Updatable Timed Automata
Patricia Bouyer
1
, Catherine Dufourd
2
, Emmanuel Fleury
3
, and Antoine Petit
1
1
LSV, CNRS UMR 8643 & ENS de Cachan,
61, Av. du Président Wilson,
94235 Cachan Cedex, France
Email: {bouyer,petit}@lsv.ens-cachan.fr
2
EDF – R&D – Dépt. OSIRIS – 1, Av. du Général de Gaulle
92141 Clamart Cedex, France
Email: catherine.dufourd@edf.fr
3
BRICS
, Aalborg University
Fredrik Bajers Vej 7
9220 Aalborg Ø, Denmark
Email: fleury@cs.auc.dk
Abstract. We investigate extensions of Alur and Dill’s timed automata, based on the possibility to
update the clocks in a more elaborate way than simply reset them to zero. We call these automata
updatable timed automata. They form an undecidable class of models, in the sense that emptiness
checking is not decidable. However, using an extension of the region graph construction, we exhibit
interesting decidable subclasses. In a surprising way, decidability depends on the nature of the clock
constraints which are used, diagonal-free or not, whereas these constraints play identical roles in timed
automata. We thus describe in a quite precise way the thin frontier between decidable and undecidable
classes of updatable timed automata.
We also study the expressive power of updatable timed automata. It turns out that any updatable au-
tomaton belonging to some decidable subclass can be effectively transformed into an equivalent timed
automaton without updates but with silent transitions. The transformation suffers from an enormous
combinatorics blow-up which seems unavoidable. Therefore, updatable timed automata appear to be a
concise model for representing and analyzing large classes of timed systems.
1 Introduction
Since their introduction by Alur and Dill [AD90,AD94], timed automata are one of the most-studied and
most-established models for real-time systems. Numerous works have been devoted to the “theoretical”
comprehension of timed automata (among them, see [ACD
+
92], [AHV93], [AFH94], [ACH94], [Wil94],
[HKWT95]). However the major property of timed automata is probably that emptiness checking is a
decidable problem for this model [AD94]. Based on this nice theoretical result, several model-checkers
have been developed (for instance CMC
1
[LL98], HYTECH
2
[HHWT95,HHWT97], KRONOS
3
[Yov97]
and U
PPAAL
4
[LPY97,BLL
+
98]) and a lot of case studies have been treated (see the web pages of the
tools).
This work has been partly supported by the french RNTL project “Averroes” and french-indian CEPIPRA project
n
o
2102 − 1.
Basic Research in Computer Science (http://www.brics.dk), funded by the Danish National Research Foun-
dation.
1
http://www.lsv.ens-cachan.fr/~fl/cmcweb.html
2
http://www-cad.eecs.berkeley.edu/~tah/HyTech/
3
http://www-verimag.imag.fr/TEMPORISE/kronos/
4
http://www.uppaal.com/
A lot of work has naturally been devoted to extensions of timed automata, with much interest for classes
whose emptiness problem remains decidable. There are two main (non exclusive) reasons for extending
existing models. First, they can be used to model strictly larger classes of systems and therefore treat
more case studies. They also lead to more compact representations of some systems. Conciseness makes
modelling easier, in the same way advanced programming languages make the writing of programs easier
than with assembly languages.
Considering timed automata, extensions can be obtained in various ways. Recall that in a timed automaton,
a transition is guarded by a constraint over a set of variables, called clocks. This constraint has to be satisfied
in order to enable the transition. Right after the transition is taken, a subset of clocks is reset to zero. This set
of clocks is specified in the label of the transition. The constraints used in Alur and Dill’s original model
allow to compare (the value of) a clock, or the difference between two clocks, with a rational constant.
Note that comparing the sum of two clocks with a constant leads to an undecidable class of automata (see
[AD94] but also [Duf97,BD00] where more precise results on the number of clocks are given). Periodic
clock constraints, as defined in [CG00], allow to express properties like "the value of a clock is even" or
"the value of a clock is of the form 0.5+3n where n is some integer. The corresponding class of automata
is strictly more powerful than Alur and Dill’s timed automata if silent transitions (or ε-transitions) are not
allowed but coincides with the original model otherwise. Note that, contrary to the untimed setting, silent
transitions strictly increase the expressive power of the model (see [BGP96,DGP97] or [BDGP98] for a
survey). Several other exotic extensions have been proposed among which we can mention [DZ98] where
subsets of clocks can be “freezed”.
The aim of the present paper is to investigate an other way to extend the model, with new operations on the
clocks. As we recalled just above, in Alur and Dill’s model, when a transition is taken, a specified subset
of clocks is reset to zero. Our goal is to study more complex updates on clocks, with a particular attention
to the decidability of the emptiness problem and to the expressive power of the corresponding classes of
automata. We will first study "deterministic" updates where a clock can be reset to a given constant, which
does not have to be zero anymore, or to the value of another clock, or more generally to the sum of a
constant and of the value of an other clock. We will then be interested in "non-deterministic" updates,
where a clock can be reset to an arbitrary value greater than some fixed constant. Note that this type of
updates appear sometimes naturally, for example in models of telecommunication protocols (see e.g. the
study of the ABR protocol proposed in [BF99,BFKM03]). In the sequel, we will call the corresponding
automata, updatable timed automata.
It is easy to verify that such updates, even if we only use deterministic ones, lead to an undecidable class
of automata. Indeed, it is easy to simulate a two-counter machine (or Minsky machine) with an updat-
able timed automaton. But it turns out that very interesting subclasses of updatable timed automata can be
proven decidable. A surprising result is that decidability often depends on the clock constraints – diagonal-
free (i.e. where the only allowed comparisons are between a clock and a constant) or not (where differences
of two clocks can also be compared with constants). This point makes an important difference with “clas-
sical” (i.e. Alur and Dill’s) timed automata for which it is well-known that these two kinds of constraints
have the same expressive power. We show for instance that updates of the form x := x +1lead to an
undecidable class of timed automata if arbitrary clock constraints are allowed but to a decidable class if
only diagonal-free clock constraints are allowed. Note that automata with updates of the form x := x − 1
always form an undecidable class whatever constraints, diagonal-free or general, are used. We will show
that decidability is often not far from undecidability and we will describe in a quite thin way the frontier
between the two worlds.
Decidability results are obtained through a generalization of the region graph proposed by Alur and Dill.
Given a timed automaton, and using the region graph, a finite automaton can be constructed, which recog-
nizes exactly the untiming of the language recognized by the original timed automaton. Note that the region
2
graph depends on the class of constraints, diagonal-free or not, and on updates. The main difficulty is then
to prove that a given set of updates is "compatible" (in a sense which will be of course precisely defined
in the paper) with the region graph. This compatibility has to be proven for all updates, not only for resets
as was the case in the original model, but also for deterministic and non-deterministic updates as described
previously. We will finally see that the complexity of this decision procedure remains P
SPACE-complete.
In this paper, we also study the expressive power of updatable timed automata. We show that they are
not more powerful than classical timed automata in the sense that for any updatable timed automaton, that
belongs to some decidable subclass, a classical timed automaton (potentially with ε-transitions) recognizing
the same language – and even most often bisimilar – can be effectively constructed. However in most cases,
an exponential blow-up seems unavoidable and thus a transformation into a classical timed automaton does
not lead to an efficient decision procedure. This exponential blow-up suggests that we can have much more
concise models if using updatable timed automata than if we only use classical timed automata.
The paper is organized as follows. In section 2, we present basic definitions of timed words, clock con-
straints and updates. Updatable timed automata are defined in section 3 where the emptiness problem is
briefly introduced. Section 4 is devoted to our undecidability results. We first reduce an undecidable prob-
lem on two counter machines to the emptiness problem for a subclass of updatable timed automata. We
then deduce that for several other subclasses of updatable timed automata, emptiness is also undecidable.
In section 5, we first propose a generalization of the region automaton principle first described by Alur and
Dill. We then use this extension to exhibit large subclasses of updatable timed automata for which empti-
ness is decidable, when only diagonal-free clock constraints are used (section 5.2) and then when arbitrary
clock constraints (section 5.3) are used. The question of the expressive power of updatable timed automata
is addressed in section 6. A short conclusion summarizes our results and propose some open questions or
developments.
This journal paper is the full version corresponding to the two conference papers [BDFP00a,BDFP00b].
2 Preliminaries
2.1 Timed Words and Clocks
If Z is any set, let Z
∗
(resp. Z
ω
) be the set of finite (resp. infinite) sequences of elements in Z. We note
Z
∞
= Z
∗
∪ Z
ω
. We consider as time domain T the set Q
+
of non-negative rationals or the set R
+
of
non-negative reals and Σ as a finite set of actions.Atime sequence over T is a finite (or infinite) non
decreasing sequence τ =(t
i
)
1≤i
∈ T
∞
.Atimed word ω =(a
i
,t
i
)
1≤i
is an element of (Σ × T)
∞
, also
written as a pair ω =(σ, τ ), where σ =(a
i
)
1≤i
is a word in Σ
∞
and τ =(t
i
)
1≤i
a time sequence in T
∞
of same length.
We consider a finite set X of variables, called clocks.Aclock valuation over X is a mapping v : X → T
that assigns to each clock a time value. The set of all clock valuations over X is denoted T
X
. Let t ∈ T,
the valuation v + t is defined by (v + t)(x)=v(x)+t, ∀x ∈ X.
2.2 Clock Constraints
Given a set of clocks X, we introduce two sets of clock constraints over X. The most general one, denoted
by C(X), allows to compare a clock or the difference of two clocks with a constant. It is formally defined
by the following grammar:
ϕ ::= x ∼ c | x − y ∼ c | ϕ ∧ ϕ | ϕ ∨ ϕ
where x, y ∈ X, c ∈ Q, ∼∈{<, ≤, =, =, ≥,>}
3
We also consider the proper subset of diagonal-free clock constraints where the comparison between two
clocks is not any more allowed. This set is denoted by C
df
(X) and is defined by the grammar:
ϕ ::= x ∼ c | ϕ ∧ ϕ | ϕ ∨ ϕ,
where x ∈ X, c ∈ Q and ∼∈{<, ≤, =, =, ≥,>}
Note that this restricted set of constraints is called diagonal-free because constraints of the form x − y ∼ c
are called diagonal clock constraints.
Clock constraints are interpreted over clock valuations. The satisfaction relation, denoted as “v |= ϕ”if
valuation v satisfies the clock constraint ϕ,isdefined in a natural way for both sets of constraints:
v |= x ∼ c if v(x) ∼ c
v |= x − y ∼ c if v(x) − v(y) ∼ c
v |= ϕ
1
∧ ϕ
2
if v |= ϕ
1
and v |= ϕ
2
v |= ϕ
1
∨ ϕ
2
if v |= ϕ
1
or v |= ϕ
2
2.3 Updates
Clock constraints allow to test the values of the clocks. In order to change these values, we use the notion
of updates which are functions from T
X
to P(T
X
)
5
. An update hence associates with each valuation a set
of valuations.
In this work, we restrict to a small class of updates, the so-called local updates, constructed in the following
way. We first define a simple update over a clock z as one of the two following functions:
up ::= z :∼ c | z :∼ y + d
where c, d ∈ Q,y∈ X and ∼∈{<, ≤, =, =, ≥,>}
Let v be a valuation and up be a simple update over z. A valuation v
is in up(v) if v
(y)=v(y) for any
clock y = z and if v
(z) satisfies:
v
(z) ∼ c ∧ v
(z) ≥ 0 if up = z :∼ c
v
(z) ∼ v(y)+d ∧ v
(z) ≥ 0 if up = z :∼ y + d
A local update over a set of clocks X is a collection up =(up
i
)
1≤i≤k
of simple updates, where each up
i
is a simple update over some clock x
i
∈ X (note that it may happen that x
i
= x
j
for some i = j). Let
v, v
∈ T
n
be two clock valuations. The valuation v
is in up(v) if for every i, the set up
i
(v) contains the
valuation v
defined by
v
(x
i
)=v
(x
i
)
v
(y)=v(y) for any y = x
i
The terminology “local” comes from the fact that v
(x) only depends on x and not on the other values
v
(y).
Example 1. Let us consider the local update up =(x :>y,x:< 7). Let v, v
be two valuations. It holds
that v
∈ up(v) if v
(x) >v(y) ∧ v
(x) < 7.
Note that up(v) may be empty. For instance, the local update (x :< 1,x :> 1) leads to an empty set.
For any set of clocks X, we denote by U(X) the set of local updates over X. In this paper, we will simply
call updates these local updates. The following subsets of U(X) will play an important role in the rest of
the paper.
5
P(T
X
) denotes the powerset of T
X
.
4
- U
0
(X) is the set of reset updates. A reset update is a local update up such that each simple update
defining up is of the form x := 0.
- U
cst
(X) is the set of “constant” updates, that is the set of updates up such that each simple update
defining up is of the form x := c with c ∈ Q.
- U
det
(X) is the set of deterministic updates. An update up is said deterministic if for any clock valuation
v, there exists at most one valuation v
such that v
∈ up(v). It is immediate to check that a local update
up =(up
i
)
1≤i≤k
is deterministic if all simple updates up
i
are of one of the following form:
1. x := c with x ∈ X and c ∈ Q
2. x := y with x, y ∈ X
3. x := y + c with x, y ∈ X and c ∈ Q \{0}
3 Updatable Timed Automata
We now define the central notion of updatable timed automata. As we explain in details below, these
automata extend the classical family of Alur and Dill’s timed automata [AD90,AD94].
3.1 The Model
An updatable timed automaton over T is a tuple A =(Σ,X,Q, T, I,F,B), where:
– Σ is a finite alphabet of actions,
– X is a fi nite set of clocks
– Q is a finite set of states
– T ⊆ Q × [C(X) × (Σ ∪{ε}) ×U(X)] × Q is a finite set of transitions
– I ⊆ Q is the subset of initial states
– F ⊆ Q is the subset of final states
– B ⊆ Q is the subset of Büchi-repeated states.
The special action ε is called silent action and a transition in Q × [C(X) ×{ε}×U(X)] ×Q is called silent
transition or ε-transition.
If C⊆C(X) is a subset of clock constraints and U⊆U(X) a subset of updates, the class
Uta
ε
(C, U)
denotes the set of all updatable timed automata in which transitions only use clock constraints in C and
updates in U. The subclass of automata which do not use silent transitions is simply written
Uta
(C, U).
Timed automata, as studied in details by Alur and Dill [AD90,AD94], thus correspond to the classes
Uta
ε
(C
df
(X), U
0
(X)) and
Uta
(C
df
(X), U
0
(X)) (where C
df
(X) and U
0
(X) are respectively the set of
diagonal-free clock constraints and reset updates as defined in section 2).
As for timed automata, a behavior in an updatable timed automaton is obtained through the notion of paths
and runs. Let us fix for the rest of this part an updatable timed automaton A.Apath in A is a finite or
infinite sequence of consecutive transitions:
P = q
0
ϕ
1
,a
1
,up
1
−−−−−−→ q
1
ϕ
2
,a
2
,up
2
−−−−−−→ q
2
..., where (q
i−1
,ϕ
i
,a
i
,up
i
,q
i
) ∈ T, ∀i>0
The path is said to be accepting if it starts in an initial state (q
0
∈ I) and either it is finite and it ends in a
final state, or it is infinite and passes infinitely often through a Büchi-repeated state.
A run through the path P from the clock valuation v
0
, with v
0
(x)=0for any clock x, is a sequence of the
form:
q
0
,v
0
a
1
−−→
t
1
q
1
,v
1
a
2
−−→
t
2
q
2
,v
2
...
5
