Specification of Real-time Systems using a Timed Automata Model

with Shared Variables and Verification of Partial-deadlock Freeness

Kozo OKANO, Satoshi HATTORI, Akira YAMAMOTO, Teruo HIGASHINO and Kenichi TANIGUCHI
Graduate School of Engineering Science, Osaka University
okano,hattori,akira-y,higashino,taniguchi
@ics.es.osaka-u.ac.jp

Abstract
We propose a timed automata model with shared variables
(TASV). A TASV is a set of extended timed automata (ETAs) with
shared boolean variables. For this model, we propose (1) an algorithm which decides whether a given TASV is partial-deadlock
free, and (2) a sufficient condition that we can efficiently prove a
given TASV is partial-deadlock free. Each ETA in a TASV can access to /modify shared boolean variables independently. By constructing a tuple automaton for all ETAs in a given TASV, we can
decide the existence of deadlocks. However, such an approach
causes the state explosion problem. Our algorithm and our proposed sufficient condition reduce the possibility of the state explosion by dividing the ETAs into some sets and proving their
partial-deadlock freeness independently.

1 Introduction
For real-time systems, it is important to prove timing
correctness of their behaviors as well as logical correctness of their behaviors. In order to guarantee the correctness, it is very desirable that at abstract levels of a formal
specification of a real-time system, a designer can automatically prove several properties of the system. Many
models for real-time systems are proposed such as timed
automaton[1, 3], time petri net [5], mode chart[6] and so
on.
For a large real-time system, it is desirable that the system can be described as a set of its sub-systems. For example, timed automata can represent a system in such a
way. Each sub-system represented in a timed automaton
simultaneously executes its transition with the same event.
On the other hand, in UNITY[2], a parallel program with
shared variables, such communication can be performed
by access to /modification of shared variables independently. The communication mechanism of timed automata
can be seen as synchronous, while that of UNITY can be
seen as asynchronous.
In this paper, we propose a model, named timed automata model with shared variables (TASV). A TASV is
a set of extended timed automata with shared boolean variables 1 . Each sub-system described as an extended timed
1 We

can easily extend the model to a model with shared bounded in-

automaton (ETA) communicates each other by accessing

and modifying the values of the global shared variables.
We also propose (1) an algorithm which decides whether
a given TASV is partial-deadlock free and (2) a sufficient
condition with which we can efficiently prove that a TASV
is partial-deadlock free. Here, we informally say a TASV
is a partial deadlock free, if an ETA in the TASV cannot
run any more.
For a given TASV, we can decide the existence of deadlocks by constructing a tuple automaton of the TASV. It,
however, causes the state explosion. To overcome such a
problem, we divide the given TASV into some sets of automata, and check the property on each set of automata
independently.
In 2, we define our timed automata model with shared
variables, In 3, we describe the algorithms. 4 is conclusion.

Extended time automata

In this section, we define the extended timed automaton

and the timed automata model with shared variables.
2.1 Extended timed automaton
Definition 1 An extended timed automaton
tuple  
   .


is a seven-

is a set of events, where  is a set of

 "!
internal events and ! is a set of external events with
#$!%'& .
 is a finite set of states.
 )($ denotes an initial state.
 is a finite set of clocks.
 is a finite set of boolean variables.
 *  is a set of boolean variables whose initial values are TRUE. Other variables in ,+ have FALSE
as initial values.








.-/0-12-/3540-/37698;:=<?> @BAC-1DEGFH-1IJEK)F

is a set of transitions, where DEKGF and IJEL)F are a set

of clock constraints on  and a set of boolean expressions on  , respectively.
teger variables.

A transition from a state  to a state M for an event

N
is denoted by PO > QR+X> SW > TU> V YMKE=(ZF , where [\(%354
and ]^(,35698_:`<?> @BA are a set of clocks reset and a set of
boolean assignments. A clock constraint and a guard
expression of the transition are denoted by ab(1DEGF
and cd(,IJEL)F , respectively.
Definition 2 The time domain is a non-negative rational
set Q.
A clock constraint a is defined as follows: a^efhg op i/j
k
is a clock, io( Q is a
a1jlam/anj NULL, where g0(0
constant, and op (1pqGrG stGRuCv .
A guard expression c is defined as follows: c$ewyx"j k c/j
cHmncJj NULL, where xP(P .
Without loss of generality, we can regard that the clock
constraint does not contain not and z .
2.2 Semantics of ETA
Here, we explain the behavior of a single extended timed
automaton.
We consider two class of events: internal events and external events.
In an extended timed automaton, let us assume that the
current state is  and  has a transition bO > QR+X> {YW > TU> V YM . The
following is the behavior of the automaton. Let |}
(the time when ~ occurred) + (the time when the control
reached at  ).


aoz NULL and cz NULL:

Case 1. ~ is an internal event: if the evaluation of c is
true, then ~ must occur at a time when a holds. The
current state is changed to M .
Case 2. ~ is an external event: if the event ~ occurs,
and, c and a hold, then the current state is changed to
YM .
For both cases, the value of every clock in +Z[
increases by | .

aG NULL and cz NULL:

Case 1. ~ is an internal event: if c evaluates to be true,
then ~ must immediately occur. The current state is
changed to M . No clocks except clocks in [ proceed.
Case 2. ~ is an external event: if the event ~ occurs,
and c evaluates to be true, then the current state is
changed to YM . The value of every clock in +2[
increases by | .
aoz NULL and c NULL:
Case 1. ~ is an internal event: ~ must occur at a time
when a holds. The current state is changed to YM .
Case 2. ~ is an external event: if event ~ occurs, and
a holds, then the current state is changed to YM .
For both cases, the value of every clock in +Z[
increases by | .

a) NULL and c NULL:

Case 1. ~ is an internal event: ~ must immediately
occur. The current state is changed to M . No clocks
except clocks in [ proceed.
Case 2. ~ is an external event: when ~ occurs, the
current state is changed to M . The value of every clock
in 2+[ increases by | .

For every case, clocks in [ reset to 0. The values of shared

boolean variables are changed according to ] .
If  has more than one transition with the same event, c
or a must be exclusive among these transitions.
2.3 Timed automata model with shared variables
A timed automata model with shared variables (TASV)
is a set of extended timed automata.
In a TASV, every extended timed automaton can access
shared boolean variables, whereas, each extended timed
automaton can access only its clocks. No automaton can
access others clocks. Every clock proceeds simultaneously. We also restrict that every automaton does not share
events each other.
Definition 3 Timed automata model with shared variables
Let EF be a set of extended timed automata in a
timed automata model with shared variables  .
The behavior of a TASV is given as that of the tuple automaton of the TASV.
For a given timed automata model with shared variables
( ), a state of the tuple automaton is a tuple of states of
EF . Clocks of the tuple automaton is a union set of
each set of clocks. Each transition of the tuple automaton
is defined as usual way.
2.4 An example
Fig. 1 shows an example of a movie player described
in a TASV. The movie player is a client application which
plays movies sent from a server. Each frame is sent at constant rate (30fps). The client displays each frame according to QoS (Quality of Service). If the load of the system
is light then the value of QoS is high and the client displays every frame. If it is heavy, then the value of QoS
becomes low. In this case, the client skips one of two successive frames. QoS is represented as a boolean variable
HIGH. The client consists of a display controller, a QoS
controller and a central controller. Internal events  and
external events ! are the following:
= p Read Data, Decode, Draw, Check, Rate Down,

Rate Up, Sleep, Suspend, Resume v .
! = p Arrive, Good, Bad, Play, Stop v .
The initial values of shared boolean variables HIGH and
PLAY are FALSE and TRUE, respectively. In this example, we assume that data from the server do not disappear
and that drawing fault does not happen.

ETA A (display controller)

The automaton  controls the boolean variable PLAY,

which affects the behavior of and .

Arrive
HIGH
p2

Suspend

p6

Arrive

p1

not PLAY

Read Data
p3

Decode
p4

p5

Arrive
PLAY

not HIGH

Resume

Draw

K

Sleep

q3

Rate Down
HIGH:=FALSE

Good

not PLAY

q1

q6

Suspend

q5

q2

Check

Bad
PLAY
Resume

not HIGH

q4

K

Rate Up
HIGH:=TRUE

Sleep 

In this section, first we give the definition of partialdeadlock free. Then we give the algorithm and the sufficient condition.
3.1

ETA B (QoS controller)

HIGH

Verification

K
Sleep

ETA C (central controller)

Partial-deadlock free

We want to check whether a given TASV is partialdeadlock free. Deadlock is a well-known term which
means a system stops forever, while partial-deadlock informally means a sub-system stops forever in a given system.
In order to define partial-deadlock free, at first, we define an automaton of a given TASV; each state of the automaton consists of a combination of the values of the variables, a time region and a state of the tuple automaton of
the given TASV.
Definition 4 For a given TASV, , we define an automaton ELF as follows. Let sEF be the tuple automaton
of  . Using Algorithm 2 and Algorithm 3 that will be described in 3.4, we can construct a timed automaton. We
can construct EF by translating the obtained timed
automaton into a region automaton[1].
In our model, partial-deadlock freeness is defined as follows.

PLAY:=FALSE
Stop

r1

r2
Play

PLAY:=TRUE

Figure 1: An example (a movie player)

First, the automata ) and  are at the initial state
xB and , respectively. If a frame is arrived from the
server, then external event Arrive occurs. changes its
state to x_ with receiving event Arrive and then to state
x_ with receiving another event Arrive , if the value of the
boolean variable HIGH is FALSE. Thus, skips one frame
of two successive frames. If the value of the boolean variable HIGH is TRUE then changes its state to xX .
reads the data (Read Data) and decodes it (Decode), then
changes the current state to x_ . Thus, displays a frame
(Draw) within 20ms after the frame is arrived. changes
its state to xl and repeats the whole process.
The automaton checks the load of the system (Check).
If the load is light (Good) (or heavy (Bad)), then it changes
the value of the boolean variable HIGH to TRUE (or
FALSE). repeats the above process at 300ms interval.

Definition 5 For a given TASV , we say the TASV is

partial-deadlock free, if there is not any finite transition
sequence starting from the initial state of EF , such
that:
at the end state of the sequence, an ETA of the stops
forever.
3.2

A general (but naive) algorithm

For a given timed automata with shared variables AS, we

can decide whether AS is partial-deadlock free as follows.
1. Make ELF according to Definition 4.
2. Find a state that satisfies the following Property 1 in
ELF .
3. If there is such a state, then the given AS is not partialdeadlock free. If there is not such a state, then the
given AS is partial-deadlock free.
Property 1 Let GEKF be a set of states in extended
timed automata corresponding to a state  in EKF . In
ELF , there is not any executable transition outgoing
from  or there exists a state C(.GEYF , such that for
any reachable state YM from  , Y(PGEYMF holds.
This algorithm, however, results in the state explosion.

3.3 Outline of our algorithm

We introduce an equivalence called an influence equivalence, which makes a partition of a given set of automata,
We can check the property on each subset independently.
Thus, it reduces possibility of the state explosion.
3.4 The algorithm
Here, we assume that every guard expression in an ETA
is in a disjunctive normal form.
Definition 6 an influence relation
An influence relation W on a set of ETAs is defined as
follows.
We let W iff the following holds.
has a transition referring the value of a boolean variable
and the value of the variable is changed in some transition
in  .
Definition 7 an influence equivalence
An influence equivalence is the minimum relation satisfying:
W
and W
 then 0 .
Here, W is reflective and transitive closure of an influence
relation W .
We first describe some sub-algorithms of the main algorithm.
Algorithm 1 divides a set s of extended timed automata pY )7RRR)Xv into the partition of  at first.
The algorithm finally outputs a directed acyclic graph
(DAG), where each of its node is the tuple automaton of
 and each of its arc is corresponding to the influence relation W .
Algorithm 1 :
INPUT
: A set  of extended timed automata
OUTPUT : A directed acyclic graph
Let /pYJ RR v .
1. Let p RRYv be the partition of  induced by
the influence equivalence ( ).
2. Make the tuple automaton for each  E=Gr"9rPF .
3. Make a directed acyclic graph , where each of its
node is l . Each arc N of is defined as follows.
Arc N E ;YF is in the arc set of if and only if
there exists  and , such that ( , ( and
W hold.
Let GsHELF be a set of boolean variables which are
referred by an extended timed automaton  and is changed
by only  .
Algorithm 2 translates  into )M which does not use
GsHELF

Algorithm 2 :
INPUT
:
OUTPUT :

An extended timed automaton 

An extended timed automaton 
M

Let 
GsEKF

be
.

?
 R  

and let

pxlYRRRKx v

be

1. Let J be ?5Y M    . Initial state  M is

a tuple  7=ExFRRREfx F , where Ex F is the initial value of x .
 is a set of tuple K=5RR  , where s(/
= (
p TRUE  FALSE v .
> {YW > TU> V
YMG(% , add K= RRR5 QR> O +X
to  , where M RR= M are boolean
values obtained from RR=5 and ] .
2. Simplify each c of a transition in  by substituting
each occurrence of xXE=Gr"9rF in c to its value. Let
   Y M   H be the obtained automaton.
3. Return ? Y M    +^GsEKFH

For

QR> O +X
> {YW > T> V

K=M RR= M 

Algorithm 3 translates extended timed automaton 

with no guard expressions into another extended timed automaton  M . In Algorithm 3, we add some clock constraints to  in order to treat every transition (both the
transitions with internal events and external events) as a
transition in the timed automaton model. Therefore, we
can regard )M as a timed automaton.
Algorithm 3 :
INPUT
: An extended timed automaton 
OUTPUT : An extended timed automaton )M
Let N =E`GrrF be a transition with an internal event
outgoing from a state  .
1. Introduce a new clock .
2. Add time constraint ' to N .
3. Return the resulting automaton M
Definition 8 an ancestor set
For a given DAG and its node , let HEUF be a set
consisting of and its all ancestor nodes of .
Algorithm 4 is the central part of our algorithm. Algorithm 4 uses the property that for each leaf of the DAG ,
we can check partial-deadlock free independently.
If Algorithm 4 returns YES, then there is a partialdeadlock in the automaton (input leaf). If Algorithm 4 returns No, then the automaton is partial-deadlock free.
Algorithm 4 :
INPUT
:
:
OUTPUT :
1.
2.
3.
4.

A DAG
a leaf of
YES or NO

Construct EL ELF=F .

Find a state satisfying Property 1 on ELlHEKKF=F .
If there is such a state, return YES.
If there is not such a state, return No.

The following is the main algorithm.


Other events
Algorithm 5 (Decision algorithm) :
except

INPUT
: A set  of extended timed automata in a given TASV
OUTPUT : YES or NO
1. Construct a DAG by applying Algorithm 1 for  .

2. To each leaf of , apply Algorithm 4.
Other events

except

If Algorithm 4 returns YES, then return
YES.
Figure 2: Timed automaton

If Algorithm 4 always returns NO then reAlgorithm 7 :
turns NO.
INPUT
: A conjunction term
Proposition 1 If Algorithm 5 returns YES, then there is
: dELd lF
a partial-deadlock in  . If Algorithm 5 returns NO,
:
then  is partial-deadlock free.
OUTPUT : YES or NO
Here, is the conjunction term of c in  .
3.5 The sufficient condition and more efficient algoFor each  in dEKdlF , check the following.
rithm
9M be a timed automaton obtained by applying AlLet
If we reduce the number of elements in an ancestor
gorithm
2 and Algorithm 3 to the tuple automaton of
set, then we can check the partial-deadlock freeness on a
 EF .
smaller sized automaton.


Here, we give the sufficient condition, with which we

can reduce the number of elements in an ancestor set.
Definition 9 A parent concerning to
For an extended automaton  and a conjunction term
, let dEKdlF be a set of extended timed automata, such
that each of the extended timed automata changes every
boolean variable in .
Condition 1 For a given extended timed automaton , let
N
and c be a transition of and a guard expression of N ,
respectively. Note that c is a disjunctive normal form. Let
be one of conjunction terms in c . There is another automaton in dELolF and the following Property 2 holds
on .


Property 2 At any state in , eventually holds.

Case 1: M has transitions which make be TRUE

and transitions make be FALSE.
Let T pRRR=?v and F pYR v be sets
of transitions which make be TRUE and which make
be FALSE, respectively.
Construct a timed automaton  in Fig. 2 for a pair
of transitions l and .
Let s be the complement of .
For every pair of l and , check that the language
accepted by the product of 9M and s is empty [1]. If
it is true then return YES.
Case 2: M has only transitions which make be
TRUE.
If there is an executable transition in 9M which makes
be TRUE and is reachable from any state in 9M ,
then return YES.
Case 3: has only transitions which make be
FALSE.
Skip and select a new .

Algorithm 6 improves the input DAG using the sufficient

condition (Condition 1).


Algorithm 6 :
INPUT
: DAG
OUTPUT : DAG GM
Check each node in as follows, in breadth-first search
order. Let be the current node.

If there is not such an return NO.

1. If is a root of , then skip.

2. If is not a root of , then apply Algorithm 7 to each
conjunction term of c of , dEL lF and . If Algorithm 7 returns YES, delete from c .
Note that it implies the influence relation is also
changed.
Construct a new DAG GM according to the new influence
relation.
Algorithm 7 checks the sufficient condition (Condition
1).

The following is the revised algorithm.

Algorithm 8 (Decision algorithm (Revised version)) :
INPUT
: A set s of extended timed automata
OUTPUT : YES or NO
1. Construct a DAG by applying Algorithm 1 to input
 .
2. Apply Algorithm 6 to . Let GM be the result.
3. To each leaf of GM , apply Algorithm 4.

If Algorithm 4 returns YES, then return
YES.

If Algorithm 4 always returns NO then returns NO.

3.6 Validity of the algorithms

If Algorithm 8 returns NO for  , then s is partialdeadlock free. The reason is as follows.
Consider Algorithm 1. First, it generates the partitions
of  induced by the influence equivalence. Second, for
each subset, it constructs the tuple automaton =E`Grr
F of the subset. The behavior of the tuple automaton of
pYRRR v is equivalent to that of  . This algorithm
obviously terminates.
Next, let us consider Algorithm 2. Input is equivalent
to the resulting automaton M by the construction method.
The algorithm stops obviously.
Take Algorithm 3. Input is also equivalent to the resulting automaton M by the construction method. The termination of the algorithm is also obvious.
Then consider Algorithm 4. This algorithm constructs
the tuple automaton of an automaton at the leaf of the DAG
and all ancestors of it, and checks the existence of a partialdeadlock in the tuple automaton. If node ~ is not reachable
from node in the DAG, then it means the automaton ~ is
not influenced by through shared boolean variables. This
is the reason why we must check only the tuple automaton
of each leaf of the DAG.
Algorithm 4 stops when every leaf in the DAG is translated into a region automaton.
For Algorithm 6, we show that a transition N is executable if Condition 1 holds.
By the construction method in the algorithm 1, the clock
constraints a of N in the obtained automaton must be the
form gPu%E`tF=i .
During the condition 1 holds, the guard expression c of
N
can become true many times.
Therefore, the value of the clock g increases whenever c
becomes true. Hence, we can conclude that a holds sometime and then the transition N occurs at that time.
Next, we consider how a modified transition by Algorithm 6 affects deciding the partial-deadlock freeness. In
this algorithm, for a transition , if Condition 1 holds, then
remove its guard expressions. At a region automaton level,
it means that we check the existence of deadlocks regarding that the transition is executable, even though may
not be executable. Therefore, if Algorithm 8 returns NO,
we can say that the automata is partial-deadlock free.
Conversely, we cannot say, however, the automata has
a partial-deadlock, when Algorithm 8 returns YES, because the algorithm may detect a deadlock which cannot
occur actually.
Thus, we can say that automata are partial-deadlock
free, if Algorithm 8 returns NO from the DAG obtained
by applying the algorithms 1, 2, 6, and 4 to  .

3.7 Verification example

For the example movie player, because every transition
modifying proposition variables has no timing constraint,
thus we can easily check that each ETA has P property 2.
Every ETA A, B and C actually has Property 2. Therefore,
we can check partial-deadlock freeness on each of three
sub-systems (ETA A, B and C) independently, As a result
we can conclude that the movie player is partial-deadlock
free.

Conclusion

In this paper, we proposed a timed automata model with

shared variables which can represent real-time systems
with asynchronous actions. We also proposed an algorithm
which can decide whether a given timed automata model
with shared variables is partial-deadlock free, and a sufficient condition that allows to prove partial-deadlock freeness efficiently.
Our proposed algorithm works well on systems as follows.

The number of sub-systems in the influence equivalence is smaller than that of all sub-systems.

The form of DAG of the system is a simple tree
rather than a complex DAG.
For example, a simple signal controller that has several
censors and several signals for railway is one of such systems. Our future work includes applying our algorism to
the simple signal controller. Proposing an efficient algorithm to prove liveness property and safety property of a
given timed automata model with shared variables and extending our model to one with integer variables are also
considered as future work.

References
[1] K.M. Chandy and J. Misra : Parallel Program Design: A
Foundation, Addison-Wesley, New York. 1989.
[2] R. Alur and D.L. Dill : A theory of timed automata, Theoretical Computer Sciences, 126, pp.183-235, 1994.
[3] R. Alur and D.L. Dill : Automata-theoretic Verification
of Real-Time Systems, In Formal Methods for Real-Time
Computing, Trends in Software Series, pp.55-82, 1996.
[4] R. Alur, L. Fix and T.A. Henzinger : Event-Clock Automata
: A Determinizable Class of Timed Automata, Theoretical
Computer Science, 211, pp. 253-273, 1999.
[5] B. Berthmieu and M. Diaz : Modeling and Verification
of Time Dependent Systems using Time Petri Nets, IEEE
Transaction on Software Engineering, Vol.17, No.3, pp.259273, 1991.
[6] F. Jahanian and D.A. Stuart : A Method for Verifying Properties of Modechart Specification, Proceedings of the IEEE
Real-Time Systems Symposium, pp. 12-21, 1988.