Introduction
For the formal specification and verification of real-time systems we use the modular formalism Cottbus Timed Automata (CTA), which is an extension of timed automata [AD94] . Matrix-based algorithms for the reachability analysis of timed automata are implemented in tools like Kronos, Uppaal, HyTech and Rabbit. A new BDD-based version of Rabbit, which supports also refinement checking, is now available.
For the representation of the models we use an integer semantics for closed timed automata. Using this discretization, we are able to use a unique representation of the discrete state space (given by the locations) and the continuous state space (given by the clocks). We use an estimate-based strategy for variable ordering which dramatically compresses the BDD representation of the transition relation and the reachable configurations and thus leads to much more efficient verification.
The restricted applicability of reachability analysis due to the high time complexity of the analysis for large models leads to the need of refinement checking for verification. We implemented an algorithm for checking the existence of a simulation relation to investigate the opportunities of refinement checking for Cottbus Timed Automata.
Section 2 introduces our notation for modular modeling of real-time systems: we recall the formal definition of timed automata and our integer semantics for closed timed automata. In Sect. 3 we describe our implementation of reachability analysis and, in more detail, in Sect. 4 we define the corresponding refinement checking. In Sects. 3 and 4, we present performance results for some example models.
Cottbus Timed Automata
We start with an informal definition of Cottbus Timed Automata (CTA), which is a modeling concept providing means for modular design [BR98] . A formal definition and the complete semantics of CTA are given in [BR01] . A CTA system description consists of a set of modules. One of them is the top module, which models the whole system. The other modules are used as templates. They can be instantiated several times in different modules. Thus, it is possible to express a hierarchical structure of the system, and to define replicated components of a system just once. Each module is named by an identifier. (1) The interface contains the declarations of clock variables and synchronization labels, each of them has a restriction type to control the access to the component. We distinguish the restriction types INPUT, OUTPUT, MULTIPLY RESTRICTED, and LOCAL. (2) A module contains a timed automaton as defined below. (3) The initial condition is a predicate over the module's variables and locations. (4) A module may contain instances of previously defined modules.
We now define closed timed automata and their integer semantics. Clock constraints are allowed as invariants and guards of a timed automaton. Let X be a set of clocks. Atomic clock constraints over X are comparisons of a clock with a time constant from N, the set of natural numbers (including 0). Clock constraints are conjunctions of atomic clock constraints. Formally, the set Φ(X) of clock constraints over X for closed timed automata is generated by ϕ := x ≤ c | x ≥ c | ϕ ∧ ϕ, with x ∈ X and c ∈ N. For closed timed automata it is sufficient to use only integer clock values for the computation of reachable locations.
The clock assignments Val I (X ) of X are the total functions from X into the set of natural numbers N. For a clock constraint ϕ ∈ Φ(X), [[ϕ] ] denotes the set of all clock assignments of X that satisfy ϕ. The clock assignment which assigns the value 0 to all clocks is denoted by v 0 . For a timed automaton A with a clock x, C A (x) denotes the greatest constant to which x is compared within a clock constraint of A. A
, where L is a finite set of locations, L 0 ⊆ L is a set of initial locations, X is a finite set of clocks, Σ with Σ ∩ N = ∅ is a finite set of synchronization labels, I is a total function that assigns an
represents a transition labeled with synchronization label a from location l to location m. The guard ϕ has to be satisfied to enable the switch. The switch resets all clocks in Y to the value 0.
The semantics of a timed automaton is defined by associating a transition system with
with the following timed and discrete transitions:
In the following we define runs and reachable configurations for a transition sys-
denotes the set of runs of T. The configuration s k is reachable. Reach(T) denotes the set of reachable configurations (shorter: reachable set) of T.
In our tool implementation we use the integer semantics for closed timed automata as defined above. This integer semantics is equivalent to the usual, continuous one regarding the set of reachable locations. More details and a formal proof are given in [Bey01] . To verify safety properties of a CTA model we provide two techniques: reachability analysis and refinement checking as described in the following two sections.
Reachability Analysis
For verification of a safety property, i.e. whether a configuration of a special set of invalid configurations is reachable or not, we compute at first the set of reachable configurations. Secondly, we intersect the reachable set with the set of invalid configurations. If the intersection is empty, then the safety property is fulfilled. Variants of this algorithm are possible for speed-up, e.g. on-the-fly analysis. We extended our existing matrixbased model checker Rabbit by the BDD-based reachability analysis of closed timed automata. Experience with finite automata shows that the efficiency critically depends on the choice of several parameters. In this section we sketch how our implementation determines these parameters.
Variable Ordering. We take the pre-order linearization of the CTA model as initial variable ordering. This implies that we consider the modeler's decision to encapsulate some components together within one module, i.e. local components of a module are assigned to neighboring positions within the variable ordering. Then we apply another heuristic to optimize the ordering respecting a size estimate for the BDD of the set of reachable configurations, which is derived from our upper bound for the transition relation as described and proven in [Bey01] .
Partial Transition Relations. Usually the transition relation → is represented as implicit union of a timed transition relation Examples. In the following we report some performance results. All the computation times obtained using our tool are given in seconds of CPU time on a SUN Ultra-Sparc 1 with 200 MHz processor and 64 MB memory. The results of the BDD-based version of Kronos are taken from [BMPY97] and also obtained using a SUN Ultra-Sparc-1.
The BDD-based version of Kronos is able to verify 14 processes of Fischer's mutex protocol. Rabbit needs 13.6 s computation time for the same model. The verification of 32 processes needs 208 s. We are able to verify even the model with 128 of Fischer's processes using 512 MB memory in 9168 s. Rabbit needs 6 s to compute the whole set of reachable configurations of the AND model with 4 inputs as mentioned in [BMPY97] . Kronos needs 324.7 s for this model. Out tool is able to verify the AND model up to 16 inputs in 1209 s. Another example is the little 'two state' example from [BMPY97] , for which they report to handle up to 9 automata. Rabbit computes all rechable configurations of 64 two state automata (having 2.2 · 10 88 configurations) in 94 s. We used on-the-fly analysis for this example, which increases dramatically the performance of models consisting of mostly independent components. For more details about the on-the-fly algorithm see [BN01] .
Refinement Checking
The intuition behind our refinement concept is an assumption/guarantee principle. We describe it with respect to our formalism: A refinement relation (P refines Q) for CTA modules P and Q has to fulfill the following properties (M denotes a module, M.GI, M.GO, M.GM R denotes the module's sets of synchronization labels declared as INPUT, OUTPUT, MULTREST, respectively): (1) Q.GI ⊆ P.GI. The occurrence of a synchronization label g as input in a module M means that M guarantees that g is not restricted in M. This clearly is a guarantee. Thus each input label of the specification should be an input label of the implementation. (2) P.GO ⊆ Q.GO. The occurrence of a synchronization label g as output in a module M means that M assumes that g is not restricted in the environment. The implementation should not make more assumptions than the specification, thus each output label of the implementation should also be an output label in the specification. (3) Q.G−Q.GL = P.G−P.GL. The synchronization labels of a module M can be partitioned into a set of interface labels (M.GI ∪M.GO∪M.GM R), and a set of local labels (M.GL). Interface labels are those via which M can communicate with the environment. (4) E P ⊆ E Q . The external trace set E P (defined below) of the labeled transition system generated by P is a subset of the external trace set E Q of the labeled transition system generated by Q. The intuition is that the occurrence of a trace t in E Q means that E Q allows the system behavior t, and the refinement should not allow more behaviors than the specification.
Let (a 0 , a 1 , a 2 , . . . ) of elements of M.G ∪ N. For each element a k of the trace the following must hold: There exists a run (s 0 , s 1 
We use a simulation relation for the algorithmic analysis of refinement within our tool implementation. To define timed simulation we need the notion of external transitions and external traces. After this we can proceed with the algorithm for the simulation check. We use the concept of safety simulation relation as described in [DHWT92] . (a 0 , a 1 , a 2 , . . . ) of elements of (M.G \ M.L) ∪ N is an external trace, if for  each a k there exists a sequence (s 0 , s 1 , . . . , s k+1 
with s i a M s i+1 for all i ∈ {0, 1, . . . , k}. It hides synchronization labels of internal discrete transitions.
A transition system Q simulates a transition system P if Q can match every step of P by a step with the same label. We define timed simulation for labeled transition systems as follows: The labeled transition system
and -all initial configurations of P are contained within the simulation relation:
The algorithm of the simulation check is shown in Fig. 1 . For the composition of P and Q we compute the set of reachable configurations. We consider this set of tuples (p, q) as the initial relation for trying to build a simulation relation between P and Q. Then, in each cycle of a fixed point iteration we assume that it is a simulation relation and we check whether all configurations of the set fulfill the simulation condition from the definition above. Differing from the definition, we use the transition relation of the product P||Q, which is already computed in our approach. (The computation of the reachable set needs more time than checking the simulation relation if using P||Q.) If there are 'bad' configurations we have to invalidate our assumption that it is already the simulation relation and we eliminate them from the relation. If we reached the fixed point (i.e. our assumption was true) we got the simulation relation. If the algorithm eliminates some of the initial configurations of P from the relation there cannot exist a simulation relation and the algorithm aborts. If we reached the fixed point (i.e. our assumption was true) we got the simulation relation.
Note. Modules P and Q are not allowed to contain variables within their interfaces (shared variables). The simulation check considers only synchronization labels regarding external traces.
Production Cell Example. To validate the practical relevance of our tool using a complex system, we developed a CTA model of a production cell, which is similar to the Lewerentz/Lindner production cell from FZI. The system consists of 20 machines and belts with 44 sensors and 28 motors. We modeled the system as modular composition of several belts, turntables and machines, including 45 timed automata containing 22 clocks. For the measurement of the throughput, i.e. how long does a piece need to go through the production cycle, we modeled each belt to be able to measure the time of transportation using a clock. For the verification process we can fade out some details of the machines. To verify a safety property, e.g. 'the drilling machine must be off if the transport belt is not off', we verify at first that the timed version of the transport belt implements an untimed version by checking the existence of a simulation relation. Now we can verify the safety property of the model using that smaller untimed version for transport belts. The analysis of the safety property of the system using a timed model for the sensor instances needs 1098 s. Using an untimed version for the transport belts, the same task needs only 556 s. It shows that an abstraction within one small part of the system has a big impact on the computation time. The computation time for the simulation check is 0.5 s because the belt model is a small part of the whole system.
