

### VERIFICA DI PROCESSI CONCORRENTI VPC 19-20

# Timed models

Prof.ssa Susanna Donatelli Universita' di Torino

www.di.unito.it

susi@di.unito.it



### Reference material books:

Concepts, Algorithms, and Tools

fo

Model Checking

Joost-Pieter Katoen Lehrstuhl für Informatik VII Friedrich-Alexander Universität Erlangen-Nürnberg

Lecture Notes of the Course
"Mechanised Validation of Parallel Systems"
(course number 10359)
Semester 1998/1999

Prof. Jost-Pieter Katoen (University of Aachen, D)



# Acknowledgements

Transparencies adapted from the course notes and trasparencies of

Prof. Jost-Pieter Katoen, University of Aachen (Germany)

**-**...

Why is time introduced in formalisms for system verification?

- Correctness may depend also on time (think of the operations of a pipelined CPU)
- Usefulness may depend on time (when I call the lift, when the lift will come, or I want to compute how long does a production line takes)

To check a timed property the time should be explicitely represented in the model

We can check also untimed property on a timed model (example: reachability of a marking in a timed Petri net)

### What is a time specification

- 1. A value  $\rightarrow$  fixed delay for an activity
- 2. An interval (min-max) → the duration of an activity is a non deterministic value in the interval
- 3. A stochastic distribution → the duration of an activity is a value is extracted from a distribution
- 4. The possibility of defining clocks as variables that increase constantly
- 5. A mix of the above

### Continuous or discrete?

#### Discrete:

- time is a discrete entity
- time elapses in regular ticks
- events/activities can happen only at ticks
- between two ticks the system stays unchanged
- used to represent synchronous system (system with a global discrete clock)
- can represent an abstraction of a continuous system
- ex1: imagine a discrete time Petri net, in which all firing have equal duration
- ex2: imagine a discrete time Petri net, in which firings have different discrete durations



# PN examples











# 4

# PN examples





IN TERLEAVING





# PN examples









# PN examples





Property of interest: how often does the lazy chap cooks, for how long does it cook?

Exists an execution in which he eats only for X unit time?

What is the state of the system?

- value of the variables plus value of clocks
- marking plus value of clocks
- process algebra terms plus the value of clocks

How many states do we have? ∨

How do we express temporal properties?

- use temporal logic without time (X "accounts" for time)
- use temporal logic in which temporal operators have a time interval  $A[\phi U^{[t1,t2]}\psi]$

### Continuous or discrete?

#### **Continous:**

- time is a continuous entity (modelled as a real nonnegative variable)
- time elapses continuously
- events/activities can happen at any instant of time
- time between two events can be arbitrarily small
- used to represent asynchronous system
- ex1: imagine a continuous time Petri net, in which all activities have equal duration
- ex2: imagine a continuous time Petri net, in which activities have different durations
- ex2: imagine a continuous time Petri net, in which activities have different durations, chosen non deterministically in a given interval



# PN examples







### PN examples



Property of interest: how often does the lazy chap cooks, for how long does it cook?

Exists an execution in which he eats only for X unit time?

What is the state of the system?

- value of the variables plus value of clocks
- marking plus value of clocks
- process algebra terms plus the value of clocks

How many states do we have?

How do we express temporal properties?

• use temporal logic in which temporal operators have a time interval  $A[\phi U^{[t1,t2]}\psi]$ 

# Some timed formalisms and logics

#### Timed automata

Timed Petri nets

Semantics is given in terms of Timed transition system, the system of timed executions

Timed process algebra

Timed CTL (TCTL) example: a leader is elected within 3 seconds

Note: there is no probabilistic reasoning, only non determinism and "possibility"



# Timed automata part

- Syntax of timed automata
- State of a finite automata, execution paths and timed transition systems
- Semantics of timed automata (in terms of a timed transition system)
- TCTL syntax and semantics
- Model checking TCTL
- Timed automata and temporal logic in Uppaal



- Finite-state graph with locations and edges
  - + clock variables
  - + ......
- Time elapses in location, not in edges
- Example: light switch, with clock x





- Finite-state graph with locations and edges
  - + clocks variables (run at the same speed)
  - + clock constraints that "constrain" the behaviour (examples: x≤3, x-y>5)



A clock constraint can be a guard on an edge



- Finite-state graph with locations and edges
  - + clocks variables (run at the same speed)
  - + clock constraints







# 4

### Timed automata

#### x, y clocks



A possible execution



# Timed automata: another example





Def.: a clock is a variable ranging over R<sup>+</sup>

Def. Clock constraints. Let C be a set of clocks, with  $x \in C$  and c a <u>natural value</u>, then

- 1. x < c and  $x \le c$  are clock constraints
- 2. If  $\alpha$  is a clock constraint, then  $\neg \alpha$  is a clock constraint
- 3. If  $\alpha$  and  $\beta$  are clock constraints, then  $\alpha \wedge \beta$  is a clock constraint
- 4. Anything else is not a clock constraint.

The set of clock constraints over C is indicated with  $\Psi(C)$  or Cstr(C)



Note: adding x+y to clock constraints makes the MC undecidable (and x-y)?

Note: taking c over the real makes the MC undecidable (and for rational?)

# 4

### Definition of timed automata

- Def.: A timed automata A is a tuple (L, I<sub>0</sub>, E, Label, C, clocks, guard, inv) with
- L a non empty and finite set of locations with initial location
  I<sub>0</sub>
- ■E⊆ LxL, a set of edges
- Label: L--> 2<sup>AP</sup> a function that assigns to each location a set Label(I) of atomic propositions
- C, a finite set of clocks
- •clocks:  $E \longrightarrow 2^{C}$ , a function that assign to each edge  $e \in E$  a set of clocks  $clocks(e) \longrightarrow clocks$  to be reset
- guard: E --> Cstr(C), a function that assign to each edge e
   ∈ E a clock constraint guard(e)
- inv: L --> Cstr(C), a function that assign to each location I
   ∈ L a clock constraint inv(I)



#### **Guards or invariants**



$$x \ge 2$$
$$\{x\} := 0$$



$$\frac{2 \le x \le 3}{\{x\} := 0}$$

$$x \le 3$$



























Def.: clock valuation v for a set of clocks C is a function v: C-->R+, assigning to each clock x in C its current value v(x)

Def.: Let V(C) denote the set of all clock valuations over C. A state of a timed automata A is a pair

with I a location of A and v a valuation over C, the clocks of A

For positive real d, v+d is the valuation where each clock is incremented by d. The valuation v with clock x reset is

$$(\text{reset } x \text{ in } v)(y) = \left\{ \begin{array}{ll} v(y) & \text{if } y \neq x \\ 0 & \text{if } y = x. \end{array} \right.$$

# 4

### Timed automata

Def.': evaluation of clock constraints. For  $x \in C$ ,  $v \in V(C)$ , natural c and  $\alpha$  and  $\beta \in Cstr(C)$ , we have

$$v \models x \leqslant c \quad \text{iff } v(x) \leqslant c$$
 $v \models x < c \quad \text{iff } v(x) < c$ 
 $v \models \neg \alpha \quad \text{iff } v \not\models \alpha$ 
 $v \models \alpha \land \beta \quad \text{iff } v \models \alpha \land v \models \beta.$ 

# Timed Transition System (TTS)

Def.: Timed transition system underlying a timed automata A, M(A), is defined as  $(S,s_0,-->)$  where

- $\bullet \ \ S = \{ \, (l,v) \in L \times V(C) \mid v \models \mathit{inv}(l) \, \}$
- $s_0 = (l_0, v_0)$  where  $v_0(x) = 0$  for all  $x \in C$
- the transition relation  $\longrightarrow \subseteq S \times (\mathbb{R}^+ \cup \{*\}) \times S$  is defined by the rules:
  - 1.  $(l, v) \xrightarrow{*} (l', reset \ clocks(e) \ in \ v)$  if the following conditions hold:
    - (a)  $e=(l,l')\in E$
    - (b)  $v \models guard(e)$ , and
    - (c) (reset clocks(e) in v)  $\models inv(l')$
  - 2.  $(l, v) \xrightarrow{d} (l, v+d)$ , for positive real d, if the following condition holds:  $\forall d' \leq d. v + d' \models inv(l)$ .

# 4

### Path of a TTS

Def.: a path is an infinite sequence  $s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \dots$  where, for all i,  $s_i \xrightarrow{a_i} s_{i+1}$  is a transition in the TTS An execution of a timed automata A is a path through its timed transition system M(A).

The elapsed time on a path is defined as follow:

Definition 44. (Elapsed time on a path)

For path  $\sigma = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \dots$  and natural i, the time elapsed from  $s_0$  to  $s_i$ , denoted  $\Delta(\sigma, i)$ , is defined by:

$$\Delta(\sigma, 0) = 0$$

$$\Delta(\sigma, i+1) = \Delta(\sigma, i) + \begin{cases} 0 & \text{if } a_i = * \\ a_i & \text{if } a_i \in \mathbb{R}^+. \end{cases}$$



#### Path of a TTS



$$\sigma = (off, v_0) \xrightarrow{3} (off, v_1) \xrightarrow{*} (on, v_2) \xrightarrow{4} (on, v_3) \xrightarrow{*} (on, v_4)$$
$$\xrightarrow{1} (on, v_5) \xrightarrow{2} (on, v_6) \xrightarrow{2} (on, v_7) \xrightarrow{*} (off, v_8) \dots$$

|                | $v_0$ | $v_1$  | $v_2$ | $v_3$ | $v_4$ | $v_5$ | $v_6$    | $v_7$ | $v_8$ |
|----------------|-------|--------|-------|-------|-------|-------|----------|-------|-------|
| $\overline{x}$ | 0     | 3<br>3 | 0     | 4     | 0     | 1     | 3        | 5     | 0     |
| y              | 0     | 3      | 0     | 4     | 4     | 5     | $\gamma$ | g     | g     |

# -

#### Path of a TTS

Def.: a path is called time-divergent if  $\lim_{i\to\infty} \Delta(\sigma,i) = \infty$ .

Non timed-divergent paths in previous automata?

Ex. of non time-div path:  $s_0 \xrightarrow{2^{-1}} s_1 \xrightarrow{2^{-2}} s_2 \xrightarrow{2^{-3}} s_3 \dots s_k \xrightarrow{2^{-k+1}} s_{k+1} \dots$ 

The set of time-divergent paths from a state s is  $Paths^{\infty}(s)$ 

Def: A timed automata A is called non-Zeno if from any state some time-divergent path can start  $\frac{\text{true}}{\{x\}}$ 

true

# 4

## Example of a Timed automata

L'esempio della lampadina a due livelli



#### Example of a Timed automata

L'esempio della lampadina a due livelli





# **Examples of Timed automata**



### Timed Computational Tree Logic (TCTL)

Syntax: CTL + formula clocks that can be reset in formula

Semantics defined over TTS

Example of properties that can be expressed in TCTL

- If a message is sent,
   it is received within at most 5 time units.
   AG ( send(m) → AF<sup>≤5</sup> receive(m) )
- It is possible to reach a red state
   from each blue state immediately.
   AG ( blue → EF<sup>=0</sup> red )
- The program finishes exactly after 5 time units.
   A (¬finished U<sup>=5</sup> finished)



Def: For  $p \in AP$ ,  $z \in D$ , D the set of formula clocks, and  $\alpha \in Cstr(C \cup D)$ , the set of TCTL formulae is given by:

$$\phi ::= p \ \middle| \ \alpha \ \middle| \ \neg \phi \ \middle| \ \phi \ \lor \ \phi \ \middle| \ z \ \mathsf{in} \ \phi \ \middle| \ \mathsf{E} \left[\phi \, \mathsf{U} \, \phi\right] \ \middle| \ \mathsf{A} \left[\phi \, \mathsf{U} \, \phi\right].$$

Clock z in "z in  $\Phi$ " is called a freeze identifier, and it means: "z in  $\Phi$ " is valid in state s if  $\Phi$  holds in s where clock z starts from 0

For example: "z in (z=0)" is valid (true in any state) while "z in (z>1)" is not

Clocks have to be bounded to the formula



Not a very convenient way to express timed properties, and a number of derived operators have been defined:

- $E(\Phi U^{\leq n} \Psi) = \text{reset } z \text{ in } E(\Phi U(z \leq n \wedge \Psi))$
- A ( $\Phi U^{< n} \Psi$ ) = reset z in A ( $\Phi U (z < n \land \Psi)$ )
- $EF^{=n} \Phi$  = reset z in  $EF(z=n \wedge \Phi)$
- $AF^{\leq n} \Phi$  = reset z in AF ( $z \leq n \wedge \Phi$ )
- EG $^{< n}$   $\Phi$  =  $\neg AF^{< n}$   $\neg \Phi$
- $AG^{=n} \Phi$  =  $\neg EF^{=n} \neg \Phi$

#### Example of a Timed automata

L'esempio della lampadina a due livelli





Semantics: need to define (i,d), position over a path and an order relationship on position

This definition is wrong in Katoen's notes (as was in the original paper of Alur and Dill of 1989/90)



Def.: A RT-trajectory  $\sigma$  is an infinite sequence of states  $s_i = (l_i, v_i)$  and delays  $\delta_i$ :

$$\sigma = S_0 - \delta_0 - S_1 - \delta_1 - S_2 - \delta_2 - S_3 - \delta_3 - S_3 -$$

Def.: A position in  $\sigma$  is the pair  $(i,\delta)$ :  $i \in \mathcal{N}$  and  $\delta \leq \delta_1$ 

Def.: location in the position  $(i,\delta)$  is  $loc(i,\delta) = l_i$ 

Def.: valuation in the position  $(i,\delta)$  is val $(i,\delta) = v_i + \delta$ 

Def.: state in position  $(i,\delta)$  is

$$\sigma(i,\delta) = (loc(i,\delta), val(i,\delta))$$



Def.: time elapsed at position  $(i,\delta)$  is

$$\tau_{\sigma}(i,\delta) = \delta + \sum_{0 \le j < i} \delta_i$$

Def. of precedence on positions: we say that  $(i,\delta)$  precedes  $(j,\delta')$  and we write  $(i,\delta)<<(j,\delta')$  if:

• 
$$i = j$$
 and  $\delta \leq \delta'$ 



Def: Semantics of TCTL. Let  $p \in AP$ ,  $z \in D$ ,  $w \in V(D)$ ,  $s \in S$  (States of the TTS),  $\alpha \in Cstr(C \cup D)$ , s = (I,v),  $v \in V(C)$ , the set of TCTL formulae is given by:

$$s,w\models p$$
 iff  $p\in Label(s)$   $\in Label(l)$ 
 $s,w\models \alpha$  iff  $v\cup w\models \alpha$ 
 $s,w\models \neg \phi$  iff  $\neg (s,w\models \phi)$ 
 $s,w\models \phi\lor \psi$  iff  $(s,w\models \phi)\lor (s,w\models \psi)$ 
 $s,w\models z$  in  $\phi$  iff  $s$ , reset  $z$  in  $w\models \phi$ 

( $l,w$ )
 $v\in V(c)$  we  $V(c)$ 



......cont.: let  $p \in AP$ ,  $z \in D$ ,  $w \in V(D)$ ,  $s \in S$ ,  $\alpha \in Cstr(C \cup D)$ ,  $P_{\mathcal{M}}^{\infty}(s)$  the RT-trajectories starting in s,

$$\begin{split} s,w &\models \mathbf{E}\left[\phi \,\mathsf{U}\,\psi\right] &\quad \text{iff } \exists\, \sigma \in P^\infty_{\mathcal{M}}(s).\,\exists\, (i,d) \in Pos(\sigma). \\ &\quad (\sigma(i,d),w + \Delta(\sigma,i) \models \psi \ \land \\ &\quad (\forall\, (j,d') \ll (i,d).\,\sigma(j,d'),w + \Delta(\sigma,j) \models \phi \ \lor \ \psi)) \\ s,w &\models \mathbf{A}\left[\phi \,\mathsf{U}\,\psi\right] &\quad \text{iff } \forall\, \sigma \in P^\infty_{\mathcal{M}}(s).\,\exists\, (i,d) \in Pos(\sigma). \\ &\quad ((\sigma(i,d),w + \Delta(\sigma,i)) \models \psi \ \land \\ &\quad (\forall\, (j,d') \ll (i,d).\,(\sigma(j,d'),w + \Delta(\sigma,j)) \models \phi \ \lor \ \psi)) \end{split}$$



Why it is necessary that ...  $w+\Delta(\sigma,j)) \models \phi \lor \psi$ 

Consider the formula

reset z in 
$$E(z \le 5 U z > 5)$$

then on paths on which the delays on the paths are almost zero we approach 5: it is not possible to find "the point" in which z become >5 for the first time





#### **Example of TCTL**

Promptness requirement: maximal delay between an event and its reaction

$$AG \left[ send(m) \Rightarrow AF_{<5} \, receive(r_m) \right]$$

$$2 \text{ in } AF(ucure(r_m) \text{ oud } 2<5)$$

Punctuality requirement: exact delay between events

$$\mathsf{EG}\left[send(m) \Rightarrow \mathsf{AF}_{=11} \, receive\left(r_m\right)\right]$$



#### Example of TCTL

Periodicity requirement: an event occur within a certain period Example: a machine that put boxes on a belt every 25 time units

$$\begin{array}{c} \mathsf{AG}\left[\mathsf{AF}_{=25}\ putbox\right] & \xrightarrow{\mathsf{Linc}} \\ \mathsf{AG}\left[putbox\ \Rightarrow\ \neg\ putbox\ \mathsf{U}_{=25}\ putbox\right] \end{array}$$

Attention: the correct version of the above formula is AG (putbox  $\Rightarrow$  z in [(not(putbox) or z=0) U (putbox and z =25)])

Same correction for the formulas in the next pages



#### Example of TCTL

Minimal delay: minimal delay between events

Example: the delay between two trains at a crossing (tac) should be at least 180

$$\mathsf{AG}\left[tac \Rightarrow \neg tac \mathsf{U}_{\geqslant 180} \ tac\right]$$

Interval delay: an event must occur within a certain interval from another event

Example: trains should have a maximal distance of 900 time units (the minimal delay still holds)

$$\mathsf{AG}\left[tac \Rightarrow (\neg tac \,\mathsf{U}_{\geqslant 180} \,tac \,\land\, \neg tac \,\mathsf{U}_{\leqslant 900} \,tac)\right]$$

$$AG[tac \Rightarrow \neg tac U_{=180} (AF_{\leq 720} tac)]$$



Even simple automata give rise to infinite TTS, the infinite number of states is due to the real valuations of clocks

Solution: a finite number of equivalence classes on the clock valuations. Equivalence should maintain....

Question: what could be such equivalence on the TA below?



x = 2.1

x = 2



Solution: a finite number of equivalence classes on the clock valuations.

Define an equivalence  $\approx$  that should have the following characteristics:

- correctness:  $(v,w) \approx (v',w') ==> \forall \Phi: (v,w) |=\Phi \operatorname{sse}(v',w')| =\Phi$
- finiteness: the number of equivalence classes of ≈ is finite

Approach: we present the definition and we explain why each constraint is needed



Approach: we present the definition and we explain why each constraint is needed. Lex  $c_x$  be the maximal constant that appears in a constraint on x

#### Definition 49. (Clock equivalence)

Let  $\mathcal{A}$  be a timed automaton with set of clocks C and  $v, v' \in V(C)$ . Then  $v \approx v'$  if and only if

- 1.  $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$  or  $v(x) > c_x$  and  $v'(x) > c_x$ , for all  $x \in C$ , and
- 2.  $frac(v(x)) \leq frac(v(y))$  iff  $frac(v'(x)) \leq frac(v'(y))$  for all  $x, y \in C$  with  $v(x) \leq c_x$  and  $v(y) \leq c_y$ , and
- 3. frac(v(x)) = 0 iff frac(v'(x)) = 0 for all  $x \in C$  with  $v(x) \leq c_x$ .



1st observation: may be we can use only the integral part

$$v \approx v'$$
 if and only if  $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$  for all  $x \in C$ .

2nd observation: the integral part is not enough, also the relative order of clocks should be taken into account

$$\begin{array}{c|c}
x < 1 \\
\hline
\{x\} \\
y < 1 \\
\hline
\{y\} \\
\end{array}$$

$$\begin{array}{c|c}
x = 1 \\
\hline
l_1 \\
\end{array}$$

$$\begin{array}{c|c}
y = 1 \\
\hline
l_2 \\
\end{array}$$

When v(x)=0.4 and v(y)=0.3, A can reach  $l_2$  when v(x)=0.2 and v(y)=0.3, A cannot reach  $l_2$ 

$$v(x) \leqslant v(y)$$
 if and only if  $v'(x) \leqslant v'(y)$  for all  $x, y \in C$ 



3rd observation: since in the constraint the comparison is with natural numbers, it can make a difference whether v(x)=n or v(x)=n.m

$$x=1$$

When v(x)=1.1 and v'(x)=1, the clocks have the same integral part but only from v' we can take the transition to  $l_1$ 

$$frac(v(x)) = 0$$
 if and only if  $frac(v'(x)) = 0$  for all  $x \in C$ .

4th observation: all valuation are of interest only when they do not pass  $c_x$  be the maximal constant that appears in a constraint on x



This lead to the following definition (Alur-Dill 1994):

#### Definition 49. (Clock equivalence )

Let  $\mathcal{A}$  be a timed automaton with set of clocks C and  $v, v' \in V(C)$ . Then  $v \approx v'$  if and only if

- 1.  $\lfloor v(x) \rfloor = \lfloor v'(x) \rfloor$  or  $v(x) > c_x$  and  $v'(x) > c_x$ , for all  $x \in C$ , and
- 2.  $frac(v(x)) \leq frac(v(y))$  iff  $frac(v'(x)) \leq frac(v'(y))$  for all  $x, y \in C$  with  $v(x) \leq c_x$  and  $v(y) \leq c_y$ , and
- 3. frac(v(x)) = 0 iff frac(v'(x)) = 0 for all  $x \in C$  with  $v(x) \leq c_x$ .



#### Equivalence - example



The first requirement leads to the following eq. classes

$$[0 \leqslant x < 1], [1 \leqslant x < 2], [2 \leqslant x < 3], [3 \leqslant x < 4], \dots$$

Since the biggest constant with which x is compared is 2,

$$[0 \le x < 1], [1 \le x < 2], [x = 2], and [x > 2]$$

Separating according to the fractional part

$$[x = 0], [0 < x < 1], [x = 1], [1 < x < 2], [x = 2], and [x > 2]$$

Clock ordering irrelevant (only one clock)



#### Equivalence - example

Def.: the equivalence classes according to the previous definition can be constructed using a partition refinement algorithm (there is an example of application on page 220 of the book, that leads to the following construction)







Figure 4.7: Partitioning of  $\mathbb{R}^+ \times \mathbb{R}^+$  according to  $\approx$  for  $c_x = 2$  and  $c_y = 1$ 



#### Equivalence and TCTL

The theorem below (Alur-Dill-Courcoubetis) states that regions can be safely used for TCTL model checking

#### Theorem 51.

Let  $s, s' \in S$  such that  $s, w \approx s', w'$ . For any TCTL-formula  $\phi$ , we have:

$$\mathcal{M}(\mathcal{A}), (s, w) \models \phi \text{ if and only if } \mathcal{M}(\mathcal{A}), (s', w') \models \phi.$$



#### Region automata

Def.: a region is a pair (I,[v]), where I is a location and [v] an equivalence class over clock valuations

We can build a finite state automata over region, called region automata.

In region automata there are two types of transitions: let time

elapse or take a transition in the TA



region automata for the single location automata used before

S: let trine eleger



#### Region automata

Def.: a region is a pair (I,[v]), where I is a location and [v] an equivalence class over clock valuations

We can build a finite state automata over region, called region automata.

In region automata there are two types of transitions: let time elapse or take a transition in the TA



region automata for the single location automata used before



## Region automata

What happens when there are also formula clocks? We have to include also formula clocks in the computation of the equivalences

