Bounded determinization of timed automata with silent transitions

Deterministic timed automata are strictly less expressive than their non-deterministic counterparts, which are again less expressive than those with silent transitions. As a consequence, timed automata are in general non-determinizable. This is unfortunate since deterministic automata play a major role in model-based testing, observability and implementability. However, by bounding the length of the traces in the automaton, effective determinization becomes possible. We propose a novel procedure for bounded determinization of timed automata. The procedure unfolds the automata to bounded trees, removes all silent transitions and determinizes via disjunction of guards. The proposed algorithms are optimized to the bounded setting and thus are more efficient and can handle a larger class of timed automata than the general algorithms. We show how to apply the approach in a fault-based test-case generation method, called model-based mutation testing, that was previously restricted to deterministic timed automata. The approach is implemented in a prototype tool and evaluated on several scientific examples and one industrial case study. To our best knowledge, this is the first implementation of this type of procedure for timed automata.


Introduction
The design of modern embedded systems often involves the integration of interacting components I 1 and I 2 that realize some requested behavior.In early stages of the design, I 1 and I 2 are high-level and partial models that allow considerable implementation freedom to the designer.In practice, this freedom is reflected in the non-deterministic choices that are intended to be resolved during subsequent design refinement steps.In addition, the composition of two components involves their synchronization on some shared actions.Typically, the actions over which the two components interact are hidden and become unobservable to the user.It follows that the overall specification I = I 1 || I 2 can be a non-deterministic partially observable model.However, for many problems such as model-based testing, observability, implementability and language inclusion checking, it is desirable and in certain cases necessary to work with the deterministic model.
Many embedded systems must meet strict real-time requirements.Timed automata (TA) [3] are a formal modeling language that enables specification of complex real-time systems.In contrast to the classical automata theory, deterministic TA (DTA) are strictly less expressive than the fully observable non-deterministic TA (NTA) [3,16,12], whereas the latter are strictly less expressive than TA with silent transitions (eNTA) [5].This strict hierarchy of TA with respect to determinism and observability has an important direct consequence -NTA are not determinizable in general.In addition, due to their complexity, it is rarely the case that exhaustive verification methods are used during the design of modern embedded systems.Lighter and incomplete methods, such as model-based testing [15] and bounded model checking [8] are used in practice in order to gain confidence in the design-under-test and effectively catch bugs.
In this paper, we propose a procedure for bounded determinization of eNTA.Given an arbitrary strongly responsive 1 eNTA A and a bound k, our algorithm computes a DTA D(A) in the form of a timed tree, such that every timed trace consisting of at most k observable actions is a trace in A if and only if it is a trace in D(A).It provides the basis for effectively implementing bounded refinement checking and test case generation procedures.
Our concrete motivation behind determinizing the model was induced by our previous model-based testing approach [2].This approach uses fault-based techniques for the test generation and needs to perform language-inclusion between correct and faulty timed automata models.The language inclusion is implemented via SMT-solving and relies on deterministic models.Thus, the determinization enables the processing of a wider class of models and the restriction to bounded traces does not pose a problem, as testing only considers finite traces.
The proposed algorithms are performed in three steps: (1) we unfold the original automaton into a finite tree and rename the clocks in a way that only needs one clock reset per transition, (2) we remove the silent transitions from the tree, (3) we determinize it.Our determinization procedure results in a TA description which includes diagonal [9] and disjunctive constraints.Although non-standard, this representation is practical and optimized for the bounded setting -it avoids costly transformation of the TA into its standard form and exploits efficient heuristics in SMT solvers that can directly deal with this type of constraints.In addition, our focus on bounded determinization allows us to consider models, such as TA with loops containing both observable and silent transitions with reset, that could not be determinized otherwise.We implemented the procedure in a prototype tool and evaluated it on several examples.To our best knowledge, this is the first implementation of this type of procedure for timed automata.Running example.The different steps of the algorithms will be illustrated on a running example of a coffe-machine shown in Figure 1.After inserting a coin, the system heats up for zero to three seconds, followed by a beep-tone indicating its readyness.Alternatively, if there is no coffee or water left, the beep might occur after exactly two seconds, indicating that the refunding process has started and the coin will be returned within four seconds.
Heating up and graining the coffee together may only take between one and two seconds.Then the brewing process starts and finally the machine releases the coffee after one second of brewing.There is no observable signal indicating the transition from graining to brewing, thus this transition is silent.The rest of the paper is structured as follows: First, we give the basic definitions and notation of TA with silent transitions (Section 2).Then, we illustrate the first step of our procedure, the bounded-unfolding of the automaton and the renaming of clocks (Section 3).This is followed by the second step, the removal of silent transitions (Section 4) and the final step, our determinization approach (Section 5).Section 6 summarizes the complexity of the different steps.In Section 7 we evaluate our prototype implementation and in Section 8 we address related work.Finally, in Section 9 we conclude our work.Complete proofs of the propositions and theorems can be found in the appendices.

Timed Automata with Silent Transitions
A timed automaton is an abstract model aiming at capturing the real-time behaviour of systems.It is a finite automaton extended with a set of clocks defined over R ≥0 , the set of non-negative real numbers.We may represent the timed automaton by a graph whose nodes are called locations, which are defined through a set of upper bounds put on the clock values.These bounds are restricted to non-negative integer values.While being at a location, all clocks progress at the same rate.The edges of the graph are called transitions.Each transition may be subject to constraints, called guards, put on clock values in the form of integer inequalities.At each such transition an action occurs and some of the clocks may be reset.The actions take values in some finite domain denoted by Σ.Here we are dealing with the class of timed automata with an extended set of actions including also silent actions, denoted by .hese are internal actions that are non-observable from the outside, and we distinguish them from the actions that are not silent and called observable actions.We call a TA without silent transitions fully-observable.
Let X be a finite set of clock variables.A clock valuation v(x) is a function v : X → R ≥0 assigning a real value to every clock x ∈ X .We denote by V the set of all clock valuations and by 0 the valuation assigning 0 to every clock.For a valuation v and d ∈ R ≥0 we define v + d to be the valuation (v + d)(x) = v(x) + d for all x ∈ X .For a subset X rst of X , we denote by v[X rst ] the valuation such that for every x ∈ X rst , v[X rst ](x) = 0 and for every x ∈ X \ X rst , v[X rst ](x) = v(x).A clock constraint ϕ is a conjunction of predicates of the form x ∼ n, where x ∈ X , n ∈ N and ∼ ∈ {<, ≤, =, ≥, >}.Given a clock valuation v, we write v |= ϕ when v satisfies ϕ.We give now a formal definition of (non-deterministic) timed automata with silent transitions.Definition 2.1 (eNTA) A (non-deterministic) timed automaton with silent transitions A is a tuple (Q, q init , Σ , X , I, G, T , Q accept ), where Q is a finite set of locations and q init ∈ Q is the initial location; Σ = Σ ∪ { } is a finite set of actions, where Σ are the observable actions and represents a silent action, that is a non-observable internal action; X is a finite set of clock variables; I : L → LI is a mapping from locations to location invariants, where each location invariant li ∈ LI is a conjunction of constraints of the form true, x < n or x ≤ n, with x ∈ X and n ∈ N; G is a set of transition guards, where each guard is a conjunction of constraints of the form x ∼ n, where x ∈ X , ∼ ∈ {<, ≤, =, ≥, >} and n ∈ N; T ⊆ Q × Σ × G × P (X ) × Q is a finite set of transitions of the form (q, α, g, X rst , q ), where q, q ∈ Q are the source and the target locations; α ∈ Σ is the transition action; g ∈ G is the transition guard; X rst ⊆ X is the subset of clocks to be reset; Q accept ⊆ Q is the subset of accepting locations.
Example 2.1 For the eNTA illustrated in Figure 1 we have Q = {q 0 , . . ., q 4 }, T is the set containing all transitions, e.g. the transition from q 2 to q 3 , with α = (thus, it is a silent transition), g = 1 < x < 2 and X rst = {x}.
The semantics of an eNTA A is given by the timed transition system )×S is the transition relation consisting of timed and discrete transitions such that: Timed transitions (delay): ((q, v), d, (q, v + d)) ∈ T , where d ∈ R ≥0 , if v+d |= I(q); Discrete transitions (jump): ((q, v), α, (q , v )) ∈ T , where α ∈ Σ, if there exists a transition (q, α, g, X rst , q ) in T , such that: A finite well-behaving run ρ of an eNTA A is a finite sequence of alternating timed and discrete transitions, that ends with an observable action, of the form (q 0 , v 0 ) where q 0 = q init , v 0 = 0, τ i = (q i−1 , α i , g i , X rst(i) , q i ) ∈ T and α i ∈ Σ.In this paper we consider only finite and well-behaving runs.A run ρ is accepting if the last location q n is accepting.The run ρ of A induces the timed trace σ = (t 1 , α 1 ), (t 2 , α 2 ), . . ., (t n , α n ) defined over Σ , where t i = Σ i j=1 d i .From the latter we can extract the observable timed trace, which is obtained by removing from σ all the pairs containing silent actions while taking into account the passage of time.A TA is called deterministic if it does not contain silent transitions and whenever two timed traces are the same then they are induced by the same run.Otherwise, the TA is non-deterministic.The language accepted by an eNTA A, denoted L(A), is the set of observable timed traces induced by all accepting runs of A. Note, that the restriction to well-behaving runs is compatible with the definition of the language of the automaton, where silent actions that occur after the last observable action on a finite run are ignored.As a consequence, a location with in-going edges consisting of only silent transitions cannot be an accepting location.

k-Bounded Unfolding of Timed Automata
Given an eNTA A which is strongly responsive, its k-prefix language L k (A) ⊆ L(A) is the set of observable timed traces induced by all accepting runs of A q0 start q1 q4 q2 q3 q5 q6 (a) By unfolding A and cutting it at observable level k, the resulting TA, U k (A), satisfies U k (A) is in the form of a finite tree, where each path that starts at the root ends after at most k observable transitions, and we may also further cut A by requiring that all leaves are accepting locations.Note, that if we reach in U k (A) a copy of an accepting location q of A by a silent transition then it will not be marked as an accepting location (but another copy might be marked as an accepting location if reached by an observable transition).
Figure 2(a) shows the unfolding of the coffee-machine up to observable depth three.The left branch is longer than the right, as it contains a silent transition.

Renaming the Clocks
Every unfolded timed automaton can be expressed by an equivalent timed automaton that resets at most one clock per transition.This known normal form [4] crucially simplifies the next stages of our algorithm, where we do not need to bother with multiple clock resets in one transition.The basic idea is to substitute the clocks from the original automaton by new clocks, where multiple old clocks reset at the same transition are replaced by the the same new clock, as they measure the same time until they are reset again.The substitution of the clocks works straight forward: At each path from the root, at the i-th observable transition, a new clock x i is introduced and reset, and if this transition is followed by l > 0 silent transitions then new clocks x i,0 , . . ., x i,l−1 are introduced and reset.A clock x that occurs in a guard is substituted by the new clock that was introduced in the transition where the last reset of x happened, or by x 0 if it was never reset.Let τ i and τ j be two transitions on the same path in the original automata at observable depth i, j, s.t.i < j.Furthermore, a clock x appearing in the guard of τ j , is reset before in τ i , but is not reset on any transition in between τ i and τ j .Then, x i is introduced and reset at τ i and the original clock variable x is substituted by x i in the guard of τ j .Figure 2(b) illustrates the clock renaming applied to the coffee machine.In the guards of the two beep-transitions starting at q 1 , x is replaced by x 1 , since the last reset of x in the original automata was at depth one, while in the coffee-transition from q 3 it is replaced by x 2,0 , as x was reset in the first silent transition after depth two.

Removing the Silent Transitions
In this section we give an algorithm that removes the silent transitions from the eNTA A, which is in the form of a finite tree with renamed clocks.Thus, at each level i there will be a single clock x i reset on all transitions of that level.Algorithm 1 shows the workflow and Figure 3 illustrates the general idea.g s+1 g s+1 Silent Trans.q s τ s : α Bypass q s−1 q s−1 q s+1 q s+1 q s+1 q s+1 τ s,0 : We remove the silent transitions one at a time, where at each iteration we remove the first occurrence of a silent transition on some path from the root, until no silent transitions are left (e.g.we can pick a path and move one-byone all its silent transitions, then move to another path, and so on).So, let τ s,0 be such a first silent transition found by Line 2 of the algorithm, leading from location q s to location q s,0 with guard g s,0 and reset of clock x s,0 .Let q s be reached from location q s−1 with an observable transition τ s and with guard g s .The case where q s is the initial location is simpler, as it does not require building a bypass transition.In order to remove the silent transition τ s,0 after forming a transition that bypasses it, several steps are carried out, that will be explained in detail in the following subsections.First, we set an auxilliary lower bound on the clock that is reset on the silent transition by updating the guard (Line 3).Then, we create the bypass transition using an enabling guard eg(τ s,0 ) which represents the upper bound until when the silent transition τ s,0 is enabled (Line 4).In Line 5 we construct a taken guard tg(τ s,0 ) that ensures that the transitions from q s,0 come after the necessary delay that is forced by the silent transition.The taken guard is added to all transitions leaving q s,0 .Finally, in Lines 6-7, we remove the silent transition τ s,0 and update all future guards referring to the deleted clock x s,0 .
4.0.1 Setting a Lower Bound to the Silent Transition.We set a lower bound to the silent transition by augmenting the guard g s,0 of τ s,0 to be g s,0 = g s,0 ∧ (0 ≤ x s ), where x s is the clock that is reset on the transition τ s that precedes the silent transition, thus ensuring that when referring to the guard of the silent transition we do not refer to an earlier time.This additional constraint per definition always evaluates to true, but it is used in the next step to compute the unary constraints of the enabling guard.The guard of the silent transition in Figure 2 (b) after setting the lower bound is 1 4.0.2Creating a Bypass with the Enabling Guard.
The enabling guard eg(τ s,0 ) guarantees that each clock's constraint that was part of the silent transition is satisfied at some nonnegative delay and that these constraints are satisfied simultaneously, thus at some point during the bypass transition the silent transition would have been enabled as well.We describe here how the enabling guards are defined for

Algorithm 1 Removing the Silent Transitions
1: while there are silent transitions do 2: Find first (from root) silent transition τ s,0 from q s to q s,0

3:
Set lower bound to the silent transition

4:
Create bypass transition with enabling guard 5: Augment transitions from q s,0 with taken guard 6: Update guards on paths from q s,0

7:
Remove τ s,0 8: end while Silent Trans.Constraints Clock Reset Enabling Guard Constraint Table 1: Enabling guard constraints strict inequalities, as shown in the upper part of Table 1.The other cases are dealt similarly, as seen in the table, and the constraint x i = n i is treated as For every pair of a lower bound constraint m i < x i and an upper bound constraint x j < n j , where i = j and x i , x j = x s (x s is the clock that is reset at τ s ), that appear in g s,0 we form the enabling guard binary constraint x j − x i < n j − m i as shown in the first line of Table 1.
The next two lines consider constraints that involve the clock x s , where x s will be removed as it is the clock that will be reset on the bypass and is considered of value 0. Note, that for each upper bound constraint x j < n j we use the lower bound constraint 0 ≤ x s that was added in the previous step of the algorithm to compute the enabling guard unary constraint x j < n j , which guarantees that at the time of the bypass x j does not pass its upper bound constraint of the silent transition.An example of such a unary constraint is marked in red in the transition from q 1 to q 3 in Figure 4.The silent transition in the original automaton could not have been enabled if x 1 had already been higher than two after the beep-transition, thus the bypass can also only be enabled while x 1 is smaller than two.The running example does not contain any binary constraints.
To create the bypass, we split the paths through q s in the original automaton A into two.Those that do not take the silent transition τ s,0 continue as before from q s−1 to q s and then to some location different from q s,0 .The paths that went through τ s,0 are directed from q s−1 to q s,0 and then continue as before.The bypass τ s from q s−1 to q s,0 has the same observable actions as those of τ s , the same new clock reset x s , and the guard g s which is the guard g s of τ s augmented with the enabling guard eg(τ s,0 ) (see Figure 3).Figure 4 shows the removal of the silent transition illustrated on the coffee-machine.The transition from q 1 to q 3 is the bypass and the transition from q 1 to q 2 is the original transition.Since the silent transition was the only transition leaving q 2 , q 2 does not contain any outgoing transitions anymore, once the bypass is generated.

Augmenting the Taken Guard.
For each transition from q s,0 to q s+1 we augment its guard g s+1 by forming g s+1 = g s+1 ∧ tg(τ s,0 ) (see Figure 3), where tg(τ s,0 ) is the taken guard.tg(τ s,0 ) is composed of a single constraint: 0 ≤ x s,0 , where x s,0 is the clock that is reset at the silent transition τ s,0 .In the next stage of the algorithm of updating the future guards it will be transformed into the conjunction of the lower bound constraints m i < x i or m i ≤ x i that appear in g s,0 .These constraints make sure that we spend enough time at q s,0 before moving to the next locations, as if we had taken the silent transition.The constraint is also used for synchronization of the future guards in the next step.In Figure 4, the red-marked part of the guard from transition q 3 to q 6 shows the taken guard that has already been updated from 0 ≤ x 2,0 to 1 < x 1 .

Updating the Future Guards.
The removal of the silent transition τ s,0 enforces updating of the guards in the paths that start at q s,0 and that refer to the clock x s,0 , that is reset on the silent transition.The most simple case is when the the silent transition guard g s,0 contains an exact constraint x i = n i , because then any future constraint of the form x s,0 ∼ l can be replaced by x i ∼ n i + l.So, let us assume that the silent transition does not contain an exact constraint.The rules for updating the future guards are summarized in Table 2. Note, that an equality constraint x s,0 = n s+j in a future guard may be treated as n s+j ≤ x s,0 ≤ n s+j .
Let g s+1 , . . ., g s+p be the ordered list of guards of consecutive transitions τ s+1 , . . ., τ s+p along a path that starts at q s,0 .Then, if g s+j contains the constraint m s+j < x s,0 , it is replaced by the conjunction of constraints m i +m s+j < x i , for each constraint m i < x i that appear in g s,0 .Similarly, for upper bound constraints.In Figure 4, one future guard was updated in the transition from q 3 to q 6 : The original guard of this transition was x 2,0 = 1 (where x 2,0 was reset on the silent transition) and the guard of the silent transition was 1 < x 1 < 2. Thus, according to the update rules, the updated future guard is 2 < x 1 < 3 (written in black), conjuncted with the taken guard (marked in red).These rules ensure that each future constraint on the clock x s,0 separately conforms to and does not deviate from the possible time range of the silent transition.Yet, we need to satisfy a second condition: that along each path that starts at q s,0 these fu-Silent Trans.Constr.Future Constr.
Constr. of g s+j Constr. of g s+i , {x s+i }, i < j Sync.Constr. of g s+j m s+j < x s,0 Table 3: Synchronization constraints for future guards after removing silent transitions ture occurrences of x s,0 are synchronized.This is achieved by augmenting the future guards with constraints of the form that appear in Table 3.No transition in our running example needs synchronization, hence we use a different example: the upper automaton in Figure 5 shows one silent transition followed by two observable transitions.Using only the previous update rules when removing the silent transition, the first observable transition might occur between three and four seconds, and the second one between five and six seconds.If the first transition occurs after three seconds and the second one after six, this would not conform to the original automaton which required exactly two seconds between them.Thus, applying the last synchronization rule of Table 3, the constraint x 1 = 4 − 2 is conjuncted to the second guard.The lower automaton in Figure 5 illustrates the synchronization.Note, we do not need a bypass transition here, since the silent transition starts in the initial state.

Removing the Silent Transition.
Finally, we can safely remove the silent transition τ s,0 from q s to q s,0 after forming the bypass from q s−1 to q s,0 with the necessary modifications to the transition guards.

Determinization
Existing determinization algorithms (as e.g.applied in [17]) create the powerset of all transitions to be determinized, and build one transition for each subset in the powerset.We propose an alternative approach, that reduces the amount of locations and transitions in the deterministic automata, by shifting some complexity towards the guards.Our motivation is the use of SMT solvers for verifying the timed automata models.The larger guards can be directly converted into SMT-LIB formulas, and thus should not pose a problem.
The approach works under the following prerequisites: After the removal of the silent transitions the timed automaton A is in the form of a tree of depth k.
At each level i the same new clock x i is reset on each of the transitions of that level.This is the only clock reset on this level, and no clock is ever reset again.The basic idea behind the determinization algorithm is to merge all transitions of the same source location and the same action via disjunction, and to push the decision which of them was actually taken to the following transitions.The postponed decision which transition was actually taken can be solved later on by forming diagonal constraints (as in zones) that are invariants of the time progress, and are conjuncted to immediately following transitions.Note that the distinction between accepting and non-accepting locations increases complexity slightly: the determinization of transitions leading to accepting locations and transitions leading to non-accepting locations can not be done exclusively by disjunction of their guards.We therefore need to add an accepting and a non-accepting location to the deterministic tree, and merge all transitions leading to non-accepting locations and all transitions leading to accepting locations separately.To ensure determinism for these transitions, we conjunct the negated guard of the accepting transition to the guard of the non-accepting transition.
A pseudo-code description is given in Algorithm 2. The determinization is done in several steps applied to every location q with multiple outgoing transitions with the same action (Line 5), starting at the initial location (Line 1).Let q i be such a location with multiple α transitions (Line 8).First, we add an accepting and a non-accepting location q acc , q ¬acc replacing the target locations of the multiple α transitions (Line 7).Then, for each τ i in the α transitions with guard g from q i to q i+1 , let g be the result of subtracting the clock x i+1 that is reset on τ i from all clocks that appear in g (Lines 9-12).Next, g is conjuncted to the guards of each transition τ i+1 that follows τ i and the source location of τ i+1 is set to either q acc or q ¬acc , depending on whether q i+1 is accepting or not.Transitions leaving q ¬acc are additionally copied to q acc , in case the guards of α transitions overlap.(Lines 14,15).Note that g evaluates to true in every branch below τ i if τ i was enabled, thus the conjunction does not change the language of the automaton.Figure 6(a) illustrates the conjunction of the modified guards on our running example, marked in red.Note that the determinization did not involve any accepting locations, thus there was no splitting into q acc and q ¬acc .Next, all the α-transitions from q leading to accepting locations are merged into a transition leading to q acc (Line 22) and all others into a transition leading to q ¬acc (Line 23), by disjuncting their guards (Lines 18,19).The guard of the transition leading to q ¬acc is conjuncted to the negation of the other guard, to ensure determinism (Line 23).Finally, all merged τ i and their target locations can be removed (Line 20). Figure 6(b) shows the determinized coffee-machine.

Complexity
Bounded Unfolding.We unfold the timed automaton A into a tree and cut it when reaching observable level k.Let us assume that the tree is of depth K, K ≥ k, and of size N = O(d K ), with d ≥ 1 representing the approximate outdegree of the vertices in the graph of A. Since the analysis of the SMT solvers for different applications requires the exploration of all the transitions in the unfolded graph of A, the unfolding stage of our algorithm does not necessarily increase the overall time complexity of the algorithm.Removing Silent Transitions.Our algorithm does not increase the size of the tree since we only substitute the silent transitions by the bypass transitions.We do add, however, constraints.The number of enabling-guard constraints that we add to each bypass transition is of order O(K2 ).Each updated future constraint is of order O(K) (including on-the-fly simplification, so that each clock has at most one lower and one upper bound), and each future transition may be updated at most O(K) times.Hence, the updating step is also of order O(K 2 ), and the complexity of the whole algorithm is O(N K 2 ).Note, we do not need to transform the diagonal constraints introduced in the algorithm into unary constraints, nor do they introduce problems in the next algorithm of determinization.Determinization decreases the size of the unfolded automaton, if non-determinism exists.The complexity gain can be exponential in the number of locations and transitions, but is lost by a proportional larger complexity in the guards.

Implementation and Experimental Results
The algorithms were implemented in Scala (Version 2.10.3) and integrated into the test-case generation tool MoMuT::TA 2 , providing a significant increase in the capabilities of the tool.MoMuT::TA provides model-based mutation testing algorithms for timed automata [2], using UPPAAL's [14] XML format as input and output.The determinization algorithm use the SMT-solver Z3 [10] for checking satisfiability of guards.All experiments were run on a MacBook Pro with a 2.53 GHz Intel Core 2 Duo Processor and 4 GB RAM.
The implementation is still a prototype and further optimizations are planned.One already implemented optimization is the "on-the-fly" execution of the presented algorithms, allowing the unrolling, clock renaming, silent transition removal and determinization in one single walk through the tree.The combined algorithm does not suffer from the full exponential blow-up of the unfolding: if the automaton contains a location that can be reached via different traces, yet with the same clock resets, the unfolding splits it into several, separately processed, locations, while the on-the-fly algorithm only needs to process it once.
The following studies compare the numbers of locations and the runtimes of a) the silent transition removal, b) a standard determinization algorithm that works by splitting non-deterministic transitions into several transitions that contain each possible combination of their guards, c) the new determinization algorithm introduced in Section 5 and d) its on-the-fly version.start (a) Study 1.The first example, taken from Diekert et al. [11], is the timed automaton illustrated in Fig. 7 (a), which cannot be determinized.We then added another α-transition (Fig. 7 (b)), which causes non-determinism after removing the silent transition.The test results are shown in Table 4 (before and after modification).Study 2. The second example is taken from Baier et al. [4] and is illustrated in Fig. 7(c).We modified the automaton by adding a silent transition (Fig. 7(d)).
Table 5 shows the results of the two determinization approaches.Study 3.This study is part of a model of an industrial application: it is based on a car alarm system that was already used as an example in our work on model-based mutation testing from timed automata (see [2] for the whole model).In this evaluation, we introduced a silent transition that adds a nondeterministic delay of up to two seconds before the timer of the alarm starts, and our results are given in Table 6.We were able to perform the removal of silent transitions and the guard-oriented determinization up to depth 12, and the location-oriented determinization up to depth 8.As expected, the studies confirm that the complexity of the different algorithms depends vastly on the input models.For the current paper we picked two small examples that were introduced in previous papers on determinization and one example that was an industrial use case in a previous project.

Related Work
The main inspiration to our work comes from [5] and [4].Bérard et al. [5] show that silent transitions extend the expressive power of TA and identify a sub-class of eNTA for which silent transitions can be removed.By restricting our selves to the bounded setting, we can remove silent transition of all strongly-responsive eNTAs.In addition, our approach for removing silent transitions preserves diagonal constraints in the resulting automaton, thus avoiding a potential exponential blow-up in the size of its representation (see [9] for the practical advantages of preserving diagonal constraints in TA).Baier et al. [4] propose a procedure for translating NTA to infinite DTA trees, and then identify several classes of NTA that can be effectively determinized into finite DTA.In contrast to our work, their procedure works on the region graph, which makes it impractical for implementation.In addition, we also allow in our determinization procedure disjunctive constraints which results in a more succint representation that can be directly handled by the bounded model checking tools.Both [5] and [4] tackle non-determinism and observabilty in TA from a general theoretical perspective.We adapt the ideas from these papers and propose an effective procedure for the bounded determinization of eNTA.Wang et.al [17] use timed automata for language inclusion.Their procedure involves building a tree, renaming the clocks and determinization of the tree.Contrary to our work, they do not restrict themselves to the bounded setting, thus taking the risk that their algorithm does not terminate for some classes of timed automata.Also, they use the "standard" determinization method that involves splitting non-deterministic transitions into a possibly far larger set of deterministic transitions, whereas we join them into one transition.
Krichen and Tripakis [13] produce deterministic testers for non-deterministic timed automata in the context of model-based testing.They restrain the testers to using only one clock, which is reset upon receiving an input.The testers are sound, but not in general complete and might accept behavior of the system under test that should be rejected.Bertrand et al. [7] develop a game-based method for determinization of eNTA which generates either a language equivalent DTA when possible, or its approximation otherwise.A similar approach is proposed in [6] in the context of model-based testing, where it is shown that their approximate determinization procedure preserves the tioco relation.In contrast to our approach, which is language preserving up to a bound k, and thus appropriate for bounded model checking algorithms, determinization in the above-mentioned papers introduces a different kind of approximation than ours.

Conclusion
The bounded setting allows the handling of a larger class of TA and in a more efficient way than in the unbounded setting.The extension from standard unary constraints to diagonal and disjuncive constraints has a practical reason: it is more efficient to let the SMT solvers deal with them than to translate them into standard form.In this paper a novel procedure was presented, which transforms bounded, non-deterministic and partially-observable TA into deterministic and fully-observable TA with diagonal and disjunctive constraints.The procedure includes an algorithm for removing the silent transitions and a determinization algorithm.It was implemented, tested and integrated into a model-based test generation tool.Recently [1] we investigated ways of pruning the determinized tree, to reduce the state space of the unfolding.These appoaches look promising for applying the presented work to test-case generation in industrial studies.
10 Appendix A -Renaming of Clocks Algorithm 3 Renaming the Clocks Input: A ∈ eNTA K , a tree of depth K and observable depth k, clocks X , same clock reset at same (observable, silent) level x 0 is reset at the initial location 5: end for 6: RenameClocks(q 0 , X, l 1 , l 2 ) 7: procedure RenameClocks(q, X, l 1 , l 2 )

8:
for each τ = (q, α, g, X rst , q ) ∈ trans(q) do 9: renaming the clocks in the guard g 11: end for 12: if α = then silent transition 13: x ← x l1,l2 the new reset clock in case of a silent trans.

15:
else 16: x ← x l1 the new reset clock in case of an observable trans.for i ← 0, .., n − 1 do 21: end for 25: X rst ← {x} updating the reset clocks of τ 26: if l 1 < k then 27: RenameClocks(q , X, l 1 , l 2 ) recursive call with the target location 28: end for 30: end procedure The concrete algorithm used for renaming of the clocks is presented in pseudocode in Algorithm 3. The original clocks are x 0 , . . ., x n−1 .Each new clock has either one index (l 1 ) in case the transition in which it is reset is observable, or two indices (l 1 , l 2 ) in case of a silent transition.After the removal of the silent transitions stage we will be left with clocks with a single index and the same clock reset for the same level of the tree.The vector X[0..n − 1] holds the clock substitution list: X[i] refers to the new clock that substitutes the original clock x i .The the set of transition with source location q is denoted by trans(q).

Proof of Theorem 4.1 [Silent Transitions Removal]
Given a non-deterministic timed automaton with silent transitions A in the form of a finite tree, we need to show that our algorithm of removing the silent transitions results in an equivalent timed automaton, that is, L(O(A)) = L(A).That is, we will show that if A is the result of removing one first silent transition then A and A are equivalent: for every timed trace of A there is an equivalent timed trace of A and vice versa, in the sense that the corresponding observable timed traces are identical.
We claim that by induction the proof of equivalence for a single removal of a first silent transition suffices to prove the theorem.First, there are only finitelymany silent transitions in A. Secondly, the removal of a silent transition does not change the form of the guards at the part of the automaton that contains the remaining silent transitions: the introduction of diagonal constraints happens only at the enabling guard and so the algorithm for removal of the next silent transitions remains the same.
So, let τ s,0 be a first silent transition on a path γ that starts at the initial location.Let τ s,0 be from location q s to location q s,0 , let q s−1 be the location that leads to q s and let q s+1 be a location that follows q s,0 on the path.Let A be the automaton that results after removing τ and performing the steps as in Algorithm 1.Clearly, for every run that does not pass through τ s,0 there is an identical run in the other automaton.Thus, we restrict ourselves to runs though τ s,0 .

L(A) ⊆ L(A ).
Let ρ be a run on A through γ.We need to show that there exists a run ρ on A with the same observable trace as of ρ.The run ρ will go through the same locations and transitions as does ρ, except for the part q s−1 , τ s , q s , τ s,0 , q s,0 in A which will be replaced by the bypass q s−1 , τ s , q s,0 in A as in Fig. 3.The dates of the transitions will also be the same, except for the silent transition that is missing in ρ .That is, if t s , t s,0 and t s+1 are the dates of ρ at the transitions τ s , τ s,0 (the silent transition) and τ s+1 then the corresponding transitions of ρ will take place at t s (the time of the bypass) and t s+1 .
Since ρ goes through τ s,0 , we know that by the time t s after the reset of clock x s the guard g s,0 of τ s,0 is satisfied in some non-negative time.Thus, we know that each constraint of a clock x j that appears in g s,0 is satisfied at a nonnegative delay, and that all these constraints can be satisfied simultaneously.So, first we need to show that the corresponding guard g s = g s ∧ eg(τ s,0 ) of τ s in ρ is satisfied at the same time, that is, that the enabled guard eg(τ s,0 ) is satisfied at t s .
We will mostly restrict ourselves to strict inequalities, as the extension to the other cases (strict inequality versus weak inequality or weak inequality versus weak inequality) is straight forward.
For each clock x j that is not reset at τ s (that is, j = s) and that appears with an upper bound constraint x j < n j (or x j ≤ n j ) at g s,0 clearly the same constraint holds also at the not-later time t s .But that part is exactly what we have in eg(τ s,0 ) when comparing the upper bound constraint of x j with the lower bound constraint of the reset clock x s .Here the constraint in eg(τ s,0 ) is, in general, x j − x s < n j − m s , and since m s = 0 and x s is reset at τ s and replaced by 0 in the inequality the result is indeed x j < n j .
In addition to the above unary constraints, we know that each upper bound constraint on clock x j in g s,0 refers to a time which is of greater delay than the delay needed to reach each lower bound constraint on clock x i in g s,0 , that is, n j − x j > m i − x i at time t s,0 , otherwise these constraints couldn't have been satisfied simultaneously in ρ.But this is indeed the constraint x j − x i < n j − m i that appears in eg(τ s,0 ).
We have seen that all the constraints of eg(τ s,0 ) are satisfied at time t s and so the constraint g s of ρ is satisfied at t s and the transition τ s can be taken.
The next step is to show that the transition τ s+1 with guard g s+1 of ρ from location q s,0 to location q s+1 , as well as the next transitions τ s+j , j = 2, . . ., p, with guards g s+j can be taken at the same dates t s+j on which τ s+j are taken in ρ on guards g s+j , j = 1, . . ., p.
If the silent transition happens to be on an exact time: x i = n i then the update of the future guards that refer to the clock x s,0 that was reset at τ s,0 is clear: each occurrence of x s,0 is replaced by x i − n i , and we are done.So, suppose that there are no exact constraints at the silent transition.
For simplicity we will restrict ourselves mostly to strict inequalities and write the guard g s,0 of the silent transition τ s,0 as: where for some of the clocks x i there may be only a lower bound or only an upper bound constraint.
The constraints on x s,0 at the transitions τ s+j , j = 1, . . ., p contain 0 ≤ x s,0 in τ s+1 and are of the general (strict inequalities) form m s+j < x s,0 < n s+j in τ s+j .The corresponding updated constraints of A at time t s+j , j = 1, . . ., p, are i=1,...,r First, we need to show that the taken guard tg(τ s,0 ) is satisfied at time t s+1 .The taken guard is the constraint 0 ≤ x s,0 .After the update of the future guards this constraint is replaced by the conjunction of all the lower bound constraints m i < x i of g s,0 .But since these lower bound constraints are satisfied at the time t s,0 of the silent transition (in ρ) then clearly they are satisfied at t s+1 , t s+1 ≥ t s,0 , that is, the updated taken guard tg(τ s,0 ) is satisfied in ρ .
Let us look at the other updated future constraints.Since at the time of the silent transition x s,0 = 0 and m i < x i then at time t s+j when m s+j < x s,0 we have m i +m s+j < x i .With a similar argument for the upper bound constraints, we see that the constraints of (4) are satisfied in ρ .. Also the part of the synchronization rules is clear since it refers to the possible minimum and maximum time difference between every two transitions on which x s,0 occurs, and since the run ρ goes through these transitions it assures that these constraints can be satisfied.So, for example, the synchronization constraint m s+j − n s+i < x s+i < n s+j − m s+i that is added to the guard g s+j of τ s+j , refers to the time difference t s+j − t s+i between the transition τ s+i and the transition τ s+j , i < j.
Note that the synchronization with the constraint 0 ≤ x s,0 of τ s+1 results in adding to τ s+j , j = 1, . . ., p the constraint x s+1 < n s+j , that is t s+j − t s+1 < n s+j , which clearly is satisfied since t s+j − t s,0 < n s+j .
We showed that the observable trace of ρ is the same as that of ρ and this completes the proof of L(A) ⊆ L(A ).

L(A ) ⊆ L(A).
Let ρ be a run on A going through the bypass τ s .We will show that there exists a run ρ through τ s,0 in A with the same observable trace as of ρ .
The first thing we need to check is that the silent transition τ s,0 can be taken, given that the enabling guard eg(τ s,0 ) is satisfied at time t s .The unary constraints x j < n j ( x j ≤ n j ) of eg(τ s,0 ) guarantee that each of the constraints in the guard g s,0 of the silent transition τ s,0 can be satisfied separately at some time that is equal or is later than t s .Then, in order that all the constraints could be satisfied simultaneously, it suffices to show that the minimum upon the time delays to the upper bound constraints of the clocks appearing in g s,0 is greater than the maximum upon the time delays to the lower bound constraints in g s,0 (the 'greater' should be replaced by 'greater or equal' in case both the maximum and minimum come from weak inequalities): min But this condition is equivalent to the condition that n j − x j > m i − x i at time t s for every i, j, which is exactly the conjunction of diagonal constraints i =j of eg(τ s,0 ).Thus, we know that the silent transition τ s,0 can be taken in the run ρ at some time t s,0 after a delay of M = max i (m i − x i ) from t s (this delay is not negative since we introduced the constraint 0 ≤ x s ) and before a delay of N = min j (n j − x j ).
It remains to show that the transitions τ s+1 , . . ., τ s+p on guards g s+1 , . . ., g s+p of ρ can be taken at the same dates t s+1 , . . ., t s+p as the corresponding transitions on guards g s+1 , . . ., g s+p are taken in ρ .
To be more specific, it suffices to prove that there exists t s,0 with the following conditions: 1. t s ≤ t s,0 ≤ t s+1 ; 2. g s,0 is satisfied at t s,0 ; 3. the constraints on x s,0 are satisfied at t s+1 , . . ., t s+p , with x s,0 reset at t s,0 .
For condition 2. the constraints of g s,0 that should be satisfied at time t s,0 are i=1,...,r Equivalently, at each time t s+j , j = 1, . . ., p: or, i=1,...,r For condition 3. the constraints on x s,0 that should be satisfied at times t s+1 , . . ., t s+p are m s+j < x s,0 (t s+j ) < n s+j for j = 1, . . ., p.The constraint here at time t s+1 is 0 ≤ x s,0 (t s+1 ) possibly conjuncted with other constraints (for convenience we wrote all constraints as strict inequalities).This is equivalent to j=1,...,p m s+j < t s+j − t s,0 < n s+j (10) or j=1,...,p We need to show that the constraints on t s,0 of ( 9) and ( 11) do not define an empty set.This condition is equivalent to showing that the set S 1 of the above expressions to the left of t s,0 is smaller than the set S 2 of the expressions to the right of t s,0 (equivalently that the maximum of S 1 is smaller than the minimum of S 2 ), where S 1 = {m i −x i (t s+j )+t s+j | i = 1, . . ., r, j = 1, . . ., p}∪{−n s+j +t s+j | j = 1, . . ., p}, (12) and S 2 = {n i −x i (t s+j )+t s+j | i = 1, . . ., r, j = 1, . . ., p}∪{−m s+j +t s+j | j = 1, . . ., p}.
(13) There are two types of expressions in S 1 and two types of expressions in S 2 , hence we need to check that the following 4 cases are satisfied.11.1.3Case 1: m i − x i (t s+j ) + t s+j < n i − x i (t s+j ) + t s+j .
This inequality is equivalent to m i − x i (t s,0 ) + t s,0 < n i − x i (t s,0 ) + t s,0 , or to The latter is equivalent to which is (6), the enabling guard eg(τ s,0 ) that is satisfied at time t s of the run ρ .
11.1.4Case 2: m i − x i (t s+j ) + t s+j < −m s+j + t s+j .
This inequality is equivalent to The last inequality is no other than one of the left inequalities of (4), which are the updated future constraints in A of the reset clock x s,0 , and thus are given to be satisfied.
11.1.5Case 3: −n s+j + t s+j < n i − x i (t s+j ) + t s+j .
This inequality is equivalent to x i (t s+j ) < n i + n s+j .
But the last inequality is one of the right inequalities of (4), which are the updated future constraints in A of the reset clock x s,0 , and thus are given to be satisfied.This inequality is equivalent to The inequality certainly holds when i = j.When i < j we can write this inequality with the clock x s+i that is reset at time t s+i in A : But the last inequality can be found in the first row of Table 3 which contains the synchronization constraints of the updated future constraints in A of the reset clock x s,0 .Similarly, when j < i we need to satisfy the inequality which can be found in the forth row of Table 3.We showed that the set of possible time values t s,0 for the silent transition in ρ is not empty, that is, there is a solution to the set of inequalities ( 9) and (11) in the indeterminate t s,0 (again, the extension to weak inequalities is straight forward).
To complete the proof it remains to show that the solution for t s,0 satisfies condition 1., that is that t s ≤ t s,0 ≤ t s+1 .Well, the left inequality t s ≤ t s,0 comes from satisfying the inequality m i − x i (t s+j ) + t s+j ≤ t s,0 of (9) with x i = x s and m i = m s = 0 (it refers to augmenting the silent transition guard with the constraint 0 ≤ x s ).This inequality is equivalent to 0−x s (t s )+t s ≤ t s,0 or t s ≤ t s,0 since x s was reset at time t s .

Proof of Theorem 5.1 [Determinization]
The deterministic property of D(A) follows from the fact that when merging α-transitions into τ acc and τ ¬acc then the guard of τ ¬acc is a conjunction of some guard with the negation of the guard of τ acc .Hence, different runs will induce different time traces.
In general, by merging locations of A in D(A) we may only expand the language and conclude that L(A) ⊆ L(D(A)).On the other hand, the new constraints introduced in D(A) may restrict the language.So, let us examine the new transformed constraints and show that they do not impose additional restrictions.Suppose the guard of transition τ contains the constraint x ∼ n and that y is reset on τ .Then, at the time t 0 of τ , the constraint x(t 0 ) − y(t 0 ) ∼ n holds.But also at time t 1 > t 0 , the constraint x(t 1 ) − y(t 1 ) ∼ n holds since x and y progress at the same rate.Hence, for any run through τ in A there exists a corresponding run in D(A) with the same trace because the additional constraints of the form x−y ∼ n that are added to the future guards are satisfied automatically by all runs in D(A) that satisfy the guard of τ .Thus, it remains L(A) ⊆ L(D(A)).
To show that the language of D(A) does not contain accepting traces that are not in the language of A it suffices to show that when a transition in a merged location of D(A) is enabled then the corresponding original transition in A is enabled.But this is indeed the case since for each transition of D(A) we first copy to its guard the transformed guard of the transition that leads to it, and this transformed guard contains all the history: the transformed guards of the path that leads to this transition.That is, by induction one shows that

Figure 7 :
Figure 7: The four timed automata used in Study 1 and Study 2

Table 5 :
Runtime and number of locations for the automata of Fig. 7 (c) (first three rows) and Fig. 7 (d) (last three rows) next step will be a stronger evaluation on a larger case study.The tool and the current examples are available 3 .

Table 6 :
[2]time and number of locations for the Car Alarm System[2], modified by adding a silent transition causing a 0-2 seconds delay.