Theorem Proving for Pointwise Metric Temporal Logic Over the Naturals via Translations

We study translations from metric temporal logic (MTL) over the natural numbers to linear temporal logic (LTL). In particular, we present two approaches for translating from MTL to LTL which preserve the complexity of the satisfiability problem for MTL. In each of these approaches we consider the case where the mapping between states and time points is given by (i) a strict monotonic function and by (ii) a non-strict monotonic function (which allows multiple states to be mapped to the same time point). We use this logic to model examples from robotics, traffic management, and scheduling, discussing the effects of different modelling choices. Our translations allow us to utilise LTL solvers to solve satisfiability and we empirically compare the translations, showing in which cases one performs better than the other. We also define a branching-time version of the logic and provide translations into computation tree logic.



Introduction
Linear and branching-time temporal logics have been used for a long time for the specification and verification of reactive systems. In linear-time temporal logic (LTL) [24,48] we can, for example, express that a formula ψ holds now or at some point in the future using the formula ♦ψ (ψ holds eventually). However, some applications require not just that a formula ψ will hold eventually but that it holds within a particular time-frame, for example, between 3 and 7 moments from now.
To express such constraints, a range of Metric Temporal Logics (MTL) have been proposed [6,7], considering different underlying models of time and operators allowed. MTL has been used to formalise vehicle routing problems [35], monitoring of algorithms [28,53] and cyberphysical systems [2], among others. A survey about MTL and its fragments can be found in [46]. It is known that MTL over the reals is undecidable, though, decidable fragments have been investigated [5,10,12].
Here we consider MTL with pointwise semantics over the natural numbers, following [6], where each state in the sequence is mapped to a time point on a time line isomorphic to the natural numbers. In this instance of MTL, temporal operators are annotated with intervals, which can be finite or infinite. For example, ♦ [3,7] p means that p should hold in a state that occurs in the interval [3,7] of time, while [2,∞) p means that p should hold in all states that occur at least 2 moments from now. In contrast to LTL, where the time difference from one state to the next is always one, in MTL, time is allowed to irregularly 'jump' from one state to the next. The semantics uses a mapping from states to time points to keep track of the time difference between consecutive states. MTL formulae can then express constraints on such time differences. For example, using [2,2] p we can state that the time difference from the current state to the next state is two while [3,∞] p states that the next state is at least three moments from now.
Following Alur and Henzinger [6], the mapping between states and time points is given by a (weakly) monotonic function, which allows multiple states to be mapped to the same time point. Underlying this semantics is the so-called digital-clock assumption: different states that are associated with the same discrete clock record events happening between successive clock ticks. If no events occur over one or more successive clock ticks, no state will be associated with those clock ticks. In this work, we also consider the semantics where the mapping between states and time points is given by a strictly monotonic function, which forces time to progress from one state to another.
We provide two approaches for translating from MTL to LTL: in the first approach we introduce a fresh propositional variable that we call 'gap', which is used to encode the 'jumps' between states, as mentioned above; the second approach is inspired by [6], where fresh propositional variables encode time differences between states. In each approach we consider the case where the mapping between states and time points is given by: (i) a strict monotonic function and by (ii) a non-strict monotonic function (which allows multiple states to be mapped to the same time point). All translations are polynomial w.r.t. the largest constant occurring in an interval (although exponential in the size of the MTL formula assuming a binary encoding of the constants). Since the satisfiability problem for LTL is PSpacecomplete [51], our translations preserve the ExpSpace complexity of the MTL satisfiability problem over the natural numbers [6]. We provide a range of examples from robotics, traffic management, and scheduling. We present and discuss different modelling choices and their effect, including the choice between strict and non-strict semantics as the basis for the formalisation of a domain.
The translations allow us to use existing LTL solvers to determine the satisfiability of MTL formulae. To the best of our knowledge, there are no implementations of solvers for MTL with pointwise discrete semantics. We use several LTL solvers, covering a wide range of calculi and methods, to experimentally investigate the properties of the LTL formulae resulting from the translation of MTL formulae. We provide experimental results for both the modelled examples and we propose specific formulae to investigate and analyse the difference between the translations and provers.
Finally we consider a branching-time version of MTL and provide a translation into Computation Tree Logic (CTL) using the gap translation.
Our contributions are: -translations from MTL to LTL which preserve the ExpSpace complexity of the MTL satisfiability problem and allow the use of LTL solvers to determine the satisfiability of MTL formulae; -an experimental analysis of the behaviour of LTL solvers on the resulting formulae; -encodings of problems from robotics, traffic management, and the classical multiprocessor job-shop scheduling problem [16,27] into MTL, as examples of the kind of problems that can be solved using MTL; -discussions about the modelling of these examples that illuminate interesting aspects of MTL specifications; and -a translation from a branching-time version of the logic into CTL that gives a tight 2EXPTIME upper bound to the satisfiability problem.
This paper is a revised and extended version of [33]. It includes a range of examples specified in MTL, full proofs, full details, updated and extended experimental results, a branching-time version of the logic with its translation into CTL and a more comprehensive discussion of related work.
In Sect. 2 we provide the syntax and semantics of LTL and MTL. We provide a range of examples in Sect. 3 encoding problems in MTL from robotics, traffic management, and job-shop scheduling. Our translations from MTL to LTL are provided in Sects. 4 and 5. Experimental results are provided in Sects. 6 and 7. A branching-time version of the logic and its translation into CTL is given in Sect. 8. We discuss related work in Sect. 9 and provide concluding remarks in Sect. 10.

Preliminaries
We briefly state the syntax and semantics of LTL and MTL. Let P be a (countably infinite) set of propositional variables. Well formed formulae in LTL are formed according to the rule: where p ∈ P. We often omit parentheses if there is no ambiguity. We denote by c a sequence of c next operators, i.e., 0 ϕ = ϕ and n+1 ϕ = n ϕ, for every n ∈ N. An LTL model or state sequence σ over (N, <) is an infinite sequence of states σ i ⊆ P, i ∈ N. The semantics of LTL is defined as follows.
MTL formulae are constructed in a way similar to LTL, with the difference that temporal operators are now bounded by an interval I with natural numbers as end-points or ∞ on the right side. Note that since we work with natural numbers as end-points we can assume w.l.o.g that all our intervals are of the form [c 1 , c 2 ] or [c 1 , ∞), where c 1 , c 2 ∈ N. We sometimes write k ∈ j + [c 1 , c 2 ] with the meaning that k ∈ [c 1 + j, c 2 + j]. Well formed formulae in MTL are formed according to the rule: where p ∈ P. A timed state sequence ρ = (σ, τ ) over (N, <) is a pair consisting of an infinite sequence σ of states σ i ⊆ P, i ∈ N, and a function τ : N → N that maps every i corresponding to the i-th state to a time point τ (i) such that τ (i) < τ(i + 1). A non-strict timed state sequence ρ = (σ, τ ) over (N, <) is a pair consisting of an infinite sequence σ of states σ i ⊆ P, i ∈ N, and a function τ : N → N that maps every i corresponding to the i-th state to a time point τ (i) such that τ (i) ≤ τ (i + 1). We assume w.l.o.g. that τ (0) = 0. The semantics of MTL is defined as follows: and ∀ j, i ≤ j < k : (ρ, j) | ϕ.
Further connectives are defined as usual: ♦ I ϕ ≡ (true U I ϕ) and I ϕ ≡ ¬♦ I ¬ϕ. A timed state sequence ρ = (σ, τ ) is a model of an MTL formula ϕ iff (ρ, 0) | ϕ. An MTL formula ϕ is satisfiable iff there exists a model of ϕ and it is valid iff every timed state sequence is a model of it. To transform an MTL formula into Negation Normal Form, one uses the constrained dual untilŨ I operator [46], defined as (ϕŨ I ψ) ≡ ¬(¬ϕ U I ¬ψ). An MTL formula ϕ is in Negation Normal Form (NNF) iff the negation operator (¬) occurs only in front of propositional variables. One of the differences between MTL and LTL is that in LTL we have the equivalence ¬( p) ≡ ¬ p, whereas in MTL ¬( [2,2] p) ≡ [2,2] ¬ p. If ¬( [2,2] p) then either p does not occur in the next state or the next state does not occur with time difference two. We can express this as follows: ¬( [2,2] p) ≡ [2,2] ¬ p ∨ [0,1] true ∨ [3,∞) true.
To see this, consider the formula ¬( p U [2,2] q). It is satisfied by a timed state sequence in which p never holds, state 0 is mapped to time point 0, state 1 is mapped to time point 1, and q only holds in state 2 which is mapped to time point 2. The formula is satisfied because p does not hold at state 0 or 1. However this timed state sequence does not satisfy [2,2] ¬q ∨ ((¬q) U [2,2] (¬ p ∧ ¬q)) as the eventuality of the second disjunct does not hold within the interval [2,2]. Note that in LTL the equivalence holds. In our example, if we remove the intervals from the equivalence and interpret the timed state sequence as an LTL model we would have the LTL formula ¬q ∨ ((¬q) U (¬ p ∧ ¬q)) holding at state 0 as the eventuality of the second disjunct holds at state 0 and 1. The intervals in MTL prevent this.
An MTL formula ϕ is in Flat Normal Form (FNF) iff it is of the form p 0 ∧ i [0,∞) ( p i → ψ i ) where p 0 , p i are propositional variables or true and ψ i is either a formula of propositional logic or it is of the form I ψ 1 , ψ 1 U I ψ 2 or ψ 1ŨI ψ 2 where ψ 1 , ψ 2 are formulae of propositional logic.
One can transform an MTL formula into FNF by renaming subformulae with nested operators, as in [23,55]. For example, assume that we are given the following MTL formula: [2,3] (¬ [1,2] q). We first transform our formula into NNF and obtain: [2,3] (♦ [1,2] ¬q). We then transform it into FNF: The transformations into NNF and FNF are satisfiability preserving and can be performed in polynomial time.

Examples
We consider a range of examples that can be represented using MTL relating to robotics, traffic management, and job-shop scheduling.
First we consider a scenario relating to foraging robots based on a state transition system with timing constraints relating how long robots can spend in each state searching for food, moving home, etc. We first model a single robot using the strict semantics with timing constraints on the next operators to indicate the change from one state to another. We discuss the difficulties with this modelling approach for multiple robots and show how the scenario can be re-modelled to represent multiple robots of the same type. Next we consider an example related to traffic management, in particular, to traffic lights, again with the strict semantics. This has two traffic lights that are not identical, modelled using until operators with timing constraints that enforce the correct order and timings of the traffic light colours. The third example formulates multiprocessor job-shop scheduling. We have multiple processors and show how this can be modelled using both the strict and non-strict semantics.

Foraging Robots
This example is based on the models for foraging robot swarms [38]. Robots are located in an arena with a "home" for them, they leave the home, carry out a random walk to locate "food". If food is detected they move towards the food, attempt to grab it and return home. If food is not found or another robot grabs the detected food and the time for searching for food is over the robot will move home without food. The food is deposited at home and increases the overall energy of the swarm but searching for food decreases this energy. Here we focus on the timing constraints rather than energy. Initially we consider one robot and later we consider multiple robots. Robots can be in one of nine states: resting resting at home; leavingHome leaving home; randomWalk moving around looking for food; moveToFood moving towards food having located it; scanArena looking for food; grabFood attempting to grab food that has been found; moveToHome the robot moves home with food; deposit the robot deposits the food at home, and homing the robot moves home without food.
The state transition system representing their movement between states is shown in Fig. 1.
There are three parameters: the maximum time T r that can be spent resting, the maximum time T s that can be spent searching for food (leavingHome, randomWalk, scanArena, and moveToFood), and the maximum time T d to get home with or without food (moveToHome and homing). The latter is based on an assumption that there is a maximum distance between the food and home. We assume that grabFood and leavingHome takes between two and three time units and deposit takes three to four time units. Initially the robot is resting (resting). Next we specify that the robot must be in exactly one of the states at any moment. Let S = {resting, leavingHome, randomWalk, moveToFood, grabFood, moveToHome, deposit, homing, scanArena} We require that each time point is 'marked' with exactly one of the states.
If the robot is searching then there is a maximum amount of time it can stay searching.
There are a number of properties we could try to prove.
-Having left home the robot will eventually reach home again.
-The maximum time the robot needs to return home is x In particular, the lowest value x for which we can prove this property is the maximum time the robot can stay away from home. -The minimum time the robot needs to return home is y.
Here the highest value y for which we can prove this property is the minimum time the robot needs to return home.
For a single robot, we believe that the most natural way to represent the foraging robot scenario is as above, with most timing constraints on the next operator. However, to represent multiple robots we would need a copy of each state and the formulae representing the transitions for each robot, i.e. propositions such as resting and grabFood would be parameterised by robot number (for example resting i and grabFood i for robot i). In this type of scenario and modelling, the next operator is working as a synchronisation point: all robots must move into another state together. In general, this does not accurately reflect the intended behaviour of robots as some robots may stay in the state they are currently in whilst others may change state. A potential solution to this would be to include the current state of the robot on the right hand side of the formulae under a next operator, as follows so that the robots do not have to change state at the same time. However this introduces other issues as the robot can now stay in the resting state for longer than T r time units.
To model this correctly we would need to adopt an approach more like how we have dealt with the timings for searching, i.e. formulae for each transition in the state transition system, one denoting the possible next states and one denoting the required timing constraints to move out of the current state [like Eq. (1)]. We also need to introduce a new propositional variable for each robot, for each state, to denote the place where the proposition for that state changes from being false to becoming true. We need this so we can identify when we first entered some state so we can formalise the maximum time we can stay in this state. To illustrate this approach, we focus on the state resting i in the following. Here, we denote the new propositional variable that indicates a state change by startResting i and impose the following constraint on it.
Next, for robot i, to represent the transition out of the state resting i we would have the following formulae, the first denoting the next possible states of robot i and the second enforcing the maximum time that robot i can be in the resting state.
An alternative to the above two formulae would be using an until operator as follows Although we have introduced the proposition startResting i to ensure the relevant timed formulae only hold from where resting i first became true it is only essential here when the left hand side of the timing constraint is greater than one. Consider the following timed state sequence as an example. Let ρ = (σ, τ ) be the timed state sequence where τ (0) = 0, τ (1) = 3, τ (2) = 4, and τ (3) = 10 where (ρ, 0) | resting i , (ρ, 1) | resting i , (ρ, 2) | ¬resting i and (ρ, 3) | ¬resting i . We consider using [0,∞) (resting i → ♦ [3,5] rather than [0,∞) (startResting i → ♦ [3,5] ¬resting i ) In ρ, resting i changes from true to false within 3-5 time units from where resting i was first true, as τ (2) − τ (0) ∈ [3,5]. So (ρ, 0) | ♦ [3,5] ¬resting i and therefore (ρ, 0) | (resting i → ♦ [3,5] ¬resting i ) However (ρ, 1) | ♦ [3,5]  The timing aspects of other examples relating to robots could also be modelled. For example a personal robot assistant located in a house equipped with sensors that inform the robot about the state of the house and its participants is considered in [18,19,57]. The robot actions are controlled by a set of behaviours. These are of the form of "if …then …" where the "if" part depends on state of the robot, sensor data and internal variables and the "then" part contains a sequence of robot actions. These contain several timing aspects for example "wait ten seconds", "wait an hour" etc that we could model using this logic.

Traffic Lights
Consider a pair of traffic lights at a junction with two roads, R1 and R2, crossing each other. Traffic light one is for road R1 and traffic light two is for road R2. As road R1 is busier, there is a camera to detect when there are cars waiting for traffic light 1. This makes the lights have different behaviour so the problem is not symmetric.
We use the following propositional variables to denote the states that the traffic lights and the detection sensor can be in: r i traffic light i is at red; a r i traffic light i is at amber following being at red; a g i traffic light i is at amber following being at green; a i traffic light i is at amber (i.e. one of the above holds); g i traffic light i is at green; detect traffic light one detects cars waiting; change i traffic light i has just changed colour; Traffic light i ∈ {1, 2} is exactly red, amber or green at every moment in time.
Traffic light i ∈ {1, 2} is at amber if and only if either it is at amber after red or amber after green (at every moment in time). Note that while our modelling here does not explicitly allow the red and amber lights to both be on together, as is common in traffic light sequences in Europe, our use of two different propositional variables for amber after red and amber after green allows us to differentiate between these situations.
Traffic light i ∈ {1, 2} cannot be both amber after red and amber after green at the same moment in time.
[0,∞) (¬a r i ∨ ¬a g i ) If one traffic light is green the other is not green.
The sequence of the traffic lights is red, then amber, then green, then amber, then red, and so on. Both traffic lights eventually change to amber after having been at green, stay at amber after green between one and two time units before changing to red, and stay at amber after red between one and three time units before changing to green. The formalisation of these constraints requires some careful consideration. For instance, one might consider the formula [0,∞) (a g 1 U [2,3] r 1 ) as a possible way of expressing that red follows amber after green within two or three time units. However, together with the constraints above, it is unsatisfiable: suppose there is a timed state sequence ρ = (σ, τ ) that satisfies our constraints. For any i ∈ N, (a g 1 U [2,3] r 1 ) is true at (ρ, i) and there exists k ≥ i with τ (k) − τ (i) ∈ [2, 3] and r 1 is true at (ρ, k). But since (a g 1 U [2,3] r 1 ) is always true, it is also true at (ρ, k) and since 0 / ∈ [2, 3], a g 1 must be true at (ρ, k). This contradicts the constraint that a g 1 and r 1 cannot both be true at any state. In the following we make use of the proposition change i together with a particular colour as a guard making sure that the timing constraints hold when a light changes to that colour.
The variable change i holds in the first moment in time and also if the traffic light was not red, (respectively amber, green) in the previous moment and is now red (respectively amber, green).
Strictly, for a formula such as [0,∞) (g 1 U [0,∞) a g 1 ), expressing that traffic light 1 stays green until it eventually changes to amber after green, where the lower bound on the interval restricting the until operator is 0, we do not need a guard, but add one anyway in order to obtain the following more uniform formalisation.
Regarding the change from red to amber, the two traffic lights behave differently. The following two formulae state that traffic light 1 will eventually change to amber after having been red, while traffic light 2 will do so after 0 to 4 time units.
Finally, if the car detection sensor on road R1 detects a car and the traffic light is not green then it will be green within 3 time units.
Properties we would like to check are as follows.
-Infinitely often each traffic light will be green.
-If a car is detected on road R1 then the wait will be at most x time units.
It is worthwhile to note that the property [0,∞) (detect → ♦ [1,x ] g 1 ) is not provable for any value of x . In a countermodel, g 1 always holds at exactly the same states as detect, i.e. it is true in states where detect is true and false in states where detect is false. This satisfies the constraint (5) trivially. Also (6) is still satisfied due to the until constraints forcing the correct light sequence thereby falsifying ♦ [1,x ] g 1 . -If traffic light 2 is currently red then it will be green within 1 to y time units.
[0,∞) (r 2 → ♦ [1,y] Here the property [0,∞) (r 2 → ♦ [0,y] g 2 ) would hold for exactly the same values of y as property (8). This follows from the constraint that the traffic lights cannot be red and green at the same time.
-If a traffic light is currently amber or red, then a car has to wait at most z time units until the traffic light will be green. We could try to formalise this property as However, the first conjunct of (9) does not follow from our specification as there is no upper bound on the time that traffic light 1 can stay red if no car is detected. In order to correctly formalise the property we have to include that the presence of a car makes detect true:

Multiprocessor Job-Shop Scheduling
Our next example is a generalisation of the classical job-shop scheduling problem, called the Multiprocessor Job-shop Scheduling (MJS) problem [16,27]. The representation provided is based on that in [17]. Here a set of jobs have to be processed on a set of machines running in parallel. Each job requires a number of processor steps to complete (this number may also depend on the machine, i.e., job i may run faster in machine j than in machine l). The question is whether there is a schedule such that after t time units all jobs will have been processed by the machines. We use this example to illustrate encodings with both the strict and non-strict semantics. Under the strict semantics we use propositional variables run j i m l to encode that job j i is running on machine m l , whereas in the non-strict semantics we use separate propositional variables m l for machines and run j i for (the execution of) jobs. So, the strict semantics uses quadratically more propositional variables than the non-strict semantics. This is due to the fact that in the non-strict semantics we can encode parallelism by associating multiple states with the same time point. Our encodings have the property that there is a schedule if and only if there is a model for the resulting MTL formulae. One can use any model of the MTL formulae to create a schedule satisfying the constraints of an instance of the problem.
We first show how one can encode the problem in MTL with the strict semantics and then we show the encoding with the non-strict semantics.

Strict Semantics
Assume we have n jobs j 1 , j 2 , . . . , j n and k machines m 1 , m 2 , . . . , m k . Let start Run j i , run j i and has Run j i denote the start, the execution and the end of the execution of job j i on some machine, respectively; start Run j i m l and run j i m l denote the start and the execution of job j i on machine m l , respectively; and t j i m l to denote the time taken to run job j i on machine m l .
The following formulae state that (11) once a job starts running it must start running on one of the machines and that (12) once a job starts running on a machine it must run on that machine (where 1≤i≤n and 1≤i≤n,1≤l≤k in front of the formulas is omitted for brevity) [0,∞) (start Run j i m l → run j i m l ) (12) The parametric formula (13) states that: if a job is running on one machine then it cannot be running on another (integrity of jobs); and another job cannot be running on the same machine (integrity of machines). By parametric formula (14), once a job has started it cannot be started again.
[0,∞) (run j i m l → ( k p=1, p =l ¬run j i m p ∧ n q=1,q =i ¬run j q m l )) (13) [0,∞) (start Run j i → [0,∞) [0,∞) ¬start Run j i ) (14) We write ¬run j i as a short hand for k l=1 ¬run j i m l . We can use (15) to denote that once job j i is started to run on machine m l it takes time t j i m l and (16) to denote that once job j i has finished running on machine m l it will not run again. Further, parametric formula (17) denotes that job j i cannot be run until it has started.
[0,∞) (start Run j i m l → [0,t j i m l −1] run j i m l ∧ ¬has Run j i ) (15) [0,∞) (start Run j i m l → [t j i m l ,∞) (¬run j i ∧ has Run j i )) (16) [0,∞) (¬run j i U start Run j i ) (17) We assume that initially no jobs have run, i.e., n i=1 ¬has Run j i ; and that (18) if a job has not run and is currently not running then it will not have run in the next moment.
We can now check whether we can achieve a schedule after at most t time points by adding has Run j i . We can also specify constraints on jobs such as [1,∞) start Run j m ): job j i must start before job j m (note that this formalisation relies on the fact that each job is started exactly once); -♦ [c,d] start Run j i : job j i must start at a point within the interval [c, d].

Non-Strict Semantics
We again assume we have n jobs j 1 , j 2 , . . . , j n and k machines m 1 , m 2 , . . . , m k . Let start Run j i and has Run j i denote the start and the end of job j i on some machine, respectively; run j i denote that job j i is running on some machine; and t j i m l denote the time taken to run job j i on machine m l .
In each state exactly one of the variables of the form m l is true. Also, in each state at most one job is running, but now we may have multiple states at the same time. Let Π m = {m 1 , . . . , m k } and Π j = {run j 1 , . . . , run j n }. The following states the constraints mentioned above (the meaning of ⊕ =1 and ⊕ ≤1 is as described in Sect. 2): Parametric formula (20) specifies that if a job is running on one machine then it cannot be running on another. Parametric formula (21) states that once a job is started it cannot be started again (where 1≤i≤n,1≤l≤k and 1≤i≤n is again omitted).
to denote that once job j i started to run on machine m l it takes time t j i m l and (23) to denote that once job j i has finished running on machine m l it will not run again. Further, we use [0,∞) (¬run j i U start Run j i ) to state a job j i cannot be run until it is started and [0,∞) (¬has Run j i U start Run j i ) to state that a job cannot have run before it starts (another rule above will make sure that has Run j i will hold after the run has finished). We assume that initially no jobs have run, i.e., n i=1 ¬has Run j i . We can now check whether we can achieve a schedule after at most t time points by adding ♦ [0,t] n i=1 has Run j i and checking for satisfiability.

From MTL to LTL: Encoding 'Gaps'
Next we provide satisfiability preserving translations from MTL formulae for discrete time models into LTL using a new propositional variable gap, which is intended to hold at LTL states corresponding to unmapped time points in MTL models. Assume that our MTL formulae are in NNF and FNF. The main idea for our translation is to map each timed state sequence ρ = (σ, τ ) into a state sequence σ such that ρ = (σ, τ ) is a model of an MTL formula if, and only if, σ is a model of our LTL translation. We first present our translation using the strict semantics and then show how to adapt it for the non-strict semantics, where multiple states are allowed to be mapped to the same time point. Our LTL translations are exponential in the size of the input formula in MTL due to the binary encoding of the numbers in the intervals. This blow up is unavoidable and optimal, since reasoning in MTL is ExpSpace-hard and an exponential size LTL translation gives an ExpSpace upper bound.

Strict Semantics
For every model of a MTL formula there is going to be a model of the translated formula, such that ¬gap is true in those states σ j of σ such that there is i ∈ N with τ (i) = j and gap is true in all other states of σ . We now define our mappings between MTL and LTL models. Definition 1 Given a timed state sequence ρ = (σ, τ ), we define a state sequence σ = σ 0 σ 1 . . ., where σ j is as follows:  [2,3] p. Table 1 presents the translation of formulae of the form I α, Observe that, in the definition of · , recursion is only used to deal with the case where 0 occurs on the left side of an interval. As shown in Table 1, we translate [2,3] Note that the state sequence represented on the right side of Fig. 2 is a model of the translation. Since gap is a propositional variable not occurring in σ , the time points mapped by the image of τ do not contain gap. Definition 2 Given a state sequence σ such that (σ , 0) | ¬gap ∧ (♦¬gap), we inductively define ρ = (σ 0 , τ (0))(σ 1 , τ (1)) . . ., where (σ 0 , τ (0)) = (σ 0 , 0) and, for i, j, k ∈ N and i > 0, (σ i , τ (i)) is as follows: The following two propositions are useful for the proof of Theorem 1. Since gap is a propositional variable not occurring in σ , the time points mapped by the image of τ do not contain gap. Then, it is easy to see the following.

Proposition 1 Given a timed state sequence
The state sequence σ in Definition 2 is such that (σ , 0) | ¬gap ∧ (♦¬gap). Consequently, for the timed state sequence constructed in Definition 2 we have that for each i ∈ N, τ (i) ∈ N. Also, for i > 0, τ (i) > τ(i − 1) and, so, τ : N → N is well defined. The following proposition states this property.

Proposition 2 Given a state sequence σ such that
We are ready for Theorem 1, which states the correctness of our translation from MTL to LTL using 'gap's. One can use similar arguments to show Theorem 2.
be the result of replacing each ψ i in ϕ by ψ i as in Table 1.
Thus, following Table 1, we only need to show correspondences between ψ i and ¬gap ∧ ψ i . This follows from Claims 1-3 below (other cases are similar), where ρ = (σ, τ ) is a timed state sequence and j ∈ N. Let C − 1 be the greatest number occurring in an interval in ϕ or 1, if none occur. We argue that, for all natural numbers c 1 with 0 < c 1 ≤ c 2 < C, the following claims hold.
. By Definitions 1 and 2, this happens iff (σ , τ ( j +1)) | ¬gap∧α and there is no Proof By the semantics ofŨ, we have that Example Assume that we are given the following MTL formula in NNF and FNF: Table 1, we translate ϕ into LTL as follows (recall that

Non-Strict Semantics
We now show how we modify the Gap translation for non-strict timed state sequences. We introduce a fresh propositional variable called 'same'. same is true exactly in those states σ j of σ such that there is i ∈ N with τ (i) = j and, for i > 0, τ (i) = τ (i − 1). Note that same and gap cannot both be true in any state. We say that a state s is a gap state if gap ∈ s. We now define our mappings between MTL and LTL models. Definition 3 Let ρ = (σ, τ ) be a non-strict timed state sequence. We define σ = σ 0 σ 1 . . . by initially setting σ = σ and then modifying σ with the two following steps:   Table 2 presents our translation of formulae of the form I α, α 1 U I β or αŨ I β, as in Table 1. As shown in Table 2, we translate ♦ [2,2] The main distinction from the translation presented in Table 1 is that here we use nested until operators to make progress in our encoding of the time line whenever we find a state with ¬same. Note that the state sequence represented on the right side of Fig. 3 is a model of the translation (recall that ♦ [2,2] q ≡ (true U [2,2] q)).

Definition 4 Let σ be a state sequence such that
We first define τ : N → N by setting τ (0) = 0 and, for i > 0, τ (i) is as follows: if σ j is the i+1-th non-gap state and same ∈ σ j τ (i−1)+k+1 otherwise, where k ≥ 0 is the number of gap states between the i-th and i + 1-th non-gap states. We now define σ as follows: We are ready for Theorem 2, which states the correctness of our translation from MTL to LTL using the variables 'gap' and 'same'. Table 2. Then, ϕ is satisfiable if, and only if, Proof (Sketch) We use Definitions 3 and 4 to map models of ϕ into models of ϕ ∧ ¬gap ∧ (♦¬gap) and vice versa. The correctness of our translation is again given by a structural inductive argument. As mentioned, the main difference w.r.t. to Theorem 1 is that here we use the propositional variable same to encode multiple states mapped to the same time point.  Table 1 MTL Non-strict gap translation

From MTL to LTL: Encoding Time Differences
Next we provide satisfiability preserving translations from MTL formulae for discrete time models into LTL using new propositional variables to denote the time differences from the previous state. Assume that our MTL formulae are in NNF and FNF. Similar to the previous section our proof strategy relies on mapping each timed state sequence ρ = (σ, τ ) to a state sequence σ such that ρ = (σ, τ ) is a model of an MTL formula if, and only if, σ is a model of our LTL translation. We first show a translation under the strict semantics and then we show how to adapt it for the non-strict semantics. Our LTL translations here are also exponential in the size of the input formula in MTL due to the binary encoding of the numbers in the intervals, and thus, yield tight ExpSpace upper bounds.

Strict Semantics
We denote by C − 1 the greatest number occurring in an interval in an MTL formula ϕ or 1, if none occur. We say that a timed state sequence To map a timed state sequence ρ = (σ, τ ) to a state sequence σ we employ the following result adapted from [7].
Definition 5 Given a timed sequence ρ = (σ, τ ) and C ∈ N, we define a timed sequence ρ C = (σ C , τ C ) as follows: The following proposition states the main property of Definition 5.
We are now ready for Theorem 3.
Assume w.l.o.g. that ϕ is in NNF. Let sub(ϕ) be the set of all subformulae of ϕ. To prove this lemma, we argue by structural induction and show that for In the base case, ϕ is a propositional formula. Then, as is the left end-point of I ; or 3. (ρ, l) | χ for some l ∈ N such that τ (l) ∈ τ (i) + I and for all l ∈ N such that We make a case distinction. In Case (1), we have to establish that, for (2) and (3) can be proved with similar arguments.
By Theorem 3, w.l.o.g., we can consider only timed state sequences where the time difference from a state to its previous state is bounded by C. Then, we can encode time differences using propositional variables of the form s n m with the meaning that 'the sum of the time differences from the last n states to the current state is m'. For our translation, we only need to define these variables up to sums bounded by 2 · C. We can now define our mapping from an MTL model to an LTL model. 1 Definition 6 Given a C-bounded timed state sequence ρ = (σ, τ ), we define σ = σ 0 σ 1 . . . by setting σ 0 = σ 0 and, for i > 0: In Definition 6, if, for example, τ (2)−τ (0) = 4 then (σ , 2) | s 2 4 . Intuitively, the variable s 2 4 allow us to group together all the cases where the sum of the time differences from the last 2 states to the current state is 4. This happens when: By definition of σ , Lemma 1 is immediate (see definition of ⊕ ≤1 and ⊕ ≥1 in the Preliminaries).
Lemma 1 Let S C be the conjunction of the following: There is exactly one value k, 1 ≤ k ≤ C, that is going to be equal to the sum of the time difference of the last state to the current. This is encoded by s 1 k (Point 1). Point 2 ensures that at all times we cannot have more than one value for the sum of the time differences of the last i states. Finally, Point 3 has the propagation of sum variables: if the sum of the last j states is l and the time difference to the next is k then the next state should have that the sum of the last j + 1 states is l + k.

Remark 1
To simplify the presentation, in this section we used variables of the form s n m , where n ranges from 1 to C − 1 and m ranges from 1 (or from 0 for the non-strict semantics) to 2 · C (in fact 2·C −1 would be enough for the translation). As mentioned in Sect. 1, the exponential blow-up of the translations cannot be avoided. Though, we can have a slightly more succinct translation by encoding m in binary. So in our experiments, we encode variables of the form s n m with n · log m variables, where for each n we represent m in binary. For example, s 2 4 is encoded with s 2 2 ∧ ¬s 2 1 ∧ ¬s 2 0 . We now define our mapping from an LTL model of S C to an MTL model (for this mapping, we actually only need Point 1).

Definition 7 Given a state sequence
and: Note that ρ, in particular, τ , in Definition 7 is well-defined because for every i ∈ N there is exactly one k such that (σ , i) | s 1 k . Table 3 presents our translation of formulae of the form I α, α 1 U I β or αŨ I β, as in Tables 1 and 2. As shown in Table 3, we translate, for example, [2,3] The following two propositions are useful for the proof of Theorem 4.
We now show Theorem 4, which states the correctness of our translation using time differences. One can use similar arguments to show Theorem 5.

an MTL formula in NNF and FNF. Let
be the result of replacing each ψ i in ϕ by ψ i as in Table 3.
Also, ϕ ∧ S C is satisfiable if, and only if, there is a state sequence σ such that (σ , 0) | ϕ ∧ S C . Given σ , let ρ = (σ, τ ) be a C-bounded timed state sequence as in Definition 7. By definition of σ , for all propositional variables p i occurring in σ but not in 1≤i <C Π i and all j ∈ N, we have (ρ, j) | p i iff (σ , j) | p i . Clearly, for any propositional formula Thus, following Table 3, we only need to show correspondences between ψ i and ψ i . This follows from Claims 4-6 below (other cases are similar), where ρ = (σ, τ ) is a C-bounded timed state sequence. We argue that, for all natural numbers c 1 with 0 < c 1 ≤ c 2 < C, the following claims hold.

Non-Strict Semantics
We now show how we modify the Time Difference translation for non-strict timed state sequences. We extend the set Π 1 = {s 1 i | 1 ≤ i ≤ C} of propositional variables representing time differences with s 1 0 , which holds whenever the time difference to the previous state is 0. We say that a state is non-zero if the time difference to the previous state is non-zero. For m > 0, the meaning of the variables of the form s n m also needs to change. It now indicates that 'the sum of the time differences from the last n non-zero states to the current state is m'. As before, for our translation, we only need to define these variables up to sums bounded by 2 · C. We can now define our mapping from an MTL model to an LTL model.
Given a C-bounded non-strict timed state sequence (σ, τ ), we define a state sequence σ as in Definition 6, with the difference that, whenever τ (i) = τ (i − 1), we now make s 1 0 true in σ i and, for m > 0, we copy all variables of the form s n m in σ i−1 to σ i . Let S C be the conjunction of the following: in the same way as in Definition 7 (but now the time difference k can be zero). To simplify the notation, in Table 4 we write φ U n γ, χ as a shorthand for φ U (γ ∧ (φ U n−1 γ, χ)), where φ U 1 γ, χ = (φ U χ). Theorem 5 states the correctness of our translation (Table 4) using non-strict time differences. It can be proved with ideas similar to those used in the proof of Theorem 4. The main distinction appears in the translation of the 'until' formulas, where we nest until operators so that we can count n non-zero states and then check whether a variable of the form s n m holds (in the strict case all states are non-zero, so in Table 3 we can count these states with next operators). Table 4. Then, ϕ is satisfiable if, and only if, ϕ ∧ S C is satisfiable.
Proof (Sketch) We use our modified versions of Definitions 6 and 7 for the non-strict semantics to map models of ϕ into models of ϕ ∧ S C and vice versa. The correctness of our translation is again given by a structural inductive argument. As mentioned, the main difference w.r.t. to Theorem 4 is that here we use the propositional variable s 1 0 to encode multiple states mapped to the same time point.

Empirical Evaluation of the Translations
In order to empirically evaluate the translations, we have implemented them in SWI-Prolog and have used them together with the LTL satisfiability solvers Aalta, Leviathan, LS4, LWB-MOD, LWB-SAT, NuSMV-BDD, NuSMV-SBMC, pltl (graph), pltl (tree), TRP ++ , and TSPASS. The sources of the implementation of the translations and all auxiliary files necessary to replicate the evaluation can be found at [31].
Aalta [1] implements the obligation-based LTL satisfiability checking algorithm for finite and infinite traces devised by Li et al. [37]. We have performed experiments with both versions 1.2 and 2.0 of Aalta. As Aalta 2.0 was consistently several orders of magnitude faster than Aalta 1.2, we will only report the results for the latest version of Aalta.
NuSMV 2.6.0 [45] uses a reduction of the LTL satisfiability problem to the LTL model checking problem [15]. It is then possible to decide the latter problem either using a BDD-based algorithm (NuSMV-BDD) or a SAT-based algorithm (NuSMV-SBMC). We considered these to be two different solvers as they often exhibit different behaviours. We use NuSMV-BDD with the options dynamic for dynamic reordering and elbwd for backward image computation, for NuSMV-SBMC we have enabled the completeness check.
The Logics Workbench 1.1 (LWB) [39] contains implementations of two different LTL solvers. The first is a two-pass tableau-based decision procedure developed by Janssen [34] which underlies the provable and satisfiable functions of the pltl module of LWB. In the following we denote this procedure by LWB-SAT. The second is a one-pass tableau calculus by Schwendimann [50] which underlies the model function of the pltl module. In the following we denote this procedure by LWB-MOD. In contrast to LWB-SAT, LWB-MOD returns a model for satisfiable formulae. We again, consider these to be two different solvers as the underlying calculi are distinct.
Leviathan [36] is an LTL satisfiability checking and model building tool that implements a novel one-pass tableau calculus by Reynolds [11,49].
The pltl [47] system implements two tableau-based methods. The tree method is again based on Schwendimann's one-pass tableau calculus, the graph method is based on a one-pass and-or tree tableau calculus [26] resulting in a time complexity optimal decision procedure for LTL. We denote the former by pltl (tree) and the latter by pltl (graph). Neither of the two methods returns a model. In this section we will only report results for pltl (graph) as it always performs better than pltl (tree).
TRP ++ 2.2 [54] is based on an ordered resolution calculus that operates on LTL formulae in a clausal normal form [32], while TSPASS [56] extends that calculus to monodic firstorder linear time temporal logic over expanding domains [42]. We use TSPASS with the ModelConstruction option so that it returns a model for satisfiable formulae [41]. It should be noted that this model construction potentially requires significantly more resolution inferences to be performed than are necessary to just decide the satisfiability of a formula. Thus, the way we use TSPASS puts it as a distinct performance disadvantage over TRP ++ although both perform very similar inference steps when just deciding the satisfiability of an LTL formula.
LS4 [40] is an LTL-prover based on labelled superposition with partial model guidance developed by Suda and Weidenbach [52]. It operates on LTL formulae in the same clausal normal form as TRP ++ . LS4 optionally returns a model for satisfiable formulae.
We focus on formulae where differences between the two translations could lead to differences in the behaviour of solvers on these formulae. In particular, for (α U [c 1 ,c 2 ] β) or ♦ [c 1 ,c 2 ] β, the Strict and Non-Strict Time Difference Translations contain disjunctive subformulae of the form c 1 ≤ j≤c 2 s i j that have no equivalence in the Strict and Non-Strict Gap Translations of that formula. Each sum variable s i j is also subject to the constraints expressed by S C . The hypothesis is that the Gap Translations lead to better behaviour of solvers on such formulae. On the other hand, for [c 1 ,∞) α both Gap Translations contain an eventuality formula gap U (α ∧ ¬gap) that is not present in the Time Difference Translations of this formula. Here, the hypothesis is that the Time Difference Translations lead to better behaviour of solvers.
To test our two hypotheses, we consider the unsatisfiable parametrised formulae After transformation to Flat Normal Form, we apply one of the four translations, and run a solver five times on the resulting LTL formula (with a timeout of 1000 CPU seconds), and then determine the median CPU time over those five runs. We refer to that median CPU time as the runtime. The repeated runs are necessary to moderate the fluctuations shown by all LTL solvers in the CPU time used to solve a particular formula. The experiments were conducted on a PC with Intel i7-2600 CPU @ 3.40 GHz and 16 GB main memory.
Recall that for the Time Difference Translations we encode variables of the form s n m with n · log m variables, where for each n we represent m in binary, e.g., s 2 4 is encoded with s 2 2 ∧ ¬s 2 1 ∧ ¬s 2 0 . In the following tables and graphs we denote this variant by 'bTD' to distinguish it from the variant used for related experiments in [33] and denoted by 'TD' there. Tables 5 and 6 show the runtimes for the combination of our translations with the various LTL solvers on θ 1 b 1 , with values of b 1 between 1 and 10, and on θ 2 b 2 , with values of b 2 between 10 and 100 in steps of 10, respectively. An entry 'T/O' indicates that the timeout of 1000 CPU seconds was exceeded by an LTL solver while an entry 'Fail' indicates that the LTL solver encountered some other error condition and stopped before the timeout was reached. This is often a memory allocation error or some internal data structure running out of space. Figures 4 and 5 show the same data in the form of 'heat maps' where different colours are used to represent different ranges of runtimes. This allows us to easily recognise significant differences in the performance of the various combinations of translations and LTL solver.

Table 5
Runtime, in CPU seconds, required to solve  Table 5 continued TD  Table 6 Runtime, in CPU seconds, required to solve Each rectangle represents the runtime in CPU seconds of a particular combination of a translation with respect to the strict/nonstrict semantics and an LTL solver on one instance of θ 1 b 1 , with runtimes given in colours as follows: The results in Table 5 and Fig. 4 confirm our hypothesis that on θ 1 b 1 the Gap translations will lead to better performance than the Time Difference translations. For both the strict and nonstrict semantics, for all LTL solvers, and for all values of b 1 considered, the Gap translations result in better or equal performance than the Time Difference translations (highlighted in bold in the Table 5), with the vast majority of entries indicating a significantly worse performance for the Time Difference translations.
Regarding the strict versus the non-strict translations, we would expect that a non-strict translation results in worse performance compared to the corresponding strict translation as the search space for an LTL solver is larger. This is indeed the case for all provers.
The best performing combination is Gap + Aalta. The most 'robust' LTL solver, in the sense of producing the lowest total runtime across all translations and all instances of The results in Table 6 and Fig. 5 also largely confirm our hypothesis that on θ 2 b 2 the Time Difference translations will lead to better performance than the Gap translations. In total we have considered ten LTL solvers with two translations under two different semantics, giving us twenty points of comparison between a Time Difference translation and a Gap translation, each over ten instances of θ 2 b 2 . In Table 6 we have highlighted in bold all instances where a Time Difference translation leads to better or equal performance and in italics all instances where the opposite is true. We see that for only seven instances the latter is the case, six of them for pltl (graph).
The reason is that most of background theories S C and S C that form part of the Time Difference Translations turn out not to be relevant to the (un)satisfiability of (θ 2 b 2 ) . Most , with runtimes given in colours as follows: provers appear to be able to derive a contradiction without too many inferences involving S C or S C , while pltl (graph) does not. If one restricts S C and S C by hand to smaller sets strictly necessary to establish the (un)satisfiability of (θ 2 b 2 ) , then pltl (graph) also performs better with the Time Difference Translations than with the Gap Translations on all instances.

Strict Semantics Non-Strict Semantics bTD + Aalta
Aalta, LS4 and TRP ++ with a Time Difference translation as well as pltl (graph) with a Gap translation can solve all instances in negligible time. The most 'robust' LTL solver on θ 2 b 2 over all translations is pltl (graph). Overall the evaluation presented in this section confirms that no translation is always strictly 'better' than the other. It will depend on the characteristics of the formula and sometimes on the LTL solver whether a Time Difference translation or a Gap translation results in better performance and therefore in a greater likelihood of deciding a formula in reasonable time. However, the experiments also show the significant performance improvements that can be achieved by choosing the 'right' translation and, arguably, the simplicity of the Gap translations means that more often than not it is the translation to use. The experimental results presented in the next section provide additional support for this.

Examples Revisited
In the following we revisit the examples given in Sect. 3. For the foraging robots, traffic lights and multiprocessor job-shop scheduling scenarios, we have stated a range of properties that we will now attempt to prove using our translations together with the LTL solvers Aalta, Leviathan, LS4, LWB-MOD, LWB-SAT, pltl (graph), NuSMV-BDD, NuSMV-SBMC, TRP ++ , and TSPASS. The collection of MTL formulae for the specifications and properties can again be found at [31].

Foraging Robots
For the foraging robots example we use the specification given in Sect. 3.1 with the maximum time that the robot can be spent resting T r = ∞, the maximum time that the robot be spent searching for food T s = 5, and the maximum time that the robot needs to get home with our without food T d = 2. Let Σ FR denote the conjunction of the formulae in the specification. We want to prove that the following properties follow from Σ FR : -Having left home the robot will eventually reach home again.
The lowest value x for which we can prove that (F x 2 ) follows from Σ FR is the maximum time the robot needs to return home. For our choice of T d , T r and T s that lowest value of x is 9 and in our experiments we consider F 8 2 and F 9 2 , i.e., x = 8 and x = 9, respectively. -The minimum time the robot needs to return home is y.
3 ) The highest value y for which we can prove that (F y 3 ) follows from Σ FR can be proved is the minimum time the robot needs to return home. This value is independent of the choice of T d , T r and T s , instead it depends on the lower bounds in relevant intervals. For Σ FR that highest value of y is 3 and in our experiments we consider F 3 3 and F 4 3 , i.e., y = 3 and y = 4, respectively.
To prove that Σ FR → ϕ holds, we check the unsatisfiability of Σ FR ∧¬ϕ. In Table 7 we denote Σ FR ∧ ¬ϕ byφ in the first column. The second column indicates whetherφ is satisfiable (S) or unsatisfiable (U). The remaining columns of the table show the runtime for each translation and each prover. We again have used a timeout of 1000 CPU seconds and as before 'T/O' in the table indicates that a prover was not able to determine the satisfiability of the translated formula within that time while 'Fail' indicates that an LTL solver encountered some other error condition and stopped before the timeout was reached.
On all formulae each LTL solver, except TSPASS, performs better with the Gap Translation than with the Time Difference Translation. Only LS4 is able to decide the satisfiability of all formulae with both translations. LWB-MOD and NuSMV-BDD are able to decide the satisfiability of all formulae with the Gap Translation but fail to decide any of the formulae with the Time Difference Translation. The latter is also true for LWB-SAT, pltl, and TRP ++ . TSPASS is the only system showing better performance with the Time Difference Translation, it can solve two unsatisfiable formulae with that translation but none with the Gap Translation.

Traffic Lights
For the traffic lights example we use the specification given in Sect. 3.2, denoted by Σ TR . We want to prove that the following properties follow from Σ TR : Table 7 Runtime, in CPU seconds, required to solve Foraging Robot properties by a particular combination of a translation and an LTL solver -If a car is detected on road R1 then the wait will be at most x 1 time units.
(T x 2 ) This property holds for x ≥ 3 but not 0 ≤ x < 3. In our experiments we consider T 2 2 and T 3 2 , i.e., x = 2 and x = 3, respectively. -If traffic light 2 is currently red then it will be green within 1 to y time units.
3 ) This property holds for y ≥ 7 but not 0 ≤ y < 7. Consequently, we will consider T 6 3 and T 7 3 , i.e., y = 6 and y = 7. -If a traffic light is currently amber or red, then a car has to wait at most z time units until the traffic light will be green.
This property should hold for z ≥ 9 but not 0 ≤ z < 9 and we focus on T 8 4 and T 9 4 .
As for the Foraging Robots example, in order to prove Σ TR → ϕ for an MTL formula ϕ, we check the unsatisfiability of Σ TR ∧ ¬ϕ. In Table 8 we denote Σ TR ∧ ¬ϕ byφ in the first column. The second column indicates whetherφ is satisfiable (S) or not (U). The remaining columns show the runtime for each translation and each prover. We have for the first time included results for pltl (tree), as there are instances on which it performs better than pltl (graph).
As we can see, these formulae are much more challenging than those for the Foraging Robots example. This is not surprising if, for instance, one considers the state space of potential models for our specifications. A robot could only be in one of nine states. In contrast, each of the two traffic lights can be in one of four states plus we have a sensor that can be in one of two states. That already gives us 32 global states, only two of which are straightforwardly excluded by the constraint that not both traffic lights can be green at the same time. Furthermore, for the Foraging Robots example we only had one 'defined' propositional variable searching that had a rather straightforward definition while in the Traffic Lights example we have change 1 and change 2 that are subject to much more complicated temporal constraints.
As a consequence, only NuSMV-BDD with the Gap Translation and LS4 with the Time Difference Translation can solve all formulae. For LS4 the Gap Translation still results in better performance on all formulae that can be solved by both translations within the time limit. The same is true for NuSMV-SBMC and for Aalta. LWB-SAT, pltl, TRP ++ and TSPASS fail to solve a single formula with either translation within the timeout.

Multiprocessor Job-Shop Scheduling
Regarding the Multiprocessor Job-shop Scheduling problems (MJS problems for short) we made the simplifying assumption that a job j i , for each i, 1 ≤ i ≤ n, takes the same amount of time t i on whichever machine it is processed on. We can then characterise an MJS problem by stating (i) a job list J consisting of a list of durations (t 1 , . . . , t n ), (ii) the number k of machines available, and (iii) the time bound t. In Eqs. 15, 16, 22 and 23, for every i, 1 ≤ i ≤ n, and every l, 1 ≤ l ≤ k, t j i m l will be given by t j i . The time bound t is used in the formula ♦ [0,t] n i=1 has Run j i that expresses the requirement for a schedule that completes all n jobs on k machines in at most t time points.

Table 8
Runtime, in CPU seconds, required to solve traffic lights properties by a particular combination of a translation and an LTL solver It is an interesting characteristic of the MTL formulae for MJS instances that unsatisfiable MTL formulae are smaller than satisfiable MTL formulae. A time bound t that is too small leads to an MJS problem for which no schedule exists that can complete all jobs within the given time bound while a sufficiently large time bound guarantees that such a schedule can be found. By our encodings, a small time bound results in a smaller LTL formula than a large time bound. The difference in size is more pronounced for the Time Difference Translations than for the Gap Translations. This is in contrast to, say, random 3CNF formulae or random modal K 3CNF formulae that are often used for benchmarking SAT solvers or modal logic provers, where unsatisfiable formulae tend to be larger than satisfiable formulae.
For our experiments we created 36 MJS problems with a number n of jobs between 1 and 4, a duration t i of a job between 1 and 4, a number k of machines between 1 and 3 and finally a time bound t between 0 and 5. We then constructed MTL formulae for the strict semantics and the non-strict semantics according to the formalisations in Sect. 3.3. Finally, we used a combination of one the encodings with an LTL solver to determine the satisfiability of each MTL formula, or if the LTL solver has that capability, attempt to find a model for it, with a timeout of 1000 CPU seconds.
If an LTL solver reports that the formula resulting from an MJS problem with n jobs, k machines and time bound t is satisfiable, then a schedule exists that completes all n jobs on k machines within t time points. However, this provides us with no information about what that schedule might be. If for a satisfiable formula the LTL solver also returns a model, then the information at which time point start Run j i m l (or start Run j i ∧ m l for the non-strict semantics) becomes true indicates when a particular job has to be started on a particular machine in order to complete all jobs within the time bound, thus, the model provides us with a schedule.
Among the systems included in our experiments, only Leviathan, LS4, LWB-MOD, NuSMV-BDD, NuSMV-SBMC, and TSPASS can produce models and have been used with the command line options that require them to do so. Tables 9, 10, 11, 12, 13, 14 show the results for the formalisation of MJS problems in MTL with strict semantics and non-strict semantics, respectively. The first three columns in each table show the job list J , the number k of machines and the time bound t. The fourth column indicates whether the corresponding MTL formula is satisfiable (S) or unsatisfiable (U). The remaining columns of the table show the runtime for each translation and each prover ('T/O' indicates timeout, 'Fail' indicates that the solver encountered some error condition before reaching the timeout). Figure 6 shows the same data in the form of a heat map.
Regarding the formalisation of MJS problems in the strict semantics, we see in Fig. 6 and Tables 9, 10, 11 for the 296 MJS problem for which an LTL solver can determine its satisfiability with either the Gap or the Time Difference Translation, for 183 problems the Gap Translation results in better performance, for 32 problems the opposite is true, while for 81 problems we get the same performance. The two LTL solvers for which the Time Difference Translation regularly results in better performance are TRP ++ and TSPASS. The Gap Translation together with LS4 offers the best performance for every instance.
Regarding the formalisation of MJS problems in the non-strict semantics, the most striking observation we can make from Fig. 6 and from the data in Tables 12, 13, 14 is how much more challenging the corresponding LTL satisfiability problems are for all the provers. In total there are 36 MJS problems on which we benchmarked 11 LTL solvers / settings with 2 different translations producing a total of 792 results. Of these 449 were timeouts, compared to 206 timeouts for MJS problems in the strict semantics. In a further 130 instances an LTL solver failed, that is, it encountered a memory allocation error, exhausted the limited size of some internal data structure, or produced some other internal failure before reaching the timeout. Table 9 Runtime, in CPU seconds, required to solve MJS problems by a particular combination of a translation with respect to the strict semantics and an LTL solver (LWB-MOD,

Table 12
Runtime, in CPU seconds, required to solve MJS problems by a particular combination of a translation with respect to the non-strict semantics and an LTL solver

Table 13
Runtime, in CPU seconds, required to solve MJS problems by a particular combination of a translation with respect to the non-strict semantics and an LTL solver 1.02 Non-Strict Semantics bTD + Aalta Gap + Aalta bTD + Leviathan Gap + Leviathan bTD + LS4 Gap + LS4 bTD + LWB-MOD Gap + LWB-MOD bTD + LWB-SAT Gap + LWB-SAT bTD + NuSMV-BDD Gap + NuSMV-BDD bTD + NuSMV-SBMC Gap + NuSMV-SBMC bTD + pltl (graph) Gap + pltl (graph) bTD + pltl (tree) Gap + pltl (tree) bTD + TRP ++ Gap + TRP ++ bTD + TSPASS Gap + TSPASS Fig. 6 Heat map for the performance of LTL provers on MJS problems. Each rectangle represents the runtime of our two encodings of the MJS problem, with runtimes given in colours as follows:  It is worth pointing out that MJS is not our intended domain of application for the translations we have presented. There is a lot of symmetry in these problems that a more specialised solver can take advantage of while LTL solvers are oblivious to it, e.g., the order in which jobs are executed on a particular machine does not affect the overall time to completion nor does the choice of machine. However it provides us with a parameterised problem set on which we can experiment for both semantics. For problems containing less symmetry that can naturally be formalised in MTL, and for which scheduling or planning is just one part of it, the approach used here can be beneficial.
In     Table 15, we translate E [2,3] p into: ∧ p)))). Note that the state tree represented on the right side of Fig. 7 is a model of this CTL formula. Since gap is a propositional symbol not occurring in , the states from W ⊆ W do not contain gap.
The next proposition follows straightforwardly from Definition 10.
We are ready for Theorem 6, which shows correctness of our translation from CTL M to CTL using 'gap's.
be an CTL M formula in NNF and FNF. Let ϕ = p 0 ∧ i A( ( p i → (¬gap ∧ ψ i ))) be the result of replacing each ψ i in ϕ by ψ i as in Table 15. Then, ϕ is satisfiable if, and only if, ϕ ∧ ¬gap ∧ A( (A♦¬gap)) is satisfiable.
Thus, following our translation in Table 15, we only need to show correspondences between ψ i and ¬gap ∧ ψ i . This follows from Claims 7-9 below (other cases are similar).
In our claims, we use the following bijection between (infinite) paths π in T and π in T , which is implied by Definitions 10 and 11: π ∼ π if, and only if, π[0] = π [0] and ∀ j ∈ N, We now argue that, for all natural numbers c 1 , c 2 with 0 < c 1 ≤ c 2 < C, the following claims hold.

Claim 8 ( , w) |
Proof ( , w) | A(α U [c 1 ,c 2 ] β) iff for each π in T with π[0] = w, there is k ∈ N such that τ (π[k]) ∈ τ (w) + [c 1 , c 2 ] and ( , π[k]) | β; and ∀ j ∈ N, 0 ≤ j < k implies ( , π[ j]) | α. By Definitions 10 and 11, this happens iff there is a π in T such that π ∼ π and, for k = τ (π[k]) − τ (π[0]), ( , π [k ]) | ¬gap ∧ β and ∀ j ∈ N with 0 ≤ j < k , ( , π [ j]) | gap ∨ α. Since π was arbitrary, this holds for all such π. As ∼ is a bijection, we obtain this for all such π in T . Thus, ( , w) | A(α U [c 1 ,c 2 ] β) iff ( , w) | ¬gap ∧ (A(α U [c 1 ,c 2 ] β)) . Due to the binary encoding of constants, our translation is exponential in the size of the input. Then, since satisfiability of CTL can be decided in EXPTIME [21], we obtain 2EXPTIME as upper bound of this problem for CTL M . Our lower bound follows from the fact that we can translate CRTCTL (which is 2EXPTIME-complete), presented in [20], to CTL M . In CRTCTL, the models are the same as in CTL (infinite trees with a labelling function that maps nodes to propositional symbols) and the syntax extends CTL with formulae of the form Q(φ U ≤k ψ) and Q(φ U =k ψ), where Q ∈ {A, E} and k ∈ N. For example, E(trueU ≤5 p) means that there is a path in which p occurs within 5 states from now. In fact, we can see CRTCTL models as a special case of CTL M models where time differences from one state to another can only be 1. Then, one can easily translate CRTCTL formulae into CTL M by replacing temporal operators U ≤k with U [0,k] and U =k with U [k,k] . For the CTL temporal operators we add the interval [0, ∞). Finally we include A [0,∞) ( [1,1] true) to ensure that the time difference between states is always 1. For example, we translate E p ∧ A( p U ≤3 q) into E [0,∞) p ∧ A( p U [0,3] q) ∧ A [0,∞) ( [1,1] true).

Theorem 7 Satisfiability of CTL M is 2EXPTIME-complete.
As already mentioned in the introduction, propositional MTL has been proposed in the 90's by Alur and Henzinger [6,7] as a formalism for specifying quantitative temporal constraints. More recently, combinations of MTL with Description Logic [9,29] and Datalog [13,14] have also been investigated.
Since its proposal, several authors have used MTL to specify problems from a range of domains (security, robotics, among others). Karaman and Frazzoli use a fragment of MTL to specify some aspects of Vehicle Routing Problems (VRP) [35]. VRPs are a generalisation of the traveling salesman problem with a fleet of vehicles leaving from and returning to one or more departure locations, to delivery locations via a network of communication links e.g. roads or rail tracks, that also must satisfy certain constraints and minimizes transportation costs. In the mentioned work, their focus is on Unmanned Aerial Vehicles (UAVs) with target, launch and landing sites, times spent at the locations, as well as between them and parameters relating to relative risk for using a particular UAV and the time a UAV can be used without re-fueling [35]. This is solved by developing a Mixed-Integer Linear Programming (MILP) algorithm. The style of these problems is very similar to the job-shop scheduling examples we provided in Sect. 3.3, but an important difference is that problem specifications are not fully given in a logical formalism. A similar approach is taken by Zhou et al. [59], they applied a variant of MTL to formalise some constraints in motion planning problems in a dynamic environment for a UAV and for a car. Again, problems are translated into MILP.
Luo et. al define SMTL, an augmented version of a fragment of MTL, suitable for Scheduling Algorithms [43]. This language differs from ours as it has no next operator and the semantics is not pointwise. Fragments of SMTL are considered by restricting aspects of the language so each event can only occur a fixed number of times. They provide examples discussing how these fragments can be used to specify both Job Shop Scheduling and Temporal Networks. To find a schedule, a translation is provided into first order temporal logic and then to Satisfiability Modulo Theory (SMT).
Hoxha et. al describe a tool (Visual Specification Tool, VISPEC) that allows users that are not expert in logics or MTL to specify problems using a graphical formalism [30]. This is automatically translated into MTL. A usability study of the tool is provided and two applications relating to robot surgery and quadcopters are presented. The focus is on specifications rather than satisfiability checking that we consider here.
The robustness of signals modelling or controlling physical processes is considered by Fainekos and Pappas [22]. Robustness relates to how much a trajectory can be perturbed without changing the truth value of a specification expressed in the LTL or MTL. This work is used by Alqahtani et. al to consider safety in relation to path planning applied to an autonomous drone in an adversarial environment where specifications are given in MTL [3]. Robustness is further considered by Abbas et. al in the context of cyber physical systems [2]. They provide a testing framework that returns counterexamples using an MTL specification that minimises a robustness metric.
Thati and Roşu propose a runtime verification and monitoring approach for checking MTL formulae over execution traces of algorithms [53]. An algorithm is presented where both past and future-time MTL formulae are checked against timestamped execution traces. As we do, the authors also restrict the intervals on temporal operators to be natural numbers (or infinity) but also allow past-time operators. Models are timed state sequences allowing real-valued time points. Two subsets of MTL are also considered limiting the specifications to be checked to past-time MTL formulae and LTL. We note that this is a runtime verification approach rather than related to theorem proving.
A runtime verification and monitoring approach using MTL specifications applied to the security domain is presented by Gunadi and Tiu [28]. In particular, the authors consider the privilege escalation attack in the Android operating system. A privilege escalation attack occurs when access services or resources that the attacker doesn't have permissions for is obtained. The past-time fragment of MTL is considered and models are based on the natural numbers and the intervals on temporal operators are natural numbers (where the left hand side is always 0). Similarly to the work by Thati and Roşu [53], the focus is on presenting and implementing an algorithm to check formulae over traces along with its application to the privilege escalation attack.

Conclusions
This work considers MTL, a temporal logic that allows timing constraints on the temporal operators, with a pointwise semantics over the natural numbers. We presented four satisfiability preserving translations from MTL to LTL. The translations using time difference are based on the MTL decision procedure presented in [6] and use the bounded model property. Note that the translations using 'gap' are proved independently of this property.
Our translations provide a route to practical reasoning about MTL over the naturals via LTL solvers. We specified examples from robotics, traffic management, and scheduling using MTL.
Modelling these examples showed that using the next operator to specify the timing constraints on the next state a robot can move into acts a synchronisation point for all robots in multi-robot systems. Additional care has to be taken using until or eventually operators with intervals where the left hand side is greater than zero (for example U [1,8] ) in the scope of an always operator [0,∞) as this can inadvertently lead to unsatisfiable timing constraints.
For the scheduling example we gave specifications based both on the strict semantics and on the non-strict semantics of MTL. We then used ten different LTL solvers to explore the extent these can solve satisfiability problems based on these specifications. Our experiments seem to indicate that (i) a formalisation based on the non-strict semantics results in poor performance compared to a formalisation based on the strict semantics, (ii) for the vast majority of problems a Gap translation results in better performance than a Time Difference translation, and (iii) LTL solvers that consistently perform well on translated formulae meaning a combination of translation and use of an LTL solver provides a viable means for MTL satisfiability checking and MTL theorem proving.
We have explored the question on what classes of formulae the use of each translation could be advantageous. We have defined two sets of parametrised formulae and again used a range of LTL solvers to verify that for one a Gap translation results in better performance while for the other the Time translation leads to better performance.
We also introduced an branching-time variant of MTL and provided a translation using 'gaps' into the branching-time temporal logic CTL. This opens up the opportunity to use CTL solvers such as [58] in a similar way as we have done for LTL solvers.
As future work, we intend to investigate whether we can translate PDDL3.0 statements [25] into MTL and apply our translations to the planning domain.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is