An extension of the inverse method to probabilistic timed automata

Published in: Formal Methods in System Design

Abstract

Probabilistic timed automata can be used to model systems in which probabilistic and timing behaviour coexist. Verification of probabilistic timed automata models is generally performed with regard to a single reference valuation \(\pi_{0}\) of the timing parameters. Given such a parameter valuation, we present a method for obtaining automatically a constraint \(K_{0}\) on timing parameters for which the reachability probabilities (1) remain invariant and (2) are equal to the reachability probabilities for the reference valuation. The method relies on parametric analysis of a non-probabilistic version of the probabilistic timed automata model using the “inverse method”. The method presents the following advantages. First, since \(K_{0}\) corresponds to a dense domain around \(\pi_{0}\) on which the system behaves uniformly, it gives us a measure of robustness of the system. Second, it allows us to obtain a valuation satisfying \(K_{0}\) which is as small as possible while preserving reachability probabilities, thus making the probabilistic analysis of the system easier and faster in practice. We provide examples of the application of our technique to models of randomized protocols, and introduce an extension of the method allowing the generation of a “probabilistic cartography” of a system.

Notes

  1. The verification engine used was the sparse matrix engine.

  2. The only difference with regard to [18, 23] is the use of a single parameter TRANSTIME for the length of a packet transmission, instead of lower and upper bounds on this length, namely TRANSTIMEMIN and TRANSTIMEMAX, respectively. This simplifies the model with no consequence, since TRANSTIMEMAX had no effect on the (time-abstract) behaviour of the system, and was only constrained to be greater than or equal to TRANSTIMEMIN. An advantage of considering a single transmission time is that the model trivially satisfies the criterion of anchored PPTAs. Furthermore, in contrast to [18, 23], we set the upper limit of the backoff counter to 1.

References

  1. Alur R, Dill DL (1994) A theory of timed automata. Theor Comput Sci 126(2):183–235

  2. Alur R, Henzinger TA, Vardi MY (1993) Parametric real-time reasoning. In: Proceedings of the twenty-fifth annual ACM symposium on theory of computing, STOC’93. ACM, New York, pp 592–601

  3. André É. (2010) An inverse method for the synthesis of timing parameters in concurrent systems. Thèse de doctorat, Laboratoire Spécification et Vérification, ENS Cachan, France

  4. André É., Chatain Th, Encrenaz E, Fribourg L (2009) An inverse method for parametric timed automata. Int J Found Comput Sci 20(5):819–836

  5. André É., Fribourg L (2010) Behavioral cartography of timed automata. In: Kučera A, Potapov I (eds) Proceedings of the 4th workshop on reachability problems in computational models (RP’10). Lecture notes in computer science, vol 6227. Springer, Berlin, pp 76–90

  6. André É., Fribourg L, Kühne U, Soulat R (2012) IMITATOR 2.5: A tool for analyzing robustness in scheduling problems. In: 18th international symposium on formal methods (FM’12). Lecture notes in computer science, vol 7436. Springer, Berlin, pp 33–36

  7. André É., Fribourg L, Sproston J (2009) An extension of the inverse method to probabilistic timed automata. In: Roggenbach M (ed) AVoCS’09, electronic communications of the EASST, vol 23. European Association of Software Science and Technology

  8. Chamseddine N, Duflot M, Fribourg L, Picaronny C, Sproston J (2008) Computing expected absorption times for parametric determinate probabilistic timed automata. In: Proceedings of the 5th international conference on quantitative evaluation of systems (QEST’08). IEEE Comput Soc, Los Alamitos, pp 254–263

  9. Daws C (2004) Symbolic and parametric model checking of discrete-time Markov chains. In: Proc. ICTAC’04. LNCS, vol 3407. Springer, Berlin, pp 280–294

  10. Gregersen H, Jensen HE (1995) Formal design of reliable real time systems. Master’s thesis, Department of Mathematics and Computer Science, Aalborg University

  11. Han T, Katoen JP, Mereacre A (2008) Approximate parameter synthesis for probabilistic time-bounded reachability. In: Proc. RTSS’08. IEEE Press, New York, pp 173–182

  12. Hinton A, Kwiatkowska M, Norman G, Parker D (2006) PRISM: a tool for automatic verification of probabilistic systems. In: TACAS’06, LNCS, vol 3920. Springer, Berlin, pp 441–444

  13. Hune T, Romijn J, Stoelinga M, Vaandrager F (2002) Linear parametric model checking of timed automata. J Log Algebr Program 52–53:183–220

  14. Kemeny JG, Snell JL, Knapp AW (1976) Denumerable Markov chains, 2nd edn. Graduate texts in mathematics. Springer, Berlin

  15. Kwiatkowska M, Norman G, Parker D (2009) Stochastic games for verification of probabilistic timed automata. In: FORMATS’09. LNCS, vol 5813. Springer, Berlin, pp 212–227

  16. Kwiatkowska M, Norman G, Parker D, Sproston J (2006) Performance analysis of probabilistic timed automata using digital clocks. Form Methods Syst Des 29:33–78

  17. Kwiatkowska M, Norman G, Segala R, Sproston J (2002) Automatic verification of real-time systems with discrete probability distributions. Theor Comput Sci 282:101–150

  18. Kwiatkowska M, Norman G, Sproston J (2002) Probabilistic model checking of the IEEE 802.11 wireless local area network protocol. In: Proc. PAPM/PROBMIV’02. LNCS, vol 2399. Springer, Berlin, pp 169–187

  19. Kwiatkowska M, Norman G, Sproston J (2003) Probabilistic model checking of deadline properties in the IEEE 1394 FireWire root contention protocol. Form Asp Comput 14(3):295–318

  20. Kwiatkowska M, Norman G, Sproston J, Wang F (2007) Symbolic model checking for probabilistic timed automata. Inf Comput 205(7):1027–1077

  21. Lanotte R, Maggiolo-Schettini A, Troina A (2007) Parametric probabilistic transition systems for system design and analysis. Form Asp Comput 19(1):93–109

  22. Segala R (1995) Modeling and verification of randomized distributed real-time systems. Ph.D. thesis, Massachusetts Institute of Technology

  23. PRISM web page. http://www.prismmodelchecker.org/

Acknowledgements

We are grateful to the anonymous referees for their helpful comments. Étienne André and Laurent Fribourg have been partially supported by the Agence Nationale de la Recherche, grant ANR-06-ARFU-005, and by Institute Farman (project SIMOP). Jeremy Sproston is supported in part by the project AMALFI—Advanced Methodologies for the AnaLysis and management of the Future Internet (Università di Torino/Compagnia di San Paolo).

Author information

Corresponding author

Correspondence to Jeremy Sproston.

Appendices

Appendix A: Proof of Proposition 1

In order to prove Proposition 1, we show that, for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that σ and σ′ generate the same time-abstract trace distributions (from the initial state). For this task, we require a number of preliminary definitions and results. First, we present a sufficient condition for two schedulers to generate the same time-abstract trace distributions. Recall that, given that we assume reset unicity, for all of the distributions μ∈Dist(Q×(X→ℝ≥0)) we consider in the transition relation of \(\mathsf{T}_{\mathcal {A}[\pi]}\) and \(\mathsf{T}_{\mathcal{A}[\pi']}\), for each location q there will be at most one clock valuation w such that μ(q,w)>0. We will use \(w^{\mu}_{q}\) to denote this clock valuation. In the following, given two distributions μ,μ′∈Dist(Q×(X→ℝ≥0)), we write μ≃μ′ if, for each q∈Q, we have \(\mu(q,w^{\mu}_{q}) = \mu'(q,w^{\mu'}_{q})\). Given a triple (d,a,μ)∈ℝ≥0×Σ×Dist(Q×(X→ℝ≥0)), we let dist(d,a,μ)=μ.

Lemma 1

Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and σ′ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi']}\). If dist(σ(ω))≃dist(σ′(ω′)) for each \(\omega\in\mathit{Path}^{\sigma}(\overline{q},\mathbf {0})\) and \(\omega' \in \mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, then \(\mathsf{td}^{{\sigma}}_{{(\overline{q},\mathbf{0})}} = \mathsf{td}^{{\sigma'}}_{{(\overline{q},\mathbf{0})}}\).

Proof

The scheduler σ induces a Markov chain \(M_{\sigma}\) (see [14]), the states of which are finite paths (starting from \((\overline{q} ,\mathbf{0})\)), and the transition matrix of which assigns to a transition from path ω to path \(\omega\xrightarrow{d,a,\mu} (q,w)\) probability μ(q,w) if σ(ω)=(d,a,μ) (probability 0 is assigned to transitions from ω to paths not resulting from ω by appending the choice of σ(ω)). Similarly, scheduler σ′ induces a Markov chain \(M_{\sigma'}\). The Markov chains \(M_{\sigma}\) and \(M_{\sigma'}\) are isomorphic: that is, given a bijection \(f: \mathit{Path}^{\sigma}(\overline {q},\mathbf{0}) \rightarrow \mathit{Path} ^{\sigma'}(\overline{q},\mathbf{0})\) such that f(ω)=ω′, where ω′ is the unique path of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, we have that the Markov chain obtained from \(M_{\sigma}\) by substituting each \(\omega\in\mathit{Path}^{\sigma}(\overline {q},\mathbf{0})\) by f(ω) (in the state space and transition matrix) is equal to \(M_{\sigma'}\). Because f preserves traces (that is, trace(ω)=trace(f(ω))), we can then derive that \(\mathsf{td}^{{\sigma}}_{{(\overline {q},\mathbf{0})}} = \mathsf{td}^{{\sigma '}}_{{(\overline {q},\mathbf{0})}}\). □

Recall that the assumption of determinism on actions implies that, for any transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\), the probabilistic edge (q,_,a,_)∈prob associated with the transition is unique. A transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a unique-time transition if the probabilistic edge (q,_,a,_)∈prob is a unique-time probabilistic edge. Similarly, a transition \((q,w) \xrightarrow{d,a,\mu} (q',w')\) is a probability-1 transition if the probabilistic edge (q,_,a,_)∈prob is a probability-1 edge, otherwise it is a probabilistically-branching transition. A state (q,w) is a clock-0 state if w=0. The next lemma follows immediately from the definition of anchored PPTAs.

Lemma 2

Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) be a path in either \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf {0})\) or \(\mathit{Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\). Then there do not exist indices 0≤i<j≤n, determining the sub-path \(\omega=(q_{i},w_{i})\xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{j-1},a_{j-1}, \mu_{j-1}} (q_{j},w_{j})\) such that

  1. \((q_{j-1},w_{j-1}) \xrightarrow{d_{j-1},a_{j-1}, \mu_{j-1}} (q_{j},w_{j})\) is a probabilistically-branching transition,

  2. \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} (q_{i+1},w_{i+1})\) is not a unique-time transition, and

  3. \((q_{k},w_{k})\) is not a clock-0 state for each i≤k<j.

The following lemma states that ≡ preserves the “type” of transitions (where by “type” we mean unique-time transition/non-unique-time transition and probability-1/probabilistically branching transition), and follows immediately from the definition of ≡.

Lemma 3

Let \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots \xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) and let \(\omega' = (q_{0}',w_{0}')\xrightarrow{d_{0}',a_{0},\mu_{0}'} \cdots \xrightarrow{d_{n-1}',a_{n-1}, \mu_{n-1}'} (q_{n}',w_{n}')\) be a path in \(\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\). Then if ω≡ω′, we have that the i-th transition \((q_{i-1},w_{i-1}) \xrightarrow {d_{i-1},a_{i-1}, \mu_{i-1}} (q_{i},w_{i})\) of ω is a unique-time transition (probability-1 transition, respectively) if and only if the i-th transition \((q_{i-1}',w_{i-1}') \xrightarrow {d_{i-1}',a_{i-1}, \mu_{i-1}'} (q_{i}',w_{i}')\) of ω′ is a unique-time transition (probability-1 transition, respectively), for 1≤i≤n.

In the following, for any path \(\omega= (q_{0},w_{0}) \xrightarrow {d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\) and any 0≤i≤n, we recall that pref(ω,i) is the path prefix \((q_{0},w_{0}) \xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow{d_{i-1},a_{i-1}, \mu _{i-1}} (q_{i},w_{i})\) comprising the transitions up to the (i+1)-th state. We also write suf(ω,i) to denote the path suffix \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu _{n-1}} (q_{n},w_{n})\) comprising the transitions from the (i+1)-th state (as previously, we also refer to states as being paths of length 0, so pref(ω,0) is \((q_{0},w_{0})\) and suf(ω,n) is \((q_{n},w_{n})\)). For 0≤i≤j≤n, we write \(\omega_{ij}\) for the path \((q_{i},w_{i}) \xrightarrow{d_{i},a_{i},\mu_{i}} \cdots \xrightarrow {d_{j-1},a_{j-1},\mu_{j-1}} (q_{j},w_{j})\). We use ω(i) to denote \((q_{i},w_{i})\), for 0≤i≤n. We say that a path ω′ is an extension of a path ω if ω=pref(ω′,i) for some 0≤i≤|ω′|.

Henceforth, we assume that \(\mathit{Path}^{\mathcal{A}[\pi ]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\). Given that we will construct the scheduler σ′ of \(\mathcal {A}[\pi']\) by induction on the length of paths, we need to avoid blocking situations in which the paths of σ′ replicate the paths of σ (in the sense of having the same time-abstract traces) only up to a certain path length, from which point at least one path of σ cannot be replicated by σ′. For example, consider the path ω of σ and the path ω′ of σ′ such that ω≡ω′; our aim is to define σ′ so that it replicates the choice σ(ω)=(d,a,μ) in the sense of choosing some (d′,a,μ′) such that μ≃μ′. The problematic situation, that we must avoid during the construction of σ′, is that in which, from last(ω′), no transition of the form (d′,a,μ′) can be taken because the guard g of the probabilistic edge (q,g,a,_) cannot be enabled from last(ω′) after letting time pass. The next technical lemma explains how this situation is avoided in the case of non-unique-time transitions: it states that, for any path ω of \(\mathcal{A}[\pi]\) ending in a sequence of non-unique-time transitions, any path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to a prefix of ω which ends in the sequence of non-unique-time transitions can be extended to a path of \(\mathcal{A}[\pi']\) that is time-abstract equivalent to the entire path ω.

Lemma 4

Let σ be a scheduler of \(\mathsf{T}_{\mathcal{A}[\pi]}\) and let ω be a path of σ for which the last transition is not a unique-time transition. Let 0≤i<|ω| be the smallest i such that suf(ω,i) comprises only non-unique-time transitions. Let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′. Then there exists a path \(\hat{\omega}' \in\mathit{Path}^{\mathcal {A}[\pi ']}(\overline{q} ,\mathbf{0})\) such that (1) \(\mathsf{pref}({\hat{\omega}'},{i}) = \omega'\) and (2) \(\omega\equiv\hat{\omega}'\).

Proof

Observe that, because \(\mathcal{A}\) is an anchored PPTA, any path of either \(\mathcal{A}[\pi]\) or \(\mathcal{A}[\pi']\) cycles through the following phases: visit to a clock-0 state, then a (possibly empty) sequence of unique-time transitions, then a (possibly empty) sequence of non-unique-time transitions, then a visit to a clock-0 state, etc. Let 0≤j≤i be the largest j such that ω(j) is a clock-0 state. Then from pref(ω,i)≡ω′, we have that ω′(j) is a clock-0 state. Furthermore, suf(ω′,j) contains only unique-time transitions, which follows from the following facts: \(\omega_{ij}\) contains only unique-time actions, \(\omega_{ij} \equiv\mathsf{suf}({\omega'},{j})\), and Lemma 3.

Now, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf {0}) \equiv\mathit{Path} ^{\mathcal{A} [\pi']}(\overline{q},\mathbf{0})\), we have that the existence of the path \(\omega\in\mathit {Path}^{\mathcal{A}[\pi ]}(\overline{q},\mathbf{0})\) implies the existence of a path \(\tilde{\omega} \in\mathit {Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\). Let \(\hat{\omega}' = \omega' \cdot\mathsf{suf}({\tilde{\omega}},{i})\) (where, in the usual manner, \(\omega' \cdot\mathsf{suf}({\tilde {\omega}},{i})\) denotes the concatenation of ω′ and \(\mathsf{suf}({\tilde {\omega}},{i})\)). Then \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\), from the following facts.

First, note that \(\hat{\omega}'(j)\) is a clock-0 state (from pref(ω,i)≡ω′ and the fact that ω(j) is a clock-0 state).

Second, because the fragment of the path ω from point j to point i (that is, \(\omega_{ij}\)) contains only unique-time transitions, together with the fact that ω≡ω′ and Lemma 3, we have that \(\omega'_{ij}\) contains only unique-time transitions. Furthermore, note that, after a clock-0 state followed by a sequence of unique-time transitions, there is only one possible clock valuation: this clock valuation is determined completely by the sequence of unique-time transitions.

From these facts, we can arrive at the following conclusion: after the fragment of ω′ from point j to point k, there is only one possible clock valuation for the state ω′(k), and that \(\omega'(k) = \tilde{\omega}(k)\). Intuitively, this means that if \(\mathsf{suf}({\tilde{\omega}},{i})\) is a possible extension of the path \(\tilde{\omega}\) from point i, then \(\mathsf{suf}({\tilde{\omega}},{i})\) is also a possible extension of the path ω′. This allows us to conclude that \(\tilde{\omega} \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\) implies \(\hat{\omega}' \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline {q},\mathbf{0})\). With regard to the two further conditions on \(\hat{\omega}'\) given in the lemma, we note that condition (1) (\(\mathsf{pref}({\hat{\omega}'},{i}) = \omega'\)) follows immediately from the definition of \(\hat{\omega}'\), and condition (2) (\(\omega\equiv\hat{\omega}'\)) follows from the fact that we assume in the statement of the lemma that pref(ω,i)≡ω′, and from the fact that \(\omega\equiv\tilde{\omega}\) implies trivially that \(\mathsf{suf}({\omega},{i}) \equiv\mathsf {suf}({\tilde{\omega}},{i})\). □

Let ω be a path of σ for which the last transition is not a unique-time transition. Let ω′ be a path of \(\mathit{Path}^{\mathcal{A}[\pi ']}(\overline{q},\mathbf{0})\) such that pref(ω,i)≡ω′, where 0≤i<|ω| is the smallest i such that suf(ω,i) comprises only non-unique-time transitions. Lemma 4 allows us to choose a particular \(\langle \! \langle{{\omega }} \rangle\! \rangle_{{\omega'}} \in\mathit {Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), which depends on ω and ω′, such that (1) \(\mathsf{pref}({\langle\! \langle{{\omega}} \rangle\! \rangle_{{\omega'}}},{i}) = \omega'\) and (2) \(\omega\equiv\langle\! \langle{{\omega}} \rangle\! \rangle_{{\omega'}}\).

We now proceed to the proof of Proposition 1. In the standard way, given \(\omega= (q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu _{0}} \cdots\xrightarrow{d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n})\), we write \(\omega\xrightarrow{d,a,\mu} (q,w)\) to denote the path \((q_{0},w_{0})\xrightarrow{d_{0},a_{0},\mu_{0}} \cdots\xrightarrow {d_{n-1},a_{n-1}, \mu_{n-1}} (q_{n},w_{n}) \xrightarrow{d,a,\mu} (q,w)\). In the following, we write \((\omega\xrightarrow{d,a,\mu}) \in \mathit{Path} ^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) if there exists some state (q,w) such that \(\omega\xrightarrow {d,a,\mu} (q,w) \in\mathit{Path}^{\mathcal{A}[\pi]}(\overline {q},\mathbf{0})\); analogous notation is used for \(\mathcal{A}[\pi']\).

Proof (Proposition 1)

By Lemma 1, it suffices to show the following result: for any scheduler σ of \(\mathsf{T}_{\mathcal{A}[\pi]}\), we can construct a scheduler σ′ of \(\mathsf{T}_{\mathcal {A}[\pi']}\) such that, for each \(\omega\in\mathit{Path}^{\sigma}(\overline {q},\mathbf{0})\) and \(\omega' \in\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) such that ω≡ω′, we have dist(σ(ω))≃dist(σ′(ω′)).

We proceed with the construction of σ′ by considering paths of progressively greater length. In the following, we let \(\mathit{Path}^{\sigma}_{i}(\overline {q},\mathbf{0})\) be the set of paths of \(\mathit{Path}^{\sigma}(\overline{q},\mathbf{0})\) of length i; similarly, \(\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) denotes the set of paths of \(\mathit{Path}^{\sigma'}(\overline{q},\mathbf{0})\) of length i.

Let i≥0. Assume that we have defined σ′ for all paths of \(\mathit{Path} ^{\sigma '}_{j}(\overline{q},\mathbf{0})\) for all 0≤j<i. Now we define σ′ for paths of \(\mathit{Path}^{\sigma '}_{i}(\overline{q} ,\mathbf{0})\). Let \(\omega\in\mathit{Path}^{\sigma}_{i}(\overline{q},\mathbf{0})\) be a path of \(\mathcal{A} [\pi]\) of length i, and let \(\omega' \in\mathit{Path}^{\sigma'}_{i}(\overline{q},\mathbf{0})\) be the unique (by determinism on actions) path of \(\mathcal{A}[\pi']\) of length i such that ω≡ω′. Let σ(ω)=(d,a,μ). Our aim is to show the existence of (last(ω′),d′,a,μ′) in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\) such that μ≃μ′. Then we let σ′(ω′)=(d′,a,μ′).

In the case in which last(ω) is a clock-0 state, we proceed as follows. We note that, from \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline {q},\mathbf{0}) \equiv \mathit{Path} ^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), the existence of \((\omega\xrightarrow{d,a,\mu}) \in\mathit {Path}^{\mathcal{A} [\pi ]}(\overline{q},\mathbf{0})\) implies the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in \mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Given that \(\omega\equiv\tilde{\omega}\) and ω≡ω′, and that last(ω) is a clock-0 state, we must have that \(\mathit{last}(\omega) = \mathit{last}(\tilde {\omega}) = \mathit{last} (\omega')\). In this case it is immediate to see that the fact that \((\mathit {last}(\tilde {\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal {A}[\pi']}\) implies that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′). From μ≃μ′, it follows that dist(σ(ω))≃dist(σ′(ω′)).

Now we consider the case in which last(ω) is not a clock-0 state. We consider two sub-cases.

Sub-case: the last transition of ω is a unique-time transition.

Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that ω(j) is a clock-0 state and suf(ω,j) contains only unique-time transitions.

From \(\mathit{Path}^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0}) \equiv\mathit{Path}^{\mathcal{A} [\pi ']}(\overline{q},\mathbf{0})\), the existence of the path \((\omega\xrightarrow{d,a,\mu}) \in\mathit{Path} ^{\mathcal{A}[\pi]}(\overline{q},\mathbf{0})\) implies the existence of a path \((\tilde{\omega} \xrightarrow {d',a,\mu '}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) such that \(\omega\equiv\tilde{\omega}\) and μ≃μ′. Now consider suf(ω,j) and \(\mathsf{suf}({\tilde {\omega}},{j})\). Observe that only unique-time transitions feature along \(\mathsf {suf}({\tilde {\omega}},{j})\) (this follows from the fact that suf(ω,j) contains only unique-time transitions, from the fact that \(\omega\equiv\tilde{\omega}\) implies that \(\mathsf{suf}({\omega},{j}) \equiv\mathsf{suf}({\tilde{\omega}},{j})\), and from Lemma 3). Given that \(\mathsf{suf}({\tilde{\omega}},{j})\) is a clock-0 state, and that \(\mathsf{suf}({\tilde{\omega}},{j})\) features only unique-time transitions, it must be the case that, for each state visited along \(\mathsf {suf}({\tilde {\omega}},{j})\), there is only one possible clock valuation. Hence we must have \(\mathsf{suf}({\omega'},{j}) = \mathsf {suf}({\tilde{\omega}},{j})\). This implies that \(\mathit{last}(\omega') = \mathit{last}(\tilde {\omega})\). Given that the existence of \((\tilde{\omega} \xrightarrow{d',a,\mu'}) \in\mathit{Path}^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\) implies that \((\mathit{last}(\tilde{\omega}),d',a,\mu')\) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\), it follows trivially that (last(ω′),d′,a,μ′) is in the probabilistic transition relation of \(\mathsf{T}_{\mathcal{A}[\pi']}\). Hence we let σ′(ω′)=(d′,a,μ′).

Sub-case: the last transition of ω is not a unique-time transition.

Given that \(\mathcal{A}\) is an anchored PPTA and from Lemma 2, there exists 0≤j<i such that suf(ω,j) contains only non-unique-time transitions.

First, suppose that there exists some path of σ that is an extension of ω and which ends in a clock-0 state; then let \({{\omega}} \uparrow^{{\sigma}}_{0}\) be the shortest such path. Given that the last transition of ω is not a unique-time transition, by Lemma 2, the last transition of \({{\omega}} \uparrow^{{\sigma}}_{0}\) is not a unique-time transition. Given that pref(ω,k)≡pref(ω′,k), we can employ Lemma 4 to define the path \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma }}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{k})}}\): the path \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{k})}}\) is in \(\mathit{Path} ^{\mathcal{A}[\pi']}(\overline{q},\mathbf{0})\), extends pref(ω′,k), and is such that \({{\omega}} \uparrow^{{\sigma}}_{0} \equiv\langle\! \langle{{{{\omega}} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{k})}}\). Let \((q,w) \xrightarrow{d',a,\mu'} (q',w')\) be the (i+1)-th transition of \(\langle\! \langle{{{{\omega}} \uparrow^{{\sigma }}_{0}}} \rangle\! \rangle_{{\mathsf{pref}({\omega'},{k})}}\). Then we let σ′(ω′)=(d′,a,μ′). From the fact that \({{\omega}} \uparrow^{{\sigma}}_{0} \equiv\langle \! \langle{{{{\omega }} \uparrow^{{\sigma}}_{0}}} \rangle\! \rangle _{{\mathsf{pref}({\omega'},{k})}}\), we have that μ≃μ′ (in fact, because (last(ω),d,a,μ) and (last(ω′),d′,a,μ′) are not unique-time transitions, we must have μ(q′)=μ′(q′)=1).

Alternatively, suppose that there does not exist a path of σ which extends ω and which ends in a clock-0 state. Note that, by the definition of anchored PPTAs, this means that all paths of σ that are extensions of ω feature only non-unique-time (and hence probability-1) transitions. Hence we can conclude the following: all paths of σ that are extensions of ω are of the form \(\overline{\omega} \xrightarrow{d,a,\mu_{(q,w)}} (q,w)\), where \(\sigma(\overline{\omega}) = (d,a,\mu_{(q,w)})\) and \(\overline{\omega}\) is either ω itself or a path of σ that is an extension of ω. These extensions of ω derive a countably infinite sequence of paths progressively extending ω. We can also find a countably infinite sequence of paths progressively extending ω′, given the definition of σ′ up to ω′, such that each extension of ω′ is equivalent under ≡ to the associated extension of ω with the same length. This sequence of paths is obtained by considering each extension of ω and applying Lemma 4. This countably infinite sequence defines the transitions chosen by σ′ for any extension of ω′. It can then be seen that, for any extension of ω under σ, and any ≡-equivalent extension of ω′ under σ′, the distributions in the transitions of σ and σ′ are ≃-equivalent.

Given Lemma 1, we have completed the proof of Proposition 1. □

Appendix B: The inverse method

Given a (classical) parametric timed automaton \(\mathcal{A}\) and a reference valuation π of parameters, the inverse method outputs a constraint K such that:

  1. π⊨K,

  2. \(\mathit{Path}^{\mathcal{A}[\pi]}\equiv\mathit{Path}^{\mathcal{A}[\pi']}\), for all π′⊨K.

The algorithm IM can be summarized as follows. Starting with K:=true, we iteratively compute a growing set of reachable symbolic states. A symbolic state of the system is a pair (q,C), where q is a location of \(\mathcal{A}\), and C a constraint on the clocks and the parameters. When a π-incompatible state (q,C) is encountered (i.e. when \(\pi\not\models C\)), K is refined as follows: a π-incompatible inequality J (i.e. such that \(\pi\not \models J\)) is selected within C, and ¬J is added to K. The procedure is then started again with this new K, and so on, until no new reachable state is computed.

The algorithm IM is given in Algorithm 1. Given a linear inequality J of the form e<e′ (resp. e≤e′), the expression ¬J denotes the negation of J and corresponds to the linear inequality e′≤e (resp. e′<e). Given a constraint C on the clocks and the parameters, the expression ∃X:C denotes the constraint on the parameters obtained from C after elimination of the clocks.

Algorithm 1: \(\mathit{IM}(\mathcal{A}, \pi)\) (pseudocode given as a figure in the original article)

We define \(\mathcal{A}(K)\) as \(\{ \mathcal{A}[\pi] \mid\pi\models K\}\), \(\mathit{Post}_{\mathcal{A}(K)}^{i}(S)\) as the set of states reachable from S in exactly i steps, and \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)\) as the set of all states reachable from S in \(\mathcal{A}(K)\) (i.e. \(\mathit{Post}_{\mathcal{A}(K)}^{*}(S)=\bigcup_{i\geq0 }\mathit {Post}_{\mathcal{A}(K)}^{i}(S)\)). Given two sets of states S and S′, we write S⊆S′ iff ∀s∈S, ∃s′∈S′ s.t. s=s′.
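The refinement loop of IM just described, as an added Python example (not the article's code, nor IMITATOR's): symbolic states are pairs (q, C) whose constraints are conjunctions of linear inequalities over the parameters only, so the clock elimination ∃X:C is assumed to have been done already and each edge of a constructed toy retransmission automaton (parameters `delay` and `timeout`, reference valuation π = (2, 5), all made up here) carries the parameter constraint it induces; emptiness of C∧K is decided by Fourier-Motzkin elimination, and the returned constraint conjoins K with the constraints of every reachable state, as IM does in [4].

```python
"""Toy inverse method (IM) loop: K := true, explore A(K), refine K on pi-incompatible states."""
from collections import deque
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Ineq:
    """Linear inequality  sum(c * p) + const < 0  (strict)  or  <= 0  (non-strict)."""
    coef: tuple        # sorted ((parameter, Fraction), ...) with zero terms dropped
    const: Fraction
    strict: bool

    def holds(self, val):
        """val |= J for a parameter valuation val (dict parameter -> number)."""
        lhs = sum(c * val[p] for p, c in self.coef) + self.const
        return lhs < 0 if self.strict else lhs <= 0

    def negate(self):
        """Appendix B rule: not(e < e') is e' <= e, and not(e <= e') is e' < e."""
        return Ineq(tuple((p, -c) for p, c in self.coef), -self.const, not self.strict)


def ineq(lhs, op, rhs):
    """Build lhs op rhs (op is '<' or '<='); lhs/rhs map parameter -> coefficient, '1' = constant."""
    diff = {k: Fraction(lhs.get(k, 0)) - Fraction(rhs.get(k, 0)) for k in set(lhs) | set(rhs)}
    const = diff.pop("1", Fraction(0))
    return Ineq(tuple(sorted((p, c) for p, c in diff.items() if c != 0)), const, op == "<")


def satisfies(val, C):
    """val |= C for a constraint C given as a set of Ineq (a conjunction)."""
    return all(j.holds(val) for j in C)


def is_empty(C):
    """Fourier-Motzkin elimination over the rationals: does the conjunction C have no solution?"""
    rows = [(dict(j.coef), j.const, j.strict) for j in C]
    for x in {p for r in rows for p in r[0]}:
        upper = [r for r in rows if r[0].get(x, 0) > 0]   # rows bounding x from above
        lower = [r for r in rows if r[0].get(x, 0) < 0]   # rows bounding x from below
        rows = [r for r in rows if r[0].get(x, 0) == 0]
        for cu, ku, su in upper:
            for cl, kl, sl in lower:
                a, b = cu[x], -cl[x]   # positive multipliers: x cancels in b*upper + a*lower
                coef = {p: b * cu.get(p, 0) + a * cl.get(p, 0)
                        for p in set(cu) | set(cl) if p != x}
                rows.append((coef, b * ku + a * kl, su or sl))
    # Only constant rows k < 0 / k <= 0 remain; C is empty iff one of them is false.
    return any(k >= 0 if s else k > 0 for _, k, s in rows)


def inverse_method(edges, q0, pi):
    """IM(A, pi) over symbolic states (q, C); returns (K0, set of reachable locations)."""
    K = frozenset()                                   # K := true
    while True:
        init = (q0, frozenset())
        S, queue, refined = {init}, deque([init]), False
        while queue and not refined:                  # grow Post*_{A(K)}({init}) breadth-first
            q, C = queue.popleft()
            for src, guard, dst in edges:
                if src != q:
                    continue
                C2 = C | guard | K                    # successor constraint inside A(K)
                if is_empty(C2):
                    continue                          # successor not reachable in A(K)
                if not satisfies(pi, C2):             # pi-incompatible state (dst, C2)
                    J = next(j for j in C2 if not j.holds(pi))
                    K, refined = K | {J.negate()}, True   # K := K and not J, then restart
                    break
                if (dst, C2) not in S:
                    S.add((dst, C2))
                    queue.append((dst, C2))
        if not refined:                               # fixpoint reached: Post(S) is within S
            return K.union(*(C for _, C in S)), {q for q, _ in S}


# Constructed toy (not from the article): a sender whose reply either beats the timeout or not.
D, T = {"delay": 1}, {"timeout": 1}
EDGES = [
    ("send",  frozenset(),                              "wait"),
    ("wait",  frozenset({ineq(D, "<=", T)}),            "ack"),    # reply arrives in time
    ("wait",  frozenset({ineq(T, "<", D)}),             "retry"),  # timeout fires first
    ("retry", frozenset(),                              "send"),
    ("ack",   frozenset({ineq({"delay": 2}, "<=", T)}), "fast"),   # a full round trip fits too
    ("ack",   frozenset({ineq(T, "<", {"delay": 2})}),  "slow"),
]
PI = {"delay": 2, "timeout": 5}   # reference valuation pi_0 (constructed)


def run_example():
    return inverse_method(EDGES, "send", PI)


if __name__ == "__main__":
    K0, locs = run_example()
    print("reachable locations:", sorted(locs))
    for j in K0:
        print("  ", j)
```

Two refinements happen: the `retry` state yields ¬(timeout<delay), then the `slow` state yields ¬(timeout<2·delay), after which `retry` and `slow` become empty in A(K) and the loop stops with K₀ = {delay ≤ timeout, 2·delay ≤ timeout}.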

Appendix C: The behavioural cartography algorithm

We recall algorithm BC in Algorithm 2.

Algorithm 2: Behavioural Cartography Algorithm \(\mathit{BC}(\mathcal{A}, V_{0})\) (pseudocode given as a figure in the original article)

IMITATOR also implements the behavioural cartography algorithm in a fully automated way.

Cite this article

André, É., Fribourg, L. & Sproston, J. An extension of the inverse method to probabilistic timed automata. Form Methods Syst Des 42, 119–145 (2013). https://doi.org/10.1007/s10703-012-0169-x
