Bounded Model Checking for Metric Temporal Logic Properties of Timed Automata with Digital Clocks ^†

Abstract

Metric temporal logic (MTL) is a popular real-time extension of linear temporal logic (LTL). This paper presents a new simple SAT-based bounded model-checking (SAT-BMC) method for MTL interpreted over discrete infinite timed models generated by discrete timed automata with digital clocks. We show a new translation of the existential part of MTL to the existential part of linear temporal logic with a new set of atomic propositions and present the details of the new translation. We compare the new method’s advantages to the old method based on a translation of the hard reset LTL (HLTL). Our method does not need new clocks or new transitions. It uses only one path and requires a smaller number of propositional variables and clauses than the HLTL-based method. We also implemented the new method, and as a case study, we applied the technique to analyze several systems. We support the theoretical description with the experimental results demonstrating the method’s efficiency.

1. Introduction

This paper is a full version of the extended abstract published in informal proceedings of the 25th International Workshop on Concurrency, Specification and Programming [1]. Improvements and extensions compared to that paper are listed in Appendix A.

There are many ways to check the model. Hardware- and software-based systems are increasingly used in safety-critical situations to control and connect physical systems, e.g., simple cardiac pacemakers or very complex space rockets. The complexity and criticality of systems also increase the need for effective verification techniques.

The specification language and the system model usually depend on the type of property we want to verify. Suppose we want to verify the discrete-time execution properties of a system. In that case, discrete-time logic may be the correct specification choice, and the system may best be represented as a discrete timed automaton.

Integrating specialized components is fundamental to many embedded engineering projects. The behavior of these components is often specified in informal timing diagrams that engineers interpret during interface hardware and software design [2,3,4,5,6,7]. The timed automata are one of the models that enable the formal modeling of those components.

Timed automata (TA) [8] are finite-state automata augmented with a finite set of variables called clocks. The clocks are used to measure the elapsed time. Timed automata are very convenient for modeling and reasoning about timed systems: they combine a powerful formalism with advanced expressiveness and efficient algorithmic and tool support. The timed automata formalism is applied to the analysis of software and asynchronous circuits [9] and real-time control programs [10].

The model-checking technique is widely used in sensor verification [2,3,4,5,6,7]. The sensor networks are modeled, e.g., by the network of timed automata, and their properties are specified in terms of temporal logic.

One of the most famous frameworks in the specification and verification of computer systems is temporal logic. There are many types of temporal logic to express the requirements of the systems: computation tree logic (CTL) [11], soft real-time CTL (RTCTL) [12], linear temporal logic (LTL) [13], and metric temporal logic (MTL) [14].

Linear temporal logic (LTL) allows expressing properties about each execution of a system, such as the fact that any occurrence of a problem eventually triggers the alarm. Metric temporal logic (MTL) extends LTL by constraining the temporal operators with time intervals. It was introduced by Koymans [14] in 1990 and has appeared as a real-time specification formalism. MTL has two main semantics: “continuous” and “pointwise” [15,16,17,18]. The pointwise semantics is based on timed words, the widespread interpretation for systems modeled as timed automata [8]. Both semantics have been extensively studied [15,16,17,18]. MTL allows expressing, for example, that any occurrence of a problem in a system will trigger the alarm within at most five units of time. Here, we consider MTL with pointwise semantics interpreted over linear discrete infinite digital-clock models [19] generated by timed automata with integer time.

Bounded model checking [20,21,22] (BMC) is one of the symbolic model-checking techniques designed for finding witnesses for existential properties or counterexamples for universal properties. Its main idea is to consider a model reduced to a specific depth. The method works by mapping a BMC problem to the satisfiability problem (SAT). The MTL satisfiability and model-checking problems are undecidable over interval-based semantics [23]. It has led to various restrictions being considered on MTL to recover decidability [24,25].

We provide a new, efficient method of the bounded model-checking technique for metric temporal logic properties of timed automata with digital clocks, which can be successfully used to verify sensor networks.

Developing new model-checking techniques for a network of automata is an essential research direction. It is due to the fact that timed automata are used to verify the modes of, often, life-critical time systems. Systems and their properties are becoming more and more complex. It results in developing model-checking methods that will work faster than the older methods. To be successfully applied, these methods should be faster than the old ones and use as little memory as possible. However, they should also be easy to implement and understand so that everything is evident at the design stage of such a method. For such a reason, in this paper, we developed a completely new and much faster method of bounded model checking than the one presented in [26].

The main contributions of the paper are as follows:

• Defining the translation of the existential model-checking problem for MTL to the existential model-checking problem for linear temporal logic with additional propositional variables $q_I$ (this logic is denoted by ${\mathrm{LTL}}_q$);
• Clarification of the steps of the new method;
• Proving the correctness of the above translation;
• Defining bounded semantics for ${\mathrm{LTL}}_q$;
• Defining the BMC algorithm;
• Implementing the new method;
• A detailed experimental evaluation of the old and the new methods on two earlier presented benchmarks: a timed generic pipeline paradigm (TGPP) and a timed train controller system (TTCS),
• Modeling a dining philosophers problem with time as the timed dining philosophers problem (TDPP);
• A detailed experimental evaluation of the old and the new methods on TDPP.

In this paper, we used the weakly monotonic semantics [27] for timed automata with digital clocks [19,27]. The main steps of our new method for MTL and TA with discrete time can be described as follows: first, the infinite timed model is reduced to a finite model. Next, the MTL formulae are translated to ${\mathrm{LTL}}_q$ formulae [1], and eventually, since the interval modalities in MTL appear as literals in the ${\mathrm{LTL}}_q$ formula, existential properties are reduced to a satisfiability problem (SAT). Our method’s main advantages are that the translation from MTL to ${\mathrm{LTL}}_q$ requires neither new clocks nor new transitions. Moreover, our BMC method needs only one path, whereas the BMC method from [26] needs many paths depending on a given formula $\phi$. Thus, one may expect that our method is much more effective since the intuition is that an encoding that results in fewer variables and clauses is usually easier to solve.

We evaluate the BMC method using a timed generic pipeline paradigm (TGPP), a timed train controller system (TTCS), and the timed dining philosophers problem (TDPP), which we model by a network of discrete timed automata and compare with the corresponding method [26].

Related Work

Timed automata were introduced in the early 1990s by Alur and Dill [8] to model real-time systems. Timed automata cause the specification and verification of models of real-time systems to be easier. The two primary semantics are discussed in the literature: the discrete-time and dense-time semantics [8]. However, the dense-time semantics is more natural from a real-life point of view. It allows us to model real-time systems easily.

Our choice of time domain is $\mathbb{N}$, the set of natural numbers. In our method, the key property of the time domain is its discreteness, which implies that a finite amount of events can happen at different times in any interval of nonzero length. There are many methods for verifying real-time systems using discrete-time models [12,28,29,30,31]. Authors of [19] established that the timed reachability problem has the same answer, irrespective of the choice between $\mathbb{N}$ and $\mathrm{I}\mathrm{R}$ under certain restrictions.

The other formalisms for discrete time modeling apart from discrete timed automata were presented, such as durational transition graphs (DTG [32]) and embedded system modeling language (EMLAN [33]).

Discrete time models were also widely used for modeling systems’ behaviors [34,35,36,37,38].

MTL has been widely discussed in the literature. Checking properties expressed in MTL in timed automata is still an actual research topic [39,40,41,42,43,44]. In [45], the authors took into account MTL over the $\mathbb{N}$. They also used the pointwise semantics over the $\mathbb{N}$ and considered two semantic variants: the non-strict and strict semantics. They devised two translations from MTL to LTL:

• The time difference translation for strict semantics, where new propositional variables encode time differences between states (the time difference translation is similar to the method presented in [1]).
• The gap translation for the strict semantics uses a new propositional variable, called gap, to encode the jumps between states. The gap is intended to be true in LTL states corresponding to unmapped time points in MTL models. The main idea for their translation is to map each timed state sequence into a state sequence. Both LTL translations are exponential in the size of the MTL input formula due to the binary encoding of the numbers in the intervals.

In [26], the authors investigated a SAT-based BMC method for MTL that is also interpreted over linear discrete infinite time models generated by discrete timed automata. They translated the existential model-checking problem for MTL into the existential model-checking problem for a variant of linear temporal logic (called HLTL). They also provided a SAT-based BMC technique for HLTL. The presented translation requires as many new clocks as there are intervals in a given formula. It also requires adding exponential resetting transitions and many paths that depend on a given MTL formula. The complexity of the satisfiability and model-checking problems for fragments of MTL concerning different semantic models were studied in [46] and in [15]. MTL expressiveness was extensively discussed in [17,47,48]. The BMC problem for MTL properties of timed automata with the dense time was discussed in [49]. However, experimental results have shown that this is not feasible.

Additionally, other types of logic were used for the specification of discrete-time systems, such as QsCTL [29], which extends CTL [11] with quantitative bounded temporal operators and is a variant of RTCTL [11], discrete-time CTL [33], and HyperLTL [50], which is a temporal logic for hyper-properties, which allows reasoning about multiple execution paths simultaneously.

2. Discrete Timed Automata and MTL

In this paper, we used the weakly monotonic semantics [27] for timed automata with digital clocks [19,27]. The paper [19] shows that bounded invariance MTL properties and bounded-response MTL properties are digitizable. That is why we consider timed automata with digital clocks.

The formalism of timed automata was defined in [8] by Alur and Dill for representing systems with real-time constraints. A timed automaton is a finite automaton which manipulates finitely many variables called clocks.

2.1. Discrete Timed Automata

Let $\mathbb{N}=\{0,1,2,\dots \}$ be the set of natural numbers, and ${\mathbb{N}}_{+}=\mathbb{N}\backslash \left\{0\right\}$. We assume a finite set $\mathcal{X}=\{x_0,\dots ,x_{n-1}\}$ of variables, called clocks. Each clock is a variable ranging over $\mathbb{N}$. A clock valuation is a total function $v:\mathcal{X}\to \mathbb{N}$ that assigns to each clock x a non-negative integer value $v\left(x\right)$. The set of all the clock valuations is denoted by ${\mathbb{N}}^{\mathcal{X}}$. For $X\subseteq \mathcal{X}$, the valuation $v^{\prime }=v[X:=0]$ is defined as $\forall x\in X$, $v^{\prime }\left(x\right)=0$ and $\forall x\in \mathcal{X}\backslash X$, $v^{\prime }\left(x\right)=v\left(x\right)$. By $\delta$, we denote a delay of $\delta >0$ time units. For $\delta \in {\mathbb{N}}_{+}$, $v+\delta$ denotes the valuation $v^{″}$ such that $\forall x\in \mathcal{X},v^{″}\left(x\right)=v\left(x\right)+\delta$; let $x\in \mathcal{X}$, $c\in \mathbb{N}$, and $\sim \in \{<,⩽,=,⩾,>\}$. The set $\mathcal{C}\left(\mathcal{X}\right)$ of clock constraints over the set of clocks $\mathcal{X}$ is defined by the abstract grammar:

$$\begin{array}{c}\mathfrak{cc}:=x\sim c|\mathfrak{cc}\wedge \mathfrak{cc}.\end{array}$$

Let v be a clock valuation, and $\mathfrak{cc}\in \mathcal{C}\left(\mathcal{X}\right)$. A clock valuation v satisfies a clock constraint $\mathfrak{cc}$, written as $v\models \mathfrak{cc}$ if $\mathfrak{cc}$ evaluates to true using the clock values given by the valuation v.

 Definition 1. 

A discrete timed automaton (DTA for short) is a tuple

$$\mathcal{A}=(Act,Loc,{\ell }^0,\mathcal{X},T,Inv,\mathcal{AP},V),\mathit{where}$$

• $Act$ is a finite set of actions,
• $Loc$ is a finite set of locations,
• ${\ell }^0\in Loc$ is the initial location,
• $\mathcal{X}$ is a finite set of clocks,
• $T\subseteq Loc\times Act\times \mathcal{C}\left(\mathcal{X}\right)\times 2^{\mathcal{X}}\times Loc$ is a transition relation,
• $Inv:Loc\to \mathcal{C}\left(\mathcal{X}\right)$ is a state invariant function,
• $\mathcal{AP}$ is a set of atomic propositions, and 
• $V:Loc\to 2^{\mathcal{AP}}$ is a valuation function assigning to each location a set of atomic propositions true in this location.

Each $t\in T$, denoted by $\ell \stackrel{\sigma ,\mathfrak{cc},X}{⟶}{\ell }^{\prime }$, represents a transition from ℓ to ${\ell }^{\prime }$ on the action σ. $X\subseteq \mathcal{X}$ is the set of the clocks to be reset upon this transition, and $\mathfrak{cc}\in \mathcal{C}\left(\mathcal{X}\right)$ is the enabling condition for t.

2.2. Product of a Network of Discrete Timed Automata

A network of discrete timed automata can be composed into a global (product) discrete timed automaton [51] in the following way. The transitions of the discrete timed automata that do not correspond to a shared action are interleaved, whereas the transitions labeled with a shared action, are synchronized.

Let $n\in \mathbb{N}$, $I=\{1,\dots ,n\}$ be a non-empty and finite set of indices, $\{{\mathcal{A}}_i\mid i\in I\}$ be a family of discrete timed automata ${\mathcal{A}}_i=(Ac{t}_i,Lo{c}_i,{\ell }_i^0,{\mathcal{X}}_i,T_i,{Inv}_i,{\mathcal{AP}}_i,V_i)$ such that ${\mathcal{X}}_i\cap {\mathcal{X}}_j=\varnothing$ and ${\mathcal{AP}}_i\cap {\mathcal{AP}}_j=\varnothing$ for $i\ne j$. Moreover, let $I\left(\sigma \right)=\{i\in I\mid \sigma \in Ac{t}_i\}$. The parallel compositioni of the family $\{{\mathcal{A}}_i\mid i\in I\}$ of discrete timed automata is the discrete timed automaton $\mathcal{A}$ = $(Act,Loc,{\ell }^0,\mathcal{X},T,Inv,\mathcal{AP},V)$ such that:

• $Act={\prod }_{i\in I}\left(Ac{t}_i\right)$,
• $Loc={\prod }_{i\in I}Lo{c}_i$,
• ${\ell }^0=({\ell }_1^0,\dots ,{\ell }_n^0)$,
• $\mathcal{X}={\bigcup }_{i\in I}{\mathcal{X}}_i$,
• $Inv(l_1,\dots ,l_n)={\bigwedge }_{i=1}^n{Inv}_i\left(l_i\right)$,
• $\mathcal{AP}={\bigcup }_{i\in I}{\mathcal{AP}}_i$,
• $V({\ell }_1,\dots ,{\ell }_n)={\bigcup }_{i=1}^n{V}_i\left({\ell }_i\right)$

and a transition is defined as follows:

$$\begin{array}{c}(({\ell }_1,\dots ,{\ell }_n),({\sigma }_1,\dots ,{\sigma }_n),{\bigwedge }_{i\in I}{\mathfrak{cc}}_i,{\bigcup }_{i\in I}{X}_i,({\ell }_1^{\prime },\dots ,{\ell }_m^{\prime }))\in T\\ \mathrm{iff}(\forall i\in I)\left)\right({\ell }_i,{\sigma }_i,{\mathfrak{cc}}_i,X_i,{\ell }_i^{\prime })\in T_i)\mathrm{and}(\forall i\in I\backslash I\left(\sigma \right)){\ell }_i^{\prime }={\ell }_i.\end{array}$$

2.3. Concrete Model

The semantics of the DTA is defined by associating with it a transition system, which we call a concrete model.

 Definition 2. 

Let $\mathcal{A}=(Act,Loc,{\ell }^0,\mathcal{X},T,Inv,\mathcal{AP},V)$ be a DTA, and $v^0$ a clock valuation such that $\forall x\in \mathcal{X}$, $v^0\left(x\right)=0$.

The concrete model for $\mathcal{A}$ is a tuple

$${\mathcal{M}}_{\mathcal{A}}=(Q,q^0,\stackrel{}{⟶},\mathcal{V})\mathit{where},$$

• $Q=Loc\times {\mathbb{N}}^{\mathcal{X}}$ is the set of the concrete states.
• $q^0=({\ell }^0,v^0)$ is the initial state.
• A valuation function $\mathcal{V}:Q\to 2^{\mathcal{AP}}$ is defined as $\mathcal{V}\left(\right(\ell ,v\left)\right)=V(\ell )$ for each state $(\ell ,v)\in Q$$\stackrel{}{⟶}\subseteq Q\times (Act\cup {\mathbb{N}}_{+})\times Q$ is a transition relation on Q defined by action and time transitions as follows.
• For $a\in Act$ and $\delta \in {\mathbb{N}}_{+}$:

  1.

  Action transition: $(\ell ,v)\stackrel{a}{⟶}({\ell }^{\prime },v^{\prime })$ if there is a transition $\ell \stackrel{a,\mathfrak{cc},X}{⟶}{\ell }^{\prime }\in T$ such that $v\models \mathfrak{cc}\wedge Inv(\ell )$ and $v^{\prime }=v[X:=0]$ and $v^{\prime }\models Inv\left({\ell }^{\prime }\right)$,

  2.

  Time transition: $(\ell ,v)\stackrel{\delta }{⟶}(\ell ,v+\delta )$ iff $v\models Inv(\ell )$ and $(\forall 0<{\delta }^{\prime }\le \delta )v+\delta \models Inv(\ell )$.

Let us observe that for the considered set of clock constraints $\mathcal{C}\left(\mathcal{X}\right)$, the condition of the time transition $\left(l,v\right)\stackrel{\delta }{⟶}\left(l,v+\delta \right)$ can be replaced by a simpler one. Namely, $v\models Inv(\ell )$ and $v+\delta \models Inv(\ell )$.

A path $\rho$ in $\mathcal{A}$ is an infinite sequence of concrete states $q_0,q_1,q_2,\dots$ such that for all $j\in \mathbb{N}$, $q_j\stackrel{{\mu }_j}{⟶}{q}_{j+1}$ for some ${\mu }_j\in {\mathbb{N}}_{+}\cup Act$. Such a definition of the path permits two consecutive actions to be performed one after the other, i.e.,  no time has to elapse between two consecutive actions. It means that we are dealing with the point-based weakly monotonic integer-time semantics.

From now on, for a path $\rho =q_0,q_1,q_2,\dots$, by $\rho \left(m\right)$, we denote the state $q_m$.

2.4. MTL Logic

MTL [14,15] (metric LTL) is the extension of LTL in which temporal operators are replaced by its time-constrained versions. MTL can express many time constraints. For example, we can express a system property: if a system is in the state q, then it will be in the state $q^{\prime }$ exactly 3 time units later.

2.4.1. Syntax

We begin with some preliminary definitions. Let $p\in \mathcal{AP}$ be an atomic proposition and $\mathcal{I}$ the set of all the intervals in $\mathbb{N}$ of the form $[a,b)$ or $[a,\infty )$, where $a,b\in \mathbb{N}$ and $a<b$, and let $\mathrm{I}\in \mathcal{I}$. Observe that we do not exclude one-element intervals since $[a,a]$ can be expressed as $[a,a+1)$. The MTL logic in positive normal form is defined in the following way:

$$\alpha :=\mathbf{true}\mid \mathbf{false}\mid p\mid \neg p\mid \alpha \wedge \alpha \mid \alpha \vee \alpha \mid \alpha {\mathbf{U}}_{\mathrm{I}}\alpha \mid {\mathbf{G}}_{\mathrm{I}}\alpha .$$

The operators ${\mathbf{U}}_{\mathrm{I}}$ and ${\mathbf{G}}_{\mathrm{I}}$ are called bounded until and bounded always, respectively, and they are read as “until in the interval $\mathrm{I}$” and “always in the interval $\mathrm{I}$”. The operator ${\mathbf{F}}_{\mathrm{I}}$ is defined in the standard way: ${\mathbf{F}}_{\mathrm{I}}\alpha \stackrel{\mathit{df}}{=}\mathbf{true}{\mathbf{U}}_{\mathrm{I}}\alpha$.

2.4.2. Semantics

There are two possible semantics for metric temporal logic: the “pointwise” semantics and the “continuous” semantics [15]. In the pointwise approach, temporal assertions are interpreted only at time points where the action happens in the observed timed behavior of a system. In the continuous one, it is allowed to assert formulae at arbitrary time points between actions as well. In the presented method, we use the pointwise semantics.

Let $\mathcal{A}$ be a DTA, and ${\mathcal{M}}_{\mathcal{A}}$ the concrete model for $\mathcal{A}$. For a path $\rho =q_0,q_1,\dots$, let ${\mathsf{\Gamma }}_{\rho }\left(j\right)=\{i\in \mathbb{N}\mid i<j\mathrm{and}\mathrm{for}\mathrm{some}{\delta }_i\in \mathbb{N},q_i\stackrel{{\delta }_i}{⟶}{q}_{i+1}\}$, i.e ${\mathsf{\Gamma }}_{\rho }\left(j\right)$ is a set of indices of time transitions. Now, we define a function ${\zeta }_{\rho }:\mathbb{N}\to \mathbb{N}$ such that, for all $j⩾0$, ${\zeta }_{\rho }\left(j\right)={\sum }_{i\in {\mathsf{\Gamma }}_{\rho }\left(j\right)}{\delta }_i$. For all $j⩾0$, the function ${\zeta }_{\rho }\left(j\right)$ returns the value of the global time (called “duration” in [15]).

Here and in what follows, we use the convention to omit the model from expressions with ⊨ for the sake of brevity.

 Definition 3. 

Let α and β be MTL formulae. The satisfaction relation ${\models }_{\mathrm{MTL}}$, which defines truth of an  MTL formula in the concrete model ${\mathcal{M}}_{\mathcal{A}}$ along a path ρ starting at position $m\in \mathbb{N}$, is defined inductively:

• $(\rho ,m){\models }_{\mathrm{MTL}}\mathbf{true}$,
• $(\rho ,m){⊭}_{\mathrm{MTL}}\mathbf{false}$,
• $(\rho ,m){\models }_{\mathrm{MTL}}p\mathit{iff}p\in \mathcal{V}\left(\rho \left(m\right)\right)$,
• $(\rho ,m){\models }_{\mathrm{MTL}}\neg p\mathit{iff}p\notin \mathcal{V}\left(\rho \left(m\right)\right)$,
• $(\rho ,m){\models }_{\mathrm{MTL}}\alpha \wedge \beta \mathit{iff}(\rho ,m){\models }_{\mathrm{MTL}}\alpha \mathit{and}(\rho ,m){\models }_{\mathrm{MTL}}\beta$,
• $(\rho ,m){\models }_{\mathrm{MTL}}\alpha \vee \beta \mathit{iff}(\rho ,m){\models }_{\mathrm{MTL}}\alpha \mathit{or}(\rho ,m){\models }_{\mathrm{MTL}}\beta$,
• $(\rho ,m){\models }_{\mathrm{MTL}}\alpha {\mathbf{U}}_{\mathrm{I}}\beta \mathit{iff}(\exists j\ge m)({\zeta }_{\rho }\left(j\right)-{\zeta }_{\rho }\left(m\right)\in \mathrm{I}\mathit{and}$$(\rho ,m+j){\models }_{\mathrm{MTL}}\beta \mathit{and}(\forall m⩽j^{\prime }<j)(\rho ,m+j^{\prime }){\models }_{\mathrm{MTL}}\alpha )$,
• $(\rho ,m){\models }_{\mathrm{MTL}}{\mathbf{G}}_{\mathrm{I}}\beta \mathit{iff}(\forall j\ge m)({\zeta }_{\rho }\left(j\right)-{\zeta }_{\rho }\left(m\right)\in \mathrm{I}\mathit{implies}(\rho ,m+j){\models }_{\mathrm{MTL}}\beta ).$

For simplicity of notation, we write $\rho$ instead of $(\rho ,0)$. Therefore, we shall write ${\mathcal{M}}_{\mathcal{A}},\rho {\models }_{\mathrm{MTL}}\phi$ for ${\mathcal{M}}_{\mathcal{A}},(\rho ,0){\models }_{\mathrm{MTL}}\phi$. An MTL formula $\phi$ is existentially valid in the model ${\mathcal{M}}_{\mathcal{A}}$, which is denoted as ${\mathcal{M}}_{\mathcal{A}}{\models }_{\mathrm{MTL}}\mathbf{E}\phi$, if and only if ${\mathcal{M}}_{\mathcal{A}},\rho {\models }_{\mathrm{MTL}}\phi$ for some path $\rho$ starting in the initial state of ${\mathcal{M}}_{\mathcal{A}}$. Determining whether an MTL formula $\phi$ is existentially valid in a given model is called the existential model-checking problem.

3. Bounded Model Checking

The verification method presented in this paper is based on the translation of MTL formula to ${\mathrm{LTL}}_q$ formula. We extend a standard $\mathrm{LTL}$ logic by adding an extra set of propositional variables. We compare our new method with the corresponding method presented in [26].

3.1. The Translation

The set of all the clock valuations is infinite, which means that the model has an infinite set of states. We need to abstract the proposed model before we can apply the BMC technique.

3.1.1. Abstract Model

Let $\mathcal{A}=(Act,Loc,{\ell }^0,T,\mathcal{X},$$Inv,\mathcal{AP},V)$ be a discrete timed automaton with $\mathcal{X}=\{x_0,\dots ,x_{n-1}\}$. For each $j\in \{0,\dots ,n-1\}$, let $c_j^{max}$ be the largest constant appearing in any clock constraint involving clock $x_j$ and used in the state invariants and guards of $\mathcal{A}$. Two clock valuations v and $v^{\prime }$ in ${\mathbb{N}}^{\mathcal{X}}$ are equivalent, which is denoted by $v\simeq v^{\prime }$, if and only if for each $0⩽j<n$ either $v\left(x_j\right)>c_j^{max}$ and $v^{\prime }\left(x_j\right)>c_j^{max}$ or $v\left(x\right)⩽c_j^{max}$ and $v^{\prime }\left(x\right)⩽c_j^{max}$ and $v\left(x\right)=v^{\prime }\left(x\right)$.

It is easy to see that the relation ≃ is an equivalence relation, which enables us to construct a finite abstract model.

To this end, we define the set of possible values of clock $x_j$ in the abstract model as ${\mathrm{I}\mathrm{D}}_j=\{0,\dots ,c_j^{max}+1\}$ for $0⩽j<n$. Moreover, for two clock valuations v and $v^{\prime }$ in ${\mathrm{I}\mathrm{D}}_0\times \dots \times {\mathrm{I}\mathrm{D}}_{n-1}$, we say that $v^{\prime }$ is the time successor of v (denoted $succ\left(v\right)$) as follows: for each $0⩽j<n$,

$$\begin{array}{c}succ\left(v\right)\left(x_j\right)=\left\{\begin{array}{cc}v\left(x_j\right)+1,\hfill & \mathrm{if}v\left(x_j\right)⩽c_j^{max},\hfill \\ c_j^{max}+1,\hfill & \mathrm{if}v\left(x_j\right)=c_j^{max}+1.\hfill \end{array}\right.\end{array}$$

 Definition 4. 

Let $\mathcal{A}=(Act,Loc,{\ell }^0,\mathcal{X},T,Inv,\mathcal{AP},V)$ be a discrete timed automaton. The abstract model for $\mathcal{A}$ is a tuple

$$\widehat{\mathcal{M}}=(\widehat{S},s^0,\stackrel{}{\hookrightarrow },\widehat{\mathcal{V}})\mathit{where},$$

• $\widehat{S}=L\times ({\mathrm{I}\mathrm{D}}_0\times \dots \times {\mathrm{I}\mathrm{D}}_{n-1})$ is the set of abstract states;
• $s^0=({\ell }^0,{\left\{0\right\}}^n)$ is the initial state;
• $\widehat{\mathcal{V}}:\widehat{S}\to 2^{\mathcal{AP}}$ is a valuation function such that for all $p\in \mathcal{AP}$, $p\in \widehat{\mathcal{V}}\left((\ell ,v)\right)$ if and only if $p\in V(\ell )$;
• $\stackrel{}{\hookrightarrow }\subseteq S\times Ac{t}^{\prime }\times S$, where $Ac{t}^{\prime }=Act\cup \left\{\tau \right\}$ is a transition relation defined by the time and action transitions.

  −

  The time transition is defined as $(\ell ,v)\stackrel{\tau }{\hookrightarrow }(\ell ,v^{\prime })$ if and only if $v\models Inv(\ell )$, $v^{\prime }=succ\left(v\right)$ and $v^{\prime }\models Inv(\ell )$.

  −

  The action transition is defined as follows: for any $a\in Act$, $(\ell ,v)\stackrel{a}{\hookrightarrow }({\ell }^{\prime },v^{\prime })$ if and only if there exists a transition $\ell \stackrel{a,\mathfrak{cc},X}{⟶}{\ell }^{\prime }\in T$ such that $v\models \mathfrak{cc}\wedge Inv(\ell )$, $v^{\prime }=v[X:=0]$ and $v^{\prime }\models Inv\left({\ell }^{\prime }\right)$.

 Definition 5. 

Apathin the abstract model $\widehat{\mathcal{M}}$ is a sequence $\pi =(s_0,s_1,\dots )$ of states such that for each $j\in \mathbb{N}$, either $\left(s_j\stackrel{\tau }{\hookrightarrow }{s}_{j+1}\right)$ or $\left(s_j\stackrel{a}{\hookrightarrow }{s}_{j+1}\right)$, for some action $a\in Act$.

For a given path $\pi$, $\pi \left(j\right)$ denotes the j-th state $s_j$ of the path $\pi$, $\pi [..j]=\left(\pi \right(0),\dots ,\pi (j\left)\right)$ denotes the j-th prefix of the path $\pi$ ending with $\pi \left(j\right)$. Given a path $\pi$ one can define a function ${\zeta }_{\pi }:\mathbb{N}\mapsto \mathbb{N}$ such that, for each $j⩾0$, ${\zeta }_{\pi }\left(j\right)$ is equal to the number of time transitions on the prefix $\pi [..j]$.

 Definition 6. 

Let ${\mathcal{M}}_{\mathcal{A}}$ be the concrete model for $\mathcal{A}$ and $\widehat{\mathcal{M}}$ the abstract model for $\mathcal{A}$. We say that a state $q=(l,v)$ in the concrete model ${\mathcal{M}}_{\mathcal{A}}$, and a state $s=(l^{\prime },v^{\prime })$ in the abstract model $\widehat{\mathcal{M}}$ areequivalent, which is denoted by $q\cong s$, if and only if $l=l^{\prime }$ and $v\simeq v^{\prime }$.

It is well-known [52] that the relation ≅ is weak-time-bisimulation equivalent between the concrete model and the abstract model. The reason is that one can replace one $\delta$-value time transition in the concrete model by $\delta$ individual transitions in the abstract model, whereas $\delta$ individual transitions in the abstract model can be replaced by one $\delta$-value time transition in the concrete model.

3.1.2. MTL Semantics in the Abstract Model

 Definition 7. 

The satisfiability relation ${\models }_{\mathrm{MTL}}^d$, which defines the truth of an MTL formula in the abstract model $\widehat{\mathcal{M}}$ along the abstract path π with the starting point m at the depth $d⩾m$, is inductively defined as follows:

• $(\pi ,m){\models }_{\mathrm{MTL}}^d\mathbf{true}$,
• $(\pi ,m){⊭}_{\mathrm{MTL}}^d\mathbf{false}$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^{d}p$ iff $p\in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^d\neg p$ iff $p\notin \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha \wedge \beta \mathit{iff}(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha$ and $(\pi ,m){\models }_{\mathrm{MTL}}^d\beta$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha \vee \beta \mathit{iff}(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha$ or $(\pi ,m){\models }_{\mathrm{MTL}}^d\beta$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha {\mathbf{U}}_{\mathrm{I}}\beta \mathit{iff}(\exists j\ge d)({\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}\mathit{and}(\pi ,d){\models }_{\mathrm{MTL}}^j\beta$
  $\mathit{and}(\forall d⩽i<j)(\pi ,d){\models }_{\mathrm{MTL}}^i\alpha )$,
• $(\pi ,m){\models }_{\mathrm{MTL}}^d{\mathbf{G}}_{\mathrm{I}}\beta$ iff $(\forall j\ge d)({\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}$ implies $(\pi ,d){\models }_{\mathrm{MTL}}^j\beta )$.

In the above definition, m does not play itself a part in the satisfaction relation. However, this notation is helpful for Definition 8.

 Theorem 1 

(The equivalence of the $\mathrm{MTL}$ semantics in the concrete and abstract models). Let $\widehat{\mathcal{M}}$ be the abstract model for the discrete timed automaton $\mathcal{A}$ and ${\mathcal{M}}_{\mathcal{A}}$ the concrete model for $\mathcal{A}$. Then, for each MTL formula φ, the following equivalence holds: $\widehat{\mathcal{M}},(\pi ,m){\models }_{\mathrm{MTL}}^d\phi \iff {\mathcal{M}}_{\mathcal{A}},(\rho ,m){\models }_{\mathrm{MTL}}\phi$.

 Proof. 

The proof of Theorem 1 follows from the definition of the satisfiability relation and the weak-timed-bisimulation equivalence of the models ${\mathcal{M}}_{\mathcal{A}}$ and $\widehat{\mathcal{M}}$.    □

3.1.3. ${\mathrm{LTL}}_q$ Logic

Let $\mathcal{I}$ be the set of all intervals and ${\mathcal{AP}}_{\mathcal{I}}=\{q_{\mathrm{I}}\mid \mathrm{I}\in \mathcal{I}\}$ a set of the new propositional variables. An ${\mathrm{LTL}}_q$ formula in the negation normal form is defined by the following grammar:

$$\psi ::=\mathbf{true}\mid \mathbf{false}\mid p\mid \neg p\mid q_{\mathrm{I}}\mid \neg q_{\mathrm{I}}\mid \psi \wedge \psi \mid \psi \vee \psi \mid \psi \mathbf{U}\psi \mid \mathbf{G}\psi ,$$

where $p\in \mathcal{AP}$ and $q_{\mathrm{I}}\in {\mathcal{AP}}_{\mathcal{I}}$.

 Definition 8. 

The satisfaction relation ${\models }^d$, which defines the truth of an ${\mathrm{LTL}}_q$ formula in the abstract model $\widehat{\mathcal{M}}$ along the abstract path π at the position m, at depth $d⩾m$ is inductively defined as follows:

• $(\pi ,m){\models }^d\mathbf{true}$,
• $(\pi ,m){⊭}^d\mathbf{false}$,
• $(\pi ,m){\models }^{d}p$ iff $p\in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)$,
• $(\pi ,m){\models }^d\neg p$ iff $p\notin \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)$,
• $(\pi ,m){\models }^d{q}_{\mathrm{I}}$ iff ${\zeta }_{\pi }\left(d\right)-{\zeta }_{\pi }\left(m\right)\in \mathrm{I}$,
• $(\pi ,m){\models }^d\neg q_{\mathrm{I}}$ iff ${\zeta }_{\pi }\left(d\right)-{\zeta }_{\pi }\left(m\right)\notin \mathrm{I}$,
• $(\pi ,m){\models }^d\alpha \wedge \beta$ iff $(\pi ,m){\models }^d\alpha$ and $(\pi ,m){\models }^d\beta$,
• $(\pi ,m){\models }^d\alpha \vee \beta$ iff $(\pi ,m){\models }^d\alpha$ or $(\pi ,m){\models }^d\beta$,
• $(\pi ,m){\models }^d\alpha \mathbf{U}\beta$ iff $(\exists j⩾d)((\pi ,d){\models }^j\beta$ and $(\forall d⩽i<j)(\pi ,d){\models }^i\alpha \left)\right)$,
• $(\pi ,m){\models }^d\mathbf{G}\beta$ iff $(\forall j⩾d)\left((\pi ,d){\models }^j\beta \right)$.

An ${\mathrm{LTL}}_q$ formula $\psi$ is existentially valid in the abstract model $\widehat{\mathcal{M}}$, denoted as $\widehat{\mathcal{M}}\models \mathbf{E}\psi$, if and only if $\widehat{\mathcal{M}},(\pi ,0){\models }^0\psi$ on some path $\pi$ starting in the initial state of $\widehat{\mathcal{M}}$.

3.1.4. The Translation from MTL to ${\mathrm{LTL}}_q$

Two translations from MTL to $\mathrm{LTL}$ were described in [45]. However, in the first translation, the new propositional variables encode time differences between states, and in the second translation a new propositional variable called gap encodes the jumps between states. In the translation presented below, we use global time approach [1]. However, in [1] the strongly monotonic semantics was used.

 Definition 9. 

Let $p\in \mathcal{AP}$, and α, β a MTL formulae. The translation from MTL to ${\mathrm{LTL}}_q$ is defined as a function $\mathrm{tr}:\mathrm{MTL}\to {\mathrm{LTL}}_q$ by the following equations:

• $\mathrm{tr}\left(\mathbf{true}\right)=\mathbf{true}$,
• $\mathrm{tr}\left(\mathbf{false}\right)=\mathbf{false}$,
• $\mathrm{tr}\left(p\right)=p$,
• $\mathrm{tr}(\neg p)=\neg p$,
• $\mathrm{tr}(\alpha \wedge \beta )=\mathrm{tr}\left(\alpha \right)\wedge \mathrm{tr}\left(\beta \right)$,
• $\mathrm{tr}(\alpha \vee \beta )=\mathrm{tr}\left(\alpha \right)\vee \mathrm{tr}\left(\beta \right)$,
• $\mathrm{tr}\left(\alpha {\mathbf{U}}_{\mathrm{I}}\beta \right)=\mathrm{tr}\left(\alpha \right)\mathbf{U}(q_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right))$, and
• $\mathrm{tr}\left({\mathbf{G}}_{\mathrm{I}}\beta \right)$ = $\mathbf{G}(\neg q_{\mathrm{I}}\vee \mathrm{tr}\left(\beta \right))$.

The translation of the ${\mathbf{F}}_I$ operator follows from its definition in terms of the ${\mathbf{U}}_I$ operator. Observe that the translation of literals, as well as logical connectives, is straightforward. The translation of the operator ${\mathbf{U}}_{\mathrm{I}}$ ensures that the formula $\beta$ holds at some point in the interval $\mathrm{I}$ (it is expressed by the requirement $q_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right)$) and $\alpha$ holds everywhere before $\beta$ holds. Similarly, the translation of the ${\mathbf{G}}_{\mathrm{I}}$ operator ensures that $\beta$ holds at every point in the interval $\mathrm{I}$ (it is expressed by the requirement $\neg q_{\mathrm{I}}\vee \mathrm{tr}\left(\beta \right)$).

The translation from EMTL to E${\mathrm{LTL}}_q$ is more straightforward than the one presented in [48], e.g., TPTL expressiveness is higher than ${\mathrm{LTL}}_q$. In our case, we do not need this extension of the logic to solve the given problem.

 Theorem 2. 

Let $\mathcal{A}$ be a discrete timed automaton, φ an MTL formula, and $\widehat{\mathcal{M}}$ the abstract model for $\mathcal{A}$. Then $\widehat{\mathcal{M}}{\models }_{\mathrm{MTL}}\mathbf{E}\phi$ if, and only if $\widehat{\mathcal{M}}\models \mathbf{E}\mathrm{tr}\left(\phi \right)$.

4. Proof of the Theorem 2

A proof of the Theorem 2 follows directly from the Lemmas 1 and 2.

 Lemma 1. 

Let $\mathcal{A}$ be a discrete timed automaton, φ an MTL formula, $\widehat{\mathcal{M}}$ an abstract model for discrete timed automaton $\mathcal{A}$, and π an abstract path in the abstract model $\widehat{\mathcal{M}}$. If $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$, then $(\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$.

 Proof. 

We proceed by induction on the length of a given formula.

Assume that $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$. Consider the following cases:

• $\phi \in \mathcal{AP}$. Because $\mathrm{tr}\left(\phi \right)=\phi$, it is obvious that $\mathrm{tr}\left(\phi \right)\in \mathcal{AP}$. Therefore, $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$$\iff \phi \in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)\iff \mathrm{tr}\left(\phi \right)\in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)\iff (\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$.
• $\phi =\neg p$, where $p\in \mathcal{AP}$. Thus, $\mathrm{tr}\left(\phi \right)=\phi$. Therefore, $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi \iff \phi \notin \mathcal{V}\left(\pi \left(d\right)\right)\iff (\pi ,m){\models }_{\mathrm{MTL}}\neg p\iff (\pi ,m){\models }^d\phi \iff (\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$.
• $\phi =\alpha \wedge \beta$. From the definition of the satisfiability relation (Definition 7) it follows that $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha$ and $(\pi ,m){\models }_{\mathrm{MTL}}^d\beta$. By inductive hypothesis, we obtain $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)$ and $(\pi ,m){\models }^d\mathrm{tr}\left(\beta \right)$. Therefore, $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)\wedge \mathrm{tr}\left(\beta \right)$, and hence $(\pi ,m){\models }^d\mathrm{tr}(\alpha \wedge \beta )\iff (\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$.
• $\phi =\alpha \vee \beta$. From the definition of the satisfiability relation (Definition 7) it follows that $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha$ or $(\pi ,m){\models }_{\mathrm{MTL}}^d\beta$. By inductive hypothesis, we obtain that $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)$ or $(\pi ,m){\models }^d\mathrm{tr}\left(\beta \right)$. Therefore, $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)\vee \mathrm{tr}\left(\beta \right)$, and hence $(\pi ,m){\models }^d\mathrm{tr}(\alpha \vee \beta )\iff (\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$.
• $\phi =\alpha {\mathbf{U}}_{\mathrm{I}}\beta$. Assume that $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$. From the definition of the satisfiability relation (Definition 7), it follows that ${\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}$ and $((\pi ,d){\models }_{\mathrm{MTL}}^j\beta$ and $(\forall d⩽i<j)(\pi ,d){\models }_{\mathrm{MTL}}^i\alpha )$, for some $j\ge d$. By inductive hypothesis, we obtain ${\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}$ and $(\pi ,d){\models }^j\mathrm{tr}\left(\beta \right)$, for some $j\ge d$ and $(\pi ,d){\models }^i\mathrm{tr}\left(\alpha \right)$, for all $d⩽i<j$. Therefore, $(\pi ,d){\models }^j{q}_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right)$, for some $j\ge d$, and $(\pi ,d){\models }^i\mathrm{tr}\left(\alpha \right)$, for all $d⩽i<j$. Therefore, we conclude that $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha {\mathbf{U}}_{\mathrm{I}}\beta \right)$.
• $\phi ={\mathbf{G}}_{\mathrm{I}}\beta$. Assume that $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$. From the definition of the satisfiability relation (Definition 7), it follows that $(\forall j\ge d)({\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}$ implies $(\pi ,d){\models }_{\mathrm{MTL}}^j\beta )$, which means that ${\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\notin \mathrm{I}\vee (\pi ,d){\models }_{\mathrm{MTL}}^j\beta$, for all $j\ge d$. By inductive hypothesis, we obtain ${\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\notin \mathrm{I}\vee (\pi ,d){\models }^j\mathrm{tr}\left(\beta \right)$, for all $j\ge d$. Hence, $(\pi ,d){\models }^j\neg q_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right)$, for all $j\ge d$. From the semantics of ${\mathrm{LTL}}_q$, it follows that $(\pi ,m){\models }^d\mathbf{G}(\neg q_{\mathrm{I}}\vee \mathrm{tr}\left(\beta \right))$. So, we can conclude that $(\pi ,m){\models }^d\mathrm{tr}\left({\mathbf{G}}_{\mathrm{I}}\beta \right)$.

□

 Lemma 2. 

Let $\mathcal{A}$ be a discrete timed automaton, φ an MTL formula, $\widehat{\mathcal{M}}$ an abstract model for the discrete timed automaton $\mathcal{A}$, and π an abstract path in the abstract model $\widehat{\mathcal{M}}$. If $(\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)$, then $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$.

 Proof. 

We proceed by induction on the length of a given formula.

• $\phi \in \mathcal{AP}$. Since $\phi =\mathrm{tr}\left(\phi \right)$, it follows that $\phi \in \mathcal{AP}$. Therefore, $(\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)\iff \mathrm{tr}\left(\phi \right)\in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)\iff \phi \in \widehat{\mathcal{V}}\left(\pi \left(d\right)\right)\iff (\pi ,m){\models }_{\mathrm{MTL}}^d\phi$.
• $\phi =\neg p$, where $p\in \mathcal{AP}$. Then $\phi =\mathrm{tr}\left(\phi \right)$. Therefore, $(\pi ,m){\models }^d\mathrm{tr}\left(\phi \right)\iff \mathrm{tr}\left(\phi \right)\notin \mathcal{V}\left(\pi \left(d\right)\right)\iff \phi \notin \mathcal{V}\left(\pi \left(d\right)\right)\iff (\pi ,m){\models }_{\mathrm{MTL}}^d\neg p\iff (\pi ,m){\models }_{\mathrm{MTL}}^d\phi$.
• $\phi =\alpha \wedge \beta$. Thus, $\mathrm{tr}\left(\phi \right)=\mathrm{tr}(\alpha \wedge \beta )=\mathrm{tr}\left(\alpha \right)\wedge \mathrm{tr}\left(\beta \right)$. From the definition of the satisfiability relation (Definiton 8) it follows that $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)$ and $(\pi ,m){\models }^d\mathrm{tr}\left(\beta \right)$. By inductive hypothesis, we obtain $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha$ and $(\pi ,m){\models }_{\mathrm{MTL}}^d\beta$. Hence, $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha \wedge \beta$ and thus $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha \wedge \beta \iff (\pi ,m){\models }_{\mathrm{MTL}}^d\phi$.
• $\phi =\alpha \vee \beta$. Then $\mathrm{tr}\left(\phi \right)=\mathrm{tr}(\alpha \vee \beta )=\mathrm{tr}\left(\alpha \right)\vee \mathrm{tr}\left(\beta \right)$. From the definition of the satisfiability relation (Definition 8) it follows that $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)$ or $(\pi ,m){\models }^d\mathrm{tr}\left(\beta \right)$. By inductive hypothesis, we obtain $(\pi ,m){\models }_{\mathrm{MTL}}^d\mathrm{tr}\left(\alpha \right)$ or $(\pi ,m){\models }_{\mathrm{MTL}}^d\mathrm{tr}\left(\beta \right)$. Hence, $(\pi ,m){\models }^d\alpha \vee \beta$, and thus $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha \vee \beta \iff (\pi ,m){\models }_{\mathrm{MTL}}^d\phi$.
• $\phi =\alpha {\mathbf{U}}_{\mathrm{I}}\beta$. Assume that $(\pi ,m){\models }_{\mathrm{MTL}}^d\phi$. From the definition of the translation, it follows that $(\pi ,m){\models }^d\mathrm{tr}\left(\alpha \right)\mathbf{U}(q_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right))$. From the definition of the satisfiability relation 8, it follows that $(\pi ,d){\models }^j{q}_{\mathrm{I}}\wedge \mathrm{tr}\left(\beta \right)$ and $(\forall d⩽i<j)(\pi ,d){\models }^i\mathrm{tr}\left(\alpha \right)$, for some $j⩾d$. Therefore, $(\pi ,d){\models }^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}\wedge (\pi ,d){\models }^j\mathrm{tr}\left(\beta \right)$ and $(\forall d⩽i<j)(\pi ,d){\models }^i\mathrm{tr}\left(\alpha \right)$, for some $j⩾d$. From the inductive hypothesis, we obtain $(\pi ,d){\models }_{\mathrm{MTL}}^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}\wedge (\pi ,d){{\models }_{\mathrm{MTL}}}^j\beta$ and $(\forall d⩽i<j)(\pi ,d){\models }_{\mathrm{MTL}}^i\alpha$, thus $(\pi ,d){\models }_{\mathrm{MTL}}^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\in \mathrm{I}\wedge \beta$ and $(\forall d⩽i<j)(\pi ,d){\models }_{\mathrm{MTL}}^i\alpha$. Thus, we conclude that $(\pi ,m){\models }_{\mathrm{MTL}}^d\alpha {\mathbf{U}}_{\mathrm{I}}\beta$.
• $\phi ={\mathbf{G}}_{\mathrm{I}}\beta$. Assume that $(\pi ,m){\models }^d\phi$. From the definition of the translation, it follows that $(\pi ,m){\models }^d\mathbf{G}(\neg q_{\mathrm{I}}\vee \mathrm{tr}\left(\beta \right))$. From the definition of the satisfiability relation $(\forall j⩾d)((\pi ,d){\models }^j\neg q_{\mathrm{I}}$ or $(\pi ,d){\models }^j\mathrm{tr}\left(\beta \right))$, which means $((\pi ,d){\models }^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\notin \mathrm{I}$ or $(\pi ,d){\models }^j\mathrm{tr}\left(\beta \right))$, for all $j⩾d$. By inductive hypothesis, we obtain $(\forall j⩾d)((\pi ,d){\models }_{\mathrm{MTL}}^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\notin \mathrm{I}$ or $(\pi ,d){\models }^j\beta )$, which is equivalent to $(\forall j⩾d)((\pi ,d){\models }_{\mathrm{MTL}}^j{\zeta }_{\pi }\left(j\right)-{\zeta }_{\pi }\left(d\right)\notin \mathrm{I}\vee \beta )$. Therefore, $(\pi ,m){{\models }_{\mathrm{MTL}}}^d{\mathbf{G}}_{\mathrm{I}}\beta$.

□

 Proof of Theorem 2. 

(⟹) Assume that $\widehat{\mathcal{M}}{\models }_{\mathrm{MTL}}\mathbf{E}\phi$. Therefore, $\widehat{\mathcal{M}},\pi {\models }_{\mathrm{MTL}}^0\phi$, for some abstract path $\pi$ in $\widehat{\mathcal{M}}$ such that $\pi \left(0\right)=s_0$. It means that $\widehat{\mathcal{M}},(\pi ,0){\models }_{\mathrm{MTL}}^0\phi$. From Lemma 1, it follows that $(\pi ,0){\models }^0\mathrm{tr}\left(\phi \right)$. Therefore, $(\pi ,m){\models }^0\mathrm{tr}\left(\phi \right)$, for $m=0$. Thus $\widehat{\mathcal{M}}\models \mathbf{E}\mathrm{tr}\left(\phi \right)$.

(⟸) Assume that $\widehat{\mathcal{M}}\models \mathbf{E}\mathrm{tr}\left(\phi \right)$. Hence, $\widehat{\mathcal{M}},\pi {\models }^0\mathrm{tr}\left(\phi \right)$, for some abstract path $\pi$ in $\widehat{\mathcal{M}}$ such that $\pi \left(0\right)=s_0$. It means that $(\pi ,0){\models }^0\mathrm{tr}\left(\phi \right)$. From Lemma 2, it follows that $\widehat{\mathcal{M}},(\pi ,0){\models }_{\mathrm{MTL}}^0\phi$. Therefore, $\widehat{\mathcal{M}},(\pi ,m){\models }_{\mathrm{MTL}}^0\phi$, for $m=0$. Thus $\widehat{\mathcal{M}}{\models }_{\mathrm{MTL}}\mathbf{E}\phi$.    □

4.1. Bounded Semantics

To define the bounded semantics, we need to represent infinite paths in the abstract model using k-paths and loops [20,21].

 Definition 10. 

Let $\widehat{\mathcal{M}}$ be an abstract model, $k\in \mathbb{N}$ and $0⩽l⩽k$. A k-path is a pair $(\pi ,l)$, which is also denoted as ${\pi }_l$, where π is a finite sequence of the abstract states $\pi =(s_0,\dots ,s_k)$ such that for each $0⩽j<k$, either $\left(s_j\stackrel{\tau }{\hookrightarrow }{s}_{j+1}\right)$ or $\left(s_j\stackrel{a}{\hookrightarrow }{s}_{j+1}\right)$, for some $a\in Act$. Moreover, every action transition is preceded by at least one time transition. A k-path ${\pi }_l$ is a loop, written as $⅁\left({\pi }_l\right)$ for short, if $l<k$ and $\pi \left(k\right)=\pi \left(l\right)$.

If a k-path ${\pi }_l$ is a loop, it represents the infinite path of the form $u{v}^{\omega }$, where $u=\left(\pi \right(0),\dots ,\pi (l\left)\right)$ and $v=\left(\pi \right(l+1),\dots ,\pi (k\left)\right)$. We denote this unique path by $\widetilde{{\pi }_l}$. Note that for each $j\in \mathbb{N}$, $\widetilde{{\pi }_l}(l+j)=\widetilde{{\pi }_l}(k+j)$.

Given a path $\widetilde{{\pi }_l}$, one can define a function ${\zeta }_{\widetilde{{\pi }_l}}:\mathbb{N}\mapsto \mathbb{N}$ such that for each $j⩾0$, ${\zeta }_{\widetilde{{\pi }_l}}\left(j\right)$ is equal to the number of time transitions on the prefix $\widetilde{{\pi }_l}[..j]$. Note that for each $j⩾0$, ${\zeta }_{\widetilde{{\pi }_l}}\left(j\right)$ gives the value of the global time in the j-th state.

In the definition of bounded semantics for variables from ${\mathcal{AP}}_{\mathcal{I}}$, one needs to use only a finite prefix of the sequence $({\zeta }_{\widetilde{{\pi }_l}}\left(0\right),{\zeta }_{\widetilde{{\pi }_l}}\left(1\right),\dots )$. Namely, for a k-path ${\pi }_l$ that is not a loop, the prefix of the length k is needed, and for a k-path ${\pi }_l$ that is a loop, the prefix of the length $k+k-l$ is needed.

 Definition 11 

(Bounded semantics). Let $\widehat{\mathcal{M}}$ be the abstract model, ${\pi }_l$ a k-path in $\widehat{\mathcal{M}}$, $0⩽m⩽k$, and $0⩽d⩽k$. The relation ${\models }_k^d$ is defined inductively as follows:

$$\begin{array}{lll}({\pi }_l,m){\models }_k^d\mathbf{true},& & \\ ({\pi }_l,m){⊭}_k^d\mathbf{false},& & \\ ({\pi }_l,m){\models }_k^{d}p& \mathit{iff}& p\in \mathcal{V}\left({\pi }_l\left(d\right)\right),\\ ({\pi }_l,m){\models }_k^d\neg p& \mathit{iff}& p\notin \mathcal{V}\left({\pi }_l\left(d\right)\right)\\ ({\pi }_l,m){\models }_k^d{q}_{\mathrm{I}}& \mathit{iff}& \left\{\begin{array}{cc}{\zeta }_{{\pi }_l}\left(d\right)-{\zeta }_{{\pi }_l}\left(m\right)\in \mathrm{I},\hfill & \mathit{if}\neg ⅁\left({\pi }_l\right),\hfill \\ {\zeta }_{{\pi }_l}\left(d\right)-{\zeta }_{{\pi }_l}\left(m\right)\in \mathrm{I},\hfill & \mathit{if}⅁\left({\pi }_l\right)\mathit{and}d⩾m,\hfill \\ {\zeta }_{\widetilde{{\pi }_l}}(d+k-l)-{\zeta }_{\widetilde{{\pi }_l}}\left(m\right)\in \mathrm{I},\hfill & \mathit{if}⅁\left({\pi }_l\right)\mathit{and}d<m,\hfill \end{array}\right.\\ ({\pi }_l,m){\models }_k^d\neg q_{\mathrm{I}}& \mathit{iff}& ({\pi }_l,m)\neg {⊭}_k^d{q}_{\mathrm{I}},\\ ({\pi }_l,m){\models }_k^d\alpha \wedge \beta & \mathit{iff}& ({\pi }_l,m){\models }_k^d\alpha \mathit{and}({\pi }_l,m){\models }_k^d\beta ,\\ ({\pi }_l,m){\models }_k^d\alpha \vee \beta & \mathit{iff}& ({\pi }_l,m){\models }_k^d\alpha \mathit{or}({\pi }_l,m){\models }_k^d\beta ,\\ ({\pi }_l,m){\models }_k^d\alpha \mathbf{U}\beta & \mathit{iff}& \left({\exists }_{d⩽j⩽k}\right)\left(({\pi }_l,d){\models }_k^j\beta \mathit{and}\right({\forall }_{d⩽i<j}\left)\right({\pi }_l,d\left){\models }_k^i\alpha \right)\mathrm{or}(⅁({\pi }_l\left)\mathit{and}\right({\exists }_{l<j<d}\left)\right({\pi }_l,d\left){\models }_k^j\beta \mathit{and}\right({\forall }_{l<i<k}\left)\right({\pi }_l,d\left){\models }_k^j\alpha \mathit{and}\right({\forall }_{d⩽i⩽k}\left)\right({\pi }_l,d\left){\models }_k^i\alpha \right),\\ ({\pi }_l,m){\models }_k^d\mathbf{G}\beta & \mathit{iff}& ⅁\left({\pi }_l\right)\mathit{and}\left({\forall }_{j⩽k}\right)j⩾min(d,l)\mathit{implies}({\pi }_l,d){\models }_k^j\beta .\end{array}$$

The proof of Lemma 3 below is based on induction on the length of the given formula. It is analogous to the proof of Lemma 7 from the paper [20].

 Lemma 3. 

Let $\mathcal{A}$ be a discrete timed automaton, φ an ${\mathrm{LTL}}_q$ formula, and $\widehat{\mathcal{M}}$ the abstract model for the automaton $\mathcal{A}$. For each ${\mathrm{LTL}}_q$ formula φ, each $k-$ path ${\pi }_l$ in $\widehat{\mathcal{M}}$, each $0\le m\le k$ and each $0\le d\le k$, if  $({\pi }_l,m){\models }_k^d\phi$, there exists a path ${\pi }^{\prime }$ such that ${\pi }^{\prime }[..k]={\pi }_l$ and $m\le d$ and $({\pi }^{\prime },m){\models }^d\phi$ or $m>d$ and $({\pi }^{\prime },m){\models }^{d+k-l}\phi$.

The proof of the Lemma 4 below is based on the well-known fact that if the LTL formula is true on some infinite path, it is also true on an infinite path of the form $u{v}^{\omega }$, where u and v are finite sequences of states [20].

 Lemma 4. 

Let $\mathcal{A}$ be a discrete timed automaton, φ an ${\mathrm{LTL}}_q$ formula, $\widehat{\mathcal{M}}$ the abstract model for the automaton $\mathcal{A}$, π a path in the abstract model, and $k\ge 0$. For each ${\mathrm{LTL}}_q$ formula φ, each $0\le m\le k$ and each $0\le d\le k$, if  $(\pi ,m){\models }^d\phi$, there exists a $k-$ path ${\pi }_l$ such that $({\pi }_l,m){\models }_k^d\phi$.

An ${\mathrm{LTL}}_q$ formula $\phi$ existentially k-holds in the model $\widehat{\mathcal{M}}$, written as $\widehat{\mathcal{M}}{\models }_k\mathbf{E}\phi$, if and only if $\widehat{\mathcal{M}},({\pi }_l,0){\models }_k^0\phi$ for some $k-$ path ${\pi }_l$ starting at the initial state.

Theorem 3 shows that for some specific bound, bounded and unbounded semantics are equivalent. The proof of Theorem 3 follows directly from Lemmas 3 and 4.

 Theorem 3. 

Let $\widehat{\mathcal{M}}$ be the abstract model and φ an ${\mathrm{LTL}}_q$ formula. Then, $\widehat{\mathcal{M}}\models \mathbf{E}\phi$ if and only if there exists a $k⩾0$ such that $\widehat{\mathcal{M}}{\models }_k\mathbf{E}\phi$.

 Example 1. 

Figure 1 shows an automaton modeling a simple light switch. It consists of two locations, $\mathrm{a}$ and b. When the action $\mathrm{on}$ is performed, the clock $x_0$ is reset. The automaton can stay in the location b until the valuation of the clock $x_0$ is less or equal to 6. The transition from location b to location a (action off) can be performed when the valuation of the clock $x_0$ is greater than 3.

Figure 2 shows an abstract path in the abstract model for the simple light switch. Under the states, we show the global time at the given position.

 Example 2. 

Let us check the satisfiability of formula $q_{\mathrm{I}}$ for the case when ${\pi }_l$ is not a loop. Let $\mathrm{I}=[0,5)$, $k=2$, $m=3$ and $d=5$.

$$({\pi }_2,3){\models }_8^5{q}_{\mathrm{I}}\iff {\zeta }_{\pi }\left(5\right)-{\zeta }_{\pi }\left(3\right)\in \mathrm{I}\iff 2\in \mathrm{I}.$$

Figure 3 shows an example of the $k-$ path, which is a loop. Note that for $l=2$ and $k=8$, $u=\left(\pi \right(0),\pi (1),\pi (2\left)\right)$, and $v=\left(\pi \right(3),\pi (4),\pi (5),\pi (6),\pi (7),\pi (8\left)\right)$. Under the states, we show the global time in the given state.

 Example 3. 

Let us check the satisfiability of formula $q_{\mathrm{I}}$ for the case when ${\pi }_l$ is a loop and $d\ge m$. Let $\mathrm{I}=[0,5)$, $k=8$, $l=2$, $m=3$ and $d=5$.

$$({\pi }_2,3){\models }_8^5{q}_{\mathrm{I}}\iff {\zeta }_{\widetilde{{\pi }_l}}\left(5\right)-{\zeta }_{\widetilde{{\pi }_l}}\left(3\right)\in \mathrm{I}\iff 2\in \mathrm{I}.$$

 Example 4. 

Let us check the satisfiability of the formula $q_{\mathrm{I}}$ for the case when ${\pi }_l$ is a loop and $d<m$. Let $\mathrm{I}=[0,5)$, $k=8$, $l=2$, $m=8$ and $d=5$.

$$({\pi }_2,8){\models }_8^5{q}_{\mathrm{I}}\iff {\zeta }_{\widetilde{{\pi }_l}}(5+8-2)-{\zeta }_{\widetilde{{\pi }_l}}\left(8\right)\in \mathrm{I}\iff {\zeta }_{\widetilde{{\pi }_l}}\left(11\right)-{\zeta }_{\widetilde{{\pi }_l}}\left(8\right)\in \mathrm{I}\iff 4\in \mathrm{I}.$$

4.2. Translation to SAT

The last step of our method is the standard one ([26,53]). It consists in encoding the transition relation of $\widehat{\mathcal{M}}$ and the ${\mathrm{LTL}}_q$ formula $\mathrm{tr}\left(\phi \right)$. The only novelty lies in the encoding of the finite prefix of the sequence $({\zeta }_{\widetilde{{\pi }_l}}\left(0\right),{\zeta }_{\widetilde{{\pi }_l}}\left(1\right),\dots )$.

Let $\widehat{\mathcal{M}}$ be the abstract model for the automaton $\mathcal{A}$, $\mathrm{tr}\left(\phi \right)$ be the ${\mathrm{LTL}}_q$ formula, and $k\ge 0$ a bound. The formula ${\left[\mathrm{tr}\left(\phi \right)\right]}_k$ encodes a bounded semantics of the ${\mathrm{LTL}}_q$ formula $\mathrm{tr}\left(\phi \right)$. It is defined over the same set of the propositional variables as the propositional formula ${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k$.

The definition of the formula ${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k$ assumes that, states and actions in the abstract model $\widehat{\mathcal{M}}$, and passage of time are encoded symbolically. This is possible if the set of states and the set of actions are finite. Formally, each symbolic abstract state $\widehat{s}\in \widehat{S}$ is represented by a vector, $\overline{\mathbf{w}}=((w_1,v_1),\dots ,(w_r,v_r))$ of propositional variables, where the length r depends on the number of states in the abstract model. This vector is called a symbolic state. Each action $a\in Act$ is represented by a vector $\overline{\mathbf{a}}=(a_1,\dots ,a_t)$ of propositional variables, where the length t depends on number of local actions in $\mathcal{A}$. It is called a symbolic action.

A pair consisting of a sequence of the symbolic transitions and a symbolic number is called a symbolic k-path. Let $\pi$ be a pair which represents a symbolic k-path: $(({\overline{\mathbf{w}}}_0,{\overline{\mathbf{w}}}_1,\dots ,{\overline{\mathbf{w}}}_{k-1},{\overline{\mathbf{w}}}_k),\overline{\mathbf{u}})$, where ${\overline{\mathbf{w}}}_i$ is a symbolic state, for $0\le i\le k$, and $\overline{\mathbf{u}}$ is a symbolic number, which is a vector $\overline{\mathbf{u}}=(u_1,\dots ,u_y)$ of propositional variables with $y=max(1,\lceil {log}_2(k+1)\rceil )$. Moreover, let ${\overline{\mathbf{a}}}_i$, for $0<i\le k$, be a symbolic action.

Let $\overline{\mathbf{w}}$ and ${\overline{\mathbf{w}}}^{\prime }$ be two different symbolic states, $\overline{\mathbf{a}}$ a symbolic action and $\overline{\mathbf{u}}$ a symbolic number. To define the formula ${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k$, we use the following auxiliary propositional formulae: $I_{\widehat{s}}\left(\overline{\mathbf{w}}\right)$ encodes a state $\widehat{s}$ in the abstract model $\widehat{\mathcal{M}}$, $H(\overline{\mathbf{w}},{\overline{\mathbf{w}}}^{\prime })$ encodes the equality of two global states, ${\mathcal{T}}_{Act}\left(\overline{\mathbf{w}},\overline{\mathbf{a}},{\overline{\mathbf{w}}}^{\prime }\right)$ encodes an action transition in $\widehat{\mathcal{M}}$, ${\mathcal{T}}_{\tau }\left(\overline{\mathbf{w}},\tau ,{\overline{\mathbf{w}}}^{\prime }\right)$ encodes a time transition in $\widehat{\mathcal{M}}$, ${\mathcal{B}}_j^{\sim }\left(\overline{\mathbf{u}}\right)$, for $\sim \in \{<,\le ,=,>,\ge \}$ encodes the relation ∼ between j and $\overline{\mathbf{u}}$, and ${\mathcal{L}}_{k,m}^l\left(\pi \right)$ encodes the existence of a loop for path $\pi$ at position l.

The propositional formula ${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k$, encodes the unfolding of the transition relation of the abstract model $\widehat{\mathcal{M}}$ to the depth k in the following way:

$${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k:={\bigvee }_{s\in s^0}{I}_s\left({\overline{\mathbf{w}}}_0\right)\wedge {\bigvee }_{l=0}^k{\mathcal{B}}_l^{=}\left(\overline{\mathbf{u}}\right)\wedge \left({\bigwedge }_{j=0}^{k-1}\left({\mathcal{T}}_{\tau }\left({\overline{\mathbf{w}}}_j,\tau ,{\overline{\mathbf{w}}}_{j+1}\right)\vee {\mathcal{T}}_{Act}\left({\overline{\mathbf{w}}}_j,{\overline{\mathbf{a}}}_j,{\overline{\mathbf{w}}}_{j+1}\right)\right)\right)$$

, where ${\overline{\mathbf{w}}}_i$, ${\overline{\mathbf{a}}}_i$ and $\overline{\mathbf{u}}$ are, respectively, symbolic states, symbolic actions and the symbolic number for $0\le i\le k$.

The next step of the method is the translation of the ${\mathrm{LTL}}_q$ formula $\mathrm{tr}\left(\phi \right)$ into the propositional formula ${\left[\mathrm{tr}\left(\phi \right)\right]}_k:={\left[\mathrm{tr}\left(\phi \right)\right]}_{[k,0]}^0$. To translate the formula $\mathrm{tr}\left(\phi \right)$ to SAT problem, we use the auxiliary propositional formulae defined in [53] and the propositional formula ${Gt}_{\mathrm{I}}^{d,m}\left(\pi \right)$. The formula ${Gt}_{\mathrm{I}}^{d,m}\left(\pi \right)$ encodes the condition that says that the difference of the symbolic global time at the depth d and in the starting point m on the symbolic path $\pi$ belongs to the interval $\mathrm{I}$.

 Definition 12 

(The translation from ${\mathbf{ELTL}}_{\mathbf{q}}$ to SAT). Let $\widehat{\mathcal{M}}$ be the abstract model, $\mathrm{tr}\left(\phi \right)$ an ${\mathrm{LTL}}_q$ formula, and $k\ge 0$ a bound. The translation of the formula $\mathrm{tr}\left(\phi \right)$ on the path starting at point m at the depth d is defined inductively:

$$\begin{array}{c}\hfill {\left[\mathbf{true}\right]}_{[k,m]}^d:=\mathbf{true},\\ \hfill {\left[\mathbf{false}\right]}_{[k,m]}^d:=\mathbf{false},\\ \hfill {\left[p\right]}_{[k,m]}^d:=p\left({\overline{\mathbf{w}}}_d\right),\\ \hfill {\left[\neg p\right]}_{[k,m]}^d:=\neg p\left({\overline{\mathbf{w}}}_d\right),\\ \hfill {\left[q_{\mathrm{I}}\right]}_{[k,m]}^d:=& \left\{\begin{array}{cc}\underset{l=0}{\overset{k-1}{\bigvee }}\left({Gt}_{\mathrm{I}}^{d,m}\left(\pi \right)\wedge \neg H({\overline{\mathbf{w}}}_k,{\overline{\mathbf{w}}}_l)\right)\vee \hfill & \\ \underset{l=0}{\overset{k-1}{\bigvee }}\left({Gt}_{\mathrm{I}}^{d,m}\left(\pi \right)\wedge H({\overline{\mathbf{w}}}_k,{\overline{\mathbf{w}}}_l)\right),\hfill & \mathit{if}d\ge m\hfill \\ \underset{l=0}{\overset{k-1}{\bigvee }}\left({Gt}_{\mathrm{I}}^{d,m}\left(\pi \right)\wedge \neg H({\overline{\mathbf{w}}}_k,{\overline{\mathbf{w}}}_l)\right)\vee \hfill & \\ \underset{l=0}{\overset{k-1}{\bigvee }}\left({Gt}_{\mathrm{I}}^{d+k-l,m}\left(\pi \right)\wedge H({\overline{\mathbf{w}}}_k,{\overline{\mathbf{w}}}_l)\right),\hfill & \mathit{if}d<m\hfill \end{array}\right.\hfill \\ \hfill {\left[\neg q_{\mathrm{I}}\right]}_{[k,m]}^d:=& \neg {\left[q_{\mathrm{I}}\right]}_{[k,m]}^d,\hfill \\ \hfill {\left[\alpha \wedge \beta \right]}_{[k,m]}^d:=& {\left[\alpha \right]}_{[k,m]}^d\wedge {\left[\beta \right]}_{[k,m]}^d,\hfill \\ \hfill {\left[\alpha \vee \beta \right]}_{[k,m]}^d:=& {\left[\alpha \right]}_{[k,m]}^d\vee {\left[\beta \right]}_{[k,m]}^d,\hfill \\ \hfill {\left[\alpha \mathbf{U}\beta \right]}_{[k,m]}^d:=& \underset{j=d}{\overset{k}{\bigvee }}\left({\left[\beta \right]}_{[k,m]}^j\wedge \underset{i=d}{\overset{j-1}{\bigwedge }}{\left[\alpha \right]}_{[k,m]}^i\right)\vee (\underset{l=0}{\overset{d-1}{\bigvee }}\left({\mathcal{L}}_{k,m}^l\left(\pi \right)\right)\wedge \underset{j=0}{\overset{d-1}{\bigvee }}({\mathcal{B}}_j^{>}\left(\overline{\mathbf{u}}\right)\hfill \\ \hfill & \wedge {\left[\beta \right]}_{[k,m]}^j\wedge \underset{i=0}{\overset{j-1}{\bigvee }}({\mathcal{B}}_i^{>}\left(\overline{\mathbf{u}}\right)\to {\left[\alpha \right]}_{[k,m]}^i)\wedge \underset{i=d}{\overset{k}{\bigwedge }}{\left[\alpha \right]}_{[k,m]}^i\left)\right),\hfill \end{array}$$

$$\begin{array}{cc}\hfill {\left[\mathbf{G}\alpha \right]}_{[k,m]}^d:=& \underset{l=0}{\overset{k-1}{\bigvee }}\left({\mathcal{L}}_{k,m}^l\left(\pi \right)\right)\wedge \underset{j=0}{\overset{d-1}{\bigwedge }}\left({\mathcal{B}}_j^{⩾}\left(\overline{\mathbf{u}}\right)\to {\left[\alpha \right]}_{[k,m]}^j\right)\wedge \underset{j=d}{\overset{k}{\bigwedge }}{\left[\alpha \right]}_{[k,m]}^j.\hfill \end{array}$$

 Theorem 4. 

Let $\widehat{\mathcal{M}}$ be the abstract model. Then for every $k\in \mathbb{N}$, at the depth $d\le k$, $\widehat{\mathcal{M}}{\models }_k^d\mathbf{E}\mathrm{tr}\left(\phi \right)$ if, and only if, the propositional formula ${\left[{\widehat{\mathcal{M}}}^{\mathrm{tr}\left(\phi \right),s^0}\right]}_k\wedge {\left[\mathrm{tr}\left(\phi \right)\right]}_k$ is satisfiable.

The proof of the above theorem is analogous to the proofs presented in [26,53].

5. Experimental Results

In this section, we experimentally evaluate the performance of our new translation (We performed our experimental results on a computer equipped with I7-3770 processor, 32 GB of RAM, and the operating system Arch Linux. All the benchmarks together with instructions on how to reproduce our experimental results can be found at the web page https://tinyurl.com/satbmc4dtta-emtl, accessed on 3 November 2022). Our SAT-based BMC algorithm is implemented as a standalone program written in the programming language C++. We compared the new method with the corresponding one from [26]. For both methods, we used the state-of-the-art Kissat SAT solver [54]. We conducted the experiments using the slightly modified TGPP [26], the TTCS [26], and TDPP, and we compared our result with the results generated using the implementation from [26].

5.1. Timed Dining Philosophers

As the first benchmark, we used the well-known dining philosophers problem [55], and we extended it using clocks. The system consists of n discrete timed automata, each of which models a philosopher, together with n automata, each of which models a fork, together with one automaton which models the lackey. The latter automaton is used to coordinate the philosophers’ access to the dining room. In fact, this automaton ensures that no deadlock is possible. The global system is obtained as the parallel composition of the components, which are shown in Figure 4.

We assume that one unit of time represents 30 min. A philosopher has to think at least 30 min (1 time unit, $x_j\ge T_2$) and at most 2 h and 30 min (5 time units $x_j\le T_1$). He also has to eat for, at most, one hour (2 time units, $x_j\le E_1$ ), but he also can finish eating earlier ($x_j\ge E_2$).

Let us consider the following formulae:

• ${\phi }_1={\mathbf{F}}_{[0,T_2+E_2+1)}\left({\bigvee }_{j=1}^{n}Lfrealease{d}_j\right)$. At least one philosopher will eventually eat and put down both forks.
• ${\phi }_2={\mathbf{F}}_{[0,T_2+1)}\left({\bigwedge }_{j=\{1,3,5,\dots \}}^{n-1}Eatin{g}_j\right)$. Eventually, every second philosopher (starting with the first one) eats.
• ${\phi }_3=\mathbf{G}({\mathbf{F}}_{[0,T_2+1)}\left({\bigvee }_{j=1}^{n}Lfrealease{d}_j\right)$. Every second philosopher (starting with the first one) always eats in the end.

All these formulae are existentially valid in the model of TDPP.

Figure 5 shows experimental results for ${\phi }_1$ and ${\phi }_2$. For the simple eventually formula ${\phi }_1$ we can observe that time usage for the method based on the old translation is better than for the method based on the new one. However there is a noticeable difference in memory usage. In this case, the new method is better. For the formulae ${\phi }_2$ and ${\phi }_3$, we can see the advantages of the new method.

Figure 6 shows experimental results for ${\phi }_3$.

Figure 7 shows generated clauses and variables for ${\phi }_1$ and ${\phi }_3$.

5.2. Timed Generic Pipeline Paradigm

The TGPP (Figure 8) discrete timed automata model [26] consists of a producer producing data within the time interval ($[a,b]$) or being inactive, a consumer receiving data within the time interval ($[c,d]$) or being inactive within the time interval ($[g,h]$), and a chain of n intermediate nodes which can be ready for receiving data within the time interval ($[c,d]$), processing data within the time interval ($[e,f]$) or sending data. We assume that $a=c=e=g=1$ and $b=d=f=h=2·n+2$, where n represents number of nodes in the TGPP.

To compare our experimental results with [26], we tested the TGPP discrete timed automata model on the following MTL formulae that existentially hold in the model of TGPP (n is the number of nodes). In the below formulae, we use $pro{d}_0$, $pro{d}_1$, $con{s}_0$, and $con{s}_1$ for $ProdReady$, $ProdSend$, $ConsReady$, and $ConsFree$ respectively. Moreover, we write $\mathbf{G}$ for ${\mathbf{G}}_{[0,\infty )}$. Let us consider the following formulae:

• ${\phi }_1=\mathbf{G}(pro{d}_0\vee con{s}_0)$. It states that always either the producer has sent the data or the consumer has received the data.
• ${\phi }_2={\mathbf{F}}_{[0,2·n+3)}\left(\mathbf{G}(pro{d}_1\vee con{s}_1)\right)$. It states that eventually in time less then $2·n+3$, it is always the case that the producer is ready to send the data or the consumer has received the data.
• ${\phi }_3=\mathbf{G}\left({\mathbf{F}}_{[0,2·n+3)}\left(con{s}_1\right)\right)$. It states that the Consumer infinitely often eventually receives the data in time less than $2·n+3$ units.

All these formulae are existentially valid in the model of TGPP.

Charts in Figure 9 show the total time usage and total memory usage for TGPP needed for verification ${\phi }_1$ and ${\phi }_2$. In both cases, the new method outperforms the old one. For ${\phi }_2$, the ${\mathrm{LTL}}_q$-based method was able to verify the system with 19 nodes, and the HLTL-based method was able to verify the system only with 9 nodes. For ${\phi }_3$, the memory usage is similar in both cases. However, the time usage for the old method exponentially grows. The second plot shows the number of generated clauses and variables.

Charts in Figure 10 shows the total time usage and total memory usage for TGPP needed for verification ${\phi }_3$. The second plot shows the number of generated clauses and variables.

5.3. Timed Train Controller System

The TTCS (Figure 11) consists of n (for $n\ge 2$) trains $T_1,\dots ,T_n$, each one using its own circular track for traveling in one direction and containing its own clock $x_i$, together with controller C used to coordinate the access of trains to the tunnel through which all trains have to pass at a certain point. There is only one track in the tunnel, so trains arriving from each direction cannot use it in the same time. There are signals on both sides of the tunnel, which can be either red or green. All trains notify the controller when they request entry to the tunnel or when they leave the tunnel. The controller controls the color of the displayed signal, and the behavior of the scenario depends on the values $\delta$ and $\Delta$ ($\Delta >\delta +1$ makes it incorrect—the mutual exclusion does not hold).

Controller C has $n+1$ locations, with the location 0 being the initial one. The action $Star{t}_i$ of train $T_i$ denotes the passage from the location away to the location where the train wishes to obtain access to the tunnel. This is allowed only if controller C is in location 0. Similarly, train $T_i$ synchronizes with controller C on action $approac{h}_i$, which denotes setting C to location $i>0$, as well as $ou{t}_i$, which denotes setting C to location 0. Finally, action $i{n}_i$ denotes the entering of train $T_i$ into the tunnel.

Moreover, we assume the following set of propositional variables: $\mathcal{AP}=\{tunne{l}_1,\cdots ,$$tunne{l}_n\}$.

Let us consider the following formulae:

• ${\phi }_1={\mathbf{F}}_{[0,2·\delta +4)}\left({\bigvee }_{i=1}^{n-1}{\bigvee }_{j=i+1}^n\right)(tunne{l}_i\wedge tunne{l}_j)$. It expresses that the system violates the mutual exclusion property.
• ${\phi }_2=\mathbf{G}\left({\mathbf{F}}_{[0,2·\delta +1)}tunne{l}_1\right)$. It expresses that the first train can infinitely often and from any state enter the tunnel in time less than $2·\delta +1$.
• ${\phi }_3=\mathbf{G}({\mathbf{F}}_{[0,2·\delta +7)}tunne{l}_1\wedge {\mathbf{F}}_{[0,2·\delta +7)}\neg tunne{l}_1)$. It expresses that the first train is infinitely often in the tunnel and outside the tunnel in time less than $2·\delta +7$.

All these formulae are existentially valid in the model of TTCS.

As we can see in Figure 12, Figure 13 and Figure 14, the new method surpasses the old one. As we expected, the difference between the two methods is smaller for the simple formula that expresses reachability problem (${\phi }_1$). However, a significant difference can be seen for the formulae ${\phi }_2$ and ${\phi }_3$. Figure 14 also shows the number of clauses and variables for the new and the old method. As we can see, the numbers of variables and clauses grow exponentially for the old method.

6. Statistics

We performed one- and two-sided Wicoxon tests for DPTT (Figure 15). Tests showed that the new method outperforms the old one: the new method used less time ($p=0.36$), and used less memory ($p=0.99$).

We performed the two-sided and one-sided Wilcoxon tests for all the experiments. As a dataset, we took the whole set of the experimental results (note that we deleted some results in the figures in Section 5 to make them clear—whole data can be found in the .tar.xz file we delivered).

7. Conclusions

In this work, we proposed a new SAT-based BMC for soft real-time systems modeled by discrete time automata with digital clocks and for properties expressible in metric temporal logic with semantics over discrete time automata with digital clocks.

The first step of this method is translating the existential model-checking problem for MTL into the existential model-checking problem for ${\mathrm{LTL}}_q$ logic by replacing temporal operators with intervals (MTL) with temporal operators and new propositional variables corresponding to these intervals (${\mathrm{LTL}}_q$). The second step is translating the existential model-checking problem for ${\mathrm{LTL}}_q$ into the satisfiability problem for the propositional formulae. The efficiency of the new method is due to the fact that only one additional clock for measuring global time is needed, unlike the earlier method [26], which translates the existential model-checking problem for MTL into the existential model-checking problem translation to HLTL.

The earlier method [26] needs to add to a timed automaton one extra clock, one extra path, and an extra transition for each occurrence of the temporal operator in the formula.

We implemented our method as a standalone program written in the programming language C++. This implementation allowed us to experimentally evaluate and compare the new approach with the old one.

The experimental results show that our approach is significantly better than the approach based on translation to HLTL. The new method substantially reduces the conjunction normal form (CNF) formula’s size, an input formula for the SAT solver. The reduced size of the CNF formula causes the SAT solver to use much less time and memory to determine the satisfiability of the input formula.

In future work, we plan to extend our method by adding discrete data [56]. We also would like to improve and develop and prove the method presented in [49].