2020 Jan 7; 12038:170–183. doi: 10.1007/978-3-030-40608-0_11

Expressiveness and Conciseness of Timed Automata for the Verification of Stochastic Models

Susanna Donatelli, Serge Haddad
Editors: Alberto Leporati, Carlos Martín-Vide, Dana Shapira, Claudio Zandron
PMCID: PMC7206655

Abstract

Timed Automata are a well-known formalism for specifying timed behaviours. In this paper we are concerned with Timed Automata for the specification of timed behaviour of Continuous Time Markov Chains (CTMC), as used in the stochastic temporal logic CSLInline graphic. A timed path formula of CSLInline graphic is specified by a Deterministic Timed Automaton (DTA) that features two kinds of transitions: synchronizing transitions (triggered by CTMC transitions) and autonomous transitions (triggered when a clock reaches a given threshold). Other definitions of CSLInline graphic are based on DTAs that do not include autonomous transitions. This raises the natural question: do autonomous transitions enhance expressiveness and/or conciseness of DTAs? We prove that this is the case and we provide a syntactical characterization of DTAs for which autonomous transitions do not add expressive power, but allow one to define exponentially more concise DTAs.

Introduction

Stochastic logics like CSL [5] allow one to express assertions about the probability of timed executions of Continuous Time Markov Chains (CTMC). In CSL, model executions (typically called “paths”) are specified by two operators: timed neXt and timed Until. CSL has been extended in several ways to include action names (name of the events in the paths) and path properties specified using regular expressions leading to asCSL [6], or rewards, leading to CSRL [7]. Note that asCSL can specify rather complex path behaviour, expressed by regular expressions, but the timing requirements cannot be mixed within these expressions. GCSRL [14] is an extension of CSRL for model checking of CTMC generated by Generalized Stochastic Petri nets (GSPN) [1] taking into account both stochastic and immediate events.

Automata with time constraints have been used to specify path-based performance indices [16] for Stochastic Activity Networks [15], while hybrid automata have been used to define rather complex forms of passage of time [2] for GSPN, as well as generic performance properties [9] that are estimated using simulation. The use of a Deterministic Timed Automaton (DTA) in the stochastic logic CSLInline graphic [12] allows one to specify paths in terms of state propositions and action names associated with CTMC states and transitions (respectively), and in terms of the timed behaviour of portions of the paths. The CTMC actions are the input symbols for the DTA, and two types of transitions are distinguished: synchronizing transitions, which read the input symbols of the CTMC, and autonomous transitions, which are taken by the DTA when the clock reaches some threshold, with priority over synchronizing ones. The determinism requirement ensures that the synchronized product of the DTA and the CTMC is still a stochastic process, as all sources of non-determinism are eliminated. CSLInline graphic strictly includes [12] CSL and asCSL. Various extensions of CSLInline graphic have been presented in the literature. DTAs with multiple clocks have been used to define an extension of CSLInline graphic [10, 13], but autonomous transitions are not allowed there. In this paper we concentrate on single-clock CSLInline graphic with autonomous transitions, as in the original definition of CSLInline graphic. Indeed the single-clock limitation is a necessary requirement to reduce the CSLInline graphic model-checking problem to the (steady-state) solution of a Markov Regenerative Process, which is the largest class of stochastic processes for which an exact numerical solution can be computed, supported by efficient solution tools [3, 4]. The single-clock setting also allows one to investigate whether the definition of CSLInline graphic in [10, 13], once limited to a single clock, is equivalent to the original definition of CSLInline graphic (introduced in [12]).

Paper Contributions. This paper addresses two research questions. The first one (Sect. 3) is whether the presence of autonomous transitions enhances the expressiveness of DTAs, both in terms of timed languages (qualitative comparison) and in terms of the probability of accepting the random path of a CTMC (quantitative comparison). We establish that autonomous transitions do enhance expressiveness. Given that eliminating autonomous transitions from a DTA is therefore not always feasible, the second question (Sect. 4) is which uses of autonomous transitions can be emulated by DTAs without autonomous transitions. We have identified a hierarchy of subclasses of DTAs in which the presence of autonomous transitions does not extend expressiveness (so autonomous transitions can be eliminated) but does exponentially reduce the DTA size. Only the most interesting proofs and properties have been included in this paper; the missing proofs and the full set of properties can be found in [11].

Context and Definitions

Although our motivations rely on the acceptance of paths of CTMCs featuring atomic propositions that label states and actions that label transitions, we set our work in the general context of acceptance of timed paths, where the Inline graphic-th state of a timed path is identified by Inline graphic (we count indices from 0), the boolean evaluation of the atomic propositions in that state. Inline graphic indicates a delay, or a sojourn time in state i, and Inline graphic indicates the time elapsed until exiting state i. A timed path leaves state Inline graphic with action Inline graphic after a sojourn time in the state equal to Inline graphic. The elapsed time can be computed as: Inline graphic, with Inline graphic.

Definition 1 (Timed Path)

Given a set Inline graphic of atomic propositions and a set Inline graphic of actions, a timed (infinite) path is a sequence Inline graphic such that for all Inline graphic.

Example 1

(Timed Path). In writing timed paths we indicate functions Inline graphic as the set of elements in Inline graphic that evaluate to Inline graphic. Given Inline graphic and Inline graphic, a timed path Inline graphic, is interpreted as the system staying in a state that satisfies Inline graphic in the time interval [0, 0.5[, at time 0.5 action a takes place and the system moves to a state that satisfies Inline graphic, stays there for 1.3 time units and then action b takes place (at the global time Inline graphic).

The DTA definition includes a clock x and two types of constraints: boundary ones, BoundC = Inline graphic, and inner ones, InC = Inline graphic, with Inline graphic, and Inline graphic. In the sequel, Inline graphic is the largest time constant occurring in a DTA. Before formally defining the syntax and semantics of a DTA (Definitions 2, 3 and 4), let us introduce its main ingredients. During the execution of a stochastic discrete event system (e.g. a Markov chain) that can be represented by a timed path, one manages (1) an index i of the timed path, (2) a location, say Inline graphic, that is matched with the current state of the path indexed by i, and (3) a delay Inline graphic until the next state change from i to Inline graphic. The function Inline graphic, mapping the set of locations to the set of boolean expressions over the atomic propositions Inline graphic, restricts the possible matchings, since the valuation Inline graphic must satisfy the formula Inline graphic. This matching evolves in one of three ways depending on the delay Inline graphic elapsed until the next transition Inline graphic of the path.

  • Either after some delay Inline graphic, there is an outgoing autonomous transition from Inline graphic whose boundary condition (say Inline graphic) is satisfied and such that Inline graphic fulfills Inline graphic where Inline graphic is the target location of the transition. Then Inline graphic is matched with i, delay Inline graphic becomes Inline graphic, the clock x is increased by Inline graphic and the index i is unchanged.

  • Else if there is a synchronizing transition outgoing from Inline graphic such that (1) after time Inline graphic has elapsed its inner condition (say Inline graphic) is satisfied, (2) the action Inline graphic belongs to the subset of actions associated with the synchronizing transition, and (3) Inline graphic satisfies Inline graphic where Inline graphic is the target location of the transition. Then Inline graphic is matched with Inline graphic, the new delay Inline graphic is set to Inline graphic, the clock x is either increased by Inline graphic or reset depending on the transition, and the index becomes Inline graphic.

  • Otherwise there is no possible matching and the timed path is rejected by the DTA.

In the first two cases above, when Inline graphic, the final location, the timed path is accepted by the DTA whatever its future. This is ensured by Inline graphic and by the existence of the unique (looping) synchronizing transition from Inline graphic with no timing and action conditions. Observe that the synchronization may last forever without visiting Inline graphic: in this case the timed path is rejected. Furthermore the synchronization of the stochastic system with the DTA should not introduce non-determinism. So (1) the formulas associated with the initial locations are mutually exclusive, (2) synchronizing transitions outgoing from the same location are never simultaneously enabled, (3) autonomous transitions outgoing from the same location are never simultaneously enabled, and (4) autonomous transitions have priority over synchronizing transitions.

Definition 2

(DTA). A single-clock Deterministic Timed Automaton with autonomous transitions is defined by a tuple Inline graphic where L is a finite set of locations, Inline graphic is the set of initial locations, Inline graphic is the final location, Inline graphic is a function that assigns to each location a boolean expression over the set of propositions Inline graphic, Inline graphic is the set of synchronizing transitions, and Inline graphic is the set of autonomous transitions, with Inline graphic. Inline graphic denotes the transition Inline graphic.

Furthermore Inline graphic fulfills the following conditions.

  • Initial determinism. Inline graphic.

  • Determinism on actions. Inline graphic

    if Inline graphic and Inline graphic then Inline graphic or Inline graphic.

  • Determinism on autonomous transitions. Inline graphic

    if Inline graphic and Inline graphic then Inline graphic or Inline graphic.

  • Conditions on the final location Inline graphic. Inline graphic and Inline graphic.

Given a clock constraint Inline graphic and a clock valuation Inline graphic, Inline graphic denotes the satisfaction of Inline graphic by Inline graphic. Similarly given a boolean formula Inline graphic and a valuation of atomic propositions v, Inline graphic denotes the satisfaction of Inline graphic by v.

Example 2

(DTA). Figure 1, left, shows a DTA with five locations: Inline graphic and Inline graphic. There is a single initial location, Inline graphic. Autonomous transitions are depicted as dotted arcs, synchronizing ones as solid arcs. For readability we omit: (1) the symbol Inline graphic on autonomous transitions; (2) the set r when there is no reset; (3) Inline graphic if a transition accepts all actions; (4) trivially true guards (like Inline graphic) and boolean conditions; (5) the name x of the clock in Inline graphic guards. As a result an autonomous transition is depicted either as Inline graphic, as between Inline graphic and Inline graphic, or as Inline graphic, as between Inline graphic and Inline graphic. We informally write “a transition with reset” or “a transition without reset” to indicate the conditions Inline graphic and Inline graphic respectively. The arc from Inline graphic to Inline graphic represents a synchronizing transition with a clock reset. The arc from Inline graphic to Inline graphic represents an autonomous transition to be taken when the clock is equal to 1, with no clock reset. The boolean expressions of the locations are: p, associated with Inline graphic and Inline graphic, associated with Inline graphic.

Fig. 1. Some examples of DTA.

Let us describe a possible run of this DTA. At time 0.5, it goes from Inline graphic to Inline graphic by performing action a and resets x. Then at time 1.5, it autonomously comes back to location Inline graphic and clock x is again reset. Then it autonomously goes to Inline graphic at time 2.5 and later to Inline graphic at time 3.5. While irrelevant, x has current value 2.

Definition 3

(Run of Inline graphic). A run of a DTA Inline graphic is a sequence: Inline graphic such that for all Inline graphic: Inline graphic

[run conditions: equation image not reproduced]

To enforce priority of autonomous transitions,

  • let Inline graphic (Inline graphic)

  • If Inline graphic then Inline graphic and Inline graphic else Inline graphic.

A run is therefore a path in the DTA where the visited locations are coupled with a valuation of propositions, a clock value and a delay in a consistent way w.r.t. the DTA.

Example 3

(DTA run). Given that v is described in terms of the subset of Inline graphic that evaluate to Inline graphic, a run for the DTA of Fig. 1, left, is: Inline graphic Inline graphic Inline graphic

A timed path Inline graphic is recognized by a run Inline graphic of Inline graphic such that the occurrences of the actions in Inline graphic are matched by the synchronizing transitions in Inline graphic. This requires defining a mapping that matches the points in the path at which synchronizing transitions take place. This can be done by identifying a strictly increasing mapping from the indices of the timed path Inline graphic to the subset of the indices of the run Inline graphic that correspond to a synchronizing transition. Note that, due to determinism, if such a run exists, it is unique.

Definition 4

(Path recognized by Inline graphic and Inline graphic). Let Inline graphic be a timed path and Inline graphic Inline graphic be a run of a DTA Inline graphic. Then Inline graphic is recognized by Inline graphic if there is a strictly increasing mapping Inline graphic (extended to Inline graphic), such that for all Inline graphic

  • Inline graphic and Inline graphic

  • Inline graphic, Inline graphic and Inline graphic

A timed path Inline graphic is accepted by Inline graphic if Inline graphic is recognized by a run Inline graphic and Inline graphic visits Inline graphic.

The language Inline graphic of Inline graphic is the set of the timed paths Inline graphic accepted by Inline graphic.

Example 4

(Path recognized by a run). A timed path Inline graphic is recognized by the run of Example 3 with mapping Inline graphic: Inline graphic Inline graphic. The run visits Inline graphic and the path is accepted.

We consider timed paths generated by a CTMC with state properties and actions.

Definition 5

(CTMC representation). A continuous time Markov chain with state and action labels is represented by a tuple Inline graphic, where S is a finite set of states, Inline graphic the initial state, Inline graphic is a finite set of action names, Inline graphic is a finite set of atomic propositions, Inline graphic is a state-labeling function that assigns to each state s a valuation of the atomic propositions, Inline graphic is a rate function. If Inline graphic, we write Inline graphic.

We assume that each state has at least one successor: for all Inline graphic, there exist Inline graphic, Inline graphic such that Inline graphic. CTMC executions lead to timed paths, and a CTMC is a generator of a random path. We denote by Inline graphic the probability that the random path of Inline graphic is accepted by Inline graphic (the probability measure of all paths accepted by Inline graphic, as in [8]).

Autonomous Transitions and Expressiveness

We indicate with Inline graphic the whole family of automata of Definition 2 and with Inline graphic the subclass of automata with no autonomous transitions: Inline graphic The comparison of the expressive power of Inline graphic and Inline graphic is both qualitative (based on the timed path language) and quantitative (based on accepting probabilities).

Definition 6

Let Inline graphic and Inline graphic be families of DTA. Then:

  • Inline graphic is at least as expressive as Inline graphic w.r.t. language, denoted Inline graphic, if for all Inline graphic there exists Inline graphic such that Inline graphic;

  • Inline graphic is at least as expressive as Inline graphic w.r.t. Markov chains, denoted Inline graphic, if for all Inline graphic there exists Inline graphic such that for all Markov chains Inline graphic, Inline graphic.

As usual, we derive other relations between such families. Inline graphic and Inline graphic are equally expressive w.r.t. language (resp. Markov chains), denoted Inline graphic (resp. Inline graphic) if Inline graphic and Inline graphic (resp. Inline graphic and Inline graphic). Inline graphic is strictly more expressive than Inline graphic w.r.t. language (resp. Markov chains), denoted Inline graphic (resp. Inline graphic) if Inline graphic and not Inline graphic (resp. Inline graphic and not Inline graphic).

Observe that by definition Inline graphic implies Inline graphic. We now establish that autonomous resetting transitions extend the expressive power of DTA w.r.t. Markov chains (Inline graphic). The weaker result w.r.t. language (Inline graphic) is shown in [11].

Theorem 1

There exists Inline graphic such that for all Inline graphic there exists a Markov chain Inline graphic with Inline graphic.

Before proving this theorem, we prove some intermediate properties. We first establish a kind of 0-1 law for DTA in Inline graphic and Markov chains. In order to obtain this intermediate result, we introduce some objects. Simple chains are Markov chains with a single action, no atomic proposition (or equivalently with the same valuation for all states) and such that each state s has a single successor state sc(s) reached with rate Inline graphic. W.r.t. the acceptance probability of simple chains, we can consider DTAs without actions and atomic propositions. Moreover we add to each DTA an additional garbage location and we split the transitions, so that, w.l.o.g. one can assume that for each location Inline graphic of a DTA in Inline graphic, there are Inline graphic outgoing transitions: Inline graphic where Inline graphic is the maximal constant occurring in the DTA. The shape of the guards is not a restriction in the context of Markov chains. For all clock valuations Inline graphic, the clock valuation Inline graphic is defined by:

  • Let Inline graphic with Inline graphic;

  • If Inline graphic then Inline graphic else Inline graphic.

Observe the difference between Inline graphic, defined at the syntactical level, which maps a location to its Inline graphic successor, and sc, defined at the semantical level, which maps a pair consisting of a location and a clock valuation to the new clock valuation obtained by firing the single transition enabled w.r.t. the clock valuation.

We also define the region (multi-)graph Inline graphic of such a DTA Inline graphic as follows.

  • V, the set of vertices, is defined by Inline graphic;

  • Let Inline graphic be a vertex, then for all j s.t. Inline graphic, there is a transition from Inline graphic to Inline graphic labelled by j with Inline graphic if Inline graphic and Inline graphic otherwise.

One interprets Inline graphic as follows. The vertex Inline graphic corresponds to the region defined by location Inline graphic with clock valuation 0. The vertex Inline graphic corresponds to the region defined by location Inline graphic with clock valuation in ]0, 1[. The vertex Inline graphic for Inline graphic corresponds to the region defined by location Inline graphic with clock valuation in Inline graphic. The vertex Inline graphic corresponds to the region defined by location Inline graphic with clock valuation in Inline graphic. The transition outgoing from Inline graphic labelled by j corresponds to the combination of time elapsing to enter the region Inline graphic followed by an action of the Markov chain, leading to either Inline graphic or to Inline graphic, in case of reset.

Given s a state of a Markov chain, Inline graphic a location of DTA, and Inline graphic a clock valuation, Inline graphic denotes the probability of acceptance when the Markov chain starts in s and the DTA starts in Inline graphic with clock valuation Inline graphic. In particular for a DTA Inline graphic applied to a Markov chain Inline graphic, Inline graphic where Inline graphic is the initial state of Inline graphic and Inline graphic is the initial location of Inline graphic such that Inline graphic.

Lemma 1

Let s be a state of a simple Markov chain Inline graphic and Inline graphic be a location of a DTA in Inline graphic. Then the function that maps t to Inline graphic is continuous and for Inline graphic it is equal to:

(1) [equation image not reproduced]

The above formula represents the probability of acceptance when the Markov chain starts in s and the DTA starts in Inline graphic with clock valuation t, with Inline graphic, therefore within the region (li). This probability is computed in terms of the probability of having the next CTMC transition within the region (li) itself, or any later region (lj), multiplied by the probability of acceptance from the state reached by accepting the CTMC transition.

Proof

Define Inline graphic as the probability that the run associated with a random timed path of Inline graphic starting in s when the DTA starts in Inline graphic with clock valuation t reaches location Inline graphic after performing n actions. Then for Inline graphic, Inline graphic and Inline graphic. Assume that Inline graphic is continuous (and so measurable) for all s and Inline graphic. Then the following equation holds for Inline graphic:

[equation image not reproduced]

Observe that for Inline graphic, Inline graphic is constant since if there is a reset then Inline graphic and if there is no reset then Inline graphic and so the valuation of the clock is irrelevant. Thus the equation can be rewritten as follows.

[equation image not reproduced]

Observe that Inline graphic is uniformly continuous. So pick Inline graphic such that for all Inline graphic Inline graphic. Let Inline graphic. Then for all Inline graphic, one bounds Inline graphic by the sum of three terms using the above equation to establish that Inline graphic. Thus Inline graphic is continuous. When Inline graphic, Inline graphic is constant and so continuous.

Observe that Inline graphic. So the mapping Inline graphic is measurable as a limit of continuous mappings. Thus Eq. 1 holds for Inline graphic: Repeating the same argument as the one for the inductive case yields the result. When Inline graphic, Inline graphic is constant and so continuous.

Proposition 1

Let Inline graphic and Inline graphic such that for all Markov chains Inline graphic, Inline graphic, then Inline graphic.

Proof

We will even prove this result when restricting the quantification to Markov chains with a single action and a single valuation of propositions for all states and a single successor for all states. Thus we can omit propositions and actions in the DTA and only consider simple chains.

Let Inline graphic be an automaton that satisfies the hypothesis. We want to establish that for all configurations Inline graphic in some region of Inline graphic reachable from Inline graphic, and for all states s of a simple Markov chain, Inline graphic. We do this by induction on the distance from the initial region in the region graph and then we prove that z is either 0 or 1. The basis case of the induction corresponds to the assumption Inline graphic, for all Inline graphic.

For the inductive step we assume that for a given Inline graphic, and for all states s of a simple chain, Inline graphic and we prove that the Inline graphic, for all Inline graphic reachable in one step from Inline graphic.

Let Inline graphic be an arbitrary simple chain and define Inline graphic as the simple chain with a single transition outgoing from its initial state to the initial state of Inline graphic whose rate is Inline graphic. Let s be the initial state of Inline graphic.

By assumption, Inline graphic. Define Inline graphic by Inline graphic when Inline graphic and by Inline graphic when Inline graphic. Equation 1 can be rewritten as Inline graphic. Since for all Inline graphic, Inline graphic, the Laplace transform of Inline graphic is equal to Inline graphic, i.e. the Laplace transform of the constant function z. By the uniqueness theorem for Laplace transforms, this entails that Inline graphic except on a set of null measure. Now consider a successor region Inline graphic of location Inline graphic with clock valuation Inline graphic.

  • Either Inline graphic (meaning that there has been a reset) and the region has a single point reached with non null probability. So Inline graphic.

  • Or Inline graphic, so by Lemma 1, Inline graphic is continuous inside the region w.r.t. Inline graphic and thus everywhere equal to z.

So the induction is established. So if a region of Inline graphic is reachable in the region graph, then Inline graphic. Otherwise Inline graphic is not reachable implying that no run is accepting, and thus Inline graphic.

We can now prove Theorem 1 (Inline graphic).

Proof of Theorem 1. The DTA Inline graphic in Fig. 1 (lower right) has an action set reduced to a singleton Inline graphic (omitted in the figure) and an empty set of propositions. The language of Inline graphic is the set of timed paths whose first action occurs at time Inline graphic for some Inline graphic. Assume by contradiction that there exists Inline graphic such that for all Markov chains Inline graphic, Inline graphic.

Pick an arbitrary Markov chain Inline graphic and define Inline graphic as the Markov chain which has a single transition from its initial state to the initial state of Inline graphic with rate Inline graphic. It is routine to check that Inline graphic (as only the first transition of Inline graphic is relevant) and, consequently, Inline graphic and, given the hypothesis, also Inline graphic.

Inline graphic can be decomposed as Inline graphic where Inline graphic is the probability to accept the random timed path and that the first action takes place at most at time Inline graphic and Inline graphic is the probability to accept the random timed path and that the first action takes place after Inline graphic, where Inline graphic is the maximal constant of Inline graphic. But Inline graphic and therefore Inline graphic.

On the other hand, let Inline graphic be the location of Inline graphic reached from its initial location when the value of the clock is greater than Inline graphic, its maximal constant. There must be one; otherwise Inline graphic, which contradicts what was derived above. We want to design an automaton Inline graphic equivalent to Inline graphic when reaching Inline graphic with clock value greater than Inline graphic: any timed path is accepted by Inline graphic iff it is accepted by Inline graphic when starting in Inline graphic with clock valuation greater than Inline graphic. For the construction we duplicate the automaton and merge the final locations; the initial location is location Inline graphic of the first copy, and in the first copy we add the formula Inline graphic to the guard of all transitions and redirect the transitions that reset the clock to the corresponding location of the second copy.

But then Inline graphic. Since Inline graphic and Inline graphic is arbitrary, this contradicts Proposition 1 applied to Inline graphic.

The DTA in Fig. 1 (upper right) shows that the above counter-example is of practical interest. Consider a periodic system that cycles over phases of duration 2, each split into two sub-phases of duration 1 (for example a running sub-phase and a reset sub-phase), and that can experience good (G), bad (B), and neutral (N) actions, generated by a CTMC of arbitrary complexity. The depicted DTA allows one to compute the probability of the CTMC behaviours characterized by a good action in the running sub-phase, given that no bad action has happened in the running sub-phase of any preceding phase. Any action is instead allowed during the reset sub-phase.
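As an added example (not part of the paper), the following Python code implements the run semantics of Definitions 2–4, i.e. the three-way matching described before Definition 2 (autonomous transitions with priority, then synchronizing transitions, else rejection), and encodes the periodic system just described as a concrete DTA. Since the figure is not reproduced here, the automaton is my reading of the text; the location names run, rst and ok, the shape of the guards, the verdict names and the sample paths are all assumptions.

```python
# Added example, not the paper's code: run semantics of a single-clock DTA with
# autonomous transitions (Definitions 2-4) over a finite prefix of a timed path,
# and the periodic-system DTA as read from the text. All names are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple
Valuation = FrozenSet[str]              # propositions true in a path state
Formula = Callable[[Valuation], bool]   # boolean expression labelling a location

@dataclass(frozen=True)
class Sync:      # reads an action in `actions` if `guard` holds when it occurs
    src: str
    actions: FrozenSet[str]
    guard: Callable[[float], bool]
    reset: bool
    dst: str

@dataclass(frozen=True)
class Auto:      # fires, with priority over Sync, when the clock reaches x = threshold
    src: str
    threshold: float
    reset: bool
    dst: str

@dataclass
class DTA:
    locations: Dict[str, Formula]
    initial: List[str]
    final: str
    syncs: List[Sync]
    autos: List[Auto]

def run(dta: DTA, path: List[Tuple[Valuation, float, str]]) -> Tuple[str, List[str]]:
    """path[i] = (v_i, d_i, a_i): valuation, sojourn time and exit action of state i.
    Returns (verdict, visited locations): 'accept' once final is reached, 'reject' if
    nothing matches or autonomous transitions cycle with no time elapsing (divergence),
    'undecided' if the prefix runs out first."""
    starts = [l for l in dta.initial if dta.locations[l](path[0][0])]
    if len(starts) != 1:             # no match, or initial determinism violated
        return "reject", []
    loc, x, i = starts[0], 0.0, 0
    remaining = path[0][1]           # time left until action a_i occurs
    trace, stalls = [loc], set()     # stalls: (loc, x) left with zero delay
    while loc != dta.final:
        v = path[i][0]
        # (1) autonomous transitions first: earliest boundary reachable no later
        #     than a_i whose target expression the current valuation satisfies
        cands = [t for t in dta.autos if t.src == loc
                 and x <= t.threshold <= x + remaining and dta.locations[t.dst](v)]
        if cands:
            t = min(cands, key=lambda c: c.threshold)
            if sum(c.threshold == t.threshold for c in cands) > 1:
                raise ValueError(f"autonomous determinism violated at {loc}")
            delta = t.threshold - x
            if delta > 0:
                stalls = set()
            if (loc, x) in stalls:        # same configuration, no time elapsed:
                return "reject", trace    # the run diverges, never reaching final
            stalls.add((loc, x))
            remaining -= delta
            x, loc = (0.0 if t.reset else t.threshold), t.dst
            trace.append(loc)
            continue
        # (2) otherwise a synchronizing transition must read a_i
        if i + 1 >= len(path):
            return "undecided", trace
        a, v_next, x_at = path[i][2], path[i + 1][0], x + remaining
        matches = [t for t in dta.syncs if t.src == loc and a in t.actions
                   and t.guard(x_at) and dta.locations[t.dst](v_next)]
        if len(matches) > 1:
            raise ValueError(f"action determinism violated at {loc} on {a}")
        if not matches:
            return "reject", trace        # (3) no possible matching
        t = matches[0]
        x, loc, i = (0.0 if t.reset else x_at), t.dst, i + 1
        remaining, stalls = path[i][1], set()
        trace.append(loc)
    return "accept", trace

ANY = frozenset({"G", "B", "N"})
TRUE: Formula = lambda v: True     # the periodic DTA uses no atomic propositions

def periodic_dta() -> DTA:
    # Phases of duration 2: running while x in [0,1), resetting while x in [1,2).
    # G while running accepts, B while running rejects (nothing reads it), N is
    # ignored; any action is allowed while resetting.
    return DTA(
        locations={"run": TRUE, "rst": TRUE, "ok": TRUE},
        initial=["run"], final="ok",
        syncs=[
            Sync("run", frozenset({"N"}), lambda x: x < 1, False, "run"),
            Sync("run", frozenset({"G"}), lambda x: x < 1, False, "ok"),
            Sync("rst", ANY, lambda x: 1 <= x < 2, False, "rst"),
            Sync("ok", ANY, lambda x: True, False, "ok"),   # final location loops forever
        ],
        autos=[
            Auto("run", 1.0, False, "rst"),   # x = 1: running sub-phase over, no reset
            Auto("rst", 2.0, True, "run"),    # x = 2: phase over, clock reset
        ],
    )
```

With a constructed path such as [(frozenset(), 1.5, "B"), (frozenset(), 1.0, "G"), (frozenset(), 1.0, "N")], the bad action at time 1.5 falls in the reset sub-phase and the good action at time 2.5 in the next running sub-phase, so run(periodic_dta(), path) yields ('accept', ['run', 'rst', 'rst', 'run', 'ok']); moving the bad action to time 0.5 yields ('reject', ['run']). The resetting autonomous transition from rst to run lies on a cycle with no synchronizing reset, which is exactly the pattern Theorem 1 uses, so this DTA is not in the restricted classes of Sect. 4. The stalls set is the check a practitioner wants for the divergence case discussed there: two autonomous transitions looping at x = 1 without a reset would otherwise make the simulator spin forever at one instant.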

Autonomous Transitions and Conciseness

We have established that there exist DTAs that cannot be translated into DTAs without autonomous transitions (Inline graphic). We now investigate whether restricted forms of use of autonomous transitions are as expressive as Inline graphic. To this end we identify two additional subclasses of Inline graphic, namely Inline graphic and Inline graphic, characterized by a limited presence of autonomous transitions and in the following subset relationship: Inline graphic.

  • Restricted cycles. Inline graphic is the subclass of automata Inline graphic in which all cycles of Inline graphic including an autonomous transition with a reset also include a synchronizing transition Inline graphic with Inline graphic or Inline graphic.

  • No reset on autonomous transitions. Inline graphic is the subclass of automata Inline graphic in which there is no autonomous transition that resets the clock: Inline graphic.

The DTA on the left of Fig. 1 belongs to Inline graphic: indeed there is an autonomous transition with reset (from Inline graphic to Inline graphic), therefore it is not in Inline graphic, but although the transition is part of a cycle, that cycle also includes a synchronizing transition with reset (from Inline graphic to Inline graphic). Any DTA with no reset on autonomous transitions is an example of Inline graphic. The family Inline graphic has been introduced to provide an accurate syntactical characterization of DTAs for which the autonomous transitions do not add expressive power. In some sense, the DTA of Theorem 1 emphasizes the interest of Inline graphic, since the cycle performed by the autonomous resetting transition points out what increases the expressive power. Inline graphic, which forbids clock resets on autonomous transitions, removes from CSLInline graphic the capacity of combining time constants depending on the time elapsed during (a portion of) an execution. As observed in [12, Section 4], clock resets on autonomous transitions are what makes CSLInline graphic more expressive than asCSL [6].

The following frame summarizes the results for Inline graphic subclasses. [summary frame image not reproduced]

We first establish that in Inline graphic the autonomous resetting transitions can be mimicked in Inline graphic using additional finite memory, but with exponential cost.

Proposition 2

There exists an algorithm operating in exponential time that takes as input Inline graphic and outputs Inline graphic with Inline graphic.

Sketch of Proof. The construction (1) duplicates locations by memorizing an integer value in the location, (2) takes this value into account when modifying the guards and the destinations of the outgoing transitions, and (3) deletes the resets of autonomous transitions. This value corresponds to the accumulated value of the constants in the guards of resetting autonomous transitions since the last visit of a synchronizing transition with a reset or with a guard Inline graphic. The restriction defining Inline graphic ensures that this value is bounded by some finite integer K. However, K may be exponential in the size of Inline graphic, and thus this transformation is exponential.

The exponential blowup due to the duplication of locations is unavoidable:

Proposition 3

There exists a family Inline graphic in Inline graphic such that the size of Inline graphic is Inline graphic and for all Inline graphic with Inline graphic, Inline graphic.

We now prove that autonomous transitions in Inline graphic can be eliminated, also at an exponential cost.

Proposition 4

There exists an algorithm operating in exponential time that takes as input Inline graphic and outputs Inline graphic with Inline graphic.

Sketch of Proof. The construction proceeds in two steps: first, cycles of autonomous transitions are eliminated, then all (linear) paths of autonomous transitions are eliminated. The first construction is quadratic, as we duplicate each location to store in it the number of autonomous transitions visited since the last visit of a synchronized transition. The idea of this construction is that if a path contains more autonomous transitions than the DTA has, it must visit the same autonomous transition twice without visiting a synchronized transition in between, and so it diverges. In words: in the resulting DTA, divergence has been transformed into deadlock. This finite memory has a linear size w.r.t. the size of the original DTA.

The second step consists in eliminating autonomous transitions when there are no such cycles. The key point is to select a location Inline graphic which is the source of the last autonomous transition of a maximal path of such transitions. Thus every autonomous transition outgoing from Inline graphic reaches some location Inline graphic where only synchronized transitions are possible. Roughly speaking, the construction builds a synchronized transition corresponding to a sequence of an autonomous transition followed by a synchronized transition. However, the construction is more involved, since Inline graphic has to be duplicated in order to check which autonomous transition can be triggered (or whether no autonomous transition can be triggered). This duplication also has an impact on the incoming transitions of Inline graphic. Repeating this transformation (at most |L| times) eliminates all autonomous transitions. The exponential blowup due to the repeated duplication of locations is unavoidable:
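The first step of the sketch above (the bounded counter that turns divergence into deadlock), as an added illustration that is not part of the paper: the DTA representation (named locations, transitions tagged as autonomous or synchronizing, with guards and actions carried as opaque labels) and the sample DTA are assumptions made here, since the paper's formal definitions are not reproduced in this extraction.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transition:
    src: object
    dst: object
    autonomous: bool  # True: triggered by the clock; False: synchronizing (CTMC event)
    label: str        # guard / action, carried through unchanged (assumed representation)

def eliminate_autonomous_cycles(locations, transitions):
    """Pair every location l with a counter k in 0..n, where n is the number of
    autonomous transitions of the DTA. Autonomous transitions increment k,
    synchronizing transitions reset it to 0. An autonomous step that would push k
    past n is dropped: a run that would revisit an autonomous transition without
    passing through a synchronizing one now deadlocks instead of diverging.
    The result has |L| * (n + 1) locations, i.e. quadratic size."""
    n = sum(1 for t in transitions if t.autonomous)
    new_locs = [(l, k) for l in locations for k in range(n + 1)]
    new_trans = []
    for t in transitions:
        for k in range(n + 1):
            if t.autonomous:
                if k + 1 <= n:  # the (n+1)-th consecutive autonomous step is removed
                    new_trans.append(Transition((t.src, k), (t.dst, k + 1), True, t.label))
            else:
                new_trans.append(Transition((t.src, k), (t.dst, 0), False, t.label))
    return new_locs, new_trans

def has_autonomous_cycle(locations, transitions):
    """Depth-first search over autonomous edges only; True iff some cycle of the
    DTA consists exclusively of autonomous transitions."""
    adj = {l: [] for l in locations}
    for t in transitions:
        if t.autonomous:
            adj[t.src].append(t.dst)
    WHITE, GREY, BLACK = 0, 1, 2
    color = {l: WHITE for l in locations}
    def dfs(u):
        color[u] = GREY
        for v in adj[u]:
            if color[v] == GREY or (color[v] == WHITE and dfs(v)):
                return True
        color[u] = BLACK
        return False
    return any(color[l] == WHITE and dfs(l) for l in locations)

# Constructed sample DTA: an autonomous cycle a -> b -> a, left by a synchronizing step.
SAMPLE_LOCS = ["a", "b", "c"]
SAMPLE_TRANS = [Transition("a", "b", True, "x >= 1"), Transition("b", "a", True, "x >= 2"),
                Transition("b", "c", False, "act"), Transition("c", "a", False, "act")]
```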

Proposition 5

There exists a family of automata Inline graphic in Inline graphic such that the size of Inline graphic belongs to Inline graphic and for all Inline graphic with Inline graphic the number of its locations is at least Inline graphic.

Conclusion and Future Work

We have established that autonomous transitions do enhance the expressiveness of single-clock DTAs, and more precisely for the less discriminating case of the probability of the random paths of a CTMC accepted by the DTA. This is the most relevant case for comparing some variations of (1-clock) CSLInline graphic defined in the literature. This enhanced expressiveness is due to the possibility of associating clock resets with autonomous transitions that occur in a cycle. The small counterexample of Proposition 1 can be seen as the basic construct to study systems with periodic behaviours or periodic phases, with clear practical implications. Even in DTA subclasses for which the autonomous transitions do not enhance expressiveness, they do play a role in defining concise DTAs: removing autonomous transitions may lead to an exponential blow-up of the DTA.

We plan to investigate whether the precise identification of the characteristics that enhance expressiveness and conciseness can help the identification of the best algorithms for CSLInline graphic model-checking, in particular for the component-based method [4]. Moreover, following the suggestion by an anonymous reviewer, we intend to investigate further consequences of Proposition 1, for example to study systems that include probabilistic choices of autonomous transitions.

Contributor Information

Alberto Leporati, Email: alberto.leporati@unimib.it.

Carlos Martín-Vide, Email: carlos.martin@urv.cat.

Dana Shapira, Email: shapird@g.ariel.ac.il.

Claudio Zandron, Email: zandron@disco.unimib.it.

Susanna Donatelli, Email: donatelli@di.unito.it.

Serge Haddad, Email: haddad@lsv.fr.

References

  • 1. Ajmone-Marsan, M., Balbo, G., Conte, G., Donatelli, S., Franceschinis, G.: Modelling with Generalized Stochastic Petri Nets. Wiley, Hoboken (1995)
  • 2. Amparore, E.G., Ballarini, P., Beccuti, M., Donatelli, S., Franceschinis, G.: Expressing and computing passage time measures of GSPN models with HASL. In: Colom, J.-M., Desel, J. (eds.) Application and Theory of Petri Nets and Concurrency, pp. 110–129. Springer, Heidelberg (2013)
  • 3. Amparore, E.G., Donatelli, S.: MC4CSLInline graphic: an efficient model checking tool for CSLInline graphic. In: QEST 2010, pp. 153–154. IEEE Computer Society (2010)
  • 4. Amparore, E.G., Donatelli, S.: Efficient model checking of the stochastic logic CSLTA. Perform. Eval. 123–124, 1–34 (2018). doi: 10.1016/j.peva.2018.03.002
  • 5. Aziz, A., Sanwal, K., Singhal, V., Brayton, R.: Model-checking continuous-time Markov chains. ACM Trans. Comput. Log. 1(1), 162–170 (2000). doi: 10.1145/343369.343402
  • 6. Baier, C., Cloth, L., Haverkort, B.R., Kuntz, M., Siegle, M.: Model checking Markov chains with actions and state labels. IEEE TSE 33, 209–224 (2007)
  • 7. Baier, C., Haverkort, B., Hermanns, H., Katoen, J.-P.: On the logical characterisation of performability properties. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) Automata, Languages and Programming, pp. 780–792. Springer, Heidelberg (2000)
  • 8. Baier, C., Haverkort, B., Hermanns, H., Katoen, J.-P.: Model-checking algorithms for continuous-time Markov chains. IEEE TSE 29(6), 524–541 (2003)
  • 9. Ballarini, P., Barbot, B., Duflot, M., Haddad, S., Pekergin, N.: HASL: a new approach for performance evaluation and model checking from concepts to experimentation. Perform. Eval. 90, 53–77 (2015). doi: 10.1016/j.peva.2015.04.003
  • 10. Chen, T., Han, T., Katoen, J.-P., Mereacre, A.: Model checking of continuous-time Markov chains against timed automata specifications. Log. Methods Comput. Sci. 7(1:12), 1–34 (2011)
  • 11. Donatelli, S., Haddad, S.: Autonomous Transitions Enhance CSLInline graphic Expressiveness and Conciseness. Research report, Inria Saclay Ile de France, LSV, ENS Cachan, CNRS, INRIA, Université Paris-Saclay, Cachan, France, Università degli Studi di Torino, October 2019. https://hal.inria.fr/hal-02306021
  • 12. Donatelli, S., Haddad, S., Sproston, J.: Model checking timed and stochastic properties with CSLInline graphic. IEEE TSE 35(2), 224–240 (2009)
  • 13. Feng, Y., Katoen, J.-P., Li, H., Xia, B., Zhan, N.: Monitoring CTMCs by multi-clock timed automata. In: Chockler, H., Weissenbacher, G. (eds.) Computer Aided Verification, pp. 507–526. Springer, Cham (2018)
  • 14. Kuntz, M., Haverkort, B.R.: GCSRL - a logic for stochastic reward models with timed and untimed behaviour. In: 8th PMCCS, pp. 50–56 (2007)
  • 15. Meyer, J.F., Movaghar, A., Sanders, W.H.: Stochastic activity networks: structure, behavior, and application. In: International Workshop on Timed Petri Nets, pp. 106–115. IEEE CS (1985)
  • 16. Obal, W.D., II, Sanders, W.H.: State-space support for path-based reward variables. Perform. Eval. 35, 233–251 (1999). doi: 10.1016/S0166-5316(99)00010-3

Articles from Language and Automata Theory and Applications are provided here courtesy of Nature Publishing Group