On the verification of strictly deterministic behavior of Timed Finite State Machines

. Finite State Machines (FSMs) are widely used as formal models for solving numerous tasks in software engineering, VLSI design, development of telecommunication systems, etc. To describe the behavior of a real-time system one could supply FSM model with clocks — a continuous time parameters with real values. In a Timed FSM (TFSM) inputs and outputs have timestamps, and each transition is equipped with a timed guard and an output delay to indicate time interval when the transition is active and how much time does it take to produce an output. A variety of algorithms for equivalence checking, minimization and test generation were developed for TFSMs in many papers. A distinguishing feature of TFSMs studied in these papers is that the order in which output letters occur in an output timed word does not depend on their timestamps. We think that such behavior of a TFSM is not realistic from the point of view of an outside observer. In this paper we consider a more advanced and adequate TFSM functioning; in our model the order in which outputs become visible to an outsider is determined not only by the order of inputs, but also by de lays required for their processing. When the same sequence of transitions is performed by a TFSM modified in a such way, the same outputs may follow in different order depending on the time when corresponding inputs become available to the machine. A TFSM is called strictly deterministic if every input timed word activates no more than one sequence of transitions (trace) and for any input timed word which activates this trace the letters in the output words always follows in the same order (but, maybe, with different timestamps). We studied the problem of checking whether a behavior of an improved model of TFSM is strictly deterministic. To this end we showed how to verify whether an arbitrary given trace in a TFSM is steady, i.e. preserves the same order of output letters for every input timed word which activates this trace. Further, having the criterion of trace steadiness, we developed an exhaustive algorithm for checking the property of strict determinacy of TFSMs. Exhaustive search in this case can hardly be avoided: we proved that determinacy checking problem for our model of TFSM is co-NP-hard.


Introduction
Finite State Machines (FSMs) are widely used as formal models for analysis and synthesis of information processing systems in software engineering, VLSI design, telecommunication, etc. The most attractive feature of this model of computation is its simplicitymany important synthesis and analysis problems (equivalence checking, minimization, test derivation, etc.) for classical FSMs can be solved in time which is almost linear or quadratic of the size of an FSM under consideration. The concept of FSM is rather flexible. Since in many applications time aspects such as durations, delays, timeouts are very important, FSMs can be augmented with some additional features to describe the dependence of the behavior of a system on events occurring in real time. One of the most advanced timed extension of FSMs is the concept of Timed Automata which was developed and studied in [1]. Timed Automata are supplied with clocks (timers) for indicating real time moments, measuring durations of events, providing timeout effects. Transitions in such automata depends not only on the incoming of the outside messages and signals but also on the values of clocks. Further research showed that this model of computation is very expressive and captures many important features of real-time systems behavior. On the other side, Timed Automata in the full scope of their computing power are very hard for analysis and transformations. The reachability problem for Timed Automata is decidable [2], and, therefore, this model of computation is suitable for formal verification of real-time computer systems. But many other problems such as universality, inclusion, determinability, etc. are undecidable (see [2], [8]), and this hampers considerably formal analysis of Timed Automata. When a Timed Automaton is capable to selectively reset timers, it can display rather sophisticated behavior which is very difficult for understanding and analysis. In some cases, such ability is very important; see, e.g. [9]. But a great deal of real-time programs and devices operate with timers much more simply: as soon as such a device switches to a new mode of operation (new state), it resets all timers. Timed Finite State Machines (TFSM) of this kind were studied in [5], [10], [13], [14]. TFSM has the only timer which it resets "automatically" as soon as it moves from one state to another. On the other hand, TFSMs, in contrast to Timed Automata introduced in [1], operate like transducers: they receive a sequence of input signals augmented with their timestamps (input timed word) and output a sequence of responses also labeled by timestamps (output timed word). The timestamps are real numbers which indicate the time when an input signal becomes available to a TFSM or an output response is generated. Transitions of a TFSM are equipped with time guards to indicate time intervals when transitions are active. Therefore, a reaction of a TFSM to an input signal depends not only on the signal but also on its timestamp. Some algorithms for equivalence checking, minimization and test generation were developed for TFSMs in [6], [5], [13], [14], [15]. It can be recognized that this model of TFSM combines a sufficient expressive power for modeling a wide class of real-time information processing systems and a developed algorithmic support.
As it was noticed above a behavior of a TFSM is characterized by a pair sequences: an input timed word and a corresponding output timed word. A distinguishing feature of TFSMs studied in [5], [10], [13], [14], [15] is that an output timed word is formed of timestamped output letters that follows in the same order as the corresponding input letters regardless of their timestamps. Meanwhile, suppose that a user of some file management system gives a command «Save» and immediately after that a command «Exit». Then if a file to be saved is small then the user will observe first a response «File is saved» and then a notification «File Management System is closed». But if a file has a considerable size then it takes a lot of time to close it. Therefore, it can happen that a user will detect first a notification «File Management System is closed» and then, some time later, he/she will be surprised to find an announcement «File is saved». Of course, the user may regard such behavior of the system enigmatic. But much worse if the order in which these notifications appear may vary in different sessions of the system. If a File Management System interacts with other service programs such an interaction will almost certainly lead to errors. However, if a behavior of TFSMs is defined as in the papers referred above then such a model can not adequately capture behavioral defects of real-time systems, similar to the one that was considered in the example. To avoid this shortcoming of conventional TFSMs and to make their behavior more "realistic" from the point of view of an outside observer we offer some technical change to this model. We will assume that an output timed word consists of timestamped letters, and these letters always follow in ascending order of their timestamps regardless of an order in which the corresponding input letters entered a TFSM. In this model it may happen so that an input follows an input but a response to appears before a response to is computed. Clearly, the defect with File Management System discussed above becomes visible to an outside observer "through" the model of TFSMs thus modified. At first sight, it may seem that this change only slightly complicates the analysis of the behavior of such models. But this is a false impression. In the initial model of TFSM the formation of an output timed word is carried out by local means for each state of the system. In our model this is a global task since to find the proper position of a timestamped output letter one should consider the run of TFSM as a whole. Therefore, even the problem of checking whether a behavior of an improved model of TFSM is deterministic can not be solved as easy and straightforwardly as in the case of the initial model of TFSM. It should be noticed that the property of deterministic behavior is very important in theory real-time machines. As it was said above, universality, inclusion and equivalence checking problems are undecidable for Timed Automata in general case [2] but all these problems have been shown to be decidable for deterministic Timed Automata [3], [11]. However, testing whether a Timed Automaton is determinable has been proved undecidable [8]. Understanding and coping with these weaknesses have attracted lots of research, and classes of timed automata have been exhibited, that can be effectively determinized [3], [12]. A generic construction that is applicable to every Timed Automaton, and which, under certain conditions, yields a deterministic Timed Automaton, which is language-equivalent to the original timed automaton, has been developed in [4]. We studied the determinacy checking problem for improved TFSMs and present the results of our research in this paper. First, we offer a criterion to determine whether a given sequence of transition (trace) in a TFSM is steady, i.e. for any input timed word which activates this trace the letters of output words always follow in the same order (but, maybe, with different timestamps). Then, using this criterion we developed an exhaustive algorithm for checking the property of strict determinacy of TFSMs. This property means that every input timed word activates no more than one trace and all traces in a TFSM are steady. Exhaustive search, although been time consuming, can hardly be avoided in this case: we proved that determinacy checking problem for improved version of TFSMs is co-NP-hard by polynomially reducing to its complement the subset-sum problem [7] which is known to be NPcomplete. The structure of the paper is as follows. In Section II we define the basic notions and introduce an improved concept of TFSM (or, it would be better said, a concept of TFSM with an improved behavior). In Section III we present necessary and sufficient conditions for steadiness of traces in a TFSM and show how to use this criterion to check whether a given TFSM is strictly deterministic. Section IV contains the results on the complexity of checking the properties of strictly deterministic behavior of TFSM. In the Conclusion we briefly outline the consequences of our results and topics for further research.

Formatting overview
Consider two non-empty finite alphabets and ; the alphabet is an input alphabet and the alphabet is an output alphabet. The letters from can be regarded as control signals received by some real-time computing system, whereas the letters from may be viewed as responses (actions) generated by the system. A finite sequence = 1 , 2 , … , of input letters is called an input word, whereas a sequence = 1 , 2 , … , of output letters is called an output word. As usual, the time domain is represented by the set of non-negative reals ℝ 0 + . The set of all positive real numbers will be denoted by ℝ + . When such a system receives a control signal (a letter ) its output depends not only on the input signal but also on  a current internal state of the system,  a time instance when becomes available to a system, and  time required to process the input (output delay).
These aspects of real-time behavior can be formalized with the help of timestamps, time guards and delays. A timestamp as well as a delay is a real number from ℝ + . A timestamp indicates a time instance when the system receives an input signal or generates a response to it. A delay is time the system needs to generate an output response after receiving an input signal. A time guard is an interval = ⟨ , ⟩, where ⟨∈ {(, [}, ⟩ ∈ {), ]}, and , are timestamps such that 0 < < . Time intervals indicate the periods of time when transitions of a system are active for processing input signals. As usual, the term time sequences is reserved for an increasing sequence of timestamps. For the sake of simplicity we will deal only with time guards of the form ( , ]: all the results obtained in this paper can be adapted with minor changes to arbitrary time guards. Let = , , … and = , , … , be an input (output) word and a time sequence, respectively, of the same length. Then a pair ( , ) is called a timed word. Every pair of corresponding elements and , ≤ ≤ , indicates that an input signal (or an output response) appears at time instance . In order to make this correspondence clearer we will often write timed words as sequences of pairs ( , ) = ( , ), ( , ), … , ( , ) whose components are input signals (or output responses) and their timestamps.
A Finite State Machine (FSM) over the alphabets and is a triple = ⟨ , , ⟩ where is a finite non-empty set of states, is an initial state, ⊆ ( × × × ) is a transition relation. A transition ( , , , ′) means that FSM when being at the state and receiving an input signal moves to the state ′ and generates the output response .
FSMs can not measure time and, therefore, they are unsuitable for modeling the behavior of real-time systems. The authors of [1] proposed to equip FSMs with clocksvariables which take non-negative real values. To manipulate with clocks machines use reset instructions, timed guards and output delays. Time guards indicate time intervals when transitions are active for processing input signals. An output delay indicates how much time does it take to process an input. Thus, every transition in such a machine is a quadruple ⟨ , , , ⟩. Input signals and output responses are accompanied by timestamps. If an input is marked by a timestamp which satisfies the time guard then the transition fires, the machine moves to the next state and generates the output. This output is marked by a timestamp which is equal to the timestamp of the input plus the delay. For real-time machines of this kind usual problems from automata theory (equivalence and containment checking, minimization, etc.) may be set up and solved. The minimization problem for realtime machines is very important, since the complexity of many analysis and synthesis algorithms depend on the size of machines. In [14] this problem was studied under the so called "slow environment assumption": next input becomes available only after an output response to the previous one is generated.
In this paper, we consider a more advanced real-time machine; in this model the order in which outputs become visible to an outside observer is determined not only by the order in which inputs follow, but also by the delay required for their processing. When the same sequence of transitions is performed by such a machine the same outputs may follow in different order depending on the arriving time of the corresponding inputs. Our main goal is to develop equivalence checking and minimization algorithms for real-time machines of this kind. But, as the results of Automata Theory show, these problems may have efficient solution only for deterministic machines. Thus, our first step toward the solution of these problems is to find a way to check if the behavior of a machine is deterministic.
But there is also another reason to study the problem of checking the determinism of the behavior of real-time machines. Unlike traditional discrete models of computation, the behavior of real-time machines depends not only on the control signals as such, but also on the time of their arrival. However, the latter factor has a greater degree of uncertainty. In most cases, in practice, it is desirable to reduce the effect of this uncertainty to a minimum. Therefore, the determinacy checking problem for real-time machines can be considered as a special version of the verification problemchecking that the time factor does not have an unforeseen influence on the behavior of the system. • is such a permutation of the sequence = ( 1 , 1 + 1 ), ( 2 , 2 + ( , ) is defined then we say that the input timed word activates the trace . We will say that the output word 1 , 2 , … , is a plain response to the input timed word on the trace ; it will be denoted as ( , ).

Steady traces and strictly deterministic TFSMs
As can be seen from the above example, a pair of input timed words that differ only in timestamps of input signals may activate the same trace in a TFSM, although plain responses of TFSM to these words are different. Generally speaking, there is nothing unusual in this: in real-time models not only the input signals, but also the values of timers influence a run of a model. Nevertheless, in many applications it is critically important to be sure that the behavior of a real-time system is predictable: once a system choose a mode of computation (i.e. a trace in TFSM) it will behave in a similar way (i.e. give the same plain response) in all computations of this mode. Traditionally, computer systems in which for any input data the processing mode is uniquely determined by the system are called deterministic. But for our model of real-time systems this requirement should be clarified and strengthened. For this purpose, we introduce the notion of steady traces and the property of strict determinacy of a real-time system. This requirement means that every timestamped input letter can activate no more than one transition from an arbitrary given state . It also implies that every input timed word can activate no more than one trace in . A deterministic TFSM is called strictly deterministic iff every initial trace in which starts from the initial state is steady. It is easy to see that TFSM, depicted in Fig. 1, is not strictly deterministic.
The Strict Determinacy Checking Problem (in what follows, SDCP) is that of checking, given a TFSM, if it is strictly deterministic. It is easy to check whether a TFSM is deterministic by considering one by one all pairs of transitions that emerge from the same state. But local means alone are not enough to check whether a given trace in a TFSM is steady. A simple criterion for steadiness of traces is presented as a Theorem below. be a trace in a TFSM . Then the following theorem holds.

Theorem 1. A trace is steady iff for all pairs of integers , such that ≤ < ≤ at least one of the two inequalities
Proof. (⇒) Suppose that there exists a pair , such that ≤ < ≤ , and a double inequality holds: It is easy to see that both words activate . Such permutation of output letters is possible iff the following inequalities hold ′ + = ′ < ′ = ′ + , ″ + = ″ > ″ = ″ + .
But since both input timed words ′ and ″ activate , we have the following chain of inequalities: Thus, if is not steady then there exists a pair of integers such that ≤ < ≤ and

End of proof.
As it follows from Theorems 1 and 2, to guarantee that a given TFSM

Strict Determinacy Checking Problem for TFSMs is co-NPhard
Clearly, the decision procedure, based on Theorem 2, is time consuming since may be exponential of the size of and the number of traces of length in TFSM is exponential of . In this section we show that such an exhaustive search can hardly be avoided because SDCP for improved version of TFSMs is co-NP-hard. We are aimed to show that the complement of SDCP is NP-hard. To this end we consider the Subset-Sum Problem (see [7]) which is known to be NP-complete and demonstrate that this problem can be reduced in polynomial time to the complement of SDCP for TFSMs. The Subset-Sum Problem (SSP) is that of checking, given a set of integers and an integer , whether there is any subset ′, ′ ⊆ , such that the sum of all its elements is equal to . More formally, the variant of the SSP we are interested in is defined as follows. Let = , , … , be a sequence of positive integers, and be also a positive integer. A solution to ( , )-instance of SSP is a binary tuple = ⟨ , , … , ⟩ such that ∑ = = . In [7] it was proved that the problem of checking the existence of a solution to a given ( , )-instance of SSP is NPcomplete. First, we make some observations. 1) Since all transitions outgoing from the states , ≤ < , have the same delay , every trace from a state to a state , where < < ≤ , is strictly deterministic.
3) For the same reason the inequalities hold for every , ≤ < , and a binary tuple = ⟨ , , … , ⟩. By Theorem 1, this guarantees that every initial trace leading to a state , ≤ ≤ is strictly deterministic.
As for the initial traces that lead to the state + , due to our choice of and , we can trust the following chain of reasoning. By definition, a ( , )-instance of SSP has a solution = ⟨ , , … , ⟩ iff ∑ = = . The latter is possible iff two following inequalities hold: But in the context of observations 1) -3) above, the latter inequalities, as it follows from Theorem 1, provide the necessary and sufficient conditions that the initial trace in TFSM , activated by the input word = ⟨ , , … , ⟩ is not strictly deterministic. Thus, a ( , )-instance of SSP has a solution iff TFSM , is not strictly deterministic.
The considerations above bring us to Theorem 3. SDCP for TFSMs is co-NP-hard. (1)

Conclusion
The main contributions of this paper are 1. the development of a modified version of TFSM which, in our opinion, provides a more adequate model of real-time computing systems; 2. the introduction of the notion of strict deterministic behaviour of TFSM and setting up the Strict Determinacy Checking Problem (SDCP) for a modified version of TFSMs; 3. the establishing of an effectively verifiable criterion for the strict determinacy property of TFSMs; 4. the proving that SDCP for TFSMs is co-NP-hard. However, some problems concerning strict deterministic behavior of TFSMs still remain open. They will be topics for our further research. 1.
In As it can be seen from the proof of Theorem 3, SDCP for TFSMs is intractable only if timed parameters of transitions (time guards and delays) depend on the number of states in TFSM. But this is not a typical phenomenon in real-time systems since in practice the performance of individual components of a system does not depend on the size of the system. Therefore, it is reasonable to confine ourselves to considering only such TFSMs, in which the time guards and the delays are chosen from some fixed finite set. As it follows from Theorem 2, for this class of TFSMs SDCP is decidable in polynomial time. One may wonder what is the degree of such a polynomial, or, in other words, how efficiently the strict determinacy property can be checked for TFSMs corresponded to real systems. 3.