Turkish Journal of Electrical Engineering and Computer Sciences
Volume 29

Number 3

Article 28

1-1-2021

Control synthesis for parametric timed automata under
reachability
EBRU AYDIN GÖL

Follow this and additional works at: https://journals.tubitak.gov.tr/elektrik
Part of the Computer Engineering Commons, Computer Sciences Commons, and the Electrical and
Computer Engineering Commons

Recommended Citation
GÖL, EBRU AYDIN (2021) "Control synthesis for parametric timed automata under reachability," Turkish
Journal of Electrical Engineering and Computer Sciences: Vol. 29: No. 3, Article 28. https://doi.org/
10.3906/elk-2007-170
Available at: https://journals.tubitak.gov.tr/elektrik/vol29/iss3/28

This Article is brought to you for free and open access by TÜBİTAK Academic Journals. It has been accepted for
inclusion in Turkish Journal of Electrical Engineering and Computer Sciences by an authorized editor of TÜBİTAK
Academic Journals. For more information, please contact academic.publications@tubitak.gov.tr.

Turkish Journal of Electrical Engineering & Computer Sciences
http://journals.tubitak.gov.tr/elektrik/

Research Article

Turk J Elec Eng & Comp Sci
(2021) 29: 1751 – 1764
© TÜBİTAK
doi:10.3906/elk-2007-170

Control synthesis for parametric timed automata under reachability
Ebru AYDIN GOL∗
Department of Computer Engineering, Faculty of Engineering, Middle East Technical University, Ankara, Turkey
Received: 30.07.2020

•

Accepted/Published Online: 20.01.2021

•

Final Version: 31.05.2021

Abstract: Timed automata is a fundamental modeling formalism for real-time systems. During the design of such
real-time systems, often the system information is incomplete, and design choices can vary. These uncertainties can
be integrated to the model via parameters and labelled transitions. Then, the design can be completed by tuning the
parameters and restricting the transitions via controller synthesis. These problems, namely parameter synthesis and
controller synthesis, are studied separately in the literature. Herein, these are combined to generate an automaton
satisfying the given specification by both parameter tuning and controller synthesis, thus exploring all design choices.
First, it is shown that the negative decidability results derived for the parameter synthesis problem apply to the proposed
problem. Then, a specific version of the problem is studied, where the specification is to reach a target set and
parameters can take values from bounded integer sets. An algorithm based on depth first analysis combined with
an iterative feasibility check is presented to solve the proposed problem. The correctness and the completeness (under
mild assumptions) of the developed algorithm are proven. The findings of the paper are illustrated on an example drawn
from scheduling.
Key words: Timed automata, decidability, control, parameter synthesis

1. Introduction
Designing real-time systems with correctness guarantees is a diﬀicult process. Formal mathematical models,
such as timed automata (TA), are developed for modeling and verification of real-time systems [1]. A timed
automaton extends a finite automaton with a set of real-valued clock variables that measure the time. The
clocks can be reset and tested. Thus the constraints over the time passed since the occurrence of an event of
interest can be easily represented. Some of the examples of TA models of real-time systems are scheduling of
real-time systems [2–4], medical devices [5, 6], and rail-road crossing systems [7].
The correctness of a timed automaton model against a specification can be verified via model checking.
It is implemented in various off-the-shelve tools, such as UPPAAL [8], Imitator [9], HyTech [10], and it is
applied on industrial case studies [8, 10, 11]. Model-checking can be performed once a complete TA model
is obtained, and a negative verification result requires the designer to modify the final, possibly complicated,
model. During the design phase, the system information can be incomplete and timing constants can be varied.
In parametric timed automata (PTA) such uncertainties are modeled with parameters in place of the timing
constants. For PTA, the design is completed via parameter synthesis: find a set of parameters such that the
resulting model satisfies the specification. However, almost all nontrivial parameter synthesis problems are
undecidable [12]. For example, for a parametric timed automaton, synthesis of parameters for reaching a set
∗ Correspondence:

ebrugol@metu.edu.tr

1751
This work is licensed under a Creative Commons Attribution 4.0 International License.

AYDIN GOL/Turk J Elec Eng & Comp Sci

of locations is undecidable even when the parameters are integer valued. The same problem becomes decidable
when a finite upper bound is given for each parameter. Nevertheless, symbolic algorithms without termination
guarantees exist for variations of the synthesis problem [12–14], including reachability specifications. While
parametric models provide considerable flexibility in the design, the synthesis algorithms are computationally
very expensive, for example, see [15] for benchmark examples.
Another approach that is orthogonal to parameter synthesis is controller synthesis, where possible design
choices are integrated to the model via labels of the transitions and a control strategy restricts the transitions
according to the labels [16–18]. In the pioneering work [16], the authors developed an iterative algorithm for
solving synthesis problem for safety specifications (avoid “bad” states at all times). In addition, synthesis of
optimal strategies considering location and transition weights has been considered. As summarized in a recent
survey, corner point abstractions and game theoretic optimal control approaches are used to solve this problem
under reachability specifications for deterministic and nondeterministic timed automata, respectively [17]. Both
methods include the computationally expensive step of construction of a finite representation.
As mentioned above, the parameter and control synthesis problems are studied separately in the literature.
Here, our goal is to tune the parameters and restrict transitions via controller synthesis such that the resulting
automaton satisfies a specification; thus we combine both problems. A variation of parameter and controller
synthesis problem is studied in [19], where a safety specification is considered, and the symbolic parameter
synthesis method is extended to incorporate symbolic constraints over the transition labels.

In [20], the

authors present a parametric timed automaton model for an adaptive cruise control system. This model
integrates the controller synthesis problem into the parameter synthesis problem via parametric mutually
exclusive constraints.
In this paper, we formalize a control synthesis problem for parametric timed automata. We first show that
the negative decidability results apply to the most general form of this problem. Then, we focus on a specific
version of the problem where the goal is to reach a target set and the parameters are restricted to bounded
integer sets. We show that the solution space is finite, thus the synthesis problem is, trivially, decidable. We
propose an algorithm based on depth first search over the graph structure of timed automata. Central to the
proposed method is the exploration along only realizable automata paths. In particular, a mixed integer linear
programming (MILP) based feasibility check is performed for each candidate node (exploration direction), and
only feasible nodes are added. Thus, this approach avoids computation of paths that cannot be part of the
solution. The correctness of the proposed algorithm, as well as the completeness under mild assumptions are
proven. In addition, the completeness for the general case (no additional assumption) is guaranteed with an
additional computation step.
The paper is organized as follows. Section 2 presents the necessary notation and background information.
Section 3 formally defines the control synthesis for parametric timed automata problem, derives decidability
results and finally presents the proposed synthesis algorithm. Section 4 presents a case study inspired from
scheduling problem, and illustrate the developed synthesis algorithm. Finally, Section 5 concludes the paper
with possible future research directions.

2. Background
Notation The set of natural numbers, real numbers, nonnegative real numbers and positive real numbers
are denoted by N , R , R≥0 , and R>0 , respectively.
1752

AYDIN GOL/Turk J Elec Eng & Comp Sci

A timed automaton is a finite state machine extended with real-valued clock variables [1, 21, 22]. The
constraints over these clocks govern the execution of the automata. For a set of clocks C , a clock constraint
is defined with the following grammar ϕ := x ∼ c | ϕ ∧ ϕ where ∼∈ {<, >, ≥, ≤}, c ∈ N is a natural number
and x ∈ C is a clock. A constraint ϕ is called parametric if it contains a parameter in the place of the numeric
constant c. A clock valuation is a function ν : C → R≥0 that assigns a nonnegative real value to each clock.
A clock valuation ν satisfies a constraint ϕ , denoted by ν |= ϕ , if the constraint evaluates to true when each
clock is replaced with the corresponding valuation. Two operations are used over the clock valuations: delay
and reset. For a clock valuation ν and a positive constant d ∈ R>0 ν + d is the clock valuation obtained by
incrementing each clock by d , (ν + d)(x) = ν(x) + d for each x ∈ C . For a clock valuation ν , and a set of
clocks λ ⊆ C , ν[λ] is the clock valuation obtained by resetting each clock from λ to 0 , i.e. ν[λ](x) = 0 for
each x ∈ λ and ν[λ](x) = ν(x) for each x ∈ C \ λ.
Definition 1 ((Parametric) timed automata) A timed automaton A = (L, l0 , Σ, C, ∆, Inv) is a tuple,
where L is a finite set of locations, l0 ∈ L is the initial location, Σ is a finite input alphabet, C is a finite
set of clocks, ∆ ⊆ L × Σ × 2C × Φ(C) × L is a finite transition relation, and Inv : L → Φ(C) is an invariant
function.
A transition e = (ls , α, λ, ϕ, lt ) ∈ ∆ is from location ls to location lt . The transition can be taken when the
current input symbol is α and the clock valuation satisfies ϕ . Upon taking the transition, clocks from λ are
reset to 0. A timed automaton is parametric if it contains a parametric constraint (either as an invariant or
transition guard). For a parametric timed automaton A, its set of parameters P , and a parameter valuation
v : P → N that assigns a number to each parameter, a (nonparametric, or concrete) timed automaton A(v)
is obtained by replacing each parameter p with v(p). A path is an interleaving sequence of locations and
transitions π = l0 e1 l1 e2 l2 . . . such that ei = (li−1 , αi , λi , ϕi , li ) ∈ ∆ for each i ≥ 1 and li ∈ L for each i ≥ 0 .
A transition system is a tuple T = (S, s0 , Σ, →) , where S is a set of states, s0 ∈ S is an initial state, Σ is
a

a finite input alphabet and →⊂ S × Σ × S is a transition relation. The notation s → s′ is used for (s, a, s′ ) ∈→ .
The semantics of timed automaton is defined as a transition system:
Definition 2 Let A = (L, l0 , Σ, C, ∆, Inv) be a timed automaton. The semantics of A is defined by a transition
system T (A) = (S, s0 , Σ′ , →) , where
S = {(l, ν) | l ∈ L, ν |= Inv(l)} is the set of states,
s0 = (l0 , 0) is the initial state such that 0(x) = 0 for each x ∈ C ,
Σ′ = Σ ∪ R≥0 ,
the transition relation is defined by the following rules
d

– delay: (l, ν) → (l, ν + d) for d ∈ R>0 if ν + d |= Inv(l)
a

– discrete: (l, ν) → (l′ , ν ′ ) if there exists (l, a, λ, ϕ, l′ ) ∈ ∆ such that ν |= ϕ , ν ′ = ν[λ] and ν ′ |= Inv(l′ )
a

We denote a delay transition of duration d followed by a discrete transition under input a by (l, ν) →d
d

a

(l′ , ν ′ ) (i.e ∃ν ′′ : (l, ν) → (l, ν ′′ ) → (l′ , ν ′ )) . A run ρ of T (A) is a possibly infinite alternating sequence of
1753

AYDIN GOL/Turk J Elec Eng & Comp Sci

states, delay and discrete transitions originating from s0 :
a

a

a

ρ := (l0 , 0) →1 d1 (l1 , ν1 ) →2 d2 (l2 , ν2 ) →2 d2 . . .
The set of all runs of T (A) is denoted by [[A]] . A path π = l0 e1 l1 e2 l2 . . . with ei = (li−1 , αi , λi , ϕi , li ) for each
i ≥ 1 is said to be realized by a delay sequence d = d1 , d2 , . . . if there exists a run ρ ∈ [[A]] induced by π and
d , i.e., i-th location of ρ is li , and i -th transition is taken according to delay di and transition ei . A path π
is said to be realizable, if there exists a delay sequence d such that π and d induce a run ρ of T (A) .
Definition 3 (Control strategy) A control strategy C : L → Σ of a timed automaton A = (L, l0 , Σ, C, ∆, Inv)
generates an input symbol for each location such that C(l) ∈ Σ(l) = {α | (l, α, λ, ϕ, l′ ) ∈ ∆}. The timed automaton obtained by executing A in closed loop with C is defined as C(A) = (L, l0 , Σ, C, C(∆), Inv) where
C(∆) = {e | e = (l, α, λ, ϕ, l′ ) ∈ ∆ and α = C(l)}.
Intuitively, the input of the TA A is determined with respect to the strategy C for each discrete transition
when A is run in closed loop with C . Note that the control strategy simply restricts the transitions of A.
The control synthesis and parameter synthesis problems are studied against reachability, unavoidability,
safety properties, and more complex properties expressed in temporal logics such as computation tree logic
(CTL) and metric interval temporal logic (MITL). In this paper, synthesis for reachability properties is studied,
and the related definitions are given below. This type of properties are commonly used in scheduling problems [2–
4]. In addition, the paper presents some decidability results for MITL and CTL. The interested readers are
referred to [23] for more information on temporal logics.
Reachability: For a timed automaton A = (L, l0 , Σ, C, ∆, Inv), a subset of its states LT ⊂ L is called
a

a

a

reachable if there exists ρ = (l0 , 0) →1 d1 (l1 , ν1 ) →2 d2 (l2 , ν2 ) →2 d2 . . . ∈ [[A]] such that li ∈ LT for some i ≥ 0.
3. Results
In this section, we first formally define the control synthesis for parametric timed automata problem.
Then in the first subsection, we derive decidability results considering restrictions on parameter ranges and
specifications. In the second subsection, for a restricted version of the problem that is shown to be decidable,
we present a synthesis algorithm and prove its correctness.
Problem 3.1 Given a parametric timed automaton A = (L, l0 , Σ, C, ∆, Inv) , its set of parameters P , an
interval Ip for each parameter p ∈ P , and a property ψ ,
a) [decision] Is there a control strategy C and a parameter valuation v pair such that C(A(v)) satisfies ψ ?
b)[synthesis] Generate a control strategy C and a parameter valuation v such that C(A(v)) satisfies ψ if one
exists.
In literature, the parameter and control synthesis problems are studied separately. The parameter
synthesis problem is studied from several aspects: safety, reachability, temporal logic formulas are considered
as the specification ( ψ ), intervals in real numbers, intervals in integers and bounded intervals are considered
for parameter intervals ( Ip ). In addition the restricted versions of the problem with respect to the number of
parametric clocks and parametric constraints are considered in terms of decidability. The next section analyses
Problem 3.1-a) in terms of decidability with respect to these results.
1754

AYDIN GOL/Turk J Elec Eng & Comp Sci

3.1. Decidability analysis for controller synthesis for parametric timed automata
A recent paper surveying the results on decision problems over parametric timed automata shows that almost
all non-trivial decision problems are undecidable [12]. The negative decidability results are based on a reduction
from halting problem of a two-counter machine that is known to be undecidable. On the other hand, decidability
results are obtained when either the parameters are restricted to bounded integer sets or the number of
parametric clocks and constraints are bounded. Problem 3.1 extends the classical parameter synthesis problem
with the ability of restricting transitions via controller synthesis. We show that the negative decidability results
applies to this problem as well. In particular, we first show that Problem 3.1-a) is undecidable for reachability.
Theorem 1
Proof

The controller and parameter synthesis problem is undecidable for reachability.

Consider the class of PTA that has a single input, i.e. Σ = {α} . For this class, the only feasible

controller is (C)(l) = α for each l ∈ L. Consequently, the problem reduces to the parameter synthesis problem,
which is known to be undecidable. If the controller and parameter synthesis problem was decidable, the result
would apply to this sub-class. Thus, it is undecidable.
2
The same argument from the proof of Theorem 1 applies to other properties such as safety and unavoidability for which the parameter synthesis problem is known to be undecidable. Thus, we conclude that
Problem 3.1-a) is undecidable for reachability, safety and unavoidability properties.
The controller space is finite since both L and Σ are finite sets, and its size is upper bounded by | Σ ||L| .
Consequently, if the parameter synthesis problem is decidable, then the corresponding controller and parameter
synthesis problem is also decidable, since it is suﬀicient to enumerate all possible control strategies and solve the
parameter synthesis problem for each of them. For example, the parameter synthesis problem is decidable for the
considered properties when each parameter is integer valued and restricted to a finite set. Thus, Problem 3.1-a)
is decidable for these properties when Ip = [lp , up ] ⊂ N with a finite upper bound up < ∞ for each p ∈ P . In
particular, the problem can be solved by enumerating each parameter valuation and controller synthesis pair
and performing model-checking on the resulting TA. However, due to the exponential nature of the solution
space and the model checking complexity, the greedy approach would be infeasible for any practical problem.
In the subsequent section, we present an eﬀicient algorithm for reachability property considering bounded and
integer valued parameters.
3.2. Synthesis algorithm for reachability property
In this section, we present an algorithm to solve Problem 3.1 when Ip = [lp , up ] ⊂ N is a finite set of integers
for each p ∈ P and the specification ψ is Reach(LT ) where LT ⊂ L. First, we argue that the problem cannot
be directly reduced to parameter synthesis under reachability via Example 1.
Example 1 Consider the parametric timed automaton shown in Figure 1. It has four locations L = {l0 , l1 , l2 , l3 }
and four transitions ∆ = {e1 , e2 , e3 , e4 } . The parameter domains are p1 ∈ [7, 8] and p2 ∈ [2, 3], and the target
location is l3 ( LT = {l3 }). The feasible control inputs are Σ(l0 ) = {a} , Σ(l1 ) = {a, b}, and Σ(l2 ) = {a} until
the target is reached; thus, no input is considered for l3 . There are two possible control strategies C1 and C2
that only differ at l1 , let C1 (l1 ) = a and C2 (l1 ) = b. It is not possible to reach l3 under strategy C1 since
it eliminates the transition to l3 . On the other hand, the only path under strategy C1 is l0 e1 l1 e4 l3 . Along
this path, the total time spent in l0 and l1 is upper bounded by 4 via invariants, and it is lower bounded by
1755

AYDIN GOL/Turk J Elec Eng & Comp Sci

p1 ∈ [7, 8] via the guard on e4 . Thus the parameter synthesis problem is infeasible under this strategy. However,
the classical parameter synthesis problem is feasible as it does not require assigning an input to each location.
In particular, l3 is reachable along the path l0 e1 l1 e2 l2 e3 l1 e4 l3 for the parameter valuation p1 = 7 and p2 = 3 .
Note that path l0 e1 l1 e2 l2 e3 l1 e4 l3 cannot be taken under any strategy.
y≤3
l2

start

l0
y≤3

e3
a
y≥3
y := 0

y := 0
a
e2
e1 a

z ≥ p2

y := 0, z := 0

l1
y≤1

e 4 b x ≥ p1 ∧ y ≥ 1

l3
z < 2p2

Figure 1. Timed automaton from Ex. 1. Transition labels are shown in blue. The control input, reset and guards are
shown next to transitions. For example e1 = (l0 , a, {y, z}, z ≥ p2 , l1 ) .

The proposed synthesis method to find a control strategy C and parameter valuation v for reaching LT
is summarized in Algorithm 1. The algorithm explores the possible paths and constructs an exploration tree in a
depth first search manner. The nodes of the exploration tree correspond to the timed automaton locations, and
child nodes are added with respect to the timed automaton transitions (see line 1 and line 19). First, the initial
location of A is set as the root of the tree (see line 1). Thus, a path from root to a node of this exploration
tree corresponds to a path of A. The child nodes are added to the exploration tree as the possible paths are
explored (stored in node.children ), and control assignments are stored along the paths (the same control is
used when a location appears more than once). Furthermore, the algorithm performs feasibility analysis for
each new node and only adds nodes that are feasible, thus automaton paths obtained from the exploration tree
are always realizable (see Defn. 2). Consequently, if a target node is reached, no further analysis is required and
the algorithm returns the stored control assignments and parameter valuations obtained via feasibility analysis
(see line 15). Next, the details of the steps of the algorithm and the feasibility computation are explained.
As in the classical depth first search implementation, the nodes to be explored are stored in a stack.
In the proposed synthesis algorithm, in addition to storing such nodes, the stack is also used for marking the
validity ranges of the previously selected control actions. In particular, a stack entry is in the following form
[node, explore] and there are 3 cases for explore : 1) it is ⊥, 2) it contains a previously stored control for node.l ,
or 3) it contains the control choices to be explored from node.l . In the first case, it marks the validity range for
the control choice stored in C(node.l) . In the second case, along the path from root to node , location node.l
is previously visited and a control value is already set for it, thus exploration for the possible control inputs
(lines 7-11) is not performed. Finally, in the last case, explore ⊆ Σ(node.l) and a control input from explore
is set for node.l (line 8), then, first, the rest of the control choices for the node are pushed back (line 9) for later
exploration, second [node.l, ⊥] is pushed to mark the validity of the control choice. In particular, extracting
this entry back from the stack (line 6) means that all possible paths from node.l constrained to the inputs
assigned from root to node (stored in C ) are already considered, and LT is not reachable. Thus, the control
assignment for node.l is removed and the exploration continues with another node stored in the stack (line 4).
In the inner loop, each location l′ that can be reached from node.l under the control input C(node.l)
1756

AYDIN GOL/Turk J Elec Eng & Comp Sci

Algorithm 1 Controller synthesis-reachability
Require: A TA A = (L, l0 , Σ, C, ∆, Inv), parameter set P , parameter intervals Ip for each ∈ P , target set
LT ⊂ L, a bound on the number of cycles along a path limit.
Ensure: Control strategy C and parameter valuation v such that LT is reachable on C(A(v)).
1: root = N ode(l ← l0 , children ← ∅) .
2: C(l) =⊥ for each l ∈ L , Stack = ∅ .
3: Stack.push([root, Σ(l0 )])
4: while Stack is not empty do
5:
node, explore = Stack.pop
6:
if explore =⊥ then C(node.l) =⊥, Continue to line 4.
▷ A backtracking point, delete the
corresponding input from C and continue with stack.
7:
if IsExploreSet(explore) then
8:
C(node.l) = explore.pop()
▷ Assign a control input for l .
9:
if explore ̸= ∅ thenStack.push([node, explore])
▷ Push back for the remaining control choices.
10:
Stack.push([N ode(l ← node.l), ⊥])
▷ Push a backtracking point for the control choice.
11:
end if
12:
for each (l′ , e′ ) ∈ {(l, e) | e = (node.l, C(node.l), λ, ϕ, l) ∈ ∆} do
13:
v = IsF easible(root − to − l′ )
▷ Find parameters that makes the path to l′ realizable.
14:
if v =⊥ then Continue to line 12.
▷ If no parameters exists, continue with the next location.
15:
if l′ ∈ LT then Return C , v
▷ A solution is found.
16:
if CycleCount(root − to − l′ ) > limit then Continue to line 12.
▷ Do not continue exploring.
17:
if C(l′ ) =⊥ then explore′ = Σ(l′ ) else explore′ = C(node.l)
18:
node′ = N ode(l ← l′ , children ← ∅)
▷ Create a new node.
19:
node.children.push(node′ , e′ )
▷ Add the node and e′ for path generation.
20:
Stack.push([node′ , explore′ ])
21:
end for
22: end while
23: return No solution

is explored (line 12-21). First, a feasibility check is performed on the timed automaton path induced by the
exploration tree path from root to l′ . This check returns a parameter valuation v such that the path is
realizable on A(v) if such a valuation exists, otherwise it returns ⊥. The details of this method is given in
the next subsection. If the path cannot be realized by any parameter valuation, exploration along l′ is stopped
(line 14). If the path is feasible, then it is checked whether l′ is a target region. If this is the case, it is
concluded that there is a realizable path from l0 to l′ in C(A(v)) , and the strategy C and valuation v are
returned (line 15). Otherwise, a cycle check is performed. If the number of cycles including l′ is greater than a
predefined value, the exploration along l′ is stopped (line 16). If the cycle limit is not reached, a new node for
l′ is constructed (lines 18 and 19), and added to tree and stack for further exploration (line 20). If l′ is already
visited along the path from root to node′ , the same control input is set to C(l′ ) , thus the control choices will
not be considered for l′ along the branches from node′ (line 7) and the control input for location l′ along the
path from root to this node will be consistent. However, if a control input is not assigned for l′ , all possible
choices are pushed to stack for further exploration (line 17).
Complexity. The complexity of Algorithm 1 is characterized by the number of locations |L| , branching
factor b of the underlying graph structure, i.e., b = maxl∈L |{e | e = (l, α, δ, ϕ, l′ ) ∈ ∆}| , and the cycle bound
limit . In particular, the size of the resulting exploration tree is upper bounded by b|L|·limit , where |L| · limit
is an upper bound on the tree depth. The number of feasibility analysis, i.e. MILP solutions (2), is also upper
1757

AYDIN GOL/Turk J Elec Eng & Comp Sci

bounded by b|L|·limit . However, thanks to the pruning of the infeasible directions, in practice, the number of
the solved MILP problems is significantly less. In addition, the MILP size (the number of decision variables
and the constraints) is linear with the length of the corresponding automaton path. Thus, while the number of
decision variables is upper bounded by b|L|·limit + |P | , this bound is only reached along the longest path.
3.2.1. Feasibility check
We present a mixed integer linear programming based method for feasibility check. For a given parametric timed
automaton A, its path π = l0 e1 l2 e2 . . . en ln with ei = (li−1 , αi , λi , ϕi , li ) for each i ≥ 1 , we find a valuation v
such that π is realizable on A(v) (if such a valuation exists). Here, we define a mixed integer linear program
such that its feasible solution defines a parameter valuation v ⋆ and delay sequence d⋆ = d⋆0 , d⋆1 , . . . , d⋆n−1 such
that π and d⋆ induce a run ρ ∈ A(v ⋆ ) . Essentially, the delay variables d0 , d1 , . . . , dn−1 , and parameters p ∈ P
are the decision variables of the MILP. For a given path, and a constraint along the path (either on a transition
or an invariant), the clock can be represented in terms of the delay variables as it measures the time passed
since its last reset. As time can only pass on a location, when leaving a location, a clock equals to the sum
of the delay variables that correspond to the locations since the clock’s last reset. In order to formalize this
notion, we define the following mapping:
Γ(x, π, i) = dk + dk+1 + . . . + di−1 where k = max({m | x ∈ λm , m < i} ∪ {0}),

(1)

where k is the index of the transition where x is last reset before ei along π , and it is 0 if it is not reset.
Γ(0, π, i) is defined as 0 for notational convenience. The clock x equals to Γ(x, π, i) on the i-th transition ei
along π .
Recall that a clock constraint is conjunction of clock inequalities x ∼ c, where c is either a parameter
p ∈ P or a constant from N and ∼∈ {<, ≤, >, ≥}. An inequality x ∼ c is mapped to the new delay variables
with respect to its position. If it is on the guard ϕi of transition ei , it is mapped to Γ(x, π, i) ∼ c. If it is on
the invariant Inv(li ) of location li , it should be satisfied when arriving to (i.e. for lower bounds) and leaving
from (i.e. for upper bounds) the location. Thus it is mapped to Γ(x, π, i + 1) ∼ c for leaving, and mapped to
Γ(x, π, i).I(x ̸∈ λi ) ∼ c for arriving, where I is a binary function mapping true to 1 and f alse to 0. Finally,
the MILP for the path π is defined as:
find vp ∈ N for each p ∈ P and di ∈ R for each i = 0, . . . , n − 1

(2)

subject to

(3)

Γ(x, π, i) ∼ c

for each i = 1, . . . , n − 1, and for each x ∼ c from ϕi

Γ(x, π, i).I(x ̸∈ λi ) ∼ c
Γ(x, π, i + 1) ∼ c
lp ≤ vp ≤ up
di ≥ 0

for each i = 1, . . . , n, and for each x ∼ c from Inv(li )

for each i = 0, . . . , n − 1, and x ∼ c ∈ from Inv(li )
for each p ∈ P, where Ip = [lp , up ]

for each i = 0, . . . , n − 1

(4)
(5)
(6)
(7)
(8)

Proposition 1 Let A = (L, l0 , Σ, C, ∆, Inv) be a parametric timed automaton with parameter set P , and
parameter range Ip for each p ∈ P and π be a path of A. Then the MILP as defined in (2) is feasible if and
only if there exists a parameter valuation v such that π is realizable on A(v) .
1758

AYDIN GOL/Turk J Elec Eng & Comp Sci

Proof

Let π be l0 e1 l1 e2 . . . en ln with ei = (li−1 , αi , λi , ϕi , li ). (If) Assume that MILP (2) is feasible and

vp⋆

for each p ∈ P and delay sequence d⋆ = d⋆0 , d⋆1 , . . . , d⋆n−1 be a solution, and T (A(v ⋆ )) = (S, s0 , Σ′ , →)

let

be defined as in Defn. 2. Define clock value sequence ν0 , ν1 , …, νn−1 with respect to the delay sequence and
transitions e1 , . . . , en iteratively as ν0 = 0 and :
νi = (νi−1 + d⋆i−1 )[λi ]

for i = 1, . . . , n.

Observe that the νi definition is consistent with Γ(·, π, i) (1) along the path π and
a : νi (x) = Γ(x, π, i)I(x ̸∈ λi )

and

b : νi (x) + d⋆i = Γ(x, π, i + 1)

(9)

for each clock x ∈ C . For illustration of non-parametric ( x ∼ c) and parametric ( y ∼ p ) inequalities let
Inv(li ) = x ∼ c ∧ y ∼ p ∧ ϕ′ for an arbitrary clock constraint ϕ′ . Then νi (x) ∼ c ∧ νi (y) ∼ vp⋆ holds via (5)
and (9)-a. As the same argument holds for each inequality from ϕ′ , we reach that νi |= Inv(li ) , thus (li , νi ) ∈ S
for each i by Defn. 2. By applying the same argument on the inequalities over (6) and (9)-b, we reach that
d⋆

i
νi + d⋆i |= Inv(li ), thus (li , νi ) →
(li , νi + d⋆i ) (delay transition). Furthermore, from (4) and (9)-b, we have

α

that νi + d⋆i |= ϕi+1 , thus (li , νi + d⋆i ) →i (li+1 , νi+1 ). Observing that s0 = (l0 , 0) ∈ S , and the above derivation
a

a

applies to each i = 1, . . . , n , we conclude that ρ = (l0 , ν0 ) →1 d⋆0 (l1 , ν1 ) →2 d⋆1 . . . (ln , νn ) ∈ [[A(v ⋆ )]]. (Only if)
Assume that MILP (2) is infeasible, but there exists a parameter valuation v ′ such that π is realizable on A(v ′ )
via a delay sequence d′0 , . . . , d′n−1 . Then (4),(5), and (6) holds for d′0 , . . . , d′n−1 and v ′ along the path π via
Defn. 2. Thus, d′0 , . . . , d′n−1 and v ′ is a feasible solution of MILP, thus we reached a contradiction.

2

In line 13 of Algorithm 1, the feasibility check is performed on the timed automaton path induced by the
exploration tree path from root to node , and the location l′ . The tree path and the timed automaton path are
defined in (10) and (11), respectively.
node0 , . . . , noden−1

where node0 = root, noden−1 = node from line 5, and

(10)

(nodei , ei ) ∈ nodei−1 .children for i = 1, . . . , n − 1,
π = l0 e1 l2 e2 . . . en ln

where l0 = root.l, li = nodei .l, and ei as in (10) for i = 1, . . . , n − 1,

(11)

finally en = e′ , ln = e′ from line 12.
The path π is uniquely defined due to the tree structure. The feasibility of this path is checked via (2). Note that
the iterative path construction via depth first search ensures that MILP for π ′ = l0 e1 l2 e2 . . . ln−1 is previously
constructed and it is feasible. For π , the constraints regarding dn−1 , Inv(In−1 ) , en and Inv(ln ) are added to
this one.
In [24], a linear programming based method was used to generate an optimal delay sequence for a weighted
timed automaton. Here, the optimization problem is in MILP form (2) since both integer valued parameters and
delay variables are synthesized. An MILP based encoding was used in [25] for non-parametric timed automata
under reachability specifications, where the integer variables were used to encode possible automaton paths.
3.2.2. Analysis of the synthesized controller
In this section, we first show that if Algorithm 1 generates a control strategy C and parameter valuation v ,
then LT is reachable on C(A(v)), thus the result is correct. Then, we analyze the completeness, i.e., does the
1759

AYDIN GOL/Turk J Elec Eng & Comp Sci

algorithm find a solution when one exists, regarding the pruning of the exploration with respect to the detected
cycles (line 16) and identify the cases in which the solution is complete. Finally, we present an extension to
Algorithm 1 to guarantee completeness for any timed automata.
Proposition 2 Let A = (L, l0 , Σ, C, ∆, Inv) be a parametric timed automaton with parameter set P , and
parameter range Ip for each p ∈ P , and LT ⊂ L be a set of its states. If Algorithm 1 generates control strategy
C and parameter valuation v when run on A, Ip for each p ∈ P and LT , then LT is reachable on C(A(v)).
Proof

Let C and v be the control strategy and parameter valuation pair returned by Algorithm 1 in line 15.

Let π = l0 e1 l2 e2 . . . en ln be the corresponding path of A as defined in (11). Note that by line 15, ln ∈ LT . By
Prop. 1, π is realizable on A(v) , thus LT is reachable on A(v) . The backtracking mechanism in lines 6 and 10
and the depth first exploration ensures that (nodei , ⊥) is in the stack for each nodei defined in (10). Thus,
C(li ) ∈ Σ is well-defined. Furthermore, ei is defined with respect to C(li ) in line 12. Consequently, π is a path
of C(A)(v) , which concludes the proof.

2

Proposition 2 shows that the result obtained from Algorithm 1 is correct. Next, we prove that the
algorithm is complete if it does not perform a pruning in line 16. In other words, when the answer for
Problem 3.1-a) is yes, the algorithm might not be able to find a control strategy and parameter valuation
pair due to the pruning of the exploration performed in line 16. However, pruning is necessary for a termination
guarantee as illustrated in Example 2.
Example 2 Consider the timed automaton from Figure 1. The path l0 e1 l1 (e2 l2 e3 l1 e2 l2 e3 l1 )n is feasible (line 13)
for any n ≥ 0 . Thus, it is necessary to detect such cases to avoid an infinite computation loop. On the other
hand, consider a variation of the TA on which the input on e4 is also a. As discussed in Example 1, while
l0 e1 l1 e4 l3 is not realizable for any parameter valuation, l0 e1 l1 e2 l2 e3 l1 e4 l3 is realizable. Thus, traversing such a
cycle can enable a transition, thus avoiding all of the cycles is not viable.
Proposition 3

Let A = (L, l0 , Σ, C, ∆, Inv) be a parametric timed automaton with parameter set P , and

parameter range Ip for each p ∈ P and LT ⊂ L be a set of its states. If Algorithm 1 does not generate a result
without eliminating any node in line 16, then no strategy and valuation pair exists for the reachability problem.
Proof

Assume that there exists control strategy C and proper valuation v with vp ∈ Ip for each p ∈ P ,

such that a path π = l0 e1 l2 e2 . . . en ln of C(A(v)) is realizable and ln ∈ LT . As Algorithm 1 searches paths
exhaustively in a depth first manner, the exploration along path π is stopped before reaching ln . Let node be
the furthest one reached and retrieved from stack in line 8 along π and C and let node.l = li . In the inner loop,
each location l′ that can be reached from node.li under the control input C(node.li ) is explored (line 12-21).
As π is a path of C(A) , (li+1 , ei+1 ) is in the set defined in line 12. As li is assumed to be the furthest one, an
exploration tree node is not defined for li+1 , thus the execution is ended in line (a) 14,(b) 15, or(c) 16. Case
(a) contradicts with the assumption that π is realizable on C(A(v)), since if it is realizable, then any prefix of
this path is also realizable via (2) and Proposition 1. Both case (b) and (c) contradicts with the proposition
statement. Thus, the initial assumption on the existence of such a path is wrong.

2

We deduce from Proposition 3 that the algorithm is complete for acyclic timed automata. Furthermore,
completeness can be guaranteed with a proper cycle limit. For example, if there is a deadline t to reach a target
location (checked on the transitions ends in LT ), and then t can be used as the limit in line 16.
1760

AYDIN GOL/Turk J Elec Eng & Comp Sci

Guaranteeing completeness: The completeness for any parametric timed automaton with bounded
integer valued parameters can be guaranteed with an additional computation step. The barrier for the completeness is the pruning step in line 16, where a prefix of a realizable path can be pruned due to the cycle limit.
To eliminate this barrier, the idea is to mark the nodes in line 16 instead of only pruning them, and perform
further analysis if a solution is not found. In particular, if the algorithm reaches line 23 (no solution found),
for each marked node in line 16 1) find a set of parameter valuations for the path from root to the marked
node and define the search space for controller, and 2) run a greedy analysis for each of these. Essentially, the
partial path to node reduces the search space of the reachability problem. The first step is the computation of
the reduced space and the second step is the search for a solution in this space via enumeration. In the first
step, first, the set of valuations is computed by constructing the MILP (2) for the path from root to node and
projecting the feasible solution space on to parameter variables. This computation results in a set of valuations
V ⊆ Ip1 × . . . × Ipm , P = {p1 , . . . , pm } such that the MILP (2) is not feasible for a v ∈ Ip1 × . . . × Ipm \ V (a
feasible solution is not eliminated). Thus, it reduces the parameter search space to V . Next, the search space for
the control strategy is defined with respect to the strategy C computed from root to node . The search is only
performed for locations with C(l) =⊥, since if C(l) = α ∈ Σ, a control assignment is already done for l on root
to node . Finally, in the second step reachability analysis via a verification tool such as UPPAAL is performed
on the resulting timed automaton for each parameter and control strategy pair. Note that the search space is
potentially reduced significantly compared to the initial problem. As each possible strategy and valuation pair
from the marked node is analyzed, performing these steps for each marked node guarantees completeness.

4. Case study
We show the results of Algorithm 1 on a timed automaton that models a scheduling problem. We first describe
the scheduling problem, then introduce the timed automaton modeling it. In this scheduling scenario, there are
two types of jobs namely J1 and J2 that should be processed in this order. J1 can be processed by machine
M1,a or machine M1,b . Similarly, J2 can be processed by M2,a or M2,b . The initial setup time (idle time before
using any machine or starting a job transfer process), non-idle time, the time spent during the job transfers
between machines, and the machine use durations are bounded. In particular, machine M1,a cannot be used
more than 10 time units. M2,a cannot complete J2 in less than 6 time units. The non-idle time is upper
bounded by 18 . The total processing time is upper bounded by 20 (or 22 based on the schedule). M2,b cannot
be started after the first 10 time units. In addition to these strict constraints there are some flexible constraints.
M2,a cannot be used within the first 16, 17 or 18 time units. The initial idle time and the job transfer task
to M1,a cannot exceed 3, 4 or 5 . The idle time cannot be less than 4 or 5 if M1,a is directly utilized. If a
job transfer task was employed before M1,a , the sum of the idle time and the job transfer time should be more
than 5, 6 , 7 or 8 . The time spent on J2 should be less than the time spent on J1 . If M2,a is used, its upper
bound can be in [10, 14] , however if M2,b is used, this bound can be in [8, 16] . The goal is to find values for
the flexible constraints and a scheduling scenario that describes a sequence of events and the corresponding
durations such that the scenario satisfies the constraints. To achieve this, we model this scheduling problem as
a parametric timed automaton shown in Figure 2.
In TA shown in Figure 2, the initial location l0 represents the initial setup (idle). l1 , l4 , l2 and l5
represent machines M1,a , M1,b , M2,a , and M2,b , respectively. l7 , l8 , and l9 represent the job transfer tasks.
Finally, l3 and l6 are the locations that can be reached once both jobs are complete, thus LT = {l3 , l6 }. The
1761

AYDIN GOL/Turk J Elec Eng & Comp Sci

e5 a y ≥ 1 y := 0

e8 a y ≥ 1 y := 0

y ≤ p1

l7

l8

e 6 a z ≥ p3
y := 0, t := 0

y := 0, t := 0

e7 a
l0

x ≤ p1

e9 a z ≥ 2

y := 0, z := 0

e4 a

start

e1 a

x ≥ p2

y := 0, t := 0

e10 b y ≥ p2

y≤1

l1

e2 a

y := 0

y ≥ p4

y ≥ p4 ∧ x ≥ p6

l2

e3 a

y ≤ p4 ∧ x ≤ 20 ∧ y ≥ 6

l3

t ≤ 18

y ≤ 10
e16 b

y ≥ p5
e17 b
y := 0
l9

y := 0, t := 0
e13
l4

e11 b

y ≤ p4 ∧ x ≤ 22 ∧ y ≥ 6

e14 b

y := 0
b y ≥ p5
y ≥ p5 ∧ x ≤ 10

y ≥ 4 ∧ x ≤ 10

l6
t ≤ 18

y := 0
e12 b

e15 a

y ≤ p5 ∧ x ≤ 20

y ≤ p5 ∧ x ≤ 22

l5

Figure 2. Timed automaton for the case study. Transition labels are shown in blue. The control input, reset and guards
are shown next to transitions.

scheduling constraints are integrated to the timed automaton via clock constraints. Clock y is reset on each
transition, thus it measures the time spent in the last location. For example, the constraint on the use of M1,a
is encoded as Inv(l1 ) = y ≤ 10 . The constraint that M2,a cannot complete J2 in less than 6 time units
is represented by the constraint y ≥ 6 on the transitions leaving l2 . Clock x is not reset on any transition.
Therefore, it represents the time passed since the beginning of the execution. It is used to describe the bounds on
the total processing times ( 20 and 22 ). In addition, it is used to define the constraints relative to the initiation
of the schedule. The constraint that M2,b cannot be started after the first 10 time units captured with the
constraint x ≤ 10 on the transitions that end in l5 . Clock t is reset only on transitions that leave l0 , thus it
represents the non-idle time. The constraint on the non-idle time is enforced by Inv(l3 ) = Inv(l6 ) = t ≤ 18 . The
flexible constraints are represented with parameters. The constraints on the duration of the idle time and the job
transfer task to M1,a are captured with parameters p1 ∈ Ip1 = [3, 5], p2 ∈ Ip2 = [4, 5] and p3 ∈ Ip3 = [5, 8]. The
relative constraint on the time spend on J1 and J2 is captured with parameters p4 ∈ [10, 14] and p5 ∈ [8, 16]
along the parametric constraints on the guards of the transitions that leave l1 , l2 , l4 and l5 . The choice for the
processing machines ( M1,a , M1,b , M2,a , M2,b ) are encoded as control inputs Σ = {a, b} .
The control strategy generated by Algorithm 1 is C(li ) = a for li ∈ {l0 , l1 , l7 , l8 } and C(li ) = b for
li ∈ {l2 , l4 , l5 , l9 }.

The parameters are p1 = 5, p2 = 4, p3 = 5, p4 = 10, p5 = 8, p6 = 16 .

The path

π = l0 e4 l7 e6 l1 e2 l2 e17 l6 ∈ C(A(v)) is realizable. The delay sequence 1, 5, 10, 6 together with parameter valuations
p1 = 5 , p3 = 5 , p4 = 10 and p6 = 16 is a solution of the MILP (2) defined for π . Thus, LT is reachable on
C(A(v)). Path π and the delay sequence specify the following schedule: stay idle for 1 time unit, then perform
a job transfer to M1,a for 5 time units, use M1,a for 10 time units, and finally use M2,a for 5 time units.
In order to find all realizable paths (together with the corresponding control strategies and parameters)
up to a given cycle count, instead of terminating the computation in line 15, the found strategy and parameter
pair C, v is stored and the computation continued. For this case study, the modified version of the algorithm
1762

AYDIN GOL/Turk J Elec Eng & Comp Sci

generated 9 realizable paths and corresponding strategies. The paths are πn = l0 e4 l7 (e5 l7 )n e6 l1 e2 l2 e17 l6 with
n = 0, 1, 2, 3, 4, 5, 6 (7 paths) and πm = l0 e1 l1 e7 l8 (e8 l8 )m e9 l2 e17 l6 with m = 1, 2 (2 paths). Note that each πn
is generated by the same strategy, however the parameters differ. For each πm , the strategy and the parameters
are the same. Thus, the modified version of algorithm can be used to find all paths, and select a path together
with the corresponding C, v according the an optimization criteria. The proposed methods are implemented as
a python tool. The computation times for this example are 0.05 and 0.27 seconds on a laptop with 2.3Ghz
quad core i5 processor for finding π and all realizable paths, respectively.
5. Conclusion
In this paper, we presented the controller synthesis for parametric timed automata problem to simultaneously
tune parameters and restrict transitions. We proved that the negative decidability results apply to the most
general form of this problem. Then, we focussed on a specific version of the problem: reachability with bounded
integer parameters. We developed an algorithm to solve this problem and proved its correctness. In addition,
we analyzed the algorithm in terms of completeness and identified the cases when the solution is complete.
Furthermore, we presented an extension to guarantee completeness for any timed automaton. The results were
shown on a nontrivial timed automaton modeling a scheduling scenario. The future research directions include
considering other specifications such as safety and unavoidability.
Acknowledgment
This work has received funding from the European Union’s Horizon 2020 research and innovation programme
under the Marie Sklodowska-Curie grant agreement No 798482.
References
[1] Alur R, Dill D L. A theory of timed automata. Theoretical Computer Science 1994; 126 (2): 183–235.
[2] Fehnker A. Scheduling a steel plant with timed automata. In: Proceedings Sixth International Conference on
Real-Time Computing Systems and Applications; Hong Kong, China; 1999. pp. 280-286.
[3] David A, Illum J, Larsen K G, Skou A. Model-based framework for schedulability analysis using UPPAAL 4.1. In:
Model-based design for embedded systems. CRC Press, 2009, pp. 117-144.
[4] Guan N, Gu Z, Deng Q, Gao S, Yu G. Exact schedulability analysis for static-priority global multiprocessor
scheduling using model-checking. In: Software Technologies for Embedded and Ubiquitous Systems; Santorini
Island, Greece; 2007. pp. 263-272.
[5] Kwiatkowska M, Mereacre A, Paoletti N, Patanè A. Synthesising robust and optimal parameters for cardiac
pacemakers using symbolic and evolutionary computation techniques. In: Abate, A., Šafránek, D. (editors). Hybrid
Systems Biology. Lecture Notes in Computer Science, vol 9271. Cham, Switzerland: Springer, 2015, pp. 119-140.
[6] Jiang Z, Pajic M, Alur R, Mangharam R. Closed-loop verification of medical devices with model abstraction and refinement. International Journal on Software Tools for Technology Transfer 2014; 16 (2): 191-213.
doi.org/10.1007/s10009-013-0289-7
[7] Wang F. Formal verification of timed systems: a survey and perspective. Proceedings of the IEEE 2004; 92 (8):
1283–1305. 0.1109/JPROC.2004.831197
[8] Behrmann G, David A, Larsen K G, Hakansson J, Petterson P et al. Uppaal 4.0. In: Proceedings of the 3rd
International Conference on the Quantitative Evaluation of Systems; Washington, DC, USA; 2006. pp. 125-126.

1763

AYDIN GOL/Turk J Elec Eng & Comp Sci

[9] André É, Fribourg L, Kühne U, Soulat R. Imitator 2.5: A tool for analyzing robustness in scheduling problems. In:
Formal Methods; Paris, France; 2012. pp. 33-36.
[10] Henzinger T A, Preussig J, Wong-Toi H. Some lessons from the hytech experience. In: Proceedings of the 40th
IEEE Conference on Decision and Control; Orlando, FL, USA; 2001. pp. 2887–2892.
[11] André É, Fribourg L, Mota J-M, Soulats R. Verification of an industrial asynchronous leader election algorithm
using abstractions and parametric model checking. In: Verification, Model Checking, and Abstract Interpretation;
Cascais, Portugal; 2019. pp. 409-424.
[12] André E. What’s decidable about parametric timed automata?
Technology Transfer 2019; 21 (2): 203–219.

International Journal on Software Tools for

[13] Bezděk P, Beneš N, Barnat J, Černá I. Ltl parameter synthesis of parametric timed automata. In: Software
Engineering and Formal Methods; Vienna, Austria; 2016. pp. 172-187.
[14] Jovanovic A, Lime D, Roux, O H. Integer parameter synthesis for real-time systems. IEEE Transactions on Software
Engineering 2015; 41 (5): 445-461.
[15] André É. A benchmark library for parametric timed model checking. In: Formal Techniques for Safety-Critical
Systems; Shenzhen, China; 2019. pp. 75-83.
[16] Asarin E, Maler O, Pnueli A, Sifakis J. Controller synthesis for timed automata. In: 5th IFAC Conference on System
Structure and Control; Nantes, France; 1998. pp. 447-452.
[17] Bouyer P, Fahrenberg U, Larsen KG, Markey N, Ouaknine J et al. Model Checking Real-Time Systems, pp. 1001–
1046. Cham, Switzerland: Springer International Publishing, 2018.
[18] Alur R, La Torre S, Pappas G J. Optimal paths in weighted timed automata. Theoretical Computer Science 2004;
318 (3): 297-322.
[19] Étienne A, Knapik M, Penczek W, Petrucci L. Controlling actions and time in parametric timed automata. In:
16th International Conference on Application of Concurrency to System Design; Torun, Poland ; 2016. pp. 45-54.
[20] Kara M Y, Gol E A. Adaptive cruise control with timed automata. In: 21th IFAC World Congress; Berlin, Germany
(online), 2020. pp. 1-6.
[21] Alur R. Timed automata. In: International Conference on Computer Aided Verification; Trento Italy; 1999. pp.8-22.
[22] Larsen K G, Yi W. Time abstracted bisimulation: Implicit specifications and decidability. In: International
Conference on Mathematical Foundations of Programming Semantics; New Orleans, LA, USA; 1993. pp. 160-176.
[23] Baier C, Katoen J-P, Larsen K G. Principles of Model Checking. Cambridge, MA, USA: The MIT Press, 2008.
[24] Bouyer P, Brihaye T, Bruyère V, Raskin J-F. On the optimal reachability problem of weighted timed automata.
Formal Methods in System Design 2007; 31 (2): 135-175.
[25] Ober I. Revisiting bounded reachability analysis of timed automata based on milp. In: Formal Methods for Industrial
Critical Systems; Maynooth, Ireland; 2018. pp. 269-283.

1764

