Abstract
Probabilistic timed automata can be used to model systems in which probabilistic and timing behaviour coexist. Verification of probabilistic timed automata models is generally performed with regard to a single reference valuation \(\pi_{0}\) of the timing parameters. Given such a parameter valuation, we present a method for obtaining automatically a constraint \(K_{0}\) on timing parameters for which the reachability probabilities (1) remain invariant and (2) are equal to the reachability probabilities for the reference valuation. The method relies on parametric analysis of a non-probabilistic version of the probabilistic timed automata model using the “inverse method”. The method presents the following advantages. First, since \(K_{0}\) corresponds to a dense domain around \(\pi_{0}\) on which the system behaves uniformly, it gives us a measure of robustness of the system. Second, it allows us to obtain a valuation satisfying \(K_{0}\) which is as small as possible while preserving reachability probabilities, thus making the probabilistic analysis of the system easier and faster in practice. We provide examples of the application of our technique to models of randomized protocols, and introduce an extension of the method allowing the generation of a “probabilistic cartography” of a system.
Notes
The verification engine used was the sparse matrix engine.
The only difference with regard to [18, 23] is the use of a single parameter TRANSTIME for the length of a packet transmission, instead of lower and upper bounds on this length, namely TRANSTIMEMIN and TRANSTIMEMAX, respectively. This simplifies the model with no consequence, since TRANSTIMEMAX had no incidence on the (time-abstract) behaviour of the system, and was only constrained to be greater or equal to TRANSTIMEMIN. An advantage of considering a single transmission time is that the model trivially satisfies the criterion of anchored PPTAs. Furthermore, in contrast to [18, 23], we set the upper limit of the backoff counter to 1.
References
Alur R, Dill DL (1994) A theory of timed automata. Theor Comput Sci 126(2):183–235
Alur R, Henzinger TA, Vardi MY (1993) Parametric real-time reasoning. In: Proceedings of the twenty-fifth annual ACM symposium on theory of computing, STOC’93. ACM, New York, pp 592–601
André É. (2010) An inverse method for the synthesis of timing parameters in concurrent systems. Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France
André É., Chatain Th, Encrenaz E, Fribourg L (2009) An inverse method for parametric timed automata. Int J Found Comput Sci 20(5):819–836
André É., Fribourg L (2010) Behavioral cartography of timed automata. In: Kučera A, Potapov I (eds) Proceedings of the 4th workshop on reachability problems in computational models (RP’10). Lecture notes in computer science, vol 6227. Springer, Berlin, pp 76–90
André É., Fribourg L, Kühne U, Soulat R (2012) IMITATOR 2.5: A tool for analyzing robustness in scheduling problems. In: 18th international symposium on formal methods (FM’12). Lecture notes in computer science, vol 7436. Springer, Berlin, pp 33–36
André É., Fribourg L, Sproston J (2009) An extension of the inverse method to probabilistic timed automata. In: Roggenbach M (ed) AVoCS’09, electronic communications of the EASST, vol 23. European Association of Software Science and Technology
Chamseddine N, Duflot M, Fribourg L, Picaronny C, Sproston J (2008) Computing expected absorption times for parametric determinate probabilistic timed automata. In: Proceedings of the 5th international conference on quantitative evaluation of systems (QEST’08). IEEE Comput Soc, Los Alamitos, pp 254–263
Daws C (2004) Symbolic and parametric model checking of discrete-time Markov chains. In: Proc. ICTAC’04. LNCS, vol 3407. Springer, Berlin, pp 280–294
Gregersen H, Jensen HE (1995) Formal design of reliable real time systems. Master’s thesis, Department of Mathematics and Computer Science, Aalborg University
Han T, Katoen JP, Mereacre A (2008) Approximate parameter synthesis for probabilistic time-bounded reachability. In: Proc. RTSS’08. IEEE Press, New York, pp 173–182
Hinton A, Kwiatkowska M, Norman G, Parker D (2006) PRISM: a tool for automatic verification of probabilistic systems. In: TACAS’06, LNCS, vol 3920. Springer, Berlin, pp 441–444
Hune T, Romijn J, Stoelinga M, Vaandrager F (2002) Linear parametric model checking of timed automata. J Log Algebr Program 52–53:183–220
Kemeny JG, Snell JL, Knapp AW (1976) Denumerable Markov chains, 2nd edn. Graduate texts in mathematics. Springer, Berlin
Kwiatkowska M, Norman G, Parker D (2009) Stochastic games for verification of probabilistic timed automata. In: FORMATS’09. LNCS, vol 5813. Springer, Berlin, pp 212–227
Kwiatkowska M, Norman G, Parker D, Sproston J (2006) Performance analysis of probabilistic timed automata using digital clocks. Form Methods Syst Des 29:33–78
Kwiatkowska M, Norman G, Segala R, Sproston J (2002) Automatic verification of real-time systems with discrete probability distributions. Theor Comput Sci 282:101–150
Kwiatkowska M, Norman G, Sproston J (2002) Probabilistic model checking of the IEEE 802.11 wireless local area network protocol. In: Proc. PAPM/PROBMIV’02. LNCS, vol 2399. Springer, Berlin, pp 169–187
Kwiatkowska M, Norman G, Sproston J (2003) Probabilistic model checking of deadline properties in the IEEE 1394 FireWire root contention protocol. Form Asp Comput 14(3):295–318
Kwiatkowska M, Norman G, Sproston J, Wang F (2007) Symbolic model checking for probabilistic timed automata. Inf Comput 205(7):1027–1077
Lanotte R, Maggiolo-Schettini A, Troina A (2007) Parametric probabilistic transition systems for system design and analysis. Form Asp Comput 19(1):93–109
Segala R (1995) Modeling and verification of randomized distributed real-time systems. Ph.D. thesis, Massachusetts Institute of Technology
PRISM web page. http://www.prismmodelchecker.org/
Acknowledgements
We are grateful to the anonymous referees for their helpful comments. Étienne André and Laurent Fribourg have been partially supported by the Agence Nationale de la Recherche, grant ANR-06-ARFU-005, and by Institute Farman (project SIMOP). Jeremy Sproston is supported in part by the project AMALFI—Advanced Methodologies for the AnaLysis and management of the Future Internet (Università di Torino/Compagnia di San Paolo).
Appendices
Appendix A: Proof of Proposition 1
In order to prove Proposition 1, we show that, for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that σ and σ′ generate the same time-abstract trace distributions (from the initial state). For this task, we require a number of preliminary definitions and results. First, we present a sufficient condition for two schedulers to generate the same time-abstract trace distributions. Recall that, given that we assume reset unicity, for all of the distributions μ∈Dist(Q×(X→ℝ≥0)) we consider in the transition relation of \(\mathsf{T}_{\mathcal {A}[\pi]}\) and \(\mathsf{T}_{\mathcal{A}[\pi']}\), for each location q there will be at most one clock valuation w such that μ(q,w)>0. We will use \(w^{\mu}_{q}\) to denote this clock valuation. In the following, given two distributions μ,μ′∈Dist(Q×(X→ℝ≥0)), we write μ≃μ′ if, for each q∈Q, we have \(\mu(q,w^{\mu}_{q}) = \mu'(q,w^{\mu'}_{q})\). Given a triple (d,a,μ)∈ℝ≥0×Σ×Dist(Q×(X→ℝ≥0)), we let dist(d,a,μ)=μ.
Lemma 1
Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and σ′ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi']}\). If dist(σ(ω))≃dist(σ′(ω′)) for each \(\omega\in\mathit{Path}^{\sigma}(\overline{q},\mathbf {0})\) and \(\omega' \in \mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, then \(\mathsf{td}^{{\sigma}}_{{(\overline{q},\mathbf{0})}} = \mathsf{td}^{{\sigma'}}_{{(\overline{q},\mathbf{0})}}\).
Proof
The scheduler σ induces a Markov chain M σ (see [14]), the states of which are finite paths (starting from \((\overline{q} ,\mathbf{0})\)), and the transition matrix of which assigns to a transition from path ω to path \(\omega\xrightarrow{d,a,\mu} (q,w)\) probability μ(q,w) if σ(ω)=(d,a,μ) (probability 0 is assigned to transitions from ω to paths not resulting from ω by appending the choice of σ(ω)). Similarly, scheduler σ′ induces a Markov chain M σ′. The Markov chains M σ and M σ′ are isomorphic: that is, given a bijection \(f: \mathit{Path}^{\sigma}(\overline {q},\mathbf{0}) \rightarrow \mathit{Path} ^{\sigma'}(\overline{q},\mathbf{0})\) such that f(ω)=ω′, where ω′ is the unique path of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, we have that the Markov chain obtained from M σ by substituting each \(\omega\in\mathit{Path}^{\sigma}(\overline {q},\mathbf{0})\) by f(ω) (in the state space and transition matrix) is equal to M σ′. Because f preserves traces (that is, trace(ω)=trace(f(ω))), we can then derive that \(\mathsf{td}^{{\sigma}}_{{(\overline {q},\mathbf{0})}} = \mathsf{td}^{{\sigma '}}_{{(\overline {q},\mathbf{0})}}\). □
Recall that the assumption of determinism on actions implies that, for any transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\), the probabilistic edge (q,_,a,_)∈prob associated with the transition is unique. A transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a unique-time transition if the probabilistic edge (q,_,a,_)∈prob is a unique-time probabilistic edge. Similarly, a transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a probability-1 transition if the probabilistic edge (q,_,a,_)∈prob is a probability-1 edge, otherwise it is a probabilistically-branching transition. A state (q,w) is a clock-0 state if w=0. The next lemma follows immediately from the definition of anchored PPTAs.
Lemma 2
Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) be a path in either \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf {0})\) or \(\mathit{Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\). Then there do not exist indices 0≤i<j≤n, determining the sub-path \((q_{i},w_{i})\xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{j-1},a_{j-1}, \mu_{j-1}} (q_{j},w_{j})\), such that:
(1) \((q_{j-1},w_{j-1}) \xrightarrow{d_{j-1},a_{j-1}, \mu_{j-1}} (q_{j},w_{j})\) is a probabilistically-branching transition,
(2) \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} (q_{i+1},w_{i+1})\) is not a unique-time transition, and
(3) \((q_{k},w_{k})\) is not a clock-0 state for each i≤k<j.
The following lemma states that ≡ preserves the “type” of transitions (where by “type” we mean unique-time transition/non-unique-time transition and probability-1/probabilistically branching transition), and follows immediately from the definition of ≡.
Lemma 3
Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) and let \(\omega' = (q_{0}',w_{0}')\xrightarrow{d_{0}',a_{0},\mu_{0}'} \cdots \xrightarrow{d_{n-1}',a_{n-1}, \mu_{n-1}'} (q_{n}',w_{n}')\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\). Then if ω≡ω′, we have that the i-th transition \((q_{i-1},w_{i-1}) \xrightarrow {d_{i-1},a_{i-1}, \mu_{i-1}} (q_{i},w_{i})\) of ω is a unique-time transition (probability-1 transition, respectively) if and only if the i-th transition \((q_{i-1}',w_{i-1}') \xrightarrow {d_{i-1}',a_{i-1}, \mu_{i-1}'} (q_{i}',w_{i}')\) of ω′ is a unique-time transition (probability-1 transition, respectively), for 1≤i≤n.
In the following, for any path \(\omega= (q_{0},w_{0}) \xrightarrow {d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) and any 0≤i≤n, we recall that pref(ω,i) is the path prefix \((q_{0},w_{0}) \xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{i-1},a_{i-1}, \mu _{i-1}} (q_{i},w_{i})\) comprising the transitions up to the (i+1)-th state. We also write suf(ω,i) to denote the path suffix \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu _{n-1}} (q_{n},w_{n})\) comprising the transitions from the (i+1)-th state (as previously, we also refer to states as being paths of length 0, so pref(ω,0) is (q 0,w 0) and suf(ω,n) is (q n ,w n )). For 0≤i≤j≤n, we write ω i…j for the path \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots \xrightarrow {d_{j-1},a_{j-1},\mu_{j-1}} (q_{j},w_{j})\). We use ω(i) to denote (q i ,w i ), for 0≤i≤n. We say that a path ω′ is an extension of a path ω if ω=pref(ω′,i) for some 0≤i≤|ω′|.
Henceforth, we assume that \(\mathit{Path}^{\mathcal{A}[\pi ]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). Given that we will construct the scheduler σ′ of \(\mathcal {A}[\pi']\) by induction on the length of paths, we need to avoid blocking situations in which the paths of σ′ replicate the paths of σ (in the sense of having the same time-abstract traces) only up to a certain path length, from which point at least one path of σ cannot be replicated by σ′. For example, consider the path ω of σ and the path ω′ of σ′ such that ω≡ω′; our aim is to define σ′ so that it replicates the choice σ(ω)=(d,a,μ) in the sense of choosing some (d′,a,μ′) such that μ≃μ′. The problematic situation, which we must avoid during the construction of σ′, is that in which, from last(ω′), no transition of the form (d′,a,μ′) can be taken because the guard g of the probabilistic edge (q,g,a,_) cannot be enabled from last(ω′) after letting time pass. The next technical lemma explains how this situation is avoided in the case of non-unique-time transitions: it states that, for any path ω of \(\mathcal{A}[\pi]\) ending in a sequence of non-unique-time transitions, any path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to the prefix of ω preceding that sequence of non-unique-time transitions can be extended to a path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to the entire path ω.
Lemma 4
Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and let ω be a path of σ for which the last transition is not a unique-time transition. Let 0≤i<|ω| be the smallest i such that suf(ω,i) comprises only non-unique-time transitions. Let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′. Then there exists a path \(\hat{\omega}' \in\mathit{Path}^{\mathcal {A}[\pi ']}(\overline{q} ,\mathbf{0})\) such that (1) \(\mathsf{pref}({\hat{\omega}'},{i}) = \omega'\) and (2) \(\omega\equiv\hat{\omega}'\).
Proof
Observe that, because \(\mathcal{A}\) is an anchored PPTA, any path of either \(\mathcal{A}[\pi]\) or \(\mathcal{A}[\pi']\) cycles through the following phases: visit to a clock-0 state, then a (possibly empty) sequence of unique-time transitions, then a (possibly empty) sequence of non-unique-time transitions, then a visit to a clock-0 state, etc. Let 0≤j≤i be the largest j such that ω(j) is a clock-0 state. Then from pref(ω,i)≡ω′, we have that ω′(j) is a clock-0 state. Furthermore, suf(ω′,j) contains only unique-time transitions, which follows from the following facts: \(\omega_{j\ldots i}\) contains only unique-time transitions, \(\omega_{j\ldots i} \equiv\mathsf{suf}({\omega'},{j})\), and Lemma 3.
Now, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf {0}) \equiv\mathit{Path} ^{\mathcal{A} [\pi']}(\overline{q},\mathbf{0})\), we have that the existence of the path \(\omega\in\mathit {Path}^{\mathcal{A}[\pi ]}(\overline{q},\mathbf{0})\) implies the existence of a path \(\tilde{\omega} \in\mathit {Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\). Let \(\hat{\omega}' = \omega' \cdot\mathsf{suf}({\tilde{\omega}},{i})\) (where, in the usual manner, \(\omega' \cdot\mathsf{suf}({\tilde {\omega}},{i})\) denotes the concatenation of ω′ and \(\mathsf{suf}({\tilde {\omega}},{i})\)). Then \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\), from the following facts.
First, note that \(\hat{\omega}'(j)\) is a clock-0 state (from pref(ω,i)≡ω′ and the fact that ω(j) is a clock-0 state).
Second, because the fragment of the path ω from point j to point i (that is, \(\omega_{j\ldots i}\)) contains only unique-time transitions, together with the fact that pref(ω,i)≡ω′ and Lemma 3, we have that \(\omega'_{j\ldots i}\) contains only unique-time transitions. Furthermore, note that, after a clock-0 state followed by a sequence of unique-time transitions, there is only one possible clock valuation: this clock valuation is determined completely by the sequence of unique-time transitions.
From these facts (which, by \(\omega\equiv\tilde{\omega}\) and Lemma 3, apply equally to \(\tilde{\omega}_{j\ldots i}\)), we can arrive at the following conclusion: after the fragment of ω′ from point j to point i, there is only one possible clock valuation for the state ω′(i), and \(\omega'(i) = \tilde{\omega}(i)\). Intuitively, this means that if \(\mathsf{suf}({\tilde{\omega}},{i})\) is a possible extension of the path \(\mathsf{pref}({\tilde{\omega}},{i})\) from point i, then \(\mathsf{suf}({\tilde{\omega}},{i})\) is also a possible extension of the path ω′. This allows us to conclude that \(\tilde{\omega} \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\) implies \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\). With regard to the two further conditions on \(\hat{\omega}'\) given in the lemma, we note that condition (1) (\(\mathsf{pref}({\hat{\omega}'},{i}) = \omega'\)) follows immediately from the definition of \(\hat{\omega}'\), and condition (2) (\(\omega\equiv\hat{\omega}'\)) follows from the fact that we assume in the statement of the lemma that pref(ω,i)≡ω′, and from the fact that \(\omega\equiv\tilde{\omega}\) implies trivially that \(\mathsf{suf}({\omega},{i}) \equiv\mathsf {suf}({\tilde{\omega}},{i})\). □
Let ω be a path of σ for which the last transition is not a unique-time transition, and let 0≤i<|ω| be the smallest i such that suf(ω,i) comprises only non-unique-time transitions. Let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′. Lemma 4 allows us to choose a particular \(\langle \! \langle{{\omega }} \rangle\! \rangle_{{\omega'}} \in\mathit {Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), which depends on ω and ω′, such that (1) pref(〈〈ω〉〉 ω′,i)=ω′ and (2) ω≡〈〈ω〉〉 ω′.
We now proceed to the proof of Proposition 1. In the standard way, given \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu _{0}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\), we write \(\omega\xrightarrow{d,a,\mu} (q,w)\) to denote the path \((q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n}) \xrightarrow{d,a,\mu} (q,w)\). In the following, we write \((\omega\xrightarrow{d,a,\mu}) \in \mathit{Path} ^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) if there exists some state (q,w) such that \(\omega\xrightarrow {d,a,\mu} (q,w) \in\mathit{Path}^{\mathcal{A}[\pi]}(\overline {q},\mathbf{0})\); analogous notation is used for \(\mathcal{A}[\pi']\).
Proof (Proposition 1)
By Lemma 1, it suffices to show the following result: for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal {A}[\pi']}\) such that, for each \(\omega\in\mathit{Path}^{\sigma}(\overline {q},\mathbf{0})\) and \(\omega' \in\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, we have dist(σ(ω))≃dist(σ′(ω′)).
We proceed with the construction of σ′ by considering paths of progressively greater length. In the following, we let \(\mathit{Path}^{\sigma}_{i}(\overline {q},\mathbf{0})\) be the set of paths of \(\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) of length i; similarly, \(\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) denotes the set of paths of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) of length i.
Let i≥0. Assume that we have defined σ′ for all paths of \(\mathit{Path} ^{\sigma '}_{j}(\overline{q},\mathbf{0})\) for all 0≤j<i. Now we define σ′ for paths of \(\mathit{Path}^{\sigma '}_{i}(\overline{q} ,\mathbf{0})\). Let \(\omega\in\mathit{Path}^{\sigma}_{i}(\overline{q},\mathbf{0})\) be a path of \(\mathcal{A} [\pi]\) of length i, and let \(\omega' \in\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) be the unique (by determinism on actions) path of \(\mathcal{A}[\pi']\) of length i such that ω≡ω′. Let σ(ω)=(d,a,μ). Our aim is to show the existence of (last(ω′),d′,a,μ′) in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that μ≃μ′. Then we let σ′(ω′)=(d′,a,μ′).
In the case in which last(ω) is a clock-0 state, we proceed as follows. We note that, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline {q},\mathbf{0}) \equiv \mathit{Path} ^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), the existence of \((\omega\xrightarrow{d,a,\mu}) \in\mathit {Path}^{\mathcal{A} [\pi ]}(\overline{q},\mathbf{0})\) implies the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in \mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Given that \(\omega\equiv\tilde{\omega}\) and ω≡ω′, and that last(ω) is a clock-0 state, we must have that \(\mathit{last}(\omega) = \mathit{last}(\tilde {\omega}) = \mathit{last} (\omega')\). In this case it is immediate to see that the fact that \((\mathit {last}(\tilde {\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal {A}[\pi']}\) implies that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′). From μ≃μ′, it follows that dist(σ(ω))≃dist(σ′(ω′)).
Now we consider the case in which last(ω) is not a clock-0 state. We consider two sub-cases.
Sub-case: the last transition of ω is a unique-time transition.
Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that ω(j) is a clock-0 state and suf(ω,j) contains only unique-time transitions.
From \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\), the existence of the path \((\omega\xrightarrow{d,a,\mu}) \in\mathit{Path} ^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) implies the existence of a path \((\tilde{\omega} \xrightarrow {d',a,\mu '}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Now consider suf(ω,j) and \(\mathsf{suf}({\tilde {\omega}},{j})\). Observe that only unique-time transitions feature along \(\mathsf {suf}({\tilde {\omega}},{j})\) (this follows from the fact that suf(ω,j) contains only unique-time transitions, from the fact that \(\omega\equiv\tilde{\omega}\) implies that \(\mathsf{suf}({\omega},{j}) \equiv\mathsf{suf}({\tilde{\omega}},{j})\), and from Lemma 3). Given that \(\tilde{\omega}(j)\) is a clock-0 state (from \(\omega\equiv\tilde{\omega}\) and the fact that ω(j) is a clock-0 state), and that \(\mathsf{suf}({\tilde{\omega}},{j})\) features only unique-time transitions, it must be the case that, for each state visited along \(\mathsf {suf}({\tilde {\omega}},{j})\), there is only one possible clock valuation. By the same argument applied to ω′ (using ω≡ω′ and Lemma 3), ω′(j) is a clock-0 state and suf(ω′,j) features only unique-time transitions, with the same actions as \(\mathsf{suf}({\tilde{\omega}},{j})\). Hence we must have \(\mathsf{suf}({\omega'},{j}) = \mathsf {suf}({\tilde{\omega}},{j})\). This implies that \(\mathit{last}(\omega') = \mathit{last}(\tilde {\omega})\). Given that the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) implies that \((\mathit{last}(\tilde{\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\), it follows trivially that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′).
Sub-case: the last transition of ω is not a unique-time transition.
Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that suf(ω,j) contains only non-unique-time transitions; let j be the smallest such index.
First, suppose that there exists some path of σ that is an extension of ω and which ends in a clock-0 state; then let \({{\omega}} \uparrow^{{\sigma}}_{0}\) be the shortest such path. Given that the last transition of ω is not a unique-time transition, by Lemma 2, the last transition of \({{\omega}} \uparrow^{{\sigma}}_{0}\) is not a unique-time transition, and j is also the smallest index such that \(\mathsf{suf}({{{\omega}} \uparrow^{{\sigma}}_{0}},{j})\) comprises only non-unique-time transitions. Given that pref(ω,j)≡pref(ω′,j), we can employ Lemma 4 to define the path \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma }}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{j})}}\): the path \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{j})}}\) is in \(\mathit{Path} ^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), extends pref(ω′,j), and is such that \({{\omega}} \uparrow^{{\sigma}}_{0} \equiv\langle\! \langle{{{{\omega}} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{j})}}\). Let \((q,w) \xrightarrow{d',a,\mu'} (q',w')\) be the (i+1)-th transition of \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma }}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{j})}}\). Then we let σ′(ω′)=(d′,a,μ′). From the fact that \({{\omega}} \uparrow^{{\sigma}}_{0} \equiv\langle \! \langle{{{{\omega }} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle _{{\mathsf{pref}({\omega'},{j})}}\), we have that μ≃μ′ (in fact, because (last(ω),d,a,μ) and (last(ω′),d′,a,μ′) are not unique-time transitions, they are probability-1 transitions by Lemma 2, so we must have μ(q′)=μ′(q′)=1).
Alternatively, suppose that there does not exist a path of σ which extends ω and which ends in a clock-0 state. Note that, by the definition of anchored PPTAs, this means that all paths of σ that are extensions of ω feature only non-unique-time (and hence probability-1) transitions. Hence we can conclude the following: all paths of σ that are extensions of ω are of the form \(\overline{\omega} \xrightarrow{d,a,\mu_{(q,w)}} (q,w)\), where \(\sigma(\overline{\omega}) = (d,a,\mu_{(q,w)})\) and \(\overline{\omega}\) is either ω itself or a path of σ that is an extension of ω. These extensions of ω form a countably infinite sequence of paths progressively extending ω. We can also find a countably infinite sequence of paths progressively extending ω′, given the definition of σ′ up to ω′, such that each extension of ω′ is equivalent under ≡ to the associated extension of ω with the same length. This sequence of paths is obtained by considering each extension of ω and applying Lemma 4. This countably infinite sequence defines the transitions chosen by σ′ for any extension of ω′. It can then be seen that, for any extension of ω under σ, and any ≡-equivalent extension of ω′ under σ′, the distributions in the transitions of σ and σ′ are ≃-equivalent.
Given Lemma 1, we have completed the proof of Proposition 1. □
Appendix B: The inverse method
Given a (classical) parametric timed automaton \(\mathcal{A}\) and a reference valuation π of parameters, the inverse method outputs a constraint K such that:
1. π⊨K,
2. \(\mathit{Path}^{\mathcal{A}[\pi]}\equiv\mathit{Path}^{\mathcal{A}[\pi']}\), for all π′⊨K.
The algorithm IM can be summarized as follows. Starting with K:=true, we iteratively compute a growing set of reachable symbolic states. A symbolic state of the system is a pair (q,C), where q is a location of \(\mathcal{A}\), and C a constraint on the clocks and the parameters. When a π-incompatible state (q,C) is encountered (i.e. when \(\pi\not\models C\)), K is refined as follows: a π-incompatible inequality J (i.e. such that \(\pi\not \models J\)) is selected within C, and ¬J is added to K. The procedure is then started again with this new K (so that states whose constraint becomes empty under the refined K are no longer explored), and so on, until no new reachable state is computed.
The algorithm IM is given in Algorithm 1. Given a linear inequality J of the form e<e′ (resp. e≤e′), the expression ¬J denotes the negation of J and corresponds to the linear inequality e′≤e (resp. e′<e). Given a constraint C on the clocks and the parameters, the expression ∃X:C denotes the constraint on the parameters obtained from C after elimination of the clocks.
We define \(\mathcal{A}(K)\) as \(\{ \mathcal{A}[\pi] \mid\pi\models K\}\), \(\mathit{Post}_{\mathcal{A}(K)}^{i}(S)\) as the set of states reachable from S in exactly i steps, and \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)\) as the set of all states reachable from S in \(\mathcal{A}(K)\) (i.e. \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)=\bigcup_{i\geq0 }\mathit {Post}_{\mathcal{A}(K)}^{i}(S)\)). Given two sets of states S and S′, we write S⊑S′ iff ∀s∈S,∃s′∈S′ s.t. s=s′.
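As an added illustration of the refinement loop just described (this is not code from the article, nor from IMITATOR), the following Python program runs IM on a constructed, time-abstract toy. It assumes that the clock elimination ∃X:C has already been carried out, so that each edge carries a constraint on the parameters alone and a symbolic state is a pair (location, set of parameter inequalities); the locations q0 to q5, the parameters p1, p2 and the reference valuation π = (2, 5) are all constructed for the example. Emptiness of a symbolic state under the current K is decided by Fourier-Motzkin elimination over the rationals, which is what stops a state that becomes unreachable after a refinement (here q2, and hence q5) from contributing further inequalities to K.

```python
"""Added example (not the article's or IMITATOR's code): the inverse method of
Appendix B on a constructed, time-abstract toy.  Clocks are assumed eliminated,
so each edge carries a parameter constraint (the role of exists X : C) and a
symbolic state is (location, set of parameter inequalities).  Exact arithmetic."""
from collections import deque
from fractions import Fraction as Fr


def ineq(coefs, op, bound):
    """sum(c * p) op bound, op in {'<', '<='}, stored as a hashable triple
    (sorted tuple of (param, coef), strict, bound)."""
    assert op in ("<", "<=")
    return (tuple(sorted((p, Fr(c)) for p, c in coefs.items())), op == "<", Fr(bound))


def holds(j, val):
    """Does the parameter valuation val satisfy inequality j?"""
    coefs, strict, bound = j
    lhs = sum(c * val[p] for p, c in coefs)
    return lhs < bound if strict else lhs <= bound


def negate(j):
    """not(e <= b) is -e < -b and not(e < b) is -e <= -b, as in Appendix B."""
    coefs, strict, bound = j
    return (tuple((p, -c) for p, c in coefs), not strict, -bound)


def feasible(ineqs, params):
    """Fourier-Motzkin elimination: True iff the conjunction has a rational solution."""
    cur = list(ineqs)
    for p in params:
        lower, upper, rest = [], [], []
        for coefs, strict, bound in cur:
            d = dict(coefs)
            c = d.pop(p, Fr(0))
            if c == 0:
                rest.append((coefs, strict, bound))
                continue
            # normalise to  p <= bound/c - sum(d[q]/c * q)   (>= when c < 0)
            norm = ({q: a / c for q, a in d.items()}, strict, bound / c)
            (upper if c > 0 else lower).append(norm)
        for lc, ls, lb in lower:            # pair every lower bound with every upper bound
            for uc, us, ub in upper:
                qs = set(lc) | set(uc)
                coefs = tuple(sorted((q, uc.get(q, Fr(0)) - lc.get(q, Fr(0))) for q in qs))
                rest.append((coefs, ls or us, ub - lb))
        cur = rest
    # only variable-free inequalities  0 (<|<=) bound  remain
    return all((0 < b) if s else (0 <= b) for _, s, b in cur)


def inverse_method(edges, q0, pi, params):
    """IM of Appendix B: K := true; explore the symbolic states of A(K); on a
    pi-incompatible state negate one violated inequality, add it to K and
    restart; stop when an exploration completes without refinement."""
    K = []
    while True:
        refined = False
        seen, todo = set(), deque([(q0, ())])
        while todo:
            q, C = todo.popleft()
            if (q, C) in seen:
                continue
            seen.add((q, C))
            if not feasible(K + list(C), params):
                continue                      # empty under K: not reachable in A(K)
            bad = [j for j in C if not holds(j, pi)]
            if bad:                           # pi-incompatible state: refine K
                K.append(negate(bad[0]))
                refined = True
                break
            for src, guard, dst in edges:
                if src == q:
                    todo.append((dst, tuple(sorted(set(C) | set(guard)))))
        if not refined:
            return K


def reachable_locations(edges, q0, val):
    """Locations reachable in the instance A[val]: an edge is enabled iff its guard holds."""
    seen, todo = {q0}, [q0]
    while todo:
        q = todo.pop()
        for src, guard, dst in edges:
            if src == q and dst not in seen and all(holds(j, val) for j in guard):
                seen.add(dst)
                todo.append(dst)
    return seen


# Constructed toy: parameters p1, p2 and reference valuation pi_0 = (2, 5).
PARAMS = ("p1", "p2")
PI = {"p1": Fr(2), "p2": Fr(5)}
EDGES = [
    ("q0", [ineq({"p1": 1, "p2": -1}, "<", 0)], "q1"),   # p1 < p2
    ("q0", [ineq({"p2": 1, "p1": -1}, "<=", 0)], "q2"),  # p2 <= p1    (false at pi)
    ("q2", [ineq({"p1": 1}, "<=", 1)], "q5"),            # p1 <= 1     (false at pi; q2 empties first)
    ("q1", [ineq({"p2": 1, "p1": -2}, "<=", 0)], "q3"),  # p2 <= 2 p1  (false at pi)
    ("q1", [ineq({"p1": 2, "p2": -1}, "<", 0)], "q4"),   # 2 p1 < p2
]
```

On this input `inverse_method(EDGES, "q0", PI, PARAMS)` returns K = (p1 < p2) ∧ (2 p1 < p2): the π-incompatible edge to q2 contributes p1 < p2, the π-incompatible edge to q3 contributes 2 p1 < p2, and the π-incompatible guard p1 ≤ 1 out of q2 is never negated because the state at q2 is empty once K contains p1 < p2. Every valuation satisfying K, e.g. (1, 3), reaches exactly the locations {q0, q1, q4} reached by π, whereas (2, 3), which violates K, reaches q3 instead of q4.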
Appendix C: The behavioural cartography algorithm
We recall algorithm BC in Algorithm 2.
Imitator also implements the behavioural cartography algorithm in a fully automated way.
Cite this article
André, É., Fribourg, L. & Sproston, J. An extension of the inverse method to probabilistic timed automata. Form Methods Syst Des 42, 119–145 (2013). https://doi.org/10.1007/s10703-012-0169-x