Safe Decomposition of Startup Requirements: Verification and Synthesis

The initialization of complex cyber-physical systems often requires the interaction of various components that must start up with strict timing requirements on the provision of signals (power, refrigeration, light, etc.). In order to safely allow an independent development of components, it is necessary to ensure a safe decomposition, i.e. the specification of local timing requirements that prevent later integration errors due to the dependencies. We propose a high-level formalism to model local timing requirements and dependencies. We consider the problem of checking the consistency (existence of an execution satisfying the requirements) and compatibility (absence of an execution that reaches an integration error) of the local requirements, and the problem of synthesizing a region of timing constraints that represents all possible correct refinements of the original specification. We show how the problems can be naturally translated into a model checking and synthesis problem for timed automata with shared variables. Exploiting the linear structure of the requirements, we propose an encoding of the problem into SMT. We evaluate the SMT-based approach using MathSAT and show how it scales better than the automata-based approach using Uppaal and nuXmv.


Introduction
Complex industrial cyber-physical systems often have an initialization procedure that requires to reach a startup mode within a specified design target time interval. In order for the system as a whole to complete the startup within the required interval, each subcomponent of the system may have to go through a number of intermediate phases, within their own target intervals, each of which may itself be dependent upon other subcomponents reaching startup or intermediate phases. E.g. for a power generation system to startup at full power, it may need to transition first through a low power output phase and a number of subsidiary systems (perhaps cooling or fuel supply) may first have to undergo their own phase transitions. In turn, these subsidiary systems may require transitions to occur in systems subsidiary to them and so on.
Traditionally, the integration of these distributed transition targets are validated via simulation and testing, which while sufficient to reach a desired design performance are labor and time intensive. Having a more efficient process for arriving at and validating a set of design targets that satisfy the overall system requirements is clearly beneficial in these contexts. Firstly, we would like to verify that these requirements prevent failed transitions in which the time performance of the subsidiary systems lead to outcomes where our main system (e.g., the power generation system) cannot perform a transition within its time window. For example, suppose the power system has a time window within which it must transition from low-power mode to high-power mode; in order for it to achieve this transition, however, it requires that two subsidiary systems, a cooling system and a fuel supply system, must themselves transition from a low-output mode to a high-output mode, each within their own target transition time windows. If these time windows are not compatible, the power generator may fail to provide the high power in time. Secondly, if our starting set of requirements is inadequate to provide this guarantee, we would like to be able to synthesize a set of requirements that is adequate to this task.
In this paper, we formalize the problem starting from a simple industrially relevant setting, where the components have a linear sequence of phases, must progress to the next phase within a certain interval of time, and must respect some dependencies upon the phases of other components. Dependencies are expressed as Boolean combinations of variables representing the component phases and are divided into two types: (i) signal dependencies, where the entering of a component into a phase is conditioned by the presence of other components in some specific phases; (ii) state dependencies, where a component can stay in a phase only if, during all its stay, other components are in some specific phases. We are interested in the following problems: 1) checking if the requirements are compatible, i.e., if all reachable states can be extended with an execution satisfying the requirements; thus, if the components satisfy the local requirements, they cannot lead the system to an illegal state (where a component does not receive the input in time); 2) checking if the requirements are consistent, i.e., there exists an execution of the components satisfying all requirements (inconsistency is actually a pathological case of incompatibility); 3) synthesizing the set of refinements (same requirements with stricter intervals) that are consistent and compatible. We show how the first two verification problems can be naturally translated into a model checking problem for timed automata with shared variables. Exploiting the linear structure of the requirements, we propose an encoding of the problem into SMT. If all intervals are bounded, the encoding is quantifier-free. Finally, both approaches have been extended to solve also the synthesis problem, using synthesis for parametrized model checking of TAs and quantifier elimination in SMT, respectively.
We implemented the SMT-based approach in a tool called TRICker and carried out experimental evaluation, comparing it with other tools for the verifica-tion of timed automata. We used Uppaal [6] and nuXmv [7] to model check TAs and MathSAT [12] to solve the SMT problems. We performed an experimental evaluation based on a test-set of randomly generated local requirements. When comparing the SMT-based approach with the automata-based one, the results highlight a better performance of the former technique on all three problems.
Related Work The problem of the integration and compatibility of input/output timed automata has been extensively studied in the literature. Typically, works in the literature focus on deadlock checking (see, e.g., [4,5]). The work of [2] also addresses the parameter synthesis to avoid deadlocks in timed automata. In order to check for livelocks, liveness properties can be addressed with approaches proposed in [10,7]. A general definition of illegal states for timed interface automata is given in [13]. As shown in the extended version of the paper the compatibility problem addressed in this paper can be seen as a subcase of the homonym problem for input/output timed interface automata. As we are considering a closed system, the problem reduces to the existence of a deadlock or livelock in a phase of some component (depending if the related time interval is bounded or not). Moreover, compared to the above model checking approaches we are considering a specific fragment of timed automata with a linear structure that can be exploited for specialized solutions.
Related problems have been addressed in the context of task scheduling. In the formalism introduced in [16,17], called DRT (short for digraph real-time task model), in which tasks and deadlines are expressed as directed graphs, the problem of determining whether a schedule exists (feasibility problem) bears some similarities with the consistency checking problem we study here. The DRT model allows the use of very general graph topologies, with multiple outgoing branches and loop-backs, but it does not consider dependencies across different tasks. The main difference with our work is that the problem is addressed from a global point of view (i.e., the existence of a global scheduler that can coordinate the execution of the tasks), whereas we are interested in local solutions, in which each requirement can be considered in isolation. Another difference is the approach used to tackle the problem: while in [16] dynamic programming is used to deal with the possible explosion of the search space, we use SMT [14] as the main framework for all the three above-mentioned problems.
Outline. In Sec. 2, we introduce a suitable formalism to model local requirements and we formalize the three problems. In Sec. 3, we propose the reductions of compatibility checking and consistency checking into TAs and SMT. The corresponding solutions for the synthesis problem are then described in Sec. 4. The experimental results are described in Sec. 5. In Sec. 6, we draw some conclusions and highlight possible future directions of this work.

Problem Statement
Domain formalization We propose a high level formalism to model the local requirements.   [4,6] (b) Example of system with two local requirements and two signal dependencies.

Definition 1 (Local Requirements)
A specification S is given by a set of local (or component) requirements, where each local requirement C ∈ S is given by an (ordered) sequence P C 1 , . . . , P C n of phases. In turn, each phase P i of C is associated when i > 1 with a closed real interval β Pi with non-negative lower limit l Pi and (finite or infinite) upper limit u Pi , with a formula φ Pi (called signal dependency) and, when i > 0 with a formula ψ Pi (called state dependency). Both φ Pi and ψ Pi are Boolean formulae over the atoms in { D, Q } D∈S\{C},Q∈D (i.e., the phases of other components).
If a dependency ψ P is just a conjunction of atoms, then we say that ψ P is convex. With the notation |C|, we will refer to the number of phases of C.
Figs. 1a and 1b show two examples of sets of local requirements. In Fig. 1a, we have two local requirements A and B (i.e., S = {A, B}); each local requirement has two phases Off and On (i.e., P A 1 = Off and P A 2 = On and similarly for B); the bounds are depicted in square brackets (thus, for example β A On = [3,6]); all dependencies are trivially true apart from the state dependency ψ B On = A, On of the local requirement B, which is plotted as an arrow from the phase On of B to phase On of A. In Fig. 1b, we have another example with three components and some signal dependencies; for example, signal dependency φ C Normal = E, Normal is plotted as an arrow from the transition to phase Normal of C to phase Normal of E.
Definition 2 (Stronger local requirements) We say that a local requirement Given two specifications S = {C 1 , . . . , C n } and S = {C 1 , . . . , C n }, we say that S is stronger than S (written S S) iff for all i, 1 ≤ i ≤ n, In defining the semantics of a composition of local requirements C 1 . . . C n , every local requirement C i is associated with a local clock, which is reset each time it enters a new phase. Given a local requirements specification {C 1 , . . . , C n }, we define its semantics formally by defining the predicate Reach((C 1 , j 1 , t 1 ), . . . , (C n , j n , t n )), which is true iff the phases P C1 j1 . . . P Cn jn are reachable at local times t 1 . . . t n .
Definition 3 (Reachability for local requirements) Given the specification {C 1 . . . C n } and the time points t 1 ∈ R . . . t n ∈ R, we inductively define the predicate Reach((C 1 , j 1 , t 1 ), . . . , (C n , j n , t n )) as follows: -(base case) Reach((C 1 , 1, 0), . . . , (C n , 1, 0)) holds and for all i ∈ {1 . . . n} it holds that (state dependencies): . , (C n , j n , t n )) and there exists a δ ∈ R and a M ⊆ {1, . . . , n} such that: 3. for all i ∈ M , it holds that (state dependencies -entry): We define the predicate Comp S to be true iff there are no reachable states in S such that no component can proceed to its next phase.
Definition 4 (Compatibility for local requirements) Given the set of local requirements S = {C 1 . . . C n }, the predicate Comp S is true iff: If Comp S holds, we say that C 1 . . . C n are compatible, or equivalently that S is compatible.

Strict Semantics
The above definition adopts a weakly-monotonic model of time, where discrete transitions are instantaneous and, therefore, the system may be in two different states at the same instant. The definition and the reductions to model checking and SMT can be easily adapted to have a strict semantics.
Verification and Synthesis Problems The core problem we address is to check if a given specification S = {C 1 , . . . , C n } is compatible, i.e., if Comp S holds. The consistency checking problem amounts to checking if there exists a time point in which the final phase of all the local requirements is reached, that is it amounts to checking if the following formula holds: If this is the case, then we say that S is consistent. Finally, we can formalize the synthesis problem as the problem of computing (a symbolic representation of) the set: {S | Comp S ∧ S S}

NP-hardness
In this section, we show that the simplest of the problems defined above is already NP-hard. In fact, we show a reduction from SAT to the consistency checking problem. Let ϕ(x) be a Boolean formula over the variablesx = x 1 . . . x n ; without loss of generality, we assume ϕ(x) to be in negated normal form, i.e., with all the negations only in front of literals. For all 1 ≤ i ≤ n, we define the local requirement corresponding to variable the idea is to encode the values ⊥ and of each x i with the two phases P i 1 and P i 2 , respectively. Moreover, we define the local requirement G, which will be useful as a gadget for the reduction, as follows: The specification S ϕ corresponding to the Boolean formula ϕ(x) is defined as S ϕ = {G, C 1 , . . . , C n }. It holds that ϕ(x) is satisfiable if and only if S ϕ is consistent. In fact, if S ϕ is consistent, then there exists a time point in which the signal dependency of the second phase of G has been satisfied, and thus ϕ(x) is satisfiable. Viceversa, let's suppose that ϕ(x) is satisfiable and let M be an arbitrary model of it, expressed as the set of true atoms, in which we also substitute every x i in it with the pair C i , P i 2 . Since the local requirements C 1 . . . C n have no dependencies and, together with G, have only infinite bounds, there exists a time t such that predicate . . , (C n , P n 2 , t)) holds, i.e., S is consistent.
In Sec. 3.2, we will give an encoding of the consistency checking problem based on SMT(DL) (i.e., Satisfiability Modulo Theory of Difference Logic). In particular, we will show that the problem can be reduced to the satisfiability of a formula in SMT(DL). Since the latter belongs to NP [15], the consistency checking problem belongs to NP as well, having that consistency checking is NP-complete.

Reduction to Model Checking
In order to formalize the two verification problems into ones of model checking networks of timed automata, we use timed automata with shared variables. To this end, besides the clock constraints Ξ(C), we define L = {l A , l B , . . . } as a set of location variables (one for each automaton A in the network), and Θ(L) as the set of all Boolean combinations of atoms of type l A = v A , where A is a timed automata, l A ∈ L and v A is a state of A.
Definition 5 (Timed Automata with Shared Variables) A timed automaton with shared variables (TASV, for short) Given a set of clocks C, we denote with ν : C → R a clock valuation, that is a function assigning a rational value to each clock; with V C , we denote the set of all possible clock valuations over C. For t ∈ R, ν + t is the clock valuation which maps every clock c ∈ C to the value ν(c) + t. For R ⊆ C, we define ν[R → 0] to be the valuation that maps x to 0 if x ∈ R, and to ν(x) otherwise. When defining the product of two TASVs, we will deal with tuples (l A1 , . . . , l An ) of location variables; in this context, we usually denote with λ any function from the set of n-tuples of location variables to the set V A1 × · · · × V An . Moreover, we write that λ |= Φ (where Φ ∈ Θ(L)) iff Φ[l Ai → v Ai , for all 1 ≤ i ≤ n] is true and λ((. . . , l Ai , . . . )) = (. . . , v Ai , . . . ). We give the semantics of a TASV in terms of traces and we define their product as described below.

Definition 6 (Trace of a TASV) A trace τ of a TASV
Definition 7 (Product of TASVs) Given two TASVs A and B, their product is the TASV A ⊗ B defined as follows: , for all (v, u) ∈ V A⊗B ; the transition relation is defined as follows: It is worth noting that each TASV corresponds to a timed automaton defined in the standard way [1], and viceversa. We define now the TASV corresponding to a local requirement.
Definition 8 (TASV for a Local Requirement) Let C = P C 1 , . . . , P C n be a local requirement. We define the corresponding TASV A , inv loc A , T A } as follows: for each phase P C i of local requirement C, v i A is the corresponding location in V A ; P C 0 corresponds to v 0 A and C A = {c A }; for each phase P C i (but the last) of C, inv cl A (v i A ) := c A ≤ u P C i+1 ; -(discrete transition) for each phase P C i (but the last) of C, it holds that , for each phase P (the same holds for Ψ );  Example. Consider Fig. 1a: the corresponding TASV is depicted in Fig. 2. Each phase of each local requirement corresponds to a location of the corresponding TASV; in the example, phase off is mapped into location off. The first locations of automata A and B have attached the invariants c A ≤ 6 and c B ≤ 4, respectively. Automaton A proceeds to location on (corresponding to phase A.on) by a transition labelled with clock constraint 3 ≤ c A ≤ 6 and clock reset c A := 0. Since the second phase of local requirement A has no dependencies, the transition to on has no constraints on the location variables. The situation is different for automaton B, for which the transition to on is labelled with 2 ≤ c B ≤ 4 and c B := 0, and also with ψ on := (l A = on), that is the state dependency of phase B.on; moreover, ψ on is also an invariant for the second location of automaton B, since it is a state dependency.
Given a network S := A 1 × · · · × A n of TASVs, the problem of consistency checking can be expressed as the reachability of location (A 1 .last, . . . , A n .last) ∈ V S . A deadlock of a TASV A is defined as a state (v, t) ∈ V A × R such that A can take neither a timed nor a discrete transition from (v, t). We call livelock a state (v, t) such that A can take only timed transitions. The compatibility checking problem can be expressed as the problem of checking if there exists a trace of S such that (i) either the trace is finite and its final state is a deadlock of S; we can check this property by adding a sink location to the TASV S to which all locations can transition to and by checking the reachability of it; (ii) or the trace is infinite and there exists a location v ∈ V S and a point k ≥ 0 such that l S = v = (A 1 .last, . . . , A n .last), for all the states after k in the trace, where the i th component of v together with the time of the current state is a livelock for automata A i , for some 1 ≤ i ≤ n. The second point is fundamental for local requirements featuring infinite bounds: in these automata, it is not sufficient to check for deadlocks, since a timed transition could be always enabled; instead, an illegal state can be described by a trace of the system that reaches a livelock whose location has no invariants attached and then stays constantly in this location. Having reached a livelock, the automaton can proceed only with timed moves: in particular, it can't proceed to the next location because its dependencies are violated. We can check the second point in this way: we first add a sink location sink Ai v for each location v ∈ A i (and of course a transition from the latter to the former), for each 1 ≤ i ≤ n, and we attach to it the invariant ¬inv loc Ai (v). Now, in the product S of these modified automata, we look for a trace such that, from a certain time point onwards, it stays constantly in a location (l 1 , . . . , l n ) such that at least one l i is a sink state. This property can be formalized in Linear Temporal Logic as F G( 1≤i≤n,v∈Ai sink Ai v ).

Encoding into SMT(DL)
We describe the encoding into SMT(DL) (Satisfiability Modulo Theory of Difference Logic) for the problems of consistency checking and compatibility checking. For all 1 ≤ c ≤ n and 1 ≤ i ≤ |c|, we introduce the following variables: (i) r c i ∈ B represents the fact that phase i of local requirement c is reachable; (ii) s c i = (t c i , p c i ) represents the superdense time instant in which local requirement c enters phase i, where t c i ∈ R and p c i ∈ N. We can compare two superdensevalued variables (t, p) and (t , p ) with the lexicographical order, which we define as follows: (t, p) (t , p ) iff t ≤ t ∧ (t = t → p ≤ p ). We now give the set of (conjunctively related) constraints which form our SMT(DL) encoding.
Initialization. Each local requirement starts in its first phase at the same time, i.e., the real time point 0. Hence, for all 1 ≤ c ≤ n, we add the constraint t c 0 = 0.
Reachability. For all local requirements c and all phases i, it holds that if i − 1 is not reachable then so is phase i, i.e., ¬r c i−1 → ¬r c i . Moreover, we require the monotonicity over time, i.e., r c i → (s c i−1 ≺ s c i ).

Bounds. For all local requirements c and all phases i, c can move to i only if it respects the bounds [l
Moreover, we have to guarantee that the state dependencies hold as well. In particular, if phase i is reachable, then surely the time point in which c enters i has to be strictly greater than the time point in which the other local requirement reaches the target phase.
Since state dependencies are invariant properties, i.e., they have to hold for each time instant a local requirement is in a particular phase, if one state dependency is violated at some time point of phase i − 1, then phase i is not reachable. The contrapositive means that if phase i is reachable, then the state dependencies of phase i − 1 have to be invariant for phase i − 1, namely: Illegal States. If phase i of local requirement c is not reachable, i.e., i is an illegal state, then there exists a time point s c ill such that, for all the next (remaining) time pointss between s c ill and the upperbound of the transition, at least one dependency is not satisfied. where We interprets s c i−1 + u c i as ∀p(s s c i−1 + (u c i ,p)) and the + symbol as the pairwise sum. In the case the upperbound of the transition is infinite, we simply do not add thes s c i−1 + u c i inequality. We refer to the conjunction of all these constraints as W.
For consistency checking, we define END := 1≤c≤n r |c| and we call W cons the conjunction of W with END. We check consistency by checking the satisfiability of W cons . For compatibility checking, we define ILL := 1≤c≤n 1≤i≤|c| ¬r c i and we call W ill the conjunction of W with ILL. We check the existence of an illegal state in the system by checking the satisfiability of W ill , i.e., W ill is satisfiable iff the local requirements are not compatible.
Strict Semantics In the strict semantics setting, we forbid two events to occur at the same real-time point. For strict semantics, the encoding is equal to W except that we interpret ≺ and as < and ≤, respectively, and all the s c i variables as single real-valued variables t c i ∈ R. We call S this encoding and we define S cons and S ill as above.
Finite bounds and convex dependencies. Despite being very close to the problem formalization, the W encoding features a high number of quantifications, also in alternation; therefore, in the general case, it is very burdensome for an SMT solver to first perform quantifier elimination on W and then to solve the resulting formula. Nevertheless, if we make some restrictions on the type of local requirements we consider, we are able to remove upfront all the quantifiers from W, without the need to use quantifier elimination techniques. In fact, suppose we consider only local requirements with finite bounds and convex state dependencies (see Sec. 2). We call W ill fin the encoding equal to W except that Eq. (1) is replaced by: and we add the following constraint: and we replace Eq. (2) with: where: We can prove that W ill and W ill fin are equisatisfiable for every set of local requirements with only finite bounds and convex dependencies. Notably, there are no quantifiers in W ill fin : as said before, this makes the encoding dramatically more efficient with respect to W: in Sec. 5, we will consider only local requirements of this type. The details of the proofs are reported in the extended version of the paper in which, given that the proofs are a bit involved, we proceed incrementally, showing first how we can remove upfront the quantifiers in case of finite bounds with strict semantics, then in the case with weak semantics and finally in case of convex dependencies.

Synthesis
In this section, we tackle the synthesis problem, i.e., computing the set of all stronger local requirements (as defined in Def. 2) of the initial local requirements such that their composition is compatible. We solve this problem by reducing it to a parameter synthesis problem (see [9] for a more detailed description); given a local requirement C, its corresponding parametric local requirement C, π is defined as C (see Sec. 2), except that the bounds l P and u P of each phase P are now the parametersl P andū P , respectively, and π := {l P | P is a phase of C} ∪ {ū P | P is a phase of C}. Given a set of local requirements S = {C 1 , . . . , C n }, we write S, Π for its parametric version { C 1 , π 1 , . . . , C n , π n }, where the set of parameters is defined as Π := n i=1 π i . A parameter valuation γ : Π → Q assigns a rational value to each parameter; moreover, for each 1 ≤ i ≤ n, it also induces a (concrete) local requirement C i , γ(π i ) , obtained from C i , π i by replacing every parameter p ∈ π i with the concrete value γ(p). In the same way, we can define the concrete version S, γ(π) of S, π . γ is said to be feasible for S if C i , γ(π i ) is a stronger local requirement of C i , for all 1 ≤ i ≤ n, and S, γ(π) is compatible. A feasible region is a set R := {γ | γ is feasible for S}. Also in this case, we can either use parameter synthesis algorithms over timed automata [3] or reduce the problem to SMT(LRA); we focus on the latter and in particular, we will synthesize a symbolic representation of the region R, namely an SMT formula ϕ R with the following property: γ |= ϕ R iff γ ∈ R, for each valuation γ.
Let W ill be the encoding equal to W ill except that each number l c i (resp. u c i ) is replaced with the variablel c i (resp.ū c i ) and each phase is required to have finite bounds. We define the sets of variables R := {r c i | c ∈ S, i is a phase of c} and S := {s c i | c ∈ S, i is a phase of c}: these are the variables we are going to remove by means of quantifier elimination. Finally, we define: The symbolic representation of the feasible region R is given by: By removing the existential quantification on S and R (this can be done by means of quantifier elimination techniques), we obtain a quantifier-free formula over the variables in Π. By construction, we have that each model γ of SYNTH is a feasible valuation, and viceversa. Therefore SYNTH is the symbolic representation of the feasible region R.

Experimental Evaluation
We implemented the encoding described in Sec. 3.2 in a tool called TRICker (Timing Requirements Integration Checker) 6 , which uses MathSAT [12] as the backend SMT engine. We compared TRICker with Uppaal [6] and Timed-nuXmv [8], both using the automata-based encoding described in Sec. 3.1. The test set is partitioned into three categories: (i) bounded convex contains only systems with finite bounds and convex state dependencies; (ii) bounded contains systems with only finite bounds, but with arbitrary dependencies (not necessarily convex); (iii) general contains systems with infinite bounds and arbitrary dependencies (this is the most general fragment). Each category in turn consists of ca. 500 randomly-generated systems, divided in 10 sub-categories, namely 2c3p, 2c15p, 5c3p, 5c20p, 10c4p, 10c30p, 50c5p, 50c30p, 100c3p and 100c10p, where N cM p is the category containing only systems with N components and (approximately) M phases for each component. Inside each sub-category, each benchmark is randomly generated, meaning that the exact number of phases for each component and the density of its signal and state dependencies was chosen uniformly at random. For each benchmark, we compare the time spent by the three tools on the consistency checking and compatibility checking problems. We ran the experiments on a cluster of Linux machines with a 2.27GHz Xeon CPU, with a timeout of 360 seconds for each instance.
We consider first the bounded convex category. Fig. 3 shows the comparison of TRICker with Timed-nuXmv and Uppaal on the two verification problems. In both cases, Timed-nuXmv runs the infinite-state variant of IC3 described in [11] after discretizing the timed automata. As for Uppaal, we verify a property in the form EF ϕ, where ϕ is a Boolean formula. For both problems, the SMTbased approach implemented in TRICker outperforms the model checkers. While there are a number of instances for which the model checkers perform better than TRICker (especially for Uppaal), the latter overall solves a significantly larger amount of problems within the timeout, showing a clear improvement in scalability. This can be seen also in the survival plots comparing the three tools with the Virtual Best Solver (vbs for short). We can make similar considerations for the bounded and general categories, shown respectively in Fig. 4 and Fig. 5. (Note that for the general case, we could not evaluate Uppaal as it does not support the verification of fairness properties.) We remark that we did not note any kind of correlation between the number of signal or state dependencies in the benchmarks and the time spent by the solver. Finally, Fig. 6 shows the correlation between the memory (measured in MB) and the time (in seconds) spent by TRICker on consistency and compatibility checking, respectively.
We also evaluated the parameter synthesis algorithm described in Sec. 4. Since Uppaal currently does not support parameter synthesis for timed automata, we could not include it in the comparison. We therefore compared TRICker with Timed-nuXmv, for which we used the ParamIC3 parameter synthesis algorithm described in [9]. The algorithm is based on the inverse method, i.e., it finds a bad configuration for the parameters and it tries to generalize it, maximizing the set of bad parameters removed from the current approximation of the region. We took all the consistent benchmarks of the previous test sets, which amounts to approximately 100 instances (note that for each instance of the class NcMp, the number of parameters is ≈ 2 · N · M 7 ). The results of the comparison are shown in Fig. 7; as in the previous cases, TRICker shows better performance and scalability than ParamIC3, though there are several instances for which synthesis via quantifier elimination is still very expensive.

Conclusions
In this paper, we defined verification and synthesis problems of industrial relevance focused on the decomposition of startup requirements into local timing constraints and dependencies on components. Namely, we addressed the problem of checking if the local requirements are free of integration errors (i.e., consistent and compatible), and the problem of synthesizing the region of refinements of the original specification that are error free. The problem can be naturally translated into model checking and synthesis problems for timed automata with shared variables. Exploiting the structure of the requirements, we provide an encoding into SMT where consistency and incompatibility correspond to satisfiability queries, while synthesis is resolved by means of quantifier elimination.
In the future, we will consider various directions, such as extending the applicability of the approach to more general structures with loops, enriching the synthesis problem with cost functions to repair the specification driven by specific industrial goals, and considering more complex representations of signals exchanged between components.