Weak Alternating Timed Automata

Alternating timed automata on infinite words are considered. The main result is a characterization of acceptance conditions for which the emptiness problem for these automata is decidable. This result implies new decidability results for fragments of timed temporal logics. It is also shown that, unlike for MITL, the characterisation remains the same even if no punctual constraints are allowed.


Introduction
Timed automata [5] are widely used models of real-time systems.They are obtained from finite automata by adding clocks that can be reset and whose values can be compared with constants.The crucial property of timed automata is that their emptiness is decidable.Some other properties, like universality, are undecidable though.Alternating timed automata have been introduced in [16,22] following a sequence of results [1,2,21] indicating that a restriction to one clock can influence decidability.Indeed, the emptiness and universality problems for one clock alternating timed automata are decidable over finite words.On the contrary, over infinite words both problems remain undecidable even for automata with one clock [25,17].All undecidability arguments rely on the ability to express "infinitely often" properties.Our main result shows that once these kind of properties are forbidden the emptiness problem is decidable.
To say formally what are "infinitely often" properties we look at the theory of infinite sequences.We borrow from that theory the notion of an index of a language.It is known that the index hierarchy is infinite with "infinitely often" properties almost at its bottom.From this point of view, the undecidability result mentioned above leaves open the possibility that safety properties and "almost always" properties can be decidable.This is indeed what we prove here.
The automata theoretic approach to temporal logics [27] is by now a standard way of understanding these formalisms.For example, we know that the modal µ-calculus corresponds to all automata, and LTL to very weak alternating automata, or equivalently, to the emptiness problem for ATA over infinite words by reduction to the repeated reachability problem for incremental machines with occurrence testing (ICMOT) [23].While paper [11] gives a finer analysis of the complexity of several problems for ICMOT, using well-quasi orders it is easy to show that the existence of a computation satisfying "almost always" property is decidable for ICMOT.Nevertheless this observation does not imply decidability of the same problem for ATA, whose structure is more complicated.It is worth to mention that checking the existence of a run satisfying "almost always" property is in general more difficult than checking reachability.Recall for example that the former problem is not decidable for lossy counter machines [18], while reachability is decidable for this model.
The depth of nesting of positive and negative conditions of type "infinitely often" is reflected in the concept of the index of an automaton.Wagner [28], as early as in 1977, established the strictness of the hierarchy of indices for deterministic automata on infinite words.Weak conditions were first considered by Staiger and Wagner [29].There are several results testifying their relevance.For example Mostowski [19] has shown a direct correspondence between the index of weak conditions and the alternation depth of weak second-order quantifiers.For recent results on weak conditions see [20] and references therein.
The next preliminary section is followed by a presentation of our main decidability result (Theorem 3.1).Section 4 introduces Constrained TPTL, gives a translation of the logic into a decidable class of alternating timed automata, and discusses relations with FlatMTL.The last section presents the accompanying undecidability result (Theorem 5.2).

Preliminaries
A timed word over a finite alphabet Σ is a sequence w = (a 1 , t 1 )(a 2 , t 2 ) . . . of pairs from Σ × R + .We require that the sequence {t i } i=1,2,... is strictly increasing and unbounded.If t i describes the time when event a i has occurred then these restrictions say that there cannot be two actions at the same time instance and that there cannot be infinitely many actions in a finite time interval (non Zeno behavior).
We will consider alternating timed automata (ATA) with one clock [17].Let x be this clock and let Φ denote the set of all comparisons of x with constants, eg.(x < 1 ∧ x ≥ 0).
A one-clock ATA over an alphabet Σ is a tuple where Q is a finite set of states and Ω determines the parity acceptance condition.The transition function of the automaton δ is a finite partial function where B + (Q×{nop, reset}) is the set of positive boolean formulas over atomic propositions of the form ⊤, ⊥, and (q, f ) with q ∈ Q and f ∈ {nop, reset}.
Intuitively, automaton being in a state q, reading a letter a, and having a clock valuation satisfying θ can proceed according to the positive boolean formula δ(q, a, θ).It means that if a formula is a disjunction then it chooses one of the disjuncts to follow, if it is a conjunction then it makes two copies of itself each following one conjunct.If a formula is "atomic", i.e., of the form (q, reset) or (q, nop) then the automaton changes the state to q and either sets the value of the clock to 0 or leaves it unchanged, respectively.To simplify the definition of acceptance there is also one more restriction on the transition function: (Partition) For every q ∈ Q, a ∈ Σ and v ∈ R + , there is at most one θ s.t.δ(q, a, θ) is defined, and v satisfies θ.It is easy to transform an automaton to this form.
The acceptance condition of the automaton determines which infinite sequences of states (runs of the automaton) are accepting.A sequence q 1 , q 2 , . . .satisfies: • weak parity condition if min{Ω(q i ) : i = 1, 2, . . .} is even, • strong parity condition if lim inf i=1,2,... Ω(q i ) is even.Observe that the difference between weak and strong conditions is that in the weak case we consider all occurrences of states and in the strong case only those that occur infinitely often.In this paper we will mostly consider automata with weak conditions.Whenever we will be considering strong conditions we will say it explicitly.
For an alternating timed automaton A and a timed word w = (a 1 , t 1 )(a 2 , t 2 ) . . .we define the acceptance game G A,w between two players: Adam and Eve.Intuitively, the objective of Eve is to accept w, while the aim of Adam is the opposite.A play starts at the initial configuration (q 0 , 0).It consists of potentially infinitely many phases.The (k+1)-th phase starts in (q k , v k ), ends in some configuration (q k+1 , v k+1 ) and proceeds as follows.Let v ′ := v + t k+1 − t k .Let θ be a unique (by the partition condition) constraint such that v ′ satisfies θ and δ(q k , a k+1 , θ) is defined; if there is no such θ then Eve is blocked.Now the outcome of the phase is determined by the formula b = δ(q k , a k+1 , θ).There are four cases: • b = (q, f ) ∈ Q × {nop, reset}: the phase ends with the result (q k+1 , v k+1 ) := (q, f (v ′ )) and a new phase starts from this configuration; • b = ⊤, ⊥: the play ends.The winner of such a play is Eve if she is not blocked, and the sequence ends in ⊤, or it is infinite and the states appearing in the sequence satisfy the acceptance condition of the automaton.
Formally, a play is a finite sequence of consecutive game positions of the form k, q, v or k, q, v, b , where k is the phase number, b a boolean formula, q a location and v a valuation.A strategy of Eve is a mapping which assigns to each such sequence ending in Eve's position a next move of Eve.A strategy is winning if all the plays respecting the strategy are winning.Definition 2.1 (Acceptance).An automaton A accepts w iff Eve has a winning strategy in the game G A,w .By L(A) we denote the language of all timed words w accepted by A.
The Mostowski index of an automaton with the, strong or weak, acceptance condition given by Ω is the pair consisting of the minimal and the maximal value of Ω: (min(Ω(Q)), max(Ω(Q))).We may assume without a loss of generality that min(Ω(Q)) ∈ {0, 1}.(Otherwise we can scale down the rank by Ω(q) := Ω(q) − 2.) Automata with strong conditions of index (0, 1) are traditionally called Büchi automata and their acceptance condition is given by a set of accepting states Q + ⊆ Q; in our presentation these are states with rank 0.

Decidability for one-clock timed automata
We are interested in the emptiness problem for one clock ATA.As it was mentioned in the introduction, the problem is undecidable for automata with strong Büchi conditions (strong (0, 1) conditions).Here we will show a decidability result for automata with weak acceptance conditions of index (0, 1).Theorem 3.1.It is decidable whether a given one-clock alternating timed automaton with weak (0, 1) condition accepts some non Zeno timed word.The complexity of the problem is non-primitive recursive.
The lower bound for the complexity holds already for automata over finite words [17].So in the rest of this section we give a decidability proof.
Before we start, it will be useful to make a couple of remarks that allow to restrict the form of automata.A weak (0, 1) automaton can be also presented as an automaton with a strong (0, 1) condition where all transitions from an accepting state, state of rank 0, go only to accepting states.Indeed, once the automaton sees a state of priority 0 then any infinite run is accepting (but there may be runs that get blocked).In the following we will write Q + for accepting states and Q − for the other states.For automata presented in this way the strong (0, 1) condition says simply: there are only finitely many states from Q − in the run.So the automaton accepts if Eve has a strategy to reach ⊤, or to satisfy this condition.
We can also make some restrictions on a form of the transition function.We can require that every boolean formula that appears as a value of the function is in a disjunctive normal form.Moreover, we can eliminate the ⊥ and ⊤ propositions.Proposition ⊥ can be simulated by a state q ⊥ from which there is no transition, and ⊤ by an accepting state q ⊤ on which the automaton loops on all letters.Observe that this is fine as we have put no restriction on transitions going to accepting states.Finally, we can assume that every disjunct of every transition of A has some pair with reset and some pair with nop.This can be guaranteed by adding conjuncts (q ⊤ , nop) and (q ⊤ , reset).
To fix the notation we take a one clock ATA in a form as described above: This means that for every q, a, and θ, the formula δ(q, a, θ) is in a disjunctive normal form; every disjunct contains a pair with nop and a pair with reset; there are no ⊤ or ⊥; if q ∈ Q + then only states from Q + appear in the formula; Our first step will be to construct some infinite transition system H(A), so that the existence of an accepting run of A is equivalent to the existence of some good path in H(A).
In the second step we will use some structural properties of this transition system to show decidability of the problem stated in the theorem.
3.1.An abstract transition system.The goal of this subsection is to define a transition system H(A) such that existence of an accepting computation of A is reduced to existence of some special infinite path in H(A) (Corollary 3.9).This system will be some abstraction of the transition system of configurations of A. While H(A) will be infinite, it will have some well-order structure and other additional properties that will permit to analyze it.
First, consider an auxiliary labeled transition system S(A) whose states are finite sets of configurations, i.e., finite sets of pairs (q, v), where q ∈ Q and v ∈ R + .The initial position in S(A) is P 0 = {(q 0 , 0)} and there are transitions of two types P t ֒→ P ′ and P a ֒→ P ′ .Transition P t ֒→ P ′ is in S(A) iff P ′ can be obtained from P by changing every configuration (q, v) ∈ P to (q, v + t).Transition P a ֒→ P ′ is in S(A) iff P ′ can be obtained from P by the following nondeterministic process: • First, for each (q, v) ∈ P , do the following: − let b = δ(q, a, θ) for the uniquely determined θ satisfied in v, − choose one of disjuncts of b, say Observe that there may be no P ′ such that P a ֒→ P ′ because for some (q, v) ∈ P the value δ(q, a, θ) required above is not defined.Definition 3.2.We will call a sequence P 0 , P 1 , . . . of the states of S(A) accepting if the states from Q − appear only in a finite number of P i .Lemma 3.3.A accepts an infinite timed word (a 0 , t 0 )(a 1 , t 1 ) . . .iff there is an accepting sequence in S(A): Proof.The right to left implication is obvious.For the left to right implication, recall that acceptance of a word by an automaton is defined as existence of a winning strategy for Eve in the acceptance game.This is a game with Büchi conditions, so if Eve has a winning strategy, then she has a memoryless winning strategy.This strategy gives a run of the form required by the lemma.
Our next goal is to remove time labels on transitions.But we cannot just erase them, as then we will not be able to say if a word is Zeno or not.We start by introducing regions.
Let us try to give an intuition behind the way time information will be eliminated.Recall that a state P is a finite set of pairs (q, v).If v ∈ I ∞ then the precise value of v does not matter from the point of view of the automaton.For other values it is important to look at their fractional parts.Among all v ∈ I ∞ appearing in P take the one with the biggest fractional part.Then, by making the time pass we can get v to a new region without changing the regions of valuations with smaller, but positive, fractional parts.Intuitively this is the smallest delay that makes a visible change to P .We will introduce a special label to signal when time progresses in this way.As integer valuation would force us to introduce a cumbersome case distinction we will set things so that they can be avoided.
These remarks lead us to consider a new alphabet: and three new kinds of transitions.
Transition on a will do the action and make some time pass without any valuation changing the region.
֒→ P ′ for some P 1 , and t 1 > 0 such that for every (q, v) ∈ P , the value v + t 1 is in the same region as v.For a transition on a letter (delay, ε), pick a valuation v among these with reg(v) = I ∞ with a maximal fract(v).The transition will make the time pass so that v goes to the next interval region but all valuations with smaller fractional parts do not change their regions: ֒→ P ′ for some P ′ 1 and t 1 , t 2 > 0 such that there is (q, v) ∈ P , with v + t 1 being an integer and v + t 1 + t 2 in the following interval region.Moreover, for all (q ′ , v ′ ) ∈ P if fract(v) = fract(v ′ ) then the value v ′ + t 1 + t 2 is in the same region as v ′ .Finally, we come to the most complex (delay, a) transition.Even though we did not allow transitions (delay, ε) to reach one-point regions, it is still important to be able to execute actions in those regions.A transition on (delay, a) permits to reach a one-point region, execute the action, and leave the region.
֒→ P ′ for some P 1 , P 2 and t 1 , t 2 > 0 such that there is (q, v) ∈ P , with v +t 1 being an integer and v +t 1 +t 2 in the following interval region.Moreover for all (q ′ , v ′ ) ∈ P if fract(v) = fract(v ′ ) then the value v ′ + t 1 + t 2 is in the same region as v ′ .The following lemma shows that with a new alphabet we can replace non Zeno condition by a simple infinitary condition.
The next step in the construction is to abstract from valuations in the states of the transition system.Intuitively, we will replace every valuation by its region.To compensate for erasing fractional parts, we will also keep information about the relative order between them.With the construction described in the definition below the states become words from Definition 3.5.For a state P of S(A) we define a word H(P ) from Λ * I • Λ ∞ as the one obtained by the following procedure: • replace each (q, v) ∈ P by a triple q, reg(v), fract(v) if v ≤ d max (this yields a finite set of triples) • sort all these triples w.r.t.fract(v) (this yields a finite sequence of triples) • group together triples having the same value of fract(v) (this yields a finite sequence of finite sets of triples) • forget fract(v), that is, change every triple q, reg(v), fract(v) into a pair (q, reg(v)) (this yields a finite sequence of finite sets of pairs, a word in Λ * I ).• Add at the end the letter ({q : (q, v) Finally, we can define H(A).
). Definition 3.8.We say that a path (equivalently: run, computation) in H(A) is good, if it passes through infinitely many transitions labeled by letters (delay, •).We say that a path (equivalently: run, computation) in H(A) is accepting, if it is good and passes through only finitely many configurations containing states from Q − .Corollary 3.9.A accepts an infinite non Zeno timed word iff there is an accepting path in H(A) starting in configuration ({(q 0 , I 1 )}, {∅, I ∞ }).
Proof.A accepts a non Zeno word iff there is a path in S(A) satisfying the acceptance condition.By Lemma 3.4 it is equivalent to having a good path in S(A) with transitions from the alphabet Σ satisfying the acceptance conditions.Lemma 3.7 implies that this is equivalent to having an accepting path in H(A).
We finish the section with a more explicit characterization of transitions in H(A) that will be used extensively in the decidability proof.The characterisation is spelled out in the next three lemmas whose proofs are obtained directly from the definitions.
Observe that there are as many transitions a −→ from λ as there are choices of different conjuncts for each pair (q, r) in λ.In particular there is no transition if for some pair the transition function of the automaton is not defined.Notice also that the clock after reseting, described by elements of γ ′ , is in interval I 1 , not in {0}; this is because we describe a transition of the original automaton followed by a small time elapse.Lemma 3.11.In H(A) transitions on an action a have the form i may be empty.Finally, we have the most complicated case of (delay, a) action.Lemma 3.12.In H(A) the transitions on an action (delay, a) have the form , where the elements on the right are obtained by preforming the following steps: • First, we change regions in λ k .Every pair (q, I d ) ∈ λ k becomes (q, {d}).Let us denote the result by ։ c ′ to denote that we may go from a configuration c to c ′ using one transition, one transition reading a letter of the form (delay, •), any number of transitions or any number of transitions reading only letters from Σ, respectively.

Finding an accepting path in H(A).
Here we overview the decision procedure, which is described in details in the next subsections.By Corollary 3.9, our problem reduces to deciding if in H(A) there is a good path with only finitely many appearances of states from Q − .The decision procedure works in two steps.In the first step we compute the set G of all configurations of H(A) from which there exists a good path.Observe that if a configuration from G has only states from Q + then there exists an accepting run from this configuration.So, in the second step it remains to consider configurations that have states from both Q − and Q + .This is relatively easy as an accepting run from such a configuration consists of a finite prefix ending in a configuration without states from Q − and a good run from that configuration.Hence, there is an accepting run from a configuration iff it is possible to reach from it a configuration from G that has only Q + states.Once we know G, the later problem can be solved using the standard reachability tree technique.

3.3.
Computing accepting configurations.We start with the second step of our procedure as it is much easier than the first one.We need to decide if from an initial state one can reach a configuration from G having only Q + states.We can assume that we are given G but we need to discuss a little how it is represented.It turns out that there are useful well-quasi-orders on configurations that allow to represent G in a finitary way (Corollary 3.15) A well-quasi-order is a relation with a property that for every infinite sequence c 1 , c 2 , . . .there exist indexes i < j such that the pair (c i , c j ) is in the relation.
The order we need is the relation, denoted , over configurations of H(A): and there exists a strictly increasing function f : {1, . . ., k} → {1, . . ., k ′ } such that λ i ⊆ λ ′ f (i) for each i.Observe that here we use the fact that each λ i is a set so we can compare them by inclusion.This relation is somehow similar to the relation of being a subsequence, but we do not require that the corresponding letters are equal, only that the one from the smaller word is included in the one from the greater word.The first property of this order is proved by a standard application of Higman's lemma.
Lemma 3.13.The relation is a well-quasi-order.
The following shows an important interplay between relation and transitions of H(A).
and the second computation has the length not greater than the first one.Similarly, when from c 1 there exists a good computation, then from c ′ 1 such a computation exists.Proof.For the first statement of the lemma we will simulate one transition from c 1 by at most one transition from −→ c 2 we have two cases depending on the relation between one before last element of the two configurations.To be more precise, suppose that For the second statement we need to show that the computation from c ′ 1 obtained by matching steps as described above is good (if the one from c 1 has been good).This is not immediate as we remove some (delay, •) letters in the matching computation.
Fix a good computation from c 1 .Let c 2 be a configuration in a computation starting from c 1 , and let c ′ 2 be the corresponding configuration in the matching computation from c ′ 1 .To arrive at a contradiction assume that there are no delays after Let us take the biggest possible i.If some a-action is done from c 2 then it is matched by an a-action from c ′ 2 , and for the resulting configurations the inclusion is preserved.This can happen only finitely many times though, as there are infinitely many (delay, •) actions after c 2 .If a (delay, •) action is done from c 2 and i = k then it is matched by a (delay, •) action from c ′ 2 , a contradiction with the choice of c i .If i < k then the element λ ′ k ′ is left on its position in c ′ 2 , while in c 2 we remove λ k , hence λ i covering λ ′ k ′ gets closer to the end of the sequence.Repeating this argument, we get that the covering λ i finally becomes the last element and the previous case applies.
Corollary 3.15.The set G is downward closed, so it can be described by the finite set of minimal elements that do not belong to it.
As we have mentioned before, there is a good accepting computation from a configuration iff it is possible to reach from it a configuration from G that has only Q + states.The following lemma says that this property is decidable.Lemma 3.16.Let X be a downward closed set of configurations of H(A), represented by the (finite) set of all its minimal elements.It is decidable whether from a given configuration one can reach a configuration in a given set X that has only states from Q + .
Proof.We will use a standard reachability tree argument.The reachability tree is a tree in which the initial configuration is in the root, and every configuration has as children all configurations that may be reached by reading one letter.The algorithm constructs a portion t of the tree according to the following rule: do not add a node c ′ to t in a situation when among its ancestors there is some c c ′ .Each path of t is finite because is a well-quasi-order.Furthermore, since the degree of every node is finite, t is a finite tree.Then we check t for a configuration from X without states from Q − .
We only need to prove that, if in the whole reachability tree there is a configuration as above (which means that H(A) may accept), then there is also some in t.Let c be such a configuration reachable from the initial configuration of H(A) by a path π of the shortest length.Assume that c is not in t, i.e. there are two nodes on π, say c 1 and c 2 , such that c 1 is an ancestor of c 2 and c 1 c 2 (i.e.c 2 was not added to t).Then from Lemma 3.14, there exists c ′ c that may be reached from c 1 and the path from c 1 to c ′ will be not longer than that from c 2 to c.So the path leading to c ′ from the initial configuration is strictly shorter than π.Moreover, as c ′ c and X is downward closed, we immediately deduce that c ′ ∈ X, and c ′ does not contain states from Q − which is a contradiction.

Computing G.
In this subsection we deal with the main technical problem of the proof that is computing the set G of all configurations from which there exist a good computation.We will actually compute the complement of G.While we will use wellorderings in the proof, standard termination arguments do not work in this case.We will need to examine more closely the definition of H(A) an in particular the mechanics of its transition as described in Lemmas 3.10, 3.11, and 3.12.
We write X↑ for an upward closure of set X, Observe that by Corollary 3.15 the complement of G is upward closed.Let set pre ∀ delay (respectively pre ∀ Σ * ) contain all configurations, from which after reading any letter (delay, •) (any number of letters from Σ), we have to reach a configuration from X, Now we can use these pre operations to compute a sequence of sets of configurations It is important that we may effectively represent and compare all the sets Z i ↑.Because the relation is a well-quasi-order, any upward closed set X↑ may be represented by finitely many elements c 1 , . . ., c k (called generators) such that X ↑= {c 1 , . . ., c k }↑.Moreover, an easy induction shows that Z i−1 ↑⊆ Z i ↑ for every i (because both pre ∀ operations preserve inclusion).Once again, because relation is a well-quasi-order, there has to be i such that First, we show that Z ∞ is indeed the complement of G. Lemma 3.17.There is a good computation from a configuration c iff c ∈ Z ∞ ↑.
Proof.(⇒) We show by induction that c ∈ Z i for i = −1, 0, 1 . . . .For i = −1 it is obvious.Assume for contradiction that there exists a good computation from c, but c ∈ Z i ↑.Then there exists c ′ c with c ′ ∈ Z i .From Lemma 3.14 we know that a good infinite computation exists also from c ′ .This computation may first read some letters from Σ, but finally it has to read a letter (delay, •), that results in a configuration c 2 .Definition of Z i tells us that c 2 ∈ Z i−1 ↑.But from c 2 there is also a good infinite computation, a contradiction.
(⇐) Assume that every computation (finite or infinite) from c reads at most k letters (delay, •).An easy induction on k shows that c ∈ Z k .
To compute Z ∞ it is enough to show how to compute Z i ↑ from Z i−1 ↑.This is the most difficult part of the proof that will occupy the rest of the subsection.Once this is done we will calculate all the sets Z i ↑, starting with Z −1 = ∅ and ending when The main idea in calculating pre ∀ Σ * (pre ∀ delay (X)) is that the length of its generators may be bounded by some function in the length of generators of X.This is expressed by the following lemma.Lemma 3.18.Given an upward closed set X we can compute a constant D(X) (which depends also on our fixed automaton A) such that the size of every minimal element of pre ∀ Σ * (pre ∀ delay (X)) is bounded by D(X) Once we know the bound on the size of generators, we can try all potential candidates.The following lemma shows that it is possible.Lemma 3.19.For every upper-closed set X, the membership in pre ∀ Σ * (pre ∀ delay (X)) is decidable.
Together Lemmas 3.18 and 3.19 allow us to compute the sequence Z 0 , Z 1 , . . ., Z ∞ and hence also G.
To finish the proof of the theorem, it remains to give proofs of the two lemmas.The first is substantially more complicated, and will occupy most of the space, while the second we will get as a rather simple corollary.In the first proof, we will calculate separately bounds for pre ∀ delay (X) and for pre ∀ Σ * (X).In the sequel we will need to use some special representation for sets of configurations.
Observe that the value f (λ) for λ not appearing in λ 0 1 . . .λ 0 k does not matter; moreover if some f (λ 0 i ) = ∅ then the result of expanding is the empty set.We use compressed configurations, because the set of successors of a configuration may be described by a bounded number of compressed configurations.This is not true for ordinary configurations due to nondeterminism.For example, when there is more than one choice of a transition on action a form a letter λ then every occurrence of λ in a configuration may make a choice independently, so the number of successor configurations grows with the number of occurrences of λ in a configuration.
Let us see how to calculate pre ∀ delay (X).Some care is needed as this set is not upward closed with respect to the relation.This is because the a (delay, •) action treats the one before the last element of a configuration in a special way.So if something is inserted after λ k in (λ 1 . . .λ k , λ ∞ ) then the delay operation uses this inserted element instead of λ k .As a side remark let us mention that using the upward closure of pre ∀ delay (Z i−1 ↑) in the definition of Z i would be incorrect (Lemma 3.17 would not be true).
To remedy this problem we use a refined relation r .Given two configurations The following lemma tells us that successors of a configuration may be described using compressed configurations and that there are not too many of them.Lemma 3.22.For every configuration c 0 = (λ 1 . . .λ k , λ ∞ ), k > 0 there exists a finite set of compressed configurations C(λ k , λ ∞ ) (depending only on λ k and λ ∞ ) such that: Now consider transitions reading (delay, a).A result of this transition is not unique and depends on the choice of a transition for each element of the configuration.We fix a set T of transitions λ a −→ A (λ ′ , γ ′ ); intuitively these are allowed transitions from λ 1 , . . ., λ k−1 .We also fix transitions λ where λ 1 k is λ k with increased regions as in Lemma 3.12).This choice of transitions gives us a compressed configuration c = (γ, f, λ ′′ ∞ ), where We add c into C(λ k , λ ∞ ).We now show that the constructed C(λ k , λ ∞ ) has the required properties.Consider a successor c of c 0 that is reached using the transitions we have fixed.In particular, we require that each transition from T is used at least once.Take c as calculated above.Directly from the definition we get c ∈ exp( c, λ 1 . . .λ k−1 ).As the choice of transitions was arbitrary, this gives the first statement of the lemma.
) is obtained by a choice of some T and some transitions from λ 1 k and λ ∞ .For every i let us choose some transition λ i a It is easy to check that there is a transition c 0 (delay,a) −→ c ′ .
We need to find all minimal elements of pre ∀ delay (Z i−1 ↑).The following lemma will allow us to get a bound on their size.Lemma 3.23.For a given C and a set X upward closed with respect to the r relation there exists a constant B(X, C) (and we may compute it) such that if for some λ 0 Proof.First suppose that C is a singleton { c}; where c = (λ 1 . . .λ l , f, λ ∞ ).We describe a construction of a finite automaton A X c accepting the language Recall that X is an upward closed set with respect to r relation.This implies that L X c is upward closed with respect to the standard subsequence relation ⊑.It is easy to check that for every letter λ ∈ Λ I , if L ⊆ Λ * I is ⊑-upward closed then the quotient L/λ is also ⊑-upward closed.Moreover L ⊆ L/λ, as if w ∈ L then aw ∈ L that implies w ∈ L/λ.Because ⊑ is a well-quasi-order, this last property implies that the set of all possible quotients of L X c , i.e. the languages L X c /w for w ∈ Λ * I , is finite.These quotients are the states of A X c we were looking for.Indeed A X c is the minimal deterministic automaton for L X c .Take B(X, { c}) to be the size of the automaton.From the pumping lemma it follows that if the word λ 0 1 . . .λ 0 k is accepted by A X c then there is a subsequence of length ≤ B(X, { c}) accepted by A X c .Now consider a general situation.For every c ∈ C from above we have some subsequence λ 0 i 1 . . .λ 0 im of length m ≤ B(X, { c}), such that exp( c, λ 0 i 1 . . .λ 0 im ) ⊆ X.We take all the elements from all these subsequences, getting a subsequence of length ≤ B(X, C) := c∈ C B(X, { c}) such that all the inclusions hold.
The above two lemmas allow to compute a bound on the size of minimal elements in pre ∀ delay (Z i−1 ↑).Lemma 3.24.There is an algorithm that given X↑ computes a constant M delay (X↑) such that the size of every minimal element of pre ∀ delay (X↑) is bounded by M delay (X↑).Proof.There are only finitely many different C(λ k , λ ∞ ) as constructed in Lemma 3.22.Let M delay be the maximal possible value of B(X↑, C(λ k , λ ∞ )).

Now we describe how to calculate pre ∀
Σ * (Y )↑ for any set Y upward closed with respect to r relation.The first lemma says that we may represent successors using compressed configurations.
Observe that γ ′ may be a proper subset of γ if not all transitions from T have been used.Then c ′ r c and there is a transition c 0 a −→ c ′ .
The following lemma says that we may list a big enough portion of all configurations reachable from some c 0 (similarly like in step two of the decision procedure, Lemma 3.16) and moreover that size of this portion is bounded by a constant.
We define a set C of compressed configurations as a closure of { c 0 } on the operation defined in Lemma 3.25.This set may be infinite but we do not worry about it for the moment.We show first that it satisfies the requirements of the lemma.
Take some λ 1 . . .λ k ∈ Λ * I and c such that (λ We need to show that we can find an extended configuration c ∈ C such that c ∈ exp( c, λ 1 . . .λ k ).The proof is by easy induction on the number of transitions.For the base step we have (λ 1 . . .λ k , λ ∞ ) ∈ exp( c 0 , λ 1 . . .λ k ), and the induction step is given by the first statement of Lemma 3.25.Now, suppose that c ∈ C and c ∈ exp( c, λ 1 . . .λ k ).An induction using the second statement of Lemma 3.25 shows that there is c ′ r c such that (λ 1 . . .λ k , λ ∞ ) In order to reduce C to a finite set we once again use well-quasi-orders.We define a relation ⊑ on compressed configurations: This relation is a well-quasi-order.We take C Σ * (λ ∞ ) to be the set of minimal elements in this quasi-order.It is clear that Suppose . Take the set C(λ 0 ∞ ) as given by Lemma 3.26.We have that Exp( C Σ * (λ 0 ∞ ), λ 0 1 . . .λ 0 k ) ⊆ Y by the second statement of this lemma.From Lemma 3.23 we get a subsequence λ . By the minimality of c 0 , we have that c 0 = (λ ′ 1 . . .λ ′ l , λ 0 ∞ ), so its length is bounded by M Σ * + 1.The last step before proving Lemmas 3.18 and 3.19 consists of two simple observations.Lemma 3.28.For every set X upward closed with respect to relation, the membership in Y = pre ∀ delay (X) is decidable.Moreover Y is a r -upward closed set.Proof.The first part of the lemma is obvious, it suffices to test all possible transitions that are explicitly characterized in Lemmas 3.10 and 3.12.The second part follows from the property that we have already noticed before (page 13 Lemma 3.29.For every set Y upward closed with respect of r relation, the membership in pre ∀ Σ * (Y ) is decidable.Proof.Given a configuration c we need to decide if c ∈ pre ∀ Σ * (Y ).We apply successively a −→ transitions to c constructing a part of the reachability tree.We stop the development in a node if it has an ancestor smaller with respect to r -relation.As r is a well-quasi-order, and the branching at each node is finite, we get a finite tree t.
It remains to argue that this construction is correct.If in the above process we find a configuration that is not in Y then clearly c is not in pre ∀ Σ * (Y ).For the other direction, assume conversely that there is ։ c ′ is the smallest possible.We show that c ′ ∈ t.Recall that Lemma 3.11 characterizes transitions on letters.Directly from this characterization we obtain that if Using this fact, we get that if c ′ is not in t then there is d ′ c ′ such that the derivation c This is impossible by the choice of c ′ .Proof (of Lemma 3.18) Take an upward closed set X.By Lemma 3.24 we can compute a constant M delay that bounds the size of minimal elements in Y = pre ∀ delay (X).Using Lemma 3.28 we can find the minimal elements of Y by enumerating all configurations of size bounded by M delay .Observe that Y is r upward closed.
Once we have computed Y , Lemma 3.27 gives us a constant

Proof (of Lemma 3.19)
We first compute the set Y = pre ∀ delay (X) as described above.We can then use Lemma 3.29 to test for the membership in pre ∀ Σ * (Y ) = pre ∀ Σ * (pre ∀ delay (X)).

Constrained TPTL
In this section we present a fragment of TPTL (timed propositional temporal logic) that can be translated to automata whose emptiness problem is decidable by Theorem 3.1.We compare this fragment with other known logics for real time.We will be rather brief in presentations of different formalisms, and refer the reader to recent surveys [9,26].TPTL [8] is a timed extension of linear time temporal logic that allows to explicitly set and compare clock variables.We will consider the logic with only one clock variable that we denote TPTL 1 .The syntax of the logic is: where p ranges over action letters, x is the unique clock variable, and x ∼ c is a comparison of x with a constant with ∼ being one of =, =, <, ≤, >, ≥.We do not have negation in the syntax, but from the semantics it will be clear that negation is definable.
The logic is evaluated over timed sequences w = (a 1 , t 1 )(a 2 , t 2 ) . . .We define a satisfaction relation w, i, v α saying that a formula α is true at a position i of a timed word w with a valuation v of the unique clock variable: As usual, "until" operators permit us to introduce "sometimes" and "always" operators: For the following it will be interesting to note that the two "until" operators are interdefinable once we have "always" and "sometimes" operators: Observe that TPTL 1 subsumes metric temporal logic (MTL).For example: αU (0,j) β of MTL is equivalent to x.(αU((x < j) ∧ β)).We will not present MTL here, but rather refer the reader to [10] where it is also shown that the following TPTL 1 formula is not expressible in MTL (when considered in the pointwise semantics): The satisfiability problem over infinite timed sequences is undecidable for MTL [22], hence also for TPTL 1 .Using our decidability result for alternating timed automata, we can nevertheless find a decidable fragment that we call Constrained TPTL.The definition of this fragment will use an auxiliary notion of positive TPTL 1 formulas.These formulas can be translated into alternating automata where all states are accepting.The set of positive formulas is given by the following grammar: The set of formulas of Constrained TPTL is: Observe that the formula (4.1) belongs to the positive fragment if we add redundant (x ≤ 2) after b.
Theorem 4.1.For a given Constrained TPTL formula α it is decidable whether there is a non Zeno timed word that is a model of α.The complexity of the problem cannot be bounded by a primitive recursive function.
Proof.It is enough to give a translation from formulas to automata in the class from Theorem 3.1.The translation is on the syntax of the formula.We start with the automaton for positive formulas.The set of states of an automaton for a formula will consists of all subformulas of the formula.A state associated to a formula α will be denoted by [α].The intended semantics is that a timed word w is accepted from [α] iff w, 1, 0 α.
The transition relation of the automaton is given in the following table. [p] The transitions follow directly the semantics of formulas; state ⊤ is a special state from which every timed word is accepted.As our automaton is alternating, on the right hand side of the transition we can write a boolean expression on successor states.We should also explain labels * and ε over transitions.Transition * −→ is just a shorthand for transitions on all letters of the alphabet.Transitions can be seen as eager ε-transitions of the automaton: they are executed as soon as they are enabled.The other way is to consider them as rewrite rules where the real transition of the automaton is obtained at the end of the rewriting, i.e., reaching a transition on a letter.In this interpretation we should not forget to accumulate resets.For example, the above rules give as a "real" transition of the automaton.
All the states are accepting.Notice that in the case of positive formulas we will have a state [F β] only when β is of the form (x ≤ c) ∧ β ′ .As we consider only non Zeno words, this assures that the language accepted from this state is correct even if the state [F β] is accepting.
For other formulas of Constrained TPTL we first assume that for every positive formula we have already an automaton constructed by the above procedure.We then use the clauses above and the clause for the U operator to construct the part of the automaton corresponding the remaining formulas.The accepting states are all those corresponding to positive formulas.All the other states are rejecting.
A standard argument based on induction on the size of the formula shows that the translation is correct.For the complexity bound announced in the statement of the theorem, it is enough to check that the proof of the same complexity bound for alternating timed automata over finite words [17] can be translated into Constrained TPTL.

4.1.
Relation with other logics.Safety MTL [24] can be seen as an MTL fragment of positive TPTL.Indeed, both formalisms can be translated to automata with only accepting states, but the automata obtained from MTL formulas also have the locality property (cf.[24]).This property ensures that the clock is always reset when changing state.The example (4.1) shows that this is not the case for positive TPTL.The satisfiability problem for both logics is non-elementary [25].
Using equivalences mentioned above FlatMTL [12] with pointwise non Zeno semantics can be defined as a set of formulas of the grammar: where MITL is a version of MTL in which we do not allow equality constraints [6].The original definition admits more constructs, but they are redundant in the semantics we consider.
Both FlatMTL and Constrained TPTL use two different sets of formulas.The MTL part of the later logic would look like From this presentation it can be seen that there are at least two important differences: (i) constrained TPTL does not have restrictions on the left hand side of "until", and (ii) it uses the positive fragment instead of MITL.We comment on these two aspects below.Allowing unrestricted "until" makes the logic more expressive but also more difficult algorithmically.For example, to get the non primitive recursive bound it is enough to use the formulas generated by the later grammar without the clause for positive formulas.This should be contrasted with the Expspace-completeness result for FlatMTL [12].
The use of positive fragment instead of MITL is also important.The two formalisms are very different in expressive power.The crucial technical property of MITL is that a formula of the form αU I β can change its value at most three times in every unit interval.This is used in the proof of decidability of FlatMTL, as the MITL part can be described in a "finitary" way.The crucial property of the positive fragment is that it can express only safety properties (and all such properties).We can remark that by reusing the construction of [22] we get undecidability of the positive fragment extended with a formula expressing that some action appears infinitely often.Theorem 5.2 presented in the next section implies that this is true even if we do not use punctual constraints in the positive fragment.In conclusion, we cannot add MITL to the positive fragment without losing decidability.

Undecidability without testing for equality
Ouaknine and Worrell [22] have proved undecidability of MTL over infinite words in the case of pointwise semantics.Their construction immediately implies that the decidability result from the last section is optimal if classes of accepting conditions are concerned.Theorem 5.1 (Ouaknine, Worrell).It is undecidable whether a given one-clock universal timed automaton A with weak (1, 2) conditions accepts some non Zeno word.
Recall that weak parity conditions were defined on page 4; weak (1, 2) condition means that each accepting run contains only accepting states, or reaches ⊤.The construction in op.cit.relies on equality constraints.Indeed, if we do not allow equality constraints in MTL then we get a fragment called MITL, and the satisfiability problem for MITL over infinite words is decidable [6].
In this section we would like to show that a similar phenomenon is very particular to MTL and does not occur in the context of automata.We show that the undecidability result holds even when automata are only allowed to test if the clock is bigger than 1.
Theorem 5.2.It is undecidable if a given one-clock universal timed automaton A with weak (1, 2) conditions accepts some non Zeno word, even when A does not use tests for equality.

Remark:
The above theorems stay true if we replace "non Zeno word" by "any word".This is because we can restrict the language of an automaton to non Zeno words: the set of non Zeno words is accepted by an automaton with weak (1, 1) conditions.
To prove Theorem 5.2 we encode a problem of deciding whether there is a run of a counter machine with insertion errors satisfying a (strong) Büchi condition.This section is split in two parts.In the first we introduce counter machines with insertion errors, and show undecidability of the problem in question.In the second we give an encoding of this problem into the emptiness problem for automata with weak (1, 2) conditions.
Machines with insertion errors.A k-counter machine with insertion errors M g has configurations (q, c 1 , . . ., c k ) consisting of a control state q ∈ Q and values of the counters c i ∈ N.There are three kinds of transitions: (q : c i := c i + 1; goto q ′ ) or (q : if c i = 0 then goto q ′ ) or (q : if c i > 0 then c i := c i − 1; goto q ′ ).The set of transitions δ of M g gives rise to a relation between configurations, describing a single step of M g .The machine has insertion errors, which means that before and after every step it may increase any of its counters by any value.We will denote this by (q, c 1 , . . ., c k ) −→ (q ′ , c ′1 , . . ., c ′k ), to say that we may reach configuration (q ′ , c ′1 , . . ., c ′k ) from (q, c 1 , . . ., c k ) using some transition from δ and possibly increasing some counters before and after the transition.The initial configuration of the machine M g is (q 0 , 0, . . ., 0).Together with the machine there is given some subset of states Q acc ⊆ Q.We say that a run of M g satisfies the Büchi condition if in infinitely many of its configurations there appears a state from Q acc .Theorem 5.3 (Ouaknine, Worrell [22]).It is undecidable whether a given 5-counter machine with insertion errors M g has a run satisfying the Büchi condition.
For completeness, we give a short proof of Theorem 5.3 by reduction to boundedness of a lossy 4-counter machine.The principle of lossy k-counter machine is similar to that with insertion errors, with a difference that before or after every step it may decrease any of its counters by any value (instead of increasing).We say that a run of such a machine is bounded, iff there is a common bound for values of all counters in all configurations throughout the run.We will use the following result.Theorem 5.4 (Mayr [18]).It is undecidable whether every run of a given lossy 4-counter machine M l is bounded.
Proof of Theorem 5.3.Coming back to insertion errors, first note that a counter machine with insertion errors is exactly the same as lossy counter machine working backward.Let M l be a given lossy 4-counter machine.We construct a 5-counter machine M g that can simulate in a backward fashion a computation of M l on the first four counters.This machine is able to go from a configuration (q, c 1 , c 2 , c 3 , c 4 , c 5 ) to a configuration (q 0 , 0, 0, 0, 0, c 5 ) iff M l can go from (q 0 , 0, 0, 0, 0), that is the initial configuration, to (q, c 1 , c 2 , c 3 , c 4 ).Additionally to the states of M l , the machine has some auxiliary states, among them an accepting state q acc .The machine will start in the state q acc , and this state will be reachable only from a configuration (q 0 , 0, 0, 0, 0, c 5 ).In the state q acc , the machine increases c 5 by 1 and then (in a nondeterministic way) increases counters c 1 , c 2 , c 3 , c 4 , so that c 1 + c 2 + c 3 + c 4 ≥ c 5 .To do that it may the move value of c 5 simultaneously into c 1 and c 2 , then move value from c 2 back to c 5 and finally while decreasing c 1 increase c 2 , c 3 , c 4 .After that it chooses a state of M l and starts computing backward (using only the first four counters).When configuration (q 0 , 0, 0, 0, 0, c 5 ) is reached we make the machine to go to (q acc , 0, 0, 0, 0, c 5 ).
Assume that M l has an unbounded computation.We will show that M g has a run visiting q acc infinitely often.Suppose that some initial fragment of this run is already constructed and we are in a configuration (q acc , 0, 0, 0, 0, c 5 ) for some value of c 5 .As M l has an unbounded computation, it can reach a configuration (q, c 1 , c 2 , c 3 , c 4 ) with the sum of the counters bigger than c 5 + 1.We increase c 5 by 1, distribute c 5 into other counters to get the values c 1 , c 2 , c 3 , c 4 , we choose the state q and then execute the computation of M l backwards, starting from (q, c 1 , c 2 , c 3 , c 4 ).When reaching (q 0 , 0, 0, 0, 0, c 5 + 1) we go to (q acc , 0, 0, 0, 0, c 5 + 1) and repeat this process.This gives the required infinite computation.
For the opposite direction, assume that there is a computation of M g satisfying the Büchi condition.Every appearance of q acc is followed by some initialization, and by a backward computation of M l , starting in a configuration of size bigger than the value of c 5 and ending in (q 0 , 0, 0, 0, 0).However, every time this happens the value of c 5 increases by at least one.So we get computations of M l ending in bigger and bigger configurations.By König's lemma, there exists also an unbounded computation of M l .
Encoding machines into alternating automata.Now we return to the proof of Theorem 5.2, which occupies the rest of this section.For given 5-counter machine with insertion errors M g we will construct an alternating one-clock timed automaton A that accepts some infinite word iff M g has a run satisfying the Büchi condition.The input alphabet of A will consist of the instructions of M g and some auxiliary letters whose use will be explained later, Σ = δ ∪ {shc, sh$, new, init}.As states of A we take States Q M ∪ {1, 2, 3, 4, 5} will be used to represent configurations of M g : the current state and the values of the five counters.States q ∞ and q − will encode the condition on successful runs.State $ is important for technical reasons explained later.State q init is just the initial state that will not be reachable from other states.
In our description below we will consider the characterization of acceptance given by Lemma 3.3.In this presentation a run of A is a sequence where each P i ⊆ P(Q A ×R + ) is a set of pairs (q, v) consisting of a state of A and a valuation of the clock.We call such a set an extended configuration of A, or an e-configuration for short.Compared with Lemma 3. • For every (q, v) ∈ P : if q ∈ {1, . . ., 5, $} then v ∈ I 1 , and v ∈ I ∞ otherwise.
• For every v ∈ I 1 there is at most one q with (q, v) ∈ P .
• In P there is exactly one pair with a state from Q M , exactly one pair with the state q ∞ , and no pairs with q init .• Suppose (q, v) is in P where q ∈ {1, . . ., 5}.Then this pair is immediately preceded by some ($, v ′ ) (there is no pair (q ′′ , v ′′ ) in P with v ′ < v ′′ < v).
Intuitively, a well-formed e-configuration is divided into two parts: the set of pairs with the clock value in I 1 and those in I ∞ .The first part can be seen as representing a word over {1, . . ., 5, $} that is obtained by using the standard order on clock values.From the conditions above it follows that this word is of the form $ + q i 1 $ + q i 2 . . .$ + q in $ * ; where q i k ∈ {1, . . ., 5}.Such a word represents values of the counters when the value of the counter c j is equal to the number of j in the word.The clock values of pairs in I ∞ will not matter, so this part can be seen as a multiset of states.In this multiset there will be exactly one state from Q M representing the state of the simulated machine.State q ∞ plus some number of states q − will be there to encode a condition on a successful run.
The automaton A will pass also through e-configurations that are not well-formed, but in its accepting run it will have to repeatedly return to well-formed e-configurations.
Example 5.6.Consider an e-configuration {$ 0.1 , 1 0.2 , $ 0.3 , $ 0.4 , 2 0.6 , $ 0.8 , 1 0.9 , q 5 , q 5 − , q 5 ∞ } where for readability we write a pair ($, 0.1) as $ 0.1 ; and similarly for all other elements of the set.This e-configuration is well-formed and encodes the configuration (q, 2, 1, 0, 0, 0) of M g .Observe that there are infinitely many well-formed e-configurations encoding this configuration of M. Now we describe transitions of the automaton.In order to have an intuition for reading the rules below it is important to observe that if the automaton reads a letter σ then all states in its current e-configuration have to make a transition according to some rule labeled σ.In consequence, if there is a state in the e-configuration that does not have a rule for σ then the automaton cannot read σ.
The automaton starts in the state q init and waits at least one time unit to start its two copies: one in a state q 0 and another in q ∞ (where q 0 is the initial state of M g ), This means that the e-configuration becomes {(q 0 , v), (q ∞ , v)} with v ∈ I ∞ .
Note that the transition on $ reads a different letter than that on i.In consequence, if in a e-configuration there are pairs with both $ and i having clock values in I ∞ then neither sh$ nor shc are possible.As we will have no more transitions from ($, I ∞ ) this means that the automaton will be blocked in such e-configuration.Now we consider moves on transitions of the machine M g .For σ = (q : if c i = 0 then goto q ′ ) we just do q, I ∞ σ −→ q ′ .Note that, thanks to earlier restriction, the transition is possible only when there are no i states in the e-configuration.For σ = (q : if c i > 0 then c i := c i − 1; goto q ′ ) we do q, I ∞ σ −→q ′ , i, I ∞ σ −→⊤.
As the machine should allow insertion errors, we add a transition q, I ∞ new −→ q ∧ $ ∧ (i, reset).
Finally, we have special states q ∞ and q − , that are used to ensure that states from Q acc appear infinitely The state q ∞ produces repeatedly new q − states, The state q − is the only one, which is in Q − , so in the accepting run every q − state has to disappear after some time.States q − disappear, when there is a transition ending in a state from Q acc , q − , I ∞ σ −→ ⊤ ∀σ = (. . .goto q ′ ), q ′ ∈ Q acc , q − , I ∞ σ −→ q − for all other σ.Example 5.7.Let us see how a transition σ = (q : if c 2 > 0 then c 2 := c 2 − 1; goto q 2 ) is simulated from the e-configuration in Example 5.6.One possibility is to immediately execute a transition reading σ.We get the e-configuration {$ 0.1 , 1 0.2 , $ 0.3 , $ 0.4 , 2 0.6 , $ 0.8 , 1 0.9 , q 5  2 , q 5 − , q 5 ∞ } which is well-formed and encodes the configuration (q 2 , 2, 1, 0, 0, 0) of M g .The second counter has not been decreased, but this is correct as the machine is allowed to do incremental errors.
Adam chooses one of subformulas b 1 , b 2 and the play continues with b replaced by the chosen subformula; • b = b 1 ∨ b 2 : dually, Eve chooses one of subformulas;

Definition 3 . 6 .
H(A) is a transition system which has Λ * I × Λ ∞ as a set of configurations, and for every letter σ ∈ Σ there is a transition c σ −→ c ′ if there are states P, P ′ of S(A) such that P a −→ P ′ and H(P ) = c, H(P ′ ) = c ′ .Direct examination of the definition gives us the following.Lemma 3.7.If H(P 1 ) = H(P 2 ) and P 1 σ

2 c 2 . 1 c 2 ,
we may do (delay, ǫ) from c ′ 1 and we get c ′ Otherwise already c ′ we do not do any action and take c ′ 2 = c ′ 1 .Similarly for (delay, a): either we match it with (delay, a) or just with a.An obvious induction gives a proof of the first statement.

16 P
. PARYS AND I. WALUKIEWICZ by the above observations the second property of the lemma holds.For the first property observe that whenever c ′ ⊑ c and c ∈ exp( c, λ 1 . . .λ k ) then there isc ′ ∈ exp( c ′ , λ 1 . . .λ k ) with c ′ r c.Lemma 3.27.There is an algorithm that given a set Y upward closed with respect to the r relation computes a constant M Σ * (Y ) such that the size of every minimal element of pre ∀ Σ * (Y ) is bounded by M Σ * (Y ).Proof.There are only finitely many different C(λ ∞ ) constructed in the above lemma.Let M Σ * be the maximal possible value of B(Y, C(λ ∞ )) (cf.Lemma 3.23) 3 we have joined together a transition letting the time pass with an action transition and write just a,t ֒→ transitions.In what follows we will use only two regions: I 1 = [0, 1] and I ∞ = (1, ∞).Definition 5.5.An e-configuration P of A is well-formed if: