In this paper we introduce a new formal model, called finite state machines with time (FSMT), to represent real-time systems. We present a model checking algorithm for FSMTs, which works on fully symbolic state sets containing both the clock values and the state variables. In order to verify timed automata (TA) with our model checking algorithm, we present two different methods to convert TAs to FSMTs. In addition to pure interleaving semantics we can convert TAs to FSMTs having a parallelized interleaving behavior which allows parallelism of transitions causing no conflicts. This can dramatically reduce the number of steps during verification. Our experimental results show that our prototype implementation outperforms the state of the art model checker uppaal.
I. INTRODUCTION
The application area of real-time systems is growing at an enormous speed, and along with it grow the complexity of such systems and the damage caused by their failure. Therefore, verification of such systems becomes more and more important. In this paper we introduce a new formal model for real-time systems, called finite state machines with time (FSMT), which is well-suited for symbolic verification algorithms. We present a fully symbolic model checking algorithm for FSMTs. In order to verify timed automata (TA) [1], [2], [4] we present a method to convert a TA into an FSMT. In addition to the normal interleaving semantics of TAs we can give a symbolic representation of an FSMT simulating a 'parallelized interleaving' behavior, which allows parallelism of transitions causing no conflicts. This parallelized interleaving behavior can dramatically reduce the number of steps during verification.
Today's state-of-the-art model checkers for TAs, like uppaal [3], [9], work on a semi-symbolic representation of the state space, the so-called difference bound matrices (DBMs). These model checkers explicitly run through all discrete locations of the TA while maintaining a symbolic representation of the reached clock values. This approach has a high performance on small TAs but cannot handle the enormous number of discrete states in large systems. Our model checking algorithm uses LinAIGs [7], [6] to describe the state space. Where DBMs combine a symbolic representation of the clock values with an explicit representation of locations, LinAIGs can represent both the continuous part (i.e. the clock values) and the discrete part (i.e. the state variables) symbolically. This allows us to handle larger systems of TAs than model checking tools using a semi-symbolic representation.
First experimental results show that our prototype implementation outperforms uppaal in both configurations, for pure interleaving behavior and for parallelized interleaving behavior. The results also indicate that for benchmarks allowing parallelized interleaving behavior this approach has a stunning performance due to reduction of the steps during verification.
The paper is organized as follows. In Sect. II we give a brief review of the well-known timed automata (TA), then we introduce the finite state machines with time (FSMT) in Sect. III. In Sect. IV we provide an insight into the functioning of our model checking algorithm. In Sect. V we introduce a method to convert a TA into an FSMT. Sect. VI is dedicated to the results where we evaluate our approach with both configurations. We conclude the paper in Sect. VII.
II. PRELIMINARIES - TIMED AUTOMATA
Real-time systems are often represented as timed automata (TA) [1], [2], [4]. TAs use clock variables X := {x_1, …, x_n}. The set of clock constraints C(X) contains atomic constraints of the form (x_i ∼ n) and (x_i − x_j ∼ n) with n ∈ Q and ∼ ∈ {<, ≤, =, ≥, >}. Let C_c(X) be the set of conjunctions over clock constraints. c ∈ C_c(X) describes a subset of (R_0^+)^n, namely the set of all valuations of the variables in X which evaluate c to true.
We consider TAs with integer variables. Let Int := {int_1, …, int_r} be a set of bounded integer variables. lb : Int → Z and ub : Int → Z assign a lower and an upper bound to each int_i ∈ Int (lb(int_i) ≤ ub(int_i)). Let Assign(Int) be the set of assignments to integer variables. The right-hand side of an assignment to an integer variable int_i may be an integer arithmetic expression over integer variables and integer constants. Let Cond(Int) be the set of constraints of the form (int_i ∼ n) and (int_i ∼ int_j) with n ∈ Z, ∼ ∈ {<, ≤, =, ≥, >} and int_i, int_j ∈ Int. 1 is labeled with a clock constraint x_i ≤ 5 which is a so-called location invariant.
Fig. 1. Timed automaton TA_i
In general, transitions in TAs are labeled with guards, actions, assignments to integers and resets of clocks. Guards are restricted to conjunctions of clock constraints and constraints on integers. Actions from Act := {a_1, …, a_k} are used for synchronization between different TAs. For our purposes they do not have a special meaning when considering one timed automaton in isolation. Transitions in different automata labeled with the same action are taken simultaneously. If a transition in a TA is not labeled by an action, then this transition can only be taken if all other TAs stay in their current location. Resets are assignments to clock variables of the form x_i := 0. Invariants in TAs are conjunctions of clock constraints assigned to locations. A TA may stay in a location as long as the location invariant is not violated. Timed automata are formally defined as follows:
where L is a finite set of locations, l 0 ∈ L is an initial location, X = {x 1 , . . . , x n } is a finite set of real-valued clock variables, Act is a finite set of actions, Int = {int 1 , . . . , int r } is a finite set of integer variables. lb : Int → Z and ub : Int → Z assign lower and upper bound to each int i ∈ Int with
× L is a set of transitions and the function Inv : L → C c (X) assigns a conjunction of clock constraints as invariant to each location. If for e = (l, g e , act, r e , assign e , l ) ∈ E it holds that act ∈ Act, then we call e a transition with a synchronizing action; if act = , then we call e a transition without synchronizing action.
Definition 2 (Semantics of a Timed Automaton) Let TA = L, l_0, X, Act, Int, lb, ub, E, Inv be a timed automaton. A state of TA is a combination of a location and a valuation of the clock variables and integer variables.
• There is a continuous transition from state s = (l,
• There is a discrete transition from state s = (l,
A timed system is a system of p timed automata {TA_1, …, TA_p}. A timed system has an interleaving semantics, i.e., transitions in different timed automata may not be taken simultaneously unless they synchronize over actions. For simplicity, we assume that only two timed automata are able to synchronize over a binary synchronization channel, i.e., we restrict ourselves to timed systems where an action may only synchronize two different TAs. The composition of p timed automata is again a timed automaton:
, r e , assign e , l ) ∈ E (i) } for each act ∈ Act. We assume that
, X, Act, Int, lb, ub, E, Inv where E is the smallest set with the following property:
, r e , assign e , (l 1 , . . . , l i , . . . , l p )) ∈ E.
• If for 1 ≤ i, j ≤ p with i ≠ j:
III. FINITE STATE MACHINES WITH TIME
Fig. 2. FSM with time
Now we present a new formal model to represent real-time systems, the finite state machines with time, which are especially suited for being represented symbolically. A finite state machine with time, to which we will refer as FSMT in this paper, is an extension of finite state machines by real-valued clock variables used to represent time. Later on, we will present a fully symbolic model checking algorithm for FSMTs and then a translation from TAs into FSMTs.
Let X := {x_1, …, x_n} be the set of real-valued clock variables, Y := {y_1, …, y_l} a set of (binary) state variables, and I := {i_1, …, i_h} a set of (binary) input variables. Let C_b(X) be the set of arbitrary boolean combinations of clock constraints and C_b(X, Y) be the set of arbitrary boolean combinations of clock constraints and state variables (similarly for n × {0, 1} l → {0, 1} is a predicate describing the set of initial states, Inv. An FSMT may perform discrete steps which are defined by transition functions δ_i based on the valuations of clocks, state variables, and inputs. When performing a discrete step, a clock x_i is reset to 0 iff reset_{x_i} evaluates to 1. Moreover, an FSMT may perform continuous steps (or time steps) where it stays in the same location but lets time pass. This means that all clocks may be increased by the same constant as long as the resulting state stays in the set described by Inv. More formally, the semantics of FSMTs is defined as follows:
• There is a discrete transition from state
• There is a continuous transition from state 
) be a mapping for the inputs of components F 1 , . . . , F p . Then the composition of F 1 , . . . , F p wrt. map is an FSMT F with
IV. MODEL CHECKING ALGORITHM
Our model checking algorithm works on an FSMT F = X, Y, I, init, (δ_1, …, δ_l), (reset_{x_1}, …, reset_{x_n}), Inv as defined in Def. 4. It checks whether a state not fulfilling a safety predicate safe ∈ C_b(X, Y) is reachable from some initial state fulfilling init. The algorithm works backwards, i.e. it starts with the state set representation ¬safe and, step by step, computes sets of states from which ¬safe can be reached. After each step it checks whether the newly reached states include some initial states. If this is the case, the safety property is not fulfilled. If the fixpoint iteration converges and the backward traversal does not reach any initial state, then the safety property holds. For computing all backwards reachable states we alternate between continuous and discrete steps.
A. Continuous step
Let Φ (x 1 , . . . , x n , y 1 , . . . , y l ) be a state set of our model checking algorithm. Then the state set after a continuous step (letting time pass) is Φ (x 1 , . . . , x n , y 1 , . . . , y l ).
We refer to the result Φ′ of the backwards continuous step as the continuous preimage Pre_c(Φ).
B. Discrete step
In our model checking algorithm the discrete step is computed from the state set Φ′ = Pre_c(Φ). The resulting state set Pre_d(Φ′) contains all predecessors of Φ′, i.e., all states from which Φ′ can be reached by a discrete transition in the FSMT. The first part of the discrete step is a substitution of the state variables and the clock constraints in the current state set representation Φ′. (Note that, as an invariant of our model checking algorithm, all computed state set representations are in C_b(X, Y), i.e., they are boolean combinations of boolean variables and clock constraints.) Each state variable y_i is substituted with its transition function δ_i:
Consider
in the constraint is reset. We use the reset conditions reset_{x_i} to determine when a clock variable x_i is reset. The substitution for each clock constraint of the form (x_i − x_j ∼ n) in the state set is then
(Of course, (0 ∼ n) reduces to the constant 0 or 1.) The substituted state set, which depends on x_1, …, x_n, y_1, …, y_l and now additionally on the inputs i_1, …, i_h, is obtained from Φ′(x_1, …, x_n, y_1, …, y_l) by substituting all state variables as shown in formula (2) and all clock constraints as shown in formula (3) simultaneously.
The second part of the discrete step is an existential quantification of the boolean input variables i_1, …, i_h in the substituted state set, followed by an intersection with the invariant Inv.
The resulting state set holds all states from which Φ′ can be reached by performing a discrete transition in the FSMT. We refer to it as the discrete preimage Pre_d(Φ′).
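As an added illustration, not code from the paper or its prototype, the following Python sketch carries out the two parts of the discrete step on a tiny tuple-based formula representation instead of LinAIGs: state-variable substitution, the case split of each clock constraint over the reset conditions (with (0 ∼ n) folded to a constant), existential quantification of the boolean inputs by enumerating their valuations, and the intersection with Inv. The FSMT, its unsafe set and the sample states are constructed here; substitution_is_sound checks on them that the substituted formula agrees with the original evaluated on the concrete successor state.

```python
import itertools
from functools import reduce

# Formulas from C_b(X, Y) as nested tuples (constructed toy encoding, not the paper's LinAIGs):
#   ("const", b) | ("var", name) | ("not", f) | ("and", f, g) | ("or", f, g)
#   ("clk", a, b, op, n): clock constraint x_a - x_b ~ n; a or b may be None and then reads as 0
OPS = {"<": lambda u, v: u < v, "<=": lambda u, v: u <= v, "==": lambda u, v: u == v,
       ">=": lambda u, v: u >= v, ">": lambda u, v: u > v}
NOT = lambda f: ("not", f)
AND = lambda *fs: reduce(lambda g, h: ("and", g, h), fs, ("const", True))
OR = lambda *fs: reduce(lambda g, h: ("or", g, h), fs, ("const", False))

def ev(f, x, env):
    """Evaluate f under clock valuation x (dict) and boolean valuation env (dict)."""
    t = f[0]
    if t == "const":
        return f[1]
    if t == "var":
        return env[f[1]]
    if t == "clk":
        _, a, b, op, n = f
        return OPS[op]((x[a] if a is not None else 0) - (x[b] if b is not None else 0), n)
    if t == "not":
        return not ev(f[1], x, env)
    if t == "and":
        return ev(f[1], x, env) and ev(f[2], x, env)
    return ev(f[1], x, env) or ev(f[2], x, env)

def subst(f, delta, reset):
    """First part of the discrete step: each y_k is replaced by delta_k and each clock
    constraint is split into cases over the reset conditions of the clocks it reads."""
    t = f[0]
    if t == "var":
        return delta.get(f[1], f)                              # input variables stay
    if t == "clk":
        _, a, b, op, n = f
        ra = reset[a] if a is not None else ("const", False)
        rb = reset[b] if b is not None else ("const", False)
        return OR(AND(ra, rb, ("const", OPS[op](0, n))),       # both reset: (0 ~ n)
                  AND(ra, NOT(rb), ("clk", None, b, op, n)),   # only x_a reset: (-x_b ~ n)
                  AND(NOT(ra), rb, ("clk", a, None, op, n)),   # only x_b reset: (x_a ~ n)
                  AND(NOT(ra), NOT(rb), f))                    # no reset: unchanged
    if t in ("not", "and", "or"):
        return (t,) + tuple(subst(g, delta, reset) for g in f[1:])
    return f

def fix_inputs(f, assignment):
    """Replace the input variables listed in assignment by constants."""
    if f[0] == "var" and f[1] in assignment:
        return ("const", assignment[f[1]])
    if f[0] in ("not", "and", "or"):
        return (f[0],) + tuple(fix_inputs(g, assignment) for g in f[1:])
    return f

def pre_d(phi, fsmt):
    """Second part: quantify the boolean inputs existentially by enumerating their
    valuations, then intersect with the invariant. Returns Pre_d(phi) as a formula."""
    phi_s = subst(phi, fsmt["delta"], fsmt["reset"])
    cases = [fix_inputs(phi_s, dict(zip(fsmt["inputs"], bits)))
             for bits in itertools.product([False, True], repeat=len(fsmt["inputs"]))]
    return AND(OR(*cases), fsmt["inv"])

def post(x, env, fsmt):
    """Concrete successor of (x, env) under one discrete step; used to validate subst."""
    x2 = {c: 0 if ev(r, x, env) else x[c] for c, r in fsmt["reset"].items()}
    env2 = dict(env, **{y: ev(d, x, env) for y, d in fsmt["delta"].items()})
    return x2, env2

def substitution_is_sound(phi, fsmt, samples):
    """Check subst(phi)(x, y, i) <-> phi(post(x, y, i)) on concrete sample states."""
    phi_s = subst(phi, fsmt["delta"], fsmt["reset"])
    return all(ev(phi_s, x, env) == ev(phi, *post(x, env, fsmt)) for x, env in samples)

# Constructed toy FSMT: one clock x, one state bit y, one input i1. The step to y=1 is
# taken when i1 holds and x >= 2 and resets x; once y=1 the machine stays there.
Y = ("var", "y")
GO = AND(("var", "i1"), ("clk", "x", None, ">=", 2))
FSMT = {"inputs": ["i1"],
        "delta": {"y": OR(Y, GO)},
        "reset": {"x": AND(NOT(Y), GO)},
        "inv": OR(Y, ("clk", "x", None, "<=", 5))}
PHI = AND(Y, ("clk", "x", None, "<=", 1))                      # unsafe set: y=1 with x <= 1
PRE = pre_d(PHI, FSMT)                                         # one discrete step before PHI
SAMPLES = [({"x": xv}, {"y": yv, "i1": iv})
           for xv in (0.5, 1, 2, 3, 6) for yv in (False, True) for iv in (False, True)]
```

The continuous step of Sect. IV-A needs quantifier elimination over the real clock values and is not covered by this sketch.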
C. Algorithm
Algorithm 1 Model checking algorithm
Φ_0 := ¬safe; Φ_collect := 0; i := 0
Our model checking algorithm is a backwards model checking algorithm, starting with ¬saf e as mentioned above. The main loop consists of a continuous step defined in Sect. IV-A and a discrete step defined in Sect. IV-B. After each of these steps we test whether one of the initial states was reached. The main loop is left when an initial state was reached (which means that the safety property is violated) or when a fixpoint is reached (which means that the safety property holds).
D. Implementation
We implemented a prototype of the model checking algorithm using LinAIGs [7], [6], [12] for representing sets of states. LinAIGs are able to provide a compact representation for arbitrary boolean combinations of linear constraints and boolean variables (which of course include the formulas from C_b(X, Y)). LinAIGs contain both a boolean and a continuous part. The boolean part of LinAIGs is represented by functionally reduced AIGs (FRAIGs) [10], [11], which are boolean circuits consisting only of AND gates and inverters. 'Functionally reduced' means that every node in the FRAIG represents a unique boolean function. In order to represent the continuous part, LinAIGs use a set of boolean constraint variables Q where each linear constraint is encoded by some q_l ∈ Q. For keeping the overall representation as compact as possible, LinAIGs make heavy use of SMT solvers [5], [8]. LinAIGs support quantification of boolean and real variables, which makes them a very powerful data structure that fits exactly the technical needs of our implementation. Moreover, since in our application the linear constraints are restricted to clock constraints, we do not need SMT solvers for full linear arithmetic, but only for difference logic, which can be solved much more efficiently. This makes the LinAIG approach even more effective.
V. FROM TIMED AUTOMATA TO FSMTS
In order to be able to verify systems of TAs using the framework presented so far, we present how to convert a system of TAs into an FSMT.
Components of FSMTs run in parallel, whereas components of TAs run asynchronously (one after the other) according to the interleaving semantics (unless parallelism is enforced by synchronization actions). In our translation we consider two different implementations of the interleaving semantics of TAs. At first, in Sect. V-B, we show how to transform a TA into an FSMT keeping its pure interleaving behavior. Then, in Sect. V-C, we present how to convert a TA into an FSMT with a parallelized interleaving behavior, in which we allow, in addition to single steps of components according to the interleaving semantics, parallelism for transitions causing no conflicts when taken in parallel. The different conflicts possible with parallelized interleaving behavior are also described in Sect. V-C. The motivation for the parallelized interleaving variant is an accelerated state space traversal.
A. First steps of translation
We consider a system of p timed automata {T A 1 , . . . , T A p }. The locations of timed automaton T A q (1 ≤ q ≤ p) are encoded with boolean variables y
(the location bits) for which we use a logarithmic encoding with l q = log (L q ) . The sets of location bits of two different TAs are disjoint. The integer variable int i with (1 ≤ i ≤ r) occurring in the timed system is replaced by a binary encoding of boolean variables b
(the integer bits). As lb (int i ) and ub (int i ) are known for all (1 ≤ i ≤ r), the number of integer bits f i needed to represent int i is also known.
The location bits and the integer bits together form the set of state bits {y 1 , . . . , y l }.
The location invariants in a TA can be merged into one condition for the complete automaton of the form Inv lq , x 1 , . . . , x n (by a simple conjunction of one implication for each location with the meaning 'if T A q is in location l, then the location invariant of l holds').
A timed automaton T A q with (1 ≤ q ≤ p) has a total of m q := |E q | transitions. Assume that transition i is a transition with the discrete location i (x 1 , . . . , x n ) and a reset set r
is extended by the constraint that the source of its corresponding edge is
, . . . ,
, i.e., it is changed to the new guard g
Moreover, a transition i in T A q may be labeled with a synchronization action a q,i . How to treat these actions is shown in section V-B for interleaving behavior and in section V-C for parallelized interleaving behavior. The following modifications which have to be done to convert a TA into an FSMT depend on whether we want to have pure interleaving behavior or parallelized interleaving behavior.
B. Modifications for Pure Interleaving Behavior
In order to use the model checking algorithm with pure interleaving behavior, it has to be assured that at any time only one TA may take a transition while the others remain in their current location, unless of course two TAs synchronize. We have two kinds of transitions which have to be considered separately:
• For transitions without synchronization actions it has to be ensured that transitions of two different TAs are not enabled at the same time. For this we use new input variables {e l−1 , . . . , e 0 }, l = log (p) in a system of p timed automata and we add different assignments for these new input variables to the guards of such transitions: For each transition i in a timed automaton T A q which is not labeled with a synchronization action we add these input variables to the guard g
and get a new guard g
with bin (q) = (q l−1 , . . . , q 0 ). bin (q) is the binary representation of q.
• For transitions labeled with a synchronization action we cannot use the previous modification, as this would cause the synchronized transitions not to be enabled at the same time. Let us assume that transition i in TA_q and transition j in TA_k are labeled with the same action a_{(q,i),(k,j)}. Then A_{a_{(q,i),(k,j)}} = {TA_q, TA_k} with bin(k) = (k_{l−1}, …, k_0) and bin(q) = (q_{l−1}, …, q_0).
To assure synchronization without the use of actions we extend the guards of the synchronized transitions. The new guard of transition i in T A q and of transition j in T A k is g
. This allows us to realize synchronization without using actions simply by the fact that one component may read the state bits and inputs of another component. Since for an FSMT we have to define transition functions, we have to avoid the case that there is a state where no transition into a successor state is enabled. For this reason we introduce a self loop to every location in each timed automaton T A q . The self loop of a location l i gets as guard the conjunction
it has not to be taken; the automaton can choose to stay in the current location. Additionally, when more than one transition is enabled at the same time it is chosen non-deterministically which one is taken. To establish determinism in a TA we use new input variables. For a set of t transitions with the same source and non-disjoint guards we need log (t) input variables to make the guards disjoint. These input variables can be shared within a TA but must not be shared among different TAs. A timed automaton T A q requires t (q) = log t (q) max input variables to guarantee determinism, where t
max is the maximum of non-disjoint transitions with the same source.
After these transformations we can build the transition functions, reset conditions and invariant to get an FSMT representation of the timed system with pure interleaving behavior. This is shown in section V-D.
C. Modifications for Parallelized Interleaving Behavior
In the previous section we have seen which modifications have to be done to convert a timed system into a system of FSMTs with pure interleaving behavior. In this section we show what has to be done to get a system of FSMTs with parallelized interleaving behavior. To this end, several conflicts have to be solved.
Fig. 3. Conflicts caused by parallel behavior. (a) Read/write problem on clocks. (b) Read/write problem on integers.
• In a parallelized interleaving run there may be conflicts caused by resets of clock variables. Consider the timed system shown in Fig. 3(a) which consists of components TA^(1) and TA^(2). When parallel transitions of two components are allowed, the state s
2 , s
2 , 0, 0 is reachable from state s (1) takes the transition leaving its initial state first, then it resets the clock y and y will never be larger than 1. Thus the transition of T A (2) from s
will never be enabled and T A (2) always stays in its initial location. (A similar observation holds for the case that T A (2) is executed first.) To avoid the problem of reaching more states than allowed by the semantics of interleaving, we force the timed system to simulate a pure interleaving behavior in such cases by adding input variables. For each clock variable x t ∈ {x 1 , . . . , x n } we use one new input variable i t . The guard of a transition i in T A q resetting the clock variable x t is then enlarged to g
∧ ¬i t and the guard of a transition j in T A k with a clock constraint over x t is then g
Thus no transition reading the value of clock x t is enabled at the same time as a transition resetting x t .
• Another conflict of the same type may occur with integers. It is obvious that two transitions updating the same integer int i must not be taken in parallel because of write/write problems. But, just as we have seen for clock variables there may also be read/write conflicts on integer variables. In the timed system consisting of T A (3) and T A (4) shown in Fig. 3 (b) the state s
is not reachable according to interleaving semantics. However, it is reachable if transitions can be taken in parallel. Just as for the read/write conflict on clock variables, we force the timed system to take an interleaving behavior for transitions causing conflicts on integer variables. We introduce write-enable numbers for integers. Assume integer int_i is written in q timed automata TA_{i_1}, …, TA_{i_q}; then the write-enable number for int_i is:
To encode we_{int_i} we need log(q + 1) input variables. The guard of each transition reading the value of integer int_i is extended by 'we_{int_i} = bin(0)'. Each guard of a transition in TA_{i_k} (1 ≤ k ≤ q) which updates int_i is extended by 'we_{int_i} = bin(k)'. This makes it impossible that two TAs write int_i at the same time, since the corresponding guards cannot be enabled at the same time. Equally, it is impossible that any integer variable is read and updated in the same discrete transition. The synchronization is handled in a similar way as we have seen in Sect. V-B for pure interleaving behavior. We use the ability of an FSMT to read the state bits and inputs of another FSMT to force two transitions to be taken simultaneously. Let us assume that transition i in TA_q and transition j in TA_k are labeled with the same synchronization action a_{(q,i),(k,j)}. Then A_{a_{(q,i),(k,j)}} = {TA_q, TA_k}, and the guards of both transitions are changed to g
j . The action a_{(q,i),(k,j)} is no longer needed to synchronize the transitions. Both components in the system synchronize by reading each other's state bits and inputs.
Parallelized interleaving is introduced to accelerate model checking runs by reaching certain states faster. But of course, we should not lose intermediate states of interleaved executions. For that reason we give each component the non-deterministic choice to stay in its current location during a discrete step. For this we introduce a self loop with guard 'true' to every location in the automaton. By taking this transition the automaton does not leave the current location and makes no assignments to clocks or integer variables. Then, to introduce determinism, we do the same modifications using input variables as we have done for pure interleaving behavior in Sect. V-B.
The resulting system is deterministic and has a parallelized interleaving behavior. In the following section we show how to compute transition functions, reset conditions and a global invariant.
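As an added example (not the paper's translation code), the following Python sketch computes the extra guard conjuncts of Sect. V-C for every transition of a constructed timed system and checks that each conflicting pair of transitions from different TAs can no longer be enabled in one discrete step, while independent transitions stay parallel. It abstracts the log(q + 1) input bits of a write-enable number to one integer-valued input we_v, uses i_c for the input variable of clock c and loc_q for the location bits of TA_q; the field names of the system description are assumptions of this sketch.

```python
import itertools

# Constructed encoding (not the paper's): a transition's extra guard is a dict that maps an
# input variable (we_v, i_c) or another component's location bits (loc_q) to the value it
# requires. Two guards can hold in the same input valuation iff they agree on shared keys.

def writer_index(system):
    """Map each integer variable to the ordered list of automata updating it (k = 1..q)."""
    writers = {}
    for q, ta in enumerate(system):
        for t in ta["transitions"]:
            for v in t.get("writes", ()):
                if q not in writers.setdefault(v, []):
                    writers[v].append(q)
    return writers

def parallel_guards(system):
    """Extra guard of each transition (q, i). Transitions sharing an action get the union
    of both guards, so they read each other's location bits and inputs (binary sync)."""
    writers = writer_index(system)
    extra, by_action = {}, {}
    for q, ta in enumerate(system):
        for i, t in enumerate(ta["transitions"]):
            g = {"loc_%d" % q: t["src"]}                      # own source location (Sect. V-A)
            for c in t.get("resets", ()):
                g["i_" + c] = False                           # resets clock c: g ∧ ¬i_c
            for c in t.get("reads_clocks", ()):
                g["i_" + c] = True                            # reads clock c: g ∧ i_c
            for v in t.get("writes", ()):
                g["we_" + v] = writers[v].index(q) + 1        # k-th writer: we_v = bin(k)
            for v in t.get("reads", ()):
                g["we_" + v] = 0                              # reader: we_v = bin(0)
            extra[(q, i)] = g
            if t.get("action"):
                by_action.setdefault(t["action"], []).append((q, i))
    for pair in by_action.values():
        merged = {k: v for key in pair for k, v in extra[key].items()}
        for key in pair:
            extra[key] = merged
    return extra

def compatible(g1, g2):
    """Two extra guards can be enabled in the same input valuation iff they agree on shared keys."""
    return all(g1[k] == g2[k] for k in g1.keys() & g2.keys())

def conflicts(system, t1, t2):
    """Conflict in the sense of Sect. V-C: write/write or read/write on an integer, or a
    clock reset by one transition and read by the other."""
    a = system[t1[0]]["transitions"][t1[1]]
    b = system[t2[0]]["transitions"][t2[1]]
    s = lambda t, k: set(t.get(k, ()))
    return bool(s(a, "writes") & (s(b, "writes") | s(b, "reads")) or s(b, "writes") & s(a, "reads")
                or s(a, "resets") & s(b, "reads_clocks") or s(b, "resets") & s(a, "reads_clocks"))

def conflicting_pairs_are_serialized(system):
    """Every conflicting pair of transitions from different TAs gets incompatible guards,
    so such a pair can only be taken one after the other, as under pure interleaving."""
    extra = parallel_guards(system)
    return all(not compatible(extra[u], extra[v]) for u, v in itertools.combinations(extra, 2)
               if u[0] != v[0] and conflicts(system, u, v))

# Constructed timed system in the spirit of Fig. 3: TA_0 resets clock y while TA_1 reads it;
# TA_2 writes integer n while TA_3 reads it; TA_4 and TA_5 synchronize on action "go".
SYSTEM = [
    {"transitions": [{"src": 0, "dst": 1, "resets": ["y"]}]},
    {"transitions": [{"src": 0, "dst": 1, "reads_clocks": ["y"]}]},
    {"transitions": [{"src": 0, "dst": 1, "writes": ["n"]}]},
    {"transitions": [{"src": 0, "dst": 1, "reads": ["n"]}]},
    {"transitions": [{"src": 0, "dst": 1, "action": "go"}]},
    {"transitions": [{"src": 0, "dst": 1, "action": "go"}]},
]
EXTRA = parallel_guards(SYSTEM)
```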
D. Computation of a symbolic representation
As a last component of the FSMT computed from timed automata TA_1, …, TA_p, we compute the global invariant Inv simply as the conjunction of all local invariants Inv^(q). The transition functions, reset conditions, and the invariant provide a fully symbolic representation of the corresponding FSMT. Our model checking algorithm uses this representation to perform fully symbolic model checking.
VI. EXPERIMENTAL RESULTS
Table I shows the results of our prototype on three different benchmarks. We ran our prototype with pure interleaving behavior (FSMT MC interleaving) and with parallelized interleaving behavior (FSMT MC parallel) and compare the results to uppaal. We conducted all experiments on a 16-core AMD Opteron with 1.2 GHz and 64 GB RAM, with a time limit of 3600 seconds and a memory limit of 2 GB.
The first benchmark is a system consisting of n TAs TA_1, …, TA_n as shown in Fig. 1 with
(which is reachable from the initial states). Comparing pure interleaving and parallelized interleaving, we can observe an enormous performance gain for parallelized interleaving due to a reduction of the number of steps in state space traversal. Our algorithm with parallelized interleaving behavior can finish state space traversal just after one step by taking the transition s
for all i in parallel. Our algorithm with pure interleaving behavior computes in one step for each state reached so far all the predecessors reachable by one backwards step of an arbitrary automaton. Thus in this simple example it needs n steps for a system with n processes. Uppaal performs much worse on this example, since it works on an explicit representation of locations and it computes all possible permutations of enabled transitions step by step.
The second benchmark is the well-known Fischer protocol [13]. As we can see in Table I, the results of our algorithm with a pure interleaving behavior are better than the results with a parallelized interleaving behavior. This is caused by the fact that the Fischer protocol does not allow parallel behavior. Even if we run our model with a parallelized interleaving behavior, a pure interleaving behavior is simulated due to the write-enable numbers for the integer variable used in the benchmark. These additional inputs of the write-enable numbers, which have to be quantified in the discrete step, are responsible for the loss of performance. But in both configurations, for pure interleaving and for parallelized interleaving behavior, our symbolic model checking algorithm can solve systems with many more processes than uppaal.
The last benchmark is shown in Fig. 4. It consists of a counter for an integer id, a distributed arbiter with n components, and n processes. The arbiter guarantees that only one process can enter a critical region. The counter determines which process is allowed to enter this region, and once a process i enters it, the arbiter component i blocks the counter so that no other process may take a transition to a critical location. arbiter(i) and process(i) communicate over the actions enter_i and exit_i. The counter communicates with all arbiter components over the integer id.
The property which is verified in this benchmark is n i=1 crit (i) , which is not reachable. As we can see in Table I, our model checking algorithm is able to handle many more processes than uppaal. As this benchmark allows parallel behavior, our model checking algorithm with parallelized interleaving performs best and can solve up to 17 processes, where uppaal runs into the timeout of 3600 seconds already for 7 processes.
VII. CONCLUSIONS
We presented a new formal model to represent real-time systems, the finite state machine with time, which is well-suited for symbolic verification algorithms. We presented a backwards model checking algorithm to verify these FSMTs. In order to verify TAs with our algorithm we presented two different methods to convert TAs into FSMTs. The resulting FSMT has either a pure interleaving behavior or a parallelized interleaving behavior, which can dramatically reduce the number of verification steps for certain benchmark classes and brings an enormous gain in performance. We implemented a prototype of our model checking algorithm and tested it on several benchmarks. The results show that for benchmarks allowing parallelized interleaving behavior our model checking algorithm produces stunning results. On other benchmarks like the well-known Fischer protocol, the variant using pure interleaving still outperforms the state-of-the-art tool uppaal due to our fully symbolic approach.
