There has been a growing interest in defining models of automata enriched with time. For instance, timed automata were introduced as automata extended with clocks. In this paper, we study models of timed finite state machines (TFSMs), i.e., FSMs enriched with time, which accept timed input words and generate timed output words. Here we discuss some models of TFSMs with a single clock: TFSMs with timed guards, TFSMs with timeouts, and TFSMs with both timed guards and timeouts. We solve the problem of equivalence checking for all three models, and we compare their expressive power, characterizing subclasses of TFSMs with timed guards and of TFSMs with timeouts that are equivalent to each other.
Introduction
Finite automata (FA) and finite state machines (FSMs) are formal models widely used in the practice of engineering and science, e.g., in application domains ranging from sequential circuits, communication protocols, embedded and reactive systems, to biological modelling.
Since the 90s, the standard classes of FA have been enriched with the introduction of time constraints to represent more accurately the behaviour of systems in discrete or continuous time. Timed automata (TA) are such an example: they are finite automata augmented with a number of resettable real-time clocks, whose transitions are triggered by predicates involving clock values [1] .
More recently, timed models of FSMs have been proposed in the literature by the introduction of time constraints such as timed guards or timeouts. Timed guards restrict the input/output transitions to happen within given time intervals. In particular, the timed FSM proposed in [5, 3, 4] features: one clock variable, time constraints to limit the time elapsed at a state, and clock reset when a transition is executed.
The timed FSM proposed in [7, 6] features: one clock variable, time constraints to limit the time elapsed when an output has to be produced after an input has been applied to the FSM, clock reset when an output is produced, timeouts. The meaning of timeouts is the following: if no input is applied at a current state for some timeout period, the timed FSM moves from the current state to another state using a timeout function; e.g., timeouts are common in telecommunication protocols and systems.
TA and TFSMs are also used when deriving tests for discrete event systems. However, methods for deriving complete finite test suites with a guaranteed fault coverage exist only for TFSMs, therefore TFSMs are preferred over TA and other models, when the derivation of complete tests is required.
In this paper, we investigate some models of TFSMs with a single clock: TFSMs with only timed guards, TFSMs with only timeouts, and TFSMs with both timed guards and timeouts. We solve the problem of equivalence checking for all three models, we compare their expressive power, and we characterize subclasses of TFSMs with timed guards and of TFSMs with timeouts that are equivalent to each other. These results are obtained by introducing relations of bisimulation that define untimed finite state machines whose states include information on the clock regions. This is reminiscent of the region graph construction used to prove that in timed automata the verification questions (e.g., expressed by safety properties) have the same answer for all the clock valuations in the same clock region [1] . In our case, we are able to prove a stronger result: the timed behaviours of two timed FSMs are equivalent if and only if the behaviours of the companion untimed FSMs are equivalent. So our models of timed FSMs strike a good balance between expressivity and computational complexity.
Timed FSM Models
Let A be a finite alphabet, and let R + be the set of non-negative reals. A timed symbol is a pair (a,t) where t ∈ R + is called the timestamp of the symbol a ∈ A. A timed word is then defined as a finite sequence (a 1 ,t 1 )(a 2 ,t 2 )(a 3 ,t 3 ) . . . of timed symbols where the sequence of timestamps t 1 t 2 t 3 . . . is increasing. All the timed models considered in this paper are input/output machines that operate by reading a timed input word (i 1 ,t 1 )(i 2 ,t 2 ) . . . (i k ,t k ) defined on some input alphabet I, and producing a corresponding timed output word (o 1 ,t 1 ) (o 2 ,t 2 ) . . . (o k ,t k ) on some output alphabet O. The production of outputs is assumed to be instantaneous: the timestamp of the j-th output o j is the same of the j-th input i j . Models where there is a delay between reading an input and producing the related output are possible but not considered in this paper. Given a timed word
. . a k denotes the word obtained when deleting the timestamps.
A timed possibly non-deterministic and partial FSM (TFSM) is an FSM augmented with a clock. The clock is a real number that measures the time delay at a state, and its value is reset to zero when a transition is executed. In this section we first introduce the TFSM model with timed guards given in [3, 5] and the TFSM model with timeouts given in [7, 9] . Then, we define a TFSM model with both timed guards and timeouts that subsumes the other two. In addition, we study the equivalence problem for each of the three TFSM models.
TFSM with timed guards
A timed guard defines the time interval when a transition can be executed. Intuitively, a TFSM in the present state s and accepting input i at a time t satisfying the timed guard responds with output o and moves to the next state s ′ , while the clock is reset to 0 and restarts advancing in state s ′ .
Definition 1 (TFSM with Timed Guards [3, 5] The timed state of a TFSM is a pair (s, x) such that s ∈ S is a state of M and x ∈ R + is the current value of the clock. Transitions between timed states can be of two types:
• timed transitions of the form (s, x) t − → (s, x + t) where t ∈ R + , representing the fact that a delay of t time units has elapsed without receiving any input;
• input/output transitions of the form (s, x) 
such that s 0 is the initial state of M, and for every j ≥ 0 (s j , 0) Complete and deterministic machines. The usual definitions for FSMs of deterministic and nondeterministic, submachine, etc., can be extended to all timed FSMs models considered here. In particular, a TFSM is complete if for each state s, input i and value of the clock x there exists at least one transition
, otherwise the machine is partial. A TFSM is deterministic if for each state s, input i and value of the clock x there exists at most one input/output transition, otherwise is non-deterministics.
For the sake of simplicity, from now on we consider only complete and deterministic machines, leaving the treatment of partial and non-deterministic TFSM to future work. When a machine M is deterministic and complete, we have that B M (w) is a singleton set for every input word w. Hence, we can redefine the behavior B M as a function B M : (I × R) * → (O × R) * that associates every input word w = (i 1 ,t 1 )(i 2 ,t 2 ) . . . (o k ,t k ) with the unique output word B M (w) produced by M under input w.
Moreover, we can consider the transition relation of the machine as a complete function λ S : S × I × R + → S × O that takes as input the current state s, the delay t and the input symbol i and produces the (unique) next state and output symbol λ S (s,
. With a slight abuse of the notation, we can extend it to a function λ S : S × (I × R + ) * → S × O * that takes as inputs the initial state s and a timed word w, and returns the state reached by the machine after reading w and the generated output word. We will use s
Equivalence checking of TFSM with timed guards. In this section we show how to solve the equivalence problem of TFSM with guards by reducing it to the equivalence problem of untimed FSM. We proceed in three steps: first, we show how to build an "abstract" FSM from a TFSM with guards; then we define an appropriate notion of bisimulation to compare TFSM with guards with untimed FSM; finally, from the properties of the bisimulation relation, we conclude that two TFSM with guards are equivalent if and only if their abstractions are equivalent. Now, let M be a TFSM with guards. We define max(M) as the greatest integer constant (different from ∞) appearing in the guards of λ S . For any natural number N ≥ max(M), we define I N as the set of intervals
The discrete abstraction of a TFSM with guards will take as inputs pairs of the form (i, n, n ′ ) where i is the actual input and n, n ′ ∈ I N an interval representing the time delay. Figure 1 : I N -abstraction of TFSM with timed guards. Figure 1 shows an example of a simple TFSM with timed guards and of the corresponding I Nabstraction (for N = 1). We cannot directly compare the behavior of a timed FSM with the behavior of its untimed abstraction, since the former accepts timed input words on I and the latter accepts untimed input words on I × I N . For this reason, we need to introduce the notion of abstraction of a timed word. 
Definition 3. Given a TFSM with timed guards
M = (S, I, O, λ S , s 0 ) and a natural number N ≥ max(M), we define the abstract FSM A N M = (S, I × I N , O, λ A , s 0 ) as the untimed FSM such that (s, (i, n, n ′ ), o, s ′ ) ∈ λ A if and only if (s, i, t,t ′ , o, s ′ ) ∈ λ S for some guard t,t ′ such that n, n ′ ⊆ t,t ′ .
Definition 4. Given a finite alphabet A, a finite timed word v
= (a 1 ,t 1 ) (a 2 ,t 2 )(a 3 ,t 3 ) . . . (a m ,t m ),
an integer N and the set of intervals I N , we define its I N -abstraction as the finite word
I N (v) = (a 1 , n 1 , n ′ 1 ) (a 2 , n 2 , n ′ 2 )(a 3 , n 3 , n ′ 3 ) . . . (a m , n m , n ′ m ) such that t i − t i−1 ∈ n i , n ′ i for every 1 ≤ i ≤ m. I N -bisimulation
Definition 5. Given a TFSM with timed guards T = (S,
, an integer N ≥ max(T ) and the set of intervals I N , an I N -bisimulation is a relation ∼⊆ S × R that respects the following conditions:
1. for every pair of states s ∈ S and r ∈ R such that s
for every pair of states s ∈ S and r
I N -bisimilar machines have the same behavior, as formally proved by the following lemma.
Lemma 1. Given a TFSM with timed guards T = (S,
I, O, λ S , s 0 ) and an untimed FSM U = (R, I × I N , O, λ R , r 0 ), if there exists an I N -bisimulation ∼ such that s 0 ∼ r 0 then for every timed input word v = (i 1 ,t 1 )(i 2 ,t 2 )(i 3 ,t 3 ) . . . (i m ,t m ) we have that Untime(B T (v)) = B U (I N (v)).
Proof. We prove the lemma by showing that "for every pair of states s ∼ r and timed word
We prove the claim by induction on the length m of the input word v.
. By the definition of TFSM with timed guards, we have that there exists a transition (s, i, t,t ′ , o 1 , s 1 ) ∈ λ S such that t 1 ∈ t,t ′ . Since s ∼ r, by the definition of I N -bisimulation we have that there exists a transition (r, (i,
and the claim is proved. Now, suppose the claim holds for all natural numbers up to m − 1, and let v = (i 1 ,t 1 ) . . . 
Notice that, by the definition of TFSM with timed guards, w and w ′ must have the same timestamps (outputs are produced istantaneuously), and thus they must differ on the produced output symbols. This implies that there exists at least one index 1 ≤ j ≤ m such that o j = o ′ j and hence that Untime(w) = Untime(w ′ 
TFSM with timeouts
Definition 6 (TFSM with Timeouts [7, 9] 
Transitions of TFSM with timeouts can be triggered not only by the reception of an input, but also by timeouts. When the machine enters a state s it resets the clock to 0. If an input i is received before the timeout ∆ S (s) ↓N expires and a transition (s, i, o, s ′ ) ∈ S × I × O × S exists, then the machine produces o, moves to state s ′ while resetting the clock at s ′ to 0. If no input is received before the timeout ∆ S (s) ↓N expires, then the TFSM will move to the state specified by the timeout function ∆ S (s) ↓S and reset the clock to 0. If ∆ S (s) ↓N = ∞, then the machine can stay at state s infinitely long waiting for an input.
A timed state of a TFSM with timeouts is a pair (s, x) ∈ S × R + with the additional constraint that x < ∆ S (s) ↓N (the value of the clock cannot exceed the timeout). Timed and input/output transitions are defined as follows. Figure 2 : Example of ½-abstraction of a TFSM with timeouts.
• The timed transition relation t − → is the smallest relation closed under the following properties: -for every timed state (s, x) and delay t ≥ 0, if
-for every timed state (s, x) and delay t ≥ 0, if
• The input/output transition relation
The definition of timed run, behavior, complete and deterministic machine given in Section 2.1 for TFSM with timed guards can be extended to TFSM with timeouts.
Equivalence checking of TFSM with timeouts. We solve the equivalence problem for TFSM with timeouts using the same approach we used in Section 2.1 for TFSM with timed guards: we reduce the problem to the equivalence of standard FSM by an appropriate notion of "abstract" untimed FSM.
In the case of a TFSM with timeouts M, the constant max(M) is defined as the greatest timeout value of the function ∆ S different from ∞. States of the abstract FSM will be pairs (s, n) where s is a state of M and n is a natural number ranging from 0 to max(M) − 1 abstracting the clock value. Transitions can be either standard input/output transitions labelled with pairs from I × O or "time elapsing" transitions labelled with the special pair (½, ½) representing a one time-unit delay without inputs (see also [9] ).
Definition 7. Given a TFSM with timeouts
• (s, n) To compare timed words with untimed ones, we need to introduce the following notion of abstraction of a timed word. Given a real number t ∈ R, we denote with ⌊t⌋ the integer part of t, and with ½ ⌊t⌋ a (possibly empty) sequence of ⌊t⌋ delay symbols ½. 
½-bisimulation connects timed states (s, x) of a timed FSM with states of an untimed FSM. To understand the previous conditions, notice that ⌊x + t⌋ = ⌊x + 1⌋ implies 1 ≤ t < 2 and that ⌊x⌋ = ⌊x + t⌋ implies 0 ≤ t < 1. Therefore condition 1. refers to a timed transition in T of length 1 ≤ t < 2, which corresponds to the existence of a ½,½-transition in U . Similarly, condition 3. refers in T to a timed transition of length 0 ≤ t < 1 followed by an input-output transition, which corresponds to an inputoutput transition in U . Finally, condition 2. refers to a ½,½-transition in U , which corresponds to timed transitions in T with 1 ≤ t < 2; condition 4. refers to an input-output transition in U , which corresponds in U to timed transitions with 0 ≤ t < 1 followed by an input-output transition. The timed transitions for t ≥ 2 are handled by induction in the following Lemma 3. 
Definition 9. Given a TFSM with timeouts T = (S,
Proof. The proof is by induction on ⌊t⌋. For the basis of the induction, suppose ⌊t⌋ = 1 (1 ≤ t < 2) and let (s, 0) ∼ r. The two properties are a direct consequence of the definition of ½-bisimulation. By condition 1 of Definition 9, we have that for every 1 ≤ t < 2, (s, 0) t − → (s ′ , x ′ ) implies that there exists r ′ such that (s ′ , x ′ ) ∼ r ′ and r ½,½ − − → r ′ . By condition 2 of Definition 9, we have that for every 1 ≤ t < 2,
For the inductive case, suppose that ⌊t⌋ ≥ 2 and that the Lemma holds for ⌊t − 1⌋ ≥ 1. Now, let (s, 0) t − → (s ′ , x ′ ) and consider the timed state (s ′′ , x ′′ ) such that (s, 0) (o 1 ,t 1 ) . By the definition of TFSM with timeouts we have that λ S (s, (i 1 ,t 1 )) = (s 1 , (o 1 ,t 1 ) ) if and only if there exists a timed state (s ′ , x ′ ) such that (s, 0) 0) . To prove the direct implication, suppose λ S (s, v) = (s ′ , w). We distinguish between two cases depending on the value of t 1 .
• If t 1 < 1, by condition 3. of the definition of ½-bisimulation, there exists r 1 ∈ R such that r
Hence, λ R (r, ½(i 1 ,t 1 )) = (r 1 , ½(o 1 ,t 1 ) ).
• If t 1 ≥ 1, by Lemma 3 (i), there exists r ′ such that r
. of the definition of ½-bisimulation, we have that it is possible to find a state r 1 ∈ R such that
, and thus we can conclude that λ R (r, ½(i 1 ,t 1 )) = (r 1 , ½(o 1 ,t 1 )). To prove the converse implication, suppose λ R (r, ½(i 1 ,t 1 )) = (r 1 , o 1 ) = (r 1 , ½(o 1 ,t 1 )). We distinguish between two cases depending on the value of t 1 .
• If t 1 < 1, by condition 4. of the definition of ½-bisimulation (applied with t = 0), there exists (o 1 ,t 1 ) ).
and (s ′ , x ′ ) ∼ r ′ . By condition 4. of the definition of ½-bisimulation (applied with t = 0), we have that there exists a timed state (s 1 , 0) such that (s ′ , x ′ ) 0) . This implies that under input (i 1 ,t 1 ) the TFSM T produces the timed output word (o 1 ,t 1 ), and thus we can conclude that λ S (s, (i 1 ,t 1 )) = (s 1 , (o 1 ,t 1 ) ). 
TFSM with timeouts and timed guards
In this paper we define a new timed FSM model that incorporates both guards and timeouts. Informally, each state of the machine has a timeout (possibly ∞) and all outgoing transitions of the state have timed guards with upper bounds less than the state timeout. As in the other models described above, time is set to zero when executing a transition.
Definition 10 (Timed FSM). A timed FSM S is a finite state machine augmented with timed guards and timeouts. Formally, a timed FSM (TFSM) is a 6-tuple (S, I, O, λ S , s 0 , ∆ S ) Similarly to FSMs with timeouts, if no input is applied at a current state s before the timeout ∆ S (s) ↓N expires, then the TFSM will move to anther state ∆ S (s) ↓S as prescribed by the timeout function. If ∆ S (s) ↓N = ∞, then the TFSM can stay at state s infinitely long waiting for an input. Similarly to FSMs with timed guards, an input/output transition can be triggered only if the value of the clock is inside the guard t min ,t max labeling the transition. Timed transitions are thus defined as for TFSM with timeouts, while input/output transitions are defined as for TFSM with timed guards:
Equivalence checking of TFSM with timeouts and timed guards. We can solve the equivalence problem for TFSM with timeouts and timed guards by combining the techniques used for TFSM with timeouts (Section 2.2) and for TFSM with timed guards (Section 2.1). To incorporate the effect of guards in the abstract untimed FSM, we have to use a finer granularity for the "time elapsing" transitions, which are now labelled with the special pair (Ø, Ø), which intuitively represents a time delay 0 < t * < 1 without inputs. In the case of a TFSM with timeouts and timed guards M, the constant max(M) is defined as the maximum between the greatest timeout value of the function ∆ S (different from ∞) and the greatest integer constant (different from ∞) appearing in the guards of λ S . States of the abstract FSM will be pairs (s, n, n ′ ) where s is a state of M and n, n ′ is either a point-interval [n, n] or an open interval (n, n + 1) from the set I N defined in 2.1 for the abstraction of TFSM with timed guards.
Definition 11. Given a TFSM with timeouts and timed guards
• (s, (n, n + 1))
• (s, (N, ∞)) Figure 3 : Ø-abstraction of TFSM with timeout and timed guards. Figure 3 shows an example of a TFSM with timeouts and its Ø-abstraction. In this case the untimed abstraction accepts untimed input words on I ∪ {Ø}. As for TFSM with timeouts, the delay is implicitly represented by sequences of the special input symbol Ø interleaving the occurrences of the real input symbols from I. In this case the representation of delays is more involved:
• an even number 2n of Ø symbols represents a delay of exactly n time units;
• an odd number 2n + 1 of Ø symbols represents a delay t included in the open interval (n, n + 1).
The notion of abstraction of a timed word captures the above intuition.
Definition 12. Let Ø(t) be a function mapping a delay t ∈ R to a sequence of Ø as follows:
Given a finite alphabet A and a finite timed word v
The definition of Ø-bisimulation is similar to the one of ½-bisimulation. As in Definition 9, conditions 1. and 2. formalize the connection between timed transitions and the special symbol Ø. The finer granularity of the time delays allows us to simplify conditions 3. and 4.: differently from Definition 9, we do not need to consider timed transitions (s, x) t − → (s, x + t) before the actual input/output transition. 
Definition 13. Given a TFSM with timed guards and timeouts T = (S,
T and U are Ø-bisimilar if there exists a Ø-bisimulation ∼⊆ S × R such that (s 0 , 0) ∼ r 0 .
The following lemma proves that Ø-bisimilar machines have the same behavior. Proof. The claim can be proved using the same argument of Lemma 4. See [2] for details. Proof. The relation ∼= {((s, x), (s, n, n ′ )) | x ∈ n, n ′ } is a Ø-bisimulation for M and A M . 
Comparison of TFSM models
In this section we compare the TFSM models considered in this paper with respect to their expressivity. It is easy to see that the class of TFSM with timeouts and timed guards includes both TFSM with timeouts and TFSM with timed guards. We start our comparison by showing that TFSM with timed guards and TFSM with timeouts are incomparable. To this end, consider the two TFSM of Figure 4 : the following lemmas prove that there is no TFSM with timed guards equivalent to the TFSM with timeouts M 1 , and no TFSM with timeouts equivalent to the TFSM with timed guards M 2 . Proof. It is easy to see that M 1 , under input i, produces the output o 1 only at those time instants t such that 2n ≤ t < 2n + 1 for some natural n, while for time instants t ′ such that 2n + 1 ≤ t ′ < 2n + 2 the machine produces the output o 2 . Suppose that there exists a complete TFSM with timed guards
that is equivalent to M 1 . Let t max be the maximum value that appears on the guards of the transitions exiting the initial state s 0 of M ′ 1 that are labelled with i/o 1 . Two cases may arise.
• t max < +∞. In this case, let n be such that t max < 2n + • t max = +∞. In this case, there is a transition exiting s 0 labelled with i/o 1 and with an interval t f , +∞), for some t f < +∞. Let n be such that t f < 2n + 1 + Proof. It is easy to see that M 2 (under input i) produces the output o 1 only at those time instants t such that t ≤ 2, while for time instants strictly greater than 2 the machine produces the output o 2 . Suppose by contradiction that there exists a TFSM with timeouts M ′ 2 = (S, I, O, λ S , s 0 , ∆ S ) that is equivalent to M 2 , and consider the single-letter timed input word w = (i, 2). We have that M 2 accepts w and produces the output o 1 at time 2. Since M ′ 2 is equivalent to M 2 , we have that w must be accepted by M ′ 2 as well. Let (s, x) be a timed state of M ′ 2 such that (s 0 , 0) 2 − → (s, x). Since w is accepted, we have that there must exist a transition (s, i, o 1 , s ′ ) ∈ λ S for some s ′ ∈ S. Now, let w ′ be the timed input word (i, 2 + ε), for some ε < 1 ≤ ∆ S (s) ↓N . By the definition of TFSM with timeouts, we have that (s 0 , 0) 2+ε − − → (s, x + ε); thus w ′ is accepted by M ′ 2 , which produces the output o 1 at time 2 + ε, since the input/output transition (s, i, o 1 , s ′ ) ∈ λ S can be triggered from the timed state (s, x + ε). However, M 2 produces the output o 2 with input w ′ , in contradiction with the hypothesis that M 2 and M ′ 2 are equivalent.
The above examples show that, in general, TFSM with timeouts cannot be transformed into TFSM with timed guards, and that TFSM with timed guards cannot be transformed into TFSM with timeouts. We will now study the restrictions under which this transformation is possible, Consider the TFSM with timeouts M 1 of Figure 4 (a): it shows that that cycles of timeout transitions cannot be captured by a TFSM with timed guards. However, when there are no such cycles, we can use Algorithm 1 to transform a TFSM with timeouts into a TFSM with timed guards.
Proposition 3. Given a TFSM with timeouts M without loops of timeout transitions, Algorithm 1 terminates and builds a TFSM with timed guards that is equivalent to M.
Proof. See [2] . power and ease of analysis. We are currently generalizing these results to non-deterministic timed FSMs, and comparing our models with classical FSMs and special classes of timed automata (e.g., with a single clock). Future work includes deriving tests for a timed FSM with timed guards and timeouts, extending the derivation for a timed FSM with timed guards and for a timed FSM with timeouts, respectively, in [4] and in [9] . Finally, we will define the composition of timed FSMs and investigate the solution of equations over timed FSMs to synthesize unknown timed FSMs [8] .
