This paper presents a method for model checking dense complex real-time systems. This approach is implemented at the meta level of the Rewriting Logic system Maude. The dense complex real-time system is specified using a syntax which has the semantics of timed automata and the property is specified with the temporal logic TLTL (Timed LTL). The well known timed automata model checkers Kronos and Uppaal only support TCTL model checking (a very limited fragment in the case of Uppaal). Specification of the TLTL property is reduced to LTL and its temporal constraints are captured in a new timed automaton. This timed automaton will be composed with the original timed automaton representing the semantics of the complex real-time system under analysis. Then, the product-timed automaton will be abstracted using partition refinement of state space based on strong bi-simulation. The result is an untimed automaton modulo the TLTL property which represents an equivalent finite state system to be model-checked using Maude LTL model checking. This approach is successfully tested on industrial designs.
Introduction
Many formal frameworks that have been proposed to reason about complex real-time systems are based on timed automata [2]. These automata are equipped with clocks, variables used to measure time, ranging over the non-negative real numbers (R⁺). Consequently, the state space is infinite and cannot be explicitly represented by enumerating all states. Among the different description languages for specifying real-time requirements, we are particularly interested in the temporal logic TLTL [16, 28]. Real-time model checking techniques based on partition refinement [30, 33] build a symbolic state space that is as coarse as possible. Starting from some (implicit) initial partition, the partition is iteratively refined until the verification problem can be decided.
In this paper, we have augmented the LTL syntax used by the Maude LTL model checker [17] with operators to specify TLTL properties. Then, we have proposed a reduction technique from TLTL model checking to LTL model checking. This reduction lets us analyze our system using the Maude LTL model checker. Given a complex real-time system specification, a parser written in Maude [12, 13] generates an equivalent timed automaton A. For a TLTL property specification ψ, we construct an equivalent LTL formula ϕ and a new timed automaton capturing its temporal behavior. Then, the captured behavior is composed with the original timed automaton; the result is denoted A⁺. We prove that A satisfies ψ if and only if A⁺ satisfies ϕ.
The labeled transition system modeling the behavior of the constructed timed automaton A + comprises two kinds of transitions, namely timeless actions representing the discrete evolutions of the system, and time lapses corresponding to the passage of time. Due to density of time, there are infinitely many time transitions. A finite model can be obtained by defining an appropriate equivalence relation inducing a finite number of equivalence classes. The main idea behind these relations is that they abstract away from the exact amount of time elapsed. An important problem consists in constructing the quotient of a labeled transition system (representing a timed automaton) with respect to an equivalence relation.
In this paper we have defined an equivalence relation based on strong bi-simulation [24], which is used by our algorithm to generate the quotient graph. Each edge in the timed automaton represents a discrete transition which carries information concerning the source and target states, the enabling condition and the set of clocks to be reset after making this transition. Initially, the timed automaton represents the states of the complex timed system as blocks (zones) of states (also called symbolic states). We call this the initial partition of states. We refine any source block of states that has an outgoing edge whose enabling condition (a constraint formula) is different from true, using the invariant of the block of states and the enabling condition of this transition. The produced sub-blocks represent classes of equivalent states, where each sub-block has a new invariant that either satisfies or does not satisfy the enabling condition. The refinement process terminates when there is no block of states left to refine.
Related work
While LTL model checking is PSPACE-complete, TLTL model checking is undecidable [5]. To our knowledge, no tool for TLTL model checking exists so far. However, there are different techniques [6, 22] using TLTL for the diagnosis of reactive systems and for runtime verification. The problem is less severe in the case of branching-time timed logics, where TCTL model checking is PSPACE-complete [4, 1] (whereas CTL model checking is possible in polynomial time). In contrast to TLTL model checking, there are industrial tools for TCTL model checking (KRONOS and UPPAAL) that are used successfully.
In our previous work [10], an approach is proposed to reduce TCTL model checking to CTL model checking. This approach is implemented and tested using the SMV tool. Another similar work can be found in [8], where the model checking is based on the on-the-fly exploration of a simulation graph. The simulation graph is the reachable graph generated from the region graph [1] and from an initial region. A region is a set of states with the same location and a convex set of clock valuations. This forward-reachability approach is used in tools such as KRONOS [15] and UPPAAL [23]. Because the nodes in the simulation graph are region sets and only discrete transitions are explicit, while time passes implicitly inside the nodes, the simulation graph is much smaller than the region graph. The simulation graph is used to solve the model checking problem for a proposed automata-based branching-time temporal logic (TECTL*∃). The on-the-fly model checking procedure consists in solving the emptiness problem, that is, in checking whether an automaton (the product of the system automaton and the property automaton) has an infinite execution sequence that satisfies a given acceptance condition. In our work, the property automaton capturing the temporal constraints is automatically generated from the TLTL specification. Our quotient graph is produced directly from the initial automaton of the timed system specification, which resembles the simulation graph, without going through the region graph. On the other hand, as has been shown in [8], the simulation graph preserves only linear-time properties and it is used in practice mainly for reachability properties. Moreover, symbolic states in the simulation graph are not necessarily disjoint, so that this graph can be much larger than the quotient graph. The quotient graph is coarser than the initial automaton but finer, and therefore bigger, than the initial graph.
Another algorithm that also combines the on-the-fly and the symbolic approaches has been proposed in [29]. In that work, a symbolic graph is dynamically constructed by the verification procedure, according to the formula (specified in an extended temporal logic of the μ-calculus) to be checked. A similar reduction for a derivative of dense-time TCTL (TCTL with freeze quantifiers [3]) is given in [18]. This approach augments the region graph used in [1] with a new atomic proposition and new transitions to handle the reset quantifier. Another related work can be found in [11], where verification is performed by translating TCTL (interpreted over discrete time) into CTL by adding an additional specification clock to the model. So, to model-check the augmented model, the CTL logic is extended, and thus the model checker, too.
The closest work to ours for time abstraction based on equivalence can be found in [32], where the algorithm in [7] for minimal-model generation (an enhancement of the algorithm of Paige and Tarjan [27] that avoids refining unreachable classes) is adapted to the infinite state space of a timed automaton. This new algorithm, which generates a finite region graph using partitioning, uses decision procedures for computing intersection, set difference and predecessors of classes, and for testing whether a class is empty. Also, the TCTL specification is reduced to CTL logic extended with new atomic propositions to deal with the specification constraints. Then, a TCTL model checker has been developed based on the techniques of the classic CTL model checker. The generated region graph has size exponential in the number of clocks and in the highest constant used in the definition of timing constraints. The other closest work is in [21], where the authors propose an approach to produce a compact reachability graph from a timed automaton. In this work, a state is defined as a history: the execution up to the state. It is defined as a pair (location, timed history) instead of (location, clock valuation). A timed history is a set of pairs (transition, time) up to the location of the state. An execution is defined as the transitions between the states (defined as histories). To generate an infinite state space, the algorithm uses the notion of history equivalence (states with the same untimed histories are merged into an equivalence class). To generate a finite state space, a transition bisimulation technique (the states that have the same future behaviors are further collapsed) is used to produce equivalence classes. The resultant state space is finite and can be used to analyze real-time properties.
The authors have implemented this approach and analyzed applications where the real-time properties to be verified are expressed as timed automata to be composed with the system timed automata. Other techniques are based on abstraction of the constraints specified in the system and in the property, using the framework of predicate abstraction as abstract interpretation [9, 25].
The rest of the paper is organized as follows. Section 2 presents a background about Rewriting Logic and the Maude LTL Model-Checker. In Section 3, we present the semantics based on Rewriting Logic for the specification of complex real-time systems and their semantics based on the formalism of timed automata. Our approach for the transformation of TLTL specifications to LTL specifications is presented in Section 4. In Section 5, we present our method for generating finite bi-similar graphs of the complex timed systems. In Section 6, we explain how to use these graphs for Maude LTL model checking and how the results can be projected back to the original complex timed systems. Complexity and implementation results of our approach are presented in Section 7. At the end, a conclusion is given.
Rewriting Logic and Maude LTL Model-Checker
In Rewriting Logic, there is a universal theory U such that any rewrite theory R and a term t can be presented as meta-level terms R and t in U respectively. Furthermore, we have
if t is the n-th result obtained by applying the rewriting rule labeled l to t. By the universal theory U, we can manipulate meta-level terms at object level. The feature of representing meta-level objects at object level is called reflection. We have used this feature in the implementation of our approach. The Maude system has meta-level operators for moving between reflection levels, such as upModule, upTerm, downTerm, and others. Other operators act on meta-level terms, for instance for parsing (metaParse) and pretty-printing (metaPrettyPrint) terms.
Since no domain-specific model of concurrency is built into the logic, the range of applications that can be naturally specified is indeed very wide. Another advantage of Maude as the system specification language is that integration of model checking with theorem proving techniques becomes quite seamless. The same rewrite theory R = (Σ, E, R) can be the input to the LTL model checker and to several other proving tools in the Maude environment [17].
Thus, a Maude module is a rewrite theory R = (Σ, E, R). Fixing a distinguished sort State, the initial model T R of the rewrite theory R = (Σ, E, R) has an underlying Kripke structure K(R, State) given by the total binary relation extending its one-step sequential rewrites. In the framework, the Kripke structure is specified as a rewrite theory K. The states are equivalence classes of terms defined in K. The transitions of the Kripke structure correspond to rewriting rules in K. Since the Kripke structure is specified as a rewrite theory and system configurations as equivalence classes of terms, the universal theory U can be used to explore successors of the current system configuration.
To the initial algebra of states T_{Σ/E} we can likewise associate equationally-defined computable state predicates as atomic predicates for such a Kripke structure. In this way we obtain a language of LTL properties of the rewrite theory R. For a system module M, this involves:
• defining a new module, say CHECK-M, that includes the modules M and the predefined module MODEL-CHECKER as submodules;
• giving a subsort declaration, where State is one of the key sorts in the module MODEL-CHECKER;
• defining the syntax of the state predicates we wish to use by means of constants and operators of sort Prop, a subsort of the sort Formula (i.e., LTL formulas) in the module MODEL-CHECKER; we can define parameterless state predicates as constants of sort Prop, and parameterized state predicates by operators from the sorts of their parameters to the sort Prop;
• defining the semantics of the state predicates by means of equations.
Once the semantics of each of the state predicates has been defined, we are ready, given an initial state init, to model check any LTL formula, say form, involving such predicates. We do so by evaluating in Maude the expression init |= form. Two things can then happen: if the property form holds, we get the result true; if it does not, we get a counterexample expressed as a finite path followed by a cycle.
Complex Real-time Systems Specification
A complex real-time system can be the composition of many timed sub-systems called processes. The semantics of each process will be represented by a timed automaton. The processes can communicate by sending and receiving messages via channels. This mechanism of communication will be used as synchronization between the different processes to compute their composition. The following is the overall system specification semantics.
op system_:'prop_;'chan_;_|=_. : Token NeTokenList NeTokenList GProcesses Bubble -> GTProblem .
The first argument is the system identifier. The second argument is a list of atomic propositions. The third argument is a list of channel identifiers. The fourth argument represents the semantics of the system processes. The last argument is for the semantics of the TLTL formula. A transition is between two states (source and target, first and second argument, respectively). The transition is conditioned by a temporal constraint. As actions, a transition can reset clocks and it can send and receive messages via the specified channels. This mechanism of sending and receiving messages is used for synchronization.
op _->_:_{_}{_} : Token Token NeTokenList NeTokenList NeTokenList -> GTTransition .
A temporal constraint has the following semantics. The following is an example with two atomic propositions, p and r, and one communication channel, C. This complex real-time system is composed of one process with three states, a, b and c, and three transitions. The real-time specification is followed by the specification of a TLTL property, which can be omitted and given separately to allow the specification of different TLTL properties.
system Example : prop p r ; chan C ; process P : clocks x state a :
The semantics of a complex real-time system is represented by timed automata [2], which extend the automata formalism by adding clocks. These semantics are defined by the following two main operators. The first, partial, operator (getSystem) is called when the parsing of a complete specification has succeeded (the result of the parsing is a Term), to generate the needed semantics such as the system identifier, the atomic propositions and the channel identifiers. This operator calls the second (solveProcesses) to construct the timed automaton for the whole complex real-time system by composition of the timed automata of the processes. A timed automaton A is a tuple
, where:
• Q is a finite set of locations. We denote by q 0 ∈ Q the initial location.
• X is a finite set of clocks. A valuation v is a function that assigns a non negative real-
• Σ is a finite set of labels (message channels).
• E is a finite set of edges. Each edge e ∈ E is a tuple q, θ, X, σ, q where
– q, q ∈ Q are the source and the target locations respectively,
– θ ∈ Θ is an associated clock constraint which governs the triggering of the transition. It is called its enabling condition or its guard. We denote the set of constraints over X by Θ. A constraint is defined as a conjunction of atoms of the form x ∼ c, where x ∈ X, ∼ ∈ {=, >, ≥, <, ≤} and c is a natural constant,
– X ⊆ X is the set of clocks to be reset after making this transition,
– σ is a subset of synchronization events from the set Σ. A synchronization event is the combination of a channel name preceded by the symbol ! to indicate a send event, or ? for a receive event.
• L 1 : Q → 2 AP is a function that associates to each location a set of atomic propositions from the set AP.
• L 2 : E → 2 Σ is a function that associates to each edge a set of synchronization events from the set Σ. We have two kinds of synchronization events (send events and receive events).
• I is a function that associates a condition I(q) ∈ Θ to every location q ∈ Q called the invariant of q. Figure 1 shows an example of a timed automaton representing the semantics of the example above. AP = {p, r} and
The initial state is the pair q 0 , v 0 such that v 0 (x) = 0 for all x ∈ X . Let S denote the set of states of A. We will refer to L 1 (s) by L 1 (q), for all s ∈ S, where s = q, v . The set S can be partitioned to zones (symbolic states). A zone z = (q, V z ) is a set of states from S which are associated with the same discrete state q ∈ Q and a convex set of
The state of a timed system can be changed through an edge that changes the location and resets some of the clocks (discrete transition), or by letting time pass without changing the location (time transition).
Let e = q, θ, X, σ, q ∈ E be an edge. The state q, v has a discrete transition to q , v , 
For timed automata, we label each discrete transition with a label (or an action) a. The label is composed of a temporal constraint, under which the transition executes when it holds, and an action of resetting clocks. The time transitions have a particular label named τ denoting time elapse, which is considered as an internal or hidden action. Let A be the set of actions and
A run r of M is an infinite sequence of states and transitions. We denote by R the set of runs of M. A run is divergent if $\sum_{i=0}^{\infty} \delta_i$ (the sum of all delays δ_i on this run) diverges. We denote by R^∞ the set of divergent runs of M. In the following, we consider timed automata with only divergent runs (if the automaton has non-divergent runs, also called Zeno runs, it is possible to restrict the behavior to divergent runs [19]).
A complex real-time system is composed of many processes using the operator Compose. Their different timed automata will be composed to construct the timed automaton of the overall complex real-time system. The parallel composition of two timed automata ( ) is defined as follows.
, L 2 is defined during the composition of edges. The set E of edges is obtained as follows.
receive(σ) and send(σ) are used to extract channel names used by receive and send events, respectively. channel(σ) returns the name of the communication channel used by the event
A transition waiting to receive messages from transitions in other processes via the defined transmission channels is composed only with those transitions delivering these messages.
The first case of (1) indicates that the receive events of both transitions are sent mutually by these two transitions. The second case of (1) indicates that the receive events of the first transition are all sent by the second transition, but the receive events of the second are empty or not all sent by the first transition. The third case of (1) is the symmetric of the second. Cases (2) and (3) are for automata not sharing communication channels. The composition of two automata without synchronization events equals their Cartesian product. This composition of the timed automata representing the different processes of a system terminates by producing one timed automaton without synchronization events. The produced system timed automaton is then composed with the property timed automaton generated from the TLTL specification.
Transformation of TLTL Specifications
Many important properties of complex timed systems find a natural expression in the real-time temporal logic TLTL, which extends the linear-time logic LTL [16, 3, 28]. This extension either augments temporal operators with time bounds, or uses reset quantifiers. We use a version of TLTL with time bounds.
The Maude LTL model checker [17] provides the common LTL operators U, W, R, [], <> and O (until, weak until, releases, always, eventually, and next), in addition to the well-known set of Boolean operators: ¬, ∧, ∨, ⇒ and ⇔. The formulas ϕ of the linear temporal logic LTL are defined inductively by the grammar:
where p ∈ AP is an atomic proposition. The LTL semantics over a labeled transition system is defined using the satisfaction relation, denoted by s |= ϕ, by induction on the syntax of ϕ:
The added TLTL (Timed LTL) operators are the following. O∼c ϕ states that the next occurrence of ϕ is within the time bound ∼ c. ϕ U∼c ψ states that ϕ is true until the next occurrence of ψ, and that this occurrence of ψ is within the time bound ∼ c. []∼c ϕ states that ϕ must always be true within the time bound ∼ c. <>∼c ϕ states that ϕ must be true at some point within the time bound ∼ c. Here ∼ ∈ {=, >, ≥, <, ≤} and c ∈ N (N is the set of natural numbers).
The formulas ψ of the timed linear temporal logic TLTL are defined inductively by the grammar:
where ϕ is an LTL formula. The formulas of TLTL are interpreted over the set of states of a timed automaton represented by a transition system M. Let q, v ∈ S be a state reachable in M and let ψ be a TLTL formula. The satisfaction relation, denoted by q, v |= M ψ, is defined inductively on the syntax of ψ:
• q, v |= M ϕ: its semantics is defined using the semantics of the logic LTL.
We augmented the LTL syntax used by Maude LTL model-checker by the following operators to specify TLTL properties.
op O'{=_}_ : Time Formula -> Formula .
op O'{>_}_ : Time Formula -> Formula .
op O'{>=_}_ : Time Formula -> Formula .
op O'{<_}_ : Time Formula -> Formula .
op O'{<=_}_ : Time Formula -> Formula .
op _U'{=_}_ : Formula Time Formula -> Formula .
op _U'{>_}_ : Formula Time Formula -> Formula .
op _U'{>=_}_ : Formula Time Formula -> Formula .
op _U'{<_}_ : Formula Time Formula -> Formula .
op _U'{<=_}_ : Formula Time Formula -> Formula .
op <>'{=_}_ : Time Formula -> Formula .
op <>'{>_}_ : Time Formula -> Formula .
op <>'{>=_}_ : Time Formula -> Formula .
op <>'{<_}_ : Time Formula -> Formula .
op <>'{<=_}_ : Time Formula -> Formula .
op []'{=_}_ : Time Formula -> Formula .
op []'{>_}_ : Time Formula -> Formula .
op []'{>=_}_ : Time Formula -> Formula .
op []'{<_}_ : Time Formula -> Formula .
op []'{<=_}_ : Time Formula -> Formula .
Our objective is to transform a TLTL formula ψ into an LTL formula ϕ. Any TLTL formula ψ introduces a new set of specification clocks X ψ . This set of specification clocks does not control the behavior of any system under consideration. The transformation process reduces the TLTL formula ψ recursively by decomposing ψ. At the end, it generates an equivalent LTL formula ϕ and a timed automaton A ψ capturing the timed behavior specified in the TLTL formula ψ. If the formula does not contain temporal constraints (it is already an LTL formula), the transformation process returns this formula and an empty timed automaton.
On the other hand, if the TLTL formula contains temporal constraints, these can be of one of the forms presented below. The constructed timed automaton A ψ is almost the same for all the forms: it has a set of one clock variable X ψ = {z}, two discrete states Q ψ = {q } with invariants z ≤ c and true respectively (these two discrete states are labeled according to the formula), and one edge
This timed automaton will be composed (using the operator TCompose of linear composition) with the product of the two timed automata A ψ and A ψ constructed by the recursive call to the functions Transform(ψ , Pr) and Transform(ψ , Pr) respectively. The second argument is used to label one of the two discrete states (Q ψ = {q
The following is an example of the transformation of formulas of the form ϕU ≥c ψ and ϕU ≤c ψ respectively. The transformations for the other TLTL operators are coded in almost the same manner. The formulas using the timed operators O and are converted to equivalent formulas before transformation as follows.
Figure 2. Generated timed automaton A with LTL formula ϕ for ψ = ≥2 r.
The following is the result of the Maude command.
reduce in VRTS : Transform(<>{>= 2}Prop ('r), "Z") . rewrites: 13 in -157072442571ms cpu (0ms real) (~rewrites/second) result AutomatonFormula: {"U" :{"z"}; {"q1"}; {("q1" : "z" <= 2{empty}),"q2" : True{"Z"}};{"q1" -> "q2" : "z" = /\ Prop('a)), "Z") . rewrites: 79 in -3902117295ms cpu (0ms real) (~rewrites/second) result AutomatonFormula: {"UU" :{"z"}; {"q1q1"}; {("q1q1" : "z" <= 2{"Z","Z2111"}), ("q1q2" : "z" <= 2{"Z"}),("q2q1" : "z" <= 3{"Z2111"}),"q2q2" : True{empty}}; {"q1q1" -> "q2q1" : "z" = 2{empty}{empty}, "q2q1" -> "q2q2" : "z" = 3{empty}{empty}} ;
The constructed timed automaton A ψ is composed with the original timed automaton A (A A ψ ). The operator Transform uses the operator TCompose to realize a linear composition (denoted by ⊕) of two timed automata. It is defined to compose the constructed timed automata A ψ and A ψ , where ψ and ψ are sub-formulas of ψ, to get only one timed automaton A ψ with one clock variable z. Its difference from the operator is in the construction of the set of edges E, which is obtained as follows. Let e i ∈ E i be of the form
We replace e 2 in E 2 by q 2 , z 2 = c 2 − c 1 , ∅, ∅, q 2 and we remove e 1 from E 1 . Else, if c 2 < c 1 , we add e = (q 1 ,
This process will continue until E i = ∅, for i = 1, 2 or one of the following two cases is satisfied. In the case where E 1 = ∅ and E 2 = { q 2 , z 2 = c 2 , ∅, ∅, q 2 }, we assume that q 1 ∈ Q 1 is the discrete state without outgoing edge. Then, we add the edge e = (q 1 ,
In the other case where
we assume that q 2 ∈ Q 2 is the discrete state without outgoing edge. Then, we add the edge e = (q 1 , q 2 ), z = c 1 , ∅, ∅, (q 1 , q 2 ) to E, where I( q 1 , q 2 ) = z ≤ c 1 . At the end, if there are discrete states in the produced timed automaton without ingoing and outgoing edges, they are removed from the set of discrete states Q.
Figure 3. Generated timed automaton A with LTL formula ϕ for ψ = ≤2 (a ∧ ≤1 b). Formula shown in the figure: Prop('Z) U ((Prop('Z2111) U Prop('b)) ∧ Prop('a))
Theorem 1. Let M be the transition system of the timed automaton A modeling a real-time system. If the function
= q 0 , v 0 , q 1 , v 1 , · · · , q i , v i , · · · ∈ R ∞ with q 0 , v 0 = q, v , where i ≥ 0 such that $\sum_{k=0}^{i} \delta_k \geq c$
If the timed automaton
A ψ = A ψ ⊕ {Q = {q ψ 0 , q ψ 1 }, X = {z}, Σ = ∅, e ψ = (q ψ 0 , z = c, ∅, ∅, q ψ 1 ), L 1 = {L 1 (q ψ 0 ) = True, L 1 (q ψ 1 ) = "Z"}, L 2 = ∅, I = {I(q ψ 0 ) = z ≤ c, I(q ψ 1 ) = True}} ⊕ A, v i |= M ψ ⇔ (q i , q ψ ), v i |= M + ψ ϕ (M + ψ is the model of A A ψ ) and q j , v j |= M ψ ∧ ¬ψ ⇔ (q j , q ψ ), v j |= M + ψ ϕ ∧ ¬ϕ (M + ψ is the model of A A ψ ). It is clear from the parallel composition that (q i , q ψ , q ψ ), v i |= M + ψ ψ ϕ and (q j , q ψ , q ψ ), v j |= M + ψ ψ ϕ , where M + ψ ψ is the model of A (A ψ ⊕ A ψ ) (⊕
is the operator TCompose as defined before).

If M + is the model of A A ψ , then it is clear that v i (z) ≥ c and, using the property of parallel composition, we have (q i , q ψ , q ψ , q ψ 1 ), v i |= M + ϕ ∧ "Z" (L 1 (q ψ 1 ) = "Z") and for all 0 ≤ j < i we have (q j , q ψ , q ψ , q ψ 0 ), v j |= M + ϕ ∧ ¬ϕ . By the semantics of TLTL, we have q, v |= M + ϕ ∧ ¬ϕ Uϕ ∧ "Z".
Generating Bi-similar Finite System
The model of a timed automaton is an infinite-state transition system, due to dense time, so model checking cannot be performed on it directly.
In this section we present our method that generates a strongly bi-similar finite system based on a defined equivalence where exact delays are abstracted away while information on the discrete changes of the system is retained.
Strong Bi-simulation
For a labeled transition system M = (S, A τ , T , s 0 , L), a partition ℘ (or equivalence relation on S) of the elements of S is a set of disjoint blocks 
The set of bi-simulations on S, ordered by inclusion, has a minimal element, the identity relation, denoted by ℘ 0 , and a maximal element, denoted by ℘ max , which is an equivalence relation on (or a partition of) S. We are interested in the maximal element, which induces the smallest number of equivalence classes in terms of relation inclusion. ℘ max (which is unique) may be obtained as the limit of a decreasing sequence of relations ℘ i .
Most algorithms used to solve the bi-simulation problem are based on some form of partition refinement, i.e. they perform successive iterations in which blocks of the current partition are split into smaller blocks, until no block can be split any more. While splitting a block, states that cannot be distinguished are kept in the same block. Two states can be distinguished if one of the states allows a transition with a certain label to a state in a certain block and the other state does not have a transition with the same label to a state in the same block. This means that in our case of timed automata the time associated to a state doesn't satisfy the temporal constraint labeling the transition.
Let ℘ be a partition of S. ℘ is compatible with T (it is also called stable) if and only if the following property P holds:
Correctness of a partition refinement algorithm follows from two facts. First, a stable partition is a bi-simulation relation (states are equivalent if they are in the same block). Second, each partition computed by refinement of the previous one respects the property P.
Definition 2. Let M = (S,
• S/℘ is the set of equivalence classes noted
• C 0 = [s 0 ] is the equivalence class of s 0 .
M/℘ max is the normal form of M with respect to ℘ max . We present below the implementation with Maude of our partition-refinement algorithm based on strong bi-simulation. We start from an initial partition of the state space in zones. Each time a zone Z is to be refined, it is split with respect to all its discrete successors by some edge e. We can prove that if all successors are zones, then the result of the split is also a set of zones, that is, convexity is preserved by the split operation.
Partition-refinement Algorithm
A product timed automaton can contain spurious behaviors. This means that there are paths in the product timed automaton that will never be executed. These spurious behaviors are due to the parallel composition, which does not predict them. Thus, it is necessary to get rid of them before the (time abstraction) partition refinement. Otherwise, these spurious behaviors would be part of the overall system behavior and would yield false negative counterexamples. There are techniques to remove spurious behaviors; we have used simulation of the product timed automaton. The transitions not fired during simulation are removed from the timed automaton. The result of the simulation is a timed graph G = Q, X , E, L, I , where E is the set of edges without event labels, and L is defined exactly as L 1 . Let e = q, θ, X, q ∈ E be an edge whose guard θ is different from true. We will refine the block of source states (q, v) of e, represented as a convex zone Z = (q, V Z ).
The objective of refinement is to abstract away the quantitative aspect of time needed to evaluate the constraint θ. So, this block of states (zone) is refined into sub-zones. The invariant of one of these sub-zones satisfies the constraint θ, while the invariants of the other sub-zones do not. This refinement process continues until there are no blocks left to refine.
The operators over temporal constraints used in the partition-refinement algorithm are defined as follows.
1. Var(θ) is the set of clock variables in the formula θ.
2. With(θ, x) is the constraint θ reduced to a constraint defined only on the clock variable x (e.g.
3. Without(θ, x) is the constraint θ reduced to a constraint defined without the clock variable x (e.g.
, it is not convex).
6. floor(θ): if θ is convex, this operator returns θ itself; otherwise it returns the constraint representing the lower convex valuations. The constraint θ is defined on one clock variable (e.g. floor(
7. ceil(θ): if θ is convex, this operator returns ∅; otherwise it returns the constraint representing the upper convex valuations. The constraint θ is defined on one clock variable.
Our Maude operator split splits a zone that is the source of an edge e = ⟨q, θ, X, q′⟩, taken arbitrarily from the set E of the current partition, where θ ≠ true. The refinement (splitting) is based on a clock variable x, also taken arbitrarily from the set of clock variables in the constraint θ. The zone is split into at most three sub-zones. These sub-zones have the same location q but different invariants, and the union of their invariants equals I(q). Because their invariants differ, and for simplicity of the algorithm, we denote their location q differently to distinguish them. This has no effect on the algorithm results.
The first sub-zone (with discrete state q_x) has the invariant I(q_x) = With(θ, x) ∧ Without(I(q), x) and an outgoing edge ⟨q_x, Without(θ, x), ∅, q′⟩.
If floor(With(I(q), x) \ With(θ, x)) ≠ ∅, we have a second sub-zone with a discrete state q_l and an invariant I(q_l) = floor(With(I(q), x) \ With(θ, x)) ∧ Without(I(q), x). This sub-zone has an outgoing edge ⟨q_l, true, ∅, q_x⟩.
If ceil(With(I(q), x) \ With(θ, x)) ≠ ∅, we have a third sub-zone with a discrete state q_u and an invariant I(q_u) = ceil(With(I(q), x) \ With(θ, x)) ∧ Without(I(q), x). This sub-zone has an ingoing edge ⟨q_x, true, ∅, q_u⟩. The three new sub-zones are marked by the same set of atomic propositions L(q).
At the end of this iteration, the edge e and the zone Z are removed and replaced by the new edges and the new sub-zones. The other edges leaving and entering the zone Z are updated according to the new partition.
The non-zenoness of the timed automaton and the convexity of its constraints guarantee that the produced partition has zones preserving the convexity and the non-zenoness. Moreover, the algorithm terminates.
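The split step and the constraint operators it uses, as an added example in Python (not the paper's Maude implementation), for constraints that are conjunctions of one interval per clock. The operator names With, Without, floor, ceil and split follow the text; the interval encoding, the sub-zone naming q_x, q_l, q_u and the assumption that the guard's interval overlaps the invariant's are mine.

```python
from math import inf

# Constraint: clock -> (lo, lo_strict, hi, hi_strict), read lo <(=) x <(=) hi.
# An absent clock is unconstrained, so {} is the constraint true (assumed encoding).
TRUE = {}

def With(theta, x):            # theta restricted to clock x
    return {x: theta[x]} if x in theta else TRUE

def Without(theta, x):         # theta with clock x dropped
    return {c: b for c, b in theta.items() if c != x}

def conj(a, b):                # a and b constrain disjoint clock sets here
    return {**a, **b}

def minus(a, b):
    """Interval difference a \\ b on one clock, as (lower part, upper part).
    Assumption: b overlaps a (an enabled guard meets the invariant)."""
    alo, als, ahi, ahs = a
    blo, bls, bhi, bhs = b
    lower = upper = None
    if blo > alo or (blo == alo and bls and not als):
        lower = (alo, als, blo, not bls)      # values of a below b
    if bhi < ahi or (bhi == ahi and bhs and not ahs):
        upper = (bhi, not bhs, ahi, ahs)      # values of a above b
    return lower, upper

def floor(d):   # convex difference: d itself; otherwise its lower part
    lower, upper = d
    return lower if lower is not None else upper

def ceil(d):    # convex difference: empty; otherwise its upper part
    lower, upper = d
    return upper if lower is not None else None

def split(q, inv, theta, x, q_next):
    """Refine zone (q, inv) w.r.t. edge <q, theta, X, q_next> on clock x.
    Returns the sub-zones {name: invariant} and edges (src, guard, reset, dst)."""
    d = minus(inv.get(x, (0, False, inf, True)), theta[x])
    zones = {f"{q}_x": conj(With(theta, x), Without(inv, x))}
    edges = [(f"{q}_x", Without(theta, x), set(), q_next)]
    if floor(d) is not None:                  # second sub-zone, edge q_l -> q_x
        zones[f"{q}_l"] = conj({x: floor(d)}, Without(inv, x))
        edges.append((f"{q}_l", TRUE, set(), f"{q}_x"))
    if ceil(d) is not None:                   # third sub-zone, edge q_x -> q_u
        zones[f"{q}_u"] = conj({x: ceil(d)}, Without(inv, x))
        edges.append((f"{q}_x", TRUE, set(), f"{q}_u"))
    return zones, edges
```

With I(q) = 0 ≤ x ≤ 10 ∧ 0 ≤ y ≤ 5 and guard θ = 2 < x ≤ 5 ∧ y ≤ 3, splitting on x yields the three sub-zones q_x, q_l, q_u; with a guard touching the lower bound of I(q) the difference is convex and only q_x and q_l appear.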
Quotient Graph
The partition-refinement algorithm generates the coarsest stable partition ℘_max. Each block in this partition is characterized by an invariant and a unique discrete state. These blocks are reachable and their invariants are convex. The edges of this partition are of the form ⟨q, true, ∅, q′⟩. This partition can easily be represented by a graph, which we call the quotient graph G_℘max. The set C of nodes of G_℘max is the set of partition blocks; the node corresponding to block B_i is denoted C_i. The edges of G_℘max are the edges of the partition ℘_max between the different blocks, plus self-loop edges of the form ⟨q, true, ∅, q⟩ whenever the invariant I(q) is bounded only from below or the state has no outgoing edge. The strong bisimulation quotient graph G_℘max generated by the partition-refinement algorithm has, by construction, the following properties:
such that s_1 →δ s_2 for some δ ∈ R+, and if C_1 →e C_2 for some edge e, then ∀ s_1 ∈ C_1 there exists s_2 ∈ C_2 such that s_1 →e s_2.
It is easy to conclude that every run r is inscribed in a unique path ρ in G_℘max. And inversely, if
Maude LTL Model Checking
In this section we show that the strong bisimulation ℘_max preserves LTL properties. Timed automaton model checking can thus be reduced to model checking a finite graph, the strong bi-simulation quotient graph G_℘max generated by the partition-refinement algorithm.
Consider a labeled transition system M = (S, A_τ, T, s_0, L) modeling a strongly non-zeno timed automaton A and an LTL formula ϕ. We want to check whether M satisfies ϕ. Let ℘_max be a strong bi-simulation on M. From Property 3 of G_℘max, we can conclude that for any LTL formula ϕ and any pair of states (s, s′) ∈ ℘_max, s ⊨_M ϕ if and only if s′ ⊨_M ϕ.
A formula is said to hold in a node C of G_℘max if it is satisfied in some state of C (which implies that it is satisfied in every state of C). Now, the problem of verifying whether a state s ∈ S satisfies the LTL formula ϕ (s ⊨_M ϕ) is reduced to checking whether the node C ∈ C containing the state s satisfies ϕ (C ⊨ ϕ). The following lemma gives the correctness of the model checking.
The property is not satisfied ... This is a counter example:
Mapping back to the concrete timed automaton, the discrete state of each of the nodes (classes) aq1zlxl, a-q1zlx, a-q1zlxu, a-q1zxux, a-q2xl, and a-q2x is a. Thus, the concrete trace
Complexity and Implementation Results
We denote the size of a timed automaton
by the pair (|Q|, |E|), where |Q| is the number of discrete states and |E| is the number of edges. For a TLTL formula ψ with n temporal constraints, the algorithm Transform generates a timed automaton A_ψ with one clock variable, |Q_ψ| ≤ n + 1 and
The size of the quotient graph G_℘max is defined by the pair (number of nodes, number of edges), which are at most
The partition-refinement algorithm generates the quotient graph in a time
To gain confidence in the correctness of the implementation, our first experiments concentrated on existing case studies taken from the real-time model checking literature. The first case study is the analysis of the CSMA/CD (Carrier Sense, Multiple Access with Collision Detection) protocol, which works as follows [31, 20]. When a station has data to send, it first listens to the channel. If the channel is idle (i.e., no other station is transmitting), the station begins sending its message. If it detects a busy channel, it waits a random amount of time and then repeats the operation. When a collision occurs because several stations transmit simultaneously, all of them detect it, abort their transmissions immediately and wait a random time before starting all over again. If two messages collide, both are lost.
The propagation delay of the channel plays an important role in the performance of the CSMA/CD protocol. It is possible that just after a station begins sending, another one becomes ready to send. If it senses the channel before the signal of the former arrives, it will find the channel idle and will start sending too. Hence, a collision will happen. Let σ be the time for a signal to propagate between the two farthest stations. Suppose that at time t_0 a station S_0 begins sending a message. Thus, within the time interval [t_0, t_0 + σ), it is still possible that some station S_i transmits if it has data, causing a collision. However, after time t_0 + σ, the channel will be sensed busy by all the stations until the current message is delivered. Hence, the maximum time the channel could be sensed idle by any station after the beginning of a transmission is σ.
Based on the fact above, we might think that a station that does not hear a collision for a time equal to σ could be sure that no other station would interfere. However, this conclusion is wrong. Due to the propagation delay, the noise burst caused by the collision could take a time σ to arrive. In fact, in the worst case it would take 2 × σ for a station to detect a collision.
In case of collision, each station waits a random time between 0 and 2 × σ before trying again. In general, after i collisions, a station waits a random time between 0 and 2^i × σ. Moreover, after too many retrials (e.g., 16 as in the 802.3 standard [20]) a failure signal could be reported to the higher layers.
Assume that only messages of equal length are sent and let λ be the time to send a message. Then if no collision occurs, a message will be completely delivered in a time equal to λ + σ. For instance, for a 10Mbps Ethernet with a typical worst case round trip propagation delay of 51.2us, we set 2 × σ to be 51.2us and for standard frames of 1024bytes, λ is approximately 782us.
The system consists of n stations S_1, ..., S_n and the medium M. The behavior of the medium is as follows. Initially, it is ready and can accept a message from any station. Suppose that one station begins transmitting (TRANSMIT). There is a time interval of length σ within which the medium can accept data from another station, causing a collision (CD). This is modeled with a watchdog which is canceled when a collision occurs. In the case of a collision, it takes the medium a time σ to propagate it. This is naturally modeled with a timeout. If no collision occurs, the medium waits for the termination signal. When it arrives, the medium returns to the initial state. The overall specification is obtained by putting all the above (stations and the medium) in parallel: CSMA/CD_n = Medium ‖ S_1 ‖ ··· ‖ S_n. The following is the specification of a system composed of two senders (the process specification of the second sender is the same as for Sender1) and a medium. #BUSY means broadcast send via channel BUSY.
We have verified the following real-time property expressed in the logic TLTL. When a collision occurs because two stations k ≠ j transmit simultaneously, they both detect it at most σ us later:
The second case study is the analysis of FDDI (Fiber Distributed Data Interface) (example taken from [14]). FDDI is a high performance fiber optic token ring Local Area Network. We consider a network composed of n identical stations S_1, ..., S_n and a ring, where the stations can communicate by synchronous messages with high priority and asynchronous messages with low priority. The timed automaton that models the protocol is obtained as the parallel composition FDDI_n = Ring ‖ S_1 ‖ ··· ‖ S_n, where the automata synchronize through actions. The following is the specification of a system composed of two stations (the process specification of the second station is the same as for Station1) and a ring. The TLTL formula describing the bounded-time property for sending asynchronous messages, namely that each idle station in the FDDI system will send asynchronous messages before a time c, is:
where S_i = idle denotes any state s ∈ S in which the automaton corresponding to station number i is in the location idle.
The experiments were done on a Pentium IV at 1GHz with 512MB of memory. Our approach has been able to generate the quotient graph for up to 5 processes (for the CSMA/CD protocol, including the medium) and 6 processes (for the FDDI protocol, including the ring). by number of nodes, number of edges for each quotient graph generated using different configurations and the time consumed (in seconds). The symbol - means that the tool fails due to lack of memory.
These first experiments show that our real-time model checking technique performs relatively well. Although these positive results are based only on limited experience with the tool, we believe that further experiments will show that they are of a more general character. This would show that the combination of transformation and partition refinement is a useful approach to real-time model checking, which could be at least as valuable as the currently followed approaches. To our knowledge, no tool exists for TLTL model checking against which to compare our approach (it is known that model checking for the logic TLTL is undecidable).
Conclusion
In this paper, we have presented a technique for model checking dense complex real-time systems, implemented with Maude. The method is based on the reduction of TLTL specifications to LTL. The timed behavior of the TLTL specification is captured and represented as a timed automaton, which is composed with the original timed automaton modeling the timed system. Then, a time abstraction technique based on strong bi-simulation is used to generate a finite graph modulo the TLTL specification, and the Maude LTL model checker performs LTL model checking on this graph. We have taken advantage of the reflective aspect of Rewriting Logic to implement this tool.
The correctness of this technique is mathematically proved and tested on many small examples. Relatively complex specifications of the protocols CSMA/CD and FDDI were also successfully tested. Our future work is to generalize this technique to accept real-time semantics defined in Real-Time Maude (RT-Maude) [26] . Thus, a real-time system specified with RT-Maude could be analyzed using this method.
