Parametric Verification: An Introduction
\'Etienne Andr\'e, Micha{\l} Knapik, Didier Lime, Wojciech Penczek and, Laure Petrucci

TL;DR
This paper introduces the field of parametric verification for concurrent systems, covering formal concepts, models, approaches, and practical tools for analyzing systems with unknown or variable parameters.
Contribution
It provides a comprehensive overview of parametric verification methods, models, and tools, along with references for further research in the area.
Findings
Coverage of various models like Parametric Timed Automata and Petri Nets
Introduction of Action Synthesis for property enforcement
Availability of practical tools and tutorials online
Abstract
This paper constitutes a short introduction to parametric verification of concurrent systems. It originates from two 1-day tutorial sessions held at the Petri nets conferences in Toru\'n (2016) and Zaragoza (2017). The paper presents not only the basic formal concepts tackled in the video version, but also an extensive literature to provide the reader with further references covering the area. We first introduce motivation behind parametric verification in general, and then focus on different models and approaches, for verifying several kinds of systems. They include Parametric Timed Automata, for modelling real-time systems, where the timing constraints are not necessarily known a priori. Similarly, Parametric Interval Markov Chains allow for modelling systems where probabilities of events occurrences are intervals with parametric bounds. Parametric Petri Nets allow for compact…
| Class | U-PTAs | bL/U-PTAs | L/U-PTAs | bIP-PTAs | IP-PTAs | bPTAs | PTAs | |
| closed | open | |||||||
| EF | [Hun+02] | [ALR16] | open | [Hun+02] | [ALR16] | [ALR16] | [Mil00] | [AHV93] |
| AF | open | [ALR16] | [JLR15] | [ALR16] | [ALR16] | [ALR16] | [JLR15] | |
| EG | open | [AL17] | [AL17] | [AL17] | open | [AL17] | ||
| AG | [AL17] | [ALR16] | open | [AL17] | [ALR16] | |||
| TCTL | [ALR18] | [ALR16] | [JLR15] | [ALR16] | [Mil00] | [AHV93] | ||
| EC | [AL17] | [AL17] | open | [AL17] | open | [AL17] | ||
| ED | open | [AL17] | open | [AL17] | [And16] | |||
| LgP | open | [AM15] | open | [AM15] | ||||
| TrP | open | [AM15] | open | [AM15] | ||||
| Class | Reachability | S. Unboundness | Coverability |
|---|---|---|---|
| PPN | Undecidable [Dav+15] | Undecidable [Dav+15] | Undecidable [Dav+15] |
| preT-PPN | Undecidable [Dav17] | ExpSpace-c [Dav+17] | ExpSpace-c [Dav+17] |
| postT-PPN | Undecidable [Dav17] | ExpSpace-c[Dav17] | ExpSpace-c [Dav+15] |
| P-PPN | open | ExpSpace-c[Dav17] | ExpSpace-c [Dav+15] |
| distinctT-PPN | Undecidable [Dav17] | ExpSpace-c[Dav17] | ExpSpace-c [Dav+15] |
| Class | Reachability | S. Unboundedness | Coverability |
|---|---|---|---|
| PPN | Undecidable [Dav+15] | Undecidable [Dav+15] | Undecidable [Dav+15] |
| preT-PPN | Undecidable [Dav17] | ExpSpace-c[Dav17] | ExpSpace-c [Dav+15] |
| postT-PPN | Undecidable [Dav17] | ExpSpace-h[Dav17] | ExpSpace-c [Dav+15] |
| P-PPN | Decidable [Dav+15] | ExpSpace-h[Dav17] | ExpSpace-c [Dav+15] |
| distinctT-PPN | Undecidable [Dav17] | ExpSpace-h[Dav17] | ExpSpace-c [Dav+17] |
| Class | Reachability | S. Unboundedness | Coverability |
|---|---|---|---|
| PPN | ✕ | ✕ | ✕ |
| preT-PPN | ✕ | ✓ | ✓ |
| postT-PPN | ✕ | ✓ | ✓ |
| P-PPN | open | ✓ | ✓ |
| distinctT-PPN | ✕ | ✕ | ✕ |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: LIPN, CNRS UMR 7030, Université Paris 13, Villetaneuse, France 22institutetext: Institute of Computer Science, PAS, Warsaw, Poland 33institutetext: École Centrale de Nantes, LS2N, CNRS UMR 6004, Nantes, France 44institutetext: University of Natural Sciences and Humanities, II, Siedlce, Poland
Parametric Verification: An Introduction††thanks: This is the author version of the manuscript of the same name published in the Transactions on Petri Nets and Other Models of Concurrency (ToPNoC).
The published version is available at springer.com. This work is partially supported by the ANR national research program PACS (ANR-14-CE28-0002).
Étienne André 11 0000-0001-8473-9555
Michał Knapik
Didier Lime
Wojciech Penczek 2244 0000-0001-6477-4863
Laure Petrucci 11 0000-0003-3154-5268
Abstract
This paper constitutes a short introduction to parametric verification of concurrent systems. It originates from two 1-day tutorial sessions held at the Petri nets conferences in Toruń (2016) and Zaragoza (2017). A video of the presentation is available at youtube.com/playlist?list=PL9SOLKoGjbeqNcdQVqFpUz7HYqD1fbFIg, consisting of 14 short sequences. The paper presents not only the basic formal concepts tackled in the video version, but also an extensive literature to provide the reader with further references covering the area.
We first introduce motivation behind parametric verification in general, and then focus on different models and approaches, for verifying several kinds of systems. They include Parametric Timed Automata, for modelling real-time systems, where the timing constraints are not necessarily known a priori. Similarly, Parametric Interval Markov Chains allow for modelling systems where probabilities of events occurrences are intervals with parametric bounds. Parametric Petri Nets allow for compact representation of systems, and cope with different types of parameters. Finally, Action Synthesis aims at enabling or disabling actions in a concurrent system to guarantee some of its properties. Some tools implementing these approaches were used during hands-on sessions at the tutorial. The corresponding practicals are freely available on the Web.
1 Introduction to parametric verification
We first introduce the motivation for performing parametric verification. Several formal models can be considered, depending on the characteristics of the system and its properties the designer wants to address. We will also discuss the problems of interest in such a framework. At the end of this section, we will give pointers to some additional and complementary material.
The reader is assumed to have basic knowledge of Petri nets and/or automata and their associated verification techniques, since they constitute the basis of the formal models we address in a parametric setting.
1.1 Why parameters and of what kind?
Parameters provide several facilities for easily modelling complex systems:
Dimensioning: systems often exhibit components that occur as multiple copies of the same structure or similar ones. For example, a wireless sensor network is composed of a certain number of identical sensors. At the design phase, the exact number of sensors might be unknown and would therefore be a parameter. 2. 2.
Choice of actions: different actions in the system might be possible in a given state. The designer having several possibilities in mind would model them and analyse the behaviour of the system with these actions enabled or disabled. In this case, the enabledness of each individual action is considered as a parameter. 3. 3.
Design choices: different system characteristics can be taken into account at the design phase so as to be evaluated. For example, when designing an electronic system, one might have the choice between different components, available of course at different prices, each providing its specific characteristics, such as a better or worse response time. In such a case, the designer may want to construct a single model, and use these timing characteristics as a parameter so as to evaluate which is the best possible choice according to his/her needs.
To handle the cases described, different kinds of parameters are used. They will influence the type of a formal model and verification techniques chosen. In the three previous cases, parameters would be:
Instances numbering allow for counting identical components in the system. 2. 2.
Controllable actions can be enabled or disabled, as opposed to the other ones which are always available for the system. 3. 3.
Time or probabilities provide means to handle different characteristics of the actual system components.
Therefore, many kinds of parameters can be considered according to the problem at hand.
1.2 Modelling languages
Among the popular traditional languages for modelling concurrent systems are automata and Petri nets, and their numerous extensions.
Unfortunately, these modelling languages are not completely suited to handle the systems of our interest. Indeed, numbering instances of components is easily achieved with high-level Petri nets such as Coloured Petri Nets (CPNs). In CPNs, the Petri net is enriched with data carried by tokens and modified when firing transitions. These data can very well be a numbering of an instance. Nevertheless, the number of instances is fixed a priori, as opposed to a parameter. Therefore, when the designer wants to analyse several configurations of the system, first the model is built for a given number of instances, then analysed, the number is changed, the model analysed again, and so on.
In Petri nets or automata, there is no specific handling of controllable actions. Hence, to test several options in the design, each of them must be modelled and analysed individually.
Finally, timed versions of Petri nets and automata are widely used, but suffer from the same defaults: values must be known in advance.
Hence, with traditional modelling languages, values are to be set before the analysis is performed, and the process must be repeated for all possible values. It is thus a tedious process which boils down to testing all values one by one, taking a huge amount of time.
1.3 Problems of interest in a parametric setting
The major objective for introducing parameters is to circumvent this repetition of analysis, by introducing parameters in the models. Furthermore, the analysis techniques are suited to find constraints on parameters such that desired properties are satisfied (e.g. the property is satisfied for all values of the parameter between 1 and 10) or even synthesize the set of all such parameters valuations.
The first advantage of this approach is that answering these questions provides all possible values in a single analysis step. Second, the set of parameters obtained can be infinite (e.g. ), a result that cannot in general be obtained with an enumerative approach.
1.4 Sources and references
Several sources of information are available to the reader, that provide additional details on the theoretical background, further examples, etc. Among these:
- •
the video of the tutorial presentation: youtube.com/playlist?list=PL9SOLKoGjbeqNcdQVqFpUz7HYqD1fbFIg;
- •
the slides of the tutorial: imitator.fr/tutorials/PN17/;
- •
the exercises with IMITATOR (imitator.fr/tutorials/PN17/) and Roméo (romeo.rts-software.org/doc/tutorial.html);
- •
the extensive literature that is referenced.
Outline.
In Section 2, we first consider parameters as unknown constants in timed automata, i.e. Parametric Timed Automata [AHV93]. We review decidability results, and report on decidable subclasses. Then, in Section 3, we consider parameters as unknown probabilities in Parametric Interval Markov Chains [DLP16]. Section 4 deals with parameters that are unknown numbers of tokens in Petri nets, yielding Parametric Time Petri Nets [Dav+15, Dav+17]. As a last formalism, we also consider in Section 5 the synthesis of actions (seen as Boolean parameters) [KMP15, KP15]. Finally we review some verification tools in Section 6.
2 Parametric Timed Automata
Classical qualitative model checking, implemented in powerful tools used successfully in industry, falls short when quantitative aspects of systems such as time, energy, probabilities, etc., are to be verified. Timed automata [AD94] allow for modeling and verifying time critical concurrent systems. This seminal work [AD94] received the CAV conference award in 2008, and since then numerous works have extended the formalism of timed automata.
However, despite of some success, (timed) model checking can be seen as slightly disappointing. There are two main reason of that:
the binary response to properties satisfaction may not be informative enough, and 2. 2.
the insufficient abstraction to cater for tuning and scalability of systems.
Adding parameters offers a higher level of abstraction by allowing unknown constants in a model. Parameters can be used to model unknown timing constants of timed systems. This approach has the following advantages:
- •
it becomes possible to verify a system at an earlier design stage, when not all timing constants are known with full certainty.
- •
it allows designers to cope with uncertainty even at runtime: some timings constants (e.g. periods of a real-time system) may be known up to a given precision only (e.g. given with an interval of confidence), and parameters can model this imprecision.
Parametric timed automata [AHV93] are an extension of timed automata where timing constants can become unknown, i.e. parameters. They represent a particularly expressive formalism: in fact, its expressiveness is Turing-complete [ALR16] and all non-trivial problems related to parametric timed automata are undecidable. For example, the mere existence of a parameter valuation for which there exists a run reaching some location is undecidable (see e.g. [And19a] for a survey).
Parametric timed automata suffer from negative decidability results, but they still remain a quite powerful formalism. They can be used to address robustness (in the sense of possibly infinitesimal variations of timing constants [BMS13]), to model and verify systems with uncertain constants, and to synthesize suitable (possibly unknown) valuations so that the system meets its specification.
In addition, several recent decidability results for subclasses of parametric timed automata (e.g. [BL09, BO14, JLR15, Ben+15, AL17]) has made this formalism more promising, while new algorithmic and heuristic techniques (e.g. [KP12, JLR15, And+15, Aşt+16, Li+17, And+19]) has made the parametric verification for some classes of problems more scalable and complete, or more often terminating.
Verification with parametric timed automata has had important outcomes in various areas, with verification of case studies such as the root contention protocol [Hun+02], Philip’s bounded retransmission protocol [Hun+02], a 4-phase handshake protocol [KP12], the alternating bit protocol [JLR15], an asynchronous circuit commercialised by ST-Microelectronics [Che+09], (non-preemptive) schedulability problems [JLR15], a distributed prospective architecture for the flight control system of the next generation of spacecrafts designed at ASTRIUM Space Transportation [Fri+12], and even analysis of music scores [FJ13].
In this section, we recall the syntax and semantics of parametric timed automata (Section 2.2) and their subclasses (Section 2.3). We introduce theoretical problems of interest (Section 2.4), and review decidability results (Section 2.5).
2.1 Basic notions
Let , , , and denote the sets of non-negative integers, integers, non-negative rational numbers, and non-negative real numbers, respectively.
We first define the notions necessary to deal with clocks. We begin with clock valuations.
Definition 1 (clock valuation)
Let be a finite set of clocks, i.e. real-valued variables that evolve at the same rate.
A clock valuation is a function .
We identify a clock valuation with the point .
The following notations allow for specifying null clocks, and adding simultaneously the same delay to all clocks.
Notation 1** (clock operations)**
**
- •
We write for .
- •
We also use a special zero-clock , always equal to 0 (as in e.g. **[Hun+02]**).
- •
Given , denotes the valuation such that , for all .
- •
Given , we define the reset of a valuation , denoted by , as follows: if , and otherwise.
The systems considered comprise a priori unknown timing constants that are thus parameters to be synthesized according to the targeted property.
Definition 2 (timing parameter valuation)
Let be a set of timing parameters, i.e. unknown timing constants.
A timing parameter valuation is a function .
We identify a valuation with the point .
Clocks and parameters are used together and thus can be combined.
Notation 2** (clocks and parameters valuations combined)**
Given a timing parameter valuation and a clock valuation , we denote by the valuation over such that for all clocks , and for all timing parameters , .
The expressions on clocks can concern clock themselves, but also involve parameters and constant delays.
Notation 3** (linear terms)**
**
- •
In the following, let denote a linear term over of the form , with , , and .
- •
Let denote a parametric linear term over , that is a linear term without clocks (i.e., for all ).
The synthesis of parameters leads to expressing constraints on their values in order to guarantee that the model satisfies the expected properties.
Definition 3 (constraints on clocks and timing parameters)
A constraint over is defined by the following grammar:
[TABLE]
where , is a linear term.
Definition 4 (constraint satisfaction)
A valuation satisfies a constraint , denoted , if the expression obtained by replacing in each timing parameter by its valuation as in evaluates to true.
Zones allow for defining convex sets of clocks and timing parameters values.
Definition 5 (zones and parametric guards)
A zone is a constraint such that each of its linear conjuncts can be written in the form , where . A parametric guard is a zone such that each of its linear conjuncts can be written in the form .
Definition 6 (satisfiability)
Given a zone , indicates that valuating each clock variable with and each timing parameter with within , evaluates to true. Zone is satisfiable if .
Time elapsing can be obtained by adding a new variable to all clocks, ensuring that this variable is non-negative, and eliminating it (see, e.g. [And+09]).
Definition 7 (time elapsing of a zone)
The time elapsing of a zone , denoted by , is the constraint over obtained from by delaying all clocks by any arbitrary amount of time.
That is,
[TABLE]
2.2 Syntax and semantics
2.2.1 Syntax
Definition 8 (parametric timed automaton [AHV93])
A parametric timed automaton (PTA) is a tuple , where:
is a finite set of actions, 2. 2.
is a finite set of locations, 3. 3.
is the initial location, 4. 4.
is a set of final or accepting locations, 5. 5.
is a finite set of clocks, 6. 6.
is a finite set of parameters, 7. 7.
is the invariant, assigning to every a parametric guard , 8. 8.
is a finite set of edges where are the source and target locations, , is a set of clocks to be reset, and is a parametric guard called the transition guard.
Given a parameter valuation , we denote by the non-parametric timed automaton where all occurrences of each parameter have been replaced by . If is such that all constants in guards and resets are integers, then is a timed automaton [AD94]. In the following, we refer to any structure as a timed automaton, by assuming a rescaling of the constants: by multiplying all constants in by the least common multiple of their denominators, we obtain an equivalent (integer-valued) timed automaton.
Example 1
Consider the coffee machine in Fig. 1, modelled using a PTA with 4 locations, 2 clocks ({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}} and {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}) and 3 parameters ({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}). Invariants are boxed. The only accepting location (with a double border) is . Observe that all guards and invariants are simple constraints.
The machine can initially be idle for an arbitrarily long time. Then, whenever the user presses the (unique) button (action {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}), the PTA enters location , resetting both clocks. The machine can remain in this location as long as the invariant ({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}) is satisfied; there, the user can add a dose of sugar by pressing the button (action {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}), provided the guard ({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\geq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}) is satisfied, which resets {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}. That is, the user cannot press twice the button (and hence add two doses of sugar) within a time less than {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}. Then, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} time units after the machine left the idle mode, a cup is delivered (action {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{cup}}), and the coffee is being prepared; eventually, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} time units after the machine left the idle mode, the coffee (action {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{coffee}}) is delivered. Then, after 10 time units, the machine returns to the idle mode—unless a user again requests a coffee by pressing the button.
2.2.2 Concrete Semantics
Definition 9 (Concrete semantics of a TA)
Given a PTA , and a parameter valuation , the concrete semantics of is given by the timed transition system , with
- •
,
- •
, and
- •
consists of the discrete and (continuous) delay transition relations:
- –
discrete transitions: , if , there exists , , and .
- –
delay transitions: , with , if .
Moreover we write for a combination of a delay and discrete transition where if .
Given a TA with concrete semantics , we refer to the states of as the concrete states of . A (concrete) run of is a possibly infinite alternating sequence of concrete states of and edges starting from the initial concrete state of the form , such that for all : , and . Given a state , we say that is reachable (or that reaches ) if belongs to a run of . By extension, we say that is reachable in , if there exists a state that is reachable. By extension, given a set of locations ( stands for “target”), we say that is reachable in , if there exists a location that is reachable in . Given a set of locations , we say that a run stays in if all of its states are such that .
A maximal run is a run that is either infinite (i.e. contains an infinite number of discrete transitions), or that cannot be extended by a discrete transition. A maximal run is deadlocked if it is finite, i.e. contains a finite number of discrete transitions. By extension, we say that a TA is deadlocked if it contains at least one deadlocked run.
Example 2
Consider again the PTA modeling a coffee machine in Fig. 1. Let be the parameter valuation such that v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}})=1, v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}})=5 and v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}})=8.
Given a clock valuation , we denote it by (w({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}),w({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}})). For example, denotes that w({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}})=0 and w({\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}})=4.2.
The following sequence is a concrete run of .
\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{idle}},(0,0)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},(0,0)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},(0,1.78)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},(0,4.2)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{cup}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{preparing\_coffee}},(0.8,5)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{coffee}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{done}},(0,8)\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\mapsto}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},(0,0)\big{)}
As an abuse of notation, we write above each arrow the action name (instead of the edge), as edges are unnamed in Fig. 1.
This concrete run is not maximal (it could be extended).
2.2.3 Language of timed automata
Let be a (finite or infinite) run of a TA . The associated untimed word is , where is the action of edge , for all ; the associated trace111This is a non-standard definition of traces (compared to e.g. [Gla90]), but we keep this term as it is used in e.g. [And+09, AM15]. is
Given a run , we say that this run is accepting if .
We define the untimed language as the set of all untimed words associated with accepting runs of a TA.
Definition 10 (untimed language of a TA)
Given a PTA , and a parameter valuation , the untimed language of , denoted by , is the set of untimed words associated with all accepting runs of .
We define the trace set as the set of traces associated with the accepting runs.
Definition 11 (trace set of a TA)
Given a PTA , and a parameter valuation , the trace set of is the set of traces associated with all accepting runs of .
Example 3
Consider again the PTA modeling a coffee machine in Fig. 1. Let be the parameter valuation such that v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}})=1, v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}})=5 and v({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}})=8.
The untimed language of can be described as follows:
[TABLE]
where {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{\sigma}}^{[a,b]}, {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{\sigma}}^{?}, {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{\sigma}}^{*} denote between and occurrences, zero or one occurrence, and zero or more occurrence(s) of {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{\sigma}}, respectively.
The trace set of can be described as follows:
[TABLE]
2.2.4 Symbolic semantics
Let us now recall the symbolic semantics of PTAs (see e.g. [Hun+02, And+09, JLR15]).
Definition 12 (Symbolic state)
A symbolic state is a pair where is a location, and its associated parametric zone.
Definition 13 (Symbolic semantics)
Given a PTA , the symbolic semantics of is the labelled transition system called parametric zone graph , with
- •
,
- •
\mathbf{s}_{0}=\big{(}l_{0},(\bigwedge_{1\leq i\leq H}x_{i}=0)^{\nearrow}\land I(l_{0})\big{)}, and
- •
\big{(}(l,C),e,(l^{\prime},C^{\prime})\big{)}\in{\Rightarrow} if and
[TABLE]
with satisfiable.
That is, in the parametric zone graph, nodes are symbolic states, and arcs are labelled by edges of the original PTA.
If \big{(}(l,C),e,(l^{\prime},C^{\prime})\big{)}\in{\Rightarrow}, we write .
A graphical illustration of the computation of is given in Fig. 2.222This figure comes from [AS13], itself coming from an adaptation of a figure by Ulrich Kühne. Starting from the parametric zone , it is intersected with guard , leading to the parametric values that allow for taking the transition. Then the necessary clocks are reset. However, for the transition to be taken, the new values thus obtained must satisfy the invariant of the target location, . After this, when in , time can elapse as long as the invariant still holds, leading to the new zone .
A symbolic run of a PTA is an alternating sequence of symbolic states and edges starting from the initial symbolic state, of the form , such that for all , , and . Given a symbolic state , we say that is reachable if belongs to a symbolic run of . In the following, we simply refer to symbolic states belonging to a run of as symbolic states of .
Example 4
Consider again the coffee machine example in Fig. 1. A (non-maximal) symbolic run is as follows:
\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{idle}},{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}={\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\land{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\geq 0\big{)}\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}={\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\land 0\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\big{)}
\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}-{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\land 0\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\big{)}
\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},2\times{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}-{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\land 0\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\big{)}
\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{cup}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{preparing\_coffee}},2\times{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}-{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\land{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\big{)}
\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{coffee}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{done}},0\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}\leq 10\land{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}-{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}={\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\land 2\times{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\big{)}
\stackrel{{\scriptstyle{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{press}}}}{{\Rightarrow}}\big{(}{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{add\_sugar}},{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}={\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\land 0\leq{\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\land 2\times{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\big{)}
(For sake of readability, we use action names instead of edges along the transitions.)
The parametric zone graph of this example is infinite.
Given a concrete (respectively symbolic) run (respectively ), we define the corresponding discrete sequence as . Two runs (concrete or symbolic) are said to be equivalent if their associated discrete sequences are equal.
Two important results (see e.g. [Hun+02]) relate the concrete and the symbolic semantics, and are recalled below using our syntax. They provide a sort of equivalence between symbolic parametric zones and concrete runs. That is, they guarantee that the zones correspond to feasible runs (correctness) and that each run is represented by a zone (completeness).
Lemma 1 ([Hun+02, Proposition 3.17])
For each parameter valuation and clock valuation , if there is a symbolic run in reaching state , with , then there is an equivalent concrete run in reaching state .
Lemma 2 ([Hun+02, Proposition 3.18])
For each parameter valuation and clock valuation , if there is a concrete run in reaching state , then there is an equivalent symbolic run in reaching a state such that .
2.3 Subclasses of PTAs
Lower-bound/upper-bound parametric timed automata (L/U-PTAs), proposed in [Hun+02], restrict the use of parameters in the model.
Definition 14 (L/U-PTA)
An L/U-PTA is a PTA where the set of parameters is partitioned into lower-bound parameters and upper-bound parameters, where an upper-bound (resp. lower-bound) parameter is such that, for every guard or invariant constraint , we have: implies (resp. ), and implies (resp. ).
In [BL09], two additional subclasses are introduced: L-PTAs (resp. U-PTAs) are PTAs with only lower-bound (resp. upper-bound) parameters.
L/U-PTAs enjoy a well-known monotonicity property [Hun+02]: increasing upper-bound parameters or decreasing lower-bound parameters can only add behaviours.
Example 5
Consider again the coffee machine in Fig. 1, modelled using a PTA . This PTA is not an L/U-PTA; indeed, in the guard {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}={\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} (resp. {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}={\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}), {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} (resp. {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}) is compared with clocks both as a lower-bound and as an upper-bound. (Recall that stands for and .)
However, if one replaces {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}={\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} with {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}} and {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}={\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}} with {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}, then becomes an L/U-PTA with lower-bound parameter {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}} and upper-bound parameters \{{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}},{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\}. Note that equalities are not forbidden in L/U-PTAs (e.g. {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}}=10), but only equalities involving parameters are.
Several case studies fit into the class of L/U-PTAs: the root contention protocol, the bounded retransmission protocol and the Fischer mutual exclusion protocol are all modelled with L/U-PTAs in [Hun+02]; in [Hun+02, KP12], both the Fischer mutual exclusion protocol and a producer-consumer are verified using L/U-PTAs. Interestingly, the two case studies of the seminal paper on PTAs [AHV93] (viz. a toy train gate controller model and a model of Fischer mutual exclusion protocol) are also L/U-PTAs, although the concept of L/U-PTAs had not yet been proposed at that time. In addition, most models of asynchronous circuits with bi-bounded delays (i.e. where each delay between the change of an input signal and the change of the corresponding output is a parametric interval) can be modelled using L/U-PTAs.
We will also consider bounded PTAs, i.e. PTAs with a bounded parameter domain that assigns to each parameter an infimum and a supremum, both integers.
Definition 15 (bounded PTA)
A bounded PTA is , where is a PTA, and assigns to each parameter an interval , , , or , with . We use and to denote the infimum and the supremum of , respectively. (Note that we rule out as a supremum.)
We say that a bounded PTA is a closed bounded PTA if, for each parameter , its ranging interval is of the form ; otherwise it is an open bounded PTA.
We define similarly bounded L/U-PTAs.
2.4 Decision and computation problems
2.4.1 TCTL
TCTL [ACD93] is the quantitative extension of CTL where temporal modalities are augmented with constraints on duration. Formulae are interpreted over timed transition systems.
Given and , the language of TCTL is given by the following grammar:
[TABLE]
A reads “always”, E reads “exists”, and U reads “until”.
Standard abbreviations include Boolean operators as well as for , for and for . F reads “eventually” while G reads “globally”.
Definition 16 (Semantics of TCTL)
Given a TA , the following clauses define when a state of its timed transition system satisfies a TCTL formula , denoted by , by induction over the structure of (semantics of Boolean operators is omitted:
if there is a maximal run in with () a prefix of s.t. , , and 2. 2.
if for each maximal run in there exists () a prefix of s.t. , , and .
where, given a concrete run , gives the total sum of the delays along .
In the classical until is extended by requiring that be satisfied within a duration (from the current state) verifying the constraint “”. Given , a PTA and a TCTL formula , we write when .
2.4.2 Decision problems
Emptiness and universality of the valuations set.
Let be a given a class of decision problems (reachability, unavoidability, etc.).
**-emptiness problem:
**Input: A PTA and an instance of
Problem: Is the set of parameter valuations such that satisfies empty?
**-universality problem:
**Input: A PTA and an instance of
Problem: For all parameter valuations , does satisfy ?
In this section, we mainly focus on the following decision problems:
- •
reachability (EF333The names “EF”, “AF”, “EG” come from the TCTL syntax, and are consistent with the notations introduced in [JLR15] and subsequently used in further papers (such as [ALR16, AL17]). ): given a TA , is there at least one run of that reaches a given location? That is, EF-emptiness asks: “is the set of parameter valuations such that the TA reaches a given location empty?” And EF-universality asks: “are all parameter valuations such that the corresponding TA reaches a given location?”
- •
unavoidability (AF): given a TA , do all runs of eventually reach a given location?
- •
EG: given a TA and a subset of its locations, is there at least one maximal run of that always stays in ?
- •
AG: given a TA and a subset of its locations, do all runs of stay in ?
- •
deadlock-existence (ED): given a TA , is there at least one maximal run of that is deadlocked, i.e. has no discrete successor (possibly after some delay)?
- •
cycle-existence (EC): given a TA , is there at least one run of with an infinite number of discrete transitions?
Note that AF-emptiness is equivalent to EG-universality, while AG-emptiness is equivalent to EF-universality.
We will finally consider the following two additional emptiness problems:
**Language-preservation-emptiness problem:
**Input: A PTA and a parameter valuation
Problem: Is the set of parameter valuations such that and for which has the same untimed language as empty?
**Trace-preservation-emptiness problem:
**Input: A PTA and a parameter valuation
Problem: Is the set of parameter valuations such that and for which has the same set of traces as empty?
2.4.3 Computation problem
Additionally, we define the following computation problem:
**-synthesis problem:
**Input: A PTA and an instance of
Problem: Compute the parameter valuations such that satisfies .
Example 6
Let us exemplify some decision and computation problems for the coffee machine PTA in Fig. 1. Assume the unique target location is , i.e. T=\{{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{done}}\}.
EF-emptiness asks whether the set of parameter valuations that can reach location for some run is empty, i.e. there is an execution in which the coffee is not delivered. This is false (e.g. {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}=1, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}=2, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}=3 can reach ).
EF-universality asks whether all parameter valuations can reach location for some run, i.e. all executions allow for delivering the coffee, regardless of the parameters valuation. This is false (no parameter valuation such that {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}>{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}} can reach ).
AF-emptiness asks whether the set of parameter valuations that can reach location for all runs is empty, i.e. if there is some parameters valuation for which coffee delivery is not guaranteed. This is false (e.g. {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}=1, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}=2, {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}=3 cannot avoid ).
EF-synthesis consists in synthesizing all valuations for which a run reaches location , i.e. identifies all parameters valuations for which a coffee will eventually be delivered. The resulting set of valuations is 0\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}\leq{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}\leq 10\land{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\geq 0.
2.5 Decidability
2.5.1 The general class of PTAs
With the rule of thumb that all problems are undecidable for PTAs, we review the decidability of the aforementioned problems.
- •
EF-emptiness was shown to be undecidable [AHV93], with different flavours and settings: for a single bounded parameter [Mil00], for a single rational-valued or integer-valued parameter [Ben+15], with only one clock compared to parameters [Mil00], or with strict constraints only [Doy07].
- •
AF-emptiness was shown undecidable in [JLR15].
- •
AG-emptiness was shown undecidable in [ALR16].
- •
EG-emptiness (as well as EC and ED) were shown undecidable in [AL17].
- •
The language and trace-preservation problems were shown undecidable in [AM15].
A complete survey is available in [And19a].
Following the very negative results for PTAs, subclasses have been proposed. We review some in the following.
2.5.2 The class of L/U-PTAs
A main decidability result.
The first (and main) positive result for L/U-PTAs is the decidability of the EF-emptiness problem [Hun+02]. L/U-PTAs benefit from the following interesting monotonicity property: increasing the value of an upper-bound parameter or decreasing the value of a lower-bound parameter necessarily relaxes the guards and invariants, and hence can only add behaviours. Therefore, checking the EF-emptiness of an L/U-PTA can be achieved by replacing all lower-bound parameters with 0, and all upper-bound parameters with a sufficiently large constant; this yields a non-parametric TA, for which emptiness is PSPACE-complete [AD94]. This procedure is not only sound but also complete.
Undecidability results.
The first undecidability results for L/U-PTAs are shown in [BL09]: the constrained EF-emptiness problem and constrained EF-universality problem (for infinite runs acceptance properties) are undecidable for L/U-PTAs. By constrained it is meant that some parameters of the L/U-PTA can be constrained by an initial linear constraint, e.g. {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{1}}\leq 2\times{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{2}}+{\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p_{3}}. Indeed, using linear constraints, one can constrain an upper-bound parameter to be equal to a lower-bound parameter, and hence build a 2-counter machine using an L/U-PTA. However, when no upper-bound parameter is compared to a lower-bound parameter (i.e. when no initial linear inequality contains both an upper-bound and a lower-bound parameter), these two problems become decidable [BL09]. The exact decidability frontier may have not been found yet: the case where a lower-bound parameter is constrained to be less than or equal to an upper-bound parameter fits in none of the considered cases.
A second negative result is shown in [JLR15]: the AF-emptiness problem is undecidable for L/U-PTAs. This restricts again the use of L/U-PTAs, as AF is essential to show that all possible runs of a system eventually reach a (good) state.
Third, in [AM15], the language- and trace-preservation problems were shown to be undecidable for L/U-PTAs.
Model-checking L/U-PTAs.
In [BL09], a parametric extension of the dense-time linear temporal logic (denoted “”) is proposed; when parameters are used only as lower or upper bound in the formula (to which we refer as L/U-), satisfiability and model checking are PSPACE-complete; this is obtained by translating the formula into an L/U-automaton and checking an infinite acceptance property.
Then, in [DLN15], an extension of MITL allowing parametric linear expressions in bounds is proposed (yielding PMITL). Two sets of (integer-valued) parameter valuations are considered:
the set of valuations for which a PMITL formula is satisfiable, i.e. for which there exists a timed sequence (possibly belonging to a given L/U-PTA) satisfying it, and 2. 2.
the set of valuations for which a PMITL formula is valid, i.e. for which all timed sequences (possibly belonging to a given L/U-PTA) satisfy it.
Under some assumptions, the emptiness and universality of the valuation set for which a PMITL property is satisfiable or valid (possibly w.r.t. a given L/U-PTA) are decidable, and EXPSPACE-complete. Essential assumptions for decidability include the fact that parameters should be used with the same polarity (positive or negative coefficient, as lower or upper bound in the intervals) within the entire PMITL formula, and each interval can only use parameters in one of the endpoints. Additional assumptions include that no interval of the PMITL formula should be punctual (nor empty), and linear parametric expressions are only used in right endpoints of the intervals (single parameters can still be used as left endpoints). In addition, two fragments of PMITL are showed to be in PSPACE, including one that allows for expressing parameterized response (“if an event occurs, then another event shall occur within some possibly parametric time interval”).
Finally, we showed that the emptiness-problem using nested quantifiers (i.e. beyond EF, EG, AF, AG) automatically leads to the undecidability, even for the very restricted class of U-PTAs with a single parameter (that can even be integer-valued) [ALR18]. In other words, the nested TCTL emptiness problem is undecidable for U-PTAs. We may wonder if the timed aspect of TCTL (and notably the urgency required by the TCTL formula ) is responsible for the undecidability. In fact, it is not, and we could modify the proof to show that CTL itself leads to undecidability, i.e. that EGAX-emptiness is undecidable.
Intractability of the synthesis.
A very disappointing result concerning L/U-PTAs is shown in [JLR15]: despite decidability of the underlying decision problems (EF-emptiness and EF-universality), the solution to the EF-synthesis problem for L/U-PTAs, if it can be computed, cannot be represented using a formalism for which the emptiness of the intersection with equality constraints is decidable. The proof relies on the undecidability of the constrained emptiness problem of [BL09]. A very annoying consequence is that such a solution cannot be represented as a finite union of polyhedra (since the emptiness of the intersection with equality constraints is decidable).
Liveness.
The EG-emptiness problem stands at the frontier between decidability and undecidability for the class of L/U-PTAs: while this problem is decidable for L/U-PTAs with a bounded parameter domain with closed bounds, it becomes undecidable if either the assumption of boundedness or of closed bounds is lifted [AL17].
The deadlock-existence emptiness problem is undecidable, even for the restricted class of closed bounded L/U-PTAs [AL17].
In contrast to deadlock-freeness that is consistently undecidable, and to EG-emptiness for which the frontier between decidability and undecidability is thin, the existence of a parameter valuation for which there exists at least one infinite run (EC-emptiness) is consistently decidable for L/U-PTAs [AL17].
2.5.3 The power of integer points
Following works related integer clock and parameter valuations with decidability in [JLR15], we introduced in [ALR16] integer-points parametric timed automata (IP-PTAs for short), i.e. a subclass of PTAs in which any symbolic state contains at least one integer point.
Definition 17
A PTA is an integer points PTA (in short IP-PTA) if, in any reachable symbolic state of , contains at least one integer point, i.e. .
Example 7
Consider the PTA in Fig. 3(a), containing two clocks {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{1}} and {\color[rgb]{0.4,0.4,1}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,1}x_{2}}, and one parameter {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p}. This PTA is not an IP-PTA. Indeed, as can be seen on its parametric zone graph, the (unique) symbolic state with location {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{l_{3}}} contains only {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p}=\frac{1}{2}, and this symbolic state therefore contains no integer point.
In contrast, the PTA in Fig. 3(b) is an IP-PTA: each zone in its parametric zone graph contains an integer valuation of all parameters. The coffee machine in Fig. 1 (which has an infinite parametric zone graph) is also an IP-PTA.
In [ALR16], we studied the expressiveness of IP-PTAs: while the class of IP-PTAs is incomparable with the class of L/U-PTAs, any non-strict L/U-PTA, i.e. with only non-strict inequalities, is an IP-PTA.
Concerning decidability, the only non-trivial general class with a decidability result for EF-emptiness is L/U-PTAs [Hun+02]. We extended this class, by proving that EF-emptiness is decidable for bounded IP-PTAs [ALR16]. However, other studied problems turned out to be undecidable.
2.5.4 Summary
Table 1 summarises the decidability results. It gives from left to right the (un)decidability for U-PTAs, bounded L/U-PTAs (with either closed or open bounds), L/U-PTAs, bounded IP-PTAs, IP-PTAs, bounded PTAs, and PTAs. We review the emptiness of TCTL subformulas (EF, AF, EG, AG), full TCTL, cycle-existence, deadlock-existence and language- and trace-preservation. Decidability is given in green, whereas undecidability is given in italic red. Our contributions are emphasized in bold using a plain background, whereas existing results are depicted using a light background. When several papers in the literature proved the same result, we only give the earliest result, and not necessarily the best (in terms of number of clocks and parameters, or complexity).
Perspective: open subclasses
L-PTAs and U-PTAs [BL09] are very open classes, in the sense that the only known decidability results come from the larger class of PTAs, and no undecidability result was known—with the exception of our recent result concerning TCTL-emptiness [ALR18]. To summarize, the EG-emptiness, AG-emptiness and AF-emptiness problems, as well as the language- and trace-preservation problems, are all undecidable for (general) L/U-PTAs, but remain open for L-PTAs and U-PTAs. Similarly, the EF-synthesis problem (shown intractable for L/U-PTAs in [JLR15] despite the decidability of the EF-emptiness problem) remains open for rational-valued L- and U-PTAs, and would significantly increase the interest of these subclasses if it was shown to be computable.
3 Parametric Interval Markov Chains
Parametric probabilities are useful to capture imprecisions, robustness and dimensioning issues. Hence, in this section we consider Parametric Interval Markov Chains (PIMC).
3.1 Introduction to Parametric Markov Chains
Fig. 4 contains an example of the different flavours of Markov Chains we are addressing in this section. Fig. 4(a) is a Markov chain (MC). As in an automaton, there are states and transitions between them, but these are labelled by probabilities for the transition to occur. For example, from state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}}, there is a probability of to go to state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}} and of to go to state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{2}}}. Therefore, the sum of all probabilities labelling transitions exiting a state must be .
When probabilities are not known in advance, it might still be possible to know an interval to which they belong. Hence, we introduce Interval Markov Chains (IMC), as pictured in Fig. 4(b). The transitions are then no more labelled by a fixed probability but an interval meaning that the probability should be between the lower and the upper bound of the interval. For example, the probability to move from state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}} to state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{3}}} is between and . The MC in Fig. 4(a) can be seen as an implementation of the IMC in Fig. 4(b) which stands as a specification. Notice that state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}} does not appear in Fig. 4(a), which is equivalent to having a transition from state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{2}}} to state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}} with a probability [math]. Once a probability is chosen in an interval, it imposes constraints on the other probabilities outgoing the same state since they must add up to . An IMC is said to be consistent if it admits at least one implementation.
When the upper or lower bounds are unknown, it is convenient to use parameters. Fig. 4(c) shows a Parametric Interval Markov Chain (PIMC). As compared with the IMC of Fig. 4(b), some of the bounds are replaced with parameters {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}p} and {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q}. Notice that the same parameter occurs at several places in the PIMC, therefore imposing constraints on the interval. For example, from state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}}, it is possible to stay in this state with a probability between {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q} and , or to move to state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{3}}} with a probability between and the same {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q}. When assigning a valuation to all parameters in a PIMC, we obtain an IMC.
3.2 Markov Chains definitions
We now formally define the different Markov Chain models. These definitions are detailed in [DLP16].
Definition 18 (Markov Chain)
A Markov Chain is a tuple , where is a finite set of states containing the initial state , is a set of atomic propositions, is a labelling function, and is a probabilistic transition function such that .
We now introduce the notation of parameters, and interval ranges that will be used throughout this section. A parameter is a variable ranging through the interval . A valuation for is a function that associates values with each parameter in . We write for the set of all closed parametric intervals of the form with . When , we write to denote closed intervals with real-valued endpoints. Given an interval of the form , and respectively denote the lower and upper endpoints of , i.e. and . Given an interval , we say that is well-formed whenever .
The definition of Interval Markov Chains is adapted from [Del+12].
Definition 19 (Interval Markov Chain [Del+12])
An Interval Markov Chain is a tuple , where , , and are as for MCs, and is a transition constraint that associates with each potential transition an interval of probabilities.
The following definition recalls the notion of satisfaction introduced in [Del+12]. Satisfaction (also called implementation in some cases) allows to characterise the set of MCs represented by a given IMC specification. Satisfaction abstracts from the syntactic structure of transitions in IMCs: a single transition in the implementation MC can contribute to satisfaction of more than one transition in the specification IMC, by distributing its probability mass against several transitions. Similarly many MC transitions can contribute to the satisfaction of just one specification transition. This crucial notion is embedded in the so-called correspondence function introduced below. Informally, such a function is given for all pairs of states in the satisfaction relation, and associates with each successor state of – in the implementation MC – a distribution over potential successor states of – in the specification IMC – specifying how the transition contributes to the transition .
Definition 20 (Satisfaction Relation [Del+12])
Let be an IMC and be a MC. A relation is a satisfaction relation if whenever ,
the labels of and agree: , 2. 2.
there exists a correspondence function such that
- (a)
for all such that , is a distribution on , 2. (b)
for all , we have , and 3. (c)
for all and , if , then .
We say that state satisfies state (written ) iff there exists a (minimal) satisfaction relation containing and that satisfies (written ) iff .
The set of MCs satisfying a given IMC is written . Formally, .
Definition 21
An IMC is consistent iff .
Although the satisfaction relation abstracts from the syntactic structure of transitions, we recall the following result from [Del15], that states that whenever a given IMC is consistent, it admits at least one implementation that strictly respects its structure.
Theorem 3.1 ([Del15])
An IMC is consistent iff it admits an implementation of the form where, for all reachable states in , it holds that for all .
In the following, we say that state is consistent in the IMC if there exists an implementation of in which state is reachable with a non-zero probability.
We now recall to the notion of Parametric Interval Markov Chain, previously introduced in [Del15].
Definition 22 (Parametric Interval Markov Chain)
A Parametric Interval Markov Chain is a tuple , where , , and are as for IMCs, is a set of variables (parameters) ranging over and associates with each potential transition a (parametric) interval.
Given a pIMC and a parameter valuation , we write for the IMC obtained by replacing by the function defined by . The IMC is called an instance of pIMC .
Finally, we say that a MC implements pIMC , written , iff there exists an instance of such that . We write for the set of MCs implementing and say that a pIMC is consistent iff its set of implementations is not empty.
3.3 Consistency of PIMCs
When considering IMCs, one question of interest is to decide whether it is consistent without computing its set of implementations. This problem has been addressed in [Del+12, Del15], yielding polynomial decision algorithms and procedures that produce one implementation when the IMC is consistent. The same question holds for pIMCs, although in a slightly different setting. [Del15] proposed a polynomial algorithm for deciding whether a given pIMC is consistent, in the sense that it admits at least one parameter valuation for which the resulting IMC is consistent.
In order to decide whether a given IMC is consistent, we need to address the set of potential successors of a given state . Let be the set of states that can be reached from with a probability interval not reduced to : .
We now introduce the notion of -consistency in the IMC setting and then adapt this notion to pIMCs. In practice, -consistency is defined by induction over the structure of .
Definition 23 (-consistency)
Let be an IMC and let be a function that assigns a distribution on to each state of . State is -consistent iff for all , , and, for , implies is -consistent.
We say that is -consistent if there exists such that is -consistent.
Definition 23 is thus equivalent to the following intuitive inductive definition: a state is -consistent iff there exists a distribution satisfying all of its outgoing probability intervals and such that for all , implies that is -consistent.
Theorem 3.2
Given an IMC , is consistent iff is -consistent.
Example 8
Let us consider the example in Fig. 4(b). All states but {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}} are [math]-consistent. Indeed it is possible to find probabilities within the exiting intervals that add up to . It is not the case for state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}}, which has a probability of to which we should add one that is at least , so the sum is at least . Then, for state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{2}}} to be -consistent, it must not have {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}} has a successor. This is possible by choosing [math] as the probability to go from {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{2}}} to {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}}. In the remaining two intervals, choosing probability leads to a sum of . Therefore, state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{2}}} is -consistent. One can check that all states but {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}} are -consistent, for all .
For the problem of consistency of pIMCs, the aim is not only to decide whether a given pIMC is consistent, but also to synthesise all parameter valuations that ensure consistency of the resulting IMC. For this purpose, we adapt the notion of -consistency defined above to pIMCs.
We first define the local consistency of a state w.r.t. some subset of its successors: the sum of upper bounds should be greater than , the sum of lower bounds smaller than , and all successors in have a valid interval.
Let us start by fixing a set of states that we want to avoid and then compute the set of valuations that ensure -consistency of through a distribution that avoids states from . Formally, is defined as: let and for ,
The set of valuations ensuring -consistency is then the union, for all potential choices of , of . We need to choose as a subset of the set of states which can be avoided, by transitions that have [math] or a parameter as lower bound. Therefore, we define .
Theorem 3.3
Given a pIMC and a parameter valuation , we have iff the IMC is consistent.
Example 9
It is easily shown that the consistency of the PIMC in Fig. 4(c) is [({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q}\leq 0.7)\cap({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q}\geq 0.3)]\cup({\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}q}=1).
This section has shown the crucial property of consistency in both parametric and non-parametric interval Markov chains. It thus sets the necessary elements before model checking such probabilistic models.
3.4 Further reading
The definitions and properties stated in this section are detailed in [DLP16]. They were revised in [PP18], where both inductive and co-inductive definitions of consistency are given, implemented with forward and backward algorithms. [DLP16] also addresses some properties: consistent avoidability, existential and universal consistent reachability.
4 Parametric Petri Nets
We now consider a parametric extension of Petri nets in which the weights of the arcs can be parameters. This extension was mainly studied in the Ph.D. thesis of Nicolas David [Dav17] and many of those results can also be found in [Dav+15, Dav+17].
Example 10
In order to illustrate the usefulness of this parameterised formalism, we consider the example, taken from [Dav17], of a financial loan. It is modelled in Fig. 5.
In the general case, a client has a certain amount of money, say {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}a}, and is ensured to get income {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}b} every month. To finance his project, the client needs to define with the bank the amount loaned {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}c}, the duration of reimbursement {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}d} (in months) and the amount of each reimbursement {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}e}. At the end of the process, the bank expects to get back the initial amount loaned {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}c} plus the interest {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}f}. The amount of money possessed by the client is depicted in place {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{funds}}. The signature of the contract is symbolised through the firing of transition {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{grantLoan}} which imposes to the bank to loan an amount {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}c} for a term of {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}d} months. Each month, we can fire {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{reimburse}}: the client receives its own income {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}b} that is added to its capital in {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{funds}} and in parallel an amount {\color[rgb]{1,0.6,0.0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0.6,0.0}e} is reimbursed to the bank. When we consider that the reimbursement is finished, we fire {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{endLoan}} that removes the token from {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{lock_{1}}} and allows us to enable the transitions of the second part of this example. We can then check if the bank can get its money back by testing if {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{loanOk}} can be marked and if the bank can get the interest by checking {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{interestOk}} can be marked or both by checking if {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{loanFinished}} can be marked.
With this example in mind, we now proceed to the corresponding formal definitions.
Definition 24 (Parametric Petri Net [Dav+15])
A (marked) parametric Petri Net (PPN) is a tuple where is a finite set of places, is a finite set of transitions such that , is a finite set of parameters, is the backward incidence function, is the forward incidence function, is the initial marking.
Let be a parametric Petri net. A valuation of the parameters of is a mapping from to .
We denote by the Petri net obtained by replacing all parameters by the value they are given by .
A marking of a (non-parametric) Petri net is a mapping from to . Markings can be compared component by component: if .
A transition is enabled by marking if for all , . A transition enabled by marking can be fired, leading to a new marking defined by . We note .
A run in the Petri net is a possibly infinite alternating sequence of markings and transitions such that and for all , .
4.1 Problems of interest
We extend classic problems defined for Petri nets to the parametric setting. These problems are reachability, coverability, and (un)boundedness.
A marking is reachable if there exists a finite run such that .
A marking is coverable if there exists a reachable marking such that .
A (non-parametric) Petri net is -bounded if for all reachable markings , we have . It is bounded if there exists some such that it is -bounded. If a net is not bounded, we say it is unbounded and then for all there exists a place and a reachable marking such that .
Similarly a Petri net is simultaneously unbounded [Dem13], for some subset of , if for all , there exists a reachable marking such that for all places , we have .
We consider two associated parametric decision problems: the existential and the universal problems. In the former we want to decide the existence of a parameter valuation for which some property holds, and in the latter we want to decide if it holds for all the possible parameter valuations. The property in question can be any of those defined above.
For instance, the existential parametric reachability problem asks, given a target marking , if there exists a parameter valuation such that is reachable in . Similarly, the universal coverability problem asks, given a target marking , if for all valuations of the parameters, is coverable in .
We finally define synthesis problems, in which we want to effectively compute the set of all parameter valuations for which some property holds. Note that if we can effectively compute this set, and check its emptiness or universality, then we can also solve the two decision problems above.
4.2 Undecidability Results for Parametric Petri Nets
We start with a few negative results.
Theorem 4.1 ([Dav+15])
The existential and universal parametric coverability, reachability, and (simultaneous) unboundedness problems are undecidable.
This theorem is proved by reducing the halting, and counter-boundedness problems for 2-counter machines [Min67] to those parametric problems for parametric Petri nets. We encode the value of each counter as the number of tokens in a place and we use parametric arcs to test for emptiness of that place (i.e. counter value [math]).
As a consequence, we need to consider meaningful subclasses for which we might obtain some decidability results.
4.3 Subclasses of Parametric Petri Nets
The basic observation guiding us in defining interesting subclasses of PPNs is that, in the 2-counter machine reduction briefly outlined above, we need both a post arc with a parametric weight and a pre arc with the same parametric weight .
We thus define preT-PPNs, postT-PPNs, and distinctT-PPNs according to whether the parameters are allowed only in pre arcs, in post arcs, or in both but not with the same parameters.
Definition 25 (preT- and postT-PPNs)
A preT-PPN (resp. postT-PPN) is a PPN in which the (resp. ) function has the form .
Definition 26 (distincT-PPNs)
A distinctT-PPN is a PPN in which the set of parameters used in the function and the set of those used in the function are disjoint.
We could also consider classic Petri nets in which the initial marking is parameterised. The corresponding formalism is called P-PPN. Such a parametric initial marking is easily simulated with an initial transition that has parametric weights in its post arcs and sets the initial marking. Interestingly, it can also be proved that postT-PPNs can be (weakly) simulated by P-PPNs [Dav+15].
Fig. 6 [Dav+15] summarises this hierarchy of subclasses.
4.4 Global Results
We now summarise the current state-of-the art for the study of PPNs. Table 2 gives the decidability results and whenever relevant the complexities for the universal problems, while Table 3 gives them for the existential problems.
In order to establish the decidability results, we use a variety of techniques. The most basic is that preT- and postT-PPNs have a strong monotonicity property [Dav+15]: increasing (resp. decreasing) the value of parameters in a postT-PPN (resp. preT-PPN) can only add behaviours. Second we can reduce universal coverability in preT-PPNs to simultaneous unboundedness, and existential coverability in postT-PPNs to coverability in the Petri nets of [Gee+15]. Both of these reductions can be found in [Dav+17]. Finally, we can adapt the Karp & Miller algorithm [KM69] to preT- and postT-PPNs [Dav17].
Table 4 presents results for the synthesis problem [Dav+17]. In the cases where we can compute the set of adequate valuations (✓), we mostly rely on the use of an algorithm to compute upward-closed sets by Valk and Jantzen [VJ85]. The negative results (✕) come from the fact that the emptiness or the universality of the set cannot be decided as a direct consequence of the undecidability results above, so there is little hope to find a useful representation of that set. The case of distinctT-PPNs is similar in so far as if we can compute the solution and test its intersection with equality constraints we can solve the synthesis problem for any PPN, by replacing parameters used both in pre and post arcs by different parameters (which gives a distinctT-PPN) and then constraining the solution set with equality constraints on these different parameters.
4.5 Conclusion
Parametric Petri nets are a powerful formalism to model flexible systems. In the general case, the interesting problems are undecidable but still useful subclasses can be obtained by restricting the use of parameters. For most of these subclasses, it is possible to actually synthesise the values of the parameters such that the net is unbounded, or such that some marking is coverable. It would nevertheless be interesting to design semi-algorithms or incomplete algorithms for the most expressive cases that do not fit in this restricted setting. A problem also remains open, i.e. the decidability of universal reachability for Petri nets with a parameterised initial marking.
5 Action synthesis
One of the classical approaches to verification and specification of concurrent systems employs Kripke structures as models and branching-time logics such as CTL as property description languages. In contrast to the models presented earlier, Kripke structures allow only for specifying sequential behaviours. Advanced data structures such as Binary Decision Diagrams [Bry86] (BDDs) together with algorithms based on fixed-point specification of CTL enable efficient verification of models whose state spaces exceed [Bur+90]. Here, we extend Action-Restricted Computation Tree Logic ARCTL [PR06] and its models with parameters, to obtain a framework that benefits from BDD-based fixed-point algorithms.
5.1 Mixed Transition Systems
Mixed Transition Systems [PR06] (MTS) are essentially Kripke structures with transitions labelled by actions.
Definition 27 (MTS)
Let be a set of propositional variables. A Mixed Transition System is a 5-tuple , where:
- •
is a finite set of states, and is the initial state,
- •
is a non-empty finite set of actions,
- •
is a transition relation,
- •
is a (state) valuation function.
We write if . Let and be a finite or infinite sequence of interleaved states and actions. By we denote the number of states in if is finite, and if is infinite. A sequence is a path over iff and for each and either is infinite or its final state does not have a -successor state in , i.e. for some and there is no and such that . By we denote the –th state of for all .
The set of all paths over in is denoted by , and the set of all paths starting from a given state is denoted by . We typically omit the symbol , writing and . By and we mean the corresponding sets restricted to the infinite paths only.
Example 11 (MTS)
A MTS with \mathit{AP}=\{{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathbf{p}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathbf{safe}}\}, {\mathcal{A}}=\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{forw.}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}}\}, and initial state {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}} is shown in Fig. 7. The path \pi=({\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}}) belongs to {\Pi}(\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}}\}), but not to the set {\Pi}(\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}}\}). The reason is that while is a maximal path over \{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}}\}, it is not maximal over \{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}}\} as it can be extended e.g. into the infinite path \pi^{\prime}=({\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{1}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{4}}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}},{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}},\ldots)\in{\Pi}(\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{back}}\}).
5.2 Parametric Action-Restricted CTL
The main difference between ARCTL and CTL is that in ARCTL each path quantifier is subscripted with a set of actions, e.g. E_{\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}},{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}}\}}G(E_{\{{\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{forw.}}\}}F{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathbf{safe}}) may be read as “there exists a path over {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{left}} and {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{right}}, on which it holds globally that a state satisfying is reachable along some path over {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{forw.}}”.
Parametric ARCTL (pmARCTL) extends ARCTL by allowing free variables in place of sets of actions, e.g. E_{Y}G(E_{Z}F{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathbf{safe}}) is a formula of pmARCTL, where and are free variables.
Definition 28 (pmARCTL syntax)
Let be a finite set of actions, a finite set of variables, a set of propositional variables, and . The set of formulae of pmARCTL is defined by the following grammar:
[TABLE]
where and .
The basic path quantifiers and modalities of pmARCTL have the same meaning as in CTL. The superscript ω restricts the quantification to the infinite paths, whereas the subscript α restricts the quantification to the paths over .
The semantics of pmARCTL is defined w.r.t. parameter valuations, i.e. functions . denotes the set of all parameter valuations. For conciseness, for we write if and if . Moreover, we assume that , for .
Definition 29 (pmARCTL semantics)
Let be an MTS and a parameter valuation. The relation is defined as follows:
- •
iff ,
- •
iff ,
- •
iff or ,
- •
iff and , for some ,
- •
iff for all , for some ,
- •
iff for some and for all , for some ,
where , , , and .
Example 12
For the MTS in Fig. 7 we have {\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathrm{s_{0}}}\models_{\upsilon}E_{Y}G(E_{Z}F{\color[rgb]{0.4,0.4,0.65}\definecolor[named]{pgfstrokecolor}{rgb}{0.4,0.4,0.65}\mathbf{safe}}) iff {\color[rgb]{0.50,0.70,0.30}\definecolor[named]{pgfstrokecolor}{rgb}{0.50,0.70,0.30}\mathit{forw.}}\in\upsilon(Z).
5.3 Parameter Synthesis for pmARCTL
In this subsection we show how to recursively characterise pmARCTL using the basic operator of parametric pre-image. These equivalences give rise to fixed-point algorithms that can be implemented using BDDs.
Let . Our goal is to construct the function s.t. for all we have . In other words, the set consists of all the parameter valuations that make true in state . Let us show how to build this function recursively, case by case. We omit the treatment of non-parametric modalities as the classical non-parametric methods of symbolic verification carry here with minimal alterations [HR04, RL07].
Boolean Connectives and Non-parametric Modalities.
For each , we have if and otherwise; ; and .
Parametric Pre-image and NeXt.
Let be a function. The parametric pre-image of w.r.t. is defined as the function s.t. for each . Intuitively, for each in we collect all the parameter valuations s.t. some state satisfying can be reached by firing in an action from . We therefore have
Parametric Temporal Modalities.
We employ the following equations to deal with two versions of the Globally modality:
[TABLE]
The following equation characterises the Until modality:
[TABLE]
We refer to [KMP15, KP15] on how to turn the above equations into fixed-point algorithms and implement them using BDDs. In all the cases, the returned result of running the overall synthesis algorithm for is the BDD that represents . This structure can be then queried for individual parameter valuations; for a certain class of formulae it is possible to synthesise minimal parameter valuations using prime implicants.
As a closing note let us mention that the emptiness problem for pmARCTL, i.e. the question whether for is known to be NP-complete [KMP15].
6 Tools
In this section, we finally briefly review tools related to the aforementioned formalisms.
6.1 IMITATOR
IMITATOR [And+12] is a software tool for parametric verification and robustness analysis of PTAs augmented with integer variables and stopwatches. Parameters can be used both in the model and in the properties. Verification capabilities include reachability-synthesis, deadlock-freeness-synthesis [And16], non-Zeno model checking [And+17], minimal-time synthesis [And+19], and trace-preservation-synthesis. IMITATOR is fully written in OCaml, and makes use of the Parma Polyhedra Library [BHZ08]. It also features distributed capabilities to run over a cluster.
IMITATOR comes with a benchmarks library available under an open source license [And19].
IMITATOR was successfully used in several application domains such as parametric schedulability analysis of a prospective architecture for the flight control system of the next generation of spacecrafts designed at ASTRIUM Space Transportation [Fri+12], formal timing analysis of music scores [FJ13], verification of software product lines [Lut+17], monitoring logs from the automotive domain against parametric properties [AHW18], and was used to propose a solution to a challenge related to a distributed video processing system by Thales [SAL15].
6.1.1 Related tools
The first tool to support modelling and verification using parametric timed automata was HyTech [HHW97]. In fact, HyTech supports linear hybrid automata (including clocks, parameters, stopwatches and general continuous variables); it can compute the state space, and perform operations (such as intersection, convex hull, difference) between sets of symbolic states. Therefore, it can be used to perform parametric model checking using reachability checking [Ace+98]. HyTech is not maintained anymore, but can still be found online in the form of a standalone binary for Linux.444https://embedded.eecs.berkeley.edu/research/hytech/
In [Hun+02], an extension of Uppaal implementing parametric difference bound matrices (PDBMs) and hence allowing for verification using PTAs is mentioned. However, this tool does not seem to be available anywhere online.
PHAVer [Fre08] is a tool for verifying safety properties of hybrid systems. It notably relies on exact arithmetic (with unlimited precision) using the Parma Polyhedra Library [BHZ08]; on the other hand, it also supports approximations.
SpaceEx [Fre+11] can be seen as a successor of PHAVer, and also tackles verification of reachability properties for hybrid systems. Parameters are not natively supported, but can be encoded using variables that are arbitrarily set up upon system start, and then remain subsequently constant (with a 0-slope). SpaceEx seems to have a lot of interesting recent developments.
PSyHCoS [And+13] allows the synthesis of parameters for a parametric extension of the process algebra Stateful timed CSP [Sun+13], itself a timed extension of Hoare’s communicating sequential processes [Hoa85]. When compared to other formalisms such as (parametric) timed automata, (parametric) stateful timed CSP has the advantage of giving the designer the ability to specify hierarchical systems.
Finally, Symrob is not strictly a tool for synthesis, but allows robustness measurement for timed automata [San15].
6.2 Roméo
Roméo [Lim+09] is a model-checking tool for a selection of hybrid extensions of Petri nets, enriched with discrete variables. In particular, it supports parametric time Petri nets, a formalism shown to be close to PTAs in terms of expressiveness [Bér+05, TLR09]. Roméo allows the use of parametric linear expressions in the time intervals of the transitions, and the addition of linear constraints on the parameters to restrict their domain. Roméo provides a simulator and an integrated model-checker supporting a subset of parametric TCTL (including reachability-synthesis and unavoidability-synthesis), in which “Until” modalities cannot be nested. It also features optimal cost reachability and parameter synthesis for cost-bounded reachability. Roméo implements in particular an original algorithm for integer parameter synthesis using a symbolic (continuous) representation [JLR15]. Roméo is mainly written in C++, and makes use of the Parma Polyhedra Library [BHZ08]. It has been successfully used in a few and diverse case-studies including the analysis of resilience properties in oscillatory biological systems [AMI16]; the synthesis of environment requirements for an aerial video tracking system [Par+16]; and the analysis of operational scenarios modelling in the DGA OMOTESC project [Sei09].
6.3 Spatula
Spatula [Kna, KMP15] implements the theory of action synthesis outlined in Section 5. The tool is written in C++ and employs CUDD library [Som] for representing and manipulating BDDs. Spatula accepts models represented as networks of automata written in a simplified C-like input language and pmARCTL as property description language. The result of synthesis for a given property is a BDD that represents all the valuations that make the property true. Spatula can also list all the minimal valuations (w.r.t. bitwise comparison) for the existential part of the logic.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[ACD 93] Rajeev Alur, Costas Courcoubetis and David L. Dill “Model-Checking in Dense Real-Time” In Information and Computation 104.1 Academic Press, 1993, pp. 2–34 DOI: 10.1006/inco.1993.1024 · doi ↗
- 2[Ace+98] Luca Aceto, Patricia Bouyer, Augusto Burgueño and Kim Guldstrand Larsen “The Power of Reachability Testing for Timed Automata” In FSTTCS 1530 , Lecture Notes in Computer Science Chennai, India: Springer, 1998, pp. 245–256 DOI: 10.1007/978-3-540-49382-2˙22 · doi ↗
- 3[AD 94] Rajeev Alur and David L. Dill “A theory of timed automata” In Theoretical Computer Science 126.2 Essex, UK: Elsevier Science Publishers Ltd., 1994, pp. 183–235 DOI: 10.1016/0304-3975(94)90010-8 · doi ↗
- 4[AHV 93] Rajeev Alur, Thomas A. Henzinger and Moshe Y. Vardi “Parametric real-time reasoning” In STOC San Diego, California, United States: ACM, 1993, pp. 592–601 DOI: 10.1145/167088.167242 · doi ↗
- 5[AHW 18] Étienne André, Ichiro Hasuo and Masaki Waga “Offline timed pattern matching under uncertainty” In ICECCS Melbourne, Australia: IEEE CPS, 2018, pp. 10–20 DOI: 10.1109/ICECCS 2018.2018.00010 · doi ↗
- 6[AL 17] Étienne André and Didier Lime “Liveness in L/U-Parametric Timed Automata” In ACSD Zaragoza, Spain: IEEE, 2017, pp. 9–18 DOI: 10.1109/ACSD.2017.19 · doi ↗
- 7[ALR 16] Étienne André, Didier Lime and Olivier H. Roux “Decision Problems for Parametric Timed Automata” In ICFEM 10009 , Lecture Notes in Computer Science Tokyo, Japan: Springer, 2016, pp. 400–416 DOI: 10.1007/978-3-319-47846-3˙25 · doi ↗
- 8[ALR 18] Étienne André, Didier Lime and Mathias Ramparison “TCTL model checking lower/upper-bound parametric timed automata without invariants” In FORMATS 11022 , Lecture Notes in Computer Science Beijing, China: Springer, 2018, pp. 1–17 DOI: 10.1007/978-3-030-00151-3˙3 · doi ↗
