Abstract
Probabilistic timed automata can be used to model systems in which probabilistic and timing behaviour coexist. Verification of probabilistic timed automata models is generally performed with regard to a single reference valuation π_{0} of the timing parameters. Given such a parameter valuation, we present a method for obtaining automatically a constraint K_{0} on timing parameters for which the reachability probabilities (1) remain invariant and (2) are equal to the reachability probabilities for the reference valuation. The method relies on parametric analysis of a nonprobabilistic version of the probabilistic timed automata model using the “inverse method”. The method presents the following advantages. First, since K_{0} corresponds to a dense domain around π_{0} on which the system behaves uniformly, it gives us a measure of robustness of the system. Second, it allows us to obtain a valuation satisfying K_{0} which is as small as possible while preserving reachability probabilities, thus making the probabilistic analysis of the system easier and faster in practice. We provide examples of the application of our technique to models of randomized protocols, and introduce an extension of the method allowing the generation of a “probabilistic cartography” of a system.
Notes
The verification engine used was the sparse matrix engine.
The only difference with regard to [18, 23] is the use of a single parameter TRANSTIME for the length of a packet transmission, instead of lower and upper bounds on this length, namely TRANSTIMEMIN and TRANSTIMEMAX, respectively. This simplifies the model with no consequence, since TRANSTIMEMAX had no incidence on the (time-abstract) behaviour of the system, and was only constrained to be greater than or equal to TRANSTIMEMIN. An advantage of considering a single transmission time is that the model trivially satisfies the criterion of anchored PPTAs. Furthermore, in contrast to [18, 23], we set the upper limit of the backoff counter to 1.
References
Alur R, Dill DL (1994) A theory of timed automata. Theor Comput Sci 126(2):183–235
Alur R, Henzinger TA, Vardi MY (1993) Parametric real-time reasoning. In: Proceedings of the twenty-fifth annual ACM symposium on theory of computing, STOC’93. ACM, New York, pp 592–601
André É (2010) An inverse method for the synthesis of timing parameters in concurrent systems. Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France
André É, Chatain Th, Encrenaz E, Fribourg L (2009) An inverse method for parametric timed automata. Int J Found Comput Sci 20(5):819–836
André É, Fribourg L (2010) Behavioral cartography of timed automata. In: Kučera A, Potapov I (eds) Proceedings of the 4th workshop on reachability problems in computational models (RP’10). Lecture notes in computer science, vol 6227. Springer, Berlin, pp 76–90
André É, Fribourg L, Kühne U, Soulat R (2012) IMITATOR 2.5: A tool for analyzing robustness in scheduling problems. In: 18th international symposium on formal methods (FM’12). Lecture notes in computer science, vol 7436. Springer, Berlin, pp 33–36
André É, Fribourg L, Sproston J (2009) An extension of the inverse method to probabilistic timed automata. In: Roggenbach M (ed) AVoCS’09, electronic communications of the EASST, vol 23. European Association of Software Science and Technology
Chamseddine N, Duflot M, Fribourg L, Picaronny C, Sproston J (2008) Computing expected absorption times for parametric determinate probabilistic timed automata. In: Proceedings of the 5th international conference on quantitative evaluation of systems (QEST’08). IEEE Comput Soc, Los Alamitos, pp 254–263
Daws C (2004) Symbolic and parametric model checking of discrete-time Markov chains. In: Proc. ICTAC’04. LNCS, vol 3407. Springer, Berlin, pp 280–294
Gregersen H, Jensen HE (1995) Formal design of reliable real time systems. Master’s thesis, Department of Mathematics and Computer Science, Aalborg University
Han T, Katoen JP, Mereacre A (2008) Approximate parameter synthesis for probabilistic time-bounded reachability. In: Proc. RTSS’08. IEEE Press, New York, pp 173–182
Hinton A, Kwiatkowska M, Norman G, Parker D (2006) PRISM: a tool for automatic verification of probabilistic systems. In: TACAS’06, LNCS, vol 3920. Springer, Berlin, pp 441–444
Hune T, Romijn J, Stoelinga M, Vaandrager F (2002) Linear parametric model checking of timed automata. J Log Algebr Program 52–53:183–220
Kemeny JG, Snell JL, Knapp AW (1976) Denumerable Markov chains, 2nd edn. Graduate texts in mathematics. Springer, Berlin
Kwiatkowska M, Norman G, Parker D (2009) Stochastic games for verification of probabilistic timed automata. In: FORMATS’09. LNCS, vol 5813. Springer, Berlin, pp 212–227
Kwiatkowska M, Norman G, Parker D, Sproston J (2006) Performance analysis of probabilistic timed automata using digital clocks. Form Methods Syst Des 29:33–78
Kwiatkowska M, Norman G, Segala R, Sproston J (2002) Automatic verification of real-time systems with discrete probability distributions. Theor Comput Sci 282:101–150
Kwiatkowska M, Norman G, Sproston J (2002) Probabilistic model checking of the IEEE 802.11 wireless local area network protocol. In: Proc. PAPM/PROBMIV’02. LNCS, vol 2399. Springer, Berlin, pp 169–187
Kwiatkowska M, Norman G, Sproston J (2003) Probabilistic model checking of deadline properties in the IEEE 1394 FireWire root contention protocol. Form Asp Comput 14(3):295–318
Kwiatkowska M, Norman G, Sproston J, Wang F (2007) Symbolic model checking for probabilistic timed automata. Inf Comput 205(7):1027–1077
Lanotte R, Maggiolo-Schettini A, Troina A (2007) Parametric probabilistic transition systems for system design and analysis. Form Asp Comput 19(1):93–109
Segala R (1995) Modeling and verification of randomized distributed real-time systems. Ph.D. thesis, Massachusetts Institute of Technology
PRISM web page. http://www.prismmodelchecker.org/
Acknowledgements
We are grateful to the anonymous referees for their helpful comments. Étienne André and Laurent Fribourg have been partially supported by the Agence Nationale de la Recherche, grant ANR-06-ARFU-005, and by Institute Farman (project SIMOP). Jeremy Sproston is supported in part by the project AMALFI—Advanced Methodologies for the AnaLysis and management of the Future Internet (Università di Torino/Compagnia di San Paolo).
Appendices
Appendix A: Proof of Proposition 1
In order to prove Proposition 1, we show that, for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that σ and σ′ generate the same time-abstract trace distributions (from the initial state). For this task, we require a number of preliminary definitions and results. First, we present a sufficient condition for two schedulers to generate the same time-abstract trace distributions. Recall that, given that we assume reset unicity, for all of the distributions μ∈Dist(Q×(X→ℝ_{≥0})) we consider in the transition relation of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and \(\mathsf{T}_{\mathcal{A}[\pi']}\), for each location q there will be at most one clock valuation w such that μ(q,w)>0. We will use \(w^{\mu}_{q}\) to denote this clock valuation. In the following, given two distributions μ,μ′∈Dist(Q×(X→ℝ_{≥0})), we write μ≃μ′ if, for each q∈Q, we have \(\mu(q,w^{\mu}_{q}) = \mu'(q,w^{\mu'}_{q})\). Given a triple (d,a,μ)∈ℝ_{≥0}×Σ×Dist(Q×(X→ℝ_{≥0})), we let dist(d,a,μ)=μ.
Lemma 1
Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and σ′ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi']}\). If dist(σ(ω))≃dist(σ′(ω′)) for each \(\omega\in\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) and \(\omega' \in \mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, then \(\mathsf{td}^{\sigma}_{(\overline{q},\mathbf{0})} = \mathsf{td}^{\sigma'}_{(\overline{q},\mathbf{0})}\).
Proof
The scheduler σ induces a Markov chain M^{σ} (see [14]), the states of which are finite paths (starting from \((\overline{q},\mathbf{0})\)), and the transition matrix of which assigns to a transition from path ω to path \(\omega\xrightarrow{d,a,\mu} (q,w)\) probability μ(q,w) if σ(ω)=(d,a,μ) (probability 0 is assigned to transitions from ω to paths not resulting from ω by appending the choice of σ(ω)). Similarly, scheduler σ′ induces a Markov chain M^{σ′}. The Markov chains M^{σ} and M^{σ′} are isomorphic: that is, given the bijection \(f: \mathit{Path}^{\sigma}(\overline{q},\mathbf{0}) \rightarrow \mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that f(ω)=ω′, where ω′ is the unique path of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, the Markov chain obtained from M^{σ} by substituting each \(\omega\in\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) by f(ω) (in the state space and in the transition matrix) is equal to M^{σ′}. Because f preserves traces (that is, trace(ω)=trace(f(ω))), we can then derive that \(\mathsf{td}^{\sigma}_{(\overline{q},\mathbf{0})} = \mathsf{td}^{\sigma'}_{(\overline{q},\mathbf{0})}\). □
Recall that the assumption of determinism on actions implies that, for any transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\), the probabilistic edge (q,_,a,_)∈prob associated with the transition is unique. A transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a unique-time transition if the probabilistic edge (q,_,a,_)∈prob is a unique-time probabilistic edge. Similarly, a transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a probability-1 transition if the probabilistic edge (q,_,a,_)∈prob is a probability-1 edge; otherwise it is a probabilistically-branching transition. A state (q,w) is a clock-0 state if w=0. The next lemma follows immediately from the definition of anchored PPTAs.
Lemma 2
Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n})\) be a path in either \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) or \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). Then there do not exist indices 0≤i<j≤n, determining the subpath \((q_{i},w_{i})\xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{j-1},a_{j-1},\mu_{j-1}} (q_{j},w_{j})\), such that
(1) \((q_{j-1},w_{j-1}) \xrightarrow{d_{j-1},a_{j-1},\mu_{j-1}} (q_{j},w_{j})\) is a probabilistically-branching transition,
(2) \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} (q_{i+1},w_{i+1})\) is not a unique-time transition, and
(3) (q_{k},w_{k}) is not a clock-0 state for each i≤k<j.
The following lemma states that ≡ preserves the “type” of transitions (where by “type” we mean unique-time/non-unique-time transition and probability-1/probabilistically-branching transition), and follows immediately from the definition of ≡.
Lemma 3
Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n})\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) and let \(\omega' = (q_{0}',w_{0}')\xrightarrow{d_{0}',a_{0},\mu_{0}'} \cdots \xrightarrow{d_{n-1}',a_{n-1},\mu_{n-1}'} (q_{n}',w_{n}')\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). Then if ω≡ω′, we have that the ith transition \((q_{i-1},w_{i-1}) \xrightarrow{d_{i-1},a_{i-1},\mu_{i-1}} (q_{i},w_{i})\) of ω is a unique-time transition (probability-1 transition, respectively) if and only if the ith transition \((q_{i-1}',w_{i-1}') \xrightarrow{d_{i-1}',a_{i-1},\mu_{i-1}'} (q_{i}',w_{i}')\) of ω′ is a unique-time transition (probability-1 transition, respectively), for 1≤i≤n.
In the following, for any path \(\omega= (q_{0},w_{0}) \xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n})\) and any 0≤i≤n, we recall that pref(ω,i) is the path prefix \((q_{0},w_{0}) \xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{i-1},a_{i-1},\mu_{i-1}} (q_{i},w_{i})\) comprising the transitions up to the (i+1)th state. We also write suf(ω,i) to denote the path suffix \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n})\) comprising the transitions from the (i+1)th state (as previously, we also refer to states as being paths of length 0, so pref(ω,0) is (q_{0},w_{0}) and suf(ω,n) is (q_{n},w_{n})). For 0≤i≤j≤n, we write ω_{i…j} for the path \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots \xrightarrow{d_{j-1},a_{j-1},\mu_{j-1}} (q_{j},w_{j})\). We use ω(i) to denote (q_{i},w_{i}), for 0≤i≤n. We say that a path ω′ is an extension of a path ω if ω=pref(ω′,i) for some 0≤i≤|ω′|.
Henceforth, we assume that \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). Given that we will construct the scheduler σ′ of \(\mathcal{A}[\pi']\) by induction on the length of paths, we need to avoid blocking situations in which the paths of σ′ replicate the paths of σ (in the sense of having the same time-abstract traces) only up to a certain path length, from which point at least one path of σ cannot be replicated by σ′. For example, consider the path ω of σ and the path ω′ of σ′ such that ω≡ω′; our aim is to define σ′ so that it replicates the choice σ(ω)=(d,a,μ) in the sense of choosing some (d′,a,μ′) such that μ≃μ′. The problematic situation, which we must avoid during the construction of σ′, is that in which, from last(ω′), no transition of the form (d′,a,μ′) can be taken because the guard g of the probabilistic edge (q,g,a,_) cannot be enabled from last(ω′) after letting time pass. The next technical lemma explains how this situation is avoided in the case of non-unique-time transitions: it states that, for any path ω of \(\mathcal{A}[\pi]\) ending in a sequence of non-unique-time transitions, any path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to the prefix of ω that ends where this sequence of non-unique-time transitions begins can be extended to a path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to the entire path ω.
Lemma 4
Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and let ω be a path of σ for which the last transition is not a unique-time transition. Let 0≤i<|ω| be the smallest i such that suf(ω,i) comprises only non-unique-time transitions. Let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′. Then there exists a path \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that (1) \(\mathsf{pref}(\hat{\omega}',i) = \omega'\) and (2) \(\omega\equiv\hat{\omega}'\).
Proof
Observe that, because \(\mathcal{A}\) is an anchored PPTA, any path of either \(\mathcal{A}[\pi]\) or \(\mathcal{A}[\pi']\) cycles through the following phases: a visit to a clock-0 state, then a (possibly empty) sequence of unique-time transitions, then a (possibly empty) sequence of non-unique-time transitions, then a visit to a clock-0 state, and so on. Let 0≤j≤i be the largest j such that ω(j) is a clock-0 state. Then from pref(ω,i)≡ω′, we have that ω′(j) is a clock-0 state. Furthermore, suf(ω′,j) contains only unique-time transitions, which follows from the following facts: ω_{j…i} contains only unique-time transitions, ω_{j…i}≡suf(ω′,j), and Lemma 3.
Now, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf {0}) \equiv\mathit{Path} ^{\mathcal{A} [\pi']}(\overline{q},\mathbf{0})\), we have that the existence of the path \(\omega\in\mathit {Path}^{\mathcal{A}[\pi ]}(\overline{q},\mathbf{0})\) implies the existence of a path \(\tilde{\omega} \in\mathit {Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\). Let \(\hat{\omega}' = \omega' \cdot\mathsf{suf}({\tilde{\omega}},{i})\) (where, in the usual manner, \(\omega' \cdot\mathsf{suf}({\tilde {\omega}},{i})\) denotes the concatenation of ω′ and \(\mathsf{suf}({\tilde {\omega}},{i})\)). Then \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\), from the following facts.
First, note that \(\hat{\omega}'(j)\) is a clock-0 state (from pref(ω,i)≡ω′ and the fact that ω(j) is a clock-0 state).
Second, because the fragment of the path ω from point j to point i (that is, ω_{j…i}) contains only unique-time transitions, together with the fact that pref(ω,i)≡ω′ and Lemma 3, we have that ω′_{j…i} contains only unique-time transitions. Furthermore, note that, after a clock-0 state followed by a sequence of unique-time transitions, there is only one possible clock valuation: this clock valuation is determined completely by the sequence of unique-time transitions.
From these facts, we can arrive at the following conclusion: after the fragment of ω′ from point j to point i, there is only one possible clock valuation for the state ω′(i), and hence \(\omega'(i) = \tilde{\omega}(i)\). Intuitively, this means that if \(\mathsf{suf}(\tilde{\omega},i)\) is a possible extension of the path \(\tilde{\omega}\) from point i, then \(\mathsf{suf}(\tilde{\omega},i)\) is also a possible extension of the path ω′. This allows us to conclude that \(\tilde{\omega} \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) implies \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). With regard to the two further conditions on \(\hat{\omega}'\) given in the lemma, we note that condition (1) (\(\mathsf{pref}(\hat{\omega}',i) = \omega'\)) follows immediately from the definition of \(\hat{\omega}'\), and condition (2) (\(\omega\equiv\hat{\omega}'\)) follows from the fact that we assume in the statement of the lemma that pref(ω,i)≡ω′, and from the fact that \(\omega\equiv\tilde{\omega}\) implies trivially that \(\mathsf{suf}(\omega,i) \equiv\mathsf{suf}(\tilde{\omega},i)\). □
Let ω be a path of σ for which the last transition is not a unique-time transition. Let 0≤i<|ω| be the smallest i such that suf(ω,i) comprises only non-unique-time transitions, and let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′. Lemma 4 allows us to choose a particular \(\langle\!\langle \omega \rangle\!\rangle_{\omega'} \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), which depends on ω and ω′, such that (1) pref(〈〈ω〉〉_{ω′},i)=ω′ and (2) ω≡〈〈ω〉〉_{ω′}.
We now proceed to the proof of Proposition 1. In the standard way, given \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n})\), we write \(\omega\xrightarrow{d,a,\mu} (q,w)\) to denote the path \((q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{n-1},a_{n-1},\mu_{n-1}} (q_{n},w_{n}) \xrightarrow{d,a,\mu} (q,w)\). In the following, we write \((\omega\xrightarrow{d,a,\mu}) \in \mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) if there exists some state (q,w) such that \(\omega\xrightarrow{d,a,\mu} (q,w) \in\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\); analogous notation is used for \(\mathcal{A}[\pi']\).
Proof (Proposition 1)
By Lemma 1, it suffices to show the following result: for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that, for each \(\omega\in\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) and \(\omega' \in\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, we have dist(σ(ω))≃dist(σ′(ω′)).
We proceed with the construction of σ′ by considering paths of progressively greater length. In the following, we let \(\mathit{Path}^{\sigma}_{i}(\overline{q},\mathbf{0})\) be the set of paths of \(\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) of length i; similarly, \(\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) denotes the set of paths of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) of length i.
Let i≥0. Assume that we have defined σ′ for all paths of \(\mathit{Path}^{\sigma'}_{j}(\overline{q},\mathbf{0})\) for all 0≤j<i. Now we define σ′ for paths of \(\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\). Let \(\omega\in\mathit{Path}^{\sigma}_{i}(\overline{q},\mathbf{0})\) be a path of \(\mathcal{A}[\pi]\) of length i, and let \(\omega' \in\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) be the unique (by determinism on actions) path of \(\mathcal{A}[\pi']\) of length i such that ω≡ω′. Let σ(ω)=(d,a,μ). Our aim is to show the existence of (last(ω′),d′,a,μ′) in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that μ≃μ′. Then we let σ′(ω′)=(d′,a,μ′).
In the case in which last(ω) is a clock-0 state, we proceed as follows. We note that, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0}) \equiv \mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), the existence of \((\omega\xrightarrow{d,a,\mu}) \in\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) implies the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in \mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Given that \(\omega\equiv\tilde{\omega}\) and ω≡ω′, and that last(ω) is a clock-0 state, we must have that \(\mathit{last}(\omega) = \mathit{last}(\tilde{\omega}) = \mathit{last}(\omega')\). In this case it is immediate to see that the fact that \((\mathit{last}(\tilde{\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\) implies that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′). From μ≃μ′, it follows that dist(σ(ω))≃dist(σ′(ω′)).
Now we consider the case in which last(ω) is not a clock0 state. We consider two subcases.
Subcase: the last transition of ω is a unique-time transition. Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that ω(j) is a clock-0 state and suf(ω,j) contains only unique-time transitions.
From \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), the existence of the path \((\omega\xrightarrow{d,a,\mu}) \in\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) implies the existence of a path \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Now consider suf(ω,j) and \(\mathsf{suf}(\tilde{\omega},j)\). Observe that only unique-time transitions feature along \(\mathsf{suf}(\tilde{\omega},j)\) (this follows from the fact that suf(ω,j) contains only unique-time transitions, from the fact that \(\omega\equiv\tilde{\omega}\) implies that \(\mathsf{suf}(\omega,j) \equiv\mathsf{suf}(\tilde{\omega},j)\), and from Lemma 3). Given that \(\tilde{\omega}(j)\) is a clock-0 state, and that \(\mathsf{suf}(\tilde{\omega},j)\) features only unique-time transitions, it must be the case that, for each state visited along \(\mathsf{suf}(\tilde{\omega},j)\), there is only one possible clock valuation. Hence we must have \(\mathsf{suf}(\omega',j) = \mathsf{suf}(\tilde{\omega},j)\). This implies that \(\mathit{last}(\omega') = \mathit{last}(\tilde{\omega})\). Given that the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) implies that \((\mathit{last}(\tilde{\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\), it follows trivially that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′).
Subcase: the last transition of ω is not a unique-time transition. Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that suf(ω,j) contains only non-unique-time transitions.
First, suppose that there exists some path of σ that is an extension of ω and which ends in a clock-0 state; then let \(\omega\uparrow^{\sigma}_{0}\) be the shortest such path. Given that the last transition of ω is not a unique-time transition, by Lemma 2, the last transition of \(\omega\uparrow^{\sigma}_{0}\) is not a unique-time transition. Given that pref(ω,j)≡pref(ω′,j), we can employ Lemma 4 to define the path \(\langle\!\langle \omega\uparrow^{\sigma}_{0} \rangle\!\rangle_{\mathsf{pref}(\omega',j)}\): this path is in \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), extends pref(ω′,j), and is such that \(\omega\uparrow^{\sigma}_{0} \equiv\langle\!\langle \omega\uparrow^{\sigma}_{0} \rangle\!\rangle_{\mathsf{pref}(\omega',j)}\). Let \((q,w) \xrightarrow{d',a,\mu'} (q',w')\) be the (i+1)th transition of \(\langle\!\langle \omega\uparrow^{\sigma}_{0} \rangle\!\rangle_{\mathsf{pref}(\omega',j)}\). Then we let σ′(ω′)=(d′,a,μ′). From the fact that \(\omega\uparrow^{\sigma}_{0} \equiv\langle\!\langle \omega\uparrow^{\sigma}_{0} \rangle\!\rangle_{\mathsf{pref}(\omega',j)}\), we have that μ≃μ′ (in fact, because (last(ω),d,a,μ) and (last(ω′),d′,a,μ′) are not unique-time transitions, we must have μ(q′)=μ′(q′)=1).
Alternatively, suppose that there does not exist a path of σ which extends ω and which ends in a clock-0 state. Note that, by the definition of anchored PPTAs, this means that all paths of σ that are extensions of ω feature only non-unique-time (and hence probability-1) transitions. Hence we can conclude the following: all paths of σ that are extensions of ω are of the form \(\overline{\omega} \xrightarrow{d,a,\mu_{(q,w)}} (q,w)\), where \(\sigma(\overline{\omega}) = (d,a,\mu_{(q,w)})\) and \(\overline{\omega}\) is either ω itself or a path of σ that is an extension of ω. These extensions of ω form a countably infinite sequence of paths progressively extending ω. Given the definition of σ′ up to ω′, we can also find a countably infinite sequence of paths progressively extending ω′, such that each extension of ω′ is equivalent under ≡ to the extension of ω of the same length. This sequence of paths is obtained by considering each extension of ω in turn and applying Lemma 4, and it defines the transitions chosen by σ′ for every extension of ω′. It can then be seen that, for any extension of ω under σ and any ≡-equivalent extension of ω′ under σ′, the distributions in the transitions of σ and σ′ are ≃-equivalent.
Given Lemma 1, we have completed the proof of Proposition 1. □
Appendix B: The inverse method
Given a (classical) parametric timed automaton \(\mathcal{A}\) and a reference valuation π of parameters, the inverse method outputs a constraint K such that:
1. π⊨K,
2. \(\mathit{Path}^{\mathcal{A}[\pi]}\equiv\mathit{Path}^{\mathcal{A}[\pi']}\), for all π′⊨K.
The algorithm IM can be summarized as follows. Starting with K:=true, we iteratively compute a growing set of reachable symbolic states. A symbolic state of the system is a pair (q,C), where q is a location of \(\mathcal{A}\) and C is a constraint on the clocks and the parameters. When a π-incompatible state (q,C) is encountered (i.e. when \(\pi\not\models C\)), K is refined as follows: a π-incompatible inequality J (i.e. one such that \(\pi\not\models J\)) is selected within C, and ¬J is added to K. The procedure is then started again with this new K, and so on, until no new reachable state is computed.
The algorithm IM is given in Algorithm 1. Given a linear inequality J of the form e<e′ (resp. e≤e′), the expression ¬J denotes the negation of J and corresponds to the linear inequality e′≤e (resp. e′<e). Given a constraint C on the clocks and the parameters, the expression ∃X:C denotes the constraint on the parameters obtained from C after elimination of the clocks.
We define \(\mathcal{A}(K)\) as \(\{ \mathcal{A}[\pi] \mid\pi\models K\}\), \(\mathit{Post}_{\mathcal{A}(K)}^{i}(S)\) as the set of states reachable from S in exactly i steps, and \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)\) as the set of all states reachable from S in \(\mathcal{A}(K)\) (i.e. \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)=\bigcup_{i\geq0 }\mathit {Post}_{\mathcal{A}(K)}^{i}(S)\)). Given two sets of states S and S′, we write S⊑S′ iff ∀s∈S,∃s′∈S′ s.t. s=s′.
Appendix C: The behavioural cartography algorithm
We recall algorithm BC in Algorithm 2.
Imitator also implements the behavioural cartography algorithm in a fully automated way.
Cite this article
André, É., Fribourg, L. & Sproston, J. An extension of the inverse method to probabilistic timed automata. Form Methods Syst Des 42, 119–145 (2013). https://doi.org/10.1007/s10703-012-0169-x