zeno paths in the zone
graph. Either the path has infinitely many transitions that
bound some clock x from above, but only finitely many
transitions that reset x and, thus, the total time elapsed
is bounded. Or, the path contains a transition that resets
x, and subsequently a transition that requires x = 0.
Thus time cannot elapse at all. Such checks are called zero-checks.
Guessing zone graphs are designed to handle these two
cases explicitly.
Definition 5: Given a TBA Ab = (S, Init, Σ, C, F, T) and
its zone graph ZG(Ab) = (Sz, Initz, Σ, Tz), GZG(Ab) is a
labeled transition system (Sg, Initg, Σ, Tg) such that a state
in Sg is of the form (s, δ, Y) where (s, δ) is a node in
ZG(Ab) and Y ⊆ C; Initg = {(s0, δ0, C) | (s0, δ0) ∈ Initz};
and Tg : Sg × Σ × Φ(C) × 2^C × Sg is the least transition
relation which satisfies the following two conditions.
• ((s1, δ1, Y), e, δ, X, (s2, δ2, Y ∪ X)) ∈ Tg if t =
(s1, e, δ, X, s2) is a transition in Ab and there is a
transition ((s1, δ1), e, (s2, δ2)) in ZG(Ab) and there
are clock valuations v ∈ δ1, v′ ∈ δ2 and d ∈ R+
such that v + d |= ∧_{x∈C−Y} x > 0 and v + d |= δ and
[X → 0](v + d) = v′.
• ((s, δ, Y), τ, true, ∅, (s, δ, Y′)) ∈ Tg where Y′ = ∅ or
Y′ = Y where τ is a special invisible event.
Intuitively, the Y component of a node (s, δ, Y) allows us to infer that the clocks not in Y are strictly positive. A node of the form (s, δ, ∅) is called a clear node, from which every reachable zero-check is preceded by the reset of the clock that is checked, and hence nothing prevents time elapse in this node. A node is accepting if it contains an accepting location s. A path of the guessing zone graph is non-Zeno if all clocks bounded from above are reset infinitely often during the run and the run visits a clear node [12]. A path is blocked if there is a clock that is bounded from above infinitely often and reset only finitely often by the transitions on the path. Otherwise the path is called unblocked. Fig. 6 shows a simple zone graph ZG(Ab) along with its guessing zone graph GZG(Ab), corresponding to the automaton shown in Fig. 2.

[Figure omitted] Fig. 6. A zone graph and its guessing zone graph

Algorithm 1: GZG emptiness check
Input: a zone graph ZG
Output: true if and only if the model is non-empty
 1  while there are unvisited states in ZG do
 2      find an accepting SCC scc;
 3      if scc contains blocking clocks then
 4          remove all blocking transitions from scc;
 5          apply Algorithm 1 to scc;
 6      end
 7      else if scc is nonblocking with zero-checks then
 8          construct GZG gzg for scc;
 9          if gzg contains an SCC which contains a clear node then
10              return true;
11          end
12      end
13      else return true;
14  end
15  return false;
Theorem 2 [12]: A TBA Ab has a non-Zeno accepting run if and only if there exists an unblocked path in GZG(Ab) visiting both an accepting node and a clear node infinitely often.
This theorem reduces the problem of non-Zenoness checking to a Büchi acceptance checking plus a simple check on whether a clock bounded from above is always reset. Thus, the non-Zenoness checking problem can be solved based on algorithms like Tarjan’s SCC algorithm, with a complexity linear in the size of GZG(Ab). Nonetheless, since GZG(Ab) is |C| + 1 times larger than ZG(Ab), it is important to avoid constructing the full GZG(Ab) if possible. Guessing zone graphs are designed to detect nodes where time elapse is not prohibited by future zero-checks. However, in the absence of zero-checks, this construction is not necessary, i.e., it is sufficient to construct the part of GZG(Ab) corresponding to SCCs in ZG(Ab) with zero-checks. An on-the-fly algorithm was proposed in [15], shown as Algorithm 1, which detects zero-checks and constructs GZG(Ab) only if necessary.
Given a zone graph (not a guessing zone graph), Algorithm 1
returns true if it contains a non-Zeno accepting run. For
simplicity, transitions in the zone graph are marked with
two additional labels. One is a set of resetting clocks and
the other is a set of clocks that are bounded from above.
Algorithm 1 applies Tarjan’s algorithm to identify SCCs.
Once an SCC scc which contains at least one accepting
state in the zone graph is found (line 2), we check whether
any clock is blocked at line 3 by comparing the union of
resetting clocks and the union of bounded clocks of the
transitions in scc. If some clocks are blocked (i.e., condition
at line 3 is satisfied), we remove blocking transitions at
line 4 (i.e., transitions which put an upper bound on a
clock which is never reset in scc). Intuitively, the blocking transitions are the reason why time cannot go unbounded, and therefore loops formed by the remaining transitions in scc may form non-Zeno paths. At line 5, we apply Algorithm 1 recursively so as to check whether there are non-Zeno accepting runs in the remainder of scc. If no
clock is blocked in scc, we check whether scc contains
zero-checks at line 7. If it does, the corresponding GZG
is constructed and Algorithm 1 returns true only if the
corresponding GZG contains an SCC which contains a
clear node. If there is no zero-check, the loop formed by
the states and transitions in scc is non-Zeno and therefore
Algorithm 1 returns true at line 13.
The worst case complexity of the algorithm is |ZG| · (|C| + 1)^2 where |ZG| is the size of the zone graph and |C| is the number of clocks. In practice the algorithm often performs better by constructing only a small part of GZG(Ab). In the following, we illustrate how Algorithm 1 works with a simple example.
Consider the TBA Ab in Fig. 7, where location 2 is accepting. For readability, a node of ZG(Ab) is written as ([m](z), n) where m is a location in Ab, z is a zone and n is an identifier. Algorithm 1 first identifies the SCC formed by the nodes with identifiers 2, 3, 4, 5 and 6, which are connected by the double edges in ZG(Ab). Next, it finds that the SCC is blocking as clock y is bounded from above on the transition from node 5 to 2 and is never reset. Hence, the blocking transition from node 5 to 2 is removed and Algorithm 1 is applied to the remaining states and transitions in the SCC. The SCC containing nodes 4, 5 and 6 is now identified, which is both unblocked and accepting. Next, Algorithm 1 finds that the SCC contains zero-checks (on the transition from node 4 to node 5) and the corresponding part of GZG(Ab) is constructed, shown on the right of Fig. 7. Notice that node 4 of ZG(Ab) becomes node 1 of the part of GZG(Ab). Following Definition 5, in GZG(Ab), we construct node 2 which is a clear node. Notice that node 2 in GZG(Ab) does not have any successor because the set of clear clocks is empty, and hence the outgoing transition with x == 0 is omitted. Next, Algorithm 1 finds an SCC in GZG(Ab) which contains a clear node, i.e., the SCC formed by nodes 3, 6, 7, 8 and 9 where 7 and 8 are clear nodes.
3.3 Alternative Approaches
Besides the two approaches presented above, there are alternative approaches in the literature which can be used to solve the problem of model checking with non-Zenoness. In the following, we review them briefly.
An approach based on a simulation graph has been proposed in [14] to check emptiness of a TBA. The proposed algorithm is both symbolic and on-the-fly. The simulation graph is a graph whose nodes are non-empty symbolic states of a TBA and whose edges represent operations of generating successors of symbolic states. The authors define a subclass of TBA with persistent acceptance conditions, i.e., every outgoing transition of an accepting location leads to an accepting location. That is, once a TBA enters accepting locations it never exits. Then the authors distinguish four cases and propose an algorithm for each case, depending on whether the automaton is strongly non-Zeno or not (a TBA is called strongly non-Zeno if all accepting runs starting at the initial state are non-Zeno), and whether it has persistent acceptance conditions or not. Table 1 lists the different cases and their algorithms. The algorithms have been implemented in a tool called Profounder. However, the nodes of the simulation graph are unions of regions which are non-convex and thus not efficiently representable. In [25], the authors extended the work of [14] to show that the main result of [14] carries over to a zone-based simulation graph. The idea of [25] is to use simulation graph over-approximations to preserve convexity based on the results in [24] and then extend the algorithms in [14] to zone-closed simulation graphs. This approach has been implemented in Open-Kronos for emptiness checking of SNZ.
There has been a series of works on symbolic model checking algorithms for Timed Automata using BDD-like data structures [27]–[30]. It has been shown that non-Zenoness can be supported using an auxiliary clock variable, combined with a greatest fix-point calculation. Their algorithms have been implemented in the tool named RED. While related, symbolic model checking is a different paradigm compared to explicit-state model checking as we discuss in this work. Furthermore, it is known that performance of BDD-based symbolic model checking varies significantly with a variety of factors like variable ordering, encoding techniques, etc. Therefore, in this work, we choose to focus on studying explicit-state algorithms for non-Zenoness checking and comparing them in the same implementation.
In addition, the authors in [31] deal with the Zeno
problem in concurrent two-player timed games with safety
objectives. In their setting, Timed Automata are viewed as
infinite-state timed game structures. In each round of the
timed game, both players simultaneously propose moves,
with each move consisting of an action and a time delay
after which the player wants the proposed action to take
place. Of the two proposed moves, the move with the
shorter time delay wins the round and determines the next
state of the game. To prevent a player from winning by
blocking time, each player is restricted to strategies that ensure the player cannot be responsible for causing a Zeno run. In their approach, non-Zenoness is inferred from the history of certain predicates of the system clocks, rather than from an extra clock that is kept in memory. The authors construct winning strategies for the controller which require access to a linear number of memory bits, significantly improving the previously known exponential bound. However, this game-theoretic approach is presented based on region graphs and it is not clear whether it works with zone graphs. In comparison, the focus of this work is on solving the problem of combining non-Zenoness checking and zone abstraction.

[Figure omitted: panels Ab, ZG(Ab) and part of GZG(Ab)] Fig. 7. An example using GZG approach

TABLE 1
The algorithms used in simulation graph

|                       | Persistent acceptance conditions | Non-persistent acceptance conditions |
| Strongly non-Zeno     | find simple accepting cycle using simple DFS | find simple accepting cycle using double DFS or SCCs |
| Non strongly non-Zeno | find simple accepting progressive cycle using full DFS or transform to SNZ | find accepting progressive cycle using incomplete search or transform to SNZ |
4 EMPTINESS CHECK FOR CUB-TA
As shown above, the state-of-the-art emptiness checking algorithm [15] has a complexity of (|C| + 1)^2 · |ZG|. In other words, it still incurs significant overhead in checking non-Zenoness. On the other hand, there are methods proposed for alternative real-time system modeling languages which incur less overhead. In [16], the authors showed that non-Zenoness checking for Stateful Timed CSP can be solved based on zone graphs without adding extra clocks or states. The reason is that in Stateful Timed CSP, clocks have constant upper bounds and hence, intuitively, there will not be unforeseen zero-checks. In the following, we generalize this result to Timed Automata with non-decreasing upper bounds, referred to as CUB-TA, and propose an alternative approach for non-Zenoness. That is, we propose to transform an arbitrary Timed Automaton into an equivalent CUB-TA, and then use an efficient algorithm to check non-Zenoness. We leave the question of whether this transformation is beneficial to the next section.
4.1 Automata with Non-decreasing Upper Bounds
A clock upper bound is either ∞ or a pair (n,∼) where
∼ is either < or ≤. We write (n1,∼1) = (n2,∼2) to
denote n1 = n2 and ∼1=∼2; (n1,∼1) ≤ (n2,∼2) to
denote n2 > n1, or if n2 = n1, then either ∼2 is ≤ or
both ∼1 and ∼2 are <. Further, we write (n,∼) > d
where d is a constant to denote n > d. We define
min((n,∼1), (m,∼2)) to be (n,∼1) if (n,∼1) ≤ (m,∼2);
otherwise, min((n,∼1), (m,∼2)) = (m,∼2). Given a clock
c and a clock constraint δ, we write ub(δ, c) to denote the
upper bound of c given δ. Formally,
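$$
ub(\delta, c) =
\begin{cases}
(n, \sim) & \text{if } \delta \text{ is } c \sim n \text{ and } \sim \in \{\le, <\} \\
\infty & \text{if } \delta \text{ is } c > n \text{ or } c \ge n \\
\infty & \text{if } \delta \text{ is } x \sim n \text{ and } x \ne c \\
\infty & \text{if } \delta \text{ is } true \\
\min(ub(\delta_1, c), ub(\delta_2, c)) & \text{if } \delta \text{ is } \delta_1 \wedge \delta_2
\end{cases}
$$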
We fix a TSA A = (S, Init, Σ, C, L, T) and its zone graph ZG(A) = (Sz, Initz, Σ, Tz) in the following. A path of A from s0 is a sequence π = 〈s0, e0, δ0, X0, s1, e1, δ1, X1, · · ·〉 such that (si, ei, δi, Xi, si+1) ∈ T for all i ≥ 0. We write paths(s0) to denote all paths starting from s0. Given a path π, let reset(π, c) be the number of transitions before c is first reset, i.e., reset(π, c) = k if there exists k such that c ∈ Xk and c ∉ Xj for all 0 ≤ j < k; otherwise reset(π, c) = ∞.
Definition 6: A TSA A is a CUB-TA if
and only if for all clock c ∈ C; s0 ∈ S;
π = 〈s0, e0, δ0,X0, s1, e1, δ1,X1, · · ·〉 ∈ paths(s0)
and for all i such that 0 ≤ i < reset(π, c),
ub(L(si), c) ≤ ub(δi, c) ≤ ub(L(si+1), c). 
Intuitively, every clock in a CUB-TA has a non-decreasing
upper bound along any path before it is reset. For instance,
Fig. 8(a) shows a CUB-TA, and Fig. 8(b) shows a TSA
which is not, since c’s upper bound at location A is (5,≤)
and it is (3, <) for the transition from location A to C.
In order to solve the emptiness problem, we extend
zone graph ZG(A) with two transition labels. One is a
set of resetting clocks, i.e., if a transition in ZG(A) is
generated by a transition (s1, e, δ,X, s2) in A, the transition
is labeled with X. The other label is a Boolean flag b
which is true if and only if the transition can potentially
be delayed. The value of the flag can be determined
as follows. Let c0 be a clock such that c0 ∉ C. Let
((s1, δ1), e, (s2, δ2)) be a transition in ZG. We set c0 = 0 at node (s1, δ1) so that it becomes (s1, δ1 ∧ c0 = 0). If [X → 0]((δ1 ∧ c0 = 0)↑ ∧ δ) ∧ L(s2) implies c0 = 0 where δ and X are the clock guard and resetting clocks corresponding to the transition, then the flag b is false. The idea is to have a clock c0 starting at 0 for every state so that by looking at the value of c0 after a transition, we can infer whether the transition is required to occur immediately. We say that a transition can be delayed locally (for some non-zero amount of time) if c0 = 0 is not implied (i.e., flag b is true). Notice that given a system run, a transition which can be locally delayed may in fact be constrained to occur immediately globally. For instance, given the CUB-TA in Fig. 8(a), the transition from location A to B can be delayed locally. Nonetheless, given the run starting with location A and ending with C, it is implied that the transition from A to B must occur immediately (as the transition from B to C must be delayed for 5 time units). We remark that introducing the clock c0 here is different from the approach of introducing an extra clock for non-Zenoness detection [13] as c0 is 0 in all nodes of the zone graph and therefore no extra state is introduced.

[Figure omitted: (a) CUB-TA; (b) non-CUB-TA] Fig. 8. CUB-TA examples
Theorem 3: Let π = 〈(s0, δ0), (e0,X0, b0), (s1, δ1),
(e1,X1, b1), · · ·〉 be an (infinite) run of ZG(A) where
(Xi, bi) are the newly added transition labels. π is non-Zeno
if and only if
∗ there exist infinitely many k such that bk = true; and
  for all c ∈ C, for all i ≥ 0, if ub(L(si), c) ≠ ∞, there exists j such that j ≥ i and c ∈ Xj or ub(L(sj), c) = ∞.
Proof (only-if ) If π is non-Zeno, ∗ is trivially true. If
a clock c is bounded from above (i.e., with an upper
bound other than ∞), it must be reset later or the upper
bound becomes infinity since by definition its value goes
unbounded along the run; otherwise, we have an empty
zone and thus an infeasible run. Hence,  is true.
(if ) In the following, we show that if ∗ and  are true, π is
non-Zeno. Let the following be a segment of π according
to ∗ and .
〈(si, δi), (Xi, bi), (si+1, δi+1), · · · , (sj, δj), · · · , (sk, δk)〉
where i ≤ j ≤ k and bj = true. Furthermore, for all c ∈ C, if ub(L(sj), c) ≠ ∞, there exist m, n such that i − 1 ≤ m < j ≤ n ≤ k − 1 such that c ∈ Xm (or m = −1 such that c is ‘reset’ before the initial state) and, c ∈ Xn or ub(L(sn), c) = ∞. That is, the segment contains a transition
which can be delayed locally. Furthermore, the segment
covers the ‘life-span’ (between two resets) of all clocks in
L(sj) which have an upper bound other than ∞.
In general, the infinite run π is progressive if and only
if it takes an unbounded amount of time. Since there are
infinitely many segments as above in π, if any such segment
can take a positive amount of time, then the run π is
progressive and thus non-Zeno. Next, we show that the
segment can take a positive amount of time.
Let yx denote the number of time units that can elapse from state sx to sx+1 where i ≤ x ≤ k − 1. In the following, we obtain all constraints on upper bounds of yj. For each clock c ∈ C, we have a set of constraints of the following form: ym + ym+1 + · · · + yt ∼ ub(L(st), c) where ∼ ∈ {≤, <} and j ≤ t ≤ n. The constraints put upper bounds on the total time of a part of the segment, i.e., from the moment c is previously reset to the moment of entering state st. Notice that constraints on lower bounds are ignored as they are irrelevant. Because bj is true, it is implied that ub(L(st), c) > 0 for all m ≤ t ≤ n (by assumption bj = true). In the following, we analyze two cases.
• If ∼ is ≤, the constraints are satisfied with yj = ubmin, where ubmin is the minimum of ub(L(st), c) for all c ∈ C and for all m ≤ t ≤ n, and the rest of the variables equal to 0.
• If ∼ is <, the constraints are satisfied with yj = ubmin/2.
In both cases, the segment is progressive and, therefore, we conclude that π is non-Zeno. Furthermore, because yx where x ≠ j is subject to other constraints, it may be that yx must be strictly positive and as a result the above constraints are satisfiable only when yj is 0. In such a case, the segment is progressive because yx is strictly positive and, therefore, we conclude that π is non-Zeno. With the arguments above, we conclude that the theorem holds.
Intuitively, the theorem states that, if there is a transition
which can be delayed locally, either it can be delayed
globally or some other transition can be delayed globally.
The proof does not work for an arbitrary Timed Automaton as the upper bound of a clock could be decreasing, e.g., a zero-check may be encountered later and yj is constrained to be zero.
4.2 CUB-TA Emptiness Check
In the following, we present an algorithm to solve the
emptiness problem based on the theorem below, which
reduces the problem to an SCC searching problem.
Theorem 4: A CUB-TA A contains a non-Zeno run if and
only if ZG(A) contains a reachable (maximum) strongly
connected component (SCC) such that
† it contains a transition ((s, δ), (e,X, b), (s′, δ′)) such
that b = true; and
‡ for every clock c in C, if ub(L(s), c) ≠ ∞ for some state (s, δ) in the SCC, there exists a transition in the SCC with label (X, b) such that c ∈ X.
Proof (only-if ) Assume that the model is non-empty, there
must be a non-Zeno run, say π. Since ZG is finite-state,
π must visit a set of states and transitions, denoted as Inf ,
infinitely often. There must be an SCC, say scc, which
contains Inf . Inf must contain a transition with a label b
being true (by contradiction) and therefore † is trivially
true. Next, we prove ‡ by contradiction. Assume there is
a state s in scc where a clock c has an upper bound d
which is not ∞ and there is no transition in scc which
resets c. Because the upper bound of c never decreases
(by definition of CUB-TA), the upper bound of c at every
state in scc must be d. Since scc contains Inf , this implies
that π is Zeno as c is always bounded from above and
never reset, which contradicts our assumption that π is
non-Zeno. Thus, scc must satisfy ‡.
(if ) Assume there is an SCC satisfying † and ‡. Let π be a
run which visits every state/transition in the SCC infinitely
often. It is easy to see that π satisfies ∗ of Theorem 3
because of †. By ‡, we conclude that every clock which
has an upper bound other than ∞ at a state is reset later.
Therefore, π is non-Zeno by Theorem 3 and therefore A
contains a non-Zeno run.
Therefore, we conclude that the theorem holds. 
The above theorem implies that in order to solve the
emptiness problem, we need to test each SCC against two
conditions: whether it contains a transition which can be
locally delayed; and whether every clock which has an
upper bound other than ∞ at some state is reset along
some transition in the SCC. Notice that both checks have
a complexity linear in the size of the SCC. This leads
to Algorithm 2, which can be extended to model check
temporal logic properties (e.g., LTL) with the assumption of
non-Zenoness. It takes a CUB-TA as input, and constructs
ZG on-the-fly while applying Tarjan’s algorithm to identify
SCCs. Once an SCC is found, we check whether it satisfies
† and ‡. If so, it returns true at line 5. After checking all
SCCs, it returns false.
The correctness of the algorithm can be established based
on Theorem 4. The algorithm is terminating as ZG (with
zone normalization) is finite-state. The complexity of the
algorithm is linear in time |ZG| (which is due to Tarjan’s
algorithm for identifying SCC). The overhead of checking
† and ‡ is minor.
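The SCC test of Theorem 4 that Algorithm 2 relies on can be run on a small explicit graph. The following Python code is an added example, not code from the paper or its tools; the graph encoding (a `bounded` map from each node to the clocks c with ub(L(s), c) ≠ ∞, and edges carrying the (X, b) labels), the function names and the three constructed sample graphs are assumptions.

```python
from collections import defaultdict

def tarjan_sccs(roots, succ):
    """Iterative Tarjan: SCCs of the subgraph reachable from `roots`."""
    index, low, stack, on_stack, comps = {}, {}, [], set(), []

    def open_node(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        return v, iter(succ[v])

    for root in roots:
        if root in index:
            continue
        work = [open_node(root)]
        while work:
            v, it = work[-1]
            w = next(it, None)
            if w is None:                       # every successor of v explored
                work.pop()
                if work:
                    parent = work[-1][0]
                    low[parent] = min(low[parent], low[v])
                if low[v] == index[v]:          # v is the root of an SCC
                    comp = set()
                    while True:
                        x = stack.pop()
                        on_stack.discard(x)
                        comp.add(x)
                        if x == v:
                            break
                    comps.append(comp)
            elif w not in index:
                work.append(open_node(w))
            elif w in on_stack:
                low[v] = min(low[v], index[w])
    return comps

def has_non_zeno_run(init, bounded, edges):
    """Algorithm 2 on an explicit labelled zone graph of a CUB-TA.

    init    : initial nodes (only SCCs reachable from them are examined)
    bounded : node -> set of clocks with a finite upper bound in L(s)
    edges   : (src, dst, X, b) with X the reset clocks and b the delay flag
    """
    succ, out = defaultdict(list), defaultdict(list)
    for edge in edges:
        succ[edge[0]].append(edge[1])
        out[edge[0]].append(edge)
    for comp in tarjan_sccs(list(init), succ):
        # Transitions that stay inside the SCC; a trivial SCC without a
        # self-loop has none and therefore fails the dagger condition.
        inside = [e for n in comp for e in out[n] if e[1] in comp]
        dagger = any(b for _, _, _, b in inside)
        must_reset = set().union(*(bounded.get(n, set()) for n in comp))
        is_reset = set().union(*(X for _, _, X, _ in inside))
        if dagger and must_reset <= is_reset:   # dagger and double dagger
            return True
    return False

# Constructed two-node zone graphs (not taken from the paper's figures);
# clock x has a finite upper bound at both nodes.
BOUNDED = {"n0": {"x"}, "n1": {"x"}}
PROGRESSIVE = [("n0", "n1", set(), True), ("n1", "n0", {"x"}, False)]
NEVER_RESET = [("n0", "n1", set(), True), ("n1", "n0", set(), False)]
NO_DELAY = [("n0", "n1", set(), False), ("n1", "n0", {"x"}, False)]
```

Only the first graph is accepted: the second violates ‡ because x is bounded but never reset, and the third violates † because no transition in the cycle can be delayed.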
Algorithm 2: CUB-TA emptiness check
Input: a zone graph ZG(A)
Output: true if and only if A contains at least one non-Zeno run
1  while there are un-visited states in the zone graph do
2      find a new SCC scc;
3      mark all states in scc as visited;
4      if scc satisfies † and ‡ then
5          return true;
6      end
7  end
8  return false;

4.3 Transform Arbitrary Automaton to CUB-TA
Algorithm 2 works only for CUB-TA. In the following, we develop an approach for non-Zenoness checking by transforming an arbitrary Timed Automaton to an equivalent CUB-TA. Recall that in Section 2.1 the language of a TSA is defined as the set of timed words which can be obtained from the set of non-Zeno runs. Hereafter we say that a timed automaton and the corresponding CUB-TA are equivalent if and only if they define the same language.
Intuitively, a Timed Automaton is not a CUB-TA if there exists a ‘problematic’ transition (s, e, δ, X, s′) and a clock c such that ub(L(s), c) is larger than ub(δ, c); or c ∉ X and ub(L(s), c) is larger than ub(L(s′), c). In both cases, we can ‘strengthen’ the invariant of s by adopting the respective clock upper bounds in δ or L(s′) without affecting the system taking this transition. It may however affect other transitions, e.g., strengthening L(s) might disable other transitions. Hence, to obtain an equivalent CUB-TA, we can split location s into multiple ones, each of which is labeled with a different upper bound for taking a different transition. Afterwards, we can remove the ‘problematic’ transitions from the original location so that the resultant Timed Automaton is a CUB-TA.
Given a TSA A = (S, Init, Σ, C, L, T), the transformation is shown in Algorithm 3. Given two clock constraints δ and γ, we write δ ≤ γ to denote that for all clocks c, ub(δ, c) ≤ ub(γ, c), i.e., all clock upper bounds are non-decreasing from δ to γ. We write δ ≰ γ otherwise, i.e., when some clock upper bound is decreasing. Recall that given a clock constraint δ, δ \ X denotes the constraint obtained by removing constraints on clocks in X. In an abuse of notation, assuming ub(δ1, c1) = (n1, ∼1) and ub(δ2, c2) = (n2, ∼2), we write ub(δ1, c1) ∧ ub(δ2, c2) to denote c1 ∼1 n1 ∧ c2 ∼2 n2. Furthermore, we write ub(δ, C) to denote ⋀_{c ∈ C} ub(δ, c) where C is a set of clocks, i.e., the conjunction of upper bounds on all clocks in C.
The algorithm has four parts. Part one (line 1 to 12) finds out ‘problematic’ transitions for every location s in S and collects all clock constraints which have some decreasing upper bounds in the set constraints(s). Given a transition (s, e, δ, X, s′) in T and any clock c ∈ C, if c ∉ X (or c ∈ X), ub(L(s), c) is compared to ub(δ, c) and ub(L(s′), c) (or ub(δ, c)). Thus, at line 6 and 8, the location invariant L(s) is compared to δ ∧ (L(s′) \ X) (or δ ∧ (γ \ X)), which is a conjunction of the constraint on the transition and the location invariant of s′ (or a constraint from constraints(s′)) on the clocks which are not reset along the transition. If some clock’s upper bound is decreasing in δ ∧ (L(s′) \ X) (or δ ∧ (γ \ X)), L(s) ∧ δ ∧ (L(s′) \ X) (or L(s) ∧ δ ∧ (γ \ X)) is added to constraints(s). Notice that every constraint γ ∈ constraints(s) conjuncts L(s) and thus γ ≤ L(s). The set constraints(s) is a monotonically increasing set, which reaches a fixed point when the loop from line 2 to 12 finishes. We remark that if the given TSA is a CUB-TA, constraints(s) will be empty. Part two (line 13 to 18)
‘clones’ every location s in S multiple times, once for each constraint in constraints(s). Notice that clones(s) denotes the set of all clones of s (exclusive). Part three (line 19 to 30) then copies all incoming/outgoing transitions to/from any location s such that for each transition (s, e, δ, X, s′) in the original TSA, there is a transition (sc, e, δ, X, sc′) for every sc ∈ clones(s) ∪ {s} and sc′ ∈ clones(s′) ∪ {s′}. Lastly, part four (line 31) removes all ‘problematic’ transitions so that the result is guaranteed to be a CUB-TA.

Algorithm 3: CUB-TA transformation
Input: a Timed Automaton A = (S, Init, Σ, C, L, T)
Output: a CUB-TA C which is equivalent to A
 1  set constraints(s) := ∅ for all s ∈ S and adding := true;
 2  while adding is true do
 3      adding := false;
 4      for each location s in S do
 5          for each transition (s, e, δ, X, s′) in T do
 6              if L(s) ≰ δ ∧ (L(s′) \ X) and θ = L(s) ∧ δ ∧ (L(s′) \ X) ∉ constraints(s), add θ into constraints(s) and set adding to be true;
 7              for each constraint γ in constraints(s′) do
 8                  if L(s) ≰ δ ∧ (γ \ X) and θ′ = L(s) ∧ δ ∧ (γ \ X) ∉ constraints(s), add θ′ into constraints(s) and set adding to be true;
 9              end
10          end
11      end
12  end
13  for each location s in S do
14      set clones(s) to be an empty set;
15      for each constraint δ in constraints(s) do
16          add a new location st to clones(s) and S; set L(st) to be ub(δ, C);
17      end
18  end
19  for each location s in S do
20      for each location st in clones(s) do
21          for each incoming transition (s′, e, δ′, X, s) with s′ in S do
22              add transition (s′, e, δ′, X, st);
23              add one transition (st′, e, δ′, X, st) for each st′ in clones(s′);
24          end
25          for each outgoing transition (s, e, δ′, X, s′) with s′ in S do
26              add transition (st, e, δ′, X, s′);
27              add one transition (st, e, δ′, X, st′) for each st′ in clones(s′);
28          end
29      end
30  end
31  remove all transitions (s, e, δ, X, s′) such that L(s) ≰ δ ∧ (L(s′) \ X);
32  set the set of initial locations to be {clones(s) | s ∈ Init} ∪ Init;
[Figure omitted] Fig. 9. Equivalent CUB-TA of train process

For instance, Fig. 9 shows the resultant CUB-TA from the one shown in Fig. 1(b). Fig. 1(b) is not CUB as ub(L(Appr), c) (which is 20) is larger than the upper bound on c in the transition (Appr, stop[i]?, c ≤ 10, {c}, StopS) (which is 10). To turn it into a CUB-TA using Algorithm 3, we split Appr into two locations, i.e., location Appr labeled with the original invariant and a new location New with invariant c ≤ 10. Next, incoming/outgoing transitions to the original Appr are copied to New. Afterwards, we remove the ‘problematic’ transition (Appr, stop[i]?, c ≤ 10, {c}, StopS). This is safe because the transition must occur when c ≤ 10 and the same
transition can now take place from New. Afterwards, the
Train Process becomes a CUB-TA.
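The upper-bound ordering of Section 4.1 and part one of Algorithm 3 (the fixed point that collects constraints(s)), together with the line 31 test, can be traced in code. The following Python code is an added example, not the authors' implementation; it assumes constraints are conjunctions of atoms (clock, op, n), stores each θ reduced to its upper bounds ub(θ, C) (which is all the ≤ comparison and the clone invariant use), and runs on constructed inputs: a fragment of the train process with an assumed empty invariant at StopS, and a three-location chain.

```python
import math

INF = (math.inf, False)   # "no upper bound"; a finite bound is (n, strict)

def ub_leq(a, b):
    """(n1,~1) <= (n2,~2): n2 > n1, or n2 == n1 and (~2 is <= or both are <)."""
    (n1, s1), (n2, s2) = a, b
    return n2 > n1 or (n2 == n1 and (not s2 or s1))

def ub(delta, c):
    """Upper bound of clock c in delta, a list of atoms read as a conjunction."""
    best = INF
    for clock, op, n in delta:
        if clock == c and op in ("<", "<="):   # lower bounds contribute INF
            cand = (n, op == "<")
            if ub_leq(cand, best):
                best = cand
    return best

def drop(delta, X):
    """delta \\ X: remove the atoms constraining clocks in X."""
    return [a for a in delta if a[0] not in X]

def leq(delta, gamma, clocks):
    """delta <= gamma: no clock's upper bound decreases from delta to gamma."""
    return all(ub_leq(ub(delta, c), ub(gamma, c)) for c in clocks)

def ub_all(delta, clocks):
    """ub(delta, C) as a hashable tuple of (clock, n, strict) entries."""
    return tuple(sorted((c,) + ub(delta, c) for c in clocks
                        if ub(delta, c) != INF))

def to_atoms(bounds):
    return [(c, "<" if strict else "<=", n) for c, n, strict in bounds]

def constraints_fixpoint(inv, trans, clocks):
    """Lines 1-12 of Algorithm 3; trans holds (s, e, guard, X, s2) tuples."""
    cons = {s: set() for s in inv}
    adding = True
    while adding:
        adding = False
        for s, _, guard, X, s2 in trans:
            # Line 6 compares against L(s2), line 8 against each gamma in
            # constraints(s2); both drop the clocks reset by the transition.
            for gamma in [inv[s2]] + [to_atoms(g) for g in cons[s2]]:
                rhs = guard + drop(gamma, X)
                if not leq(inv[s], rhs, clocks):
                    theta = ub_all(inv[s] + rhs, clocks)
                    if theta not in cons[s]:
                        cons[s].add(theta)
                        adding = True
    return cons

def problematic(inv, trans, clocks):
    """Transitions removed at line 31: L(s) is not <= guard ∧ (L(s2) \\ X)."""
    return [t for t in trans
            if not leq(inv[t[0]], t[2] + drop(inv[t[3 + 1]], t[3]), clocks)]

# Constructed fragment of the train process: Appr has invariant c <= 20 and
# the stop transition has guard c <= 10 and resets c (StopS invariant assumed).
TRAIN_INV = {"Appr": [("c", "<=", 20)], "StopS": []}
TRAIN_T = [("Appr", "stop", [("c", "<=", 10)], {"c"}, "StopS")]

# Constructed chain showing propagation: the bound c <= 2 needed at s1 is
# pushed back to s0 in a later iteration of the while loop.
CHAIN_INV = {"s0": [("c", "<=", 9)], "s1": [("c", "<=", 9)], "s2": []}
CHAIN_T = [("s0", "a", [], set(), "s1"),
           ("s1", "b", [("c", "<=", 2)], set(), "s2")]
```

For the train fragment the single entry collected for Appr is the bound c ≤ 10, matching the invariant of the location New described above.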
Theorem 5: Given an arbitrary TSA, applying Algorithm 3
results in an equivalent CUB-TA.
Proof : Let A = (S0, Init0,Σ,C, L0,T0) be the input TSA
and C = (S1, Init1,Σ,C, L1,T1) be the resultant one. It is
easy to see that C is a CUB-TA because of line 31. Next, we
show first that the language of C is a subset of that of A. If
line 31 is removed from Algorithm 3, it is easy to see that
C is equivalent to A as all that has been done is duplicating
some locations and transitions. Therefore, we conclude that
with line 31, the language of C is no more than that of A.
Next, we argue that removing the ‘problematic’ transitions
at line 31 does not remove any timed word so that the
language of C is no less than that of A.
Given a transition (s, e, δ,X, s′), we say that it is CUB
if L(s) ≤ δ ∧ (L(s′) \ X). In the following, we write
transi to denote (si, ei, δi,Xi, si+1) and trans′i to denote
(s′i , e
′
i, δ
′
i ,X
′
i , s
′
i+1). Let Q = 〈trans0, trans1, · · · , transn〉
be a sequence of connected transitions in A. Let π be a
timed word of A generated by firing the transitions in Q
in sequence. We show, by an induction on the length of
Q, that the following is true (referred to as  hereafter):
there must be a sequence of connected transitions Q ′ =
〈trans′0, trans′1, · · · , trans′n〉 in C such that sn+1 = s′n+1 and
Q′ generates an equivalent timed word in C.
The base case is when Q contains one transition Q =
〈trans0〉. If trans0 is CUB, it is not removed by line 31
in C and hence we let Q′ = 〈trans0〉 and thus  holds. If
trans0 is not CUB, there must be a location s′0 in clones(s0)
such that L(s′0) = ub(L(s0) ∧ δ0 ∧ (L(s1)\X),C) because
L(s0) ≤ δ0 ∧ (L(s1) \ X0) at line 6 in Algorithm 3. Thus,
(s′0, e0, δ0, X0, s1) must be a transition in C and we set
Q′ = 〈(s′0, e0, δ0, X0, s1)〉. A timed word π which can be
generated by Q can also be generated by Q′ (since s′0 is
an initial location of C), i.e., if the clock upper bounds
in δ0 ∧ (L(s1) \ X) are satisfied, they must be satisfied
at location s0 and thus also s′0. That is, going through s′0
instead of s0 does not rule out any timed word.
In the following, we assume that  holds for any
Q of length i ≤ k (i.e., induction hypothesis) and we
prove that  holds for any Q of length k + 1. Let
Q = 〈trans0, · · · , transk−1, transk〉 be a sequence of k + 1
connected transitions in A. If transk is CUB, by induction
hypothesis, there exists 〈trans′0, · · · , trans′k−1〉 such that 
is satisfied. We set Q′ = 〈trans′0, · · · , trans′k−1, transk〉 and
it is easy to see that Q′ satisfies  and all transitions in Q′
are CUB.
If transk is not CUB, there must be a location s′k
in clones(sk) such that L(s′k) = ub(L(sk) ∧ δk ∧
(L(sk+1) \ Xk),C) because L(sk) ≤ δk ∧ (L(sk+1) \ Xk)
at line 6 in Algorithm 3. We modify Q such that the
last transitions transk−1 and transk are replaced with
(sk−1, ek−1, δk−1, Xk−1, s′k) and (s′k, ek, δk, Xk, sk+1) respectively.
By a simple argument, we can show that doing so
does not rule out any timed word, i.e., if the clock upper
bounds in δk ∧ (L(sk+1) \ Xk) are satisfied, they must be
satisfied at location sk and thus also s′k. Afterwards, if the
transition (sk−1, ek−1, δk−1,Xk−1, s′k) is CUB, by induction
hypothesis, we can generate a sequence of transitions in C,
say 〈trans′0, · · · , trans′k−2〉 such that s′k−1 = sk−1 and we
append (sk−1, ek−1, δk−1,Xk−1, s′k) and (s′k, ek, δk,Xk, sk+1)
to the sequence so as to obtain a sequence of CUB transitions
in C. The resulting sequence evidences that  holds.
Otherwise, we repeat the above to replace sk−1 with a state
in clones(sk−1), and similarly sk−2, sk−3, · · · afterwards if
necessary. We set Q′ to be the resulting sequence. Because
no timed word is ruled out during each replacement, we can
generate the same timed word from Q′. Therefore, every
timed word of A is also a timed word of C.
By induction,  holds for any sequence of transitions in
A and thus A and C are equivalent. 
The complexity of Algorithm 3 is linear in |S| × |T| × |C|
where |S| is the number of locations, |T| is the number
of transitions and |C| is the number of clocks. In the worst
case, every transition introduces a new upper bound for
every clock and the upper bounds propagate through every
location. That is, the number of iterations of the loop from
line 2 to 12 is bounded by the number of locations. The
number of extra locations introduced by the above algorithm
depends on the number of ‘problematic’ transitions.
The best case is that the given Timed Automaton is a
CUB-TA and hence no locations are added. It is possible
that a clock upper bound may propagate through multiple
paths and result in introducing multiple locations. In the
worst case, the number of locations in the resultant TSA is
|S| × |T|, i.e., every location is copied for every transition.
In practice, however, the worst case is rare as we show
in the next section. Compared to the GZG approach, it
may be that many of the extra locations are not necessary
(e.g., distinguishing a location with a lower upper bound
from the original location may not be essential if
non-Zenoness can be concluded through other means) and
therefore it is possible that transforming a TSA into a
CUB-TA is not beneficial. Furthermore, given a network
of Timed Automata, adding even one extra location into a
component automaton may significantly increase the size of
the zone graph. It is thus necessary to evaluate and compare
the performance of different approaches with real-world
systems.
Given a network of TSA, if clocks are local to each
TSA, we can apply Algorithm 3 to each TSA separately and
guarantee that parallel composition of the resultant TSA is a
CUB-TA. If there are shared clocks, either we can compute
the product of the TSA with shared clocks and then apply
Algorithm 3 to the product or we can transform the model
so as to avoid shared clocks if possible [32].
5 EVALUATION
We developed a tool, named TA@PAT, implementing the
above mentioned algorithms for model checking networks
of TSA with non-Zenoness assumption against LTL properties.
TA@PAT is developed based on the PAT framework [18],
with 36K lines of C# code excluding libraries
from the PAT framework. A model in TA@PAT is a network
of TSA. In addition, we support features like shared
variables and pair-wise channel synchronization (similar to
those supported in UPPAAL). A property is in the form
of an LTL formula constituted by propositions on shared
variables. We adopt the automata-based approach for model
checking LTL properties [33], i.e., a Büchi automaton is
constructed from the negation of the formula and the product of
the system and the Büchi automaton is constructed on-the-fly
in order to determine whether the property is satisfied
or not, while checking whether non-Zenoness is satisfied
or not.
In order to evaluate the efficiency of the non-Zenoness
checking algorithms in a practical and fair environment,
we conducted a systematic comparison by model checking
14 benchmark systems with/without the assumption
of non-Zenoness. We collect the models in the UPPAAL
distribution as well as models which we can find online
or published previously, i.e., Fischer’s mutual exclusion
algorithm (Fischer), box sorter unit (Box), a simple two
doors example (2doors), Lynch-Shavit’s algorithm (Lynch),
the bridge crossing puzzle (Bridge), a time triggered
architecture (TTA), Bang-Olufsen’s collision detection protocol
(BOCDP), a gear controller (Gear), a collision avoidance
protocol for an Ethernet like medium (CAPEM),
Wendi-Anantha’s communication protocol for wireless
micro-sensor networks (WACP), the railway control system
(Railway), the CSMA/CD protocol (CSMA), the TDMA
protocol with or without error-tolerance (TDMA_1/TDMA_2)
and the fibre distributed data interface protocol (FDDI). The
LTL formulae are specified according to different models,
e.g., whenever a process makes a request, it will enter the
critical section (Fischer model), or whenever a frame is
sent, the frame will be destroyed (BOCDP model). All
the models and TA@PAT are available online (footnote 2). To be
fair, we re-implemented the previous approaches so that
all algorithms are programmed in the same programming
language (i.e., C#), running on the same platform and
built on the same underlying data structure (e.g., the DBM
library).
Fig. 10 shows the experimental results, obtained on a
server running 64-bit Windows with Intel(R) Core(TM)
i7-2600 CPU at 3.40GHz and 8GB RAM. The horizontal axis
shows the models. The vertical axis shows the verification
time, where ‘infinity’ means out of memory or more than
2 hours; the columns with different shading represent the
verification time for different methods as shown in Fig. 10.
Besides, we list the number of states visited (as well as
the verification time) during the verification for different
approaches, as shown in Table 2, where ‘–’ means the
same as ‘infinity’. Every model is checked using the approach
without the assumption of non-Zenoness (W/o non-Zenoness),
the CUB-TA based approach (denoted as CUB),
the approach based on adding states in the zone graph
(denoted as GZG) and the one based on adding one extra
clock (denoted as SNZ). The verification results include
‘valid’, ‘invalid’ and ‘inv-val’ as shown in Table 2, where
‘inv-val’ means that the property is invalid without
non-Zenoness (due to Zeno counterexamples) and valid with
non-Zenoness. In such cases, the counterexamples found
by the approach without non-Zenoness are Zeno ones.
Footnote 2: http://www.comp.nus.edu.sg/~pat/zeno
A number of observations can be made on the verification
results. First of all, Zeno counterexamples do occur (e.g., in
the models of Bridge, TTA and Gear with ‘inv-val’, and also
in some models with ‘invalid’ like the FDDI model), which
shows that model checking with non-Zenoness is necessary.
Furthermore, depending on the model and the
non-Zenoness checking algorithm, model checking with
non-Zenoness incurs minor to significant computational overhead
compared to model checking without non-Zenoness.
This suggests that an efficient algorithm for model checking
with non-Zenoness can potentially reduce verification time
significantly.
The performance of the three non-Zenoness checking
approaches varies on different models. In all the 20 cases,
the SNZ approach is significantly slower. This is because
not only is there one additional clock, but additional
accepting locations must also be added into the model so as
to make sure one time unit is elapsed during any accepting
loop in the zone graph. Notice that the number of additional
locations equals the number of accepting locations in the
original model, which is the number of locations in the
setting of TSA. In all the 20 cases, we make three
observations for the CUB and GZG approaches: (1) the
CUB approach won 13 cases (with 9 models of Box,
Lynch, BOCDP, Gear, CAPEM, WACP, Railway, CSMA
and TDMA), i.e., it is faster and visits fewer states than the
GZG approach; (2) the GZG approach only won 2 cases of
the FDDI model; (3) for the other 5 cases (with 4 models
of Fischer, 2doors, Bridge and TTA), the GZG approach
has similar performance to the CUB approach, and the
two approaches visit the same number of states. A closer
investigation of the models reveals that among the fourteen
systems, ten are CUB-TA, whereas the Railway model, the
CSMA model, the TDMA model and the FDDI model are
not. This suggests that models with non-decreasing upper
bounds do exist in practice and, as a result, the CUB-TA
based approach could be useful.
For the 13 cases with result ‘invalid’ or ‘inv-val’ in
observation (1), the CUB approach often performs significantly
better. The reason is that whenever it is necessary to
re-explore a blocking SCC or deal with zero-checks (i.e.,
expand the zone graph to build a part of the guessing
zone graph rather than only the zone graph) in order
to check non-Zenoness, the GZG approach in [15] often
suffers, especially when the SCC is large. Notice that
zero-checks exist in most of the models, e.g., an urgent
location or a committed location freezes the time. This is
expected as for CUB-TA, the CUB approach solves the
non-Zenoness problem without introducing any clock or
state. The performance improvement is not so significant
for the Gear model because the SCC is small and the
re-exploration and zero-check are done quickly, but the GZG
approach does visit more states than the CUB approach.
[Figure 10: bar chart. Horizontal axis: the models with their verification results; vertical axis: time(s), from 0.0005 to 5000 with ‘infinity’ at the top; series: Without non-Zenoness, CUB, GZG, SNZ.]
Fig. 10. The time used for three approaches by model checking LTL with non-Zenoness
TABLE 2
The visited states of three approaches by model checking LTL with non-Zenoness
Model      Result   W/o non-Zenoness    CUB                 GZG                 SNZ
                    #States   Time(s)   #States   Time(s)   #States   Time(s)   #States   Time(s)
Fischer*3  invalid  454       0.08      454       0.1       454       0.1       44647     4.4
Fischer*6  valid    1527961   104.5     1527961   129.7     1527961   130.9     –         –
Box        invalid  494       0.01      494       0.01      954       0.03      –         –
2doors     invalid  143       0.005     143       0.007     143       0.006     11744     1.1
Lynch*4    invalid  10877     0.3       17328     0.6       47501     2.1       –         –
Lynch*5    invalid  241729    10.6      407019    23.0      1327249   103.7     –         –
Bridge     inv-val  48        0.002     497634    12.9      497634    12.1      –         –
TTA*13     inv-val  464       0.06      125896    70.3      125896    69.2      –         –
BOCDP      invalid  38955     2.8       38955     3.6       100407    6.6       –         –
Gear       inv-val  84        0.06      486476    22.1      501566    23.5      –         –
CAPEM      invalid  17416     1.3       17416     1.5       31212     3.5       –         –
WACP*7     invalid  14879     29.5      14879     30.2      141979    56.9      –         –
Railway*4  invalid  19527     2.7       32569     6.0       116573    9.4       –         –
Railway*5  invalid  389146    779.2     585573    2918.8    –         –         –         –
CSMA*6     invalid  97        0.1       689       0.2       2662      0.4       65925     15.3
CSMA*11    invalid  232       0.1       3494      1.3       349280    102.6     –         –
TDMA_1     invalid  236547    19.7      236553    25.1      663922    41.5      –         –
TDMA_2     invalid  235089    6.2       280786    13.3      659773    28.5      –         –
FDDI*3     valid    88698     4.4       –         –         88698     4.5       –         –
FDDI*3     invalid  88571     5.1       –         –         177113    18.0      –         –
Among the 9 models of the 13 cases, 3 models are not
CUB-TA (Railway, CSMA and TDMA). However, if the
number of added locations is small, the CUB approach may
still perform better than the GZG approach. For the Railway
model, the CSMA model and the TDMA model, the ratios
of the number of added locations to the number of original
locations are around 17%, 30% and 50% respectively.
As shown in observation (2), for the 4 models which
are not CUB-TA, the GZG approach outperforms the CUB
approach only on one model, i.e., the FDDI model. It is
because 11 extra locations are added for each automaton
during the process of transforming the model into an
equivalent CUB-TA, which makes the zone graph very large
for the CUB approach. The ratio of the number of added
locations to the number of original locations is around
137%.
For observation (3), the GZG approach has similar
performance to the CUB approach. This is due to the
heuristics proposed in [15], which allow the GZG algorithm
to avoid adding states into the zone graph in certain
cases. With the GZG approach applied on the 5 cases, for
the ‘valid’ case (Fischer), there is no SCC in the zone graph;
for the two ‘invalid’ cases (Fischer and 2doors), the SCC
found for the first time is non-blocking and there is not any
zero-check; for the two ‘inv-val’ cases (Bridge and TTA),
the SCC is blocked but the re-exploration finishes quickly
without finding any non-blocking SCC, and as a result,
zero-check is unnecessary (notice that the re-exploration
does not introduce new states, whereas expanding the zone
graph to a guessing zone graph for zero-checks introduces
more states). Moreover, all the models in this observation
are CUB-TA, therefore no extra location is introduced
for the CUB approach. As a result, the GZG and CUB
approaches visit the same number of states.
Furthermore, we can see from Table 2 that the CUB approach
visited the same number of states as the approach
without non-Zenoness, for all CUB-TA models (except
for the Lynch, Bridge, TTA and Gear models, since they
contain Zeno runs), while the GZG approach and the SNZ
approach increase the number of visited states significantly,
especially when a property is invalid. This also suggests
why the CUB approach performs better. For those models
which are not CUB-TA, since extra locations are introduced
to transform the model into CUB-TA, the number of visited
states increases using the CUB approach, especially so for
the FDDI model. However, the number of visited states
is still less than that of the GZG approach and the SNZ
approach for the Railway, CSMA and TDMA examples,
which do not introduce too many extra locations.
Based on the above observations, we develop a heuristic
algorithm for choosing the right approach in TA@PAT.
Fig. 11 shows the workflow of TA@PAT. Given an input
TA, TA@PAT works as follows.
1) Check if the TA is an SNZ (refer to [34] for the
algorithm). If the answer is yes, we perform model
checking without non-Zenoness. From Fig. 10 and
Table 2 we can see that the approach without
non-Zenoness has the best performance. If the TA is an
SNZ itself, all runs of the TA are guaranteed to be
non-Zeno and the approach without non-Zenoness is
sufficient.
2) If the TA is not SNZ, check if the TA is a CUB-TA.
If the answer is yes, we perform model checking
with non-Zenoness using the CUB approach. We can
see from observation (1) and observation (3) that
for all the CUB-TA models, the CUB approach performs
better than or similar to the GZG approach. The SNZ
approach is not considered since it is always much
slower.
3) If the TA is not a CUB-TA, we transform the TA into
a CUB-TA. If the number of the added locations is no
more than 50% of the original locations in the model,
we model check with non-Zenoness using the CUB
approach. We conservatively propose the threshold
50% which is the largest ratio from the results of
observation (1). We also make it user configurable so
that the users can control which approach to use when
the CUB approach has to introduce more locations.
4) Otherwise we model check using the GZG approach.
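The CUB condition used in the proof of Theorem 5 and the four-step selection above, as an added example (not code from the paper or from TA@PAT). It assumes invariants and guards are reduced to non-strict per-clock upper bounds, reads ≤ as a per-clock comparison with ∞ for unconstrained clocks, and takes the SNZ verdict and the number of locations added by Algorithm 3 as inputs; all names and the sample automaton are constructed.

```python
import math

INF = math.inf  # upper bound of a clock that a constraint leaves unbounded

# Constructed sample (not a model from the paper): invariants and guards
# carry only their clock upper bounds "c <= n", written as {clock: n}.
INVARIANT_UB = {"Idle": {}, "Work": {"x": 5}, "Cool": {"x": 3}}
# Each transition is (s, e, guard upper bounds, reset set X, s').
TRANSITIONS = [
    ("Idle", "start", {}, {"x"}, "Work"),
    ("Work", "done", {"x": 5}, set(), "Cool"),  # bound on x drops from 5 to 3
    ("Cool", "rest", {}, {"x"}, "Idle"),
]
# Same automaton, but "done" now resets x, so the tighter bound at Cool
# no longer constrains the value x had in Work.
TRANSITIONS_FIXED = [
    ("Idle", "start", {}, {"x"}, "Work"),
    ("Work", "done", {"x": 5}, {"x"}, "Cool"),
    ("Cool", "rest", {}, {"x"}, "Idle"),
]


def violating_clocks(transition, invariant_ub, clocks):
    """Clocks for which the transition breaks L(s) <= δ ∧ (L(s') \\ X)."""
    src, _event, guard_ub, resets, dst = transition
    bad = []
    for clock in sorted(clocks):
        at_source = invariant_ub.get(src, {}).get(clock, INF)
        limit = guard_ub.get(clock, INF)
        if clock not in resets:  # L(s') \ X ignores clocks that are reset
            limit = min(limit, invariant_ub.get(dst, {}).get(clock, INF))
        if at_source > limit:
            bad.append(clock)
    return bad


def non_cub_transitions(transitions, invariant_ub, clocks):
    """Map (s, e, s') of every non-CUB transition to its offending clocks."""
    report = {}
    for t in transitions:
        bad = violating_clocks(t, invariant_ub, clocks)
        if bad:
            report[(t[0], t[1], t[4])] = bad
    return report


def is_cub_ta(transitions, invariant_ub, clocks):
    """True when every transition satisfies the CUB condition."""
    return not non_cub_transitions(transitions, invariant_ub, clocks)


def choose_approach(is_snz, is_cub, n_locations, n_added=0, threshold=0.5):
    """Steps 1-4 of the workflow; n_added is what the CUB transformation added."""
    if is_snz:
        return "without non-Zenoness"
    if is_cub or n_added <= threshold * n_locations:
        return "CUB"
    return "GZG"


if __name__ == "__main__":
    print(non_cub_transitions(TRANSITIONS, INVARIANT_UB, {"x"}))
    print(is_cub_ta(TRANSITIONS_FIXED, INVARIANT_UB, {"x"}))
    # Ratios of added to original locations quoted in the evaluation.
    for name, added in [("Railway", 17), ("TDMA", 50), ("FDDI", 137)]:
        print(name, choose_approach(False, False, 100, added))
```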
6 DISCUSSION
Our contribution in this work is threefold. Firstly, we show
that for CUB-TA, non-Zenoness checking can be solved
based on the zone graph only without introducing any
extra clock or states. Furthermore, we develop an algorithm
to transform an arbitrary Timed Automaton into an
equivalent CUB-TA. Secondly, we make a systematic and
experimental evaluation on the problem of model checking
with the non-Zenoness assumption and compare different
approaches in the context of model checking LTL through
various benchmark systems. Lastly, we develop a software
toolkit integrated with these approaches, which heuristically
selects different approaches for different models.
[Figure 11: flowchart with the nodes Input TA; Is SNZ? (yes/no); Select one approach; Is CUB? (yes/no); Transform into CUB-TA; #Added states ≤ 50%? (yes/no); MC without non-Zenoness; MC using CUB approach; MC using GZG approach.]
Fig. 11. Workflow of TA@PAT
In addition to the above-mentioned approaches on checking
non-Zenoness, this work is related to research on
non-Zenoness in general. In [13], it has been shown that a Timed
Automaton is strongly non-Zeno if for each structural
loop of the Timed Automaton (i.e., a loop in the Timed
Automaton itself, not the underlying transition system),
there exists a clock c such that c is reset during the loop
and c is bounded from below in a guard of a transition
during the loop. A weaker condition of the SNZ method
is identified in [34] (e.g., instead of checking all structural
loops, only some loops are checked). The authors argue
that a network is non-Zeno if the product automaton is
SNZ, i.e., if every loop in the product automaton is SNZ.
The proposed conditions to guarantee absence of Zeno
runs in a network include: (a) it suffices to consider loops
that correspond to elementary cycles (i.e., cycles with
exactly one repeating location), and (b) Zeno runs cannot
occur if all non-SNZ loops have at least one observable
action, which cannot be matched against any other
non-SNZ loop (blocking synchronisation with any SNZ loop
guarantees non-Zenoness). Effectively, the work in [34]
weakens the requirements imposed in [13], and proves that
the composition between an SNZ loop and another
non-SNZ loop can yield an SNZ loop in the product automaton.
The analysis in [34] is able to assert absence of Zeno runs
for a larger class of specifications, but it assumes a simple
Timed Automaton model. In [35], the authors show that
the analysis is not sound when UPPAAL extensions such
as non-Zero clock assignments and broadcast channels are
considered, and that synchronisation can be better exploited
to improve precision. Besides, they extend the analysis for
the situations when urgent and committed locations, urgent
channels, parameters and selections exist. Thus a more
comprehensive analysis to deal with additional features
introduced by UPPAAL networks is proposed.
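The structural-loop condition attributed to [13] above, as an added example (not code from the paper, from [13] or [34], or from TA@PAT). It assumes ‘bounded from below’ means a guard conjunct c ≥ k with k ≥ 1, and it enumerates elementary cycles only, which is enough because every structural loop is composed of elementary cycles; the edge format, function names and sample automaton are constructed.

```python
from collections import defaultdict

# Constructed sample (not a model from the paper). Each edge of the automaton's
# own graph is (source, target, lower bounds {clock: k} for guard conjuncts
# "clock >= k", set of clocks reset on the edge).
EDGES = [
    ("A", "B", {"x": 1}, set()),
    ("B", "A", {}, {"x"}),        # loop A-B-A: x is reset and x >= 1 is required
    ("B", "C", {}, {"y"}),
    ("C", "B", {}, set()),        # loop B-C-B: y is reset but never bounded below
    ("C", "C", {"y": 2}, {"y"}),  # self-loop: y is reset and y >= 2 is required
]
# Same automaton with a lower bound on y added to the edge C -> B.
EDGES_FIXED = EDGES[:3] + [("C", "B", {"y": 1}, set())] + EDGES[4:]


def elementary_cycles(edges):
    """Yield every elementary cycle once, as a list of edge indices."""
    out = defaultdict(list)
    for i, (src, _dst, _lower, _resets) in enumerate(edges):
        out[src].append(i)
    locations = sorted({e[0] for e in edges} | {e[1] for e in edges})
    order = {loc: n for n, loc in enumerate(locations)}

    def walk(start, loc, path, seen):
        for i in out[loc]:
            nxt = edges[i][1]
            if nxt == start:
                yield path + [i]
            # Only visit locations ordered after the start, so that each
            # cycle is reported from its smallest location and never twice.
            elif nxt not in seen and order[nxt] > order[start]:
                yield from walk(start, nxt, path + [i], seen | {nxt})

    for start in locations:
        yield from walk(start, start, [], {start})


def loop_is_snz(edges, cycle):
    """Some clock is both reset and bounded from below along the cycle."""
    reset = set().union(*(edges[i][3] for i in cycle))
    bounded = {c for i in cycle for c, k in edges[i][2].items() if k >= 1}
    return bool(reset & bounded)


def non_snz_loops(edges):
    """Structural loops that may let time stop, as lists of (source, target)."""
    return [
        [(edges[i][0], edges[i][1]) for i in cycle]
        for cycle in elementary_cycles(edges)
        if not loop_is_snz(edges, cycle)
    ]


def is_strongly_non_zeno(edges):
    return not non_snz_loops(edges)


if __name__ == "__main__":
    print(non_snz_loops(EDGES))
    print(is_strongly_non_zeno(EDGES_FIXED))
```

The check is structural and sufficient only: an automaton it rejects may still have no Zeno run, which is the case the CUB and GZG approaches handle during model checking.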
However, preventing Zeno runs altogether by construction
would be too restrictive for users [35]. Rather, methods
should be provided to check whether a run is Zeno or not
and discard the Zeno runs in the process of verification.
In [13], [14], the authors showed that every Timed Automaton
can be transformed into a strongly non-Zeno one,
for which the emptiness problem can be solved easily.
The price to pay is an extra clock. It has been shown that
adding one clock may result in an exponentially larger zone
graph [12]. The proposed remedy is the GZG approach.
In addition, this work is related to the work on non-Zeno
real-time game strategy [31], which however is not based on
zone abstraction, whereas our work is on solving a problem
on combining zone abstraction and non-zenoness.
In terms of tool support for model checking with
non-Zenoness, UPPAAL [3], KRONOS [4] and RT Spin [36]
allow some form of non-Zenoness detection. UPPAAL relies
on test automata [37] and leads-to properties. The problem
with this approach is that it is sufficient-only. KRONOS
supports an expressive language for specifying properties,
which allows encoding of a sufficient and necessary
condition for non-Zenoness. Checking for non-Zenoness
in KRONOS is expensive. The non-Zenoness checking
algorithm implemented in RT Spin is unsound [36]. While it
is possible to check LTL properties indirectly using existing
tools like KRONOS, as far as we know, TA@PAT is the
only model checker which supports model checking LTL
with the non-Zenoness assumption directly.
REFERENCES
[1] R. Alur and D. L. Dill, “A Theory of Timed Automata,” Theoretical Computer Science, vol. 126, pp. 183–235, 1994.
[2] T. A. Henzinger, X. Nicollin, J. Sifakis, and S. Yovine, “Symbolic Model Checking for Real-Time Systems,” Information and Computation, vol. 111, no. 2, pp. 193–244, 1994.
[3] K. G. Larsen, P. Pettersson, and W. Yi, “Uppaal in a Nutshell,” International Journal on Software Tools for Technology Transfer, vol. 1, no. 1-2, pp. 134–152, 1997.
[4] M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine, “Kronos: A Model-Checking Tool for Real-Time Systems,” in CAV, ser. LNCS, vol. 1427. Springer, 1998, pp. 546–550.
[5] F. Wang, “Symbolic Verification of Complex Real-Time Systems with Clock-Restriction Diagram,” in Formal Techniques for Networked and Distributed Systems. Springer, 2002, pp. 235–250.
[6] D. Beyer, C. Lewerentz, and A. Noack, “Rabbit: A Tool for BDD-based Verification of Real-Time Systems,” in CAV. Springer, 2003, pp. 122–125.
[7] S. Cattani and M. Z. Kwiatkowska, “A Refinement-based Process Algebra for Timed Automata,” Formal Aspects of Computing, vol. 17, no. 2, pp. 138–159, 2005.
[8] R. Alur, L. Fix, and T. A. Henzinger, “Event-Clock Automata: A Determinizable Class of Timed Automata,” Theor. Comput. Sci., vol. 211, no. 1-2, pp. 253–273, 1999.
[9] J. Ouaknine and J. Worrell, “On the Language Inclusion Problem for Timed Automata: Closing a Decidability Gap,” in LICS. IEEE Computer Society, 2004, pp. 54–63.
[10] A. David, K. G. Larsen, A. Legay, U. Nyman, and A. Wasowski, “ECDAR: An Environment for Compositional Design and Analysis of Real Time Systems,” in ATVA, ser. LNCS, vol. 6252. Springer, 2010, pp. 365–370.
[11] J. S. Dong, P. Hao, S. Qin, J. Sun, and W. Yi, “Timed Automata Patterns,” IEEE Transactions on Software Engineering, vol. 34, no. 6, pp. 844–859, 2008.
[12] F. Herbreteau, B. Srivathsan, and I. Walukiewicz, “Efficient Emptiness Check for Timed Büchi Automata,” Formal Methods in System Design, vol. 40, no. 2, pp. 122–146, 2012.
[13] S. Tripakis, “Verifying Progress in Timed Systems,” in ARTS, ser. LNCS, vol. 1601. Springer, 1999, pp. 299–314.
[14] S. Tripakis, S. Yovine, and A. Bouajjani, “Checking Timed Büchi Automata Emptiness Efficiently,” FMSD, vol. 26, no. 3, pp. 267–292, 2005.
[15] F. Herbreteau and B. Srivathsan, “Efficient On-the-Fly Emptiness Check for Timed Büchi Automata,” in ATVA, 2010, pp. 218–232.
[16] J. Sun, Y. Liu, J. S. Dong, Y. Liu, L. Shi, and E. André, “Modeling and Verifying Hierarchical Real-time Systems using Stateful Timed CSP,” TOSEM, 2012, to appear.
[17] J. Ouaknine and J. Worrell, “Timed CSP = Closed Timed Safety Automata,” Electr. Notes Theor. Comput. Sci., vol. 68, no. 2, 2002.
[18] J. Sun, Y. Liu, J. S. Dong, and J. Pang, “PAT: Towards Flexible Verification under Fairness,” in CAV, ser. LNCS, vol. 5643, 2009.
[19] W. Yi, P. Pettersson, and M. Daniels, “Automatic Verification of Real-Time Communicating Systems by Constraint-Solving,” in ICFDT, 1994, pp. 223–238.
[20] T. A. Henzinger, P. Kopke, and H. Wong-Toi, “The Expressive Power of Clocks,” in ICALP, 1995, pp. 417–428.
[21] D. L. Dill, “Timing Assumptions and Verification of Finite-State Concurrent Systems,” in Automatic Verification Methods for Finite State Systems, ser. LNCS, vol. 407. Springer, 1989, pp. 197–212.
[22] G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi, “Efficient Timed Reachability Analysis Using Clock Difference Diagrams,” in CAV, ser. LNCS, vol. 1633, 1999, pp. 341–353.
[23] T. G. Rokicki, “Representing and Modeling Digital Circuits,” Ph.D. dissertation, Stanford Uni., 1993.
[24] P. Bouyer, “Forward Analysis of Updatable Timed Automata,” Formal Methods in System Design, vol. 24, no. 3, pp. 281–320, 2004.
[25] S. Tripakis, “Checking Timed Büchi Automata Emptiness on Simulation Graphs,” ACM Trans. Comput. Log., vol. 10, no. 3, 2009.
[26] S. Schwoon and J. Esparza, “A Note on On-the-fly Verification Algorithms,” in TACAS. Springer, 2005, pp. 174–190.
[27] F. Wang, “Efficient Verification of Timed Automata with BDD-Like Data-Structures,” in VMCAI, 2003, pp. 189–205.
[28] F. Wang, G.-D. Huang, and F. Yu, “TCTL Inevitability Analysis of Dense-Time Systems: From Theory to Engineering,” IEEE Trans. Softw. Eng., vol. 32, no. 7, pp. 510–526, 2006.
[29] F. Wang, “Efficient Model-Checking of Dense-Time Systems with Time-Convexity Analysis,” in RTSS, 2008, pp. 195–205.
[30] F. Wang, L.-W. Yao, and Y.-L. Yang, “Efficient Verification of Distributed Real-time Systems with Broadcasting Behaviors,” Real-Time Syst., vol. 47, no. 4, pp. 285–318, 2011.
[31] K. Chatterjee and V. S. Prabhu, “Synthesis of Memory-efficient Real-time Controllers for Safety Objectives,” in HSCC. ACM, 2011, pp. 221–230.
[32] S. Balaguer and T. Chatain, “Avoiding Shared Clocks in Networks of Timed Automata,” in CONCUR, ser. LNCS, vol. 7454. Springer, 2012, pp. 100–114.
[33] M. Y. Vardi and P. Wolper, “Reasoning About Infinite Computations,” Information & Computation, vol. 115, no. 1, 1994.
[34] H. Bowman and R. Gómez, “How to Stop Time Stopping,” Formal Aspects of Computing, vol. 18, no. 4, pp. 459–493, 2006.
[35] R. Gómez and H. Bowman, “Efficient Detection of Zeno Runs in Timed Automata,” in FORMATS, ser. LNCS, vol. 4763. Springer, 2007, pp. 195–210.
[36] S. Tripakis and C. Courcoubetis, “Extending Promela and Spin for Real Time,” in TACAS, ser. LNCS, vol. 1055. Springer, 1996, pp. 329–348.
[37] L. Aceto, P. Bouyer, A. Burgueño, and K. G. Larsen, “The Power of Reachability Testing for Timed Automata,” Theoretical Computer Science, vol. 300, no. 1-3, pp. 411–475, 2003.
Ting Wang received her bachelor’s degree in software engineering from Zhejiang University of China in 2008. She is currently a PhD student in College of Computer Science and Technology of Zhejiang University. She has studied in Singapore University of Technology and Design (SUTD) as a visiting student in 2012, and also studied in National University of Singapore (NUS) since 2013. Her research interests include formal methods and software engineering, in particular, system verification and model checking.
Jun Sun received the bachelor’s and PhD degrees in computing science from the National University of Singapore (NUS) in 2002 and 2006, respectively. In 2007, he received the prestigious LEE KUAN YEW postdoctoral fellowship in the School of Computing of NUS. In 2010, he joined the Singapore University of Technology and Design (SUTD) as an assistant professor. He was a visiting scholar at MIT from 2011 to 2012. His research focuses on software engineering and formal methods, in particular, system verification and model checking. He is the cofounder of the PAT model checker.
Xinyu Wang received his bachelor’s and PhD degrees in computer science from Zhejiang University of China in 2002 and 2007. He was a research assistant in Zhejiang University, during 2002–2007. He is currently an associate professor in the College of Computer Science, Zhejiang University. His research interests include software engineering, formal methods and very large information systems.
Yang Liu received the bachelor’s of computing degree in 2005 from the National University of Singapore (NUS), the PhD degree in 2010, and continued with postdoctoral work at NUS. Since 2012, he has been with the Nanyang Technological University (NTU) as an assistant professor. His research focuses on software engineering, formal methods, and security. Particularly, he specializes in software verification using model checking techniques. This work led to the development of a state-of-the-art model checker, process analysis toolkit.
Yuanjie Si received his bachelor’s and PhD degrees in computer science from Zhejiang University of China in 2007 and 2013. He has studied in Singapore University of Technology and Design (SUTD) as a visiting student in 2011. His research interests include software engineering and formal verification, in particular, system verification, model checking and software reliability evaluation techniques.
Jin Song Dong received the bachelor’s and PhD degrees in computing from the University of Queensland, Australia, in 1992 and 1996, respectively. From 1995 to 1998, he was a research scientist at CSIRO in Australia. Since 1998, he has been at the School of Computing of the National University of Singapore (NUS), where he is currently an associate professor and one of the PhD supervisors at the NUS Graduate School. He is on the editorial board of Formal Aspects of Computing and Innovations in Systems and Software Engineering. His research interests include formal methods, software engineering, pervasive computing, and semantic technologies.
Xiaohu Yang received his PhD degree in computer science from Zhejiang University of China in 1993. Since 1994, he has been a faculty member in the College of Computer Science, Zhejiang University. He is currently a professor in Zhejiang University. His research interests include software engineering, formal methods and very large information systems.
Xiaohong Li is a professor in School of Computer Science at Tianjin University of China. She received her Computer Science PhD degree from Tianjin University in 2005. Her research interests are software engineering, formal methods and information security. In recent years, she has published more than 40 academic articles. She obtained Tianjin city award of progress of science and technology. She is also a senior member of China Computer Federation (CCF).
