Language Emptiness of Continuous-Time Parametric Timed Automata by Beneš, Nikola et al.
arXiv:1504.07838v1 [cs.FL] 29 Apr 2015
Language Emptiness of Continuous-Time
Parametric Timed Automata
Nikola Beneš¹⋆, Peter Bezděk¹⋆⋆, Kim G. Larsen², and Jiří Srba²
1 Faculty of Informatics, Masaryk University Brno, Czech Republic
2 Department of Computer Science, Aalborg University, Denmark
Abstract. Parametric timed automata extend the standard timed automata with the possibility to use parameters in the clock guards. In general, if the parameters are real-valued, the problem of language emptiness of such automata is undecidable even for various restricted subclasses. We thus focus on the case where parameters are assumed to be integer-valued, while the time still remains continuous. On the one hand, we show that the problem remains undecidable for parametric timed automata with three clocks and one parameter. On the other hand, for the case with arbitrary many clocks where only one of these clocks is compared with (an arbitrary number of) parameters, we show that the parametric language emptiness is decidable. The undecidability result tightens the bounds of a previous result which assumed six parameters, while the decidability result extends the existing approaches that deal with discrete-time semantics only. To the best of our knowledge, this is the first positive result in the case of continuous-time and unbounded integer parameters, except for the rather simple case of single-clock automata.
1 Introduction
Timed automata [2] are a popular formalism used for modelling of real-time
systems. In the classical definition, the clocks in guards are compared to fixed
constants and one of the key problems, decidable in PSPACE [1], is the question
of language emptiness. More than 20 years ago, Alur, Henzinger and Vardi [3]
introduced a parametric variant of the language emptiness problem where clocks
in timed automata can be additionally compared to a number of parameters.
A clock is nonparametric if it is never compared with any of the parameters,
otherwise the clock is parametric. The parametric language emptiness problem
asks whether the parameters in the system can be replaced by constants so that
the language of the resulting timed automaton becomes nonempty.
Unfortunately, the parametric language emptiness problem is undecidable for timed automata with three parametric clocks [3]. Yet Alur, Henzinger and Vardi established a positive decidability result in the case of a single parametric clock. This decidability result was recently extended by Bundala and Ouaknine [9] to the case with two parametric clocks and an arbitrary number of nonparametric clocks. Both positive results are restricted to the discrete-time semantics with only integer delays. The problem of decidability of integer parametric language emptiness in the continuous-time semantics has been open for over 20 years.

⋆ Nikola Beneš has been supported by the Czech Science Foundation grant project no. GA15-11089S.
⋆⋆ Peter Bezděk has been supported by the Czech Science Foundation grant project no. GA15-08772S.

Table 1: Decidability of the language (non)emptiness problems

                                    discrete time         continuous time       continuous time
                                    integer parameters    integer parameters    real parameters
n clocks, m parameters,
  1 parametric clock only           decidable [3]         decidable             undecidable [15]
3 clocks, 1 parameter               undecidable           undecidable           undecidable [15]
3 clocks, 6 parameters              undecidable [3]       undecidable [3]       undecidable [3]
The parametric language emptiness problem has two variants, which we call
reachability (existence of a parameter valuation s.t. the language is nonempty)
and safety (existence of a parameter valuation s.t. the language is empty).
Our main contributions, summarised in Table 1, are: (i) undecidability of
the reachability and safety problems (in discrete and continuous-time semantics)
for three parametric clocks, no additional nonparametric clocks and one integer
parameter and (ii) decidability of the reachability and safety problems in the
continuous-time semantics for one parametric clock with an arbitrary number of
integer parameters and an unlimited number of additional nonparametric clocks.
For reachability the problem is further decidable in NEXPTIME.
Related work. Our undecidability result holds both for discrete and continuous
time semantics and it uses only a single parameter with three parametric clocks,
hence strengthening the result from [3] where six parameters were necessary for
the reduction. In [9] the authors established NEXPTIME-completeness of the
parametric reachability problem for the case of a single parametric clock but
only for the discrete-time semantics. Parametric TCTL model checking of timed
automata, in the discrete-time setting, was also studied in [8,18]. Our decision
procedure for one parametric clock is, to the best of our knowledge, the first one
that deals with continuous-time semantics without any restriction on the usage
of parameters and without bounding the range of the parameters.
Reachability for parametric timed automata was shown decidable for certain (strict) subclasses of parametric timed automata, either by bounding the range of parameters [13] or by imposing syntactic restrictions on the use of parameters as in L/U automata [6,12]. The study of parametric timed automata in continuous time with parameters ranging over the rational or real numbers showed undecidability already for one parametric clock [15], or for two parametric clocks with exclusively strict guards [10]. We thus focus solely on integer-valued parameters in this paper.
Parametric reachability problems for interrupt timed automata were investigated by Bérard, Haddad, Jovanović and Lime [7] with a number of positive decidability results although their model is incomparable with the formalism of timed automata studied in this paper. Other approaches include the inverse method of [17] where the authors describe a procedure for deriving constraints on parameters in order to satisfy that timed automata remain time-abstract equivalent, however, the termination of the procedure is in general not guaranteed.
2 Definitions
We shall now introduce parametric timed automata, the studied problems and
give an example of a parametric system for alarm sensor coordination.
Let N0 denote the set of nonnegative integers and R≥0 the set of nonnegative
real numbers. Let C be a finite set of clocks and let P be a finite set of parameters.
A simple clock constraint is an expression of the form x ⊲⊳ c where x ∈ C,
c ∈ N0 ∪ P and ⊲⊳ ∈ {<,≤,=,≥, >}. A guard is a conjunction of simple clock
constraints, we denote the set of all guards by G. A conjunction of simple clock
constraints that contain only upper bounds on clocks, i.e. ⊲⊳ ∈ {<,≤}, is called
an invariant and the set of all invariants is denoted by I.
A clock valuation is a function ν : C → R≥0 that assigns to each clock its
nonnegative real-time age and parameter valuation is a function γ : P → N0 that
assigns to each parameter its nonnegative integer value. Given a clock valuation ν,
a parameter valuation γ and a guard (or invariant) g ∈ G, we write ν, γ |= g
if the guard expression g, after the substitution of all clocks x ∈ C with ν(x)
and all parameters p ∈ P with γ(p), is true. By ν0 we denote the initial clock
valuation where ν0(x) = 0 for all x ∈ C. For a clock valuation ν and a delay
d ∈ R≥0, we define the clock valuation ν + d by (ν + d)(x) = ν(x) + d for all
x ∈ C.
Definition 1 (Parametric Timed Automaton). A parametric timed automaton (PTA) over the set of clocks C and parameters P is a tuple A = (Σ, L, ℓ0, F, I, −→) where Σ is a finite input alphabet, L is a finite set of locations, ℓ0 ∈ L is the initial location, F ⊆ L is the set of final (accepting) locations, I : L → I is an invariant function assigning invariants to locations, and −→ ⊆ L × G × Σ × 2^C × L is the set of transitions, written as $\ell \xrightarrow{g,a,R} \ell'$ whenever (ℓ, g, a, R, ℓ′) ∈ −→.
For the rest of this section, let A = (Σ,L, ℓ0, F, I,−→) be a fixed PTA. We
say that a clock x ∈ C is a parametric clock in A if there is a simple clock
constraint of the form x ⊲⊳ p with p ∈ P that appears in a guard or an invariant
of A. Otherwise, if the clock x is never compared to any parameter, we call it
a nonparametric clock.
A configuration of A is a pair (ℓ, ν) where ℓ ∈ L is the current location and
ν is the current clock valuation. For every parameter valuation γ we define the
corresponding timed transition system Tγ(A) where states are all configurations
(ℓ, ν) of A that satisfy the location invariants, i.e. ν, γ |= I(ℓ), and the transition
relation is defined as follows:
– $(\ell,\nu) \xrightarrow{d} (\ell,\nu+d)$ where $d \in \mathbb{R}_{\ge 0}$ if $\nu+d,\gamma \models I(\ell)$;
– $(\ell,\nu) \xrightarrow{a} (\ell',\nu')$ where $a \in \Sigma$ if there is a transition $\ell \xrightarrow{g,a,R} \ell'$ in A such that $\nu,\gamma \models g$ and $\nu',\gamma \models I(\ell')$ where for all x ∈ C we define ν′(x) = 0 if x ∈ R and ν′(x) = ν(x) otherwise.
A timed language of A under a parameter valuation γ, denoted by Lγ(A), is the collection of all accepted timed words of the form (a0, d0)(a1, d1) . . . (an, dn) ∈ (Σ × R≥0)∗ such that in the transition system Tγ(A) there is a computation
$$(\ell_0,\nu_0) \xrightarrow{d_0} (\ell'_0,\nu'_0) \xrightarrow{a_0} (\ell_1,\nu_1) \xrightarrow{d_1} \cdots \xrightarrow{a_{n-1}} (\ell_n,\nu_n) \xrightarrow{d_n} (\ell'_n,\nu'_n) \xrightarrow{a_n} (\ell_{n+1},\nu_{n+1})$$
where ℓn+1 ∈ F.
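The following Python script is an added illustration of the semantics just defined and is not part of the paper. It implements ν, γ |= g for guards with integer parameters, the delay and action steps of Tγ(A), and a membership test deciding whether a timed word belongs to Lγ(A) under a fixed integer parameter valuation; on top of that it searches the valuations of a single parameter up to a bound. The three-location automaton, its clock x, its parameter p, the action names and the timed words are constructed for this example and do not come from the paper.

```python
from fractions import Fraction

# A simple clock constraint is a triple (clock, op, c) where c is an integer
# constant or the name of a parameter; a guard is a list of such triples.
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
}

def satisfies(nu, gamma, guard):
    """nu, gamma |= guard: substitute clock ages and integer parameter values."""
    for clock, op, c in guard:
        bound = gamma[c] if isinstance(c, str) else c
        if not OPS[op](nu[clock], bound):
            return False
    return True

class PTA:
    """Parametric timed automaton (Definition 1).  The alphabet is implicit in the
    transitions, which are tuples (source, guard, action, resets, target)."""
    def __init__(self, clocks, initial, final, invariants, transitions):
        self.clocks, self.initial, self.final = clocks, initial, final
        self.invariants = invariants      # location -> guard with upper bounds only
        self.transitions = transitions

def delay(nu, d):
    """nu + d: let every clock advance by the same real delay d."""
    return {x: v + d for x, v in nu.items()}

def reset(nu, R):
    """Clocks in R are set to zero, the others keep their age."""
    return {x: (Fraction(0) if x in R else v) for x, v in nu.items()}

def accepts(A, gamma, word):
    """Is the timed word (a0, d0) ... (an, dn) in L_gamma(A)?  Each letter is a pair
    (action, delay).  The automaton may be nondeterministic, so the set of all
    configurations reachable by the prefix read so far is maintained."""
    nu0 = {x: Fraction(0) for x in A.clocks}
    configs = {(A.initial, frozenset(nu0.items()))}
    for action, d in word:
        successors = set()
        for loc, items in configs:
            nu = delay(dict(items), Fraction(d))
            if not satisfies(nu, gamma, A.invariants.get(loc, [])):
                continue          # the delay step would leave the invariant of loc
            for src, g, a, R, dst in A.transitions:
                if src == loc and a == action and satisfies(nu, gamma, g):
                    nu2 = reset(nu, R)
                    if satisfies(nu2, gamma, A.invariants.get(dst, [])):
                        successors.add((dst, frozenset(nu2.items())))
        configs = successors
    return any(loc in A.final for loc, _ in configs)

def smallest_accepting_valuation(A, word, bound):
    """Try the integer values 0..bound for the single parameter "p" (an assumption of
    this example) and return the first valuation under which the word is accepted."""
    for value in range(bound + 1):
        gamma = {"p": value}
        if accepts(A, gamma, word):
            return gamma
    return None

# Constructed example: l0 -(wake, x := 0)-> l1 with invariant x <= p,
#                      l1 -(2 < x < 3, done)-> l2, where l2 is accepting.
EXAMPLE = PTA(
    clocks=["x"], initial="l0", final={"l2"},
    invariants={"l1": [("x", "<=", "p")]},
    transitions=[
        ("l0", [], "wake", {"x"}, "l1"),
        ("l1", [("x", ">", 2), ("x", "<", 3)], "done", set(), "l2"),
    ],
)
WORD_OK = [("wake", 0), ("done", Fraction(5, 2))]   # constructed timed word
WORD_LATE = [("wake", 1), ("done", 3)]              # x = 3 never satisfies x < 3

if __name__ == "__main__":
    print(accepts(EXAMPLE, {"p": 3}, WORD_OK))                  # True
    print(accepts(EXAMPLE, {"p": 2}, WORD_OK))                  # False: 2.5 > 2
    print(smallest_accepting_valuation(EXAMPLE, WORD_OK, 10))   # {'p': 3}
```

With γ(p) = 2 the delay of 2.5 time units in l1 violates the invariant x ≤ p, so the delay step is not a transition of Tγ(A) and the word is rejected; with γ(p) = 3 the same word is accepted. Since the valuation search enumerates integer values only, it reflects the integer-parameter setting of the paper while the delays stay rational.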
We can now define two problems for parametric timed automata, namely the
reachability problem (reaching desirable locations) and safety problem (avoiding
undesirable locations). Note that the problems are not completely dual, as the
safety problem contains a hidden alternation of quantifiers.
Problem 1 (Reachability Problem for PTA). Given a PTA A, is there a parameter valuation γ such that Lγ(A) ≠ ∅?
Problem 2 (Safety Problem for PTA). Given a PTA A, is there a parameter
valuation γ such that Lγ(A) = ∅ ?
We shall now present a small case study of a wireless fire alarm system [11]
modelled as a parametric timed automaton. In the alarm setup, a number of
wireless sensors communicate with the alarm controller over a limited number
of communication channels (in our simplified example we assume just a single
channel). The wireless alarm system uses a variant of Time Division Multiple
Access (TDMA) protocol in order to guarantee a safe communication of multiple
sensors over a shared communication channel. In TDMA the data stream is
divided into frames and each frame consists of a number of time slots allocated
for exclusive use by the present wireless sensors. Each sensor is assigned a single
slot in each frame where it can transmit on the shared channel.
We model each sensor as a timed automaton with two locations as shown
in Figure 1a and 1b. The sensor in Figure 1a waits in its initial location until
it receives a wakeup1 message from the controller. After this, it takes strictly
between 2 to 3 seconds to gather the current status of the sensor and transmit it
as result1 message back to the controller. Any subsequent wakeup signals during
the transmission phase are ignored and after the transmission phase is finished,
the sensor is ready to receive another wakeup signal. The sensor in Figure 1b
has a more complex behaviour as transmitting the answer result2 can take either
strictly between 2 to 3 seconds, or 16 to 17 seconds.
The controller presented in Figure 1c is responsible for synchronising the two
sensors and for assigning them their time slots so that no transmissions interfere.
The parametric clock x of the controller determines the size of the time slots.
First, it takes at most 2 seconds for the controller to wake up the first sensor
after which it waits until the elapsed time reaches the value of the parameter p1. If it receives the result of the reading of the first sensor in this time slot, it moves immediately into the next location where it performs the wakeup of the second sensor. If the first sensor does not deliver any result and the clock x reaches the value p1, it also moves to the next location. Now a symmetric control is performed for the second sensor. If any of the two sensors transmit during the time the controller transmits the wakeup signals, we enter the location fail. The fail location is also reached if result2 is received in the time slot of the first sensor and vice versa. The second clock y is used to simply measure the duration of the whole frame; whenever the duration of the frame reaches 20 seconds, the controller enters the timeout location.

[Fig. 1: Wireless Fire Alarm System. (a) Sensor 1: two locations, invariant x1 < 3, edges labelled wakeup1? with reset x1 := 0, 2 < x1 < 3 result1!, and a wakeup1? self-loop. (b) Sensor 2: two locations, invariant x2 < 17, edges labelled wakeup2? with reset x2 := 0, 2 < x2 < 3 result2!, 16 < x2 < 17 result2!, and a wakeup2? self-loop. (c) Controller with parameters p1 and p2: locations with invariants x < 2, x ≤ p1, x < 2 and x ≤ p2 (each together with y ≤ 20), plus the locations fail and timeout; edge labels read x < 2 wakeup1!, x < p1 result1? x := 0, x = p1 x := 0, x < 2 wakeup2!, x < p2 result2? x := 0 y := 0, x < p2 x := 0 y := 0, result1?, result2? and y = 20.]
We assume a standard handshake synchronisation of the controller and the
two sensors running in parallel that results in a flat product timed automaton
with two parameters p1 and p2. Note that x is the only parametric clock in our
example. Now, our task is to find suitable values of the parameters that guide
the duration of the time slots for the two sensors so that there is no behaviour
of the protocol where it fails or timeouts. This question is equivalent to the
safety problem on the constructed PTA where we mark fail and timeout as the
accepting (undesirable) locations.
The obvious parameter valuation where γ(p1) = 5 and γ(p2) = 19 guarantees
that the location fail is unreachable but it is not an acceptable solution as
the duration of the frame becomes 24 and we reach timeout . However, there is
another parameter valuation where γ(p1) = 5 and γ(p2) = 9 that guarantees
that there is no possibility to fail or timeout. This is due to the fact that if the
response time of the second sensor is too long, it skips one slot and the answer
fits into an appropriate slot in the next frame.
In Section 4 we provide an algorithmic solution for finding such a parameter
valuation that guarantees a given safety/reachability criterion. Note that as we
are concerned with language (non)emptiness only, we employ two simplifications
in the rest of the paper: First, we assume that the considered PTA have no
invariants, as moving all invariants to guards preserves the language. Second, we
assume that the alphabet is a singleton set as renaming all actions into a single
action preserves language (non)emptiness.
3 Undecidability for Three Parametric Clocks
We shall now provide a reduction from the halting/boundedness problems of two-counter Minsky machines to the reachability/safety problems on PTA. A Minsky machine with two nonnegative counters c1 and c2 is a sequence of labelled instructions 1 : inst1; 2 : inst2; . . . , n : instn where instn = HALT and each insti, 1 ≤ i < n, is of one of the following forms (for r ∈ {1, 2} and 1 ≤ j, k ≤ n):
– (Increment) i: cr++; goto j
– (Test and Decrement) i: if cr=0 then goto k else (cr--; goto j)
A configuration is a triple (i, v1, v2) where i is the current instruction and
v1, v2 ∈ N0 are the values of the counters c1 and c2, respectively. A computation
step between configurations is defined in the natural way. If starting from the
initial configuration (1, 0, 0) the machine reaches the instruction HALT (note
that the computation is deterministic) then we say it halts, otherwise it loops.
The problem whether a given Minsky machine halts is undecidable [16]. The
boundedness problem, i.e. the question whether there is a constant K such that
v1 + v2 ≤ K for any configuration (i, v1, v2) reachable from (1, 0, 0), is also
undecidable [14].
The reduction from a two counter Minsky machine to PTA with a single
parameter p and three parametric clocks x1, x2 and z is depicted in Figure 2.
The reduction rules are shown only for the instructions handling the first counter.
The rules for the second counter are symmetric. We also omit the transition labels
as they are not relevant for the emptiness problem. The reduction preserves the
property that whenever we are in a configuration (ℓi, ν) where ν(z) = 0 then
ν(x1) and ν(x2) represent the exact values of the counters c1 resp. c2, and the
next instruction to be executed is the one with label i. Note also that there are
no invariants used in the constructed automaton.
Lemma 1. Let M be a Minsky machine. Let A be the PTA built according to
the rules in Figures 2a and 2b (without the transitions for safety) and where ℓ1
is the initial location and ℓn is the only accepting location. The Minsky machine
M halts iff there is a parameter valuation γ such that Lγ(A) ≠ ∅.
[Fig. 2: Encoding of Minsky Machine as PTA with a single parameter p. (a) Increment i: c1++; goto j: locations ℓi, ℓ¹i, ℓ²i, ℓ³i, ℓ⁴i, ℓ⁵i, ℓ⁶i and ℓj; the guards and resets on the edges are z = 1, z := 0; x1 = p, x1 := 0; x2 = p, x2 := 0; x2 = 1, x2 := 0; z = p, z := 0. (b) Test and decrement i: if c1=0 then goto k else (c1--; goto j): locations ℓi, ℓ¹i, ℓ²i, ℓ³i, ℓ⁴i, ℓ⁵i, ℓ⁶i, ℓj and ℓk; the guards and resets on the edges are x1 = 0; z = 0, x1 > 0; x1 = p, x1 := 0; x1 = 1, x1 := 0; x2 = p, x2 := 0; z = p, z := 0. (c) For safety, add for every instruction i: c1++; goto j an edge from ℓj to ℓacc with guard z = 0, x1 = p.]
Proof (Sketch). We only sketch a part of the proof to show the basic idea. We
argue that from the configuration (ℓi, ν) where ν(z) = 0 and where ν(x1) and
ν(x2) represent the counter values, there is a unique way to move from ℓi to ℓj
(or possibly also to ℓk in the case of the test and decrement instruction) where
again ν(z) = 0 and the counter values are updated accordingly. As there are
no invariants in the automaton, we can always delay long enough so that we
get stuck in a given location, but this behaviour will not influence the language
emptiness problem we are interested in.
Consider the automaton for the increment instruction from Figure 2a and assume we are in a configuration (ℓi, ν) where ν(z) = 0, ν(x1) = v1 and ν(x2) = v2. First note that if v1 ≥ p then there is no execution ending in ℓk due to the forced delay of one time unit on the transition from ℓi to $\ell_i^1$ and the guard x1 = p tested in both the upper and lower branch in the automaton. Assume thus that v1 < p. If v1 ≥ v2 then we can perform the following execution with uniquely determined time delays:
$$(\ell_i, [x_1 \mapsto v_1, x_2 \mapsto v_2, z \mapsto 0]) \xrightarrow{1} (\ell_i^1, [x_1 \mapsto v_1+1, x_2 \mapsto v_2+1, z \mapsto 0]) \xrightarrow{p-v_1-1} (\ell_i^2, [x_1 \mapsto 0, x_2 \mapsto p-v_1+v_2, z \mapsto p-v_1-1]) \xrightarrow{v_1-v_2} (\ell_i^3, [x_1 \mapsto v_1-v_2, x_2 \mapsto 0, z \mapsto p-v_2-1]) \xrightarrow{1} (\ell_i^4, [x_1 \mapsto v_1-v_2+1, x_2 \mapsto 0, z \mapsto p-v_2]) \xrightarrow{v_2} (\ell_j, [x_1 \mapsto v_1+1, x_2 \mapsto v_2, z \mapsto 0]).$$
In this case where v1 ≥ v2, executing the lower branch of the automaton will result in getting stuck in the location $\ell_i^6$ as here necessarily ν(x1) > p. Clearly, there is a unique way of getting to ℓj in which the clock valuation of x1 was incremented by one, hence faithfully simulating the increment instruction of the Minsky machine. The other cases and instructions are dealt with similarly, see Appendix A. ⊓⊔
Lemma 2. Let M be a Minsky machine. Let A be the PTA built according to the
rules in Figures 2a, 2b and 2c (including the transitions for safety) and where ℓ1
is the initial location and ℓacc is the only accepting location. The Minsky machine
M is bounded iff there is a parameter valuation γ such that Lγ(A) = ∅.
Proof. If the computation of the Minsky machine is unbounded then clearly, for any parameter value of p, the Minsky machine will eventually try to make one of the counters larger than or equal to p (using the increment instruction). Necessarily, we will then have ν(x1) = p or ν(x2) = p in the location ℓj where we end after performing the increment instruction i, implying that we can reach the accepting location ℓacc due to the transition added in Figure 2c and hence the language is nonempty. On the other hand, if the parameter p is large enough and the computation is bounded (note that the boundedness condition ∃K. v1 + v2 ≤ K is equivalent to ∃K. max{v1, v2} ≤ K), we will not be able to enter the accepting location ℓacc and the language is empty. ⊓⊔
We now conclude with the main theorem of this section, tightening the previously known undecidability result that used six parameters and three parametric clocks [3]. The theorem is valid for both the continuous-time and the discrete-time semantics due to the exact guards in all transitions of the constructed PTA, which allow transitions to be taken only after integer delays.
Theorem 1. The reachability and safety problems are undecidable for PTA with
one integer parameter, three parametric clocks and no further nonparametric
clocks in the continuous-time as well as the discrete-time semantics.
4 Decidability for One Parametric Clock
In this section, we show that both the reachability and safety problems for PTA
with a single parametric clock are decidable. Our general strategy is similar to
that of [3], i.e. reducing the original PTA (which has continuous-time semantics
in our case) into a so-called parametric 0/1-timed automaton with just a single
clock. It is shown in [3] that the set of parameter valuations that ensure language
nonemptiness of a given parametric 0/1-timed automaton with single clock is
effectively computable. Moreover, in [9] the authors show that the reachability
problem for parametric 0/1-timed automata is polynomial-time reducible to the
halting problem of parametric bounded one-counter machines, which is in NP.
As the parametric 0/1-timed automaton is going to be exponential in the size
of the original PTA, this makes the reachability problem for PTA with a single
parametric clock belong to the NEXPTIME complexity class.
A 0/1-timed automaton is a timed automaton with discrete time, in which all the delays are explicitly encoded via two kinds of delay transitions: 0-transitions and 1-transitions. Formally, we enrich the syntax of a timed automaton with two transition relations $\xrightarrow{0}, \xrightarrow{1} \subseteq L \times L$ and modify the semantics so that $(\ell,\nu) \xrightarrow{0} (\ell',\nu)$ iff $\ell \xrightarrow{0} \ell'$ and $(\ell,\nu) \xrightarrow{1} (\ell',\nu+1)$ iff $\ell \xrightarrow{1} \ell'$; other delays in the timed transition system are no longer possible.
Note that this treatment of $\xrightarrow{0}$ and $\xrightarrow{1}$ as special transitions differs slightly from the original definition of [3], in which a 0/1 label is given to every transition of the 0/1-timed automaton. This change is only cosmetic; the ability to distinguish between 0/1-transitions and action transitions will be useful in later proofs.
Corner-Point Abstraction. As we are concerned with continuous time, our reduction to 0/1-timed automata is more convoluted than that of [3], in which the nonparametric clocks were eliminated by moving their integer values into locations. In our setting, using region abstraction to eliminate nonparametric clocks will not allow us to correctly identify the 0/1 delays. We thus choose to use corner-point abstraction [4] that is finer than the region-based one. In this abstraction, each region is associated with a set of its corner points. Note that the original definition only deals with timed automata that are bounded, while we want to be more general here. For this reason, we extend the original definition with extra corner points for unbounded regions.
We first define the region equivalence [2]. Let M ∈ N0 be the largest constant
appearing in the constraints of a given timed automaton. Note that in the original
definition the largest constant is considered for each clock independently. For the
sake of readability, we consider M to be a common upper bound for each clock.
Let ν, ν′ be clock valuations. Let further fr (t) be the fractional part of t and ⌊t⌋
be the integral part of t. We define an equivalence relation ≡ on clock valuations
by ν ≡ ν′ if and only if the following three conditions are satisfied:
– for all x ∈ C either ν(x) ≥ M and ν′(x) ≥ M or ⌊ν(x)⌋ = ⌊ν′(x)⌋;
– for all x, y ∈ C such that ν(x) ≤ M and ν(y) ≤ M, fr(ν(x)) ≤ fr(ν(y)) if and only if fr(ν′(x)) ≤ fr(ν′(y));
– for all x ∈ C such that ν(x) ≤ M, fr(ν(x)) = 0 if and only if fr(ν′(x)) = 0.
We define a region as an equivalence class of clock valuations induced by ≡.
A region r′ is a time successor of a region r if for all ν ∈ r there exists d ∈ R>0
such that ν + d ∈ r′ and for all d′, 0 ≤ d′ ≤ d, we have ν + d′ ∈ r ∪ r′. As the
time successor is unique if it exists, we use succ(r) to denote the time successor
of r. Moreover, if no time successor of r exists, we let succ(r) = r.
[Fig. 3: Corner point abstraction. (a) Corner points where M = 2 and C = {x, y}; both axes x and y carry the ticks 0, 1, 2, 3. (b) Fragment of an evolution of a region with a corner point (locations are omitted for simplicity); the fragment shows 0- and 1-delay steps and a reset y := 0.]
An (M+1)-corner point α : C → N0 ∩ [0, M+1] is a function which assigns an integer value from the interval [0, M+1] to each clock. We define the successor of the (M+1)-corner point α, denoted by succ(α), as follows: for each x ∈ C,
$$\mathit{succ}(\alpha)(x) = \begin{cases} \alpha(x) + 1 & \alpha(x) \le M \\ M + 1 & \text{otherwise.} \end{cases}$$
For R ⊆ C, we define the reset of the corner point α, denoted by α[R], as follows: for each x ∈ C,
$$\alpha[R](x) = \begin{cases} \alpha(x) & x \notin R \\ 0 & x \in R. \end{cases}$$
We say α is a corner point of a region r whenever α is in the topological closure
of r. The construction of the corner-point abstraction is illustrated in Figure 3.
Notice the corner points in unbounded regions.
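As an added illustration that is not part of the paper, the Python script below implements the region equivalence ≡ from the three conditions above, enumerates the (M+1)-corner points of the region of a valuation (the integer points in its topological closure, with the value M+1 for clocks in unbounded regions), and implements succ(α) and α[R]. It reads a clock value strictly greater than M as lying in an unbounded region, which is one reading of the boundary case ν(x) = M in the first condition; the clock names, the bound M = 2 and the sample valuations are constructed for this example.

```python
from fractions import Fraction
from itertools import product

def frac(v):
    """Fractional part fr(v) of a nonnegative Fraction."""
    return v - int(v)

def region_key(nu, M):
    """Canonical signature of the region of nu (a dict clock -> Fraction): per clock
    its integer part, or "inf" when it is above M; for bounded clocks whether the
    fractional part is zero; and the weak order of the fractional parts of the
    bounded clocks.  Two valuations are region-equivalent iff their keys are equal."""
    bounded = sorted(x for x in nu if nu[x] <= M)
    floors = tuple((x, "inf" if nu[x] > M else int(nu[x])) for x in sorted(nu))
    zeros = tuple((x, frac(nu[x]) == 0) for x in bounded)
    order = tuple((x, y, frac(nu[x]) <= frac(nu[y]))
                  for x in bounded for y in bounded if x != y)
    return (floors, zeros, order)

def region_equivalent(nu1, nu2, M):
    return region_key(nu1, M) == region_key(nu2, M)

def corner_points(nu, M):
    """All (M+1)-corner points of the region of nu.  A bounded clock with integer
    value is fixed; a bounded clock with nonzero fractional part may round down or
    up, but if fr(x) <= fr(y) and x rounds up then y must round up as well (the
    closure keeps the weak order of fractional parts); a clock above M gets M + 1."""
    clocks = sorted(nu)
    choices = []
    for x in clocks:
        v = nu[x]
        if v > M:
            choices.append([M + 1])
        elif frac(v) == 0:
            choices.append([int(v)])
        else:
            choices.append([int(v), int(v) + 1])
    result = []
    for combo in product(*choices):
        alpha = dict(zip(clocks, combo))
        consistent = all(
            not (frac(nu[x]) <= frac(nu[y]) and alpha[x] > nu[x] and alpha[y] < nu[y])
            for x in clocks for y in clocks
            if x != y and nu[x] <= M and nu[y] <= M
            and frac(nu[x]) != 0 and frac(nu[y]) != 0)
        if consistent:
            result.append(alpha)
    return result

def is_corner_point(alpha, nu, M):
    """alpha is a corner point of the region of nu."""
    return alpha in corner_points(nu, M)

def succ_corner(alpha, M):
    """succ(alpha): advance every clock by one, saturating at M + 1."""
    return {x: (v + 1 if v <= M else M + 1) for x, v in alpha.items()}

def reset_corner(alpha, R):
    """alpha[R]: reset the clocks in R to zero."""
    return {x: (0 if x in R else v) for x, v in alpha.items()}

# Constructed sample valuations over C = {x, y} with M = 2.
M_SAMPLE = 2
NU_A = {"x": Fraction(6, 5), "y": Fraction(7, 10)}   # x in (1,2), y in (0,1), fr(x) < fr(y)
NU_B = {"x": Fraction(3, 2), "y": Fraction(1, 2)}    # same integer parts, fr(x) = fr(y)
NU_C = {"x": Fraction(7, 4), "y": Fraction(3, 4)}    # region-equivalent to NU_B
NU_D = {"x": Fraction(5), "y": Fraction(1, 2)}       # x above M: unbounded region
NU_E = {"x": Fraction(5, 2), "y": Fraction(1, 4)}    # region-equivalent to NU_D

if __name__ == "__main__":
    print(corner_points(NU_A, M_SAMPLE))   # [{x:1,y:0}, {x:1,y:1}, {x:2,y:1}]
    print(corner_points(NU_D, M_SAMPLE))   # [{x:3,y:0}, {x:3,y:1}]
```

For NU_A the integer point (x, y) = (2, 0) is excluded: reaching x = 2 from inside the region means fr(x) → 1, and since fr(y) ≥ fr(x) throughout the region, y must then approach 1 as well, so (2, 0) is not in the closure. For NU_D the clock x lies above M and contributes only the extra corner value M + 1 = 3, matching the corner points of the unbounded regions in Figure 3a.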
Construction of the Parametric 0/1-Timed Automaton. Now we show how to
construct for a given PTA with one parametric clock an equivalent 0/1-PTA
with just one clock. Let A = (Σ,L, ℓ0, F, I,−→) be the original PTA over the set
of clocks C and parameters P . Let xp denote the only parametric clock.
We first modify the automaton by adding a fresh clock z as follows: every transition $\ell \xrightarrow{g,a,R} \ell'$ is changed into $\ell \xrightarrow{g \wedge z<1,\,a,\,R'} \ell'$ where R′ = R if xp ∉ R, and R′ = R ∪ {z} otherwise. To every location ℓ we then add a new self-loop transition $\ell \xrightarrow{z=1,\,a,\,\{z\}} \ell$. Intuitively, the new clock z will always contain the fractional part of xp. We call this new automaton A′. Clearly, this modification preserves the language (non)emptiness of the original automaton A.
In the second step, we use the corner-point abstraction of A′ with respect to all clocks except for xp to create the 0/1-timed automaton with a single clock. Let Ĉ = (C ∪ {z}) \ {xp} and let M be the largest constant appearing in the guards concerning the clocks in Ĉ. In the following, we consider regions and corner-points with respect to clocks in Ĉ and the bound M. Let Reg denote the set of all such regions and let Cp denote the set of all corresponding corner-points, i.e. $\mathit{Cp} = (\mathbb{N}_0 \cap [0, M+1])^{\hat{C}}$.
We use the following auxiliary notation. Let r ∈ Reg and α ∈ Cp.
$$\iota(r,\alpha) = \begin{cases} \mathit{LESS} & \alpha(z) = 1 \text{ and } r \not\models z = 1 \\ \mathit{MORE} & \alpha(z) = 0 \text{ and } r \not\models z = 0 \\ \mathit{EXACT} & \text{otherwise} \end{cases}$$
The 0/1-timed automaton over the singleton set of clocks {x̂p} is Â = (Σ, L × Reg × Cp, (ℓ0, r0, α0), F × Reg × Cp, I, −→) where r0 is the initial region and α0(x) = 0 for all x ∈ Ĉ is the initial corner-point. The transition relation is defined as follows:
– zero delay: $(\ell,r,\alpha) \xrightarrow{0} (\ell,r',\alpha)$ if r′ = succ(r) and α is a corner-point of both r and r′;
– unit delay: $(\ell,r,\alpha) \xrightarrow{1} (\ell,r,\alpha')$ if α′ = succ(α) and both α and α′ are corner-points of r;
– action: whenever $\ell \xrightarrow{g,a,R} \ell'$ in A′ then let g1, . . . , gk be all the simple clock constraints appearing in g comparing clocks from Ĉ and let h1, . . . , hn be the remaining simple clock constraints, i.e. those that consider xp. For every (ℓ, r, α) that satisfies (1) r |= g1 ∧ · · · ∧ gk and (2) if ι(r, α) ≠ EXACT then no hi contains equality (=), we set $(\ell,r,\alpha) \xrightarrow{\hat{h}_1 \wedge \cdots \wedge \hat{h}_n,\,\hat{R}} (\ell', r[R \setminus \{x_p\}], \alpha[R \setminus \{x_p\}])$, where R̂ = {x̂p} if xp ∈ R and R̂ = ∅ otherwise. The constraints ĥi are created as follows: all xp are changed into x̂p; if ι(r, α) = LESS, all < are changed into ≤ and all ≥ are changed into >; if ι(r, α) = MORE, all ≤ are changed into < and all > are changed into ≥.
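The action rule above, as an added Python illustration that is not part of the paper: it decides r |= gi for the constraints over Ĉ, computes ι(r, α), checks the two side conditions (1) and (2), rewrites the xp-constraints into ĥi and builds R̂, r[R \ {xp}] and α[R \ {xp}]. A region r is represented here only by the integer part and an integer/non-integer flag for each clock in Ĉ ("inf" for a clock above M), which suffices to decide a simple clock constraint with an integer constant; the order of fractional parts is omitted. The clock names y, z, xp, the name x̂p spelled xp_hat, and the sample region, corner point, guard and reset set are constructed for this example.

```python
# A region over C-hat is a dict clock -> (integer part or "inf", is_integer).

def region_satisfies(r, clock, op, c):
    """r |= clock op c for an integer constant c <= M, decided from the signature."""
    f, integral = r[clock]
    if f == "inf":                   # every value above M exceeds every constant c <= M
        return op in (">", ">=")
    return {
        "<":  f < c,
        "<=": f < c or (integral and f == c),
        "=":  integral and f == c,
        ">=": f >= c,
        ">":  f > c or (not integral and f >= c),
    }[op]

def iota(r, alpha):
    """iota(r, alpha) in {LESS, MORE, EXACT} as defined in the paper."""
    if alpha["z"] == 1 and not region_satisfies(r, "z", "=", 1):
        return "LESS"
    if alpha["z"] == 0 and not region_satisfies(r, "z", "=", 0):
        return "MORE"
    return "EXACT"

# How a comparison in a constraint on x_p is rewritten for each value of iota.
RELAX = {"LESS": {"<": "<=", ">=": ">"}, "MORE": {"<=": "<", ">": ">="}, "EXACT": {}}

def abstract_action(r, alpha, guard, resets, xp="xp"):
    """Action transition of the 0/1-automaton from (r, alpha) for an A' transition
    with guard `guard` (list of (clock, op, c)) and reset set `resets`.
    Returns (hat_guard, hat_resets, r_next, alpha_next), or None if no transition."""
    cap_constraints = [(x, op, c) for (x, op, c) in guard if x != xp]
    xp_constraints = [(x, op, c) for (x, op, c) in guard if x == xp]
    # (1) the region must satisfy every constraint over the abstracted clocks
    if not all(region_satisfies(r, x, op, c) for x, op, c in cap_constraints):
        return None
    kind = iota(r, alpha)
    # (2) an equality on x_p is only allowed when the corner point is exact
    if kind != "EXACT" and any(op == "=" for _, op, _ in xp_constraints):
        return None
    hat_guard = [(xp + "_hat", RELAX[kind].get(op, op), c) for _, op, c in xp_constraints]
    hat_resets = {xp + "_hat"} if xp in resets else set()
    rest = set(resets) - {xp}           # R \ {x_p}, applied to region and corner point
    r_next = {x: ((0, True) if x in rest else sig) for x, sig in r.items()}
    alpha_next = {x: (0 if x in rest else v) for x, v in alpha.items()}
    return hat_guard, hat_resets, r_next, alpha_next

# Constructed sample: C-hat = {y, z}, region with y in (1, 2) and z in (0, 1), corner
# point (y, z) = (2, 1), hence iota = LESS (z, the fractional part of x_p, tends to 1).
R_SAMPLE = {"y": (1, False), "z": (0, False)}
ALPHA_SAMPLE = {"y": 2, "z": 1}
GUARD_SAMPLE = [("y", "<", 2), ("z", "<", 1), ("xp", "<", "p")]   # z < 1 as added in A'
RESETS_SAMPLE = {"xp", "y", "z"}   # x_p in R, so A' resets z as well

if __name__ == "__main__":
    print(abstract_action(R_SAMPLE, ALPHA_SAMPLE, GUARD_SAMPLE, RESETS_SAMPLE))
```

In the sample the strict guard xp < p becomes x̂p ≤ p: at this corner point the fractional part of xp approaches 1 from below, so the real clock stays strictly below the integer value that x̂p represents, and the non-strict comparison on x̂p is the faithful abstraction. Replacing the guard by xp = p yields no transition at all, because condition (2) forbids equalities unless ι(r, α) = EXACT.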
Theorem 2. The reachability and safety problems for parametric timed automata over integer parameters with one parametric clock in the continuous-time semantics are decidable. Moreover, the reachability problem is in NEXPTIME.
Proof (Idea). Due to space constraints, the complete proof can be found in Appendix B. As mentioned above, the modification from A to A′ preserves the language (non)emptiness. The idea of the proof is to show that for every given parameter valuation, every run of A′ has a corresponding run in Â and vice versa. This shows that the reachability and safety problems for parametric timed automata with one parametric clock reduce to the reachability and safety problems for parametric 0/1-timed automata. These problems were shown decidable in [3]. The complexity argument is discussed in the beginning of this section. ⊓⊔
5 Conclusion
We have shown that for three parametric clocks with a single integer parameter, both the reachability and safety problems are undecidable in the discrete as well as the continuous semantics. This improves the previously known undecidability result by Alur, Henzinger and Vardi [3] where six parameters were needed. For the case with a single parametric clock with an unrestricted number of integer parameters and with any number of additional nonparametric clocks, we contributed to the solution of an open problem stated more than 20 years ago by proving a decidability result for reachability and safety problems in the continuous semantics, extending the previously known decidability result for the discrete-time semantics [3]. To achieve this result, we used the corner-point abstraction technique that had to be modified to handle also corner-points in unbounded regions, contrary to the use of the technique in [4]. Not surprisingly, the decidability of the problem in case of two parametric clocks in the continuous-time setting remains open, as it is the case also for a number of other problems over timed automata with two real-time clocks [5]. On the other hand, as demonstrated by our wireless fire alarm case study, the parameter synthesis problem for one parametric clock and an unlimited number of parameters is sufficiently expressive in order to describe nontrivial scheduling problems. As a next step, we will consider moving from corner-point regions into zones and provide an efficient implementation of the presented techniques.
Acknowledgements. We acknowledge funding from the EU FP7 grant agreement nr. 318490 (SENSATION) and grant agreement nr. 601148 (CASSTING) and from the Sino-Danish Basic Research Center IDEA4CPS.
References
1. R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In LICS’90, pages 414–425. IEEE, 1990.
2. R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.
3. R. Alur, T.A. Henzinger, and M.Y. Vardi. Parametric real-time reasoning. In Proceedings of 25th Annual Symposium on Theory of Computing (STOC’93), pages 592–601. ACM Press, 1993.
4. Gerd Behrmann, Ansgar Fehnker, Thomas Hune, Kim Guldstrand Larsen, Paul Pettersson, Judi Romijn, and Frits W. Vaandrager. Minimum-cost reachability for priced timed automata. In HSCC’01, volume 2034 of LNCS, pages 147–161. Springer, 2001.
5. Patricia Bouyer, Thomas Brihaye, and Nicolas Markey. Improved undecidability results on weighted timed automata. Inform. Proc. Letters, 98(5):188–194, 2006.
6. Laura Bozzelli and Salvatore La Torre. Decision problems for lower/upper bound parametric timed automata. Formal Methods in Syst. Design, 35(2):121–151, 2009.
7. Beatrice Bérard, Serge Haddad, Aleksandra Jovanović, and Didier Lime. Parametric interrupt timed automata. In RP’13, volume 8169 of LNCS, pages 59–69. Springer, 2013.
8. Véronique Bruyère and Jean-François Raskin. Real-time model-checking: Parameters everywhere. In FST TCS’03, volume 2914 of LNCS, pages 100–111. Springer, 2003.
9. Daniel Bundala and Joël Ouaknine. Advances in parametric real-time reasoning. In MFCS’14, volume 8634 of LNCS, pages 123–134. Springer, 2014.
10. Laurent Doyen. Robust parametric reachability for timed automata. Information Processing Letters, 102(5):208–213, 2007.
11. Sergio Feo-Arenis, Bernd Westphal, Daniel Dietsch, Marco Muñiz, and Siyar Andisha. The wireless fire alarm system: Ensuring conformance to industrial standards through formal verification. In FM’14, volume 8442 of LNCS, pages 658–672. Springer, 2014.
12. Thomas Hune, Judi Romijn, Mariëlle Stoelinga, and Frits Vaandrager. Linear parametric model checking of timed automata. Springer, 2001.
13. A. Jovanović, D. Lime, and O. H. Roux. Integer parameter synthesis for timed automata. In TACAS 2013, volume 7795 of LNCS, pages 401–415. Springer, 2013.
14. E.V. Kuzmin and D.J. Chalyy. Decidability of boundedness problems for Minsky counter machines. Automatic Control and Computer Sciences, 44(7):387–397, 2010.
15. Joseph S. Miller. Decidability and complexity results for timed automata and semi-linear hybrid automata. In Hybrid Systems: Computation and Control, pages 296–310. Springer, 2000.
16. M.L. Minsky. Computation: Finite and Infinite Machines. Prentice, 1967.
17. Étienne André, Thomas Chatain, Laurent Fribourg, and Emmanuelle Encrenaz. An inverse method for parametric timed automata. ENTCS, 223(0):29–46, 2008.
18. Farn Wang. Parametric timing analysis for real-time systems. Information and Computation, 130(2):131–150, 1996.
A Appendix: Proof of Lemma 1
Lemma 1. Let M be a Minsky machine. Let A be the PTA built according to
the rules in Figures 2a and 2b (without the transitions for safety) and where ℓ1
is the initial location and ℓn is the only accepting location. The Minsky machine
M halts if and only if there is a parameter valuation γ such that Lγ(A) 6= ∅.
Proof. We shall first argue that from the configuration (ℓi, ν) where ν(z) = 0
and where ν(x1) and ν(x2) represent the counter values, there is a unique way to
move from ℓi to ℓj (or possibly also to ℓk in case of test and decrement instruction)
where again ν(z) = 0 and the counter values are updated accordingly. As there
are no invariants in the automaton, we can always delay long enough so that we
get stuck in a given location, but this behaviour will not influence the language
emptiness problem we are interested in.
Consider first the automaton for the increment instruction from Figure 2a
and assume we are in a configuration (ℓi, ν) where ν(z) = 0, ν(x1) = v1 and
ν(x2) = v2. First note that if v1 ≥ p then there is no execution ending in ℓk due
to the forced delay of one time unit on the transition from ℓi to ℓ
1
i and the guard
x1 = p tested in both the upper and lower branch in the automaton. Assume
thus that v1 < p. If v1 ≥ v2 then we can perform the following execution with
uniquely determined time delays:
(ℓi, [x1 7→ v1, x2 7→ v2, z 7→ 0])
1
−→
(ℓ1i , [x1 7→ v1 + 1, x2 7→ v2 + 1, z 7→ 0])
p−v1−1
−−−−−→
(ℓ2i , [x1 7→ 0, x2 7→ p− v1 + v2, z 7→ p− v1 − 1])
v1−v2−−−−→
(ℓ3i , [x1 7→ v1 − v2, x2 7→ 0, z 7→ p− v2 − 1])
1
−→
(ℓ4i , [x1 7→ v1 − v2 + 1, x2 7→ 0, z 7→ p− v2])
v2−→
(ℓj , [x1 7→ v1 + 1, x2 7→ v2, z 7→ 0]).
In this case where v1 ≥ v2, executing the lower branch of the automaton will
result in getting stuck in the location ℓ6i as here necessarily ν(x1) > p. Assume
now that v1 < v2. If we take upper branch in the automaton now then we get
stuck. However, we can execute along the lower branch as follows:
(ℓi, [x1 7→ v1, x2 7→ v2, z 7→ 0])
1
−→
(ℓ1i , [x1 7→ v1 + 1, x2 7→ v2 + 1, z 7→ 0])
p−v2−1
−−−−−→
(ℓ5i , [x1 7→ p− v2 + v1, x2 7→ 0, z 7→ p− v2 − 1])
1
−→
(ℓ6i , [x1 7→ p− v2 + v1 + 1, x2 7→ 0, z 7→ p− v2])
v2−v1−1−−−−−−→
(ℓ4i , [x1 7→ 0, x2 7→ v2 − v1 − 1, z 7→ p− v1 − 1])
v1+1−−−→
(ℓj , [x1 7→ v1 + 1, x2 7→ v2, z 7→ 0]).
14
In both cases, it is clear that the clock valuation of x1 was incremented by one
(due to uniquely given time delays during the computations) and hence they
faithfully simulate the behaviour of the Minsky machine.
Regarding the automaton for test and decrement instruction from Figure 2b,
assume we are in the configuration (ℓi, ν) with ν(x1) = v1, ν(x2) = v2 and
ν(z) = 0. It is clear that if v1 = 0 then we continue from location ℓk as expected
and if v1 > 0 then we can enter the configuration (ℓ
1
i , x1 7→ v1, x2 7→ v2, z 7→ 0)—
note that the guard z = 0 guarantees that no time has elapsed. In the latter
case, if v1 > v2 then we can execute the upper branch as follows:
(ℓ1i , x1 7→ v1, x2 7→ v2, z 7→ 0)
p−v1
−−−→
(ℓ2i , x1 7→ 0, x2 7→ p− v1 + v2, z 7→ p− v1)
1
−→
(ℓ3i , x1 7→ 0, x2 7→ p− v1 + v2 + 1, z 7→ p− v1 + 1)
v1−v2−1−−−−−−→
(ℓ4i , x1 7→ v1 − v2 − 1, x2 7→ 0, z 7→ p− v2)
v2−→
(ℓj, x1 7→ v1 − 1, x2 7→ v2, z 7→ 0)
and if v1 ≤ v2 we can execute the lower branch as follows:
(ℓ1i , x1 7→ v1, x2 7→ v2, z 7→ 0)
p−v2
−−−→
(ℓ5i , x1 7→ p− v2 + v1, x2 7→ 0, z 7→ p− v2)
v2−v1−−−−→
(ℓ6i , x1 7→ 0, x2 7→ v2 − v1, z 7→ p− v1)
1
−→
(ℓ4i , x1 7→ 0, x2 7→ v2 − v1 + 1, z 7→ p− v1 + 1)
v1−1−−−→
(ℓj , x1 7→ v1 − 1, x2 7→ v2, z 7→ 0).
Clearly, the clock value in x1 has been decremented in both cases. Should the
lower branch be taken in case v1 > v2 or the upper branch in case v1 ≤ v2, we
get stuck again.
Now if the Minsky machine halts then in the constructed PTA we can reach
the accepting location ℓn for any parameter valuation γ(p) larger than the maxi-
mum value of the counters during the computation and the answer to the reach-
ability problem is hence positive. If, on the other hand, the Minsky machine
loops then there is no parameter valuation γ(p) that will allow us to reach the
location ℓn. This is due to the fact that either one of the counters exceeds the
chosen parameter value and we get stuck or the computation will continue for
ever and never reach ℓn. ⊓⊔
B Appendix: Proof of Theorem 2
Theorem 2. The reachability and safety problems for parametric timed automata
over integer parameters with one parametric clock in the continuous-time seman-
tics are decidable. Moreover, the reachability problem is in NEXPTIME.
15
The semantics of a 0/1-timed automaton is similar to that of a timed au-
tomaton except for the fact that the delays are explicitly given by the 0/1-delay
transitions and the valuations of clocks are natural numbers. In our case we have
only one clock, xˆp, which means that a configuration of Aˆ is a tuple (ℓ, r, α, t)
where (ℓ, r, α) is a location of Aˆ and t ∈ N0 represents the valuation of xˆp.
Note that the 0/1-delay transitions in Aˆ are always deterministic and exclu-
sive: every location (ℓ, r, α) either has an outgoing 0-delay transition or an out-
going 1-delay transition, but not both. Moreover, after a 1-delay transition there
always follows a 0-delay transition, except in the case when the 1-delay transition
ends in the unbounded region.
Recall the ι(r, α) notation for r ∈ Reg and α ∈ Cp:
ι(r, α) =


LESS α(z) = 1 and r 6|= z = 1
MORE α(z) = 0 and r 6|= z = 0
EXACT otherwise
In order to prove the correctness of our construction, we also define an aux-
iliary notion of correspondence. Let ν : (C ∪ {z})→ R≥0, r ∈ Reg, α ∈ Cp, and
t ∈ N0. We say that ν corresponds with (r, α, t) if the following holds:
1. ν↾Cˆ ∈ r;
2. ⌊ν(xp)⌋ + f(r, α) = t, where f(r, α) = 1 if ι(r, α) = LESS and f(r, α) = 0
otherwise;
3. ν(xp) ∈ N0 ⇐⇒ ι(r, α) = EXACT .
In the following, let us fix a valuation of all parameters of P . We are going to
show that all runs of A′ have corresponding runs in Aˆ and vice versa. Note that
due to the construction of A′, we shall ignore all runs in which the new clock z
becomes larger than 1, as such situations are effectively deadlocks.
Lemma 3. Let (ℓ, ν) be a configuration of A′ with ν(z) ≤ 1, let (ℓ, ν)
d
−→ (ℓ, ν+d)
be a delay transition with d ∈ [0, 1− ν(z)], and let (r, α, t) ∈ Reg ×Cp×N0 such
that ν corresponds with (r, α, t). Then (ℓ, r, α, t) −→∗ (ℓ, r′, α′, t′) such that ν + d
corresponds with (r′, α′, t′).
Proof. For simplicity, we assume that d is small enough in the following sense:
Either ν and ν+d (restricted to clocks of Cˆ) are in the same region, or the region
of ν+d is a successor of the region of ν. This comes without loss of generality, as
every delay transition can be split into finitely many such small delay transitions.
We also assume that d > 0.
If both ν↾Cˆ and (ν+ d)↾Cˆ belong to r then clearly ⌊ν(xp)+ d⌋ = ⌊ν(xp)⌋ and
neither of ν(xp) and ν(xp) + d belong to N0. This means that ν + d corresponds
with (r, α, t).
Let us now assume that ν↾Cˆ ∈ r and (ν + d)↾Cˆ ∈ r
′ where r′ is the successor
of r. There are two possibilities depending on whether (ℓ, r, α) has a 0-delay or
a 1-delay transition.
16
If (ℓ, r, α)
0
−→ (ℓ, r′, α), this means that also (ℓ, r, α, t)
0
−→ (ℓ, r′, α, t). We show
that ν + d corresponds with (r′, α, t). Condition 1 is clearly satisfied. To show
the satisfaction of Conditions 2 and 3, we need to discuss three cases:
– ν(z) = 0: This means that necessarily r |= z = 0 and α(z) = 0, thus
ι(r, α) = EXACT and ι(r′, α) = MORE . Therefore f(r, α) = f(r′, α) = 0
and the conditions are clearly met as ⌊ν(xp)+ d⌋ = ⌊ν(xp)⌋ and ν(xp)+ d 6∈
N0.
– ν(z) ∈ (0, 1 − d): This means that necessarily neither r nor r′ contain
a valuation with integer value for z and thus ι(r, α) = ι(r′, α) 6= EXACT .
This means that f(r, α) = f(r′, α) and the conditions are clearly met as
⌊ν(xp) + d⌋ = ⌊ν(xp)⌋ and both ν(xp), ν(xp) + d 6∈ N0.
– ν(z) = 1 − d: This means that necessarily r′ |= z = 1 and α(z) = 1, thus
ι(r, α) = LESS and ι(r′, α) = EXACT . This means that f(r, α) = 1 while
f(r′, α) = 0. We have ⌊ν(xp) + d⌋ = ⌊ν(xp)⌋ + 1 and ν(xp) + d ∈ N0, the
conditions are thus met again.
If (ℓ, r, α)
1
−→ (ℓ, r, α′) then also (ℓ, r, α′)
0
−→ (ℓ, r′, α′) as noted above (due to
the bound on ν(z), r is not the unbounded region). This means that (ℓ, r, α, t)
1
−→
0
−→
(ℓ, r′, α′, t+1). Here, α′ is the successor of α and r′ is the successor of r. We show
that ν + d corresponds with (r′, α′, t+1). Again, Condition 1 is clearly satisfied.
Note that in this case r 6|= z = 0 and α(z) = 0. This means that α′(z) = 1,
ι(r, α) = MORE , ι(r, α′) = LESS , f(r, α) = 0, and f(r, α′) = 1. This also means
that ν(z) > 0 and we only have two cases:
– ν(z) ∈ (0, 1 − d): This means that r′ 6|= z = 1 and thus ι(r′, α′) = LESS .
Condition 3 is clearly satisfied as ν(xp) + d 6∈ N0. To show that Condition 2
is satisfied, consider that f(r′, α′) = 1 and ⌊ν(xp) + d⌋ = ⌊ν(xp)⌋.
– ν(z) = 1 − d: This means that r′ |= z = 1 and thus ι(r′, α′) = EXACT .
Condition 3 is clearly satisfied as ν(xp) + d ∈ N0. To show that Condition 2
is satisfied, consider that f(r′, α′) = 0 and ⌊ν(xp)+d⌋ = ⌊ν(xp)⌋+1 = t+1.
⊓⊔
Lemma 4. Let (ℓ, ν) be a configuration of A′ with ν(z) ≤ 1, let (ℓ, ν)
a
−→ (ℓ′, ν′)
be an action transition, and let (r, α, t) ∈ Reg × Cp × N0 such that ν corre-
sponds with (r, α, t). Then (ℓ, r, α, t)
a
−→ (ℓ′, r′, α′, t′) such that ν′ corresponds
with (r′, α′, t′).
Proof. The transition (ℓ, ν)
a
−→ (ℓ′, ν′) is due to a transition ℓ
g,a,R
−−−→ ℓ′ of the
timed automaton A′ where ν |= g and ν′ = ν[R]. Let now g1, . . . , gk be all
the simple clock constraints of g that consider clocks from Cˆ and h1, . . . , hn be
the remaining simple clock constraints, as in the construction of the 0/1-timed
automaton Aˆ. We know that r |= g1 ∧ · · · gk as ν↾Cˆ ∈ r. We thus know that
(ℓ, r, α)
hˆ1∧···hˆn,a,Rˆ
−−−−−−−−→ (ℓ′, r[R \ {xp}], α[R \ {xp}]) = (ℓ′, r′, α′), where hˆi and Rˆ
are given by the construction. We first need to show that t satisfies all clock
constraints hˆi.
17
– If hi = (xp < e) then ν(xp) < e and thus ⌊ν(xp)⌋ ≤ e− 1. If ι(r, α) = LESS
then f(r, α) = 1 and t ≤ (e − 1) + 1 = e, which satisfies the constraint
hˆi = (xˆp ≤ e). Otherwise, f(r, α) = 0 and t ≤ e − 1, which satisfies the
constraint hˆi = (xˆp < e).
– If hi = (xp ≤ e) then ν(xp) ≤ e. If ν(xp) = e then ι(r, α) = EXACT . Thus
f(r, α) = 0 and t = e, which satisfies xˆp ≤ e. Otherwise, ν(xp) < e. Due to
the reasoning in the previous item, t ≤ e if ι(r, α) = LESS and t ≤ e − 1
otherwise. This means that t satisfies hˆi.
– The other two cases (>, ≥) are dealt with similarly.
We have thus shown that the transition (ℓ, r, α, t)
a
−→ (ℓ′, r′, α′, t′) exists. Here,
t′ = 0 if xp ∈ R and t′ = t otherwise.
We now show that ν′ corresponds with (r′, α′, t′). Condition 1 is clearly sat-
isfied. If t′ = t then both xp, z 6∈ R, which means that both ν(xp) and ι(r, α)
are unchanged. If t′ = 0 then xp, z ∈ R, which means that ν(xp) = 0, ι(r′, α′) =
EXACT and f(r′, α′) = 0. In both cases, ν′ corresponds with (r′, α′, t′). ⊓⊔
Lemma 5. Let (ℓ, r, α, t) be a configuration of Aˆ, let (ℓ, r, α, t)
d
−→ (ℓ, r′, α′, t′)
with d ∈ {0, 1} and r′ |= z ≤ 1, and let ν correspond with (r, α, t). Then there
exists d′ such that (ℓ, ν)
d′
−→ (ℓ, ν + d′) and ν + d′ corresponds with (r′, α′, t′).
Proof. If d = 1, we choose d′ = 0 and show that ν + 0 = ν corresponds with
(r′, α′, t+ 1). Clearly, in this case r′ = r, α(z) = 0, and α′(z) = 1, which means
that ι(r, α) = MORE while ι(r, α′) = LESS . Therefore, f(r, α) = 0, f(r, α′) = 1
and if ⌊ν(xp)⌋ = t then ⌊ν(xp)⌋+ 1 = t+ 1.
Let us now assume that d = 0. This means that α′ = α while r′ is the
successor region of r. We choose an arbitrary d′ such that (ν + d′)↾Cˆ ∈ r
′. To
show that ν + d′ corresponds with (r′, α, t), we can use the very same reasoning
as in the proof of Lemma 3. ⊓⊔
Lemma 6. Let (ℓ, r, α, t) be a configuration of Aˆ with r |= z ≤ 1, let (ℓ, r, α, t)
a
−→
(ℓ′, r′, α′, t′), and let ν correspond with (r, α, t). Then (ℓ, ν)
a
−→ (ℓ′, ν′) and ν′
corresponds with (r′, α′, t′).
Proof. The transition (ℓ, r, α, t)
a
−→ (ℓ′, r′, α′, t′) in the semantics is due to a tran-
sition (ℓ, r, α)
hˆ1∧···hˆn,a,Rˆ
−−−−−−−−→ (ℓ′, r′, α′) of the 0/1-timed automaton Aˆ, which was
constructed from a transition ℓ
g,a,R
−−−→ ℓ′ of the timed automaton A′.
Clearly, if r |= g1 ∧ · · · gk then so does ν. We also need to show that ν |=
h1 ∧ · · ·hn. We know that t satisfies hˆi for all i.
– If hi = (xp < e) then either ι(r, α) = LESS and hˆi = (xˆp ≤ e) or hˆi =
(xˆp < e). In the first case, we know that f(α, r) = 1, which means that
⌊ν(xp)⌋ + 1 = t, which implies that ν(xp) < t ≤ e. In the second case,
f(α, r) = 0 which means that ⌊ν(xp)⌋ = t and thus ν(xp) < t + 1 ≤ e as
t ≤ e− 1.
18
– If hi = (xp ≤ e) then either ι(r, α) = MORE and hˆi = (xˆp < e) or hˆi =
(xˆp ≤ e). In both cases, if t < e then t ≤ e− 1 and thus ⌊ν(xp)⌋+ f(r, α) ≤
e − 1. This means that no matter the value of f(r, α), ν(xp) < e. If, in the
second case, t = e then ⌊ν(xp)⌋+ f(r, α) = e. If f(r, α) = 1 then ν(xp) < e.
If f(r, α) = 0 then this means that ι(r, α) = EXACT and ν(xp) = e as
ν(xp) ∈ N0.
– The remaining two cases (>, ≥) are dealt with similarly.
We now need to show that ν′ = ν[R] corresponds with (r′, α′, t′). This is
shown exactly as in the proof of Lemma 4. ⊓⊔
The correctness of the construction is now a corollary of the previous four
lemmata; this proves the main theorem.
19
