An Extension of the Inverse Method to Probabilistic Timed Automata


Electronic Communications of the EASST
Volume 23 (2009)

Proceedings of the
Ninth International Workshop on

Automated Verification of Critical Systems
(AVOCS 2009)

An Extension of the Inverse Method to Probabilistic Timed Automata

Étienne André, Laurent Fribourg, Jeremy Sproston

18 pages

Guest Editor: Markus Roggenbach
Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer
ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122

http://www.easst.org/eceasst/


ECEASST

An Extension of the Inverse Method to Probabilistic Timed
Automata

Étienne André1, Laurent Fribourg1, Jeremy Sproston2

1 LSV – ENS de Cachan & CNRS, France
2 Dipartimento di Informatica, Università di Torino, Italy

Abstract: Probabilistic timed automata can be used to model systems in which
probabilistic and timing behavior coexist. Verification of probabilistic timed au-
tomata models is generally performed with regard to a single reference valuation of
the timing parameters. Given such a parameter valuation, we present a method for
obtaining automatically a constraint on timing parameters for which the reachability
probabilities (1) remain invariant and (2) are equal to the reachability probabilities
for the reference valuation. The method relies on parametric analysis of a non-
probabilistic version of the probabilistic timed automata model using the “inverse
method”. Our approach is useful for avoiding repeated executions of probabilistic
model checking analyses for the same model with different parameter valuations.
We provide examples of the application of our technique to models of randomized
protocols.

Keywords: Probabilistic Model Checking, Parametric Timed Automata, Random-
ized Protocols

1 Introduction

Timed automata are finite control automata equipped with clocks, which are real-valued vari-
ables which increase uniformly [1]. This model is useful for reasoning about real-time systems,
because one can specify quantitatively the interval of time during which the transitions can occur,
using the bounds involved in invariants and guards labeling the nodes and arcs of the automa-
ton. An extension of timed automata to the probabilistic framework, where discrete actions are
replaced by discrete probability distributions over discrete actions, has been defined in [14, 17].
This model has been applied to a number of case studies [16]. Model-checking analysis of prob-
abilistic timed automata normally proceeds by reducing the model to a finite-state probabilistic
system and then employing a probabilistic model-checking tool such as PRISM [12, 23].

The constants used in some timing constraints of a real-time system may not be known, or
may be known with some uncertainty. Therefore methods for automatically generating values on
parameters in timing constraints for which the system behaves correctly are desirable. Methods
for synthesizing such parameters in timed automata have first been presented in [2]. In [3],
the following inverse problem has been considered: given a parametric timed automaton and
a reference valuation, which is a particular valuation of the parameters of the model, find a
constraint K0 on the parameters which is satisfied by the reference valuation and in which the
model behaves in the same manner as in the case of the reference valuation. For example, if the

1 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

reference valuation is known to exhibit good behavior, such as the impossibility of reaching an
error state, then our aim is to find a constraint on the parameters within which such good behavior
is guaranteed. In particular, this allows the system designer to optimize some parameters of the
system.

In this paper, we consider the application of the inverse method to probabilistic timed automata
models. We aim at synthesizing a constraint such that, for any valuation of the parameters
satisfying K0, the model is “time-abstract” equivalent to the model for the reference valuation.
In the context of probabilistic timed automata, the computed constraint K0 defines parameter
valuations for which, in particular, minimum (resp., maximum) probabilities of satisfying a given
property (e.g., reachability of a certain location) are all equal. Therefore, given the computation
of K0, it suffices to compute a minimum (resp., maximum) probability for a single parameter
valuation satisfying K0. In order to infer such a constraint K0, we transform the system into a
non-probabilistic timed automaton, and apply the original inverse method of [3] to this timed
automaton. As in the method of [18], some attention has to be dedicated to the non-probabilistic
model construction so that the results of the inverse method apply to the original probabilistic
timed automaton.

Motivation. This approach is particularly important for probabilistic timed automata for the
following reason. As mentioned above, model checking for probabilistic timed automata in
practice generally relies on the reduction of the model to a finite-state system. The effectiveness
of the discrete-time semantics method most commonly used is sensitive to the timing constants
used in the description of the model: more precisely, the greater the timing constants, the larger
the state space of the finite-state system obtained from the discrete-time semantics construction,
and the more difficult the verification (the zone-based algorithm of [20] does not have this prop-
erty, but does not always perform better in practice than the discrete-time semantics approach).
In case studies it is standard to rescale the time unit used in the model to reduce the magnitude of
the timing constraints in order to reduce the size of the resulting finite-state system. This rescal-
ing operation possibly involves rounding lower bounds on clocks downwards, and upper bounds
upwards [16], which results in an abstraction in which the computed maximum (minimum, re-
spectively) probabilities may be greater (or less than, respectively) the actual probabilities in
the original model. The inverse method presents an alternative to this rescaling approach. By
applying the inverse method to obtain the constraint K0, we can choose the parameter valuation
satisfying K0 with the lowest possible values for the timing constraints: then, by performing
analysis on the model with this parameter valuation, we can obtain the same minimum and max-
imum probabilities as on the model using the reference valuation of the parameters. Hence, as
in the rescaling approach, we can obtain discrete-time models of limited size by reducing the
magnitude of the timing constants; however, in contrast to the rescaling approach, we can avoid
rounding of lower and upper bounds, thereby resulting in a model exhibiting the same proba-
bilities as obtained for the model corresponding to the reference valuation. We note that this
motivation also applies when considering discrete-time approaches to timed automata verifica-
tion, such as in [11, 7, 6].

Proc. AVOCS 2009 2 / 18



ECEASST

INIT
true

TRANSMIT
true

COLLIDE
y ≤ δ

send1
y := 0

send2
y := 0

end1

end2

y ≤ δ
send1
y := 0

y ≤ δ
send2
y := 0

y ≥ δ
busy1

y ≥ δ
busy2

cd

Figure 1: CSMA/CD Medium

Comparison to Related Work. In contrast to [21, 9, 10], we do not consider parameters over
probabilities, but only over timing constraints. A parametric probabilistic timed automata frame-
work which did not feature non-deterministic choice was considered in [8]. In contrast, the
framework we introduce in this paper features both nondeterministic and probabilistic choice.

An Illustrative Example. Consider the CSMA/CD protocol, as studied in the context of prob-
abilistic timed automata in [20]. We consider the case when there are two stations 1 and 2 trying
to send data at the same time. The overall model is given by the parallel composition of three
probabilistic timed automata representing the medium and two stations trying to send data.

The probabilistic timed automaton representing the medium is given in Fig. 1. The medium is
initially ready to accept data from any station (event send1 or send2). Once a station, say 1, starts
sending its data there is an interval of time (at most δ ), representing the time it takes for a signal
to propagate between the stations. In this interval the medium can accept data from station 2
(resulting in a collision). After this interval, if station 2 tries to send data it will get the busy
signal (busy2). When a collision occurs, there is a delay (again at most δ ) before the stations
realize there has been a collision, after which the medium will become free (event cd). If the
stations do not collide, then when station 1 finishes sending its data (event end1) the medium
becomes idle.

The probabilistic timed automaton representing a station i (i = 1, 2) is given in Fig. 2. Station i
starts by sending its data. If there is no collision, then, after λ time units, the station finishes send-
ing its data (event endi). On the other hand, if there is a collision (event cd), the station attempts
to retransmit the packet, where the scheduling of the retransmission is determined by a truncated
binary exponential backoff process. The delay before retransmitting is an integer number of time
slots (each of length slot). The number of slots that station i waits after the nth transmission
failure is chosen as a uniformly distributed random integer in the range: 0, 1, 2, . . . , 2bci+1 −1,
where bci = min(n, bcmax), and bcmax is a fixed upper bound for bci (initially: bci = n = 0).
This random choice is depicted in Fig. 2 by the assignment backoff i := RAND(bci)∗slot. Once
this time has elapsed, if the medium appears free the station resends the data (event sendi), while
if the medium is sensed busy (event busyi) the station repeats this process.

3 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

TRANSMIT
xi ≤ λ

INIT
true

DONE
true

WAIT
xi ≤ backoff i

COLLIDE
xi = 0

sendi
xi := 0

xi = λ
endi

cd
xi := 0

bci := min(bci + 1, bcmax)

xi = backoff i
sendi

xi := 0

xi = backoff i
busyi

xi := 0
bci := min(bci + 1, bcmax)

backoff i := RAND(bci)∗slot

Figure 2: CSMA/CD Station i

We consider in the following that bcmax is a constant equal to 1, and that δ , λ and slot are
parameters. The reference valuation for these parameters, taken from the IEEE standard 802.3
for 10 Mbps Ethernet, is: δ = 26µ s, λ = 808µ s, and slot = 2δ = 52µ s. The method for in-
ferring a constraint K0 on the parameters, which is satisfied by the reference valuation and in
which the behavior of the model remains the same, consists in transforming the system into
a non-probabilistic parametric timed automaton. We replace the random choice backoff i :=
RAND(bci)∗slot with a non-deterministic choice, i.e., a set of 2bci+1 transitions associated with
assignments of the form backoff i := j ∗slot, for j = 0, 1, 2, . . . , 2bci+1 −1. In the case where
bcmax = 1, the application of the inverse method to the non-probabilistic parametric timed au-
tomaton (see Section 4.1) infers for K0 the following constraint: (0 < δ < slot)∧(15slot < λ <
16slot). In particular, the minimum and maximum probabilities for a message sent by a station
to be transmitted (i.e., to reach the location DONE) after having collided exactly k times with
another message (action cd) are the same under the reference valuation and another parameter
valuation satisfying K0. This has two practical implications. Firstly, in order to compute the
aforementioned minimum and maximum probabilities for δ = 26, λ = 808, slot = 52, it suffices
to compute the minimum and maximum probabilities for δ = 1, λ = 31, slot = 2 (because both
valuations satisfy the constraint (0 < δ < slot)∧(15slot < λ < 16slot) generated by the inverse
method). Note that the valuation δ = 26, λ = 808, slot = 52 results in a model with 5240 states
using the discrete-time semantics construction, whereas the valuation δ = 1, λ = 31, slot = 2
results in a model with 282 states. The second practical implication concerns the case in which
the system designer wishes to understand the behavior of the system, in terms of minimum and
maximum probabilities, for a number of parameter valuations. The approach of obtaining such
information by changing manually the timing parameters and repeating model-checking analy-
sis is potentially time consuming. Instead, the application of the inverse method shows that the
minimum and maximum probabilities remain invariant for all parameter valuations satisfying the
constraint K0.

Proc. AVOCS 2009 4 / 18



ECEASST

Plan of the paper. In Section 2, we present the definition of parametric probabilistic timed
automata. In Section 3, we apply the inverse method to probabilistic timed automata in the
following way: we construct a non-probabilistic version of the model, which is then subject to
the inverse method for parametric timed automata. In Section 4, we apply the method to three
probabilistic protocols with timing parameters (CSMA/CD, IEEE 1394 root contention, IEEE
802.11 WLAN). We conclude in Section 5.

2 Parametric Probabilistic Timed Automata

In Section 2.1, we review the definition of timed probabilistic systems, as defined in [17], which
is a variant of Segala’s probabilistic timed automata [22]. In Section 2.2, we extend the definition
of probabilistic timed automata [17] to the parametric case, and give its semantics in terms of
timed probabilistic systems (Section 2.3).

2.1 Timed Probabilistic Systems

Let R≥0 be the set of non-negative real numbers. A (discrete) probability distribution over a
countable set Z is a function µ : Z → [0, 1] such that ∑z∈Z µ(z) = 1. We define support(µ) =
{z ∈ Z | µ(z) > 0}. Then for an uncountable set Z we define Dist(Z) to be the set of functions µ :
Z → [0, 1], such that support(µ) is a countable set and µ restricted to support(µ) is a (discrete)
probability distribution. A point distribution is a distribution µ ∈ Dist(Z) such that µ(z) = 1 for
some (unique) z ∈ Z. Often we write µz for the point distribution such that µ(z) = 1.

A timed probabilistic system (TPS) is a tuple T = (S, S0, Act,⇒) where: S is a set of states,
including a set S0 of initial states; Act is a finite set of actions (disjoint from R≥0); ⇒⊆ S×
R≥0 ×Act ×Dist(S) is a probabilistic transition relation.

A transition s
d,a,µ
−−−→ s′ is made from a state s ∈ S by first nondeterministically selecting a

duration-action-distribution triple (d, a, µ) such that (s, d, a, µ) ∈⇒, and second by making a
probabilistic choice of target state s′ according to distribution µ , such that µ(s′) > 0. A path of a

TPS is a non-empty finite sequence of transitions ω = s0
d0,a0,µ0−−−−→ s1

d1,a1,µ1−−−−→···
dn−1,an−1,µn−1−−−−−−−−→ sn.

Given a path ω = s0
d0,a0,µ0−−−−→ s1

d1,a1,µ1−−−−→···
dn−1,an−1,µn−1−−−−−−−−→ sn, we let last(ω) = sn. The set of paths

of a TPS T is denoted by PathTfin. When clear from the context we omit the superscript T and
write Pathfin. We let Pathfin(s) denote the set of paths commencing in the state s ∈ S.

A scheduler is a partial function which chooses an outgoing transition in the last state of a
path, if a transition from the last state of a path exists. Formally, a scheduler of a TPS is a
partial function σ such that, for each path ω of the TPS, we have (1) if σ (ω) = (d, a, µ) then
(last(ω), d, a, µ) ∈⇒, and (2) if σ (ω) is undefined then there does not exist any (d, a, µ) such
that (last(ω), d, a, µ) ∈⇒. A scheduler resolves the nondeterminism by choosing a transition
based on the path executed so far. Intuitively, if a TPS is guided by scheduler σ and has the path
ω as its history, then it will be in state s in the next step with probability µ(s), where σ (ω) =
(d, a, µ); alternatively, if there is no available transition from ω , then the system deadlocks, and
the choice of the scheduler will be undefined. We denote the set of paths induced by a given

scheduler σ to be Pathσfin = {ω = s0
d0,a0,µ0−−−−→···

dn−1,an−1,µn−1−−−−−−−−→ sn | σ (ω↓i) = (di, ai, µi) for all i <

5 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

n}, where ω↓i returns the prefix of ω up to length i. Then we define Pathσfin(s) = Path
σ
fin ∩

Pathfin(s). A scheduler σ a TPS is said to be admissible if, for all s ∈ S0 and ω ∈ Pathσfin(s), there
exists some transition (last(ω), d, a, µ) ∈⇒. For each s ∈ S and scheduler σ , we can define the
probability measure Probσs over measurable sets of paths in the standard way [15].

2.2 Syntax of Parametric Probabilistic Timed Automata

We now extend the definition of probabilistic timed automata [17] to the parametric case. A clock
is a variable xi which takes values in R≥0. All clocks evolve linearly at the same rate. We denote
a set of clocks by X = {x1, . . . , xH}. We define a clock valuation as a function w : X → R≥0
assigning a non-negative real value to each clock. We will often identify a valuation w with the
point (w(x1), . . . , w(xH )) ∈ RH≥0. For d ∈ R≥0, we write w + d to denote the valuation such that
(w + d)(x) = w(x) + d for all x ∈ X . Given a clock valuation w and a set ρ ⊆ X of clocks, we
denote by ρ(w) the clock valuation such that ρ(w)(x) = 0 if x∈ρ and ρ(w)(x) = w(x) otherwise.

Let P = {p1, . . . , pM} be a set of parameters. A parameter valuation π is a function π : P →
R≥0 assigning a non-negative real value to each parameter. We will often identify a valuation
π with the point (π(p1), . . . , π(pM)) ∈ RM≥0. A linear inequality on the parameters P (linear
inequality on the clocks X and the parameters P, respectively) is an inequality e ≺ e′, where
≺∈{<,≤}, and e, e′ are two linear terms of the form:

∑
i

αi pi + d, ( ∑
i

αi pi + ∑
j

β jx j + d, respectively)

where 1 ≤ i ≤ M, 1 ≤ j ≤ H and αi, β j, d ∈ N. A constraint on the parameters P (constraint on
the clocks X and the parameters P, respectively) is a conjunction of inequalities on P (on X and
P, respectively).

In the sequel, the letter K (C, respectively) denotes a constraint on the parameters (on the
clocks and the parameters, respectively). We consider true as a constraint on P, corresponding
to the set of all possible values for P.

Given a parameter valuation π and a constraint C, we denote by C[π] the constraint obtained
by replacing each parameter p in C with π(p). Likewise, given a clock valuation w, we denote by
C[π][w] the expression obtained by replacing each clock x in C[π] with w(x). A clock valuation w
satisfies C[π], denoted by w |= C[π], if C[π][w] evaluates to true. We say that π satisfies C,
denoted by π |= C, if the set of clock valuations that satisfy C[π] is nonempty. Similarly, we say
that π satisfies K, denoted by π |= K, if the expression obtained by replacing each parameter p
in K with π(p) evaluates to true.

The following definition is an extension of the class of probabilistic timed automata to
the parametric case. Parametric probabilistic timed automata allow the use of parameters
in place of constants within guards and invariants, and are based on parametric timed au-
tomata [2]. A parametric probabilistic timed automaton (PPTA) A is a tuple of the form
A = (Σ, Q, q, X , P, I, prob), where:

• Σ is a finite set of actions,

• Q is a finite set of locations with an initial location q ∈ Q,

Proc. AVOCS 2009 6 / 18



ECEASST

• X is a finite set of clocks,

• P is a finite set of parameters,

• I is the invariant function, assigning to every q ∈ Q a constraint I(q) on the clocks X and
the parameters P, and

• prob is the probabilistic edge relation consisting of elements of the form (q, g, a, η), where
q ∈ Q, g is a constraint on the clocks X and the parameters P, a ∈ Σ, and η ∈Dist(2X ×Q).

We make the following assumptions on PPTAs.

Determinism on actions: Given a location q ∈ Q and action a ∈ Σ, there is at most one proba-
bilistic edge of the form (q, , a, ) ∈ prob.

Reset unicity: For any probabilistic edge (q, g, a, η) ∈ prob and location q′ ∈ Q, there exists at
most one ρ ∈ 2X such that η(ρ, q′) > 0.

Neither of these assumptions is restrictive, because a PPTA not satisfying the assumptions can
be transformed into a PPTA which does: for determinism on actions, it is necessary to add
and rename actions, whereas, for reset unicity, it suffices to add an extra clock and additional
locations. The assumptions of determinism on actions and reset unicity are commonly met in
practice, and they simplify the proofs of our subsequent results.

Let A be a PPTA. If, for each location q ∈ Q, we have that I(q) is a constraint only on clocks,
and, for each edge (q, g, a, η) ∈ prob, we have that g is a constraint only on clocks, we say that
A is a probabilistic timed automaton (PTA).

Remark. We make use in Figure 2 of several forms of syntactic sugar consisting in merging
several transitions issued from the same location, using assignments of the form bci := min(bci +
1, bcmax), or backoff i := RAND(bci)∗slot, following the conventions used, e.g., in [16].

2.3 Semantics of Parametric Probabilistic Timed Automata

In this section, we will consider the PPTA A = (Σ, Q, q, X , P, I, prob). Given a parameter
valuation π = (π(p1), . . . , π(pM)), we denote by A [π] the PTA obtained from A by substi-
tuting every occurrence of a parameter pi by π(pi) in the guards and invariants. Formally,
A [π] = (Σ, Q, q, X , P, I′, prob′), where I′ and prob′ are defined in the following way: for each
location q ∈ Q, we let I′(q) = I(q)[π], and we let prob′ be the smallest set such that, for each
(q, g, a, η) ∈ prob, we have (q, g[π], a, η) ∈ prob′.1

In the following, we consider the PTA A [π] resulting from a given valuation π of the param-
eters. A state of A [π] is a pair (q, w) ∈ Q×RH≥0 such that w |= I(q)[π]. Informally, the behavior
of A [π] can be understood as follows. The model starts in the initial location q with all clocks
set to 0. In this, and any other state (q, w), there is a nondeterministic choice of either (1) making
a discrete (probabilistic) transition or (2) letting time pass. In case (1), a discrete transition can

1 Strictly speaking, A [π] is a PTA only when π assigns a natural number (rather than a real) to each parameter, but
this does not matter in our context.

7 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

be made according to any probabilistic edge (q, g, a, η) ∈ prob with source location q which is
enabled; that is the constraint g is satisfied by the current clock valuation w. Then the probability
of moving to the location q′ and resetting all of the clocks in ρ to 0 is given by η(ρ, q′). In case
(2), the option of letting time pass is available only if the invariant I(q) is satisfied while time
elapses.

Formally, we define the semantics of a PTA as an associated infinite-state, infinite-branching
TPS, defined as follows. The TPS (or semantics) associated with A [π] is TA [π] = (S, S0, Σ,⇒)
with S = {(q, w) ∈ Q×(X → R≥0) | w |= I(q)[π]}, S0 = {(q, 0)} where 0(x) = 0 for all x ∈ X ,
and where ((q, w), d, a, µ) ∈⇒ if both of the following conditions hold :

Time elapse: w + d |= I(q)[π] ;

Edge traversal: there exists a probabilistic edge (q, g, a, η) ∈ prob such that w + d |= g[π] and,
for each (ρ, q′) ∈ support(η), we have µ(q′, ρ(w + d)) = η(ρ, q′).

Observe that the rule for discrete transitions is a simplified version of the standard rule [17],
and relies on the assumption of reset unicity. The definition of TA [π] also relies on the fact that A
and π satisfy the following well-formedness assumption. First, a PTA is said to be well-formed if
whenever a probabilistic edge is enabled it can be taken, i.e.: all of the probabilistic alternatives
(pairs of target location and clock reset) result in states. Formally, a PTA is said to be well-
formed if, for each probabilistic edge (q, g, a, η) ∈ prob and state (q, w) ∈ S such that w |= g[π],
we require that (q′, ρ(w)) ∈ S for each (ρ, q′) ∈ support(η). 2 Then we say that a PPTA is
well-formed if, for each parameter valuation, the resulting PTA is well-formed. A PPTA can
be transformed into a well-formed PPTA by incorporating the invariant associated to the target
location into the guard of each probabilistic edge (along the lines of the transformation in [20]).
For the remainder of the paper we assume that all of the PPTAs we consider are well-formed.

Note that a (P)PTA A for which all probabilistic edges feature point distributions can be
interpreted as a (parametric) timed automaton. More precisely, the (parametric) timed automaton
differs from A only in the edge relation: we represent a probabilistic edge (q, g, a, η) ∈ prob
of A , for which η(ρ, q′) = 1 for some ρ ⊆X and q′∈Q (recall that A features point distributions
only) by a single edge in the (parametric) timed automaton.

Networks of PPTAs can be defined by using parallel composition based on the synchronization
of discrete transitions of different components sharing the same action in a similar manner to
networks of PTAs [19].

Given a path ω = (q0, w0)
d0,a0,µ0−−−−→ (q1, w1)

d1,a1,µ1−−−−→···
dn−1,an−1,µn−1−−−−−−−−→ (qn, wn), we let the time-

abstract trace of ω be the sequence of alternating locations and actions q0a0q1a1 ···an−1qn.
Given a scheduler σ , we let traceσ : Pathσfin → (Q×Σ)

∗ be the function associating the time-
abstract trace with each path of Pathσfin. Then the time-abstract trace distribution of σ and state
s ∈ S is the probability measure over traces denoted by tdσs defined according to traceσ and
the trace distribution construction of Segala [22]. Although we do not consider the details of
the construction of trace distributions in this paper, we note that, for example, the probability

2 A counter-example of well-formed PTA is the following: let (q, w) be a state where w(x) = 2, let (q, x ≤ 2, a, η) be
a probabilistic edge such that η(q′, /0) = 12 and η(q

′′, /0) = 12 , and let inv(q
′) = (x ≤ 1) and inv(q′′) = (x ≤ 2). Then

the invariant of q′ is not satisfied when taking the probabilistic edge (q, x ≤ 2, a, η), followed by the probabilistic
selection of (q′, /0), from (q, w).

Proc. AVOCS 2009 8 / 18



ECEASST

assigned by tdσs to traces in which a certain location is reached is defined to be the same as
the probability assigned by Probσs to the set of paths in which this location is reached. The
set of time-abstract trace distributions of the TPS TA [π] is denoted by tdist(TA [π]) = {td

σ
s |

σ is a scheduler of TA [π] and s ∈ S0}.
We say that A [π] and A [π′] are time-abstract trace distribution equivalent, written

A [π] ≈tdist A [π′], if tdist(TA [π]) = tdist(TA [π′]). If A [π] ≈tdist A [π′], we can conclude that
the TPSs have time-abstract equivalent finite behaviors: for example, they assign the same max-
imum and minimum probabilities of reaching a certain location [18] (in general, they assign the
same maximum and minimum probabilities to linear-time properties on finite traces). Finally,
we write PathA [π]fin for Path

TA [π]
fin .

3 Analysis of PPTAs Using the Inverse Method

In this section we consider an application of the inverse method to PPTAs. Our approach consists
in applying the inverse method to a non-probabilistic version of the PPTA. The constraint output
by the inverse method is also a solution to the inverse problem for the PPTA and the reference
instantiation. Ideally, we would like to generate a constraint which is as weak as possible (i.e.,
satisfied by as many valuations as possible).

We first present formally the problem we intend to resolve, then introduce a method for ob-
taining (non-probabilistic) parametric timed automata from PPTAs. Finally we explain how the
results on the inverse method applied to parametric timed automata can be used to infer con-
straints on parameters of PPTAs.

3.1 The Inverse Problem on PPTAs

Consider the PPTA A = (Σ, Q, q, X , P, I, prob), which we assume is fixed throughout this sec-
tion. Let π be a valuation of parameters in P, and let ((q, w), d, a, µ) ∈⇒ be a transition of
TA [π]. Recall that, by reset unicity and the definition of TA [π], for each distinct (q, w), (q

′, w′) ∈
support(µ), we have q 6= q′. We define the distribution loc(µ) ∈ Dist(Q) over locations in the
following way: for each (q, w) ∈ S, we let loc(µ)(q) = µ(q, w).

Let π′ be a valuation of parameters in P. The path ω = (q0, w0)
d0,a0,µ0−−−−→···

dn−1,an−1,µn−1−−−−−−−−→

(qn, wn) of TA [π], is time-abstract path equivalent to the path ω
′ = (q′0, w

′
0)

d′0,a
′
0,µ
′
0−−−−→

···
d′n−1,a

′
n−1,µ

′
n−1−−−−−−−−→ (q′n, w′n) of TA [π], written ω ≡path ω′, if qi = q′i, ai = a

′
i, and loc(µi) = loc(µ

′
i )

for all i = 0, . . . , n. We extend the notion of time-abstract path equivalence to sets of paths: two
sets Ω and Ω′ of paths are time-abstract path equivalent, written Ω ≡path Ω′, if (1) for each path
ω ∈ Ω, there exists ω′∈ Ω′ such that ω ≡path ω′, and (2) conversely, for each path ω ∈ Ω′, there
exists ω′ ∈ Ω such that ω ≡path ω′.

We recall below a result from [18, 19] which allows to relate time-abstract equivalence on
paths to time-abstract trace distribution equivalence.

Proposition 1 Let A be a PPTA, and let π and π′ be instantiations of parameters P. If
PathA [π]fin (q, 0) ≡

path PathA [π
′]

fin (q, 0), then A [π] ≈
tdist A [π′].

9 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

In this paper, starting from an instantiation π0 of the set P of parameters, we are interested
in finding a constraint K0 on the parameters such that π0 |= K0, and for any valuation π of P
satisfying K0 we have time-abstract trace distribution equivalence between A [π0] and A [π].
Furthermore, we suppose that A [π0] has an admissible scheduler. The problem can be stated as
follows.

Consider a PPTA A and a valuation π0 of the parameters such that A [π0] has an
admissible scheduler. Find a constraint K0 such that :

1. π0 |= K0,

2. A [π] has an admissible scheduler, for all π |= K0, and

3. A [π] ≈tdist A [π0], for all π |= K0.

3.2 Non-probabilistic Version of a PPTA

In this subsection, we state formal properties relating a PPTA to its non-probabilistic version.
As explained in Section 2.3, it is straightforward to obtain a non-probabilistic parametric timed
automaton from a PPTA featuring point distributions only. Given a PPTA A , an edge generated
from (q, g, a, η)∈ prob is a tuple (q, g, a, η, ρ, q′) such that η(ρ, q′) > 0. Let edges(q, g, a, η) be
the set of the edges generated from (q, g, a, η), and let edges =

⋃
(q,g,a,η)∈prob edges(q, g, a, η)

denote the set of all edges of A .
The non-probabilistic version of A , written A ∗, is a PPTA which agrees with A on all ele-

ments apart from the probabilistic edge relation. Formally, let A ∗ = (Σ, Q, q, X , P, I, prob∗) be
the PPTA for which prob∗ is the smallest probabilistic edge relation such that for every edge
(q, g, a, η, ρ, q′) ∈edges, we have (q, g,〈〈q, g, a, η, ρ, q′〉〉, η(ρ,q′)) ∈ prob∗ (recall that η(ρ,q′) de-
notes the point distribution assigning probability 1 to the element (ρ, q′)). Observe that the state
sets of TA [π] and TA ∗[π] are equal. As noted in Section 2, from a PPTA for which all probabilistic
edges feature point distributions, we can obtain the corresponding parametric timed automaton.

In the following proposition, we use → to refer to a transition of the semantic TPS of A [π],
and →∗ to refer to a transition of the semantic TPS of A ∗[π].

Proposition 2 Let π be an instantiation of P and (q, w) be a state of TA [π] (and TA ∗[π]). For

each step (q, w)
d,a,µ
−−−→ (q′, w′) of TA [π], there exists the step (q, w)

d,〈〈q,g,a,η,ρ,q′〉〉,µ(q′,w′)−−−−−−−−−−−−−→∗ (q′, w′)
of TA ∗[π], where (q, g, a, η) ∈ prob is such that µ(q′, w′) = η(ρ, q′), and hence loc(µ)(q′) =

η(ρ, q′). Conversely, for each step (q, w)
d,〈〈q,g,a,η,ρ,q′〉〉,µ(q′,w′)−−−−−−−−−−−−−→∗ (q′, w′) of TA ∗[π], there exists the

step (q, w)
d,a,µ
−−−→(q′, w′) of TA [π] such that µ(q′, w′) = η(ρ, q′), and hence loc(µ)(q′) = η(ρ, q′).

Proposition 2 allows us to obtain a one-to-one mapping between transitions of A [π] and
A ∗[π]. By reasoning inductively, we can extend the proposition to obtain a one-to-one map-
ping between paths of A [π] and A ∗[π]. Note that the probability of the transitions of A [π] is
encoded in the actions of the associated transitions of A ∗[π]. This, together with the one-to-one
mapping between paths of A [π] and A ∗[π], implies that, for any pair ω∗, ω′∗ of paths such that

Proc. AVOCS 2009 10 / 18



ECEASST

ω∗ ∈ Path
A ∗[π]
fin (q, 0), ω

′
∗ ∈ Path

A ∗[π′]
fin (q, 0) and ω∗ ≡

path
ω
′
∗, we can generate the paths ω, ω

′,

such that ω ∈ PathA [π]fin (q, 0), ω
′∈ PathA [π

′]
fin (q, 0) and ω ≡

path
ω
′. Together, these facts allow us

to show the following.

Proposition 3 Let A be a PPTA, and let π and π′ be instantiations of parameters P. If
PathA

∗[π]
fin (q, 0) ≡

path PathA
∗[π′]

fin (q, 0), then Path
A [π]
fin (q, 0) ≡

path PathA [π
′]

fin (q, 0).

Proposition 4 Let A be a PPTA, and let π and π′ instantiations of parameters P. If
PathA [π]fin (q, 0) ≡

path PathA [π
′]

fin (q, 0), then A [π] has an admissible scheduler iff A [π
′] has an

admissible scheduler.

3.3 Resolution of the Inverse Problem for PPTAs

In [3], we have presented a method which solves the inverse problem for (the special case of)
non-probabilistic parametric timed automata. The inverse problem can be described formally in
the following way: given a non-probabilistic parametric timed automaton A and a valuation π0
of the parameters, find a constraint K0 such that π0 |= K0 and Path

A [π0]
fin (q, 0)≡

path PathA [π]fin (q, 0)
for all π |= K0. A brief explanation of the method is given in the appendix.

The following algorithm explains how to use the inverse method in the extended framework
of PPTAs.

ALGORITHM InverseMethodPPTA(A , π0)
Input A : PPTA

π0 : Valuation of the parameters
Output K0 : Constraint on the parameters

1. Construct the non-probabilistic version A ∗ of A .

2. Construct K0 for A ∗ using the classical inverse method.

Theorem 1 Given a PPTA A and a reference valuation π0 such that A [π0] has an admissible
scheduler, the constraint K0 returned by InverseMethodPPTA(A , π0) solves the inverse problem,
i.e., π0 |= K0, and, for all π |= K0, A [π] has an admissible scheduler, and A [π] ≈tdist A [π0].

Proof. Since K0 is a solution of the inverse problem for A ∗, we have Path
A ∗[π]
fin (q, 0) ≡

path

PathA
∗[π0]

fin (q, 0) for all π |= K0; hence, we have by Proposition 3 that Path
A [π]
fin (q, 0) ≡

path

PathA [π0]fin (q, 0) for all π |= K0. From Proposition 1, we conclude that A [π] ≈
tdist A [π0] for

all π |= K0. Furthermore, since A [π0] has an admissible scheduler, A [π] has an admissible
scheduler, for all π |= K0 (by Proposition 4).

As a consequence of Theorem 1, given the computation of K0 using
InverseMethodPPTA(A , π0), the maximum and minimum probabilities of satisfying linear-time
properties on finite traces will be the same in A [π] and A [π0].

11 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

Remark. The constraint K0 output by our method is not (in general) the weakest constraint
satisfying the inverse problem as defined in Section 3.1. One reason for this is that the constraint
output by the inverse method defined in [3] for (non-probabilistic) parametric timed automata is
always in conjunctive form. In contrast, the weakest constraint may be in disjunctive form (see
final remarks of [4]).

4 Application of the Inverse Method to PPTAs: Case Studies

In this section, we show the interest of the inverse method in the context of three case stud-
ies. More precisely, we consider three protocols, each modeled as a PPTA, and each with an
associated standard reference valuation π0.3

Our approach consists of the following two phases:

1. Using the tool IMITATOR [5], which implements the inverse method in the non-
probabilistic framework, we generate a constraint K0 for the non-probabilistic version of
the protocol.

2. Using the probabilistic model-checking tool PRISM [12, 23], we compute mini-
mum/maximum reachability probabilities for various properties with regard to a number of
parameter valuations. For parameter valuations satisfying K0, the probabilities computed
by PRISM are equal (as stated by Theorem 1); we also compute the probabilities for some
parameter valuations not satisfying K0.

4.1 CSMA/CD Protocol

We first apply our method to the CSMA/CD Protocol described in Section 1. We consider the
three parameters λ , δ and slot as described in [20, 23]. The following instantiation π0 of the
parameters is the reference valuation taken from the IEEE standard 802.3 for 10 Mbps Ethernet:
λ = 808µ s, slot = 52µ s and δ = 26µ s. As sketched in Section 1, the non-probabilistic paramet-
ric timed automaton A ∗ is obtained as follows: we compose the (non-probabilistic) medium of
Fig. 1 with the non-probabilistic version of the station, obtained by replacing in Fig. 2 the random
choice backoff i := RAND(bci)∗slot with a non-deterministic choice (i.e., a set of 2bci+1 transi-
tions associated with assignments of the form backoff i := j∗slot, for j = 0, 1, 2, . . . , 2bci+1 −1).

Applying IMITATOR to this non-probabilistic model and the reference valuation π0, we obtain
the following constraint:

K0 : δ < slot ∧ 15slot < λ < 16slot.
This constraint is such that A [π] and A [π0] are time-abstract trace-distribution equivalent, for
any π |= K0.

We consider the following four properties, described also with their associated PRISM syntax:

• Prop j, for j ∈{0, 1, 2}: minimum probability that station 1 transmits its message after
exactly j collisions, i.e., Pmin =?[F(s1 = done & nbCol = j)].

3 Note that we consider acyclic versions of those protocols (roughly speaking, by bounding the maximal number of
collisions in Section 4.1 and Section 4.3, and by bounding the number of rounds in Section 4.2).

Proc. AVOCS 2009 12 / 18



ECEASST

Name λ slot δ |= K0 Prop0 Prop1 Prop2 Prop≤3 Same as π0
π0 808 52 26 yes 0 0.5 0.375 0.96875 -
π1 404 26 13 yes 0 0.5 0.375 0.96875 yes
π2 31 2 1 yes 0 0.5 0.375 0.96875 yes
π3 47 3 2 yes 0 0.5 0.375 0.96875 yes
π4 940 60 59 yes 0 0.5 0.375 0.96875 yes
π5 940 60 60 no 0 0 0.1875 0.609375 no
π6 832 52 26 no 0 0.5 0.375 0.96875 yes
π7 52 52 26 no 0 0.5 0.375 0.96875 yes

Table 1: Minimum probability that station 1 transmits its message

• Prop≤3: minimum probability that station 1 transmits its message with no more than 3
collisions, i.e., Pmin =?[F(s1 = done & nbCol≤3)].

We apply PRISM to the system with the parameters set to different valuations (including π0).
The results are given in Table 1. For all π |= K0 (i.e., π0 to π4), the probabilities remain the
same. An observation is that, as soon as we violate the constraint K0 by considering the limit
case where δ = slot (i.e., π5), the probabilities are different. A further observation is that, even
if the value of λ violates K0 (i.e., π6 and π7), the probabilities can remain the same. Indeed, the
constraint generated by our method is not necessarily the weakest, i.e., we can find valuations π
of P (e.g., π6 and π7) s.t. π 6|= K0 but the values of the probabilities remain the same as for π0.

4.2 IEEE 1394 Root Contention Protocol

This case study concerns the root contention protocol of the IEEE 1394 (“FireWire”) High Per-
formance Serial Bus, also considered in the parametric framework in [13]. We consider the
rescaled instantiation of the parameters given in [19, 23]. This instantiation π0 is as follows4:
rc fast max = 85, rc fast min = 76, rc slow max = 167, rc slow min = 159, and delay = 30.
Applying IMITATOR to a (non-probabilistic) parametric timed automaton version of this model
and the reference valuation π0, we obtain the following constraint:

K0 : 2delay < rc fast min∧rc fast max + 2delay < rc slow min.
Note that this constraint is exactly the same as the one synthesized in [13]. We consider the

following properties:

• Prop≤3: minimum probability that a leader is elected after 3 rounds or less:
Pmin =?[F((nbRounds1≤3) & (((s1 = 8) & (s2 = 7))|((s1 = 7) & (s2 = 8))))].

• Prop≤5: minimum probability that a leader is elected after 5 rounds or less:
Pmin =?[F((nbRounds1≤5) & (((s1 = 8) & (s2 = 7))|((s1 = 7) & (s2 = 8))))].

The results of the application of PRISM to different parameter valuations are given in Table 2
(some parameter names are abbreviated for reasons of space). We notice as expected that, for

4 Note that the model given on PRISM’s webpage allows both values 30 and 360 for delay. Moreover, the IEEE
reference instantiation is given in ns but, due to the rescaling, we omit the unit here.

13 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

Name rf max rf min rs max rs min delay |= K0 Prop≤3 Prop≤5 Same as π0
π0 85 76 167 159 30 yes 0.875 0.96875 -
π1 40 35 80 75 15 yes 0.875 0.96875 yes
π2 4 3 8 7 1 yes 0.875 0.96875 yes
π3 85 61 167 159 30 yes 0.875 0.96875 yes
π4 85 76 167 146 30 yes 0.875 0.96875 yes
π5 85 76 167 159 36 yes 0.875 0.96875 yes
π6 85 76 167 159 37 no 0.71875 0.841796875 no

Table 2: Minimum probability that a leader is elected within 3 or 5 rounds

all π |= K0, the probabilities remain the same. Further experiments (including π6) show that, as
soon as the value of the parameters violates K0, the probabilities become different from π0. We
note that the parameter valuation π0 results in a state space of size 693107, for which Prop≤5
could be verified in time 319.512s, whereas π2 results in a state space of size 1393, for which
Prop≤5 could be verified in time 0.781s.

5

4.3 IEEE 802.11 Wireless Local Area Network Protocol

We also applied our method to the IEEE 802.11 Wireless Local Area Network Protocol, consider-
ing the following instantiation π0 of the parameters mentioned in [23] after rescaling from [18]6:

ASLOTTIME = 1 DIFS = 2 VULN = 1 TTMAX = 315
TTMIN = 4 ACK TO = 6 ACK = 4 SIFS = 1

Taking a parametric timed automaton version of the model and the parameter valuation π0 as
input, the tool IMITATOR computes the following constraint K0:

VULN > 0 ∧ SIFS > 0 ∧ ACK TO + DIFS < 15ASLOTTIME
∧ DIFS > 0 ∧ ASLOTTIME > 0 ∧ TTMIN + DIFS ≤ TTMAX
∧ ACK ≤ 2DIFS ∧ DIFS < TTMIN ∧ ACK TO + DIFS ≤ ACK + TTMIN
∧ SIFS < TTMIN ∧ TTMIN ≥ ACK ∧ TTMIN ≤ ACK TO
∧ VULN < ACK
We consider the maximum probability that either station’s backoff counter reaches k, for k =

1, 2, 3, as considered in [18]. The results of the application of PRISM are given in Table 3, where
the properties are denoted by Propk=i for k = 1, 2, 3. The parameters p1, p2, . . . , p8 stand for
ASLOTTIME, DIFS, VULN, TTMAX, TTMIN, ACK TO, ACK, SIFS respectively. Note that the
real timings originating from the IEEE 802.11 standard (viz., in µ s, ASLOTTIME = 50, DIFS =
128, VULN = 48, TTMAX = 15, 717, TTMIN = 224, ACK TO = 300, ACK = 205, SIFS = 28)
satisfy themselves the constraint K0. Our approach thus provides us with a justification of the
abstraction done in [18] consisting in reducing the time scale of the model. Also observe that,
as expected from the form of K0, the value of Probk=i is insensitive to important variations of
TTMAX, i.e. parameter p4 (provided its value remains greater or equal to TTMIN + TTDIFS, i.e
p4 ≥ p2 + p5). For example, Probk=i is equal for π0 and π2, in spite of the fact that p4 is changed
from 315 to 6.
5 Experiments were performed on an Intel Core 2 Duo with 2GB of RAM.
6 Note that, due to rescaling, the model given on PRISM’s webpage allows several values for the parameters, e.g., 2
and 3 for DIFS.

Proc. AVOCS 2009 14 / 18



ECEASST

Name p1 p2 p3 p4 p5 p6 p7 p8 |= K0 Propk=1 Propk=2 Propk=3 Same as π0
π0 1 2 1 315 4 6 4 1 yes 1 0.183593 0.017032 -
π1 1 2 1 150 4 6 4 1 yes 1 0.183593 0.017032 yes
π2 1 2 1 6 4 6 4 1 yes 1 0.183593 0.017032 yes
π3 1 2 1 315 10 12 4 1 yes 1 0.183593 0.017032 yes
π4 1 2 1 12 10 12 4 1 yes 1 0.183593 0.017032 yes
π5 2 4 2 630 8 12 8 2 yes 1 0.183593 0.017032 yes
π6 2 4 2 315 8 10 7 2 yes 1 0.183593 0.017032 yes

Table 3: Maximum probability of either station’s backoff counter reaching k

5 Final Remarks

In this paper we have shown that the inverse method presented in [3] can be applied, not just to
non-probabilistic parametric timed automata, but also to their probabilistic extension, for proving
time-abstract properties. The method relies on the conversion of PPTAs to non-probabilistic
parametric timed automata, then on the application of the inverse method of [3]. The method
has been shown to be successful in obtaining smaller parameter values, which can be helpful in
reducing the size of the integer-time semantic PTA models prior to model checking. In certain
cases, this makes possible probabilistic verification of systems which cannot be model checked
directly, due to the prohibitive size of the constants.

Since the constraint output by our method is not the weakest in general (see the remark in
Section 3.3), it is interesting to design methods for weakening it further. In particular, the incre-
mental method sketched in [3] could also be used in the probabilistic framework.

Let us finally point out that, in [18, 19, 16], another class of properties, named “soft deadline
properties”, is treated: for example, the minimum probability of a station delivering a packet
within some deadline. Such properties are not “time-abstract”, and fall beyond the class of those
considered here. We note that soft deadline properties can be reduced to time-abstract location
reachability properties, but with the addition of constraints within the model: hence, the inverse
problem must be solved on the modified model. We plan to explore this approach in future work.

Acknowledgement. Étienne André and Laurent Fribourg are partially supported by the
Agence Nationale de la Recherche, grant ANR-06-ARFU-005, and by Institute Farman
(project SIMOP). Jeremy Sproston is supported in part by the MIUR-PRIN project PaCo -
Performability-Aware Computing: Logics, Models and Languages.

Bibliography

[1] R. Alur and D. L. Dill. A theory of timed automata. TCS, 126(2):183–235, 1994.

[2] R. Alur, T. Henzinger, and M. Vardi. Parametric real-time reasoning. In Proc. STOC ’93,
pages 592–601. ACM, 1993.

15 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

[3] É. André, T. Chatain, E. Encrenaz, and L. Fribourg. An inverse method for parametric
timed automata. International Journal of Foundations of Computer Science, 20(5):819–
836, 2009.

[4] É. André, E. Encrenaz, and L. Fribourg. Synthesizing parametric constraints on various
case studies using IMITATOR. Research Report LSV-09-13, Laboratoire Spécification et
Vérification, ENS Cachan, France, 2009.

[5] Étienne André. IMITATOR: A tool for synthesizing constraints on timing bounds of timed
automata. In Proc. ICTAC’09, volume 5684 of LNCS, pages 336–342. Springer, 2009.

[6] Dirk Beyer. Improvements in BDD-based reachability analysis of timed automata. In Proc.
FME’01, volume 2021 of LNCS, pages 313–343. Springer, 2001.

[7] M. Bozga, O. Maler, and S. Tripakis. Efficient verification of timed automata using dense
and discrete time semantics. In Proc. CHARME’99, volume 1703 of LNCS. Springer, 1999.

[8] N. Chamseddine, M. Duflot, L. Fribourg, C. Picaronny, and J. Sproston. Computing ex-
pected absorption times for parametric determinate probabilistic timed automata. In Proc.
QEST’08, pages 254–263. IEEE, 2008.

[9] Conrado Daws. Symbolic and parametric model checking of discrete-time Markov chains.
In Proc. ICTAC’04, volume 3407 of LNCS, pages 280–294. Springer, 2004.

[10] T. Han, J.-P. Katoen, and A. Mereacre. Approximate parameter synthesis for probabilistic
time-bounded reachability. In Proc. RTSS’08, pages 173–182. IEEE, 2008.

[11] T. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In Proc. ICALP’92,
volume 623 of LNCS, pages 545–558. Springer, 1992.

[12] A. Hinton, M. Kwiatkowska, G. Norman, and D. Parker. PRISM: A tool for automatic
verification of probabilistic systems. In Proc. TACAS’06, volume 3920 of LNCS, pages
441–444. Springer, 2006.

[13] T.S. Hune, J.M.T. Romijn, M.I.A. Stoelinga, and F.W. Vaandrager. Linear parametric model
checking of timed automata. Journal of Logic and Algebraic Programming, 2002.

[14] Henrik Ejersbo Jensen. Model checking probabilistic real time systems. In Proc. of the 7th
Nordic Work. on Progr. Theory. Chalmers Institute of Technology, 1996.

[15] J. G. Kemeny, J. L. Snell, and A. W Knapp. Denumerable Markov Chains. Graduate Texts
in Mathematics. Springer, 2nd edition, 1976.

[16] M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of proba-
bilistic timed automata using digital clocks. FMSD, 29:33–78, 2006.

[17] M. Kwiatkowska, G. Norman, R. Segala, and J. Sproston. Automatic verification of real-
time systems with discrete probability distributions. TCS, 282:101–150, 2002.

Proc. AVOCS 2009 16 / 18



ECEASST

[18] M. Kwiatkowska, G. Norman, and J. Sproston. Probabilistic model checking of the IEEE
802.11 wireless local area network protocol. In Proc. PAPM/PROBMIV’02, volume 2399
of LNCS, pages 169–187. Springer, 2002.

[19] M. Kwiatkowska, G. Norman, and J. Sproston. Probabilistic model checking of deadline
properties in the IEEE 1394 FireWire root contention protocol. Formal Aspects of Comput-
ing, 14(3):295–318, 2003.

[20] M. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for
probabilistic timed automata. Information and Computation, 205(7):1027–1077, 2007.

[21] R. Lanotte, A. Maggiolo-Schettini, and A. Troina. Weak bisimulation for probabilistic
timed automata and applications to security. In Proc. SEFM’03, pages 34–43. IEEE, 2003.

[22] Roberto Segala. Modeling and Verification of Randomized Distributed Real-Time Systems.
PhD thesis, Massachusetts Institute of Technology, 1995.

[23] PRISM web page. http://www.prismmodelchecker.org/.

17 / 18 Volume 23 (2009)



An Extension of the Inverse Method to Probabilistic Timed Automata

ALGORITHM InverseMethod(A , π0)
Inputs A : Parametric timed automaton of initial location q

π0 : Reference valuation of the parameters
Output K0 : Constraint on the parameters
Variables i : Current iteration

S : Current set of symbolic states (S =
⋃i

j=0 Post
j
A (K)({(q, K)}))

K : Current constraint on the parameters
i := 0 ; K := True ; S := {(q, True)}
DO

DO UNTIL there are no π0-incompatible states in S
Select a π0-incompatible state (q,C) of S (i.e., s.t. π0 6|= C)
Select a π0-incompatible J in C (i.e., s.t. π0 6|= J)
K := K ∧¬J ; S :=

⋃i
j=0 Post

j
A (K)({(q, K)})

OD %% S is π0-compatible
IF PostA (K)(S) = /0 THEN RETURN K0 :=

⋂
(q,C)∈S(∃X : C) FI

i := i + 1 ; S := S∪PostA (K)(S) %% S =
⋃i

j=0 Post
j
A (K)({(q, K)})})

OD

Figure 3: Algorithm InverseMethod

Appendix: The Inverse Method

Given a (classical) parametric timed automaton A and a reference instantiation π0 of parameters,
the inverse method outputs a constraint K0 such that :

1. π0 |= K0,

2. PathA [π0]fin ≡
path PathA [π]fin , for all π |= K0.

The algorithm InverseMethod can be summarized as follows. Starting with K := True, we
iteratively compute a growing set of reachable symbolic states. A symbolic state of the system
is a couple (q,C), where q is a location of A , and C a constraint on the parameters7. When
a π0-incompatible state (q,C) is encountered (i.e., when π0 6|= C), K is refined as follows : a
π0-incompatible inequality J (i.e., such that π0 6|= J) is selected within C, and ¬J is added to K.
The procedure is then started again with this new K, and so on, until no new reachable state is
computed (we focus here on acyclic systems: see [3] for details).

A simplified version of algorithm InverseMethod is given in Fig. 3, where the clocks have
been disregarded for the sake of simplicity. We denote by PostiA (S) the set of symbolic states
reachable from S in at most i steps of A .

There is an implementation of this algorithm, called IMITATOR, which is written in Python,
and makes use of HYTECH for the computation of the Post operation. The Python program
contains about 1500 lines of code, and its writing took about 4 man-months of work (see [5]).
7 Strictly speaking, C is a constraint on the parameters and the clocks, but the clocks are omitted here for the sake of
simplicity. See [3] for more details.

Proc. AVOCS 2009 18 / 18


	Introduction
	Parametric Probabilistic Timed Automata
	Timed Probabilistic Systems
	Syntax of Parametric Probabilistic Timed Automata
	Semantics of Parametric Probabilistic Timed Automata

	Analysis of PPTAs Using the Inverse Method
	The Inverse Problem on PPTAs
	Non-probabilistic Version of a PPTA
	Resolution of the Inverse Problem for PPTAs

	Application of the Inverse Method to PPTAs: Case Studies
	CSMA/CD Protocol
	IEEE 1394 Root Contention Protocol
	IEEE 802.11 Wireless Local Area Network Protocol

	Final Remarks