Timed Automata

Chapter 10
Timed Automata
In the previous chapter, we discussed a temporal logic where time was a discrete
entity. A "time unit" was one application of the transition relation of an LTS. We
could express statements like "the elevator never moves with opened doors" or that
"the elevator eventually serves floor 5". In LTL, we cannot express the property that
"the elevator shall serve floor 5 within 5 minutes". For many systems, correctness
depends not only on the results but also on when these results are produced. We call such
systems "Real-Time Systems". The theory of Timed Automata has been developed to
reason about such real-time systems.
Note that this chapter introduces definitions. Examples can be found in the slides
presented during the lectures.
10.1 Clocks and clock constraints
10.1.1 Clock variables and clock constraints
The main feature of the theory of Timed Automata is to introduce the notion of a clock.
A clock is a real-valued variable. This means that in the context of Timed Automata,
time is represented by a dense set. Time is a continuous entity.
The intuition behind clocks is that all clocks in a system increase at the same rate.
The only operations possible on a clock are (1) read the value of the clock and (2) reset
the clock to 0. Intuitively, a clock represents the amount of time elapsed since the last
reset of the clock (see Figure 10.1).
Formally, a clock c simply is a non-negative real number, that is, $c \in \mathbb{R}_{+}$.
To express conditions over clocks, clock constraints are used. A clock constraint
can be used in a location. In that case, it is called a location invariant. The intuition is
that time is allowed to progress in the location as long as the invariant holds. When the
invariant does not hold, the location must be left. When a clock constraint is used on a
transition, it is called a guard. The intuition is that a transition is available as long as
the guard holds. When the guard evaluates to false, the transition cannot be taken. We
first define the set of valid clock constraints. Later we will come back to the semantics
of invariants and guards.
Figure 10.1: A clock that is regularly reset.
Definition 10.1.1. (Clock constraints) A clock constraint over a set C of clocks is formed
according to the grammar:
$g ::= x < c \mid x \leq c \mid x > c \mid x \geq c \mid g \wedge g$
where $x \in C$ and $c \in \mathbb{N}$. Let B(C) denote the set of clock constraints over C.
Notes:
1. Clock constraints are often written in abbreviated form. For instance, for
a clock x, the constraint $x \leq 5 \wedge x \geq 3$ will be written $3 \leq x \leq 5$. The same
holds for equality. Instead of writing $x \leq 5 \wedge x \geq 5$, we shall write $x == 5$.
2. It is also possible to specify the difference between clocks, at the price of a
slightly more complex theory. In this chapter we will only treat the simpler
theory. Clock constraints with clock differences have the form $x - y \;\mathrm{op}\; c$ where
$\mathrm{op} \in \{<, \leq, >, \geq\}$ and $c \in \mathbb{N}$.
3. The restriction to natural numbers is to ensure decidability of the reachability
problem, that is, deciding whether a state is reachable. This decidability is not
affected if we allow the rationals. It is possible to convert each rational in a clock
constraint to a natural number by suitable scaling. In general, we can multiply
each constant by the least common multiple of denominators of all constants
appearing in all clock constraints.
10.1.2 Semantics for clock constraints
In the previous subsection, we defined the syntax of clock constraints. In this subsection, we define their semantics, that is, when a clock constraint is true. Two concepts
are needed for this:
1. a clock valuation that will give the value of each clock; and
2. a satisfaction relation that defines for which valuations a given clock constraint is true.
We first define a clock valuation:
Definition 10.1.2. (Clock valuation) A clock valuation $\nu$ for a set of clock variables C is
a function $\nu : C \to \mathbb{R}_{+}$ that assigns to each clock $x \in C$ its current value $\nu(x)$.
We shall denote the set of all possible valuations over a set of clocks C by Eval(C).
We can now define the satisfaction relation for clock constraints.
Definition 10.1.3. (Satisfaction relation for clock constraints) Given a set of clocks C,
a clock $x \in C$, a clock valuation $\nu \in Eval(C)$, a natural number $c \in \mathbb{N}$ and clock
guards $g, g' \in B(C)$, the satisfaction relation for clock constraints ${\models} \subseteq Eval(C) \times B(C)$
is defined as follows:
$\nu \models x < c$ iff $\nu(x) < c$
$\nu \models x \leq c$ iff $\nu(x) \leq c$
$\nu \models \neg g$ iff $\nu \not\models g$
$\nu \models g \wedge g'$ iff $\nu \models g$ and $\nu \models g'$
To represent the update of clocks, we shall write $\nu + d$ for the clock
valuation where all clocks have increased by some non-negative real number d. That
is, $(\nu + d)(x) = \nu(x) + d$ for all clocks $x \in C$.
When all clocks are equal to a constant value c, we shall write c to denote the
clock valuation $\nu(x) = c$ for all clocks $x \in C$; for instance, 0 denotes the valuation in which
every clock is 0.
Example 10.1.4. For clock valuation $\nu = [x = \frac{\pi}{2}, y = 22]$, valuation
$\nu + \frac{1}{6} = [x = \frac{\pi}{2} + \frac{1}{6}, y = 22 + \frac{1}{6}]$.
10.2 Timed Automata
10.2.1 Definition
Definition 10.2.1. (Timed Automaton) A timed automaton is a tuple:
$TA = (Loc, Loc_0, Act, C, \rightarrow, Inv, AP, L)$
where:
1. Loc is a finite set of locations;
2. $Loc_0$ is a finite set of initial locations;
3. Act is a finite set of actions;
4. C is a finite set of clocks;
5. ${\rightarrow} \subseteq Loc \times Act \times B(C) \times 2^{C} \times Loc$ is a transition relation;
6. $Inv : Loc \to B(C)$ is an invariant assignment function;
7. AP is a finite set of atomic propositions;
8. $L : Loc \to 2^{AP}$ is a labelling function for the locations.
B(TA) denotes the set of clock constraints occurring in guards and invariants of TA.
Regarding transitions, we shall write $l \xrightarrow{\alpha, g, D} l'$ for $(l, \alpha, g, D, l') \in {\rightarrow}$, where $\alpha$ is
an action in Act, g is a clock guard in B(C), and $D \subseteq C$ is the set of clocks to be reset to
0 when the transition is taken.
10.2.2 Timed LTS semantics
The semantics of a Timed Automaton is given by a Timed Transition System, which is
a Labelled Transition System whose actions are extended with delays.
Definition 10.2.2. (Transition system semantics for a timed automaton) Given a timed
automaton $TA = (Loc, Loc_0, Act, C, \rightarrow, Inv, AP, L)$, the transition system $TS(TA) =
(S, Act', \rightarrow', I, AP', L')$ is defined as follows:
• $S = Loc \times Eval(C)$
• $Act' = Act \cup \mathbb{R}_{+}$
• $I = \{(l_0, \nu) \mid l_0 \in Loc_0 \wedge \forall x \in C.\ \nu(x) = 0\}$
• $AP' = AP \cup B(C)$
• $L'((l, \nu)) = L(l) \cup \{g \in B(C) \mid \nu \models g\}$
• the transition relation $\rightarrow'$ is defined by the following two rules:
1. discrete transition $(l, \nu) \xrightarrow{\alpha}' (l', \nu')$ if the following four conditions hold:
(a) there exists a transition $l \xrightarrow{\alpha, g, D} l'$ in TA;
(b) $\nu \models g$;
(c) $\nu' = \nu[D \to 0]$, that is, $\nu'(x) = 0$ for $x \in D$ and $\nu'(x) = \nu(x)$ for $x \notin D$;
(d) $\nu' \models Inv(l')$.
2. delay transition $(l, \nu) \xrightarrow{d}' (l, \nu + d)$, for $d \in \mathbb{R}_{+}$, if the following condition holds:
(a) $\nu + d \models Inv(l)$.
This means that a TA can take a discrete transition if the clock guard is true and,
after resetting all clocks specified on the transition, the location invariant of the target
location holds. A TA can take a delay transition if the amount of delay is such that the
location invariant is maintained. Otherwise, delaying is not allowed.
Note that any Timed Transition System has the following properties:
• Null delay: it is always possible to delay for 0 time units. That is, the following
transition is always present:
$(l, \nu) \xrightarrow{0} (l, \nu)$
• Time additivity: there are uncountably many ways to let time pass:
$s \xrightarrow{d_1 + d_2} s'$ if and only if $s \xrightarrow{d_1} s'' \xrightarrow{d_2} s'$ for some state $s''$
• Time determinism: there is exactly one state reached after a given delay:
$|\{s' \mid s \xrightarrow{d} s'\}| = 1$
Remark. It is important to notice that executing an action occurs in zero time. Time
is only increased on delay transitions.
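The semantics above, carried out in code as an added Python example (not code from the lecture notes): constraints are evaluated against a valuation as in Definition 10.1.3, and `delay` / `discrete` implement the two rules of Definition 10.2.2. The lamp automaton with one clock x, its locations and the action name `press` are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
import operator

Valuation = Dict[str, float]               # nu : C -> R+
Constraint = Callable[[Valuation], bool]   # g in B(C); g(nu) computes nu |= g
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def atom(x: str, op: str, c: int) -> Constraint:
    """Atomic constraint x op c with c a natural number (Definition 10.1.1)."""
    if c < 0 or int(c) != c:
        raise ValueError("constants in clock constraints must be natural numbers")
    return lambda nu: _OPS[op](nu[x], c)

def conj(*gs: Constraint) -> Constraint:
    """g ∧ g' holds iff every conjunct holds (Definition 10.1.3); conj() is 'true'."""
    return lambda nu: all(g(nu) for g in gs)

@dataclass(frozen=True)
class Edge:               # (l, alpha, g, D, l') in ->, with D the clocks reset to 0
    src: str; action: str; guard: Constraint; reset: FrozenSet[str]; dst: str

@dataclass
class TimedAutomaton:
    edges: List[Edge]
    inv: Dict[str, Constraint]             # Inv : Loc -> B(C)

    def delay(self, loc: str, nu: Valuation, d: float) -> Optional[Tuple[str, Valuation]]:
        """Delay rule: (l,nu) -d-> (l,nu+d) iff d >= 0 and nu+d |= Inv(l); else None."""
        nu2 = {x: v + d for x, v in nu.items()}           # (nu + d)(x) = nu(x) + d
        return (loc, nu2) if d >= 0 and self.inv[loc](nu2) else None

    def discrete(self, loc: str, nu: Valuation, action: str) -> List[Tuple[str, Valuation]]:
        """Discrete rule: (l',nu') for each edge l -action,g,D-> l' with nu |= g,
        nu' = nu[D -> 0] and nu' |= Inv(l'). Actions take zero time."""
        succ = []
        for e in self.edges:
            if e.src != loc or e.action != action or not e.guard(nu):    # (a), (b)
                continue
            nu2 = {x: (0.0 if x in e.reset else v) for x, v in nu.items()}  # (c)
            if self.inv[e.dst](nu2):                                      # (d)
                succ.append((e.dst, nu2))
        return succ

def lamp() -> TimedAutomaton:
    """Constructed example: once on, the lamp must be pressed off between 1 and 3 time units."""
    return TimedAutomaton(
        edges=[Edge("off", "press", conj(), frozenset({"x"}), "on"),
               Edge("on", "press", atom("x", ">=", 1), frozenset(), "off")],
        inv={"off": conj(), "on": atom("x", "<=", 3)})
```

In location `on` the invariant x ≤ 3 forbids any delay that would push x past 3, so the only way to stay in the system is to take `press` once x ≥ 1; in `off` time may pass without bound.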
10.3 Time divergence, timelock, and Zeno
The semantics of a Timed Automaton is given by a transition system with uncountably
many states and transitions. The paths of this transition system represent possible behaviours of the timed automaton. Because of the infinite and dense structure of the state
space, not all behaviours are realistic. We will see that some unrealistic behaviours are
flaws in models and can be avoided. Some other behaviours are intrinsic characteristics
of a dense set. These unrealistic behaviours cannot be avoided.
10.3.1 Time divergence
The notion of time divergence applies to a path. A path is time divergent if the sum
of the delays over this path is infinite. In contrast, time convergence identifies a path
for which the sum of the delays is bounded by some natural number. Consider the
following sequence:
$\frac{1}{2}, \frac{3}{4}, \frac{7}{8}, \frac{15}{16}, \ldots$
This sequence corresponds to the following infinite sum:
$\sum_{i=0}^{\infty} \left(\frac{1}{2}\right)^{i+1}$
which is known to converge to 1.
Now consider a clock x and a location l with the invariant $Inv(l) = x \leq 1$.
There is nothing in the theory of timed automata that precludes the execution where
time increases according to the sequence above. That is, the following is an execution
fragment in location l:
$(l, 0)\,(l, \tfrac{1}{2})\,(l, \tfrac{7}{8})\,(l, \tfrac{15}{16}) \ldots$
Such a path is called time convergent, as time over this path will never increase beyond
a constant, in this case the natural number 1. Such paths are unrealistic behaviours but
cannot be avoided in the theory. When analysing Timed Automata we will always
ignore time convergent paths and only consider time divergent ones, that is, paths on
which time can always make progress.
To formalise the notion of time divergence we first define a function computing the
time elapsed on a path.
Definition 10.3.1. (Elapsed time on a path) Given a timed automaton TA with actions
in Act, we define the function $ExecTime : Act \cup \mathbb{R}_{+} \to \mathbb{R}_{+}$ as follows:
$$ExecTime(\alpha) = \begin{cases} 0 & \text{if } \alpha \in Act \\ d & \text{if } \alpha = d \in \mathbb{R}_{+} \end{cases}$$
For an infinite execution $\rho = s_0 \xrightarrow{\alpha_0} s_1 \xrightarrow{\alpha_1} s_2 \ldots$ with $\alpha_i \in Act \cup \mathbb{R}_{+}$,
the elapsed time over this execution is defined as follows:
$$ExecTime(\rho) = \sum_{i=0}^{\infty} ExecTime(\alpha_i)$$
For the path $\pi$ induced by execution $\rho$ we define:
$$ExecTime(\pi) = ExecTime(\rho)$$
We can now formulate a precise definition of time divergence:
Definition 10.3.2. (Time divergence) An infinite path fragment $\pi$ is time divergent if
and only if $ExecTime(\pi) = \infty$. Otherwise, the path fragment is time convergent.
We now define the set of time divergent paths for a given state of the transition
system obtained from a timed automaton.
Definition 10.3.3. (Time divergent set of paths) Given a state s of the transition system
TS(TA), we define the set of time divergent paths as follows:
$Paths_{div}(s) = \{\pi \in Paths(s) \mid ExecTime(\pi) = \infty\}$
Note that time convergent paths cannot be avoided. In practice, such paths are simply ignored, that is, an invariant holds in a state if and only if it holds for all time
divergent paths starting in that state.
10.3.2 Timelock
A state contains a timelock if there exists no time divergent path starting from that
state.
Definition 10.3.4. (Timelock) Given a state s of TS(TA), s has a timelock if and only
if $Paths_{div}(s) = \emptyset$. A TA is timelock-free if and only if no state in $Reach(TS(TA))$
has a timelock.
In contrast to time convergent paths that cannot be avoided, timelocks are flaws in
models and must be avoided.
10.3.3 Zeno
In the theory of Timed Automata, actions occur in zero time. This means that nothing
precludes executions of infinitely many actions in finite time. That is, a timed automaton may have time convergent paths with an infinite number of actions.
Definition 10.3.5. (Zeno path) An infinite path $\pi$ of a transition system TS(TA) is
zeno if and only if it is time convergent and the number of actions executed along $\pi$ is
infinite.
Definition 10.3.6. (Nonzeno timed automaton) A timed automaton TA is nonzeno if
and only if no initial state of TS(TA) has a zeno path.
10.4 Parallel composition
To model complex systems, a good approach is to first build simple blocks. Second,
these basic blocks are composed to form a more complex system. We consider the
composition of timed automata using handshaking communications. The idea is to define a set of handshaking actions, called H. Two timed automata communicate via H
by performing actions in H together. That is, the two timed automata need to synchronise on all actions in H. For actions outside H, each automaton evolves independently
of the other automaton. Formally, this composition is defined as follows:
Definition 10.4.1. (Handshaking for timed automata) Given two timed automata $TA_1 =
(Loc_1, Loc_{0,1}, Act_1, C_1, \rightarrow_1, Inv_1, AP_1, L_1)$ and $TA_2 = (Loc_2, Loc_{0,2}, Act_2, C_2, \rightarrow_2,
Inv_2, AP_2, L_2)$ such that $AP_1 \cap AP_2 = \emptyset$ and $C_1 \cap C_2 = \emptyset$, we define the set of
handshaking actions
$H \subseteq Act_1 \cap Act_2$
and the parallel composition of $TA_1$ and $TA_2$ via H as
$TA_1 \|_H TA_2 = (Loc_1 \times Loc_2,\ Loc_{0,1} \times Loc_{0,2},\ Act_1 \cup Act_2,\ C_1 \cup C_2,\ \rightarrow,\ Inv,\ AP_1 \cup AP_2,\ L)$
where
• $L((l_1, l_2)) = L_1(l_1) \cup L_2(l_2)$
• $Inv((l_1, l_2)) = Inv_1(l_1) \wedge Inv_2(l_2)$
and the transition relation $\rightarrow$ is defined by the following rules:
• for $\alpha \in H$ (both automata move together):
$$\frac{l_1 \xrightarrow{\alpha, g_1, D_1}_1 l_1' \;\wedge\; l_2 \xrightarrow{\alpha, g_2, D_2}_2 l_2'}{(l_1, l_2) \xrightarrow{\alpha,\ g_1 \wedge g_2,\ D_1 \cup D_2} (l_1', l_2')}$$
• for $\alpha \notin H$ (one automaton moves while the other keeps its location):
$$\frac{l_1 \xrightarrow{\alpha, g, D}_1 l_1'}{(l_1, l_2) \xrightarrow{\alpha, g, D} (l_1', l_2)} \qquad \text{and} \qquad \frac{l_2 \xrightarrow{\alpha, g, D}_2 l_2'}{(l_1, l_2) \xrightarrow{\alpha, g, D} (l_1, l_2')}$$
Composition can only take place between two compatible timed automata. Two
timed automata are compatible if they have disjoint sets of atomic propositions ($AP_1 \cap
AP_2 = \emptyset$) and clock variables ($C_1 \cap C_2 = \emptyset$). The invariant of a location of the resulting timed
automaton is the conjunction of the two component location invariants; likewise, its
atomic propositions are the union of the two component labellings. For any action in the
set of handshaking actions, the transition for this action is guarded by the conjunction of
the clock guards, and the set of clocks to be reset is the union of the two reset sets.
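Definition 10.4.1 carried out in code, as an added Python example that is not part of the lecture notes: `compose` builds $TA_1 \|_H TA_2$ (guards are kept as text and conjoined syntactically) after checking the compatibility conditions. The producer/consumer automata, their clocks x and y, and the action names are constructed here for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Any, Dict, FrozenSet, List, Tuple

Loc = Any                                     # a location, or a pair of them after composition
Edge = Tuple[Loc, str, str, FrozenSet[str], Loc]   # (l, alpha, g, D, l'); g kept as text
@dataclass(frozen=True)
class TA:
    locs: FrozenSet[Loc]; init: FrozenSet[Loc]; acts: FrozenSet[str]; clocks: FrozenSet[str]
    edges: Tuple[Edge, ...]; inv: Dict[Loc, str]; ap: FrozenSet[str]; label: Dict[Loc, FrozenSet[str]]

def compose(ta1: TA, ta2: TA, H: FrozenSet[str]) -> TA:
    """TA1 ||_H TA2 as in Definition 10.4.1: synchronise on H, interleave otherwise."""
    if ta1.ap & ta2.ap or ta1.clocks & ta2.clocks:
        raise ValueError("not compatible: atomic propositions and clocks must be disjoint")
    if not H <= ta1.acts & ta2.acts:
        raise ValueError("H must be a subset of Act1 ∩ Act2")
    locs = frozenset(product(ta1.locs, ta2.locs))
    inv = {(l1, l2): f"({ta1.inv[l1]}) ∧ ({ta2.inv[l2]})" for l1, l2 in locs}
    label = {(l1, l2): ta1.label[l1] | ta2.label[l2] for l1, l2 in locs}
    edges: List[Edge] = []
    for l1, l2 in locs:
        for s1, a, g1, d1, t1 in ta1.edges:
            if s1 != l1:
                continue
            if a in H:      # handshake: both move, guards conjoined, reset sets united
                edges += [((l1, l2), a, f"({g1}) ∧ ({g2})", d1 | d2, (t1, t2))
                          for s2, a2, g2, d2, t2 in ta2.edges if s2 == l2 and a2 == a]
            else:           # TA1 moves alone
                edges.append(((l1, l2), a, g1, d1, (t1, l2)))
        edges += [((l1, l2), a, g2, d2, (l1, t2))          # TA2 moves alone
                  for s2, a, g2, d2, t2 in ta2.edges if s2 == l2 and a not in H]
    return TA(locs, frozenset(product(ta1.init, ta2.init)), ta1.acts | ta2.acts,
              ta1.clocks | ta2.clocks, tuple(edges), inv, ta1.ap | ta2.ap, label)

def producer_consumer() -> Tuple[TA, TA]:
    """Constructed example: a producer hands an item over on 'deliver' after 1 and by 2 time units."""
    producer = TA(frozenset({"p0", "p1"}), frozenset({"p0"}), frozenset({"produce", "deliver"}),
                  frozenset({"x"}),
                  (("p0", "produce", "true", frozenset({"x"}), "p1"),
                   ("p1", "deliver", "x >= 1", frozenset(), "p0")),
                  {"p0": "true", "p1": "x <= 2"}, frozenset({"busy"}),
                  {"p0": frozenset(), "p1": frozenset({"busy"})})
    consumer = TA(frozenset({"c0", "c1"}), frozenset({"c0"}), frozenset({"deliver", "consume"}),
                  frozenset({"y"}),
                  (("c0", "deliver", "true", frozenset({"y"}), "c1"),
                   ("c1", "consume", "y >= 1", frozenset(), "c0")),
                  {"c0": "true", "c1": "true"}, frozenset({"full"}),
                  {"c0": frozenset(), "c1": frozenset({"full"})})
    return producer, consumer
```

Because `deliver` is in H, the composite has a `deliver` edge only from (p1, c0), where both components offer it; from (p1, c1) the producer must wait until the consumer has returned to c0.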
10.5 Conclusion
This chapter introduced the main definitions of the theory of Timed Automata. Clock
variables and clock constraints were introduced to specify constraints on the time at
which actions may occur. Introducing time brings about the issue of time convergence, that is, paths may only allow time to increase up to a given bound. Such time
convergent paths cannot be avoided and have to be ignored in the analysis. In contrast,
timelocks occur in states without any time divergent path. Timelocks are flaws and must
be avoided. The same holds for zeno paths. A path is zeno when it is time convergent
and has infinitely many actions. Finally, we defined composition rules to combine two
timed automata using a set of handshaking actions.
10.6 Exercises
See instructions 4 and 5 on the course website http://www.win.tue.nl/~jschmalt/teaching/2IX20/2IX20.html.