Currently, formal verification of reactive, critical or embedded systems is a crucial problem, and automatic verification, more specifically model checking, has been widely developed during the last 20 years (see [CLA 99, SCH 01] for surveys). In this approach, we build a formal model M (e.g. an automaton, a Petri net, etc.) describing the behavior of the system under verification; the correctness property Φ is stated in a formal specification language (e.g. temporal logic), and a model checker is then used to decide automatically whether M satisfies Φ or not.

Often, it is necessary to consider real-time aspects: quantitative information about the elapsing of time has to be handled explicitly. This can be the case when describing a particular behavior (for instance, a time-out) or when stating a complex property (for example, "the alarm has to be activated within at most 10 time units after a problem has occurred"). In 1990, Alur and Dill proposed timed automata as a model to represent the behavior of real-time systems [ALU 90, ALU 94a]. This formalism extends classical automata with a set of real-valued variables (called clocks) that increase synchronously with time, and associates with every transition a guard (specifying when, i.e. for which values of the clocks, the transition can be performed) and an update operation (to be applied when the transition is performed). Thanks to these clocks, it becomes possible to express constraints over the delays between two transitions.

In this chapter, we present the classical timed automata model. We explain the main characteristics of this model, and describe the well-known region graph technique, a crucial construction for obtaining the decidability of many verification problems in this framework. We also mention several possible extensions of timed automata and several interesting subclasses. Finally, we describe algorithmic aspects and the basic data structure that is used to implement verification algorithms, and we present the Uppaal tool [LAR 97b].
Timed automata

Timed automata were proposed by R. Alur and D. Dill in the 1990s [ALU 90, ALU 94a] as a model for real-time systems. A timed automaton is a classical finite automaton which can manipulate clocks, evolving continuously and synchronously with absolute time. Each transition of such an automaton is labeled by a constraint over clock values (also called a guard), which indicates when the transition can be fired, and by a set of clocks to be reset when the transition is fired. Each location is constrained by an invariant, which restricts the clock values for which the automaton may stay in that location; an invariant can therefore force a transition to be taken before the clocks leave the allowed range. The time domain can be N, the set of non-negative integers, Q, the set of non-negative rationals, or even R, the set of non-negative real numbers. In this chapter, we choose R as the time domain, but most results are unchanged when considering Q or N.
Some notations

Let X be a finite set of variables, called clocks, taking values in R. A (clock) valuation v over X is a function v : X → ...