Traditional approaches to the algorithmic verification of real-time systems are limited to checking program correctness with respect to concrete timing properties (e.g., "message delivery within 10 milliseconds").
Introduction
Over the last fifteen years, an extensive amount of research has gone into providing foundations for the verification of reactive and concurrent systems (cf. [27]). Most of this research, however, is focused on the verification of qualitative properties such as "safety" and "liveness," rather than timing properties, as is needed for the verification of real-time systems.
This deficiency has been addressed over the last few years, and numerous formal approaches to real-time verification have been proposed (cf. [21, 28, 2, 16, 18, 1, 29]). Essentially all algorithmic approaches suffer, however, from a serious flaw: they are addressed at verifying concrete specifications, such as "an acknowledgement will be sent 10 milliseconds after a message has been received."
*Supported by the National Science Foundation under grant CCR-9200794 and by the United States Air Force Office of Scientific Research under contract F49620-93-1-0056.
Concrete timing constraints can be expressed and algorithmically verified using real-time temporal logics [7, 8, 13, 15, 6, 17, 32] or time-constrained finite-state machines [12, 25, 5, 3, 9] .
In reality, however, real-time systems are typically embedded in larger environments, and the system designer has to design the system relative to certain parameters of the environment. Thus arises the real need for verifying parametric specifications. For example, "given a real-time system S, one may wish to verify a property p of the system as long as the deadline d of an action is less than the delay r in receiving an acknowledgement, r > d" [20]. The design of a robust system requires the verification of the desired behavior of the system without concrete values for the parameters r and d. Indeed, when studying the literature on real-time protocols, one sees that the desired timing properties for protocols are almost invariably parametric (cf. [30, 10, 33]), because concrete timing constraints make sense only in the context of a given concrete environment.
In this paper, we attempt to lay the foundations for a theory of parametric reasoning about real time. The main reason that previous research has concentrated on concrete rather than parametric timing constraints is the extreme difficulty of the parametric verification problem.
In fact, it is not hard to show that standard real-time temporal logics become undecidable even when a single parameter is introduced. Hence, rather than temporal logic, we use finite-state machines with parametric timing constraints (parametric timed automata) as a basis for our theory. Our results will be threefold.
First, we present an algorithm for solving a nontrivial class of parametric

$\delta_\gamma(s, v, (\sigma, t))$ iff there is an edge $(s, \sigma, s', \lambda, \mu) \in E$ such that for all clocks $x \in C$,

A timed language is a set of timed words. Given a parametric timed automaton $A$ and a parameter valuation $\gamma$, the timed language accepted by $A$ with respect to $\gamma$, denoted by $L_\gamma(A)$, consists of all timed words $w$ such that $(s', v') \in \delta_\gamma(s, v_0, w)$ for some initial state $s \in S_0$, some accepting state $s' \in F$, and the initial clock values $v_0$ defined by $v_0(x) = 0$ for all $x \in C$. A parameter valuation $\gamma$ is consistent with $A$ iff $L_\gamma(A)$ is nonempty. Thus, a parameter valuation $\gamma$ is consistent with $A$ iff there exists a path from an initial state to a final state such that all the constraints on the clock values, as specified by the choice $\gamma$ for the parameter values, are satisfied along the path.
We denote the set of parameter valuations consistent with $A$ by $\Gamma(A)$. As an example, consider the parametric timed automaton shown in Figure 1. The automaton consists of three states; $s_0$ is the only initial state, and $s_2$ is the only final state. The input alphabet is unary, the set of clocks is $\{x, y\}$, and the set of parameters is $\{a, b, c\}$. An edge $(s, a, s', \lambda, \mu)$ is shown by an arrow from state $s$ to state $s'$. Since the alphabet is unary, the edges are not labeled with any input symbols. For a parameter valuation $\gamma$, the final state $s_2$ is reachable from the initial state (i.e., $\gamma \in \Gamma(A)$) iff $\gamma(c) = n \cdot \gamma(a) + \gamma(b)$ for some $n \in \mathbb{N}$.
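As an added example (not code from the paper), the transition relation $\delta_\gamma$, the accepted language $L_\gamma(A)$ and membership in $\Gamma(A)$ worked out in Python on a constructed three-state automaton in the spirit of Figure 1; since the figure is not reproduced here, the edge guards are an assumption chosen so that $\gamma$ is consistent iff $\gamma(c) = n \cdot \gamma(a) + \gamma(b)$, and consistency over $\mathbb{N}$ is decided by a bounded search.

```python
from collections import deque

# Constructed example (not the paper's Figure 1 verbatim) of a parametric timed
# automaton over a unary alphabet with clocks x, y and parameters a, b, c. It is
# built so that gamma is consistent iff gamma(c) = n*gamma(a) + gamma(b) for some n.
# Edge format: (source, target, guard(clock values, gamma) -> bool, clocks to reset).
EDGES = [
    ("s0", "s1", lambda v, g: v["x"] == g["b"], {"y"}),                 # wait b, start y
    ("s1", "s1", lambda v, g: v["y"] == g["a"], {"y"}),                 # one period of a
    ("s1", "s2", lambda v, g: v["x"] == g["c"] and v["y"] == 0, set()),  # accept at c
]
CLOCKS = ("x", "y")
INITIAL, FINAL = "s0", {"s2"}

def step(state, clocks, delay, gamma):
    """delta_gamma on one timed letter (sigma, t): let t time units elapse, then take
    every enabled edge, resetting its clocks. Returns the set of successor
    configurations as (state, tuple of (clock, value)) pairs."""
    advanced = {z: clocks[z] + delay for z in CLOCKS}
    succ = set()
    for src, dst, guard, resets in EDGES:
        if src == state and guard(advanced, gamma):
            succ.add((dst, tuple((z, 0 if z in resets else advanced[z]) for z in CLOCKS)))
    return succ

def accepts(timed_word, gamma):
    """Is the timed word (a tuple of delays, since the alphabet is unary) in L_gamma(A)?"""
    configs = {(INITIAL, tuple((z, 0) for z in CLOCKS))}
    for delay in timed_word:
        configs = {c for s, v in configs for c in step(s, dict(v), delay, gamma)}
    return any(s in FINAL for s, _ in configs)

def consistent(gamma, horizon):
    """Bounded check that gamma is in Gamma(A) over the time domain N: breadth-first
    search over configurations with integer delays, pruning once a clock exceeds
    `horizon`. Returns a witness timed word, or None if no final state is reached."""
    start = (INITIAL, tuple((z, 0) for z in CLOCKS))
    queue, seen = deque([(start, ())]), {start}
    while queue:
        (state, clocks), word = queue.popleft()
        if state in FINAL:
            return word
        for delay in range(horizon + 1):
            for nxt in step(state, dict(clocks), delay, gamma):
                if nxt not in seen and all(val <= horizon for _, val in nxt[1]):
                    seen.add(nxt)
                    queue.append((nxt, word + (delay,)))
    return None
```

The search is only complete up to `horizon`; for the general problem this is exactly the emptiness question the paper studies, so the bound is an assumption of the example, not of the theory.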
Real-time verification
Parametric timed automata can be used to solve verification problems for real-time systems. In automata-theoretic verification (cf. [31, 5, 22]), a finite-state system is modeled by an automaton: the set of words accepted by the automaton corresponds to the possible behaviors of the system. While automata on infinite words can be used to deal with nonterminating processes, for verifying safety properties it suffices to consider automata over finite words.
We specify each concurrent process of a finite-state real-time system as a parametric timed automaton.
For a given parameter valuation, the possible behaviors of the system are those timed words whose projections are accepted by the component automata. Let $L_i$, $i = 1, 2$, be two timed languages over the alphabets $\Sigma_i$. We write $L_1 \cap L_2$ for the timed language over the alphabet $\Sigma_1 \cup \Sigma_2$ that contains all timed words whose $\Sigma_1$-projection is in $L_1$ and whose $\Sigma_2$-projection is in $L_2$ (the $\Sigma_i$-projection of a timed word is obtained by repeatedly replacing each two-element substring $(\sigma, t) \cdot (\sigma', t')$ with $\sigma \notin \Sigma_i$ by the pair $(\sigma', t + t')$). Given two parametric timed automata $A_1$ and $A_2$, we can define another parametric timed automaton, the product automaton $A_1 \otimes A_2$ (using a product construction similar to the one in [5]), such that for all parameter valuations $\gamma$,
A system is modeled, then, by a product automaton $\bigotimes_i A_i$. We specify the correctness condition of the system by another parametric timed automaton, $B$, which accepts the "bad" or undesirable behaviors (i.e., the complement of the safety property to be verified).
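The $\Sigma_i$-projection and the intersection $L_1 \cap L_2$ defined above, as an added example that is not from the paper: the two component languages are constructed membership predicates over the alphabets {send, ack} and {send, retry}, so that the delay carried over by a dropped symbol is visible in the result.

```python
# Added illustration of the Sigma_i-projection of timed words and of the intersection
# L1 ∩ L2 defined in the text. A timed word is a tuple of (symbol, delay) pairs, the
# delay being the time elapsed since the previous symbol. The two languages below are
# constructed membership predicates, not automata from the paper.

def project(word, sigma_i):
    """Repeatedly replace (sigma, t).(sigma', t') with sigma not in sigma_i by
    (sigma', t + t'): every dropped symbol's delay is carried to the next kept one.
    Assumption: a trailing symbol outside sigma_i has no successor and is dropped."""
    out, carry = [], 0
    for symbol, delay in word:
        if symbol in sigma_i:
            out.append((symbol, carry + delay))
            carry = 0
        else:
            carry += delay
    return tuple(out)

def in_intersection(word, lang1, sigma1, lang2, sigma2):
    """Membership in L1 ∩ L2 over Sigma1 ∪ Sigma2: both projections must be accepted."""
    return lang1(project(word, sigma1)) and lang2(project(word, sigma2))

def ack_within(bound):
    """Constructed L1 over {send, ack}: every ack directly follows a send, at most
    `bound` time units later."""
    return lambda w: all(sym != "ack" or (i > 0 and w[i - 1][0] == "send" and d <= bound)
                         for i, (sym, d) in enumerate(w))

def retry_after(gap):
    """Constructed L2 over {send, retry}: every retry directly follows a send and comes
    at least `gap` time units later."""
    return lambda w: all(sym != "retry" or (i > 0 and w[i - 1][0] == "send" and d >= gap)
                         for i, (sym, d) in enumerate(w))

SIGMA1, SIGMA2 = {"send", "ack"}, {"send", "retry"}
```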
It follows that for a parameter valuation $\gamma$, the system is incorrect precisely when the automaton $\bigotimes_i A_i$ generates a bad behavior that is accepted by the automaton $B$; that is, iff $\gamma \in \Gamma(A)$ for the product automaton $A = (\bigotimes_i A_i) \otimes B$. Equivalently, the system is correct for given delay values $\gamma$ iff $\gamma \notin \Gamma(A)$.

Henceforth, we will assume that $|\Sigma| = 1$ and omit the edge labels $a$. We will use existentially quantified formulas of arithmetic with addition and order for defining sets of parameter valuations.
To be precise, a linear formula $\phi$ over a set $X$ of variables is of the form $(\exists Y.\, \psi)$, where $\psi$ is a quantifier-free formula over the variables in $X \cup Y$ that is formed using the primitives $=$, $<$, $+$, $\wedge$, $\vee$, and integer constants. Such a formula $\phi$ specifies a set of $|X|$-tuples of values from $T$. Given a linear formula $\phi$, it is decidable to check whether $\phi$ is satisfiable, both when the variables are interpreted over the natural numbers and when they are interpreted over the nonnegative reals [14]. Also, for formulas $\phi$ and $\psi$ with the same set of free variables, it is decidable to check whether $\phi$ and $\psi$ specify the same set.
A Decidability Result
A crucial resource of a parametric timed automaton is the number of clocks it employs.
In this section,

The intended meaning of this formula is that for every parameter valuation $\gamma$, the formula $\phi_{ij}$ specifies a binary relation over $\mathbb{N}$: for clock values $t$ and $t'$, the machine configuration $(s_j, t')$ is reachable from $(s_i, t)$

(1) Suppose that $\phi$ contains a disjunct $\phi'$ of the form $(x' = a) \wedge \chi$. Let $\phi$ be $\phi' \vee \phi''$ (note that disjunction commutes, and $\phi''$ may be false). Then $\phi^*$ is $\phi''^* \vee (\phi''^* \cdot \phi' \cdot \phi''^*)$, where $\mathit{false}^*$ is $(x' = x)$.
(2) Suppose that $\phi$ is $\bigvee_{1 \le l \le n} \phi_l$, where each $\phi_l$ is of the form $(x' = x + a_l) \wedge \psi_l$. Let $l = l_1, \ldots, l_k$ be a sequence such that $1 \le l_j \le n$ for each $l_j$, and each integer appears at most twice in the sequence $l$.
There are only finitely many such sequences. For each such sequence $l$, the formula $\phi^*$ contains a disjunct
The formula $\chi_i$, for $1 \le i < k$, stands for

One of the correctness requirements for the system is the following safety condition:
Whenever the train is inside the gate, the gate should be closed.
To test this safety property, we obtain an automaton $A$ from the product TRAIN $\otimes$ GATE $\otimes$ CONTROLLER by requiring that a state $(s_1, s_2, s_3)$ of the product is an accepting state iff $s_1 = 2$ (i.e., the train is inside the crossing) and $s_2 \neq 2$ (i.e., the gate is not closed). A parameter valuation $\gamma$ belongs to $\Gamma(A)$ iff the safety property does not hold. The reader can check that $\gamma \in \Gamma(A)$ iff $\gamma(a) < \gamma(d) + \gamma(\ldots)$.
Undecidability of Emptiness
We now show that the emptiness problem for parametric timed automata is in general undecidable. Indeed, undecidability ensues even if we restrict the number of clocks to three, and the proof applies to both possible choices of the time domain $T$.
THEOREM [Undecidability of emptiness]. Given a parametric timed automaton $A$, the problem of deciding if $\Gamma(A)$ is empty is undecidable.
PROOF. We reduce the halting problem for 2-counter machines to the problem of testing if there exists a consistent parameter valuation. Consider a 2-counter machine $M$ with two counters $C_1$ and $C_2$. The halting problem is to decide if $M$ reaches a configuration $(l_n, c_1, c_2)$ for some $c_1$ and $c_2$. We construct a parametric timed automaton $A_M$ with three clocks such that $\Gamma(A_M)$ is nonempty iff $M$ halts. The theorem follows.
The automaton $A_M$ uses three clocks $x$, $y$, and $z$, and the set of parameters is $\{a, a_{-1}, a_{+1}, b, b_{-1}, b_{+1}\}$. The automaton has a start state $s_0$, a state $l_j$ corresponding to each possible value of the control variable $l$, and some auxiliary states.
We want that for a parameter valuation $\gamma$, a configuration $(l_j, v)$ of $A_M$ is reachable iff $v(z) = 0$ and the configuration
Using some auxiliary states and appropriate edges between them, we add a path between $s_0$ and $l_1$ such that for a given $\gamma$, the configuration $(l_1, v)$ is reachable from $(s_0, v')$ iff $\gamma(a) =$
Symbolic computation
Even though the problem of testing the emptiness of $\Gamma(A)$ is in general undecidable, we can attempt to construct a logical formula that explicitly represents the set $\Gamma(A)$.
Methods that use symbolic fixpoint computation for this purpose have been developed

We consider a simple class of (nondeterministic) 1-register machines. Such a machine consists of a finite-state control and one register that can hold any integer value. The input to the machine is an interpretation $\gamma$ that assigns natural numbers to a finite set $P$ of input variables; the initial value of the register is 0. Each instruction can add one of the input variables to the register, subtract one of the input variables from the register, or nondeterministically change the location of the control depending on whether the register value is negative, zero, or positive.
The machine accepts the input $\gamma$ iff a sequence of instructions leads from an initial state to a final state. A 1-register machine is restricted iff whenever an input variable is added to the register, the resulting register value must be nonnegative, and whenever an input variable is subtracted, the resulting register value must be nonpositive.
We can reduce the emptiness problem for restricted 1-register machines to the emptiness problem for parametric timed automata with two clocks. The parametric timed automaton constructed from $M$ has two clocks, $x$ and $y$, and a state for each control location of the 1-register machine $M$. The value of the register is encoded by the clock difference $x - y$. The register machine instruction that adds (or subtracts) the input variable $a$ to the register corresponds, then, to a transition labeled with $(y = a,\ y := 0)$ (or $(x = a,\ x := 0)$, respectively).
Transition labels of the form $(x - y) \sim 0$, for $\sim \in \{=, <, >\}$, which correspond to test instructions, can be eliminated by duplicating each state so that all states have at most one incoming transition.
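The two-clock encoding of a restricted 1-register machine described above, as an added example that is not the paper's construction: it runs a constructed add/subtract program on the register and follows the corresponding clock edges side by side, showing that the guard $y = a$ (resp. $x = a$) is enabled exactly when the restriction on the register holds; test instructions are omitted, and the program and inputs are constructed.

```python
# Added illustration (not the paper's construction verbatim) of the two-clock encoding
# of a restricted 1-register machine: the register value is the clock difference x - y,
# "add a" is the edge (y = a, y := 0) and "subtract a" is the edge (x = a, x := 0).
# Test instructions are left out; a program is a list of ("add" | "sub", variable).

def run_register_machine(program, inputs):
    """Execute the instructions on the register under the restriction that an add
    must leave the register nonnegative and a subtract must leave it nonpositive.
    Returns the trace of register values, or None if the restriction is violated."""
    r, trace = 0, [0]
    for op, var in program:
        r = r + inputs[var] if op == "add" else r - inputs[var]
        if (op == "add" and r < 0) or (op == "sub" and r > 0):
            return None
        trace.append(r)
    return trace

def run_clock_encoding(program, gamma):
    """Follow the corresponding automaton edges. The guard y = a (resp. x = a) can
    only become true by letting time pass, so it is enabled iff the guarded clock has
    not already exceeded gamma[var]; since x - y is invariant under delay, the edge
    adds (resp. subtracts) exactly gamma[var]. Returns the trace of x - y, or None
    when the run gets stuck, which happens exactly where the restriction fails: after
    every step one clock is 0 and the other is |x - y|."""
    x = y = 0
    trace = [x - y]
    for op, var in program:
        guarded = y if op == "add" else x
        if guarded > gamma[var]:
            return None
        delay = gamma[var] - guarded        # wait until the guard holds
        x, y = x + delay, y + delay
        if op == "add":
            y = 0
        else:
            x = 0
        trace.append(x - y)
    return trace
```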
