## Semantics and Verification 2005

### Lecture 10

- Equivalence Checking Problems
- Region Graph and Reachability
- Networks of Timed Automata
- Timed Hennessy Milner Logic


## Timed Bisimilarity

Let  $A_1$  and  $A_2$  be timed automata.

### Timed Bisimilarity

We say that  $A_1$  and  $A_2$  are timed bisimilar iff the transition systems  $T(A_1)$  and  $T(A_2)$  generated by  $A_1$  and  $A_2$  are strongly bisimilar.

### Remark

Both

- $\xrightarrow{a}$ for $a \in Act$ and
- $\stackrel{d}{\longrightarrow}$ for $d \in \mathbb{R}^{\geq 0}$

are considered as normal (visible) transitions.


### Example of Timed Bisimilar Automata




### Example of Timed Non-Bisimilar Automata




### Untimed Bisimilarity

Let  $A_1$  and  $A_2$  be timed automata. Let  $\epsilon$  be a new (fresh) action.

#### Untimed Bisimilarity

We say that  $A_1$  and  $A_2$  are untimed bisimilar iff the transition systems  $T(A_1)$  and  $T(A_2)$  generated by  $A_1$  and  $A_2$  where every transition of the form  $\stackrel{d}{\longrightarrow}$  for  $d \in \mathbb{R}^{\geq 0}$  is replaced with  $\stackrel{\epsilon}{\longrightarrow}$  are strongly bisimilar.

Remark:

- $\xrightarrow{a}$ for $a \in N$ is treated as a visible transition, while
- $\stackrel{d}{\longrightarrow}$ for $d \in \mathbb{R}^{\geq 0}$ are all labelled by the single visible action $\epsilon$.

### Corollary

Any two timed bisimilar automata are also untimed bisimilar.


### Timed Non-Bisimilar but Untimed Bisimilar Automata




### Decidability of Timed and Untimed Bisimilarity

### Theorem [Cerans'92]

Timed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).

### Theorem [Larsen, Wang'93]

Untimed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).


## Weak Timed Bisimulation

#### Weak Transition Relation

We introduce the following derived transition relations:

- $s \stackrel{a}{\Longrightarrow} s'$ iff $s \ (\xrightarrow{\tau})^* \xrightarrow{a} (\xrightarrow{\tau})^* \ s'$ when $a$ is a discrete action.
- $s \stackrel{d}{\Longrightarrow} s'$ iff $s \ (\xrightarrow{\tau})^* \xrightarrow{d_1} (\xrightarrow{\tau})^* \cdots (\xrightarrow{\tau})^* \xrightarrow{d_n} (\xrightarrow{\tau})^* \ s'$ with $d = d_1 + d_2 + \cdots + d_n$.

#### Weak Timed Bisimilarity

Let  $A_1$  and  $A_2$  be two timed automata. We say that  $A_1$  and  $A_2$  are weakly timed bisimilar iff the transition systems  $T(A_1)$  and  $T(A_2)$  generated by  $A_1$  and  $A_2$  using weak transitions  $\stackrel{a}{\Longrightarrow}$  and  $\stackrel{d}{\Longrightarrow}$  are strongly bisimilar.


### Weakly Timed Bisimilar Automata




## Timed Traces

Let  $A = (L, \ell_0, E, I)$  be a timed automaton over a set of clocks C and a set of labels N.

#### Timed Traces

A sequence $(t_1, a_1)(t_2, a_2)(t_3, a_3) \dots$ where $t_i \in \mathbb{R}^{\geq 0}$ and $a_i \in N$ is called a timed trace of A iff there is a transition sequence

$$(\ell_0, v_0) \xrightarrow{d_1} \cdot \xrightarrow{a_1} \cdot \xrightarrow{d_2} \cdot \xrightarrow{a_2} \cdot \xrightarrow{d_3} \cdot \xrightarrow{a_3} \cdots$$

in A such that $v_0(x) = 0$ for all $x \in C$ and $t_i = t_{i-1} + d_i$ where $t_0 = 0$.

Intuition:  $t_i$  is the absolute time (time-stamp) when  $a_i$  happened since the start of the automaton A.


## Timed and Untimed Language Equivalence

The set of all timed traces of an automaton A is denoted by L(A) and called the timed language of A.

### Theorem [Alur, Courcoubetis, Dill, Henzinger'94]

Timed language equivalence (the problem whether  $L(A_1) = L(A_2)$  for given timed automata  $A_1$  and  $A_2$ ) is undecidable.

We say that  $a_1a_2a_3...$  is an untimed trace of A iff there exist  $t_1, t_2, t_3, ... \in \mathbb{R}^{\geq 0}$  such that  $(t_1, a_1)(t_2, a_2)(t_3, a_3)...$  is a timed trace of A.

### Theorem [Alur, Dill'94]

Untimed language equivalence for timed automata is decidable.


## Automatic Verification of Timed Automata

#### Fact

Even very simple timed automata generate timed transition systems with infinitely (even uncountably) many reachable states.

### Question

Is any automatic verification approach (like bisimilarity checking, model checking or reachability analysis) possible at all?

#### Answer

Yes, using region graph techniques.

Key idea: infinitely many clock valuations can be categorized into finitely many equivalence classes.


## Intuition

Let  $v, v' : C \to \mathbb{R}^{\geq 0}$  be clock valuations. Let  $\sim$  denote untimed bisimilarity of timed transition systems.

### Our Aim

Define an equivalence relation $\equiv$ over clock valuations such that

1. $v \equiv v'$ implies $(\ell, v) \sim (\ell, v')$ for any location $\ell$, and
2. $\equiv$ has only finitely many equivalence classes.


## Preliminaries

- Let  $d \in \mathbb{R}^{\geq 0}$ . Then
  - let  $\lfloor d \rfloor$  be the integer part of d, and
  - let frac(d) be the fractional part of d.

Any  $d \in \mathbb{R}^{\geq 0}$  can be now written as  $d = \lfloor d \rfloor + frac(d)$ .

Example:  $\lfloor 2.345 \rfloor = 2$  and frac(2.345) = 0.345.

Let A be a timed automaton and $x \in C$ be a clock. We define $c_x \in \mathbb{N}$ as the largest constant with which the clock x is ever compared, either in the guards or in the invariants present in A.


## Clock (Region) Equivalence

### Equivalence Relation on Clock Valuations

Clock valuations v and v' are equivalent ($v \equiv v'$) iff

1. for all $x \in C$ such that $v(x) \leq c_x$ or $v'(x) \leq c_x$ we have $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$,
2. for all $x \in C$ such that $v(x) \leq c_x$ we have $frac(v(x)) = 0$ iff $frac(v'(x)) = 0$, and
3. for all $x, y \in C$ such that $v(x) \leq c_x$ and $v(y) \leq c_y$ we have $frac(v(x)) \leq frac(v(y))$ iff $frac(v'(x)) \leq frac(v'(y))$.
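The three conditions above can be checked mechanically. The following is an added example (not part of the lecture slides) that implements the equivalence test for valuations given as dictionaries; the clock names, the bounds `cmax` (playing the role of $c_x$) and the sample valuations are all constructed for illustration. It reports which condition fails first, which makes it easy to see why two valuations land in different regions.

```python
from math import floor

def frac(d):
    """Fractional part of a non-negative real d, so that d == floor(d) + frac(d)."""
    return d - floor(d)

def first_violated_condition(v, w, cmax):
    """Return the number (1, 2 or 3) of the first clock-equivalence condition
    that v and w violate, or None when v ≡ w.

    v, w: dicts clock -> value (constructed sample valuations are used below);
    cmax: dict clock -> c_x, the largest constant the clock is compared with.
    """
    clocks = list(cmax)
    # (1) integer parts agree for clocks within c_x in either valuation
    for x in clocks:
        if (v[x] <= cmax[x] or w[x] <= cmax[x]) and floor(v[x]) != floor(w[x]):
            return 1
    # (2) "sits exactly on an integer" agrees for clocks within c_x
    for x in clocks:
        if v[x] <= cmax[x] and (frac(v[x]) == 0) != (frac(w[x]) == 0):
            return 2
    # (3) the ordering of fractional parts agrees for every pair within c_x, c_y
    for x in clocks:
        for y in clocks:
            if v[x] <= cmax[x] and v[y] <= cmax[y]:
                if (frac(v[x]) <= frac(v[y])) != (frac(w[x]) <= frac(w[y])):
                    return 3
    return None

def region_equivalent(v, w, cmax):
    """v ≡ w in the sense of the clock (region) equivalence."""
    return first_violated_condition(v, w, cmax) is None

if __name__ == "__main__":
    CMAX = {"x": 2, "y": 3}          # constructed constants c_x, c_y
    pairs = [
        ({"x": 0.3, "y": 1.7}, {"x": 0.5, "y": 1.9}),   # same region
        ({"x": 0.3, "y": 1.7}, {"x": 0.8, "y": 1.2}),   # fractions ordered differently
        ({"x": 5.1, "y": 1.0}, {"x": 3.2, "y": 1.0}),   # x above c_x in both: exact value irrelevant
        ({"x": 1.0, "y": 1.5}, {"x": 1.2, "y": 1.5}),   # x sits on an integer only in v
    ]
    for v, w in pairs:
        print(v, w, "->", first_violated_condition(v, w, CMAX))
```

The third pair shows why the relation has finitely many classes: once a clock exceeds $c_x$ its exact value no longer influences any guard or invariant, so conditions 1 to 3 stop distinguishing valuations that differ only there.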


## Regions

Let v be a clock valuation. The  $\equiv$ -equivalence class represented by v is denoted by [v] and defined by  $[v] = \{v' \mid v' \equiv v\}$ .

### Definition of a Region

An  $\equiv$ -equivalence class [v] represented by some clock valuation v is called a region.

#### Theorem

For every location  $\ell$  and any two valuations v and v' from the same region ( $v \equiv v'$ ) it holds that

 $(\ell, v) \sim (\ell, v')$ 

where  $\sim$  stands for untimed bisimilarity.


## Symbolic States and Region Graph

state $(\ell, v) \quad \rightsquigarrow \quad$ symbolic state $(\ell, [v])$

Note: $v \equiv v'$ implies that $(\ell, [v]) = (\ell, [v'])$.

### Region Graph

Region graph of a timed automaton A is an unlabelled (and untimed) transition system where

- states are symbolic states, and
- $\Longrightarrow$ between symbolic states is defined as follows:
  - $(\ell, [v]) \Longrightarrow (\ell', [v'])$ iff $(\ell, v) \xrightarrow{a} (\ell', v')$ for some label $a$, and
  - $(\ell, [v]) \Longrightarrow (\ell, [v'])$ iff $(\ell, v) \xrightarrow{d} (\ell, v')$ for some $d \in \mathbb{R}^{\geq 0}$.

### Fact

A region graph of any timed automaton is finite.


## Application of Region Graphs to Reachability

We write $(\ell, v) \longrightarrow (\ell', v')$ whenever

- $(\ell, v) \xrightarrow{a} (\ell', v')$ for some label $a$, or
- $(\ell, v) \xrightarrow{d} (\ell, v')$ for some $d \in \mathbb{R}^{\geq 0}$.

### Reachability Problem for Timed Automata

**Instance (input):** Automaton $A = (L, \ell_0, E, I)$ and a state $(\ell, v)$.

**Question:** Is it true that $(\ell_0, v_0) \longrightarrow^* (\ell, v)$? (where $v_0(x) = 0$ for all $x \in C$)

### Reduction of Reachability from Timed Automata to Region Graphs

Reachability for timed automata is decidable because $(\ell_0, v_0) \longrightarrow^* (\ell, v)$ in the timed automaton if and only if $(\ell_0, [v_0]) \Longrightarrow^* (\ell, [v])$ in its (finite) region graph.
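To make the reduction concrete, here is an added example (not from the slides) that builds the region graph of a small constructed timed automaton on the fly and decides location reachability by breadth-first search over it. The automaton (a request that must be answered before clock `x` reaches 3, with `y` measuring time since the start), the location names and the finite encoding of a region are all assumptions of this example: a region is stored as each clock's integer part (with $c_x + 1$ standing for "above $c_x$"), whether its fractional part is zero, and the ascending order of the fractional parts of the clocks still below their constant, which is exactly the information the three conditions of $\equiv$ retain. The delay successor follows from that encoding: clocks sitting on an integer leave it first, otherwise the clocks with the largest fractional part are the first to reach the next integer.

```python
from collections import deque

# Constructed example automaton: clock x is reset when the request is sent,
# y is never reset. CMAX holds c_x, the largest constant each clock meets.
CMAX = {"x": 3, "y": 2}
CLOCKS = sorted(CMAX)

# Guards/invariants: lists of (clock, op, constant); edges: (source, guard,
# clocks to reset, target). Labels are dropped: the region graph is unlabelled.
INVARIANTS = {"waiting": [("x", "<=", 3)]}
EDGES = [
    ("idle",    [],                               {"x"}, "waiting"),
    ("waiting", [("x", "<", 3)],                  set(), "done"),
    ("waiting", [("x", ">=", 3), ("y", ">=", 2)], set(), "timeout"),
    ("waiting", [("x", ">=", 3), ("y", "<", 2)],  set(), "error"),   # would need x > y
]

# Region encoding (assumed, see lead-in): (integer parts, frac-is-zero flags,
# ascending groups of clocks below c_x sharing a fractional part).
def initial_region():
    n = len(CLOCKS)
    return ((0,) * n, (True,) * n, ())

def within_bound(region, i):
    return region[0][i] <= CMAX[CLOCKS[i]]

def delay_successor(region):
    """Region entered next when time passes (the delay edge of the region graph)."""
    iv, fz, order = list(region[0]), list(region[1]), list(region[2])
    on_integer = [i for i in range(len(CLOCKS)) if within_bound(region, i) and fz[i]]
    if on_integer:
        group = set()
        for i in on_integer:                # these clocks now have the smallest fractions
            fz[i] = False
            if iv[i] == CMAX[CLOCKS[i]]:
                iv[i] += 1                  # crossed c_x: exact value no longer matters
            else:
                group.add(CLOCKS[i])
        if group:
            order.insert(0, frozenset(group))
    elif order:
        for name in order.pop():            # largest fraction reaches the next integer
            i = CLOCKS.index(name)
            iv[i] += 1
            fz[i] = True
    # else: every clock is above its constant; delay does not change the region
    return (tuple(iv), tuple(fz), tuple(order))

def satisfies(region, constraints):
    """All valuations of a region agree on constraints with constants <= c_x,
    so one representative value per clock decides the constraint."""
    iv, fz, _ = region
    for name, op, k in constraints:
        i = CLOCKS.index(name)
        value = iv[i] if fz[i] else iv[i] + 0.5      # above c_x this exceeds every k
        ok = {"<": value < k, "<=": value <= k, "==": value == k,
              ">=": value >= k, ">": value > k}[op]
        if not ok:
            return False
    return True

def reset(region, clocks):
    iv, fz, order = list(region[0]), list(region[1]), []
    for group in region[2]:
        rest = group - clocks
        if rest:
            order.append(rest)
    for name in clocks:
        i = CLOCKS.index(name)
        iv[i], fz[i] = 0, True
    return (tuple(iv), tuple(fz), tuple(order))

def successors(loc, region):
    """Symbolic successors: the delay step plus every enabled discrete edge."""
    delayed = delay_successor(region)
    if satisfies(delayed, INVARIANTS.get(loc, [])):
        yield (loc, delayed)
    for src, guard, resets, tgt in EDGES:
        if src == loc and satisfies(region, guard):
            nxt = reset(region, resets)
            if satisfies(nxt, INVARIANTS.get(tgt, [])):
                yield (tgt, nxt)

def reachable_locations(start="idle"):
    """Breadth-first search over the finite region graph from (start, [v_0])."""
    seen = {(start, initial_region())}
    queue = deque(seen)
    while queue:
        loc, region = queue.popleft()
        for s in successors(loc, region):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return {loc for loc, _ in seen}, len(seen)

if __name__ == "__main__":
    locs, count = reachable_locations()
    print("explored", count, "symbolic states; reachable locations:", sorted(locs))
```

The search terminates because the encoding admits only finitely many regions per location. It also reports `error` as unreachable: the ordering of fractional parts records that `x` was reset after `y`, so `x` can never overtake `y`, which is precisely the relation between clocks that an abstraction keeping only integer parts would lose.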


## Applicability of Region Graphs

### Pros

Region graphs provide a natural abstraction which makes it possible to prove decidability of e.g.

- reachability
- timed and untimed bisimilarity
- untimed language equivalence and language emptiness.

### Cons

Region graphs have too large state spaces. State explosion is exponential in

- the number of clocks
- the maximal constants appearing in the guards.


## Zones and Zone Graphs

Zones provide a more efficient representation of symbolic state spaces. A number of regions can be described by one zone.

#### Zone

A zone is described by a clock constraint  $g \in \mathcal{B}(C)$ .

$$[g] = \{v \mid v \models g\}$$

### Region Graphs

symbolic state: $(\ell, [v])$ where v is a clock valuation

### Zone Graphs

symbolic state: $(\ell, [g])$ where g is a clock constraint

A zone is usually represented (and stored in memory) as a DBM (Difference Bound Matrix).


## Networks of Timed Automata



Intuition in CCS: $(a.Nil \mid \overline{a}.Nil) \smallsetminus \{a\}$

Let C be a set of clocks and *Chan* a set of channels.

We let $Act = N \cup \mathbb{R}^{\geq 0}$ where

- $N = \{c! \mid c \in Chan\} \cup \{c? \mid c \in Chan\} \cup \{\tau\}$.

Let  $A_i = (L_i, \ell_0^i, E_i, I_i)$  be timed automata for  $1 \le i \le n$ .

### Networks of Timed Automata

We call $A = A_1 | A_2 | \cdots | A_n$ a network of timed automata.


## Example: Hammer, Worker, Nail




## Timed Transition System Generated by $A = A_1 | \cdots | A_n$

$$T(A) = (Proc, Act, \{\stackrel{a}{\longrightarrow} \mid a \in Act\})$$

where

- $Proc = (L_1 \times L_2 \times \cdots \times L_n) \times (C \to \mathbb{R}^{\geq 0})$, i.e. states are of the form $((\ell_1, \ell_2, \dots, \ell_n), v)$ where $\ell_i$ is a location in $A_i$
- $Act = \{\tau\} \cup \mathbb{R}^{\geq 0}$
- $\longrightarrow$ is defined as follows:

$$\begin{array}{l} ((\ell_1, \dots, \ell_i, \dots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \dots, \ell'_i, \dots, \ell_n), v') \text{ if there is} \\ (\ell_i \xrightarrow{g, \tau, r} \ell'_i) \in E_i \text{ s.t. } v \models g \text{ and } v' = v[r] \text{ and} \\ v' \models I_i(\ell'_i) \land \bigwedge_{k \neq i} I_k(\ell_k) \end{array}$$

$$\begin{array}{l} ((\ell_1,\ldots,\ell_n),v) \stackrel{d}{\longrightarrow} ((\ell_1,\ldots,\ell_n),v+d) \text{ for all } d \in \mathbb{R}^{\geq 0} \text{ s.t.} \\ v \models \bigwedge_k I_k(\ell_k) \text{ and } v+d \models \bigwedge_k I_k(\ell_k) \end{array}$$


### Continuation

$$\begin{array}{l} ((\ell_1, \dots, \ell_i, \dots, \ell_j, \dots, \ell_n), v) \xrightarrow{\tau} ((\ell_1, \dots, \ell'_i, \dots, \ell'_j, \dots, \ell_n), v') \text{ if } i \neq j \text{ and there are} \\ (\ell_i \xrightarrow{g_i, a!, r_i} \ell'_i) \in E_i \text{ and } (\ell_j \xrightarrow{g_j, a?, r_j} \ell'_j) \in E_j \text{ s.t. } v \models g_i \land g_j \text{ and } v' = v[r_i \cup r_j] \text{ and} \\ v' \models I_i(\ell'_i) \land I_j(\ell'_j) \land \bigwedge_{k \neq i, j} I_k(\ell_k) \end{array}$$
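The three rules (internal $\tau$ step, delay, and handshake on $a!$/$a?$) are small enough to execute directly on concrete states. The following added example (not from the slides, and not the Hammer/Worker/Nail network) computes the successors of a network state for a constructed two-component system: a sender and a receiver synchronising on channels `req` and `ack`. As in the definition, all components share one clock valuation, a delay is allowed only if every component's invariant holds before and after it, and a handshake applies both guards, both resets and all invariants of the target locations. Component names, channel names and constants are assumptions of the example.

```python
# Constructed components. Edges are (source, guard, label, clocks to reset, target);
# a label is "tau", "c!" (output on channel c) or "c?" (input on channel c).
# Guards and invariants are lists of atomic constraints (clock, op, constant).
SENDER = {
    "name": "S",
    "inv": {"sent": [("x", "<=", 4)]},                 # a reply must come within 4
    "edges": [("idle", [], "req!", {"x"}, "sent"),
              ("sent", [("x", ">=", 1)], "ack?", set(), "idle")],
}
RECEIVER = {
    "name": "R",
    "inv": {},
    "edges": [("rest", [], "req?", {"y"}, "busy"),
              ("busy", [("y", ">=", 2)], "ack!", set(), "rest")],   # needs 2 units of work
}
NETWORK = [SENDER, RECEIVER]

def holds(v, constraints):
    """v |= g for a conjunction g of atomic constraints."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
           ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}
    return all(ops[op](v[x], k) for x, op, k in constraints)

def invariants_hold(locs, v):
    """v |= /\_k I_k(l_k) over all components of the network."""
    return all(holds(v, comp["inv"].get(loc, [])) for comp, loc in zip(NETWORK, locs))

def apply_reset(v, resets):
    return {x: (0.0 if x in resets else val) for x, val in v.items()}

def delay(locs, v, d):
    """The d-transition: v -> v + d, allowed iff invariants hold before and after."""
    w = {x: val + d for x, val in v.items()}
    return w if invariants_hold(locs, v) and invariants_hold(locs, w) else None

def discrete_successors(locs, v):
    """All tau-successors of ((l_1,...,l_n), v): internal tau edges of one component
    and handshakes a!/a? between two different components."""
    out = []
    for i, comp in enumerate(NETWORK):
        for src, g, lab, r, tgt in comp["edges"]:
            if src != locs[i] or not holds(v, g):
                continue
            if lab == "tau":
                new_locs = list(locs)
                new_locs[i] = tgt
                w = apply_reset(v, r)
                if invariants_hold(new_locs, w):
                    out.append((tuple(new_locs), w, comp["name"] + ":tau"))
            elif lab.endswith("!"):                      # only the sender side initiates
                chan = lab[:-1]
                for j, other in enumerate(NETWORK):
                    if j == i:
                        continue
                    for src2, g2, lab2, r2, tgt2 in other["edges"]:
                        if src2 == locs[j] and lab2 == chan + "?" and holds(v, g2):
                            new_locs = list(locs)
                            new_locs[i], new_locs[j] = tgt, tgt2
                            w = apply_reset(v, r | r2)   # v' = v[r_i U r_j]
                            if invariants_hold(new_locs, w):
                                out.append((tuple(new_locs), w, chan))
    return out

if __name__ == "__main__":
    locs, v = ("idle", "rest"), {"x": 0.0, "y": 0.0}
    for step in discrete_successors(locs, v):
        print("handshake", step)
    print("delay 2 in (sent, busy):", delay(("sent", "busy"), v, 2.0))
    print("delay 5 in (sent, busy):", delay(("sent", "busy"), v, 5.0))   # violates x <= 4
```

Running it from `(idle, rest)` with both clocks at 0 shows the `req` handshake moving the network to `(sent, busy)`; a delay of 2 is permitted there, a delay of 5 is rejected by the invariant of `sent`, and after the delay of 2 the `ack` handshake is enabled because both guards ($x \geq 1$ and $y \geq 2$) hold at once.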


## Logics for Timed Automata in UPPAAL

Let  $\phi$  and  $\psi$  be local properties (checkable locally in a given state).

Example: (H.busy  $\land$  W.rest  $\land$  20  $\leq$  z  $\leq$  30)

UPPAAL can check the following formulae (a subset of TCTL):

- $\mathsf{A}[]\ \phi$: invariantly $\phi$
- $\mathsf{E}\langle\rangle\ \phi$: possibly $\phi$
- $\mathsf{A}\langle\rangle\ \phi$: always eventually $\phi$
- $\mathsf{E}[]\ \phi$: potentially always $\phi$
- $\phi$ --> $\psi$: $\phi$ always leads to $\psi$ (same as $\mathsf{A}[](\phi \implies \mathsf{A}\langle\rangle\ \psi)$)

Legend:

- A and E are so-called path quantifiers, and
- [] and $\langle\rangle$ quantify over states of a selected path.