In this paper we present a fully symbolic TCTL model checking algorithm for real-time systems represented in a formal model called finite state machine with time (FSMT), which works on fully symbolic state sets containing both the clock values and the state variables. Our algorithm is able to verify TCTL properties on complete and incomplete FSMTs containing unknown components. For that purpose over-approximations of state sets fulfilling a TCTL property φ for at least one implementation of the unknown components and under-approximations of state sets fulfilling φ for all possible implementations of the unknown components are computed. We present two different methods to convert timed automata to FSMTs. In addition to FSMTs simulating pure interleaving behaviour of timed automata we can produce FSMTs with a parallelized interleaving behaviour which allows parallelism of conflict-free transitions. This can dramatically reduce the number of steps during verification. Our prototype implementation outperforms the state-of-the-art model checkers UPPAAL and RED on complete systems, and on incomplete systems our tool is able to prove interesting properties when parts of the system are unknown.
Introduction
Both the application areas and the complexity of real-time systems have grown with an enormous speed during the last decades. Moreover, in many applications the correct operation of real-time systems is safety-critical, which makes verification crucial. Timed automata [3, 4] have become a standard for modelling real-time systems. They extend finite automata to the real-time domain by adding real-valued clock variables used to represent time. Verifying safety properties of timed automata can be reduced to the computation of all states from which unsafe states can be reached and checking whether some initial states are included in this set of states (backward model checking) or to the computation of all states which can be reached from the initial states and checking whether some unsafe states are included in this set of states (forward model checking).
Model checking approaches for timed automata can be classified into semi-symbolic and fully symbolic approaches. Semi-symbolic approaches represent discrete locations explicitly whereas sets of clock valuations are represented symbolically, e.g. by unions of clock zones. Clock zones are convex regions that result from an intersection of clock constraints of the form $x_i \sim d$ and $x_i - x_j \sim d$ where $d \in \mathbb{Q}$, $\sim\, \in \{<, \le, =, \ge, >\}$ and $x_i, x_j$ are clock variables. Fully symbolic approaches represent the complete state set (including valuations of both clocks and discrete variables) by a single data structure. In Section 3 we provide a more detailed review of data structures for semi-symbolic and symbolic representation of timed systems.
In this work, we present a fully symbolic model checking algorithm for a formal model for real-time systems, called finite state machines with time (FSMT), which represents real-time systems by symbolic transition functions and reset conditions. FSMTs have an elegant definition of parallel composition (where communication is performed by reading each other's state variables, reading shared input variables and shared clocks). In contrast to timed automata where parallel composition may lead to a blowup in the number of locations, the parallel composition of FSMTs just needs linear space due to the symbolic representation.
In order to verify timed automata (with additional integer variables in the state space) we present a method to convert a timed automaton into an FSMT. In addition to normal interleaving semantics (i.e. asynchronous semantics) for discrete steps of timed automata we give a symbolic representation of an FSMT simulating a 'parallelized interleaving' behaviour, which allows parallelism of transitions causing no conflicts. This parallelized interleaving behaviour can dramatically reduce the number of steps during verification.
In contrast to [1] , we do not consider invariants in timed automata or FSMTs. Invariants are a well-known means to enforce progress in timed automata. However, when considering parallel composition of several timed automata, invariants are a hidden way of communication between several components. By using invariants it is possible that a component A enforces that a synchronising transition in component B is taken without any time delay. By differentiating between urgent and non-urgent synchronisation actions we make this hidden communication mechanism explicit in the interface of the components.
The first part of the paper is dedicated to complete systems with possible non-determinism, but without any interaction with an environment, i.e. closed systems. We present a fully symbolic model checking algorithm for complete FSMTs able to verify complex TCTL properties. Our algorithm uses LinAIGs ('And-Inverter-Graphs with linear constraints') [5] [6] [7] to describe the state space. LinAIGs provide a fully symbolic representation both for the continuous part (i.e. the clock values) and the discrete part (i.e. the state variables). For state space compaction LinAIGs profit to a large extent from the enormous progress made in the area of SAT and SMT (SAT modulo theories) solving [8, 9] . For the quantification of real-valued variables, LinAIGs make use of the Weispfenning-Loos test point method [10] which is especially suitable for LinAIG representations.
In the second part we extend our consideration to the verification of incomplete timed systems, i.e., timed systems that contain unknown components. Unknown components are called 'Black Boxes', whereas all known components are combined into the so-called 'White Box'. As for complete systems, there is no environment influencing the behaviour of an incomplete system. However, the white box interacts with the black box which plays a role similar to an environment of open systems. In contrast to an abstract 'environment' which enables or disables transitions synchronising with the environment, black boxes represent unknown component timed automata.
Our verification algorithm deals with different communication methods between the white box and the black box, namely shared integer variables and urgent and non-urgent synchronisation. Here we address two interesting questions: The question whether there exists a replacement of the black box such that a given property is satisfied ('realisability') and the question whether the property is satisfied for all possible replacements ('validity').
The verification of incomplete timed systems can provide three major benefits: (1) Certain verification steps can be performed at early stages of the design of a timed system, when parts of the overall system may not yet be finished, so that errors can be detected as early as possible. (2) Complex parts of a complete timed system can be abstracted away and just the relevant components for verifying a certain property are considered. (3) Finally, the location of design errors in timed systems not satisfying some property can be narrowed down by iteratively masking potentially erroneous components.
Our approach is not restricted to the verification of safety properties, but provides fully symbolic methods to do full TCTL model checking both for complete and incomplete timed systems. For incomplete systems we use over-approximations of state sets satisfying a TCTL property φ for at least one black box implementation and under-approximations of state sets satisfying φ for all possible black box implementations. Using these sets, we provide sound proofs of validity and non-realisability.
The paper is organised as follows. In Section 2 we give a brief review of timed automata, of TCTL, and LinAIGs. Here we also give more details on using urgent and non-urgent communication instead of invariants. In Section 3 we compare our approach to related work. Then we give a review of finite state machines with time (FSMT) in Section 4. In Section 5 we prepare the translation of timed automata into FSMTs by proposing two options for handling discrete steps: the optimised parallelized interleaving semantics for accelerating state space traversal and the pure interleaving semantics which corresponds to the standard asynchronous interleaving of several components. Then we present details on the translation of timed automata into FSMTs in Section 6. Our model checking algorithm for complete systems is given in Section 7. After introducing incomplete real-time systems in Section 8, we present a model checking approach for incomplete systems in Section 9, including a conversion of incomplete timed systems into incomplete FSMTs. We conclude the paper in Section 11 after presenting experimental results in Section 10.
1 In a network of timed automata, transitions in different components labelled with the same action are taken simultaneously. If a transition in a timed automaton is not labelled by any action, it can only be taken if all other timed automata stay in their current location.
Resets are assignments to clock variables of the form $x_i := 0$.
A transition in a timed automaton may be declared as urgent. Whenever an urgent transition in the system is enabled, the current location must be left without any delay. Just like transitions, actions may be declared as urgent. Let a u be an urgent action. If several timed automata are composed in parallel and in all components containing a u -transitions a transition labelled with a u is enabled, then there must not be any time delay before taking a transition. Timed automata are formally defined as follows:
Definition 1 (Timed automaton).
A timed automaton TA is a tuple $\langle L, l_0, X, Act, Int, lb, ub, E, AP, lab\rangle$, where $L$ is a finite set of locations, $l_0 \in L$ is an initial location, $X := \{x_1, \ldots, x_n\}$ is a finite set of real-valued clock variables, $Act = Act_{nu} \cup Act_u$, with $Act_{nu} \cap Act_u = \emptyset$. $Act_{nu}$ is a finite set of non-urgent synchronisation actions and $Act_u$ is a finite set of urgent synchronisation actions. $Int = \{int_1, \ldots, int_m\}$ is a finite set of bounded integer variables, $lb : Int \to \mathbb{Z}$ assigns a lower bound to each $int_i \in Int$, for $1 \le i \le m$, and $ub : Int \to \mathbb{Z}$ assigns an upper bound to each $int_i \in Int$, with $lb(int_i) \le ub(int_i)$ for
L is a set of transitions, with $E = E_{nu} \cup E_u$. $E_{nu} = \{\langle l, g_e, act, r_e, assign_e, l'\rangle \in E \mid act \in Act_{nu} \cup \{{}_{nu}\}\}$ is the set of non-urgent transitions from source location $l$ to destination location $l'$ labelled with guard $g_e$, action $act$, resets $r_e$ and assignments to integers $assign_e$, and $E_u = \{\langle l, g_e, act, r_e, assign_e, l'\rangle \in E \mid act \in Act_u \cup \{{}_u\}\}$ is the set of urgent transitions from source location $l$ to destination location $l'$ labelled with guard $g_e$, action $act$, resets $r_e$ and assignments to integers $assign_e$. $Ass$ is a subset of $2^{Assign(Int)}$ where each set contains at most one assignment to an integer variable from $Int$. If for $e = \langle l, g_e, act, r_e, assign_e, l'\rangle \in E$ it holds that $act \in Act$, then we call $e$ a transition with a (non-urgent or urgent) synchronisation action; if $act \in \{{}_{nu}, {}_u\}$ then we call $e$ a (non-urgent or urgent) transition without synchronisation action. $AP$ is a set of atomic propositions and $lab : L \to 2^{AP}$ assigns a subset of atomic propositions to each location.
A state $s = \langle l, \eta, \mu\rangle$ in a timed automaton consists of a location $l$, a clock valuation $\eta$ which assigns a non-negative real value to each clock variable $x \in X$, and an integer valuation $\mu$ which assigns an integer value to each integer variable $int \in Int$ with $lb(int) \le \mu(int) \le ub(int)$. For a clock valuation $\eta$ and $\lambda \in \mathbb{R}_{\ge 0}$, $\eta + \lambda$ means the clock valuation $\eta'$ with
Definition 2 (Semantics of a timed automaton).
Let $TA = \langle L, l_0, X, Act, Int, lb, ub, E, AP, lab\rangle$ be a timed automaton.
• There is a continuous transition s 
, $r_e$, $assign_e$, $l'\rangle \in E$ with $act \in Act \cup \{{}_u, {}_{nu}\}$ and $(\eta, \mu)$ satisfies the guard $g_e$, $\eta'(x_i) = 0$ for $x_i \in r_e$ and $\eta'(x$
$\in r_e$, and $\mu'$ results from $\mu$ by applying the assignments in $assign_e$.
• →=
A timed system is a system of $p$ timed automata $\{TA_1, \ldots, TA_p\}$. It has an interleaving semantics, i.e., transitions in different timed automata may not be taken simultaneously unless they synchronise over non-urgent or urgent actions. As usual, the composition of $p$ timed automata is again a timed automaton.
G. Morbé, C. Scholl / Science of Computer Programming
$\xrightarrow{\lambda}_{c} \;\cup\; \xrightarrow{act}_{d}$,
Definition 4 (Timed system).
, lab where lab assigns a subset of propositions with lab(l
, and $E$ is the smallest set with the following property: act there is a unique timed automaton $TA_i$ that is allowed to have transitions which are labelled by $act$ and perform assignments to $int$. In well-formed systems write-conflicts on integer variables cannot occur. We only consider well-formed timed systems.
In the literature (e.g. [11]) locations are connected with so-called invariants as an alternative to urgent transitions and urgent actions. Invariants in timed automata are conjunctions of clock constraints of the form $x_i \sim d$ with $\sim\, \in \{<, \le\}$, $d \in \mathbb{Q}_{\ge 0}$. A timed automaton is only allowed to stay in a location as long as the location invariant is not violated. Invariants, just as urgency, are used to enforce discrete (synchronising or non-synchronising) transitions (i.e. they limit the duration of stay in a location). Especially for synchronisations between different components we prefer urgency instead of invariants to enforce a certain discrete behaviour in the system. We do not allow invariants in this paper, because they are a hidden way of communication between several components. Let us consider just two components A and B. Usually, a synchronisation between A and B via a synchronisation action $act$ may or may not be performed immediately after it has been enabled. However, by making use of invariants it is possible that component A enforces that the synchronising transition in B is taken without any time delay. We propose to make this hidden communication mechanism explicit: We differentiate between urgent synchronisation actions by which the time evolution can be stopped and an immediate reaction can be enforced and "normal" (non-urgent) synchronisation actions. Thus we declare urgency or non-urgency as a property of the interface of the components.
In the following we show that disallowing invariants is, however, not a real restriction, because it is easy to see that for each timed automaton with closed location invariants there is a semantically equivalent timed automaton (i.e., a timed automaton allowing the same trajectories) with urgency and without invariants.
Lemma 1. For each timed automaton without urgency and with closed location invariants there exists a semantically equivalent timed automaton with urgency and without invariants.
We give a brief sketch of the needed transformation and illustrate it in Figs. 1(a) and 1(b). Consider a location $l$ in timed automaton $TA$ with an invariant of the form $x \le n$ with $n \in \mathbb{Q}$ and $x$ a clock variable. When transforming $TA$ into a semantically equivalent timed automaton $TA'$, $l$ is copied into an equivalent location $l'$ without invariant. For each incoming transition of $l'$ without reset on $x$ an additional guard of the form $x \le n$ is added to guarantee that $l'$ cannot be entered with a clock value $x > n$.
For each outgoing non-synchronising (and non-urgent) transition $e$ of $l$ with a guard $g$ with $g \wedge (x = n) = \mathit{false}$, there are two edges in the copy: One non-urgent transition with all original labels and one urgent transition with the additional guard $x = n$ corresponding to the boundary of the invariant (see Fig. 1(a)). For a transition leaving $l$ labelled with a synchronising (and non-urgent) action $a$, there are two transitions in $TA'$ as well: The original transition and an additional transition with identical labels, apart from the additional guard $(x = n)$ and a new urgent action $a_u$ replacing the original action $a$ (see Fig. 1(b)). In other components from $A(a)$ composed in parallel, transitions which were originally labelled by $a$ are also duplicated into two edges, one with the non-urgent action $a$ and one with the new urgent action $a_u$. This transformation is done successively for all components from $A(a)$. Removing invariants from the next component in $A(a)$ may introduce again transitions with new urgent actions $a_u$ into all components in $A(a)$ and so on. In the worst case the components can increase by a factor $\max_{a \in Act} |A(a)|$.
This has the effect that whenever in l the value of x is n a discrete transition must be taken to leave the location. If the timed automaton is not timelock-free, then we finally add an urgent self loop to l which is labelled by the guard x = n in order to preserve possible time-locks due to the invariant x ≤ n.
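The following is an added worked example of the invariant-removal transformation sketched above; it is illustration code written for this edit, not code from the paper or from the authors' prototype. It assumes a small hypothetical data model (guards as conjunctions of atomic clock constraints, invariants as a single closed constraint x ≤ n per location), a constructed naming scheme for the fresh urgent action introduced per component (a_u_<component>, which is what bounds the blow-up by max |A(a)|), and reads the guard condition of the sketch as "duplicate the edge only when its guard admits x = n", which the helper admits checks.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Hypothetical data model for this example (not the paper's): a guard is a
# conjunction of atomic clock constraints (clock, op, bound); an invariant is
# one closed constraint x <= n stored as invariants[loc] = (x, n).

@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    guard: tuple = ()             # e.g. (("x", ">=", 1),)
    action: Optional[str] = None  # synchronisation action, None = no action
    resets: frozenset = frozenset()
    urgent: bool = False

@dataclass
class TimedAutomaton:
    name: str
    init: str
    transitions: list
    invariants: dict              # loc -> (clock, n), meaning clock <= n
    timelock_free: bool = True

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def admits(guard, clock, n):
    """True iff the conjunctive guard is consistent with clock == n; conjuncts
    on other clocks do not constrain this clock and are therefore ignored."""
    return all(OPS[op](n, bound) for c, op, bound in guard if c == clock)

def urgent_action(action, component):
    # Constructed naming scheme: one fresh urgent action per (action, component).
    return f"{action}_u_{component}"

def duplicate_action(ta, action, new_action):
    """Give every non-urgent `action`-edge of ta an urgent twin labelled new_action."""
    ta.transitions += [replace(e, action=new_action, urgent=True)
                       for e in ta.transitions if e.action == action and not e.urgent]

def remove_invariants(system):
    """Lemma 1 sketch applied to a list of TimedAutomaton components (mutated in place)."""
    for ta in system:
        introduced = set()
        for loc, (x, n) in list(ta.invariants.items()):
            boundary = (x, "==", n)
            updated = []
            for e in ta.transitions:
                # incoming edges that do not reset x may not enter with x > n
                if e.dst == loc and x not in e.resets:
                    e = replace(e, guard=e.guard + ((x, "<=", n),))
                updated.append(e)
                # outgoing non-urgent edges get an urgent twin forced at x == n
                if e.src == loc and not e.urgent and admits(e.guard, x, n):
                    twin = replace(e, guard=e.guard + (boundary,), urgent=True)
                    if e.action is not None:  # synchronising: fresh urgent action
                        twin = replace(twin, action=urgent_action(e.action, ta.name))
                        introduced.add(e.action)
                    updated.append(twin)
            if not ta.timelock_free:  # preserve a possible timelock at x == n
                updated.append(Transition(loc, loc, (boundary,), None, frozenset(), True))
            ta.transitions = updated
            del ta.invariants[loc]
        # every other component in A(a) must offer the new urgent action as well
        for action in introduced:
            for other in system:
                if other is not ta:
                    duplicate_action(other, action, urgent_action(action, ta.name))
    return system

def build_example():
    """Constructed two-component system: A has invariant x <= 2 in l0, B syncs on a."""
    a = TimedAutomaton("A", "l0", [
        Transition("l0", "l1", (("x", ">=", 1),), "a"),     # synchronising edge
        Transition("l0", "l2", (("x", ">=", 1),)),          # local edge, admits x == 2
        Transition("l0", "l2", (("x", "<", 1),)),           # local edge, cannot fire at x == 2
        Transition("l1", "l0", (), None, frozenset({"x"})), # resets x: no extra guard
        Transition("l2", "l0", ()),                         # no reset: gets guard x <= 2
    ], {"l0": ("x", 2)})
    b = TimedAutomaton("B", "m0", [Transition("m0", "m1", (), "a")], {})
    return [a, b]

if __name__ == "__main__":
    for ta in remove_invariants(build_example()):
        print(ta.name, "invariants left:", ta.invariants)
        for e in ta.transitions:
            print("  ", e)
```

Running it shows component A without invariants but with an urgent twin of each outgoing edge that can fire at x = 2 (the synchronising one renamed to a_u_A), the guard x ≤ 2 added to the incoming edge from l2, and component B offering a_u_A next to a; setting timelock_free = False on A additionally yields the urgent self-loop on l0.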
If we consider incomplete timed systems which contain (apart from components defining the white box) a black box and an interface between the white box and the black box including a non-urgent action a, then the transformation sketched above applied to the white box components may introduce new urgent actions a u as described above into the interface.
A similar technique is used in the context of timed games where "forced transitions" labelled with upper limits of invariants are added in order to prevent one player from forcing the system into a timelock [12] . Bornot et al. in [13] introduce timed automata with deadlines which provide a general model for enforcing time progress conditions in locations. Transitions are additionally labelled with a deadline. Once the deadline of a transition is violated this transition becomes urgent and time progression is stopped. Urgency does only stop time and does not grant a higher priority to the transition with a violated deadline.
Timed computation tree logic
Timed CTL [14] [15] [16] is an extension of the temporal logic CTL [17] used to express properties for real-time systems.
Definition 5 (Syntax of TCTL).
The syntax of TCTL is composed of state formulas and path formulas. TCTL state formulas over a set AP of atomic propositions, a set X of clock variables and a set Int of integer variables of a timed automaton TA are defined according to the following grammar:
with $ap \in AP$ being an atomic proposition in TA, $cc \in C(X)$ an atomic clock constraint and $ic \in C(Int)$ an atomic integer constraint. $\varphi$ is a path formula defined by: $\varphi ::= \ \mathrm{U}_J$ with $J \subseteq \mathbb{R}_{\ge 0}$ being an interval whose bounds are either rational numbers or infinite.
The basic state formulas are defined as usual. For a state s = l, η, μ , an atomic proposition ap holds if ap ∈ lab(l). The clock constraint cc holds if η satisfies cc and the integer constraint ic holds if μ satisfies ic. As usual, E ϕ holds in a state s when there exists a time-divergent path which starts in s, and satisfies the path formula ϕ. A ϕ holds in a state s when ϕ is satisfied on all time-divergent paths starting in s.
Intuitively, a path satisfies $\mathrm{U}_J$ whenever at some point in $J$, a state satisfying is reached and at all previous time instants ∨ holds. Let $\pi$ be a time-divergent path. Let $\lambda_i$ be the time delay of transition $s_i \to s_{i+1}$ on $\pi$, with $\lambda_i = 0$ when $s_i \to s_{i+1}$ is a discrete transition and
The LinAIG data structure
We have implemented a prototype of a TCTL model checking algorithm for complete and incomplete systems using LinAIGs [5] [6] [7] for representing sets of states. LinAIGs are able to provide a compact representation for arbitrary boolean combinations of linear constraints and boolean variables. LinAIGs (see Fig. 2) consist of both a boolean and a continuous part. The boolean part of LinAIGs is represented by functionally reduced And-Inverter-Graphs (FRAIGs) [18, 19], which basically are boolean circuits consisting only of and gates and inverters. In order to represent the continuous part, LinAIGs use a set of boolean constraint variables $Q$ where each linear constraint is encoded by some $q_l \in Q$.
Apart from boolean operations and substitutions, LinAIGs support quantification of boolean and real variables and thus fit exactly the technical needs of our implementation of a fully symbolic TCTL model checker. For the quantification of real-valued variables, LinAIGs make use of the Weispfenning-Loos test point method [10]. For keeping the overall representation as compact as possible, LinAIGs make heavy use of SAT modulo theories (SMT) solvers [8, 9]. SMT solvers are used to prove that nodes represent equivalent predicates and thus can be merged. Moreover, they are used to detect and remove 'redundant linear constraints', i.e., constraints which are present in the current LinAIG but not really needed for describing the represented predicate. This operation [6] fights the increase in the number of linear constraints / boolean constraint variables potentially introduced by the Weispfenning-Loos test point method. Since in our application the linear constraints are restricted to clock constraints, we do not need SMT solvers for full linear arithmetic, but only for difference logic, which can be solved much more efficiently.
Related work
Our approach is based on finite state machines with time (FSMTs) [1] as a formal model for real-time systems and on LinAIGs ('And-Inverter-Graphs with linear constraints') [5] [6] [7] as a fully symbolic representation of FSMTs. Related approaches model real-time systems by timed automata [3, 4] and use either semi-symbolic or fully symbolic state set representations.
Semi-symbolic approaches like UPPAAL [11, 20] represent discrete locations of timed automata explicitly whereas sets of clock valuations are represented symbolically, e.g. by unions of clock zones. In UPPAAL, clock zones in turn are represented by so-called difference bound matrices (DBMs) which are manipulated by efficient methods. These techniques are well-suited when the sizes of the discrete state space and the numbers of different clock regions per location remain moderate. Clock Difference Diagrams (CDDs) [21] make the attempt to represent unions of clock zones more compactly. CDDs are BDD-like data structures where nodes are labelled by clock differences $x_i - x_j$ and the outgoing edges of nodes are labelled by (disjoint) intervals of rational numbers. Clock Restriction Diagrams (CRDs) [22] are a variant of CDDs where outgoing edges of nodes are labelled by upper bounds for clock differences instead of disjoint intervals. CRDs were combined with BDDs (leading to CRD+BDDs) to provide a fully symbolic representation of the state space in the tool RED [22]. Another fully symbolic representation has been given by difference decision diagrams (DDDs) [23] which are basically BDD representations where the decision variables are boolean abstractions of clock constraints $x_i - x_j \sim d$. Computing all states reachable by evolution of time amounts to the existential quantification of a real-valued variable. Both for CRD+BDDs and DDDs this quantification is performed based on the classical Fourier-Motzkin technique which requires enumerating all paths in the diagram. Restricted to a path representing a conjunction of clock constraints, the Fourier-Motzkin technique is strongly related to quantifier elimination in DBMs by the shortest-path closure [24].
As in DDDs, Seshia and Bryant [25] consider BDD representations using boolean abstractions of clock constraints, however they reduce real-valued quantifier elimination to adding so-called transitivity constraints followed by a series of quantifications for boolean variables. As another data structure Clock Matrix Diagrams (CMDs) have been introduced [26] . CMDs basically correspond to CRD+BDDs where sequences of edges representing convex constraints are collapsed into single edges labelled by DBMs and boolean variables are restricted to the lowest levels in the variable orders.
The LinAIG data structure used in this paper provides compact state set representations by making profit from the enormous progress made in the area of SAT and SMT (SAT modulo theories) solving [8, 9] . For the quantification of real-valued variables, LinAIGs make use of the Weispfenning-Loos test point method [10] which is especially suitable for LinAIG representations.
Our translation of timed automata into FSMTs uses 'parallelized interleaving' as an alternative to 'normal interleaving'. Normal interleaving directly corresponds to the asynchronous semantics of timed automata whereas parallelized interleaving allows parallelism of transitions causing no conflicts and thus can dramatically reduce the number of steps during verification. Parallelized interleaving is related to partial-order reduction (e.g. [27, 28] ) and path reduction [29] :
In contrast to partial-order reduction (e.g. [27, 28]) which reduces the number of states to be considered during model checking, parallelized interleaving does not avoid certain computation paths or states, but combines their traversal into one symbolic step and thus accelerates state space traversal. Consider a timed system TS composed from $n$ components $TA_1, \ldots, TA_n$ and suppose, for simplicity, that the local discrete transitions of the components are independent, i.e., they are neither related through read or write conflicts nor do they synchronise over actions. According to the semantics of the concurrent asynchronous system TS, a discrete step of TS consists of a discrete step of some component $TA_i$. For the concurrent execution of one discrete step per component, there are $n!$ different sequences and $2^n$ different states (one state for each subset of executed components). If the specification does not distinguish between these sequences, partial-order reduction can reduce the $n!$ sequences to one representative sequence consisting of $n$ transitions. Symbolic model checkers without partial-order reduction already compute a symbolic representation of all $2^n$ states visited on the $n!$ sequences by $n$ symbolic steps. Symbolic model checking with parallelized interleaving assumes that each component $TA_i$ may or may not take a transition, considers all possible combinations in parallel, and computes a symbolic representation for all these $2^n$ states by one single step. Of course, for the general case of components with dependencies we have to analyse which components may run in parallel without changing the semantics. Path reduction [29] provides an alternative possibility for mitigating negative effects of pure interleaving. Path reduction analyses components and replaces certain computation paths by single transitions. In that way, computation paths of components are compressed, leading to a reduced number of possible interleavings of different components.
Path reduction is orthogonal to our technique, since it preprocesses components, whereas parallelized interleaving improves the parallel execution of several components by combining computation paths resulting from different interleavings into one symbolic step.
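To make the step count argument of the preceding discussion concrete, here is an added example (written for this edit, not code from the paper or its prototype) that computes the reachable states of n components under pure interleaving and under parallelized interleaving and counts the image computations each needs. The model is constructed: every component has a single local discrete transition (a flag 0 → 1), and two components are assumed independent when they share no written variable and no read/write pair; synchronisation over actions is left out exactly as in the text's simplification. The example goes slightly beyond the independent case by also running a system with one read/write conflict, where only pairwise independent components are allowed to step together.

```python
from itertools import combinations

# Constructed model (not the paper's): one local discrete transition per
# component (flag 0 -> 1); a global state is the tuple of component flags.

class Component:
    def __init__(self, name, reads=(), writes=()):
        self.name, self.reads, self.writes = name, set(reads), set(writes)

def independent(c1, c2):
    """Assumed criterion: no write/write and no read/write conflict between
    the two components (synchronisation over actions is left out)."""
    return not (c1.writes & c2.writes or c1.writes & c2.reads or c1.reads & c2.writes)

def pure_interleaving_step(states, comps):
    """Asynchronous semantics: exactly one enabled component takes its step."""
    nxt = set()
    for s in states:
        for i in range(len(comps)):
            if s[i] == 0:
                nxt.add(s[:i] + (1,) + s[i + 1:])
    return nxt

def parallelized_step(states, comps):
    """Every non-empty set of pairwise independent enabled components steps at once,
    so all combinations are covered by a single image computation."""
    nxt = set()
    for s in states:
        enabled = [i for i in range(len(comps)) if s[i] == 0]
        for k in range(1, len(enabled) + 1):
            for subset in combinations(enabled, k):
                if all(independent(comps[i], comps[j]) for i, j in combinations(subset, 2)):
                    nxt.add(tuple(1 if i in subset else s[i] for i in range(len(comps))))
    return nxt

def reachable(step, comps):
    """Frontier-based fixpoint: returns (reachable states, number of image steps
    that produced new states)."""
    init = (0,) * len(comps)
    seen, frontier, steps = {init}, {init}, 0
    while True:
        new = step(frontier, comps) - seen
        if not new:
            return seen, steps
        seen |= new
        frontier = new
        steps += 1

def independent_components(n):
    return [Component(f"TA{i}") for i in range(1, n + 1)]

def conflicting_components():
    # TA1 writes v, TA2 reads v, TA3 touches nothing shared
    return [Component("TA1", writes={"v"}), Component("TA2", reads={"v"}), Component("TA3")]

if __name__ == "__main__":
    for comps in (independent_components(4), conflicting_components()):
        for step in (pure_interleaving_step, parallelized_step):
            states, steps = reachable(step, comps)
            print(f"{step.__name__:24s} n={len(comps)}: {len(states)} states in {steps} step(s)")
```

For four independent components both semantics reach the same 16 states, pure interleaving in 4 steps and parallelized interleaving in 1; with the read/write conflict between TA1 and TA2 the conflicting pair is serialised, so the 8 states need 2 parallelized steps instead of 1, still fewer than the 3 steps of pure interleaving.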
Our approach for verification of incomplete timed systems shares ideas with Modal Transition Systems (MTSs) [30, 31] (and their successors like Partial Kripke Structures (PKSs) [32] and Kripke Modal Transition Systems (KMTSs) [33]) which exhibit must- and may-transitions between states. In our context must-transitions are transitions between states that exist for all possible black box implementations. May-transitions are transitions that may exist for at least one possible black box implementation. In that sense our method is strongly related to 3-valued model checking [33] and its extensions using symbolic representations [34] [35] [36]. The approaches mentioned above were given for discrete systems, whereas we extend and adapt these ideas to timed systems and properties in TCTL (Timed Computation Tree Logic) [14] [15] [16].
The module checking problem [37] may be seen as a validity problem ('is a given property satisfied for all possible replacements of the black box') confined to a single black box (which models the environment behaviour). Kupferman, Vardi and Wolper use tree automata techniques to solve the module checking problem for discrete systems specified by branching time properties (CTL, CTL*) [37] .
The realisability problem ('does a replacement of the black box exist, so that a given property is satisfied?') is strongly connected to the controller synthesis problem [38, 39] , where a system interacts with an unknown controller. In the real-time domain the controller synthesis problem is modelled as a timed two-player game [40] [41] [42] , where the controller (black box) tries to satisfy a safety property and plays against the white box (who tries to violate it).
These approaches with their 'classical notion' of controller synthesis give the controller more power than the system, in the sense that each transition belonging to the controller (1) is urgent and (2) has a higher priority than other transitions. In our model we consider the black box and the white box as parts of the system with equal rights, such that (1) there is urgent and non-urgent communication between the white box and the black box and (2) transitions synchronising with the black box have the same priority as other transitions. Thus, the black box is a regular component of the system. By Fig. 3 we illustrate that controller synthesis approaches are not able to decide the realisability question for safety properties as defined in our context. The figure shows a small white box with an initial location $l_0$, two additional locations and two transitions, one labelled with a non-urgent synchronisation action $a$. We consider the property $l_2 \vee (l_0 \wedge (x = 1))$ as unsafe and the task is to implement the black box in such a way that no unsafe state can be reached. The interface between the white box and the black box is given by the non-urgent synchronisation action $a$. Since (1) the synchronisation action $a$ is non-urgent and (2) the transition synchronising with the black box does not have a higher priority, it is not possible to define such an implementation for the black box. Even if the black box is always in a location with an enabled outgoing transition labelled by $a$, the white box can choose to take the discrete transition leading to $l_2$ (which is an unsafe state) as both transitions in the system have the same priority. Additionally, if the white box does not take any discrete transition and stays in $l_0$, the black box cannot stop time evolution and the unsafe state $(l_0 \wedge (x = 1))$ will be reached, since the synchronisation action $a$ is non-urgent and thus time is allowed to pass even if the transition synchronising over $a$ is enabled.
However, the mentioned controller synthesis approaches (where transitions belonging to the controller are urgent and have a higher priority than other transitions) lead to the result that the controller can prevent the system from reaching an unsafe state, i.e., it is possible to replace the black box by a controller such that the system is forced to take the discrete transition leading to $l_1$ before $x = 1$. This shows that our approach may prove unrealisability in cases where controller synthesis classifies the problem as realisable. Another example for such a case is given by the benchmark 'arbiter error' considered in Section 10, where, in contrast to our TCTL model checking algorithm, 'classical' controller synthesis cannot identify the error (by proving unrealisability).
Additionally, whereas existing controller synthesis tools like Uppaal-Tiga [40] consider only reachability of safety properties, our algorithm goes beyond and is able to handle full TCTL properties.
Finite state machine with time
Finite state machines with time (FSMT) [1] are a formal model to represent real-time systems, and are especially suited for being represented symbolically. An FSMT is an extension of finite state machines by real-valued clock variables. FSMTs have an elegant definition of parallel composition (where communication is performed by reading each other's state variables, shared input variables and shared clocks). In contrast to timed automata where parallel composition may lead to a blowup in the number of locations, the parallel composition of FSMTs just needs linear space due to the symbolic representation. Later on, we will present a fully symbolic model checking algorithm for complete and incomplete FSMTs and a translation from timed automata into FSMTs. Since systems of FSMTs have a synchronous semantics, it is possible to translate timed automata using a 'parallelized interleaving' semantics which accelerates the standard asynchronous execution of timed automata by allowing parallelism of transitions causing no conflicts.
Let X := {x 1 , . . . , x n } be the set of real-valued clock variables, Y := {y 1 , . . . , y l } a set of (boolean) state variables, I := {i 1 , . . . , i h } a set of (boolean) input variables. Let C b (X) be the set of arbitrary boolean combinations of clock constraints and C b (X, Y ) be the set of arbitrary boolean combinations of clock constraints and state variables (similarly for C b (X, Y , I)).
l , namely the set of all valuations of variables in X and Y which evaluate c to true. An FSMT is defined as follows:
Definition 6 (FSMT). A Finite State Machine with Time (FSMT) is a tuple
are reset functions, and urgent : {0, 
2 } with the corresponding reset conditions reset 
The parallel composition of the two FSMTs (dashed lines in Fig. 4 ) will be shown in Example 2.
n of an FSMT includes a valuation γ of the state variables, which is also called location, and a valuation η of the clock variables. Trajectories of an FSMT always start in states satisfying init. An FSMT may perform discrete steps which are defined by transition functions δ i based on the valuations of clocks, state variables, and inputs. When performing a discrete step, a clock x i is reset to 0 iff reset x i evaluates to 1. Moreover, an FSMT may perform continuous steps (or time steps) where it stays in the same location and lets time pass. This means that all clocks may be increased by the same constant as long as urgent evaluates to false. More formally, the semantics of FSMTs is defined as follows:
Definition 7 (Semantics of an FSMT). Let
• There is a continuous transition from state
and ∀ 0 ≤ λ′ < λ it holds that for all valuations ι of the input variables, in each state s′ = (γ, η + λ′), the predicate urgent evaluates to false.
• There is a discrete transition from state 
• 
Y (i) ) be a mapping for the inputs of components F 1 , . . . , F p , and let I = {i 1 , . . . , i h } be the set of (global) inputs. Then the composition of
Example 2 (System of FSMTs).
In Example 1 we have seen the two FSMTs F 1 and F 2 from Fig. 4. In this example we will see the parallel composition of these two FSMTs, illustrated by dashed lines in Fig. 4. The system of the two FSMTs has one global input variable i 1 1 of F 1, i.e., the two FSMTs read a shared input variable and communicate by reading each other's state variables. In the example the two sets of clock variables X (1) and X (2) are disjoint.
Pure interleaving vs. parallelized interleaving
In this section we prepare the translation of timed automata into FSMTs by proposing two options for handling discrete steps of several components. In contrast to the normal interleaving semantics (i.e. asynchronous semantics) of timed automata, FSMTs have a synchronous semantics, such that in each discrete step each component takes a transition. This allows us to give a symbolic representation of an FSMT simulating a 'parallelized interleaving' behaviour [1], which allows parallelism of conflict-free discrete transitions. In parallelized interleaving, a single discrete step may have the same effect as a series of discrete steps according to the standard interleaving semantics. In fact, we add "shortcuts" of successive discrete steps to the set of behaviours; however, the original discrete steps still exist as non-deterministic alternatives in the parallelized interleaving model. Since the TCTL syntax (Section 2.2) does not include any operator reasoning about the number of discrete steps, combining several discrete steps into one does not change the truth of any TCTL formula. In combination with a symbolic computation where several alternatives are followed in a single step, parallelized interleaving behaviour can dramatically reduce the number of computation steps during verification compared to 'pure interleaving' behaviour.
Discrete transitions are independent (conflict-free) if the execution of one transition does not influence the execution of the others. In the following, we describe potential conflicts which affect the independence of transitions in timed systems:
1. Using parallelized interleaving semantics, read/write-conflicts on clock variables can occur when a clock is reset on one transition and read by another transition. Consider the timed system shown in Fig. 5(a), which consists of the timed automata TA 1 and TA 2. Allowing parallel execution of transitions, the state
by taking the transitions from l 0 to l 1 and from l 2 to l 3. However, according to interleaving semantics, this state is unreachable. Taking the transition from l 0 to l 1 in TA 1, the clock variable x 2 is reset and will never take a value greater than 1. Thus, TA 2 will never be able to take the transition from l 2 to l 3 and stays in its initial location forever. Taking the transition from l 2 to l 3 in TA 2 leads to an analogous behaviour. Thus, for transitions with read/write-conflicts on clocks, parallelized interleaving behaviour is not allowed.
2. A similar read/write-conflict may occur for integer variables. Fig. 5(b) shows an example of this kind of conflict. In TA 3, the integer variable i is read and the integer variable j is updated when taking the discrete transition. The same holds for TA 4 with i and j switched. State s = l 1 , l 3 is not reachable when using interleaving semantics; however, by taking both transitions in parallel, state s can be reached.
3. It is clear that transitions causing a write/write-conflict on integers must not be taken in parallel.
Write/write-conflicts on clock variables do not exist, as clock variables can only be reset to 0, and thus no concurrent writing of different values to the same clock variable is possible. Transitions without any of the conflicts described above are independent, and parallelized interleaving behaviour is allowed for them.
From complete timed automata into complete FSMTs
In order to be able to verify systems of timed automata using our framework, we show how to convert a timed system into a system of FSMTs simulating either pure interleaving semantics or parallelized interleaving semantics. The main advantage of converting timed automata into FSMTs is the use of the parallel composition of FSMTs which (due to symbolic representations) does not lead to a potential blow-up, in contrast to the direct composition of timed automata. Our experimental results in Section 10 show that we definitely profit from the translation of moderate-sized timed automata into FSMTs which are then composed using FSMT composition. We show the translation using the timed system presented in Fig. 6, consisting of two automata communicating via a shared integer variable int and an urgent synchronisation action a u. Transitions i are labelled by the guards g i. More detailed information about the translation can be found in Appendix A. The first steps (Section 6.1) are the same for both methods of translation. In Section 6.2, we show how to compute an FSMT simulating the pure interleaving behaviour of timed systems. FSMTs simulating parallelized interleaving behaviour are computed in Section 6.3. The motivation for the parallelized interleaving variant is an accelerated state space traversal.
First steps of translation
In a first step, we use boolean state variables (the location bits) to logarithmically encode the locations of the timed automata. The sets of location bits of two different timed automata are disjoint, and for an automaton TA q with l different locations we need l q = log(l) different location bits. To encode the locations of the timed automata shown in Fig. 6, we need two different location bits y 0 and y 1, one location bit per component. Location l 0 is encoded with ¬y 0, l 1 with y 0, and the locations s 0 and s 1 are encoded with ¬y 1 and y 1, respectively.
The integer variables of the timed system are replaced by a binary encoding using boolean state variables (the integer bits). As the bounds of the integer variables are known, the number of integer bits required to represent the integers is known as well.
In order to make things easier in the following sections, each guard is extended by the state variable encoding of the source of its respective transition. The resulting new guards in our example will be g
Modifications for pure interleaving behaviour
In order to produce FSMTs simulating pure interleaving behaviour, it has to be ensured that at any time only one timed automaton may take a non-synchronising transition while the others remain in their current location. Non-synchronising transitions of different timed automata must not be enabled at the same time. For this, we assign a unique encoding of new input variables to each component and add this assignment to the guards of the non-synchronising transitions of the respective component. Since our example includes only two components, we need one new input variable i 0 and extend the guards g
FSMTs consist of deterministic transition functions, and thus we have to exclude non-deterministic behaviour (as allowed for timed automata). When more than one transition is enabled in a timed automaton at the same time, it is chosen non-deterministically which one is taken. To establish determinism for FSMTs we add different assignments of new input variables to the non-disjoint guards of transitions with the same source. These input variables must not be shared among different automata. The question of how many additional input variables are needed in order to make guards disjoint is reduced to a colouring problem. 6 In the example assume that there is a non-determinism in location s 0, i.e. g
This non-determinism is solved by using a new input variable i 1 to extend the non-disjoint guards to g
In order to allow synchronisation without actions in the FSMT, we have to guarantee that transitions labelled with the same synchronisation action are enabled at the same time while all other transitions are disabled. To ensure that synchronising transitions are enabled at the same time, their guards have to be equal. For this, their guards are replaced by a conjunction of the respective guards. In our example we replace both the guards g , whereas the guards of non-synchronising transitions do not change.
To ensure that during the synchronisation only the synchronising components are allowed to take a transition, we add a disjunction of the unique encodings of input variables, previously assigned to the components in order to establish interleaving behaviour, to the guards of the synchronising transitions. As our example consists of only two components and we used the encodings i 0 and ¬i 0, the resulting disjunction is i 0 ∨ ¬i 0 = true. Adding true to a guard will not change it, of course. In the following
Since for an FSMT we have to define transition functions, we have to avoid the case that there is a state in which no transition into a successor state is enabled. For this reason we introduce a self loop to every location in the system. This self loop gets as its guard the conjunction of the negated guards of all outgoing transitions; thus the self loop of a location is enabled whenever no other outgoing transition is enabled. Additionally, we add the encoding of the source location of the self loop to its guard. In the example we add a self loop guarded by g
4 For simplicity we omit technical details due to unused codes in the integer representation.
5 We use the notation g k i for the k-th modification of the guard of transition i.
6 For more details, see Section A.2.
After these transformations we can build the transition functions, reset conditions and urgency predicate to get an FSMT representation of the timed system with pure interleaving behaviour. This is shown in Section 6.4.
Modifications for parallelized interleaving behaviour
In the previous section we have seen which modifications have to be made to convert a timed system into an FSMT simulating pure interleaving behaviour. In this section, we will show the modifications needed to get an FSMT with parallelized interleaving behaviour. We will demonstrate the translation using the example from Fig. 6 and assume that the first steps (Section 6.1) have already been computed, resulting in the guards g 1 i (containing the encoding of the source state) 7 for all i ∈ {1, 2, 3, 4}. Detailed information can be found in Section A.3.
In a parallelized interleaving run there may be conflicts caused by assignments to integer variables (see Section 5). To avoid such a problem we add different assignments of new input variables to the guards of transitions causing conflicts and thus force the timed system to simulate an interleaving behaviour for such transitions. The system from ). Similar conflicts can also occur due to simultaneous reading and writing of integer variables or due to resets of clock variables (see Section 5). These conflicts are solved similarly by forcing the system to an interleaving behaviour for these transitions (see Section A.3).
Parallelized interleaving is introduced to accelerate model checking runs by reaching certain states faster. But of course, we should not lose intermediate states of interleaved executions. For that reason we give each component the non-deterministic choice to stay in its current location during a discrete step. For this we introduce a self loop with guard true to every location in the automata. As in Section 6.1 we add the source location encoding to the guard of these new self loops. By taking this transition the automaton does not leave the current location and does not make any assignments to clocks or integer variables. Then, to introduce determinism we make the same modifications using input variables as we have done for pure interleaving behaviour in Section 6.2. In the example, apart from the already existing non-determinism in s 0, we have introduced a non-determinism in the locations l 0 and l 1 as well due to the new self loops. Since the sets of input variables used to ensure determinism in different components have to be disjoint, we need three new input variables i 1 (used in TA 0) and i 2, i 3 (used in TA 1). To remove the non-determinism in l 0 the previously introduced self loop gets the new guard g 3 5 = ¬y 0 ∧ i 1 and the guard g 2 1 is replaced by g 3 1 = g
The synchronisation is handled in a similar way as we have seen in Section 6.2 for pure interleaving behaviour. The components in the system synchronise by reading each other's state bits and inputs. In the example we compute the new guard g sync = g
for all i ∈ {2, 3, 5, 6, 7, 8}.
Note that, we do not have to add any constraint to guarantee that all non-synchronising automata remain in their current location (as done in Section 6.2) since here we allow parallelism. The guards of all non-synchronising transitions remain unchanged.
The modifications to ensure completeness of the transition functions of the resulting FSMTs are the same as in Section 6.2. Thus, a new self loop guarded by the conjunction of the negated guards of all outgoing transitions combined with the
The resulting system is deterministic and has a parallelized interleaving behaviour. In the following section we show how to compute the FSMT including transition functions and reset conditions.
Computation of a symbolic representation
The set of clock variables X of the FSMT is identical to the set of clock variables in the underlying timed system. The set of state variables Y includes the variables used for location encoding and for integer encoding; in our example we assume that we have only one clock x, i.e. X = {x}, and Y = {y 0 , y 1 , y 2 }. In the pure interleaving case, the input variables I contain the variables used to ensure interleaving behaviour and the variables resolving non-determinism, e.g. I = {i 0 , i 1 } (see Section 6.2). In the parallelized interleaving case, the input variables consist of the variables solving conflicts on integer and clock variables and the variables guaranteeing determinism, e.g.
Based on the guards computed in Section 6.2 (for the pure interleaving case) or in Section 6.3 (for the parallelized interleaving case) it is easy to compute the transition functions for the location bits. We show how to compute the transition functions and reset conditions for the pure interleaving case, the parallelized interleaving case is computed analogously.
After the modifications of Section 6.2 we have eight different guards, four of them {g
The transition function δ j determines when the location bit y j in the modified automaton is set to true. It is computed as a disjunction over the modified guards of all transitions leading to a state in which location bit y j is set to 1 in the encoding. In our example, location bit y 0 is set to true in l 1; thus we have to consider all transitions leading to l 1 (including the self loops introduced during translation). These are the transition leading from l 0 to l 1 guarded by g
The transition function for y 1 is defined as δ 1
Some state variables have been used to encode integer variables in the timed system (e.g. int has been encoded with y 2), and we need a transition function δ j which defines the value to which an integer bit y j is updated. When taking a transition, an integer is assigned an arbitrary arithmetic expression over integer variables and integer constants, or it remains unchanged. Thus, we have to consider all transitions with assignments to the integer bit y j and compute the conjunction of their guards with the arithmetic expression computing integer bit y j. Note that on each transition without an assignment to y j the valuation of y j has to remain unchanged, i.e., for transitions without an assignment to y j we compute the conjunction of their guards with y j. Then we compute a disjunction over all those conjunctions. In our example the integer bit y 2 is updated to 0 on the transition from l 1 to l 0 guarded by g 5 2 and to 1 on the non-synchronising transition from s 0 to s 1 guarded by g 5 3, such that δ 2 = (g
Besides the transition functions we need reset conditions which indicate when the clock variables are reset. The reset condition reset x of a clock x is computed as a disjunction over the modified guards of all transitions performing a reset on x. E.g., the only clock variable x is reset once, on the synchronising transition from l 0 to l 1 labelled with the guard g
The predicate init describing the initial states is a conjunction of the encodings of the initial states in the system, constraints setting the clock valuation to 0, and the encoding of the integer valuations setting all integers to their lower bounds, e.g., init = ¬y 0 ∧ ¬y 1 ∧ ¬y 2 ∧ (x = 0). Finally, we compute the urgent predicate, which is a conjunction of the extended guards of urgent transitions. In our case we only have one urgent synchronisation, such that urgent = g
All components together provide a fully symbolic representation of the corresponding FSMT. Our model checking algorithm uses this representation to perform fully symbolic model checking.
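The construction of Section 6.4 carried out in code, as an added example that is not part of the paper or its tool: the transitions of a small two-component system in the spirit of Fig. 6 (constructed here, not the figure's exact guards) are given with their modified guards, self loops are added per location, and the transition functions δ j, the reset condition reset x, init and urgent are assembled as described above. Predicates are plain Python functions standing in for LinAIG predicates. The names (Transition, with_self_loops, build_fsmt, exactly_one_enabled, run) are ours; the rule that an integer bit keeps its value exactly when no transition writing it is enabled is our reading of the "unchanged" case.

```python
"""Added example: assembling the symbolic FSMT representation of Section 6.4
for a constructed two-component pure-interleaving system. Not the paper's code."""
from itertools import product
from typing import Callable, Dict, List, NamedTuple

Val = Dict[str, object]          # valuation of state bits, input bits and the clock x
Pred = Callable[[Val], bool]     # a predicate, here simply a Python function

STATE_BITS = ["y0", "y1", "y2"]  # y0 <-> l1, y1 <-> s1, y2 = the single bit of int
INPUT_BITS = ["i0", "i1"]        # i0: interleaving code; i1: resolves non-determinism in s0


class Transition(NamedTuple):
    name: str
    component: str            # "TA0" or "TA1"
    source: str               # source location
    guard: Pred               # guard after the modifications of Section 6.2
    enters: Dict[str, bool]   # location bits of the target location
    writes: Dict[str, bool]   # integer bits assigned a constant (constructed: only 0 / 1)
    resets: List[str]         # clocks reset to 0
    urgent: bool


ENC = {  # location -> (component, encoding predicate, location bits of the encoding)
    "l0": ("TA0", lambda v: not v["y0"], {"y0": False}),
    "l1": ("TA0", lambda v: v["y0"], {"y0": True}),
    "s0": ("TA1", lambda v: not v["y1"], {"y1": False}),
    "s1": ("TA1", lambda v: v["y1"], {"y1": True}),
}


# Constructed guards. t1 (l0 -> l1) and t4 (s0 -> s1) synchronise, so both carry the
# conjoined guard g_sync; t3 competes with t4 in s0 and is separated from it by i1;
# the non-synchronising t2 / t3 carry the interleaving codes i0 / not i0.
def g_sync(v): return not v["y0"] and not v["y1"] and v["x"] <= 2 and not v["i1"]
def g2(v): return v["y0"] and v["i0"] and v["x"] >= 1
def g3(v): return not v["y1"] and not v["i0"] and v["x"] <= 2 and v["i1"]


TRANSITIONS = [
    Transition("t1", "TA0", "l0", g_sync, {"y0": True}, {}, ["x"], True),
    Transition("t2", "TA0", "l1", g2, {"y0": False}, {"y2": False}, [], False),
    Transition("t3", "TA1", "s0", g3, {"y1": True}, {"y2": True}, [], False),
    Transition("t4", "TA1", "s0", g_sync, {"y1": True}, {}, [], True),
]


def or_all(preds: List[Pred]) -> Pred:
    return lambda v: any(p(v) for p in preds)


def with_self_loops(ts: List[Transition]) -> List[Transition]:
    """Give every location a self loop guarded by its encoding and the conjunction
    of the negated guards of its outgoing transitions (Section 6.2)."""
    out = list(ts)
    for loc, (comp, enc, bits) in ENC.items():
        outgoing = [t.guard for t in ts if t.source == loc]
        guard = lambda v, enc=enc, outgoing=outgoing: enc(v) and not any(g(v) for g in outgoing)
        out.append(Transition("self_" + loc, comp, loc, guard, bits, {}, [], False))
    return out


def build_fsmt(ts: List[Transition]):
    """Return (delta, reset, init, urgent) as dictionaries / predicates."""
    delta: Dict[str, Pred] = {}
    for bit in ("y0", "y1"):   # location bits: disjunction of the guards entering bit = 1
        delta[bit] = or_all([t.guard for t in ts if t.enters.get(bit) is True])
    writers = [t for t in ts if "y2" in t.writes]
    set_one = or_all([t.guard for t in writers if t.writes["y2"]])
    no_writer = lambda v: not any(t.guard(v) for t in writers)
    delta["y2"] = lambda v: set_one(v) or (no_writer(v) and v["y2"])  # our reading: unchanged
    reset = {"x": or_all([t.guard for t in ts if "x" in t.resets])}   # if no writer fires
    init = lambda v: not v["y0"] and not v["y1"] and not v["y2"] and v["x"] == 0
    urgent_guards = [t.guard for t in ts if t.urgent]
    urgent = lambda v: bool(urgent_guards) and all(g(v) for g in urgent_guards)
    return delta, reset, init, urgent


def discrete_step(v: Val, delta, reset) -> Val:
    """One synchronous discrete step: every state bit follows its transition
    function; x becomes 0 iff reset_x holds, otherwise it keeps its value."""
    nxt = {b: delta[b](v) for b in STATE_BITS}
    nxt["x"] = 0.0 if reset["x"](v) else v["x"]
    return nxt


def exactly_one_enabled(ts: List[Transition], clock_samples=(0, 0.5, 1, 1.5, 2, 2.5, 3)) -> bool:
    """Determinism and completeness check: in every valuation (inputs and sampled
    clock values included) each component has exactly one enabled transition."""
    for bits in product([False, True], repeat=len(STATE_BITS) + len(INPUT_BITS)):
        for x in clock_samples:
            v = dict(zip(STATE_BITS + INPUT_BITS, bits), x=x)
            for comp in ("TA0", "TA1"):
                if sum(t.guard(v) for t in ts if t.component == comp) != 1:
                    return False
    return True


FSMT_TRANSITIONS = with_self_loops(TRANSITIONS)
DELTA, RESET, INIT, URGENT = build_fsmt(FSMT_TRANSITIONS)


def run(inputs: List[Dict[str, bool]], x0: float = 0.0) -> Val:
    """Start in the initial location (clock value x0) and apply the given input
    sequence as discrete steps only (no time steps)."""
    v = {"y0": False, "y1": False, "y2": False, "x": x0}
    for inp in inputs:
        v = discrete_step({**v, **inp}, DELTA, RESET)
    return v
```

The check `exactly_one_enabled` is the property the input-variable colouring of Section 6.2 must establish: once the self loops are added, the guards of each component partition every valuation, so the disjunctions defining δ j are functions rather than relations.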
Transformation of TCTL formulas
Note that the syntax of TCTL formulas for FSMTs with a set X of clock variables and Y of boolean state variables is defined according to the following grammar: 
Algorithm 1 (listing not recoverable from the extracted text; only its last line, "10: end switch", survives)
with y i ∈ Y , cc ∈ C(X) being an atomic clock constraint, and ϕ ::= U J . TCTL formulas for TAs according to Section 2.2 have to be translated in a straightforward manner: An atomic proposition ap in a TCTL formula is replaced by a disjunction of all encodings of locations which are labelled by ap. 8 In the same way, integer constraints ic are replaced by formulas over integer bits.
TCTL model checking for complete real-time systems
TCTL model checking for complete timed systems is based on the computation of a set Sat( ) 9 of all states satisfying a TCTL formula , followed by checking whether all initial states are included in this set.
Eliminating the timing parameter in TCTL formulas
A TCTL path formula with J = [0, ∞) may be considered as a CTL formula and can be verified using normal CTL model checking algorithms. Any other interval J ≠ [0, ∞) in a TCTL formula can be transformed into an interval J′ = [0, ∞). For J ≠ [0, ∞) a new clock variable x new is introduced which is used neither in the timed automaton nor in the formula.
The variable x new is used to measure the elapsed time until a certain property holds. In [16] it is shown that the TCTL path 
Model checking algorithm
Now that the timing parameter can be eliminated in TCTL formulas, we can define a model checking algorithm for a given FSMT and a given TCTL formula. Algorithm 1 uses a recursive method to compute for all subformulas the sets of states Sat( ) in which the subformula is satisfied (similar to CTL model checking). The computation of Sat( ) for true, a state variable y i or a clock constraint cc is clear. The computation of negation and conjunction is straightforward. As seen before (Section 7.1), the computation of the TCTL formula EU J can be reduced to the computation of a CTL formula EU by introducing a new clock x new. The computation of E( 1 U J 2 ) is a fixed point iteration which starts from Sat((x new ∈ J) ∧ 2) and iteratively adds all predecessor states which are in Sat( 1 ∨ 2). The predecessor computation is done by a special operator Pre which computes for a state set S the set of all states s with s → s′, s′ ∈ S. After a fixed point has been reached
All computed state sets are represented by LinAIGs (see Section 2.3) in our implementation, i.e., by a single symbolic data structure representing both the discrete and the continuous part of the state space. Note that especially for the computation of negation and intersection (Lines 7 and 8 of Algorithm 1) we profit from the fact that both can be computed efficiently using LinAIGs. In contrast, negation and intersection are rather expensive for semi-symbolic representations where the continuous part is represented by unions of convex clock zones, as in [11, 20]. This is the reason why model checkers based on unions of convex clock zones usually do not support full TCTL.
Sat(E(
The computation of the predecessor state set Pre( ) consists of a continuous step (Pre c ( )) and a discrete step (Pre d ( )) and will be described in Sections 7.3 and 7.4. For the computation of Pre we use efficient implementations of substitution and existential quantification of boolean as well as real-valued variables in the LinAIG data structure.
Remark 2. According to the semantics of TCTL (see Section 2.2), Eϕ holds in a state s iff there exists a time-divergent path which starts in s and satisfies the path formula ϕ. The presented algorithm for TCTL model checking is therefore only correct for so-called timelock-free FSMTs. For FSMTs with timelocks, it may be the case that the computation of E(ψ 1 Uψ 2 ) is based on a timelock state in Sat(ψ 2 ) which is not the origin of any time-divergent path. In the following we assume timelock-free FSMTs. For proving timelock freedom there are two options: (1) One possibility for (small) timed automata is proving sufficient conditions by analysing cycles in the TA. Timelock freedom is then preserved by parallel composition, see e.g. [16]. (2) Fortunately, our model checking algorithm is able to prove timelock freedom by checking the formula TL = AG(EF {=1} true). Note that according to the TCTL semantics AG(EF {=1} true) is a tautology, but our algorithm returns true if and only if the system is timelock-free.
8 Remember that encodings of locations are conjunctions of location bits or their negations.
9 If clear from the context, we do not always differentiate between sets like Sat( ) and the predicates describing these sets.
Pre c ( ): continuous step of Pre( )
Let be a state set of our model checking algorithm. Then the state set reachable by a (backward) continuous step (letting time pass) can be described by
To enhance the readability of the formulas, we abbreviate x 1 , . . . , x n by x, y 1 , . . . , y l by y and i 1 , . . . , i h by i. Let x + λ be the abbreviation for (x 1 + λ, . . . , x n + λ) for a scalar λ.
Lemma 2 (State set Pre c ( )). Pre c ( )( x, y) contains exactly those states from which ( x, y) is reachable by a continuous transition in the FSMT.

Proof. (Sketch) Lemma 2 follows directly from the semantics of the continuous step of FSMTs (Definition 7). The first line of Equation (1) asserts that time evolution from state ( x, y) to state ( x + λ, y) is not interrupted by any urgent discrete transition which is enabled for some state ( x + λ′, y) with 0 ≤ λ′ < λ. The predicate urgent determines when an urgent transition is enabled. □
Pre d ( ): discrete step of Pre( )
Consider a clock constraint of the form x i − x j ∼ d with x i , x j ∈ X, ∼ ∈ {<, ≤, =, ≥, >} and d ∈ Q. There are only four possible cases in which a clock constraint can be changed due to resets executed during a transition: (1) x i and x j are reset, (2) only x i is reset, (3) only x j is reset, or (4) none of the clock variables in the constraint is reset. We use the reset conditions reset x i to determine when a clock variable x i is reset. The substitution for each clock constraint of the form
The second part of the discrete step is a quantification of the boolean input variables i in .
Lemma 3 (State set Pre d ( )). Pre d ( )( x, y) contains exactly those states from which ( x, y) is reachable by a discrete transition in the FSMT.
Proof. (Sketch) Lemma 3 follows directly from the semantics of the discrete step of FSMTs (Definition 7). The substitution of the state variables by the corresponding transition functions (Equation (2)) and the quantification of the input variables (Equation (4)) represent the change of locations through discrete transitions. The resets on discrete transitions are represented by the substitution of the clock constraints according to Equation (3). □
G. Morbé, C. Scholl / Science of Computer Programming
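The backward algorithm of Sections 7.2 to 7.4 in explicit form, as an added example that is neither the paper's implementation nor part of its tool: clocks take integer values 0..M instead of reals, state sets are Python sets instead of LinAIGs, and Pre c, Pre d and the fixed point for E(ψ 1 U ψ 2) are written out directly. The toy FSMT (delta, urgent), the clock bound M and the function names are ours; Pre is taken as the union of the continuous and the discrete predecessors, and the states traversed by a time step are checked against ψ 1 ∨ ψ 2 explicitly, which the symbolic formulation leaves to the semantics of the continuous step.

```python
"""Added example (not the paper's implementation): an explicit-state,
integer-time rendering of the backward TCTL algorithm of Sections 7.2 to 7.4."""
from typing import Callable, FrozenSet, Set, Tuple

M = 3                                   # constructed clock bound: x ranges over 0..M
Loc = Tuple[bool, bool]                 # (y0, y1)
State = Tuple[Loc, int]                 # (location bits, value of the single clock x)
A, B, C, D = (False, False), (True, False), (False, True), (True, True)
Pred = Callable[[State], bool]


def delta(loc: Loc, i0: bool, x: int) -> Tuple[Loc, bool]:
    """Constructed deterministic transition function of a toy FSMT with one input
    bit i0; returns (next location bits, reset_x). Every location has an implicit
    self loop, as produced by the translation of Section 6."""
    if loc == A and i0 and x >= 1:
        return B, True                  # A -> B, x := 0
    if loc == B and x >= 2:
        return C, False                 # B -> C, x keeps its value
    return loc, False                   # self loop


def urgent(loc: Loc, x: int, i0: bool) -> bool:
    """Urgency predicate: time may not pass in B once x == 2, which forces the
    B -> C step at exactly x == 2 (the toy's only urgent transition)."""
    return loc == B and x == 2


ALL_STATES: FrozenSet[State] = frozenset(
    (loc, x) for loc in (A, B, C, D) for x in range(M + 1))


def pre_c(S: Set[State], ok: Pred = lambda s: True) -> Set[State]:
    """Pre_c: states (loc, x) from which some (loc, x') in S, x' >= x, is reached
    by letting time pass. As in Definition 7, no input may make urgent true at an
    intermediate value x <= x'' < x'; in addition every traversed state must
    satisfy ok (sat_EU passes psi1 or psi2 here)."""
    result: Set[State] = set()
    for loc, x in ALL_STATES:
        for x2 in range(x, M + 1):
            if (loc, x2) not in S:
                continue
            traversed = [(loc, v) for v in range(x, x2)]     # strictly before x'
            if all(ok(s) for s in traversed) and not any(
                    urgent(loc, v, i0) for (_, v) in traversed for i0 in (False, True)):
                result.add((loc, x))
                break
    return result


def pre_d(S: Set[State]) -> Set[State]:
    """Pre_d: states from which some input leads by delta, with the reset applied,
    into S (the explicit counterpart of substituting the transition functions and
    reset conditions and quantifying the inputs)."""
    result: Set[State] = set()
    for loc, x in ALL_STATES:
        for i0 in (False, True):
            nloc, reset = delta(loc, i0, x)
            if (nloc, 0 if reset else x) in S:
                result.add((loc, x))
                break
    return result


def sat_EU(psi1: Pred, psi2: Pred) -> Set[State]:
    """Least fixed point for E(psi1 U psi2) as in Algorithm 1: start from Sat(psi2)
    and add predecessors (Pre = Pre_c or Pre_d) lying in Sat(psi1 or psi2) until
    nothing changes."""
    ok = lambda s: psi1(s) or psi2(s)
    sat = {s for s in ALL_STATES if psi2(s)}
    while True:
        new = {s for s in pre_c(sat, ok) | pre_d(sat) if ok(s)}
        if new <= sat:
            return sat
        sat |= new


def sat_EF(phi: Pred) -> Set[State]:
    """EF phi = E(true U phi)."""
    return sat_EU(lambda s: True, phi)
```

Two things are visible in this form that the text states abstractly: `pre_c` never lets time pass across the urgent state (B, 2), so no state of B with x < 3 is a continuous predecessor of (B, 3), while every state of C is a continuous predecessor of (C, 3); and for ψ 1 = (x ≤ 2), ψ 2 = C, the fixed point excludes (A, 3) and (B, 3), where ψ 1 already fails, although both can reach C.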
Incomplete real-time systems
When the overall design is not finished yet, or a system is too large to be verified in its entirety, we consider incomplete real-time systems which contain unknown components, called black boxes. The system includes several components which are known in detail (white box) and an interface to the black boxes. In this scenario the black box has a similar role to the environment when considering open systems. However, in contrast to an abstract 'environment' which enables or disables transitions synchronising with the environment, black boxes represent unknown component timed automata, and we look into the questions of realisability and validity.
Remark 3. Note that we do not allow communication via shared clock variables in the following, i.e., we assume local clock variables of the white box and the black box components. In particular, clock variables which are reset in the black box, are not allowed to be read in the guards of the white box components. This is justified by the realistic assumption that only discrete information may be transferred from one component to another. In the following we begin with the definition of incomplete timed systems and then define incomplete FSMTs.
Remark 4. Furthermore, we restrict our consideration to timelock-free black boxes that cannot enable infinitely many non-synchronising urgent transitions during a finite amount of time.
We call those black boxes 'timelock-free non-Zeno black boxes'. Other black boxes are not interesting for us, because they can stop time evolution without any interaction with the white box components and thus do not model a realistic system behaviour.
Incomplete timed system
An incomplete timed system [2] which contains several unknown components uses different types of communication channels between the black box and the white box:
• Let Int BB be a set of shared bounded integer variables which can be read and updated by the complete system, including black box and white box. Integers from Int BB are used to pass numerical values, within the integer bounds, from one component to another. When updated by the black box the value of these integers is unknown.
• Non-urgent actions from Act BB nu synchronise the black box with the white box. Since the details of the black box implementation are unknown, the particular time of synchronisation is unclear. This gives the black box the power of enabling and disabling synchronising transitions in the white box.
• Urgent actions from Act BB u synchronise the black box with the white box via urgent transitions. By synchronising over an urgent action the black box stops time evolution, and thus the black box can influence both the discrete and the timing behaviour of the system. Remember that parallel composition of different components is done according to Definition 4.
Example 3. Fig. 7 shows an incomplete timed system with a black box which communicates with the white box via the shared integer i and the non-urgent and urgent synchronisation actions a and a u . By sending or not sending the action a the black box can enable or disable the transition from l 2 to l 0 . When the white box is located in location l 1 , the black box can enable the transition from l 1 to l 2 by sending the urgent action a u , however, by doing so, time evolution is blocked and the transition has to be taken without any delay.
Incomplete FSMT
An incomplete FSMT [2] is a fully symbolic representation of incomplete real-time systems. Just as incomplete timed systems, an incomplete FSMT consists of several known components (white box), several unknown components (black box), and an interface of the black box with the white box.
FSMTs do not contain any integers or synchronisation actions and communicate by reading each other's state variables; thus the interface of the black box with the white box consists of state bits which can be written by the black box. In Section 9.1 we will see how to translate an incomplete timed system into an incomplete FSMT, which can be verified by our model checking algorithms.
TCTL model checking for incomplete real-time systems
TCTL model checking for complete timed systems consists of the computation of Sat( ) and a check of whether all initial states are included in this set. The situation becomes more complex if we consider incomplete timed systems, since for each implementation of the black box we may have different state sets satisfying .
Modelling incomplete systems
More precisely, we begin with a sketch of how to extend the translation of timed automata into FSMTs (see Section 6) for incomplete systems. For our model checking algorithm the communication between the black box and the white box is of particular importance. We distinguish between four different types of transitions in the white box: are used in the computation of Sat ∀ ( ). Secondly, we have to consider only u-sync-transitions. For computing Sat ∀ ( ) and Sat ∃ ( ), we need a modified version of the u-sync-transitions where certain integer values may be replaced by arbitrary values. In the following we give a brief sketch of how this replacement works: Remember that we consider well-formed timed automata (see Remark 1), i.e., for each integer int i and each synchronising action act either the white box or the black box is allowed to have u-sync-transitions which are labelled by act and contain assignments to int i. If only the black box is allowed to write to int i on u-sync-transitions labelled by act, then we have to account for the fact that the black box may write an arbitrary value to int i when taking such a u-sync-transition. This is realised by introducing a set of additional inputs (i evaluating to true whenever no transition is enabled. This predicate can be extracted from the guards of the self-loops introduced by the converter.
Model checking algorithm
Now we show how to do fully symbolic TCTL model checking for incomplete real-time systems modelled as incomplete FSMTs by computing fully symbolic representations of the sets Sat ∃ ( ) and Sat ∀ ( ) as defined above. The most important ingredient of TCTL model checking is the predecessor operation Pre, and thus the essential contribution is how to define two variants of Pre for computing Sat ∃ and Sat ∀ .
Definition 9 (Pre ∃ (S), Pre ∀ (S)). If for at least one black box implementation there is a transition s → s with s ∈ S, then s is included in Pre ∃ (S). (This transition can be regarded as a may transition following the notion from [30].) If a state s is included in Pre ∀ (S), then for all black box implementations there is a transition s → s with s ∈ S. (The transition is a must transition.)
For formulas like = EF whose evaluation needs a fixed-point iteration we make use of Pre ∃ to compute Sat ∃ ( ) (instead of Pre, which is used for complete systems). In the special case = EF we start with the set Sat ∃ ( ) (which includes at least the states which may satisfy depending on the concrete black box implementation) and we use Pre ∃ to compute the set of states which can reach Sat ∃ ( ) via one 'may transition'. By iteratively applying Pre ∃ we obtain Sat ∃ (EF ), which includes all states from which there is a computation path to a state from Sat ∃ ( ) for at least one black box implementation.
Likewise, for Sat ∀ ( ) we replace Pre by Pre ∀ . In the special case = EF we start with the set Sat ∀ ( ) (which includes at most the states which definitely satisfy independently from the black box implementation) and we use Pre ∀ to compute the set of states which can reach Sat ∀ ( ) via one 'must transition', i.e. independently from the black box implementation. Again, we obtain Sat ∀ (EF ) by iteratively applying Pre ∀ . The remaining operations are more or less straightforward. It is easy to see that
, negation plays a special role here, since it turns 'existential quantification of black boxes into universal quantification' and over-approximation into under-approximation (and vice-versa). Moreover, it holds Sat
In the second case we only have '⊆' instead of '=', since a certain state may fulfill 1 ∧ ¬ 2 for certain black box implementations and ¬ 1 ∧ 2 for all others, thus it belongs to
A second source of approximation stems from the fact that we assume that the black box can make different decisions based on the current state of the white box, i.e., the black box 'can read the state bits of the white box'. (Note that the same assumption is implicitly made in classical controller synthesis approaches for safety properties as well [40,41,42].)
The evaluation of general TCTL formulas needs both Pre ∀ and Pre ∃ . In the following we describe the computation of Pre ∀ ( ) and Pre ∃ ( ) separately for discrete steps and time steps.
Pre d ∀ ( ) -discrete step for Pre ∀ ( )
Starting with a state set ( x, y) the discrete (backward) step needed for Pre ∀ ( ) computes only predecessors from which can be reached over a discrete transition in the white box, independently from the implementation of the black box. Note that the δ all i do not depend on i BB -variables, since all actions (including urgent actions) have been removed before applying the converter. The proof of the lemma is straightforward: due to the interleaving semantics of timed automata, the no-sync-transitions can always be taken independently from the implementation of the black box. On the other hand, discrete steps that reach independently from the black box use only no-sync-transitions. This is easy to see by considering a special black box implementation BB no-sync which never synchronises with the white box, and thus disables all nu-sync-transitions and u-sync-transitions.
Pre c ∀ ( ) -continuous step for Pre ∀ ( )
Starting with a state set ( x, y) the time step for Pre ∀ ( ) computes only predecessors from which ( x, y) can be reached through time passing, independently from the black box implementation. Because of urgent synchronisation, the black box can affect the timing behaviour in the white box by enabling a u-sync-transition, and thus, stopping time evolution. Additionally, the black box can take internal urgent transitions which do not synchronise with the white box and update the shared integer variables to unknown values. To illustrate the peculiarities of the continuous predecessor computation with intervention of a black box, consider the following example:
Example 4. Fig. 8 shows a small extract of an incomplete timed system where the white box consists of three u-sync-transitions (dashed arrows), which are labelled with clock constraints and integer constraints as guards, and one no-sync-transition, which is labelled with a clock constraint as guard. The white box communicates with the black box via an urgent synchronisation action a u , and a shared integer variable i, with i ∈ {0, 1}. We assume that, using our model checking algorithm, a state set , containing the states l 0 , η(x) = 7, μ(i) = 0 and l 0 , η(x) = 7, μ(i) = 1 has already been computed. We ask whether is reachable from s, regardless of the black box behaviour.
If the black box never synchronised over a u , then no u-sync-transition would be enabled, and thus time would be allowed to pass starting in s. However, time evolution could be interrupted by internal urgent non-synchronising transitions of the black box, which possibly update integer i, such that after the continuous evolution the value of i is unknown to the white box. Hence, after 7 time units, state
(Note that the black box can interrupt the time evolution only a finite number of times during 7 time units, since we restrict our consideration to timelock-free non-Zeno black boxes, see Remark 4. Thus, the black box cannot prevent reaching the clock value of 7 by infinitely many interrupts.)
However, all possible black box implementations have to be considered, including a black box replacement, which synchronises via a u , and thus, blocks time evolution. Considering well-formed timed systems (Remark 1), there exist two different cases:
The black box is not allowed to update integer i on transitions which synchronise via a u , because i is updated on such transitions in the white box. Then, the black box cannot change i when taking the u-sync-transitions in Fig. 8 . (Of course, the black box still may switch the valuation of i between μ(i) = 0 and μ(i) = 1 on internal urgent non-synchronising transitions which interrupt the time evolution.) Then, we can only guarantee that there is no black box implementation which prevents from being reached starting from s, if additionally includes the state l 1 , η(x) = 5, μ(i) = 0 and one of the following states, l 2 , η(x) = 6, μ(i) = 1 or l 3 , η(x) = 6, μ(i) = 1 . This can be seen as follows:
Starting in s = l 0 , η(x) = 0, μ(i) = 0 , the clock value η(x) = 5 is definitely reached by time evolution (since the clock x is local to the white box, see Remark 3). Depending on the behaviour of the black box, the u-sync-transition from l 0 to l 1 may be enabled, such that the black box can enforce the run to arrive at l 1 , η(x) = 5, μ(i) = 0 . Thus, l 1 , η(x) = 5, μ(i) = 0 has to be in in order to be sure that is reached independently from the black box behaviour.
If the black box does not enable the u-sync-transition at that moment, time evolution continues until η(x) = 6.
Provided that the black box has previously set the value of i to 1, it has the possibility to synchronise over a u .
In state l 0 , η(x) = 6, μ(i) = 1 , when the black box tries to synchronise over a u , there are two u-sync-transitions enabled (l 0 to l 2 and l 0 to l 3 ), among which the white box can choose which one to take. When the white box chooses to take the u-sync-transition from l 0 to l 2 , the state l 2 , η(x) = 6, μ(i) = 1 is reached. On the other hand, if the white box chooses to take the u-sync-transition from l 0 to l 3 , the state l 3 , η(x) = 6, μ(i) = 1 will be reached. So, if either l 2 , η(x) = 6, μ(i) = 1 or l 3 , η(x) = 6, μ(i) = 1 is in , the black box cannot impede the white box, which can choose freely which transition to take, from reaching . If the black box does not enforce (by synchronising via a u ) any of the transitions discussed above, time evo-
is reached from s, independently from the behaviour of the black box.
Case 2: The black box is allowed to update integer i on transitions which synchronise with the white box via a u .
Thus, while synchronising with the white box, the black box may change the valuation of i. Compared to Case 1,
With these states additionally included in , it is guaranteed that the black box is not able to prevent a path from s into . When η(x) = 5 and the black box enforces taking the u-sync-transition from l 0 to l 1 , it can update integer i to 1, and thus, the run is forced into state
∈ , the black box could prevent from being reached. With an analogous argumentation, is not reached from s for a certain black box implementation when neither
Eqn. (5) values which may be assigned by the black box to integer bits on urgent transitions synchronising with the white box (see also enabled transition labelled with this action. In that case, the black box is not able to stop time evolution by this urgent synchronisation action, otherwise the white box has to synchronise by choosing a u-sync-transition.
In Lines 4 to 6 of Eqn. (5), this consideration is transferred to all states ( x + λ , y) (0 < λ < λ) between ( x, y) and ( x + λ, y). This is the actual time evolution, starting in state ( x, y). During this time evolution, the black box may change the valuation of its state variables through internal urgent non-synchronising transitions, which have to be taken, and thus, the valuation of the state variables y BB is unknown. is reachable by a discrete transition in the white box.
The proof follows from the following argument: The result corresponds to a backwards evaluation of discrete white box transitions of any kind (no-sync-transitions, u-sync-transitions, nu-sync-transitions). By existentially quantifying i int , we account for all possible integer assignments by the black box in the case of u-sync-transitions. Of course, no further transitions can ever be enabled in the white box, not even by a black box implementation which always provides all synchronisation actions needed to enable synchronising transitions in the white box.
Pre c ∃ ( ) -continuous step for Pre ∃ ( )
Pre c ∃ ( ) includes all states from which a state in is reachable through time evolution for at least one black box implementation. This can be a black box implementation which never synchronises via an urgent action during the time step, and thus, no u-sync-transition has to be considered. Furthermore, the black box can update shared integer variables on internal urgent non-synchronising transitions. Eqn. (6) This explains the existential quantification of y BB in Line 2 of Eqn. (6).
• time evolution is not stopped by any u-transition. In a timed system without shared integers, which are accessible to the white box and the black box, Eqn. (6) can be simplified by just omitting the existential quantification of the y BB -variables (Line 3).
Discrete and time steps together
In our implementation we apply alternating discrete steps and time steps for the operations Pre ∃ and Pre ∀ . For Pre ∃ we additionally apply an existential quantification of the shared integer variables y BB after each application of Pre d ∃ and Pre c ∃ . This existential quantification corresponds to an interleaving with a potential discrete backwards step of the black box. Since we have to consider all possible black box implementations for Pre ∃ , we have to assume that the shared integers can be set to arbitrary values in this step. Since for Pre ∀ we only have to consider effects shared by all possible black box implementations, and there are certainly black box implementations which do not write shared integers at all, we completely omit potential discrete black box backward steps (and thus the existential quantification of y BB ) for Pre ∀ .
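The following Python model is an added illustration of Definition 9, of the lemma for Pre d ∀ (only no-sync-transitions contribute to the must predecessor) and of the existential quantification of the shared integers applied after each Pre ∃ step; it is not code from the paper or from FSMTMC. It is deliberately explicit-state and restricted to discrete steps (no clocks, no continuous step), whereas the paper works on fully symbolic LinAIG state sets. The white box with locations l0, l1, l2, the transition kinds, the shared integer i ∈ {0, 1}, the target set PHI and the assumption that a black box may overwrite i in an interleaved internal step both before and after a white-box transition are constructed for this example.

```python
"""Added illustration (not from the paper): explicit-state may/must
predecessors for an incomplete system, discrete steps only, no clocks."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

State = Tuple[str, int]            # (location, valuation of the shared integer i)
INT_VALUES = (0, 1)                # constructed domain of the shared integer i


@dataclass(frozen=True)
class Trans:
    """A white-box transition; the black box is never modelled explicitly."""
    src: str
    dst: str
    kind: str                       # "no-sync", "u-sync" or "nu-sync"
    guard: Callable[[int], bool]    # integer constraint of the guard
    assign: Optional[int] = None    # white-box write to i, None = i unchanged


def all_states(locs) -> FrozenSet[State]:
    return frozenset((l, i) for l in locs for i in INT_VALUES)


def pre_discrete(S, transitions, kinds) -> FrozenSet[State]:
    """Backward discrete step over the white-box transitions whose kind is in `kinds`."""
    result = set()
    for t in transitions:
        if t.kind not in kinds:
            continue
        for i in INT_VALUES:
            if not t.guard(i):
                continue
            i_next = i if t.assign is None else t.assign
            if (t.dst, i_next) in S:
                result.add((t.src, i))
    return frozenset(result)


def quantify_shared_int(S) -> FrozenSet[State]:
    """Existential quantification of the shared integer (the y_BB quantification
    of the text): a black box may overwrite i in an interleaved internal urgent
    step, so every (l, i) reaches S through such a step as soon as some (l, j) is in S."""
    locs = {l for (l, _) in S}
    return frozenset((l, i) for l in locs for i in INT_VALUES)


def pre_exists(S, transitions) -> FrozenSet[State]:
    """May predecessor: transitions of every kind count, because some black box
    implementation synchronises whenever the white box needs it; the black box may
    also write i before and after the white-box step (assumption of this example)."""
    step = pre_discrete(quantify_shared_int(S), transitions,
                        {"no-sync", "u-sync", "nu-sync"})
    return quantify_shared_int(step)


def pre_forall(S, transitions) -> FrozenSet[State]:
    """Must predecessor: only no-sync-transitions, since a black box that never
    synchronises disables all u-sync- and nu-sync-transitions; no quantification
    of i, since a black box that never writes shared integers is also possible."""
    return pre_discrete(S, transitions, {"no-sync"})


def lfp_ef(phi, pre) -> FrozenSet[State]:
    """Least fixed point for EF: Sat(phi) extended by predecessors until stable."""
    S = frozenset(phi)
    while True:
        nxt = S | pre(S)
        if nxt == S:
            return S
        S = nxt


def sat_exists_ef(phi, transitions) -> FrozenSet[State]:
    return lfp_ef(phi, lambda S: pre_exists(S, transitions))


def sat_forall_ef(phi, transitions) -> FrozenSet[State]:
    return lfp_ef(phi, lambda S: pre_forall(S, transitions))


def sat_exists_not(sat_forall_psi, locs) -> FrozenSet[State]:
    """Sat_exists(not psi) is the complement of Sat_forall(psi): negation
    swaps existential and universal quantification over black boxes."""
    return all_states(locs) - sat_forall_psi


# Constructed white box: l0 reaches l1 directly only with the black box's help
# (u-sync, guard i == 1); the internal route l0 -> l2 -> l1 needs i == 0 at l2.
LOCS = ("l0", "l1", "l2")
TRANSITIONS = (
    Trans("l0", "l1", "u-sync", lambda i: i == 1),
    Trans("l0", "l2", "no-sync", lambda i: True),
    Trans("l2", "l1", "no-sync", lambda i: i == 0),
)
PHI = frozenset(("l1", i) for i in INT_VALUES)      # target: location l1 reached


if __name__ == "__main__":
    may = sat_exists_ef(PHI, TRANSITIONS)
    must = sat_forall_ef(PHI, TRANSITIONS)
    print("Sat_exists(EF phi):", sorted(may))
    print("Sat_forall(EF phi):", sorted(must))
    print("Sat_exists(not EF phi):", sorted(sat_exists_not(must, LOCS)))
```

On this constructed white box, (l0, 1) and (l2, 1) lie in Sat ∃ (EF ) but not in Sat ∀ (EF ): a black box that never synchronises over the urgent action and never writes i leaves the white box in l2 with i = 1, where the guard of l2 → l1 fails, while a black box that resets i or synchronises makes l1 reachable. The inclusion Sat ∀ ⊆ Sat ∃ holds by construction, and Sat ∃ (¬EF ) is exactly the complement of Sat ∀ (EF ).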
Experimental results
Experimental setup
We implemented the full TCTL model checking algorithms for complete and incomplete timed systems in the prototype model checker FSMTMC [1, 2] and analysed our approach on several parameterized benchmarks with parameter n indicating the number of components in the benchmark and ranging between 3 and 50 (Column 'nbr.'). 12 Parameterized benchmarks made it easy for us to generate sets of increasingly complex benchmarks for comparison. Actually we do not consider parameterized benchmarks as the main field of application for our algorithm and thus we did not make use of symmetry reduction, neither within our tool nor within any competitor. We compare the results to the state-of-the-art model checkers Uppaal v.4 (UPP.), RED 8 and Kronos 2.5 (KRO.). All tools were run with default configurations: Uppaal performs a semi-symbolic forward analysis with breadth-first search and RED does a fully symbolic backward traversal. Both can only be used for checking safety properties, whereas Kronos can also be used for full TCTL model checking but cannot handle benchmarks containing integer variables (like 'arbiter' and 'leader'). Table 1 shows the results of our tool checking safety properties by backward reachability analysis for benchmarks modelled as complete FSMTs (comp.) and as incomplete FSMTs (inc.) with pure interleaving (FSMTMC-INTER) or with parallelized interleaving (FSMTMC-PARA) and compares them to Uppaal v.4 (UPP.) and RED 8. In the same way, Table 2 gives the runtimes of our approach verifying properties which require full TCTL model checking and compares them to Kronos 2.5 (KRO.). All benchmarks were originally modelled as timed automata and for our tool they were automatically translated into FSMTs. In columns CONV. of Tables 1 and 2 we give the CPU times (in seconds) of the (un-optimized) translator.
Of course, the translation differs for complete and incomplete FSMTs (for incomplete FSMTs even several types of transition functions and reset conditions have to be computed according to Section 9.1). Here we report the maximum of the translation times for complete and incomplete FSMTs in the pure interleaving case. The times for the parallelized interleaving case are of similar magnitude, and in all cases where the model checker did not time out, the sum of translation times and model checking times did not exceed the time out either. In the tables we give for each tool the last result (last nbr) before running into a time out and the first result after running into a time out. Additionally we add a line in the table for each tenth result if there is no time out (entry in the table) occurring in the last ten measurements. 13 The experiments have been conducted on an Intel Xeon with 3.3 GHz with a time limit of 8000 CPU seconds and a memory limit of 2 GB. 14
Verification of complete and incomplete real-time systems
The toy example [1] ('toy' in Table 1) models n timed automata which communicate via a shared integer variable. When performing a reachability analysis on this benchmark we can observe an enormous performance gain for parallelized interleaving due to a reduction of the number of steps in state space traversal. Our algorithm with parallelized interleaving behaviour can finish state space traversal after just one step and solves the complete benchmark set up to nbr = 50, whereas a pure interleaving computation needs n steps to reach the property and can solve benchmarks up to nbr = 16. Uppaal performs much worse on this example (time out at nbr = 15), since it works on an explicit representation of locations and it computes all possible permutations of enabled transitions step by step. Our approach clearly outperforms RED (time out at nbr = 9) as well, which is based on a different fully symbolic representation and performs only pure interleaving.
12 A brief description of the benchmarks is given in Appendix B; more detailed information can be found at http://abs.informatik.uni-freiburg.de/morbe/scp/scp.html.
13 Tables with the complete results can be found at http://abs.informatik.uni-freiburg.de/morbe/scp/scp.html.
14 An empty entry (denoted by −) in the tables means that the tool ran either into a time out or a memory out.
The case study gear production stack ('GPS' in Table 1) [43] models an industrial workflow and demonstrates the strength of symbolic methods, in that RED (nbr = 39) achieves better results than the semi-symbolic model checker Uppaal (nbr = 18). However, our new symbolic approach can solve the complete benchmark set with up to nbr = 50 in both configurations (parallelized interleaving and pure interleaving) in a reasonable amount of time. In the two benchmarks GPS and toy no useful result is obtained from the model checker when some components are put into the black box. The entries (NA) in columns 'inc.' mean that the benchmarks are not applicable for black box model checking. For all following benchmarks we considered both complete and incomplete versions.
The arbiter example [1,2] models a system of nbr processes controlled by a distributed arbiter which asserts that a critical resource can only be used by one component at a time. We have two versions of this benchmark, one correct ('arbiter' in Table 1 ), where a safety property can be proven, and one erroneous version ('arbiter error' in Table 1 ), where several processes can access the critical resource at the same time, and thus, the safety property is falsified. Both versions can be modelled as incomplete systems where nbr − 2 processes are put into a black box. The complexity of the incomplete distributed arbiter, however, increases with increasing nbr. It can be seen that our model checker (FSMTMC-PARA nbr = 15 and FSMTMC-INTER nbr = 19) outperforms the reference tools Uppaal (nbr = 6) and RED (nbr = 6) on complete systems.
Considering incomplete systems, our tool FSMTMC is able to prove validity of the property for the correct version and non-realisability for the erroneous version for the complete benchmark set (up to nbr = 50) within moderate CPU times.
On the leader election benchmark [26] ('leader' in Table 1 ), which models a timed leader election in a ring protocol, we check whether a leader is found within a given time limit. This is not the case, such that the property is falsified. Uppaal (up to nbr = 10) and RED (up to nbr = 5) are able to solve larger systems than FSMTMC which can only solve systems with nbr = 3 processes. By putting nbr − 3 processes into a black box, we abstracted the complete system into an incomplete one, however, we are able to prove non-realisability of the safety property. (Nevertheless, the complexity of the white box increases with nbr.) Now FSMTMC is able to finish the verification runs for all instances of the benchmark set.
The communicating parallel processes benchmark [2] consists of nbr processes which synchronise via actions. On this system we perform a backward reachability analysis verifying a safety property ('CPP reach' in Table 1) and full TCTL model checking ('CPP timelock' in Table 2). For the reachability analysis on the complete systems, parallelized interleaving semantics enhances the performance of our tool, which can solve more benchmarks (up to nbr = 38 for parallelized interleaving and up to nbr = 37 for pure interleaving) than the competitors (Uppaal up to nbr = 31 and RED up to nbr = 3). The incomplete CPP benchmarks can all (up to nbr = 50) be solved by our model checker. In addition to checking a safety property, we check for time divergence (absence of time locks) with the property TL = AG(EF {=1} true), which requires full TCTL and thus can be verified neither with Uppaal nor with RED. Compared to the tool Kronos, which explicitly computes the product automaton, we can solve more instances of the complete system (nbr = 4 instead of nbr = 3), and for the incomplete systems our tool has no difficulties in proving non-realisability of TL for the complete benchmark set.
The CSMA benchmark [44] ('CSMA timelock' in Table 2 ) is a system with several senders trying to access a single multi-access bus and is tested for time divergence with the property TL . Here, on the complete system our tool cannot solve any instance whereas Kronos can solve the system with up to nbr = 7 components. However on the incomplete system, where nbr − 2 senders are put into a black box (the complexity of the bus increases with nbr), we can prove non-realisability of the property on all benchmarks.
Altogether the experimental evaluation shows that semi-symbolic model checkers like Uppaal are really fast on examples with a smaller number of components. However, when the number of components gets larger, leading to a large number of locations in the parallel composition of the components, our methods benefit from the symbolic representation, which is able to represent both the discrete and the continuous part of the state space using a single data structure (LinAIGs). Moreover, we profit from a clever formulation of the continuous and discrete predecessor steps with a minimized number of quantifications of real variables (using suitable substitution operations). Whenever the model under consideration allows parallelism of conflict-free non-synchronising transitions, model checking may be considerably accelerated using FSMTs simulating parallelized interleaving behaviour. In addition, the experiments for incomplete timed systems show that in many cases we were able to prove non-realisability or validity of interesting TCTL properties. Abstraction of components into Black Boxes may accelerate model checking dramatically, since abstracted state bits and clocks do not contribute to the state space representations.
Conclusions
We introduced a new formal model to represent real-time systems, the finite state machine with time, which is well-suited for fully symbolic verification algorithms. We presented a backward model checking algorithm to verify complete FSMTs and incomplete FSMTs where some part of the system is unknown and communicates with the known system over shared integers and urgent and non-urgent synchronisation. For a given TCTL property and an incomplete FSMT our model checking algorithm can prove non-realisability (there is no black box implementation such that the property is satisfied) and validity (the property is satisfied for all possible black box implementations). In order to verify timed automata with our algorithm we presented two different methods to convert timed automata into FSMTs. The resulting FSMT has either a pure interleaving behaviour or a parallelized interleaving behaviour. The experimental results on complete systems show that our approach outperforms other state-of-the-art model checkers due to its fully symbolic data structure and the usage of parallelized interleaving. On incomplete systems we are able to prove interesting properties early when parts of the overall system may not yet be finished. Additionally, the results demonstrate that fading out complete components of a timed system dramatically reduces the complexity of the system, and thus, the verification effort.
synchronise over act. First, to guarantee that in each synchronising timed automaton TA q ∈ A(act), a transition j labelled with act is enabled, a synchronisation condition sync(act) = (q l−1 , . . . , q 0 ) is the binary representation of q) is computed which ensures that no non-synchronising timed automaton is able to take a transition while others synchronise.
The guard g (q) i of each transition i ∈ q (act) for all q with TA q ∈ A(act) has to be replaced by g (q) i = sync(act) ∧ inter(act). Using the extended guards, synchronising transitions are enabled at the same time, and due to the previous modification steps for interleaving behaviour and for determinism, no other transition is enabled while synchronisation takes place.
In order to define transition functions for FSMTs which define a successor state for each state, we introduce a self loop at each location whose guard is the conjunction of the negated guards of all outgoing transitions of this location; thus the self loop of a location is enabled whenever no other outgoing transition is enabled.
A.3. Modifications for parallelized interleaving behaviour
To avoid the problem of reaching more states than allowed by the semantics of interleaving caused by resets of clock variables (see Section 5), we force the timed system to simulate a pure interleaving behaviour in such cases by adding read/write-enable numbers for clock variables. Assume q timed automata TA i 1 , . . . , TA i q having transitions which both read and reset a clock variable x i at the same time. Then we need log(q + 2) additional input variables to encode read/write-enable numbers rw which updates int i is extended by 'rw int i = bin(k)'. This makes it impossible for two timed automata to write int i at the same time, since the corresponding guards cannot be enabled at the same time. Likewise, it is impossible that in the same step one timed automaton reads an integer and another one writes to it. In order to give each component the non-deterministic choice to stay in its current location during a discrete step, we introduce a self loop with guard 'true' at every location of the automaton. By taking this transition the automaton does not leave the current location and makes no assignments to clocks or integer variables. Then, to introduce determinism we apply the same modifications using input variables as we have done for pure interleaving behaviour in Section A.2.
Synchronisation is realised as for pure interleaving behaviour (Section A.2), except that here synchronisation may take place in parallel with other discrete transitions. To ensure that transitions which synchronise via a synchronisation action act are taken in parallel, the guards of all these transitions are replaced by the synchronisation condition sync(act). The condition includes guards which are already extended by the encoding of the source location, the input variables used to solve conflicts on integers and clocks, and the input variables dedicated to solving non-determinism. The condition inter(act) is not needed here, since other discrete transitions can be taken at the same time.
The modifications to ensure completeness of the transition functions of resulting FSMTs are equivalent to Section A.2. The resulting system is deterministic and has a parallelized interleaving behaviour. In the following section we show how to compute transition functions, reset conditions and a global invariant.
A.4. Computation of a symbolic representation
The state variables Y = {y 1 , . . . , y l } of the FSMT result from the encoding of integers and locations. The set of clock variables X = {x 1 , . . . , x n } of the FSMT is identical to the set of clock variables in the underlying timed system. In the pure interleaving case, the input variables I = {i 1 , . . . , i h } contain the variables used to ensure interleaving behaviour and the variables resolving non-determinism. In the parallelized interleaving case, the input variables consist of the variables solving conflicts on integer and clock variables and the variables guaranteeing determinism. )), which contain the location encoding, the assignments of the inputs used for interleaving behaviour, determinism and synchronisation, in the pure interleaving case as computed in Section A.2, or which contain the location encoding, the assignments of the inputs
