Chapter 11
Timed Computational Tree Logic (TCTL)
The previous chapter introduces Timed Automata as a means to represent real-time systems. This chapter introduces a logic to reason about Timed Automata and the timed
transition systems representing their semantics. The logic is called Timed Computational Tree Logic (TCTL).
Note that this chapter introduces definitions. Examples can be found in the slides
presented during the lectures.
11.1 TCTL syntax
The syntax of the logic Timed Computation Tree Logic is defined as follows:
$$\varphi ::= a \mid g \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid E(\varphi_1\, U^{J} \varphi_2) \mid A(\varphi_1\, U^{J} \varphi_2)$$
where:
• $a$ is an atomic action;
• $g$ is a clock constraint;
• $E$ means "for some path";
• $A$ means "for all paths";
• $J$ is an interval whose bounds are natural numbers.
TCTL adds two important concepts to LTL:
1. Branching time: $A$ and $E$ are called path quantifiers. They make it possible to state that
in a given state a property must hold for all paths starting in the state or for some
path starting at the state.
2. Clock variables and clock constraints: clock variables and clock constraints can
be used in TCTL formulas, making it possible to reason about clocks and their
values.
11.2 TCTL semantics
11.2.1 Timed Until
The definition of the timed until is the essential part of TCTL. Before discussing the
intuition behind it, we state its formal definition:
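Definition 11.2.1. (Timed until) Given a path $\pi$ and a timed automaton TA, $\pi \models \varphi\, U^{J} \psi$ if and only if:
1. $\exists i \geq 0.\; s_i + d \models \psi$ for some $d$, such that
$$\sum_{k=0}^{i-1} d_k + d \in J$$
2. and $\forall\, 0 \leq j \leq i.\; s_j + d' \models \varphi \vee \psi$ for any $d'$ such that:
$$\sum_{k=0}^{j-1} d_k + d' \leq \sum_{k=0}^{i-1} d_k + d$$
where for $s_i = (l_i, \nu_i)$ and $d \geq 0$ we have $s_i + d = (l_i, \nu_i + d)$.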
As for LTL, the validity of "until" is defined by two conditions. The first one here
states that property $\psi$ must hold for some time in the interval $J$. Note that, without
specifying explicit clocks, interval $J$ denotes a time interval counted from the start of
the system. The first condition states that summing up the delays from this start time
should be such that $\psi$ holds for a time in $J$.
The second condition is more subtle. In particular, it requires that for all times
before the time $d$ at which $\psi$ holds, either $\varphi$ or $\psi$ holds. This is mainly due to the
fact that $\psi$ can hold too early but still be true in the time interval $J$.
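The two conditions of Definition 11.2.1, checked on a finite prefix of a timed path (an added example, not part of the original notes). It assumes that φ and ψ are atomic propositions labelling locations (so their truth does not change during a delay), that J = [lo, hi] is closed, and that d ranges over the time spent in s_i. The names `timed_until` and `phi_only` are hypothetical; `phi_only=True` is a comparison variant that demands φ alone before the witness, to show what condition 2 would reject without the disjunction.

```python
# Constructed sample paths: each step is (labels of location l_i, delay d_i).
PSI_EARLY = [({"psi"}, 1), ({"phi"}, 1), ({"psi"}, 2)]   # psi at time 0, then again in J
PSI_BEFORE_J = [({"phi"}, 1), ({"psi"}, 3)]              # psi starts at 1, J starts at 2
GAP = [({"phi"}, 1), (set(), 1), ({"psi"}, 1)]           # neither phi nor psi at time 1
TOO_LATE = [({"phi"}, 4), ({"psi"}, 1)]                  # psi only after J has passed


def timed_until(path, phi, psi, lo, hi, phi_only=False):
    """Return a witness (i, d) for path |= phi U^[lo,hi] psi, or None.

    Assumption: 0 <= d <= d_i, i.e. d is a delay actually spent in s_i.
    None means no witness exists within this finite prefix.
    """
    start = 0  # sum_{k<i} d_k: absolute time at which s_i is entered
    for i, (labels, delay) in enumerate(path):
        if start > hi:
            return None  # J already lies in the past
        # Condition 1: psi holds in s_i + d with start + d in [lo, hi].
        if psi in labels and start + delay >= lo:
            d = max(lo - start, 0)  # earliest admissible d in [0, d_i]
            # Comparison variant only: phi must hold on [0, d) of s_i as well.
            if not phi_only or d == 0 or phi in labels:
                return i, d
        # Condition 2: every s_j + d' up to the witness satisfies phi or psi
        # (phi alone in the comparison variant).
        if not (phi in labels or (psi in labels and not phi_only)):
            return None
        start += delay
    return None


if __name__ == "__main__":
    samples = {"PSI_EARLY": PSI_EARLY, "PSI_BEFORE_J": PSI_BEFORE_J,
               "GAP": GAP, "TOO_LATE": TOO_LATE}
    for name, path in samples.items():
        print(name,
              timed_until(path, "phi", "psi", 2, 3),
              timed_until(path, "phi", "psi", 2, 3, phi_only=True))
```

On `PSI_EARLY` and `PSI_BEFORE_J` the definition yields a witness while the φ-only variant does not: ψ holds before J begins, which is the case the disjunction in condition 2 admits.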
11.2.2 Satisfaction relation for TCTL
Besides the timed until operator, the following definition gives the validity of the remaining operators of TCTL:
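Definition 11.2.2. (Satisfaction relation for TCTL)
$$
\begin{array}{lcl}
s \models a & \text{iff} & a \in L(s) \\
s \not\models a & \text{iff} & a \notin L(s) \\
s \models g & \text{iff} & \nu \models g \\
s \models \neg\varphi & \text{iff} & s \not\models \varphi \\
s \models \varphi \wedge \psi & \text{iff} & s \models \varphi \text{ and } s \models \psi \\
s \models E\varphi & \text{iff} & \exists \pi \in \mathit{Paths}_{div}(s).\; \pi \models \varphi \\
s \models A\varphi & \text{iff} & \forall \pi \in \mathit{Paths}_{div}(s).\; \pi \models \varphi
\end{array}
$$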
It is important to notice that satisfaction is only defined over time divergent paths.
The reason is that time convergent paths would prevent many properties of the type
$A\varphi$ from holding. These properties must hold for all paths starting in a state. Consider the
property $AG\,(x == 1)$. This property is not true for some time convergent paths. It is
therefore required to ignore time convergent paths for the analysis of Timed Automata.
11.2.3 Semantics for timed automata
The following definition introduces the notion of satisfaction set. Given a formula, the
satisfaction set is the set of states satisfying this formula.
Definition 11.2.3. (Satisfaction set) Given a timed automaton TA with set of clocks $C$,
and a TCTL formula $\varphi$, the satisfaction set of $\varphi$, denoted $\mathit{Sat}(\varphi)$, is defined as follows:
$$\mathit{Sat}(\varphi) = \{ s \in \mathit{Loc} \times \mathit{Eval}(C) \mid s \models \varphi \}$$
We define that a Timed Automaton satisfies a TCTL property if it satisfies this
property for all the initial states of its transition system semantics.
Definition 11.2.4. (TCTL semantics for timed automata) A timed automaton TA satisfies TCTL formula $\varphi$ if and only if formula $\varphi$ holds in all the initial states of $TS(TA)$,
that is,
$$TA \models \varphi \text{ if and only if } \forall l_0 \in \mathit{Loc}_0.\; (l_0, 0) \models \varphi$$
11.3 Timelock and Zeno
11.3.1 Characterising timelock freedom
The semantics of TCTL is only defined over time divergent paths. For properties of
the form $E\varphi$, a time divergent path must exist for which $\varphi$ holds. That is, a timed
automaton without any time divergent path will not satisfy $E\varphi$. In contrast, properties
of the form $A\varphi$ hold only for all time divergent paths. If there are no such paths, such
a property holds by definition. Indeed, the general truth value of $\forall x \in \emptyset.\, \varphi$ is true.
There is simply nothing to check. Again, notice the logical contrast with existential
quantification. The general truth value of $\exists x \in \emptyset.\, \varphi$ is false.
We now want a formula that will characterise a timelock-free timed automaton.
Recall the definition of timelock: state $s$ (in $TS(TA)$) has a timelock if and only if there exist no time
divergent paths starting in $s$. So, by negation, a state $s$ is timelock-free if and only if there
exists at least one time divergent path starting in $s$.
Consider the property $EG\,\mathit{true}$. This property states that there exists a path for
which it is always possible to have true. The only possibility for this to be false is
that time is blocked and then even true is no longer true. This means that $EG\,\mathit{true}$
holds in state $s$ if there is some time divergent path starting in $s$. This is exactly what
characterises a timelock-free state. Let us formulate the following statement:
A timed automaton TA is timelock-free if and only if $\forall s \in \mathit{Reach}(TS(TA)).\; s \models EG\,\mathit{true}$
This means that when proving properties of the form $A\varphi$, one must ensure that the
timed automaton is free from timelocks.
Figure 11.1: Timelock and safety.
Example 11.3.1. Consider the timed automaton pictured in Figure 11.1. This timed
automaton satisfies $AG\,\mathit{true}$ as it has no time divergent path at all.
Finally, consider the property $AG\,EG\,\mathit{true}$. This property is a tautology in TCTL,
that is, it is always true independently of the state under consideration. We need to
consider two cases.
(a): we consider the time divergent paths in $s$. By definition of a time divergent path,
they can always delay forever and $EG\,\mathit{true}$ holds at all positions of these time
divergent paths.
(b): we consider the time convergent paths in $s$. By definition of TCTL, we ignore
these paths and the property holds (see the above discussion of universal and
existential quantification).
Property $AG\,EG\,\mathit{true}$ is therefore always true. In particular, it is not an appropriate
characterisation of timelock-free TA.
11.3.2 Timelock vs. Zeno
Timelock and Zeno are two different concepts, in the sense that one does not imply the
other.
Example 11.3.2. Figure 11.2 shows a timed automaton that is timelock-free but has
Zeno paths.
Figure 11.2: Timelock and zeno.
11.4 Conclusion
This chapter presented Timed Computational Tree Logic, a logic to reason about properties of Timed Automata. The logic considers a branching notion of time. Path quantifiers are used to state whether in a given state a property should hold for some path
or for all paths of that state. The logic uses clock variables and clock constraints to
specify timing behaviours. In the analysis, time convergent paths are simply ignored.
11.5 Exercises
Exercise 11.5.1. Can you draw a timed automaton that has a timelock but has no Zeno
paths?