An Algorithmic Approach for Abstracting Transient States in Timed Systems

In previous works, the timed logic TCTL was extended with important modalities, in order to abstract transient states that last for less than k time units. For all modalities of this extension, called TCTL Δ, the decidability of the model-checking problem has been proved with an appropriate extension of Alur and Dill's region graph. But this theoretical result does not lend itself to a natural implementation because of the state-space explosion problem. This is not surprising since, even for TCTL, the model-checking algorithm implemented in tools like UPPAAL or KRONOS is based on a so-called zone algorithm and on data structures like DBMs, rather than on explicit sets of regions. In this paper, we propose a symbolic model-checking algorithm which computes the characteristic sets of some TCTL Δ formulae and checks their truth values. This algorithm generalizes the zone algorithm for TCTL. We also present a complete correctness proof of this algorithm, and we describe its implementation using the DBM data structure.


I. INTRODUCTION
Timed verification. Temporal logic is a convenient formalism for specifying systems and reasoning about them. Furthermore, model-checking techniques lead to the automatic verification that a model of a system satisfies some temporal logic specification. These methods have been extended to real-time verification: systems are modeled with timed automata [6], [7] and timed logics like TCTL [3] are used to express timed specifications such as "any problem is followed by an alarm within 3 seconds". Analysis tools have been developed [22], [25], [30] and successfully applied to numerous case studies.

Timed temporal logics and duration properties.
Along with the study of timed automata, various timed logics have been defined to extend the classical temporal logics with quantitative modalities. For example, this was done with MTL [29], [8], [31], an extension of LTL, and TCTL [9], [3], [26], where CTL modalities are augmented with time comparisons of the form ∼ c, where ∼ is a comparison operator. Another related logic is Parametrized TCTL [18], where TCTL and the timed model are in turn extended with parameters. In another direction, since the introduction of the duration calculus [19] to express duration properties, numerous works have been devoted to the algorithmic computation of such properties for timed systems. Since clocks, which evolve at the rate of time (as in timed automata), are sometimes not expressive enough, hybrid variables (with multiple slopes) have been considered. The resulting model of hybrid automata has been largely studied in the subsequent years [27]. However, while some decidability results could be obtained [5], [28], using stopwatches (i.e. variables with slopes 0 and 1) already leads to undecidability of the reachability problem [4]. Further research has thus been devoted to weaker models where hybrid variables are only used as observers, i.e. are not tested in the automaton and thus play no role during a computation. These variables, sometimes called costs or prices in this context, can be used in an optimization criterion [5], [10], [11], [16] or as constraints in temporal logic formulas. For instance, the logic WCTL [17], [15], interpreted over timed automata extended with costs, adds cost constraints on modalities: it is possible to express that a given state is reachable within a fixed cost bound.

Abstracting transient states.
When practical examples are considered, the need for abstracting transient states often arises. This is the case for systems which handle variables subject to instantaneous changes of value. This motivated the work in [12], [13], where events that do not last continuously for at least k time units can be abstracted by introducing an extension of TCTL called TCTL Δ. The theoretical decidability result for the TCTL Δ model-checking problem relies on an extension of the region graph proposed in [13]. However, the region graph is not used in implementations; tools like UPPAAL or KRONOS use instead a so-called "zone algorithm". This algorithm computes on-the-fly the set of reachable symbolic states, that is pairs (q, Z) where q is a control state and Z a zone. One of the major advantages of zones is that they can be easily implemented using data structures like DBMs [24].
Contribution. The aim of this paper is to provide an implementable algorithm for TCTL Δ model-checking. The algorithm we propose is an extension of the zone algorithm used for TCTL in tools like UPPAAL and KRONOS. We also provide a possible implementation of this algorithm using the DBM data structure. The main result of this paper is the proof of correctness of our algorithm. This proof uses several techniques, from properties of zones and symbolic model-checking to fixed point theory.
Outline. The structure of the paper is the following: we first recall the main features of the timed automata model and give definitions for the syntax and semantics of TCTL Δ (Section 2); we then recall some known decidability results for TCTL Δ model-checking (Section 3); we then describe the classical zone algorithm for TCTL (Section 4); we present thereafter our algorithm and give a complete proof of its correctness (Section 5); the following section explains how to implement it using DBMs (Section 6); we end this paper with some concluding remarks (Section 7).

II. BASIC NOTIONS
Let N and R denote the sets of natural and non-negative real numbers, respectively. Let X be a set of real-valued clocks. We write C(X) for the set of boolean expressions over atomic formulae of the form x ∼ k with x ∈ X, k ∈ N, and ∼ ∈ {<, ≤, =, ≥, >}. Constraints of C(X) are interpreted over valuations for clocks, i.e. mappings from X to R. The set of valuations is denoted by R^X. For every v ∈ R^X and d ∈ R, we use v + d to denote the time assignment which maps each clock x ∈ X to the value v(x) + d. For every r ⊆ X, we write v[r ← 0] for the valuation which maps each clock in r to the value 0 and agrees with v over X \ r. Let AP be a set of atomic propositions.

A. Timed Automata
A timed automaton (TA) is a tuple A = ⟨X, Q_A, q_init, →_A, Inv_A, l_A⟩ where X is a set of clocks, Q_A is a finite set of locations, q_init ∈ Q_A is the initial location, and:
• →_A is a finite set of action transitions: for (q, g, r, q') ∈ →_A, g ∈ C(X) is the enabling condition (guard) and r ⊆ X is the set of clocks reset by the transition (we write q −g,r→_A q');
• Inv_A associates with every location q an invariant Inv_A(q) ∈ C(X);
• l_A : Q_A → 2^AP labels every location with a subset of AP.
A state (or configuration) of a TA A is a pair (q, v), where q ∈ Q_A is the current location and v ∈ R^X is the current clock valuation. The initial state of A is (q_init, v_0) with v_0(x) = 0 for any x in X. There are two kinds of transitions. From (q, v), it is possible to perform the action transition q −g,r→_A q' if v ⊨ g and v[r ← 0] ⊨ Inv_A(q'), and then the new configuration is (q', v[r ← 0]). It is also possible to let time elapse, and reach (q, v + d) for some d ∈ R whenever the invariant is satisfied along the delay. Formally, the semantics of a TA A is given by a Timed Transition System (TTS) T_A = (S, s_init, →_TA, l) where:
• S = Q_A × R^X is the set of states and s_init = (q_init, v_0);
• →_TA contains the action transitions (q, v) →_TA (q', v[r ← 0]) described above (we write (q, v) →a (q', v')) and the delay transitions (q, v) →_TA (q, v + d), d ∈ R, whenever the invariant Inv_A(q) holds along the delay (we write (q, v) −d→ (q, v + d));
• l : S → 2^AP labels every state (q, v) with the subset l_A(q) of AP.
An execution (or run) of A is an infinite path s_0 →_TA s_1 →_TA s_2 . . . in T_A such that (1) time diverges and (2) there are infinitely many action transitions. Note that an execution can be described as an alternating infinite sequence of delay and action transitions. Such an execution ρ goes through any configuration s reachable from some s_i by a delay transition of duration d ∈ [0, d_i]. Let Exec(s) be the set of all executions from s. With a run ρ : (q_0, v_0) −d_1→ →a (q_1, v_1) −d_2→ →a . . . of A, we associate the sequence of absolute dates defined by t_0 = 0 and t_i = Σ_{j≤i} d_j for i ≥ 1, and in the sequel we often write ρ as the sequence ((q_i, v_i, t_i))_{i≥0}.
Example 1. An example of timed automaton is given in Fig. 1, where P is an atomic proposition and x, y are clocks.
A state (q, v) can occur several times along a run ρ; the notion of position allows us to distinguish these occurrences: every occurrence of a state is associated with a unique position. Given a position p, the corresponding state is denoted by s_p. The standard notions of prefix, suffix and subrun apply to paths in a TTS: given a position p ∈ ρ, ρ_≤p is the prefix leading to p and ρ_≥p is the suffix issued from p. Finally, a subrun σ from p to p' is denoted by p −σ→ p'. Note that the set of positions along ρ is totally ordered by <_ρ. Given two positions p and p', we say that p strictly precedes p' along ρ (written p <_ρ p') iff there exists a finite subrun σ of ρ s.t. p −σ→ p' and σ contains at least one non-null delay transition or one action transition (i.e. σ is not reduced to −0→). We write σ <_ρ p when for any position p' in the subrun σ, we have p' <_ρ p. Given a position p ∈ ρ, the prefix ρ_≤p has a duration, Time(ρ_≤p), defined as the sum of all delays along ρ_≤p. Since time diverges along an execution, we have: for any t ∈ R, there exists p ∈ ρ such that Time(ρ_≤p) > t. For a subset P ⊆ ρ of positions in ρ, we define a natural measure μ(P) = μ{Time(ρ_≤p) | p ∈ P}, where μ is the Lebesgue measure on the set of real numbers. In the sequel, we only use this measure when P is a subrun of ρ: in this case, for a subrun σ such that p −σ→ p', we simply have μ(σ) = Time(ρ_≤p') − Time(ρ_≤p).

B. Definition of TCTL Δ .
The syntax of TCTL was extended in [13] to express that a formula holds everywhere except on subruns whose duration is bounded by a parameter k ∈ N: TCTL Δ is obtained by adding to TCTL the modalities EU^k_{∼c} and AU^k_{∼c}, where k ∈ N.
Definition 2 (Syntax of TCTL Δ). TCTL Δ formulae are given by the following grammar:

The following clauses define when a state s of some TTS T = ⟨S, s_init, →, l⟩ satisfies a TCTL Δ formula ϕ, written s ⊨ ϕ, by induction over the structure of ϕ.
Modality Eϕ U^k_{∼c} ψ means that it is possible to reach a sufficiently long interval (> k) where ψ is true, around a position at a distance ∼ c, and that before this position ϕ is everywhere true except along negligible duration subpaths (≤ k). Modality Aϕ U^k_{∼c} ψ means that along any path, ψ lasts long enough (> k) around a position at a distance ∼ c and, before this position, ϕ is everywhere true except along negligible duration subpaths (≤ k).

III. DECIDABILITY RESULT FOR TCTL Δ
In this section we recall the decidability result for TCTL Δ model checking [13]. First, we recall that the classical notion of region proposed by Alur, Courcoubetis and Dill [3] for TCTL is also correct for TCTL Δ. Nevertheless, a stronger notion of equivalence for runs is needed in order to preserve the truth value of TCTL Δ formulae [13]. Then we recall that adding the modalities U^k does not increase the complexity of the verification.

A. Region graph
Given a set X of clocks and a maximal constant M ∈ N, let ≅_M be the region equivalence of [3] over the valuations of R^X. An equivalence class of ≅_M is called a region; a region is called a boundary region if it contains valuations v s.t. the fractional part of v(x) is 0 for some clock x. Given a TA A, we use M_A to denote the maximal constant occurring in A (in its guards or invariants). We simply write ≅ instead of ≅_M when M is clear from the context.
Example 2. Consider an automaton with two clocks x and y and the constant M equal to 2. The set of regions associated with this automaton is depicted in Fig. 2. The region drawn in gray corresponds to the valuations satisfying the following constraints:

Moreover, the equivalence ≅ is consistent with TCTL Δ formulae, in the following sense.
To illustrate this result, consider the formula Φ = Eϕ U^k_{∼c} ψ and assume that (q, v) ⊨ Φ, i.e. there exists a run ρ = ((q_i, v_i, t_i))_{i≥0} from (q, v) satisfying ϕ U^k_{∼c} ψ. The consistency of ≅ for TCTL Δ means that there exists an equivalent run ρ' from (q, v') which also satisfies ϕ U^k_{∼c} ψ, where v and v' are in the same region. For this, the equivalence over runs is defined as follows [13]: given a TA A, two runs ρ = ((q_i, v_i, t_i))_{i≥0} and ρ' = ((q'_i, v'_i, t'_i))_{i≥0} of A are equivalent iff conditions (ER 1), (ER 2) and (ER 3) below hold, where the equivalence ≅ is extended to pairs (v_i, t_i) as follows:

The equivalence on runs used in [3] to prove that regions are compatible with TCTL formulae only requires conditions (ER 1) and (ER 2). This is however not sufficient for proving the compatibility of regions with TCTL Δ formulae. Indeed, back to Example 1, consider the two runs ρ and ρ' drawn in Fig. 3, which are equivalent in the sense of [3]. The runs ρ and ρ' satisfy conditions (ER 1) and (ER 2), but the delays spent in location q2, where P does not hold, are respectively 0.3 and 1.05, so that ρ ⊨ G^1 P whereas ρ' ⊭ G^1 P. This is why we need the stronger equivalence above, which also requires condition (ER 3). Note that the proof of the consistency of ≅_{M_A} for TCTL Δ is given in [13].

B. Labeling algorithm
The labeling algorithm reduces the model-checking problem A ⊨ Φ, with a TA A = ⟨X, Q_A, q_init, →_A, Inv_A, l_A⟩ and Φ ∈ TCTL Δ, to a model-checking problem A' ⊨ Φ' where A' is a region graph (i.e. a finite Kripke structure) and Φ' is a CTL-like formula [13]. Let X* be the set of clocks X ∪ {z, z_r, z_l}. The three extra clocks are used to verify the timing constraints in the formula: z is used to handle the subscripts ∼ c in U modalities (as in TCTL model checking), and the clock z_l (resp. z_r) is used to measure time elapsing while the left (resp. right) part in U^k modalities is false (resp. true). Let M_Φ be the maximal constant occurring in the timing constraints in Φ and k_m be the maximal k occurring in a modality U^k in Φ. Let M be max(M_A, M_Φ + k_m). The region graph R_{A,Φ} = (V, →, l, F) for A and Φ is defined as usual over X* and M [3]: its states are the pairs (q, γ) with q ∈ Q_A and γ a region of R^{X*}/≅_M, and the transitions correspond to action transitions (→a) in A or to delay transitions (→t, leading to the successor region denoted by succ(γ)). The states are labeled with atomic propositions of AP and we also use additional propositions for the extra clocks: a state (q, γ) is labeled with the proposition y ∼ a, with y ∈ {z, z_l, z_r} and 0 ≤ a ≤ M, when γ ⊨ y ∼ a (see [3], [12] for the detailed construction of R_{A,Φ}).
Due to these changes, in R^{ϕ_l,ϕ_r}_{A,Φ} the clock z_l (resp. z_r) measures the time elapsed since ¬ϕ_l (resp. ϕ_r) became true: they are reset when the truth value of the corresponding formula changes. In the following we will use two abbreviations: the first one states that ϕ_l holds or did hold less than k t.u. ago, and the second one states that ϕ_r lasts for more than k t.u. We will also use the abbreviation (¬ϕ_l)‾ to denote ¬ϕ_l ∧ z_l > k (the formula ¬ϕ_l has held for more than k t.u.), and we use ¬ϕ̈_r for ¬ϕ_r ∨ z_r ≤ k. Therefore, the construction of the region graph R^{ϕ_l,ϕ_r}_{A,Φ} allows us to decide the values of ϕ̈_l and (¬ϕ_l)‾, for any formula Ψ of the form Eϕ_l U^k_{∼c} ϕ_r or Aϕ_l U^k_{∼c} ϕ_r. Furthermore, for all TA A and TCTL Δ formulae Ψ, the labeling algorithm labels (q, γ) with Ψ in R_{A,Φ} iff (q, v) ⊨ Ψ for any v ∈ γ [13]. The proof of this decidability result is based on a generalization of the construction of the region graph for TCTL (as presented in [6], [7]). Instead of it, and for efficiency reasons, to avoid the state-space explosion problem, model-checkers like UPPAAL or KRONOS use a symbolic analysis algorithm that explores the reachable state space through finitely many symbolic states (the so-called "zone algorithm"). The implementation of this algorithm uses a data structure initially proposed in [24], the Difference Bounded Matrices, DBMs for short. The aim of this paper is precisely to propose such an algorithm for TCTL Δ model-checking. The algorithm we propose is an extension of the algorithm used in UPPAAL and KRONOS. Hence, we first recall the zone algorithm for TCTL. After this brief presentation of a widely used algorithm, we come back to TCTL Δ and present our algorithm for its symbolic model-checking. The remainder of the paper is devoted to a complete correctness proof of our algorithm and to the description of its implementation using the DBM data structure.

IV. CLASSICAL ZONE ALGORITHM, STATE OF THE ART
In this section, we describe the on-the-fly analysis algorithm, which is implemented in some tools for the verification of classical timed logics [14], [21], [33], [23], [2].

A. Zones
For timed automata, the set of configurations is infinite. To check such a model, it is therefore necessary to manipulate sets of configurations, and thus to provide a symbolic representation of them, called a zone. A zone is a set of valuations defined by a conjunction of simple constraints x ∼ c or x − y ∼ c, where x and y are clocks, ∼ is a comparison sign, and c is an integer constant. In forward and backward analysis, the objects that are handled are pairs (q, Z) where q is a control state of the automaton and Z a zone.
Several operations can be performed on zones, among them the intersection of two zones, the future and the past of a zone (its time successors and time predecessors) and its image by a clock reset. These operations, defined through first-order formulas on zones, preserve zones [32].
Taking the future of the zone Z of Example 3 (Fig. 4), the zone →Z is drawn in light gray and Z itself in dark gray; →Z is defined by the clock constraint x

B. The Algorithm
We now give an idea of how it is possible to check TCTL properties [33]. The construction described here avoids building the region graph, because such an approach would not be very effective, and there are no data structures really adapted to regions in terms of complexity. The idea of the algorithm [33] is to compute, for each formula, its characteristic set, defined as the set of pairs (q, Z) where q is a control state of the automaton and Z a zone, i.e.
where w is a valuation of the clocks corresponding to the Until operators in the TCTL formula. The construction is by induction on the structure of the formula:

It remains to describe the characteristic sets of formulas that have the Until operator. For the formula Eϕ1 U_{∼c} ϕ2, the characteristic set is given by the following recurrent sequence [33]:

where z is the clock corresponding to the operator U, Pre[R1](E_i) represents the set of configurations that allow reaching E_i by letting time pass while staying in R1, and Pre(E_i) represents the configurations that allow reaching E_i by taking an action transition. A clock is attached to each U operator in the formula; it is used to handle the subscript ∼ c of the Until modality. Note that the above analysis is in fact a backward analysis. We do not describe the algorithm for Aϕ1 U_{∼c} ϕ2, which also uses a backward analysis but is slightly more complicated; it is described for example in [26].
V. BACK TO TCTL Δ TIMED LOGIC: SYMBOLIC MODEL-CHECKING ALGORITHM
In this section, we propose a symbolic model-checking algorithm which computes the characteristic sets of some TCTL Δ formulae and checks their truth values using a backward analysis. This algorithm extends the zone algorithm for TCTL. We also present a complete correctness proof of this algorithm, and we describe its implementation using the DBM data structure in the next section.

A. Modality Eϕ1 U^k_{∼c} ϕ2
For this modality, the approach we have opted for is to split the semantics of the formula Eϕ1 U^k_{∼c} ϕ2 in two parts, the right part and the left part (as depicted in Fig. 5). The left part represents the subrun where ϕ1 is true everywhere except along negligible duration subpaths (≤ k), until reaching the right part, which represents the subrun where ϕ2 lasts long enough around a position (z ∼ c) and before which ϕ1 is true except along negligible duration subpaths.
1) Eϕ1 U^k_{∼c} ϕ2 Right part:

First case: ∼∈ {<, ≤}
In this case, it is necessary and sufficient that the constraint z ∼ c be verified at the beginning of the subrun where ϕ2 lasts long enough (> k). Thus the whole right part of Eϕ1 U^k_{∼c} ϕ2, as depicted in Fig. 6, can be reduced and expressed using the following TCTL formula:

Second case: ∼∈ {>, ≥, =}
In this case, we split the subrun where ϕ2 is true for more than k t.u. into two parts, one satisfying (ϕ1 ∨ z_l ≤ k), followed by another which satisfies z ∼ c at its first position, as depicted in Fig. 6. Thus, the semantics of the Eϕ1 U^k_{∼c} ϕ2 right part is deduced from Definition 3 as follows. Let s be a state of some TTS T = ⟨S, s_init, →, l⟩ which satisfies the Eϕ1 U^k_{∼c} ϕ2 right part, written s ⊨ RP(Eϕ1 U^k_{∼c} ϕ2); we have:

Now, we propose and prove that the following sequence is increasing by inclusion and stationary, and that its least upper bound represents the set of all symbolic states (i.e., the characteristic set defined in Section IV-B as a set of pairs (q, Z) where q is a control state of the automaton and Z a zone) satisfying RP(Eϕ1 U^k_{∼c} ϕ2):

Note that z_r is reset when the stationary value of the sequence Y_n is reached, i.e. once the set of symbolic states satisfying RP(Eϕ1 U^k_{∼c} ϕ2) has been computed.
The recurrent sequence Y_n computes at each iteration the predecessors of the current states represented by Y_n. As said in Section III-B, the clock z_l measures time elapsing while ϕ1 is false, so it is reset at each transition from a set of states satisfying ϕ1 to another satisfying ¬ϕ1. Without losing information about the clock z_l, and in order to further optimize our sequence, z_l can also be reset on a transition from a set of states satisfying ϕ1 to another set of states satisfying ϕ1; therefore the sequence Y_n becomes as follows:

We now define the predecessor operator as follows.
Definition 4 (Predecessor operator). Given a TA A, a TTS T = ⟨S, s_init, →, l⟩, an alphabet Σ which denotes a finite set of actions, and two characteristic sets Q1 and Q2, computing Q1 Q2 amounts to determining the union of:
• all the instantaneous predecessors of Q2 that verify Q1, i.e. the states satisfying Q1 that can reach Q2 by an action transition (denoted Q1 a Q2);
• all the temporal predecessors of Q2 that verify Q1, i.e. all states q that can reach a state of Q2 by a delay transition such that all intermediate states are in Q1: q + t ∈ Q2 and ∀t' < t, q + t' ∈ Q1.
Back to our sequence Y_n, it can be written as follows:

The particularity of the backward analysis is that the iterative computation described by the sequence Y_n terminates. The reason is quite simple: it is fairly easy to show that if Z' is a zone which is a union of regions, then Z = g(Z') is not only a zone but also a union of regions [1]. As there is a finite number of regions, the number of pairs (q, Z) that can be computed in a backward analysis is finite. Thus we show that the sequence Y_n is increasing by inclusion and stationary, and that its least upper bound represents the characteristic set of RP(Eϕ1 U^k_{∼c} ϕ2):

Proof (sketch). In order to prove this result, we first show that the least upper bound of the sequence Y_n is the least fixpoint of g. Let E be the set of symbolic states defined as:

We know that E is a finite set, hence the power set P(E) is also finite. Furthermore, the first term of Y_n is given as the characteristic set of a TCTL formula, so Y_0 ∈ P(E). As all operations in the function g preserve zones [32], ∀n ∈ N, Y_n = g^n(Y_0) ∈ P(E). The sequence Y_n is monotonic by inclusion, because Y_n ⊆ Y_{n+1} for all n ∈ N. Thus Y_n is monotonic in the finite set P(E), so Y_n is stationary, i.e. ∃ r ∈ N such that ∀ n ≥ r, Y_n = Y_r. Moreover, since (P(E), ⊆) is a complete partially ordered set, its finite subset (W, ⊆) defined as W = {Y_0, Y_1, ..., Y_n, ...} is also a complete totally ordered set. Also, g is monotonic (immediate from the definition of the predecessor operator). Since on finite sets a monotonic function is always Scott-continuous, by Kleene's fixed-point theorem the least fixpoint of g is the least upper bound of the sequence g^n(Y_0) = Y_n, where Y_0 is the least element of W (the intersection of its elements).
Suppose that q ∈ [[ϕ2 ∧ (¬ϕ1 ∧ z_l ≤ k)]] Q; in the same manner as in the previous proof, we show that q ∈ Q. Consequently it follows that ∀q ∈ g(Q), q ∈ Q, i.e.:

2. Now we prove that Q = [z_r ← 0] μY.g(Y). In other words, ∃ σ ∈ Exec(q) : σ = q −α_0→ q_1 −α_1→ ... −α_{i−1}→ q_i ..., with α_i ∈ R*₊ ∪ Σ and z_r reset at the beginning of σ, such that q_i and, ∀j < i, q_j satisfy the following:

Consider q_{i−1} in the subrun σ; we have q_{i−1} −α_{i−1}→ q_i. So q_{i−1} is a predecessor of q_i ∈ Y_0 that verifies ϕ2 ∧ (ϕ1 ∨ z_l ≤ k). Then, according to the definition of the function g, q_{i−1} ∈ g(Y_0) = Y_1. By the same reasoning we deduce that q_{i−2} ∈ g^2(Y_0) = Y_2. This is repeated until reaching q ∈ Y_i. Since we proved that the least fixpoint of g is the least upper bound of the sequence Y_n, we finally have:

Now we propose and prove that the characteristic set of Eϕ1 U^k_{∼c} ϕ2 (deduced from the left part modality, Fig. 7) is given by the least upper bound of the following stationary and increasing (by inclusion) sequence:

where z and z_l are reset when the stationary value of the sequence X_n is reached, i.e. once the set of symbolic states satisfying Eϕ1 U^k_{∼c} ϕ2 has been computed.
Proof (sketch). We show in the same way as in the previous proof that:

Therefore we have the following result:

Note that when computing the iterations of the sequence X_n (resp. Y_n), the stop condition is given by convergence to the fixed point of f (resp. g), i.e. X_{n+1} = X_n (resp. Y_{n+1} = Y_n).
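To make the fixpoint argument of this section concrete, here is an added Python example (not from the paper, nor from UPPAAL or KRONOS) that runs the Kleene iteration on a constructed finite transition system instead of zones: the nodes play the role of symbolic states (q, Z), edges are labelled as action or delay steps, and the predecessor operator of Definition 4 becomes a one-step predecessor restricted to Q1. The recurrence g(Y) = Y_0 ∪ (Q1-predecessors of Y) is the untimed skeleton shared by the TCTL sequence of Section IV-B and the sequences X_n and Y_n above; the chain Y_0 ⊆ Y_1 ⊆ ... and the stop condition Y_{n+1} = Y_n are exactly those of the proof. The graph, its labelling and all function names are constructed for this example.

```python
# Constructed finite transition system standing in for the symbolic state space:
# each node is a "symbolic state", each edge an action ("a") or a delay ("d") step.
TRANSITIONS = [
    ("A", "d", "B"), ("A", "a", "D"), ("B", "a", "C"),
    ("C", "d", "E"), ("D", "a", "F"), ("F", "a", "E"),
]
SAT_PHI1 = frozenset({"A", "B", "C", "D"})   # constructed: states where phi1 holds
SAT_PHI2 = frozenset({"E"})                   # constructed: states where phi2 holds


def pre_operator(q1, q2, transitions):
    """Finite-graph version of the predecessor operator of Definition 4:
    states of q1 reaching q2 by one action step (instantaneous predecessors)
    or by one delay step (temporal predecessors, whose source must lie in q1)."""
    action = {s for s, kind, t in transitions if kind == "a" and t in q2}
    delay = {s for s, kind, t in transitions if kind == "d" and t in q2}
    return frozenset(q1 & (action | delay))


def least_fixpoint(g, y0):
    """Kleene iteration Y_{n+1} = g(Y_n) from Y_0, stopping at the first n with
    Y_{n+1} = Y_n.  Returns the stationary value and the whole chain Y_0, ..., Y_r."""
    chain = [y0]
    while True:
        nxt = g(chain[-1])
        if nxt == chain[-1]:          # stop condition of the paper: Y_{n+1} = Y_n
            return chain[-1], chain
        chain.append(nxt)


def char_set_EU(sat_phi1, sat_phi2, transitions):
    """Characteristic set of E phi1 U phi2 as the least fixpoint of
    g(Y) = [[phi2]] ∪ pre_operator([[phi1]], Y)."""
    def g(y):
        return frozenset(sat_phi2) | pre_operator(sat_phi1, y, transitions)
    return least_fixpoint(g, frozenset(sat_phi2))


def is_increasing(chain):
    """Check Y_n ⊆ Y_{n+1} along the chain (the 'increasing by inclusion' claim)."""
    return all(a <= b for a, b in zip(chain, chain[1:]))


if __name__ == "__main__":
    result, chain = char_set_EU(SAT_PHI1, SAT_PHI2, TRANSITIONS)
    for n, y in enumerate(chain):
        print(f"Y{n} = {sorted(y)}")
    print("characteristic set:", sorted(result))
```

Because the state space is finite, the chain becomes stationary after at most |S| strict growth steps, which is the finite-power-set argument of the proof in miniature; state D is excluded because its only path to E passes through F, where ϕ1 is false. With zones, the same loop runs over pairs (q, Z) and the stop condition is decided by the DBM inclusion test of Section VI.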

VI. IMPLEMENTATION OF THE ALGORITHM USING DBMS
To show that DBMs are appropriate for implementing the algorithm proposed in the previous section, we show how to compute, using DBMs, the new operations on zones appearing in the TCTL Δ model-checking algorithm. We first recall the main features of the DBM data structure, then we give an effective method for computing the operation Q1 Q2. We then present pseudocode for the Eϕ1 U^k_{∼c} ϕ2 model-checking algorithm.

A. The Implementation: the DBM Data Structure
In order to implement the TCTL model-checking algorithm, we need a data structure to represent zones; this data structure must allow testing the inclusion of zones and computing easily the different operations used in the algorithm, that is the intersection of two zones, the past of a zone, the image of a zone by a reset and the normalization of a zone. Tools like UPPAAL or KRONOS use the data structure proposed by Dill in [24], the DBM data structure. A detailed presentation of this data structure can be found in [20].
A difference bounded matrix (DBM for short) for n clocks is an (n + 1)-square matrix of pairs. A DBM M = (m_{i,j}; ≺_{i,j})_{i,j=0...n} defines the following subset of R^n (the clock x_0 is supposed to be always equal to zero, i.e. for each valuation v, v(x_0) = 0):

where γ < ∞ means that γ is some real (there is no bound on it). This subset of R^n is a zone and will be denoted [[M]] (see Example 4). Thus the DBMs are not a canonical representation of zones. Moreover, it is not possible to test syntactically whether

A normal form has thus been defined for representing zones. Its computation uses the Floyd-Warshall algorithm and some syntactic rewritings (see [24], [20] for a description of this procedure). In what follows, we denote by Φ(M) the normal form of M. Before stating some very important properties of the normal form, we define a total order on the set V of pairs (m; ≺) in the following way: if (m; ≺), (m'; ≺') ∈ V, then

Of course, for each m ∈ Z, it holds that m < ∞. We define >, ≥ and < in the natural way. These orders are extended to DBMs in the following way: let M = (m_{i,j}; ≺_{i,j})_{i,j=0...n} and M' = (m'_{i,j}; ≺'_{i,j})_{i,j=0...n} be two DBMs, then M ≤ M' ⇐⇒ for every i, j = 0...n, (m_{i,j}; ≺_{i,j}) ≤ (m'_{i,j}; ≺'_{i,j}).
We can now state some (very useful) properties of normal forms. If M and M' are DBMs, then:

The last point expresses the fact that the inclusion of zones can be checked syntactically on the normal forms of the DBMs representing the zones.

The quantifier is removed by the same procedure. The result is then: (q2, Z1) t (q2, Z2) = (q2, (y ≤ 10 ∧ y − z < −25)). Finally, using the action predecessor operator pre and the time predecessor operator, it is possible to compute the operation Q1 Q2. Therefore, we reduce all operations appearing in the TCTL Δ model-checking algorithm to known operations on zones, which are implemented through the DBM data structure.
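As an added illustration (not code from the paper, nor from UPPAAL or KRONOS), the following Python sketch implements the DBM operations this section relies on: bounds are stored as pairs (c, strict) standing for (m; ≺), the normal form Φ(M) is computed by Floyd-Warshall, emptiness is read off the diagonal, and inclusion is decided entry-wise on normal forms as the last property above states. It also provides the zone operations of Section IV-A that the backward algorithm needs (intersection, past, reset) and encodes the zone of Example 4 to show that two syntactically different DBMs normalize to the same matrix. The class and method names are choices of this example, not notation from the paper.

```python
import math

INF = (math.inf, True)   # no bound: x_i - x_j < ∞
ZERO = (0, False)        # x_i - x_j <= 0


def bound_le(a, b):
    """Total order on bounds (m, strict): for equal m, (<) is tighter than (<=)."""
    return a[0] < b[0] if a[0] != b[0] else (a[1] or not b[1])


def bound_min(a, b):
    return a if bound_le(a, b) else b


def bound_add(a, b):
    """Bound along a two-edge path; strict as soon as one edge is strict."""
    if math.isinf(a[0]) or math.isinf(b[0]):
        return INF
    return (a[0] + b[0], a[1] or b[1])


class DBM:
    """Difference Bounded Matrix over clocks x1..xn, with x0 the constant-zero clock.
    m[i][j] = (c, strict) encodes x_i - x_j < c (strict) or x_i - x_j <= c."""

    def __init__(self, n, rows=None):
        self.n = n
        self.m = rows or [[INF] * (n + 1) for _ in range(n + 1)]
        if rows is None:
            for i in range(n + 1):
                self.m[i][i] = ZERO
                self.m[0][i] = ZERO      # clocks are non-negative: x0 - xi <= 0

    def copy(self):
        return DBM(self.n, [row[:] for row in self.m])

    def constrain(self, i, j, c, strict=False):
        """Conjoin x_i - x_j ≺ c (j = 0 gives x_i ≺ c, i = 0 gives x_j ≻ -c)."""
        self.m[i][j] = bound_min(self.m[i][j], (c, strict))
        return self

    def canonical(self):
        """Normal form Φ(M): Floyd-Warshall tightens each bound to its shortest path."""
        d, idx = self.copy(), range(self.n + 1)
        for k in idx:
            for i in idx:
                for j in idx:
                    d.m[i][j] = bound_min(d.m[i][j], bound_add(d.m[i][k], d.m[k][j]))
        return d

    def is_empty(self):
        """Emptiness: a negative cycle leaves a diagonal entry below (0, <=)."""
        d = self.canonical()
        return any(not bound_le(ZERO, d.m[i][i]) for i in range(self.n + 1))

    def includes(self, other):
        """[[other]] ⊆ [[self]], decided entry-wise on the two normal forms."""
        if other.is_empty():
            return True
        a, b = self.canonical(), other.canonical()
        return all(bound_le(bo, ao) for ra, rb in zip(a.m, b.m) for ao, bo in zip(ra, rb))

    def intersect(self, other):
        rows = [[bound_min(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(self.m, other.m)]
        return DBM(self.n, rows).canonical()

    def past(self):
        """Time predecessors: drop the lower bounds x0 - xi of the normal form (clocks stay >= 0)."""
        d = self.canonical()
        for i in range(1, d.n + 1):
            d.m[0][i] = ZERO
        return d.canonical()

    def reset(self, clocks):
        """Image by x := 0 for each clock index in `clocks`: x takes over the bounds of x0."""
        d = self.canonical()
        for x in clocks:
            for j in range(d.n + 1):
                if j != x:
                    d.m[x][j], d.m[j][x] = d.m[0][j], d.m[j][0]
        return d.canonical()

    def contains(self, valuation):
        """Membership of a valuation {clock index: value}; x0 is always 0."""
        v = {0: 0.0, **valuation}
        for i in range(self.n + 1):
            for j in range(self.n + 1):
                c, strict = self.m[i][j]
                if (v[i] - v[j] >= c) if strict else (v[i] - v[j] > c):
                    return False
        return True


def example4_zone():
    """The zone of Example 4: x1 > 3 ∧ x2 <= 5 ∧ x1 - x2 < 4."""
    return (DBM(2).constrain(0, 1, -3, strict=True)    # x0 - x1 < -3, i.e. x1 > 3
                  .constrain(2, 0, 5)                  # x2 <= 5
                  .constrain(1, 2, 4, strict=True))    # x1 - x2 < 4


def example4_redundant():
    """A second DBM for the same zone, with the implied bounds x1 < 9 and x2 - x1 < 2 spelled out."""
    return example4_zone().constrain(1, 0, 9, strict=True).constrain(2, 1, 2, strict=True)
```

On the zone of Example 4, `example4_zone().canonical()` fills in x1 < 9 and x2 − x1 < 2, so that it coincides entry by entry with `example4_redundant().canonical()` although the two input matrices differ; this is the syntactic equality and inclusion test that the normal form makes possible. The `past` and `reset` operations are the two zone operations a backward iteration over pairs (q, Z) needs, and the `is_empty` check is what detects a dead symbolic state.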

VII. CONCLUSION
In this paper, we proposed a symbolic model-checking algorithm that computes the characteristic sets of some TCTL Δ formulae and checks their truth values. Moreover, we gave an accurate description of an implementation of our algorithm using zones and DBMs, the same approach as the one used in model-checkers like UPPAAL or KRONOS, in order to avoid the state-space explosion problem caused by the explicit construction of region graphs. Indeed, to get a tool from this algorithm, not much work is now necessary: the computation of each step of the algorithm is precisely described in this paper. Moreover, our algorithm appears really as an extension of the zone algorithm for TCTL, and its complexity is not higher. Thus, this work is the link that was missing between the theoretical work done by Houda Bel Mokadem et al. to abstract transient events in [13] (namely decidability and expressiveness) and a tool that would deal with TCTL Δ.

Figure 3: Example of equivalence over runs.

Example 3. Consider the zone Z drawn in dark gray in Fig. 4: Z is defined by the clock constraint

Example 4. Each DBM M on n clocks represents a zone of R^n, denoted in what follows by [[M]]. Note that several DBMs can define the same zone: the zone defined by the equations x1 > 3 ∧ x2 ≤ 5 ∧ x1 − x2 < 4 can be represented by two different DBMs.