TIMED AUTOMATA ROBUSTNESS ANALYSIS VIA MODEL CHECKING

Abstract. Timed automata (TA) have been widely adopted as a suitable formalism to model time-critical systems. Furthermore, contemporary model-checking tools allow the designer to check whether a TA complies with a system specification. However, the exact timing constants are often uncertain during the design phase. Consequently, the designer is often able to build a TA with a correct structure, but the timing constants need to be tuned to satisfy the specification. Moreover, even if the TA initially satisfies the specification, it can be the case that just a slight perturbation during the implementation causes a violation of the specification. Unfortunately, model-checking tools are usually not able to provide any reasonable guidance on how to fix the model in such situations. In this paper, we propose several concepts and techniques to cope with the above-mentioned design-phase issues when dealing with reachability and safety specifications.


Introduction
Timed automata (TA) [AD94] extend finite automata with a set of real-time variables, called clocks. The clocks enrich the semantics, and the constraints on the clocks restrict the behavior of the automaton, which is particularly important in modeling time-critical systems. Examples of TA models of critical systems include scheduling of real-time systems [Feh99, DILS09, GGD+07], medical devices [KMPP15, JPAM14], rail-road crossing systems [Wan04] and home-care plans [GBST14].
Model-checking methods allow for verifying whether a given TA meets a given system specification. Contemporary model-checking tools, such as UPPAAL [BDL+06] or Imitator [AFKS12], have proved to be practically applicable on various industrial case studies [BDL+06, AFMS19, HPW01]. Unfortunately, during the system design phase, the system information is often incomplete. A designer is often able to build a TA with a correct structure, i.e., exactly capturing the locations and transitions of the modeled system; however, the exact clock (timing) constraints that enable/trigger the transitions can be uncertain. information on which constraints are effective in avoiding unsafe behaviors and how the verification result changes if some of the constraints are relaxed or removed. The second problem we study aims to provide additional information on a positive verification result for a safety specification described as avoiding a set of "unsafe" locations. In particular, we study the following problem: given a timed automaton $A$ and a safety property that is satisfied by $A$, remove and/or relax the clock constraints of $A$ such that the resultant automaton $A'$ still satisfies the safety property. Here, our primary goal is to minimize the number of constraints that need to be left in the TA to prevent reaching the unsafe locations. Equivalently, we maximize the number of constraints that can be removed from the TA while keeping the unsafe locations unreachable. Our secondary goal is to maximize the total change in the timing constants used in the remaining clock constraints, where we consider two scenarios: (1) maximize the total change (as in the reachability case); (2) relax each clock constraint by the same amount and maximize this amount. Again, we present a two-step solution to the considered problem. In the first step, we identify a minimal guarantee (MG) of $A$, that is, a minimal set of constraints that need to be left in the automaton to ensure that the unsafe locations are still unreachable. In other words, the automaton $A''$ obtained by removing the constraints that are not in the MG still satisfies the safety specification, and removing any additional constraint results in a violation. In the second step, we relax the thresholds of the constraints from the MG (i.e., the clock constraints of $A''$). For both of the aforementioned relaxation scenarios, we parametrize the constraints of $A''$ and employ a parameter synthesis tool.
The methods we develop to solve the second problem allow us to relax the TA as much as possible without violating the safety specification. In general, during the design of the automaton, redundant constraints can be added unintentionally to ensure safety. The results of our analysis allow the designer to identify and remove such unnecessary constraints. Furthermore, the constraint constants can be too tight, unnecessarily restricting the set of possible behaviors of the automaton. The results obtained in the second step help the designer to relax such constants. On the other hand, if it is not possible to further relax the constraints in the MG, small perturbations result in a violation of the specification, in which case the designer might choose to further restrict some of the constraint constants from the MG. Consequently, the developed method is intended to assist the designer in improving a model that was generated in a best-effort manner.
The proposed approach for tuning a TA for reachability specifications first appeared in [BSGČ21]. This paper extends [BSGČ21] by introducing the minimal guarantee concept and the corresponding methods to (i) generate MGs and (ii) compute the corresponding relaxations for tuning a TA for safety specifications.
Outline. The rest of the paper is organized as follows. Section 2 introduces the basic concepts used throughout the paper and formally defines the problems we deal with. Subsequently, in Sections 3 and 4, we describe our approaches for identifying Minimal Sufficient Reductions (MSRs) and Minimal Guarantees (MGs), respectively. In Section 6, we describe how to only relax timing constraints in an MSR instead of completely removing the constraints from the TA. Similarly, in Section 7 we show how to further relax an MG via parameter synthesis. In Section 8, we provide an overview of related work. Finally, we experimentally evaluate the proposed techniques in Section 9 and conclude in Section 10.

Preliminaries
2.1. Timed Automata. A timed automaton (TA) [Alu99, AD94, LY93] is a finite-state machine extended with a finite set $C$ of real-valued clocks. A clock $x \in C$ measures the time spent after its last reset. In a TA, clock constraints are defined for locations (states) and transitions. A simple clock constraint is defined as $x - y \prec c$ where $x, y \in C \cup \{0\}$, $\prec\ \in \{<, \le\}$ and $c \in \mathbb{Z} \cup \{\infty\}$.¹ Simple clock constraints and constraints obtained by combining these with the conjunction operator ($\wedge$) are called clock constraints. The sets of simple and all clock constraints are denoted by $\Phi_S(C)$ and $\Phi(C)$, respectively. For a clock constraint $\varphi \in \Phi(C)$, $S(\varphi)$ denotes the simple constraints from $\varphi$, e.g., $S(x - y < 10 \wedge y \le 20) = \{x - y < 10,\ y \le 20\}$. A clock constraint is called parametric if the numerical constant (i.e., $c$) is represented by a parameter. A clock valuation $v : C \to \mathbb{R}^{+}$ assigns a non-negative real value to each clock. The notation $v \models \varphi$ denotes that the clock constraint $\varphi$ evaluates to true when each clock $x$ is replaced with $v(x)$. For a clock valuation $v$ and $d \in \mathbb{R}^{+}$, $v + d$ is the clock valuation obtained by delaying each clock by $d$, i.e., $(v + d)(x) = v(x) + d$ for each $x \in C$. For $\lambda \subseteq C$, $v[\lambda := 0]$ is the clock valuation obtained after resetting each clock from $\lambda$, i.e., $v[\lambda := 0](x) = 0$ for each $x \in \lambda$ and $v[\lambda := 0](x) = v(x)$ for each $x \in C \setminus \lambda$.

Definition 2.1 (Timed Automata). A timed automaton $A = (L, l_0, C, \Delta, \mathit{Inv})$ is a tuple, where $L$ is a finite set of locations, $l_0 \in L$ is the initial location, $C$ is a finite set of clocks, $\Delta \subseteq L \times 2^{C} \times \Phi(C) \times L$ is a finite transition relation, and $\mathit{Inv} : L \to \Phi(C)$ is an invariant function.
For a transition $e = (l_s, \lambda, \varphi, l_t) \in \Delta$, $l_s$ is the source location, $l_t$ is the target location, $\lambda$ is the set of clocks reset on $e$ and $\varphi$ is the guard (i.e., a clock constraint) tested for enabling $e$. A parametric TA (PTA) extends TA by allowing the use of parametric constraints. Given a PTA $A$ with parameter set $P$ and a parameter valuation $p : P \to \mathbb{N}$, a (non-parametric) TA $A(p)$ is obtained by replacing each parameter $p \in P$ in $A$ with the corresponding valuation $p(p)$. The semantics of a TA is given by a labelled transition system (LTS). An LTS is a tuple $T = (S, s_0, \Sigma, \to)$, where $S$ is a set of states, $s_0 \in S$ is an initial state, $\Sigma$ is a set of symbols, and $\to\ \subseteq S \times \Sigma \times S$ is a transition relation. A transition $(s, a, s') \in\ \to$ is also denoted as $s \xrightarrow{a} s'$.

Definition 2.2 (LTS semantics for TA). Given a TA $A = (L, l_0, C, \Delta, \mathit{Inv})$, the labelled transition system $T(A) = (S, s_0, \Sigma, \to)$ is defined as follows: , where $\mathbf{0}(x) = 0$ for each $x \in C$, • $\Sigma = \{act\} \cup \mathbb{R}^{+}$, and • the transition relation $\to$ is defined by the following rules: delay transition: $(l,$ there exists $(l, \lambda, \varphi, l') \in \Delta$ such that $v \models \varphi$, $v' = v[\lambda := 0]$, and $v' \models \mathit{Inv}(l')$.
The notation $s \to_d s'$ is used to denote a delay transition of duration $d$ followed by a discrete transition from $s$ to $s'$, i.e., $s \xrightarrow{d} s \xrightarrow{act} s'$. A run $\rho$ of $A$ is either a finite or an infinite alternating sequence of delay and discrete transitions, i.e., $\rho =$ The set of all runs of $A$ is denoted by $[\![A]\!]$.

¹ Simple constraints are only defined as upper bounds to simplify the presentation. This definition is not restrictive since $x - y \ge c$ and $x \ge c$ are equivalent to $y - x \le -c$ and $0 - x \le -c$, respectively. A similar argument holds for strict inequality ($>$).

Figure 1. An illustration of a TA used in Examples 2.3, 2.13 and 2.14.
A path $\pi$ of $A$ is an interleaving sequence of locations and transitions, $\pi = l_0, e_1, l_1, e_2, \ldots$, where $e_{i+1} = (l_i, \lambda_{i+1}, \varphi_{i+1}, l_{i+1}) \in \Delta$ for each $i \ge 0$. A path $\pi = l_0, e_1, l_1, e_2, \ldots$ is realizable if there exists a delay sequence $d_0, d_1, \ldots$ such that $(l_0, \mathbf{0}) \to_{d_0} (l_1, v_1) \to_{d_1} (l_2, v_2) \to_{d_2} \cdots$ is a run of $A$ and for every $i \ge 1$, the $i$th discrete transition is taken according to $e_i$, i.e., $e_i = (l_{i-1}, \lambda_i, \varphi_i, l_i)$, $v_{i-1} + d_{i-1} \models \varphi_i$, $v_i = (v_{i-1} + d_{i-1})[\lambda_i := 0]$ and $v_i \models \mathit{Inv}(l_i)$.
For a TA $A$ and a subset of its locations $L_T \subseteq L$, $L_T$ is said to be reachable on $A$ if there exists $\rho = (l_0, \mathbf{0}) \to_{d_0} (l_1, v_1) \to_{d_1} \cdots \to_{d_{n-1}} (l_n, v_n) \in [\![A]\!]$ such that $l_n \in L_T$; otherwise, $L_T$ is unreachable. In this study, $L_T$ is used to denote the set of target locations for reachability specifications and the set of unsafe locations for safety specifications. In the latter case, $A$ is called safe if $L_T$ is unreachable; otherwise $A$ is unsafe. The reachability problem, $\mathit{isReachable}(A, L_T)$, is decidable and implemented in various verification tools including UPPAAL [BDL+06]. The verifier either returns "No", indicating that such a run does not exist, or it generates a run (counter-example) leading from the initial state of $A$ to a location $l_n \in L_T$.
2.2. Timed Automata Relaxation. For a timed automaton $A = (L, l_0, C, \Delta, \mathit{Inv})$, the set of pairs of transitions and associated simple constraints is defined in (2.1), and the set of pairs of locations and associated simple constraints is defined in (2.2).
Intuitively, the TA $A_{\langle D,I,r\rangle}$ emerges from $A$ by relaxing the guards of the transitions from the set $D$ and the invariants of the locations from $I$ with respect to $r$.
Proposition 2.6. Let $A = (L, l_0, C, \Delta, \mathit{Inv})$ be a timed automaton, $D \subseteq \Psi(\Delta)$ and $I \subseteq \Psi(\mathit{Inv})$ be sets of simple guard and invariant constraints, and $r : D \cup I \to \mathbb{N} \cup \{\infty\}$ be a relaxation valuation. Then $[\![A]\!] \subseteq [\![A_{\langle D,I,r\rangle}]\!]$.

Reductions and Guarantees.
Definition 2.7. A reduction is a relaxation $A_{\langle D,I,r\rangle}$ of $A$ such that $r(a) = \infty$ for each $a \in D \cup I$. Moreover, since $r$ is fixed, we simply denote the reduction by $A_{\langle D,I\rangle}$.
Intuitively, a reduction $A_{\langle D,I\rangle}$ effectively removes all the simple constraints $D \cup I$ from $A$. Also, note that $A = A_{\langle \emptyset,\emptyset\rangle}$. Hereafter, we use two notations for naming a reduction: either we simply use capital letters, e.g., $M, N, K$, to name a reduction, or we use the notation $A_{\langle D,I\rangle}$ to also specify the sets $D, I$ of simple clock constraints. Given a reduction $N = A_{\langle D,I\rangle}$, $|N|$ denotes the cardinality $|D \cup I|$. Furthermore, $R_A$ denotes the set of all reductions of $A$. We define a partial order relation We say that a reduction $A_{\langle D,I\rangle}$ is a sufficient reduction (w.r.t. $A$ and $L_T$) iff $L_T$ is reachable on $A_{\langle D,I\rangle}$; otherwise, $A_{\langle D,I\rangle}$ is an insufficient reduction. Crucially, observe that the property of being a sufficient reduction is monotone w.r.t. the partial order:

Proposition 2.8. Let $A_{\langle D,I\rangle}$ and $A_{\langle D',I'\rangle}$ be reductions such that $A_{\langle D,I\rangle} \subseteq A_{\langle D',I'\rangle}$. If $A_{\langle D,I\rangle}$ is sufficient then $A_{\langle D',I'\rangle}$ is also sufficient.
Proof. Note that $A_{\langle D',I'\rangle}$ is a $(D' \setminus D,\ I' \setminus I)$-reduction of $A_{\langle D,I\rangle}$. By Proposition 2.6, $[\![A_{\langle D,I\rangle}]\!] \subseteq [\![A_{\langle D',I'\rangle}]\!]$, i.e., the run of $A_{\langle D,I\rangle}$ that witnesses the reachability of $L_T$ is also a run of $A_{\langle D',I'\rangle}$.

Definition 2.9 (MSR). A sufficient reduction $A_{\langle D,I\rangle}$ is a minimal sufficient reduction (MSR) iff there is no $c \in D \cup I$ such that the reduction $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ is sufficient. Equivalently, due to Proposition 2.8, $A_{\langle D,I\rangle}$ is an MSR iff there is no sufficient reduction $A_{\langle D',I'\rangle}$ such that $A_{\langle D',I'\rangle} \subsetneq A_{\langle D,I\rangle}$.
Definition 2.10 (MIR). An insufficient reduction $A_{\langle D,I\rangle}$ is a maximal insufficient reduction (MIR) iff there is no $c \in (\Psi(\Delta) \cup \Psi(\mathit{Inv})) \setminus (D \cup I)$ such that the reduction $A_{\langle D',I'\rangle}$ with $D' \cup I' = D \cup I \cup \{c\}$ is insufficient. Equivalently, due to Proposition 2.8, $A_{\langle D,I\rangle}$ is an MIR iff there is no insufficient reduction $A_{\langle D'',I''\rangle}$ such that $A_{\langle D,I\rangle} \subsetneq A_{\langle D'',I''\rangle}$.
Intuitively, an MSR represents a minimal set of constraints that need to be removed from $A$ to make the target location(s) $L_T$ reachable, whereas an MIR represents a maximal set of constraints whose removal does not make the target location(s) reachable.
Recall that a reduction $A_{\langle D,I\rangle}$ is determined by $D \subseteq \Psi(\Delta)$ and $I \subseteq \Psi(\mathit{Inv})$. Consequently, $|R_A| = 2^{|\Psi(\Delta) \cup \Psi(\mathit{Inv})|}$ (i.e., there are exponentially many reductions w.r.t. $|\Psi(\Delta) \cup \Psi(\mathit{Inv})|$). Moreover, there can be up to $\binom{k}{k/2}$ MSRs (MIRs), where $k = |\Psi(\Delta) \cup \Psi(\mathit{Inv})|$.² Also note that the minimality (maximality) of a reduction does not mean a minimum (maximum) number of simple clock constraints that are removed by the reduction; there can exist two MSRs (MIRs), $M$ and $N$, such that Note that there can also be up to $\binom{k}{k/2}$ minimum MSRs and up to $\binom{k}{k/2}$ maximum MIRs.
In some applications, instead of thinking about an MIR of $A$, i.e., a maximal set of simple clock constraints whose removal does not make the target location(s) reachable, it might be more natural to think about the complement of an MIR, i.e., a minimal set of simple clock constraints that need to be left in $A$ to ensure that the target location is still unreachable. We define this complementary notion as a minimal guarantee:

Definition 2.11 (MG). Given a reduction $A_{\langle D,I\rangle}$, the set $D \cup I$ of simple clock constraints constitutes a guarantee (for $A$) iff the reduction $A_{\langle \Psi(\Delta)\setminus D,\ \Psi(\mathit{Inv})\setminus I\rangle}$ is insufficient. Furthermore, a guarantee $D \cup I$ is a minimal guarantee (MG) iff for every $c \in D \cup I$ the reduction $A_{\langle \Psi(\Delta)\setminus(D\setminus\{c\}),\ \Psi(\mathit{Inv})\setminus(I\setminus\{c\})\rangle}$ is sufficient. Equivalently, due to Proposition 2.8, $D \cup I$ is an MG iff there is no guarantee Note that, for technical reasons, we define the concept of an MG as a set $D \cup I$ of simple clock constraints, whereas the concept of an MIR is defined as a reduction $A_{\langle D',I'\rangle}$ (i.e., a TA) that is determined by a set $D' \cup I'$ of simple clock constraints.

² There are $\binom{k}{k/2}$ pairwise incomparable elements of $R_A$ w.r.t. $\subsetneq$ (see Sperner's theorem [Spe28]) and all of them can be MSRs (or MIRs).
Example 2.13. Assume the TA $A$ and $L_T = \{l_4\}$ from Example 2.3 (Fig. 1). There are 24 MSRs and 4 of them are minimum. For example, $A_{\langle D,I\rangle}$ with $D = \{(e_5, x \ge 25)\}$ and $I = \{(l_3, u \le 26)\}$ is a minimum MSR, and $A_{\langle D',I'\rangle}$ with $D' = \{(e_9, y \le 15), (e_7, z \le 15)\}$ and $I' = \{(l_6, x \le 10)\}$ is a non-minimum MSR. There are 40 MGs (and hence MIRs) and 21 of them are minimum. For instance, $D \cup I$ with $D = \{(e_5, z \ge 9), (e_8, u \ge 35), (e_1, x \ge 9), (e_4, z \ge 9)\}$ and $I = \{(l_5, x \le 10), (l_6, x \le 10), (l_0, z \le 10), (l_3, u \le 26)\}$ is a non-minimum MG, and $D' \cup I'$ with $D' = \{(e_7, x \ge 9), (e_9, y \le 15), (e_8, x \ge 9), (e_5, x \ge 25)\}$ and

Finally, note that in some situations we might not want to include the whole set $\Psi(\Delta) \cup \Psi(\mathit{Inv})$ of all simple clock constraints in the analysis but rather just a subset of it (e.g., because some simple clock constraints simply cannot be modified). Our definitions of $(D, I, r)$-relaxations, reductions, and guarantees can be naturally extended to work with just a subset of $\Psi(\Delta) \cup \Psi(\mathit{Inv})$. We illustrate this on a simple example.
Example 2.14. Assume that only 4 of the simple clock constraints from the TA in Fig. 1 can be removed/relaxed and the other simple clock constraints represent physical limitations that cannot be changed. The tunable simple clock constraints are $c_1 = x \ge 9$, $c_2 = z \ge 9$, $c_3 = x \le 14$ and $c_4 = u \le 26$, which appear on edge $e_1$, edge $e_5$, location $l_1$, and location $l_3$, respectively. Note that these constraints are highlighted in green in Fig. 1. If we restrict our analysis to those four constraints, then there are two MSRs, $\{c_3, c_4\}$ and $\{c_1, c_2, c_3\}$, and three MGs: $\{c_3\}$, $\{c_1, c_4\}$ and $\{c_2, c_4\}$. We provide a power-set illustration of this example in Fig. 2.

Algorithm 1: Minimum MSR Extraction Scheme

In this paper, we are mainly concerned with the following two problems. The first problem and the proposed solution were presented in our conference paper [BSGČ21].
Problem 2.15. Given a TA $A = (L, l_0, C, \Delta, \mathit{Inv})$ and a set of target locations $L_T \subset L$ that is unreachable on $A$, find a minimal $(D, I, r)$-relaxation $A_{\langle D,I,r\rangle}$ of $A$ such that $L_T$ is reachable on $A_{\langle D,I,r\rangle}$. In particular, the goal is to identify a $(D, I, r)$-relaxation that minimizes the number $|D \cup I|$ of relaxed constraints and, secondly, minimizes the overall change $\sum_{c \in D \cup I} r(c)$ of the clock constraints.

Our solution to Problem 2.15 is described in detail in Sections 3 and 6. Briefly, we solve Problem 2.15 in two steps. First, we identify a minimum MSR $A_{\langle D,I\rangle}$ for $A$, i.e., a minimal set $D \cup I$ of simple clock constraints whose removal from $A$ makes the target locations $L_T$ reachable. Second, instead of completely removing the constraints, we turn the MSR $A_{\langle D,I\rangle}$ into the resultant $(D, I, r)$-relaxation. To construct the $(D, I, r)$-relaxation, we propose two alternative approaches: (1) an approach based on Mixed Integer Linear Programming (MILP) and (2) an approach based on parameter synthesis for PTA.
Problem 2.16. Given a TA $A = (L, l_0, C, \Delta, \mathit{Inv})$ and a set of target locations $L_T \subset L$ that is unreachable on $A$, find a maximal $(D, I, r)$-relaxation $A_{\langle D,I,r\rangle}$ of $A$ such that $L_T$ is still unreachable on $A_{\langle D,I,r\rangle}$. In particular, the goal is to identify a $(D, I, r)$-relaxation that maximizes the number $|\{c \in D \cup I \mid r(c) = \infty\}|$ of constraints that are completely removed and, secondarily, maximizes the overall change $\sum_{c \in \{c' \in D \cup I \,\mid\, r(c') \neq \infty\}} r(c)$ of the clock constraints that are not completely removed.
Our solution to Problem 2.16 is presented in Sections 4 and 7. Briefly, we first identify a minimum MG $D' \cup I'$ for $A$, i.e., a minimal set $D' \cup I'$ of simple clock constraints that need to be left in $A$ to ensure that the target locations $L_T$ are still unreachable. Subsequently, we employ parameter synthesis to further relax (as much as possible) the constraints $D' \cup I'$ that are left in the system. For both of the considered problems, we assume that there is a path from the initial state to the target set $L_T$ (unrealizable, since $L_T$ is not reachable). Thus, the target set can become reachable via constraint removals/relaxations.

Finding Minimal Sufficient Reductions
In this section, we gradually describe our approach for finding a minimum minimal sufficient reduction.

Algorithm 2: shrink($A_{\langle D,I\rangle}$, I)

3.1. Base Scheme for Computing a Minimum MSR. Algorithm 1 shows a high-level scheme of our approach for computing a minimum MSR. The algorithm iteratively identifies an ordered set of MSRs, Each of the MSRs, say $M_i$, is identified in two steps. First, the algorithm finds an s-seed, i.e., a reduction $N_i$ such that $N_i$ is sufficient and , the reduction that removes all simple clock constraints (which makes all locations of $A$ trivially reachable). Once there is no sufficient reduction Note that the algorithm also maintains two auxiliary sets, I and S, to store all identified insufficient and sufficient reductions, respectively. In particular, whenever we identify a new MSR $M_i$, we add every reduction $X$ such that $M_i \subseteq X$ to S since, by Proposition 2.8, every such $X$ is sufficient. Dually, since $M_i$ is an MSR, every reduction $Y$ such that $Y \subsetneq M_i$ is necessarily insufficient, and hence we add it to I. The sets I and S are used during the process of finding and shrinking an s-seed, which we describe below.
3.2. Shrinking an S-Seed. Our approach for shrinking an s-seed $N$ into an MSR $M$ is based on two concepts: a critical simple clock constraint and a reduction core.
for a sufficient reduction $A_{\langle D,I\rangle}$ then $c$ is critical for every sufficient reduction $A_{\langle D',I'\rangle}$ such that $A_{\langle D',I'\rangle} \subseteq A_{\langle D,I\rangle}$. Moreover, by Definitions 2.9 and 3.1, $A_{\langle D,I\rangle}$ is an MSR iff every $c \in D \cup I$ is critical for $A_{\langle D,I\rangle}$.
Intuitively, the reduction core of $A_{\langle D,I\rangle}$ w.r.t. $\rho$ removes from $A$ only the simple clock constraints that appear on the witness path.
Proposition 3.4. Let $A_{\langle D,I\rangle}$ be a sufficient reduction, $\rho$ the witness of reachability of $L_T$ on $A_{\langle D,I\rangle}$, and $A_{\langle D',I'\rangle}$ the reduction core of $A_{\langle D,I\rangle}$ w.r.t. $\rho$. Then $A_{\langle D',I'\rangle}$ is a sufficient reduction and $A_{\langle D',I'\rangle} \subseteq A_{\langle D,I\rangle}$.
Proof. By Definition 3.3, $D' \subseteq D$ and $I' \subseteq I$, thus $A_{\langle D',I'\rangle} \subseteq A_{\langle D,I\rangle}$. As for the sufficiency of $A_{\langle D',I'\rangle}$, we only sketch the proof. Intuitively, both $A_{\langle D,I\rangle}$ and $A_{\langle D',I'\rangle}$ originate from $A$ by only removing some simple clock constraints ($D \cup I$ and $D' \cup I'$, respectively), i.e., the graph structure of $A_{\langle D,I\rangle}$ and $A_{\langle D',I'\rangle}$ is the same; however, some corresponding paths of $A_{\langle D,I\rangle}$ and $A_{\langle D',I'\rangle}$ differ in the constraints that appear on the paths. By Definition 3.3, the path $\pi$ that corresponds to the witness run $\rho$ of $A_{\langle D,I\rangle}$ is also a path of $A_{\langle D',I'\rangle}$. Since the realizability of a path depends only on the constraints along the path, if $\pi$ is realizable on $A_{\langle D,I\rangle}$ then $\pi$ is also realizable on $A_{\langle D',I'\rangle}$.
Our approach for shrinking a sufficient reduction $N$ is shown in Algorithm 2. The algorithm iteratively maintains a sufficient reduction $A_{\langle D,I\rangle}$ and a set $X$ of known critical constraints for $A_{\langle D,I\rangle}$. Initially, $A_{\langle D,I\rangle} = N$ and $X = \emptyset$. In each iteration, the algorithm picks a simple clock constraint $c \in (D \cup I) \setminus X$ and checks the reduction $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ for sufficiency. If $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ is insufficient, the algorithm adds $c$ to $X$. Otherwise, if $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ is sufficient, the algorithm obtains a witness run $\rho$ of the sufficiency from the verifier and reduces $A_{\langle D,I\rangle}$ to the corresponding reduction core. The algorithm terminates when $(D \cup I) = X$. An invariant of the algorithm is that every $c \in X$ is critical for $A_{\langle D,I\rangle}$. Thus, when $(D \cup I) = X$, $A_{\langle D,I\rangle}$ is an MSR (Proposition 3.2).
Note that the algorithm also uses the set I of known insufficient reductions. In particular, before calling a verifier to check a reduction for sufficiency (line 4), the algorithm first checks (in a lazy manner) whether the reduction is already known to be insufficient. Also, whenever the algorithm determines a reduction $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ to be insufficient, it adds $A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ and every $N$ with $N \subseteq A_{\langle D\setminus\{c\},\,I\setminus\{c\}\rangle}$ to I (by Proposition 2.8, every such $N$ is also insufficient).
Finally, note that the algorithm does not add any reduction to the set S even though it can identify some sufficient reductions during its computation. The reason is that every such identified reduction is larger (w.r.t. $\subseteq$) than the resultant MSR, and hence all these sufficient reductions are added to S in the main procedure (Algorithm 1) after the shrinking.

3.3. Finding an S-Seed. We now describe the procedure findSSeed that, given the latest identified MSR $M$, identifies an s-seed, i.e., a sufficient reduction $N$ such that $|N| < |M|$, or returns null if there is no s-seed. Let us denote by CAND the set of all candidates for an s-seed, i.e., $\mathit{CAND} = \{N \in R_A \mid |N| < |M|\}$. A brute-force approach would be to check individual reductions in CAND for sufficiency until a sufficient one is found; however, this can be practically intractable since $|\mathit{CAND}| =$

Algorithm 3: findSSeed($M$, I, S)

We provide two observations to prune the set CAND of candidates that need to be tested for being an s-seed. The first observation exploits the set I of already known insufficient reductions: no $N \in$ I can be an s-seed. The second observation is stated below:

Observation 3.5. For every sufficient reduction $N \in \mathit{CAND}$ there exists a sufficient reduction . By definition of CAND, $N' \in \mathit{CAND}$. Moreover, since $N \subsetneq N'$ and $N$ is sufficient, $N'$ is also sufficient (Proposition 2.8).
Based on the above observations, we build a set $C_s$ of indispensable candidates for s-seeds that need to be tested for sufficiency: The procedure findSSeed, shown in Algorithm 3, in each iteration picks a reduction $N \in C_s$ and checks it for sufficiency (via the verifier). If $N$ is sufficient, findSSeed returns $N$ as the s-seed. Otherwise, when $N$ is insufficient, the algorithm first enlarges $N$ into a maximal insufficient reduction (MIR) $E$ such that $N \subseteq E$. By Proposition 2.8, every reduction $N'$ such that $N' \subseteq E$ is also insufficient, thus all these reductions are subsequently added to I and hence removed from $C_s$ (note that this includes also $N$). If $C_s$ becomes empty, then there is no s-seed.
The purpose of enlarging $N$ into $E$ is to quickly prune the candidate set $C_s$. We could just add all the insufficient reductions $\{N$ The enlargement of $N$ into an MIR $E$ is carried out via Algorithm 5 and is described later on in Section 4. Note that Algorithm 5 exploits and updates the set S of already known sufficient reductions.
Finally, let us note that we need to efficiently represent and maintain the sets I, S and $C_s$. In particular, we need to be able to add elements to these sets and obtain elements from them. The problem is that there can be exponentially many reductions w.r.t. $|\Psi(\Delta) \cup \Psi(\mathit{Inv})|$, and hence these sets can also be exponentially large and cannot be stored explicitly. In Section 5, we describe how we efficiently maintain these sets.

Example Execution.
We illustrate an execution of Algorithm 1 on the TA $A$ defined in Example 2.3 (Fig. 1) with the initial location $l_0$ and the unreachable target set $L_T = \{l_4\}$. For the sake of a graphical illustration, we restrict our analysis to the possible removal of only 4 simple clock constraints: $c_1 = x \ge 9$, $c_2 = z \ge 9$, $c_3 = x \le 14$ and $c_4 = u \le 26$, which appear on edge $e_1$, edge $e_5$, location $l_1$, and location $l_3$, respectively (same as in Example 2.14). We use a bitvector notation to denote the individual reductions, e.g., $A_{1011}$ represents the reduction $A_{\langle D,I\rangle}$ where $D \cup I = \{c_1, c_3, c_4\}$.
The computation starts by setting $N$ to $A_{1111}$, I $= \emptyset$ and S $= \emptyset$. Subsequently, in the first iteration of Algorithm 1, $N$ is shrunk into an MSR $M$. Assume that $M = A_{0011}$, and that I was enlarged to I $= \{A_{0001}, A_{0010}, A_{0000}\}$. After the shrinking, Algorithm 1 also enlarges the sets I and S by adding to them the reductions that are smaller and larger than $M$ w.r.t. $\subseteq$ and $\supseteq$, respectively. We depict the situation at this moment in Figure 3. The power set in the figure represents all possible reductions of $A$ (in the picture, we denote a reduction $A_B$ by the bitvector $B$). The reductions with a dashed border are insufficient, and the reductions with a solid border are sufficient. We use green and red background colors to highlight the reductions in the sets S and I, respectively. Moreover, we highlight in blue two reductions, $A_{0100}$ and $A_{1000}$, that will form the set $C_s$ in the subsequent call of findSSeed($M$, I, S).
During the execution of findSSeed($M$, I, S), assume we first pick the candidate reduction $N = A_{0100} \in C_s$ and check it for sufficiency. It is insufficient, hence we enlarge it (via enlarge($N$, S)) to an insufficient reduction $E$; assume $E = A_{1101}$. Subsequently, we add to I every reduction $N'$ such that $N' \subseteq E$. The situation at this moment is depicted in Figure 4. At this point, $C_s$ is empty, i.e., we have the guarantee that there is no s-seed that would be smaller than $M$ w.r.t. $\subsetneq$. Hence, findSSeed terminates, and Algorithm 1 then also terminates, determining that the $M$ from the first (and only) iteration is a minimum MSR.
Finally, let us note that there are different possible executions of our algorithm on the given example. In particular, in Algorithm 3, we choose a reduction $N$ from the candidate set $C_s$, and the choice determines which sufficient reduction will be produced (if any). Similarly, in Algorithm 2, we pick constraints $c$ in some order, and this order determines which MSR will be produced. We observed that different reduction and constraint choices affect the performance of the overall algorithm, both in the runtime and in the number of performed verifier calls. However, we postpone the development of a suitable heuristic for making good choices to future work.

Finding Maximal Insufficient Reductions
In this section, we describe our approach for finding maximum maximal insufficient reductions (MIRs), and consequently also their complementary minimum minimal guarantees (MGs).
4.1. Base Scheme for Computing a Maximum MIR. Our scheme for computing a maximum MIR is shown in Algorithm 4, and it works in a dual way to the scheme for computing a minimum MSR (Algorithm 1). We iteratively identify a sequence and the last MIR, $M_k$, is a maximum MIR. To find each MIR $M_i$ in the sequence, we proceed in two steps. First, we identify an i-seed, i.e., an insufficient reduction Once there is no more i-seed, it is guaranteed that the last identified MIR $M_{i-1} = M_k$ is a maximum MIR. The initial i-seed $N_1$ is the reduction $A_{\langle\emptyset,\emptyset\rangle} = A$ (we assume that $L_T$ is indeed unreachable on the input TA $A$). As in the case of Algorithm 1, this scheme also maintains the auxiliary sets I and S to store all identified insufficient and sufficient reductions, respectively.

4.2. Enlarging an I-Seed. The procedure enlarge is based on the concept of conflicting simple clock constraints.

Definition 4.1 (conflicting constraint). Given an insufficient reduction
Exploiting the above two observations, we build a set $C_i$ of indispensable candidates for i-seeds that need to be tested for sufficiency, to either find an i-seed or prove that there are no more i-seeds: (4.1) The procedure findISeed (Algorithm 6) iteratively picks a reduction $N \in C_i$ and checks it for sufficiency via the verifier. If $N$ is found to be insufficient, it is returned as the i-seed. Otherwise, when $N$ is sufficient, the algorithm shrinks $N$ to an MSR $E$ via Algorithm 2. By Proposition 2.8, every reduction $N'$ such that $N' \supseteq E$ is also sufficient; hence, we add all these reductions to S (and thus implicitly remove them from $C_i$). If $C_i$ becomes empty, then there is no i-seed.
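To make the interplay of Algorithms 1 to 6 concrete, the following Python program is an added illustration (not the authors' implementation) that runs the minimum-MSR scheme of Section 3 and its maximum-MIR / minimum-MG dual of Section 4 on the four tunable constraints of Example 2.14. The verifier is a constructed stand-in oracle that decides sufficiency from the two MSRs the example names and returns that MSR as the reduction core; the sets I, S and the candidate sets are explicit Python sets rather than the symbolic encoding of Section 5.

```python
"""Added illustration (not the authors' code): the minimum-MSR scheme (Algorithms 1-3)
and its dual, maximum MIR / minimum MG (Algorithms 4-6), on Example 2.14's constraints."""
from itertools import combinations

# Constructed stand-in for the TA of Fig. 1 restricted to c1..c4 (Example 2.14):
# a reduction (a set of removed constraints) is sufficient iff it contains one
# of the two MSRs named in the example. This replaces the model checker.
CONSTRAINTS = frozenset({"c1", "c2", "c3", "c4"})
_MSRS = [frozenset({"c3", "c4"}), frozenset({"c1", "c2", "c3"})]

def verifier(removed):
    """Stand-in for isReachable(A_<D,I>, L_T): returns (sufficient, core), where core
    models the reduction core (Def. 3.3), the removed constraints on the witness path."""
    for msr in _MSRS:
        if msr <= removed:
            return True, msr
    return False, None

def subsets(s):
    return {frozenset(c) for k in range(len(s) + 1) for c in combinations(sorted(s), k)}

def supersets(s):
    return {s | t for t in subsets(CONSTRAINTS - s)}

def shrink(seed, insuff):
    """Algorithm 2: shrink a sufficient reduction to an MSR. `critical` is the set X of
    known critical constraints; `insuff` is the set I, consulted before each verifier call."""
    cur, critical = frozenset(seed), set()
    while cur - critical:
        c = min(cur - critical)              # pick order decides which MSR we reach
        cand = cur - {c}
        if cand not in insuff:
            sufficient, core = verifier(cand)
            if sufficient:
                cur = core                   # Prop. 3.4: the core is sufficient and core <= cand
                continue
            insuff |= subsets(cand)          # Prop. 2.8: every subset of cand is insufficient
        critical.add(c)                      # Def. 3.1: removing c from cur loses sufficiency
    return cur

def enlarge(seed, suff):
    """Dual of shrink (Algorithm 5): grow an insufficient reduction into an MIR one
    constraint at a time; `suff` is the set S of known sufficient reductions."""
    cur = frozenset(seed)
    for c in sorted(CONSTRAINTS - cur):
        cand = cur | {c}
        if cand in suff:
            continue                         # c conflicts with cur: adding it is known sufficient
        sufficient, _ = verifier(cand)
        if sufficient:
            suff |= supersets(cand)
        else:
            cur = cand
    return cur

def find_s_seed(msr, insuff, suff):
    """Algorithm 3: by Observation 3.5 only reductions of size |M|-1 outside I need
    testing; each insufficient candidate is enlarged to an MIR to prune C_s further."""
    while True:
        cands = {n for n in subsets(CONSTRAINTS) if len(n) == len(msr) - 1} - insuff
        if not cands:
            return None
        n = max(cands, key=sorted)           # candidate choice heuristic is left open
        if verifier(n)[0]:
            return n
        insuff |= subsets(enlarge(n, suff))

def find_i_seed(mir, insuff, suff):
    """Algorithm 6: dual of find_s_seed over reductions of size |M|+1 outside S."""
    while True:
        cands = {n for n in subsets(CONSTRAINTS) if len(n) == len(mir) + 1} - suff
        if not cands:
            return None
        n = min(cands, key=sorted)
        if not verifier(n)[0]:
            return n
        suff |= supersets(shrink(n, insuff))

def minimum_msr():
    """Algorithm 1: shrink the reduction that removes everything, then keep looking
    for a strictly smaller s-seed until none exists; returns A_0011 = {c3, c4}."""
    insuff, suff, seed = set(), set(), CONSTRAINTS
    while seed is not None:
        msr = shrink(seed, insuff)
        insuff |= subsets(msr) - {msr}       # every Y strictly below M is insufficient
        suff |= supersets(msr)               # every X above M is sufficient
        seed = find_s_seed(msr, insuff, suff)
    return msr

def minimum_mg():
    """Algorithm 4: enlarge A itself (nothing removed), then keep looking for a
    strictly larger i-seed; the minimum MG is the complement of the maximum MIR."""
    insuff, suff, seed = set(), set(), frozenset()
    while seed is not None:
        mir = enlarge(seed, suff)
        suff |= supersets(mir) - {mir}
        insuff |= subsets(mir)
        seed = find_i_seed(mir, insuff, suff)
    return CONSTRAINTS - mir
```

With the pick orders chosen here the run reproduces the execution of Section 3: shrinking stops at $A_{0011}$ with I $= \{A_{0001}, A_{0010}, A_{0000}\}$, the candidate $A_{0100}$ is enlarged to $A_{1101}$, and the search ends after one iteration.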

Representation of I, S, $C_s$, and $C_i$
Let us now describe how to efficiently represent and maintain the sets I, S, $C_s$ and $C_i$ that are used in our algorithms. Recall that we need to be able to add elements to these sets, obtain elements from these sets, and, in the case of $C_s$ and $C_i$, also perform emptiness checks. The problem is that the size of these sets can be exponential w.r.t. $|\Psi(\Delta) \cup \Psi(\mathit{Inv})|$ (there are exponentially many reductions), and thus it is practically intractable to maintain the sets explicitly. Instead, we use a symbolic representation.
Given a timed automaton $A$ with simple clock constraints $\Psi(\Delta) = \{(e_1, \varphi_1), \ldots, (e_p, \varphi_p)\}$ and $\Psi(\mathit{Inv}) = \{(l_1, \varphi_1), \ldots, (l_q, \varphi_q)\}$, we introduce two sets of Boolean variables $X = \{x_1, \ldots, x_p\}$ and $Y = \{y_1, \ldots, y_q\}$. Note that every valuation of the variables $X \cup Y$ maps one-to-one to the reduction $A_{\langle D,I\rangle}$ such that $(e_i, \varphi_i) \in D$ iff $x_i$ is assigned True and $(l_j, \varphi_j) \in I$ iff $y_j$ is assigned True.
The sets $I$ and $S$ are used both in Algorithm 1 and Algorithm 4, and in both cases they are gradually maintained during the whole computation of the algorithms. To represent $I$, we build a Boolean formula $\mathcal{I}$ such that a reduction $N$ does not belong to $I$ iff $N$ corresponds to a model of $\mathcal{I}$. Initially, $I = \emptyset$, thus $\mathcal{I} = \mathit{True}$. To add an insufficient reduction $A_{\langle D, I \rangle}$ and all reductions $N$, $N \subseteq A_{\langle D, I \rangle}$, to $I$, we add to $\mathcal{I}$ the clause $(\bigvee_{(e_i, \varphi_i) \in \Psi(\Delta) \setminus D} x_i) \vee (\bigvee_{(l_j, \varphi_j) \in \Psi(Inv) \setminus I} y_j)$. To test if a reduction $N$ is in the set $I$, we check if the valuation of $X \cup Y$ that corresponds to $N$ is not a model of $\mathcal{I}$.
Similarly, to represent $S$, we build a Boolean formula $\mathcal{S}$ such that a reduction $N$ does not belong to $S$ iff $N$ corresponds to a model of $\mathcal{S}$. Initially, $S = \emptyset$, thus $\mathcal{S} = \mathit{True}$. To add a sufficient reduction $A_{\langle D, I \rangle}$ and all reductions $N$, $N \supseteq A_{\langle D, I \rangle}$, to $S$, we add to $\mathcal{S}$ the clause $(\bigvee_{(e_i, \varphi_i) \in D} \neg x_i) \vee (\bigvee_{(l_j, \varphi_j) \in I} \neg y_j)$. The set $C_s$ is used only in Algorithm 1, namely in its subroutine findSSeed. We build the set $C_s$ repeatedly during each call of findSSeed$(M, M, I, S)$ based on Equation (3.1), and we encode it via a Boolean formula $\mathcal{C}_s$ such that every model of $\mathcal{C}_s$ corresponds to a reduction $N \in C_s$:

$\mathcal{C}_s = \mathcal{I} \wedge \mathrm{trues}(|M| - 1)$ (5.1)

where $\mathrm{trues}(|M| - 1)$ is a cardinality encoding forcing that exactly $|M| - 1$ variables from $X \cup Y$ are set to True. To check if $C_s = \emptyset$ or to pick a reduction $N \in C_s$, we ask a SAT solver for a model of $\mathcal{C}_s$. To remove an insufficient reduction from $C_s$, we update the formula $\mathcal{I}$ (and thus also $\mathcal{C}_s$) as described above.
Finally, the set $C_i$ is used in the subroutine findISeed of Algorithm 4. We build the set repeatedly during each call of findISeed$(M, M, I, S)$ and, to represent it, we maintain a Boolean formula $\mathcal{C}_i$ such that every model of $\mathcal{C}_i$ corresponds to a reduction $N \in C_i$, where $\mathrm{trues}(|M| + 1)$ is a cardinality encoding forcing that exactly $|M| + 1$ variables from $X \cup Y$ are set to True. To check if $C_i = \emptyset$ or to pick a reduction $N \in C_i$, we ask a SAT solver for a model of $\mathcal{C}_i$, and to remove a sufficient reduction from $C_i$, we update the formula $\mathcal{S}$.
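The symbolic bookkeeping above, worked on a toy instance as an added example (this is not the paper's Tamus code): reductions are bitmasks, $\mathcal{I}$ and $\mathcal{S}$ are clause lists, a brute-force enumeration over the exactly-$k$-true valuations stands in for the SAT solver, and the shrink/enlarge procedures and the sufficiency oracle `toy_sufficient` are simplified stand-ins for Algorithm 2, `enlarge` and the verifier.

```python
"""Symbolic representation of Section 5 on a toy instance (added example, not the
paper's Tamus code). A reduction over n simple constraints is a valuation of n
Boolean variables (the paper's x_i for guards, y_j for invariants), stored as an
int bitmask: bit b set means constraint b is removed. Formulas I and S are clause
lists; a brute-force enumerator over trues(k) stands in for the SAT solver."""
from itertools import combinations


class ReductionSets:
    """Formulas I and S plus the C_s and C_i candidate queries built on them."""

    def __init__(self, n):
        self.n = n
        self.clauses_I = []  # models of I = reductions NOT known to be insufficient
        self.clauses_S = []  # models of S = reductions NOT known to be sufficient

    def add_insufficient(self, red):
        # blocks red and all its subsets: some variable outside red must be True
        self.clauses_I.append([(b, True) for b in range(self.n) if not red >> b & 1])

    def add_sufficient(self, red):
        # blocks red and all its supersets: some variable inside red must be False
        self.clauses_S.append([(b, False) for b in range(self.n) if red >> b & 1])

    @staticmethod
    def _is_model(val, clauses):
        return all(any(bool(val >> b & 1) == want for b, want in cl) for cl in clauses)

    def in_I(self, red):  # membership test: N is in I iff N is not a model of formula I
        return not self._is_model(red, self.clauses_I)

    def _solve(self, clauses, k):
        # SAT stand-in: a model of `clauses` with exactly k variables True (trues(k))
        if not 0 <= k <= self.n:
            return None
        for bits in combinations(range(self.n), k):
            val = sum(1 << b for b in bits)
            if self._is_model(val, clauses):
                return val
        return None

    def pick_s_candidate(self, msr_size):
        return self._solve(self.clauses_I, msr_size - 1)  # C_s = I and trues(|M|-1), (5.1)

    def pick_i_candidate(self, mir_size):
        return self._solve(self.clauses_S, mir_size + 1)  # C_i = S and trues(|M|+1)


def size(red):
    return bin(red).count("1")


def shrink_to_msr(red, sufficient):
    # stand-in for Algorithm 2: put constraints back while the reduction stays sufficient
    for b in range(red.bit_length()):
        if red >> b & 1 and sufficient(red & ~(1 << b)):
            red &= ~(1 << b)
    return red


def enlarge_to_mir(red, n, sufficient):
    # stand-in for `enlarge`: remove more constraints while the reduction stays insufficient
    for b in range(n):
        if not red >> b & 1 and not sufficient(red | 1 << b):
            red |= 1 << b
    return red


def find_minimum_msr(n, sufficient):
    """Algorithm 1 in outline: each s-seed is a sufficient reduction drawn from C_s."""
    sets = ReductionSets(n)
    M = shrink_to_msr((1 << n) - 1, sufficient)  # the full reduction is sufficient
    while True:
        N = sets.pick_s_candidate(size(M))
        if N is None:
            return M
        if sufficient(N):
            M = shrink_to_msr(N, sufficient)
        else:
            sets.add_insufficient(N)


def find_maximum_mir(n, sufficient):
    """Algorithm 4 in outline (findISeed): i-seeds are insufficient reductions from C_i."""
    sets = ReductionSets(n)
    M = enlarge_to_mir(0, n, sufficient)  # initial i-seed A_<empty,empty>, insufficient
    while True:
        N = sets.pick_i_candidate(size(M))
        if N is None:
            return M
        if sufficient(N):
            sets.add_sufficient(shrink_to_msr(N, sufficient))  # Proposition 2.8
        else:
            M = enlarge_to_mir(N, n, sufficient)


def toy_sufficient(red):
    # constructed monotone oracle standing in for the verifier: L_T becomes reachable
    # when constraint 0 is removed, or when constraints 1 and 2 are both removed
    return bool(red & 0b0001) or (red & 0b0110) == 0b0110
```

On the toy oracle the MSRs are {0} and {1, 2} and the MIRs are {1, 3} and {2, 3}, so the minimum MSR is the bitmask 0001 and a maximum MIR has two bits set.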

Relaxing Minimal Sufficient Reductions
In Section 3, we considered a timed automaton $A = (L, l_0, C, \Delta, Inv)$ and a set of its locations $L_T \subseteq L$, and we presented an efficient algorithm to find a sufficient reduction (see Definition 2.9), i.e., a set of simple clock constraints $D \subseteq \Psi(\Delta)$ (2.1) (over transitions) and $I \subseteq \Psi(Inv)$ (2.2) (over locations) such that $L_T$ is reachable when the constraints $D$ and $I$ are removed from $A$. In other words, $L_T$ is reachable on $A_{\langle D, I \rangle}$. Here, instead of completely removing $D \cup I$, our goal is to find a relaxation valuation $r : D \cup I \to \mathbb{N} \cup \{\infty\}$ such that $L_T$ is reachable on $A_{\langle D, I, r \rangle}$. In addition, we intend to minimize the total change in the timing constants, i.e., $\sum_{\varphi \in D \cup I} r(\varphi)$. We present two methods to find such a valuation. The first one solves an MILP using a witness path $\pi'_{L_T}$ of $A_{\langle D, I \rangle}$ that ends in $L_T$. The second one parametrizes each constraint from $D \cup I$ and solves a parameter synthesis problem on the resulting parametric timed automaton. While the second method considers all witness paths of $A_{\langle D, I \rangle}$ and hence is guaranteed to find the relaxation $r$ with minimal $\sum_{\varphi \in D \cup I} r(\varphi)$ for the considered MSR, the first method is computationally more efficient.

6.1. MILP Based Relaxation.

By the definition of a sufficient reduction, the set $L_T$ is reachable on $A_{\langle D, I \rangle}$. Consequently, when a verifier is used to check the reachability of $L_T$, it generates a finite witness run $\rho'_{L_T} = (l_0, \mathbf{0}) \xrightarrow{d_0} (l_1, v_1) \xrightarrow{d_1} \cdots \xrightarrow{d_{n-1}} (l_n, v_n)$ of $A_{\langle D, I \rangle}$ such that $l_n \in L_T$. Let $\pi'_{L_T} = l_0, e'_1, l_1, \ldots, e'_{n-1}, l_n$ be the corresponding path on $A_{\langle D, I \rangle}$, i.e., $\pi'_{L_T}$ is realizable on $A_{\langle D, I \rangle}$ due to the delay sequence $d_0, d_1, \ldots, d_{n-1}$ and the resulting run is $\rho'_{L_T}$. The corresponding path on the original TA $A$ is defined in (2.4):

$\pi'_{L_T} = M(\pi_{L_T})$, and $\pi_{L_T} = l_0, e_1, l_1, \ldots, e_{n-1}, l_n$. (6.1)

While $\pi'_{L_T}$ is realizable on $A_{\langle D, I \rangle}$, $\pi_{L_T}$ is not realizable on $A$ since $L_T$ is not reachable on $A$.
We present an MILP based method to find a relaxation valuation $r : D \cup I \to \mathbb{N} \cup \{\infty\}$ such that the path induced by $\pi_{L_T}$ is realizable on $A_{\langle D, I, r \rangle}$.
For a given automaton path $\pi = l_0, e_1, l_1, \ldots, e_{n-1}, l_n$ with $e_i = (l_{i-1}, \lambda_i, \phi_i, l_i)$ for each $i = 1, \ldots, n-1$, we introduce real valued delay variables $\delta_0, \ldots, \delta_{n-1}$ that represent the time spent in each location along the path except the last one ($l_n$). For a particular path, the value of a clock in a given constraint (invariant or guard) can be mapped to a sum of delay variables, as each clock measures the time passed since its last reset: the value of clock $x$ equals $\Gamma(x, \pi, i)$ on the $i$-th transition $e_i$ along $\pi$. In (6.2), $k$ is the index of the transition where $x$ is last reset before $e_i$ along $\pi$, and it is 0 if $x$ is not reset. $\Gamma(0, \pi, i)$ is defined as 0 for notational convenience. Next, we define an MILP (6.3) for the path $\pi$. Using the transformation (6.2), we map each clock constraint along the given path $\pi$ to constraints over the sequence of delay variables $\delta_0, \ldots, \delta_{n-1}$ as shown in (6.4), (6.5), (6.6). In addition, we introduce integer valued constraint relaxation variables $\{p_{l, \varphi} \mid (l, \varphi) \in I\}$ and $\{p_{e, \varphi} \mid (e, \varphi) \in D\}$ for each simple constraint from $D \cup I$. In particular, for each transition $e_i$, the simple constraints $\varphi = x - y \bowtie c \in S(\phi_i)$ of the guard $\phi_i$ of $e_i$ are mapped to constraints over the delay variables (6.4), where $p_{e_i, \varphi}$ is the integer valued relaxation variable if $(e_i, \varphi) \in D$, and otherwise it is set to 0. On the other hand, for each location $l_i$, the simple clock constraints $\varphi = x - y \bowtie c \in S(Inv(l_i))$ of the invariant $Inv(l_i)$ of $l_i$ are mapped to arriving (6.5) and leaving (6.6) constraints over the delay variables. In (6.5) and (6.6), $\mathbb{I}$ is a binary function mapping true to 1 and false to 0, and $p_{l_i, \varphi}$ is the integer valued relaxation variable if $(l_i, \varphi) \in I$, and otherwise it is set to 0 as in (6.4). Note that if the invariant is satisfied when arriving and when leaving, then, due to the convexity of the constraints, it is satisfied at every time when $A$ is at the corresponding location along $\pi$.
$\text{minimize} \quad \sum_{(l, \varphi) \in I} p_{l, \varphi} + \sum_{(e, \varphi) \in D} p_{e, \varphi} \quad \text{subject to}$ (6.3)

$\Gamma(x, \pi, i) - \Gamma(y, \pi, i) \bowtie c + p_{e_i, \varphi}$ (guard) for each $i = 1, \ldots, n-1$, and $\varphi = x - y \bowtie c \in S(\phi_i)$ (6.4)

$\Gamma(x, \pi, i) \cdot \mathbb{I}(x \notin \lambda_i) - \Gamma(y, \pi, i) \cdot \mathbb{I}(y \notin \lambda_i) \bowtie c + p_{l_i, \varphi}$ (arriving, invariant) for each $i = 1, \ldots, n$, $\varphi = x - y \bowtie c \in S(Inv(l_i))$ (6.5)

$\Gamma(x, \pi, i+1) - \Gamma(y, \pi, i+1) \bowtie c + p_{l_i, \varphi}$ (leaving, invariant) for each $i = 0, \ldots, n-1$, $\varphi = x - y \bowtie c \in S(Inv(l_i))$ (6.6)

$p_{l, \varphi} \in \mathbb{Z}_+$ for each $(l, \varphi) \in I$ (6.7)

$p_{e, \varphi} \in \mathbb{Z}_+$ for each $(e, \varphi) \in D$ (6.8)

$\delta_i \ge 0$ for each $i = 0, \ldots, n-1$ (6.9)

Let $\{p^*_{l, \varphi} \mid (l, \varphi) \in I\}$, $\{p^*_{e, \varphi} \mid (e, \varphi) \in D\}$, and $\delta^*_0, \ldots, \delta^*_{n-1}$ denote the solution of MILP (6.3). Define a relaxation valuation $r$ with respect to the solution as

$r(l, \varphi) = p^*_{l, \varphi}$ for each $(l, \varphi) \in I$, $\quad r(e, \varphi) = p^*_{e, \varphi}$ for each $(e, \varphi) \in D$. (6.10)

Theorem 6.1. Let $A = (L, l_0, C, \Delta, Inv)$ be a timed automaton, $\pi = l_0, e_1, l_1, \ldots, e_n, l_n$ be a finite path of $A$, and $D \subseteq \Psi(\Delta)$, $I \subseteq \Psi(Inv)$ be guard and invariant constraint sets. If the MILP constructed from $A$, $\pi$, $D$ and $I$ as defined in (6.3) is feasible, then $l_n$ is reachable on $A_{\langle D, I, r \rangle}$ with $r$ as defined in (6.10).
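The transformation (6.2) through (6.6) carried out on a constructed two-transition path, as an added example rather than the paper's code. It takes $\Gamma(x, \pi, i) = \delta_k + \cdots + \delta_{i-1}$ as the text describes (6.2), indexes transitions $e_1, \ldots, e_n$ as in Theorem 6.1, assumes the sign convention that a relaxation $p$ is added to $c$ for upper bounds and subtracted for lower bounds, and replaces the MILP solver by a grid search over integer delays on this small sample.

```python
"""Rows of MILP (6.3) generated for one constructed path (added example, not the
paper's code). Clock values go through Gamma(x, pi, i) = delta_k + ... + delta_{i-1},
e_k being the last transition before e_i that resets x (k = 0 if none), as (6.2) is
described. Transitions are indexed e_1..e_n as in Theorem 6.1. Assumption of this
example: a relaxation p enlarges the constraint, so it is added to c for <, <= and
subtracted for >, >= (the page writes c + p uniformly)."""
from dataclasses import dataclass

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


@dataclass(frozen=True)
class Simple:  # simple constraint x - y op c; y == "0" means a single-clock constraint
    x: str
    y: str
    op: str
    c: int


@dataclass
class Transition:  # e_i = (l_{i-1}, lambda_i, phi_i, l_i); the locations come from Path
    resets: frozenset  # lambda_i
    guard: frozenset  # S(phi_i)


@dataclass
class Path:
    locations: list  # l_0 .. l_n
    transitions: list  # e_1 .. e_n
    invariants: dict  # location -> S(Inv(l))


@dataclass
class Row:  # sum_j coeffs[j] * delta_j  op  c + sign * p_relax
    coeffs: dict
    op: str
    c: int
    relax: tuple  # key of the p variable, or None when the constraint is not in D or I
    sign: int


def gamma(x, path, i):
    """Indices of the delays whose sum is the value of clock x when e_i is taken."""
    if x == "0":
        return ()
    k = 0
    for j in range(1, i):  # e_1 .. e_{i-1}
        if x in path.transitions[j - 1].resets:
            k = j
    return tuple(range(k, i))


def make_row(plus, minus, cons, relax):
    coeffs = {}
    for j in plus:
        coeffs[j] = coeffs.get(j, 0) + 1
    for j in minus:
        coeffs[j] = coeffs.get(j, 0) - 1
    coeffs = {j: a for j, a in coeffs.items() if a}  # delays shared by x and y cancel
    return Row(coeffs, cons.op, cons.c, relax, 1 if cons.op in ("<", "<=") else -1)


def build_rows(path, D, I):
    """Rows (6.4)-(6.6). D holds (i, cons) for guards of e_i, I holds (l, cons)."""
    rows, n = [], len(path.transitions)
    for i in range(1, n + 1):  # (6.4) guards
        for cons in path.transitions[i - 1].guard:
            relax = (i, cons) if (i, cons) in D else None
            rows.append(make_row(gamma(cons.x, path, i), gamma(cons.y, path, i), cons, relax))
    for i, l in enumerate(path.locations):
        for cons in path.invariants.get(l, ()):
            relax = (l, cons) if (l, cons) in I else None
            if i >= 1:  # (6.5) arriving: a clock reset on e_i is 0 on arrival
                lam = path.transitions[i - 1].resets
                rows.append(make_row(() if cons.x in lam else gamma(cons.x, path, i),
                                     () if cons.y in lam else gamma(cons.y, path, i), cons, relax))
            if i <= n - 1:  # (6.6) leaving, i.e. the clock values when e_{i+1} is taken
                rows.append(make_row(gamma(cons.x, path, i + 1), gamma(cons.y, path, i + 1),
                                     cons, relax))
    return rows


def satisfies(rows, delta, r):
    """Check a delay sequence and a relaxation valuation r (dict keyed like Row.relax)."""
    if any(d < 0 for d in delta):  # (6.9)
        return False
    return all(OPS[rw.op](sum(a * delta[j] for j, a in rw.coeffs.items()),
                          rw.c + rw.sign * r.get(rw.relax, 0)) for rw in rows)


# constructed witness path l0 -e1-> l1 -e2-> l2: leaving l0 forces delta_0 <= 2 while the
# guard x - y >= 5 on e2 reduces to delta_0 >= 5 (y was reset on e1), so l2 is unreachable
X_GE_1, X_LE_2 = Simple("x", "0", ">=", 1), Simple("x", "0", "<=", 2)
Y_LE_4, X_LE_6 = Simple("y", "0", "<=", 4), Simple("x", "0", "<=", 6)
XY_GE_5 = Simple("x", "y", ">=", 5)
SAMPLE = Path(["l0", "l1", "l2"],
              [Transition(frozenset({"y"}), frozenset({X_GE_1})),
               Transition(frozenset(), frozenset({XY_GE_5, X_LE_6}))],
              {"l0": {X_LE_2}, "l1": {Y_LE_4}, "l2": {X_LE_6}})
D_SAMPLE = {(2, XY_GE_5)}  # the sufficient reduction: dropping this guard reaches l2
I_SAMPLE = set()


def minimal_relaxation(max_p=10, grid=7):
    """Smallest integer p for which some delay sequence satisfies all rows; a grid search
    over integer delays stands in for the MILP solver on this small sample."""
    rows = build_rows(SAMPLE, D_SAMPLE, I_SAMPLE)
    for p in range(max_p):
        for d0 in range(grid):
            for d1 in range(grid):
                if satisfies(rows, [d0, d1], {(2, XY_GE_5): p}):
                    return p, [d0, d1]
    return None
```

For the sample the guard row collapses to $\delta_0 \ge 5 - p_{e_2, \varphi}$, so the relaxation valuation $r(e_2, x - y \ge 5) = 3$ with $\delta^* = (2, 0)$ makes $l_2$ reachable.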
A linear programming (LP) based approach was used in [BBBR07] to generate the optimal delay sequence for a given path of a weighted timed automaton. In our case, the optimization problem is in MILP form since we find an integer valued relaxation valuation ($r$) in addition to the delay variables.
Recall that we construct the relaxation sets $D$ and $I$ via Algorithm 1, and define $\pi_{L_T}$ (6.1) reaching $L_T$ such that the corresponding path $\pi'_{L_T}$ is realizable on $A_{\langle D, I \rangle}$. Then, we define the MILP (6.3) with respect to $\pi_{L_T}$, $D$ and $I$, and define $r$ (6.10) according to the optimal solution. Note that this MILP is always feasible since $\pi'_{L_T}$ is realizable on $A_{\langle D, I \rangle}$. Finally, by Theorem 6.1, we conclude that $L_T$ is reachable on $A_{\langle D, I, r \rangle}$.

6.2. Parameter Synthesis Based Relaxation.

As our second approach, we parametrize each simple constraint in the considered MSR. In particular, for each $(v, \varphi = x - y \bowtie c) \in D \cup I$ ($v$ is either a transition $e$ or a location $l$), we introduce a positive valued parameter $p_{v, \varphi}$ and replace the corresponding constraint with $x - y \bowtie c + p_{v, \varphi}$. The resulting TA $A^{D \cup I}$ is parametric with parameter set $P = \{p_{(v, \varphi)} \mid (v, \varphi) \in D \cup I\}$. $A^{D \cup I}$ has $|D \cup I|$ parametric constraints and each parameter appears in a single constraint. Subsequently, we use a parameter synthesis tool that generates the set of all parameter valuations $\mathcal{P} \subseteq \mathbb{R}^{|P|}$ for $A^{D \cup I}$ such that the target set $L_T$ becomes reachable, i.e., for each $p \in \mathcal{P}$, $L_T$ is reachable on $A^{D \cup I}(p)$, where $A^{D \cup I}(p)$ is the non-parametric TA obtained from $A^{D \cup I}$ and $p$ by replacing each parameter $p_{v, \varphi}$ with the corresponding valuation $p(p_{v, \varphi})$. Then, we choose the integer valued parameter valuation $p^* : P \to \mathbb{N}$ that minimizes the total change, i.e., $p^* = \arg\min_{p \in \mathcal{P} \cap \mathbb{N}} \sum_{(v, \varphi) \in D \cup I} p(p_{v, \varphi})$. The parameter synthesis method ensures that $L_T$ is reachable on $A_{\langle D, I, r \rangle}$, where $r$ is defined from $p^*$ as in (6.10).

Comparison of the MSR Relaxation Methods.
The MILP based relaxation method minimizes the total change in the timing constants ($\sum_{\varphi \in D \cup I} r(\varphi)$) for a particular path $\pi_{L_T}$. Thus, the resulting relaxation valuation (6.10) is not necessarily minimal for the considered MSR $D \cup I$, whereas the parameter synthesis based relaxation method is guaranteed to find the minimal valuation (as it considers all paths of $A_{\langle D, I \rangle}$). However, it is computationally more expensive compared to the MILP approach due to the complexity of parameter synthesis for timed automata.
Let us note that both our approaches work with a fixed minimum MSR $A_{\langle D, I \rangle}$. However, observe that there might exist another minimum MSR $A_{\langle D', I' \rangle}$ with $|D' \cup I'| = |D \cup I|$ that would lead to a smaller overall change of the constraints (i.e., a smaller $\sum_{c \in D' \cup I'} r(c)$). While our approach can be applied to a number of minimum MSRs, processing all of them can be practically intractable.

Relaxing Minimal Guarantees
In Section 4, we presented a method to find a minimal guarantee $D \cup I$ (MG), i.e., a minimal subset of the constraints that need to be left in the system to ensure that a target (unsafe) location is still not reachable. In particular, $L_T$ is not reachable on $A' = A_{\langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$ (see Definition 2.11). In this section, we attempt to relax the timing constraints in the resulting TA $A'$, i.e., $D \cup I$, as much as possible while ensuring that $L_T$ is still unreachable. Thus, we analyze how robust the resulting TA is against constraint perturbations with respect to the safety specification. We consider two settings for relaxing the constraints from the MG. First, as in the MSR case, we find the maximal total relaxation of the remaining clock constraints such that $L_T$ is still unreachable. Second, we find a single relaxation value $\delta$ such that $L_T$ is still unreachable when each constraint is relaxed by $\delta$, which is referred to as the robustness degree in the literature [BMS13].
7.1. Maximizing the Total Change.

As described in Section 6.2, we parametrize each simple constraint from the considered constraint set, i.e., in this case the MG $D \cup I$ on $A' = A_{\langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$. Note that each constraint in the resulting TA, denoted by $A^{D \cup I}$, is parametric, and the parameter set is $P = \{p_{(v, \varphi)} \mid (v, \varphi) \in D \cup I\}$. Then, we use a parameter synthesis tool that generates the set of all parameter valuations $\mathcal{P} \subseteq \mathbb{R}_+^{|P|}$ for $A^{D \cup I}$ such that the set $L_T$ is still unreachable. Finally, we choose the integer valued parameter valuation $p^* : P \to \mathbb{N}$ that maximizes the total change, i.e., $p^* = \arg\max_{p \in \mathcal{P} \cap \mathbb{N}} \sum_{(v, \varphi) \in D \cup I} p(p_{v, \varphi})$. Note that the maximal total change is finite since $p(p_{v, \varphi})$ is finite for each valuation $p \in \mathcal{P}$ and constraint $(v, \varphi) \in D \cup I$ due to the minimality of the MG. The integer valued parameter valuation identifies the maximal total change in the constraint thresholds that can be applied to the TA $A_{\langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$ without violating the safety specification. In particular, for any relaxation valuation $r$ over $D \cup I$ with $\sum_{(v, \varphi) \in D \cup I} r(v, \varphi) > \sum_{(v, \varphi) \in D \cup I} p^*(p_{v, \varphi})$, the automaton $A'_{\langle D, I, r \rangle}$ violates the safety specification.

7.2. Finding the Robustness Degree.

A timed automaton $A = (L, l_0, C, \Delta, Inv)$ is said to $\delta$-robustly satisfy a linear-time property, such as a safety property, if the TA $A_{\langle \Psi(\Delta), \Psi(Inv), r_\delta \rangle}$ obtained by relaxing each simple constraint of $A$ by $\delta$ satisfies the property [BMS13, WDMR08], where $r_\delta(v, \varphi) = \delta$ for each $(v, \varphi) \in \Psi(\Delta) \cup \Psi(Inv)$.
A robustness value $\delta$ can be found via parametric analysis [BMS13, AS11]. Here, our goal is to find the maximal robustness value $\delta^*$ for the timed automaton $A'$ such that $L_T$ is not reachable on $A'_{\langle D, I, r_{\delta^*} \rangle}$ (recall that $A' = A_{\langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$). Let $\mathcal{P}$ be the parameter valuation set defined as in Section 7.1. Then, $L_T$ is not reachable on $A'_{\langle D, I, r_\delta \rangle}$ for each $\delta \in \mathcal{D}$ ($A'$ $\delta$-robustly satisfies the safety specification), where

$\mathcal{D} = \{\delta \mid p \in \mathcal{P} \text{ and } p(p_{v, \varphi}) \ge \delta \text{ for each } (v, \varphi) \in D \cup I\}$.

Alternatively, one can use the same parameter $p$ for each simple constraint of $A'$ to obtain a parametric TA $A'^{D \cup I}$ from $A'$ by replacing each simple constraint $(v, x - y \bowtie c) \in D \cup I$ with $(v, x - y \bowtie c + p)$. The resulting TA $A'^{D \cup I}$ has a single parameter $p$ and $|D \cup I|$ parametric constraints. Then, a parameter synthesis tool generates the set of all parameter valuations for $A'^{D \cup I}$ such that the set $L_T$ is still unreachable. Note that the set obtained in the second case is equal to $\mathcal{D}$.
In the literature, robustness analysis is studied considering imperfect implementations of $A$, e.g., timing or measuring errors, thus real valued robustness is used. In this work, we analyze the properties of the timed automaton model itself, i.e., the constraints and the constraint thresholds. Hence, we focus on integer valued relaxations of the TA. For this reason, we define the optimal relaxation value as $\delta^* = \max\, \mathcal{D} \cap \mathbb{N}$.

Related Work
8.1. Timed Automata.

In the literature, uncertainties about timing constants are handled by representing such constants as parameters in a parametric timed automaton (PTA), i.e., a TA where clock constants can be represented with parameters. Subsequently, a parameter synthesis method, such as [AFKS12, LRST09, BBČB18], is used to find suitable values of the parameters for which the resultant TA satisfies the specification. However, most of the parameter synthesis problems are undecidable [And19b]. While symbolic algorithms without termination guarantees exist for some subclasses [AS11, BBBČ16, JLR15, AKL+19], these algorithms are computationally very expensive compared to model checking (see [And19a]). Furthermore, it is not straightforward to integrate the minimization of the number of modified constraints into a parameter synthesis method for reachability properties in an efficient way. For example, the Imitator tool [AFKS12] generates all parameter valuations such that the reachability or the safety property holds when the synthesis algorithm terminates. One approach would be to parametrize each simple constraint of the TA, and then find the valuation minimizing the number of non-zero parameters returned by the tool for the reachability problem. However, due to the dependence of the computation time on the number of parameters, this approach would be impractical. Similarly, for the safety problem, each constraint can be parametrized and further analysis can be performed on the result returned by the synthesis tool in order to find the minimal set of constraints that need to be left in the TA to ensure safety. While assigning 0 to a parameter that bounds a clock from below (i.e. $p \le x$) or infinity to a parameter that bounds a clock from above (i.e. $x < p$) is equivalent to removing these constraints, it is not straightforward to deduce the constraint removal decision for constraints that involve multiple clocks (i.e. $x - y \le p$). Moreover, as mentioned for reachability, it would be impractical to solve the parameter synthesis problem when each constraint is parametrized.
Repair of a TA has been studied in recent works [KLW19, EYG21, AAGR19], where, similar to the reachability problem considered in this paper, the goal is to modify a given timed automaton such that the repaired TA satisfies the specification. In [AAGR19], it is assumed that some of the clock constraints are incorrect and the goal is to make the TA compliant with an oracle that decides if a trace of the TA belongs to a system or not. To repair the TA, the authors of [AAGR19] parametrize the initial TA and generate parameters by analyzing traces of the TA. They minimize the total change of the timing constraints, while we primarily minimize the number of changed constraints and then the total change. Furthermore, their approach cannot handle reachability properties. In [KLW19, EYG21], the goal is to repair the TA to avoid undesired behaviors, e.g., traces violating universal properties such as safety. In particular, in [KLW19], a single violating trace is analyzed by running an SMT solver on a linear arithmetic encoding of the trace. The generated repair suggestions include introducing clock resets and changing the clock constraints (both constraint bounds and constraint operators). As these operations can significantly change the set of traces of the automaton, they check the equivalence of the original and the repaired models after applying the suggested repair. In [EYG21], new clocks and constraints over these new clocks are introduced to restrict the behavior of the automaton and eliminate the violating traces. Neither of these approaches can handle reachability properties. For safety properties, we consider a timed automaton satisfying the property, identify the constraints of the automaton that are effective in the satisfaction of the property and further analyze these constraints. On the other hand, both [KLW19] and [EYG21] aim at repairing a TA that violates the given property.
The robustness of timed automata is studied considering non-ideal implementations of the model, i.e., imprecise clocks, measuring errors, etc. [BMS13, WDMR08]. A timed automaton is said to be robust against clock perturbations and drifts for safety specifications when a TA obtained by allowing the clocks to drift within the given limits and relaxing each constraint by a certain amount satisfies the specification. A complementary approach to robustness analysis is called shrinkability [SBM11, San13]: tighten (shrink) all of the constraints by a positive amount while guaranteeing that the resulting automaton is nonblocking and/or time-abstract simulates the original one (thus preserving the safety and reachability properties). Consequently, the shrunk automaton is robust against constraint perturbations. Region automata construction and difference bound matrices are used for the computation of the robustness degree in [BMS13, WDMR08, SBM11, San13]. A parameter synthesis method is also utilized to find the robustness in [AFKS12]. In this work, a similar constraint relaxation approach is used for reachability and safety specifications. To satisfy reachability specifications, we relax the constraints from minimal sufficient reductions. For safety specifications, we first identify a set of constraints that are active in satisfying the safety specification (minimal guarantee, MG), and then perform robustness analysis only over these constraints. In order to relax the identified constraints, we present an MILP based approach and also employ parameter synthesis by parametrizing constraints from the identified sets.

8.2. Minimal Sets over a Monotone Predicate.

Although the concepts of minimal sufficient reductions (MSRs) and minimal guarantees (MGs) are novel in the context of timed automata, similar concepts appear in other areas of computer science. For example, see minimal unsatisfiable subsets [dlBSW03], minimal correction subsets [MHJ+13], minimal inconsistent subsets [BBB+16, Ben17], or minimal inductive validity cores [GWG17]. All these concepts can be generalized as minimal sets over monotone predicates (MSMPs) [MJB13, MJM17]. The input is a reference set $R$ and a monotone predicate $\mathsf{P} : \mathcal{P}(R) \to \{1, 0\}$, and the goal is to find minimal subsets of $R$ that satisf the predicate. In the case of MSRs, the reference set is the set of all simple constraints $\Psi(\Delta) \cup \Psi(Inv)$ and, for every $D \cup I \subseteq \Psi(\Delta) \cup \Psi(Inv)$, the predicate is defined as $\mathsf{P}(D \cup I) = 1$ iff $A_{\langle D, I \rangle}$ is sufficient. Similarly, in the case of MGs, the reference set is the set of all simple constraints $\Psi(\Delta) \cup \Psi(Inv)$ and, for every $D \cup I \subseteq \Psi(\Delta) \cup \Psi(Inv)$, the predicate is defined as $\mathsf{P}(D \cup I) = 1$ iff $A_{\langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$ is insufficient.
Many algorithms for finding MSMPs have been proposed (e.g., [IPLM15, LML+09, LPMM16, BK16, BBČB16, BČB18, BČ20a, MHJ+13, BČ20b, IMMV16, GWG17, BGWČ18]), including several algorithms (e.g. [IPLM15, LML+09, IJM16]) for extracting minimum MSMPs. Most of the existing algorithms are domain-specific, i.e., tailored to a particular instance of MSMP and extensively exploiting specific properties of the instances (as we exploit reduction cores in the case of MSRs). Hence, the domain-specific solutions cannot be directly used for finding MSRs and/or MGs. Several domain-agnostic MSMP identification algorithms (e.g. [BS05, SKFP12, LPMM16]) have also been proposed, i.e., algorithms that can be used for any type of MSMP. Due to their universality, domain-agnostic approaches are usually not as efficient as the domain-specific solutions. However, it is often the case that a domain-agnostic algorithm serves as a basis while building a domain-specific solution [BČ18, Ben21]. Some techniques we presented in this paper, mainly the symbolic representation (Section 5) and the shrinking and growing procedures, are specializations of existing domain-agnostic solutions (see [LPMM16, Ben21]).

Experimental Evaluation
We implemented the proposed reduction, guarantee and relaxation methods in a tool called Tamus. We use UPPAAL [BDL+06] for sufficiency checks and witness computation, Imitator [AFKS12] for parameter synthesis for PTA, and the CBC solver from the Or-tools library [PF] for the MILP part. All experiments were run on a laptop with an Intel i5 quad core processor at 2.5 GHz and 8 GB RAM using a time limit of 20 minutes per benchmark. The tool and the used benchmarks are available at https://github.com/jar-ben/tamus.
As discussed in Section 8, an alternative approach to solve the MSR problem (Problem 2.15) is to parameterize each simple clock constraint of the TA. Then, we can run a parameter synthesis tool on the parameterized TA to identify the set of all possible valuations of the parameters for which the TA satisfies the reachability property. Subsequently, we can choose the valuations that assign non-zero values (i.e., relax) to the minimum number of parameters, and out of these, we can choose the one with the minimum cumulative change of timing constants. In our experimental evaluation, we use the state-of-the-art parameter synthesis tool Imitator [AFKS12] to run such an analysis. Although Imitator is not tailored to our problem, it allows us to measure the relative scalability of our approach compared to a well-established synthesis technique. In addition, we employ Imitator to solve the parameter synthesis problems for finding the optimal relaxation for a given MSR (Section 6.2), to find the maximal total change for a given MG (Section 7.1) and to find the robustness degree for the MG (Section 7.2).
We used two collections of benchmarks to evaluate the proposed methods: one is obtained from the literature, and the other consists of crafted timed automata modeling a machine scheduling problem. In the following, we introduce these benchmarks and present the results of the experiments for reductions and guarantees.

9.1. Experimental Results on Machine Scheduling Automata.

A scheduler automaton is composed of a set of paths starting in location $l_0$ and ending in location $l_1$. Each path $\pi = l_0\, e_k\, l_k\, e_{k+1} \ldots l_{k+M-1}\, e_{k+M}\, l_1$ represents a particular scheduling scenario where an intermediate location, e.g. $l_i$ for $i = k, \ldots, k+M-1$, belongs to a unique path (only one incoming and one outgoing transition). Thus, a TA that has $p$ paths with $M$ intermediate locations in each path has $M \cdot p + 2$ locations and $(M+1) \cdot p$ transitions. Each intermediate location represents a machine operation, and periodic simple clock constraints are introduced to mimic the limitations on the corresponding durations. For example, assume that the total time to use the machines represented by locations $l_{k+i}$ and $l_{k+i+1}$ is upper (or lower) bounded by $c$ for $i = 0, 2, \ldots, M-2$. To capture such a constraint with a period of $t = 2$, a new clock $x$ is introduced and it is reset and checked on every $t$-th transition along the path, i.e., for every $m \in \{i \cdot t + k \mid i \cdot t \le M-1\}$, let $e_m = (l_m, \lambda_m, \phi_m, l_{m+1})$, add $x$ to $\lambda_m$, and set $\phi_m := \phi_m \wedge x \le c$ ($x \ge c$ for a lower bound). A periodic constraint is denoted by $(t, c, \bowtie)$, where $t$ is its period, $c$ is the timing constant, and $\bowtie \in \{<, \le, >, \ge\}$. A set of such constraints is defined for each path to capture possible restrictions. In addition, a bound $T$ on the total execution time is captured with the constraint $x \le T$ on transition $e_{k+M}$ over a clock $x$ that is not reset on any transition. A realizable path to $l_1$ represents a feasible scheduling scenario. We have generated 24 test cases. A test case $A_{(c,p,M)}$ represents a timed automaton with $c \in \{3, 5, 7\}$ clocks, and $p \in \{1, 2\}$ paths with $M \in \{12, 18, 24, 30\}$ intermediate locations in each path. $R_{c,i}$ is the set of periodic restrictions defined for the $i$-th path of an automaton with $c$ clocks:

$R_{3,1} = \{(2, 11, \ge), (3, 15, \le)\}$, $\quad R_{3,2} = \{(4, 17, \ge), (5, 20, \le)\}$

$R_{5,1} = R_{3,1} \cup \{(4, 21, \ge), (5, 25, \le)\}$, $\quad R_{5,2} = R_{3,2} \cup \{(8, 33, \ge), (9, 36, \le)\}$

$R_{7,1} = R_{5,1} \cup \{(6, 31, \ge), (7, 35, \le)\}$, $\quad R_{7,2} = R_{5,2} \cup \{(12, 49, \ge), (12, 52, \le)\}$

Note that $A_{(c,2,M)}$ emerges from $A_{(c,1,M)}$ by adding a path with restrictions $R_{c,2}$.

MSR analysis. A path to $l_1$ describes a scheduling scenario for a scheduler automaton ($A_{(c,p,M)}$). However, location $l_1$ is unreachable for each of the introduced automata. Thus, our goal is to find a realizable path to $l_1$ by performing a minimum amount of change. In order to achieve this, we define the target set as $L_T = \{l_1\}$ and run the developed MSR methods. The results obtained on the scheduler automata are summarized in Table 1. Tamus solved all models and the longest computation time was 16.75 seconds. As expected, the computation time $t_R$ depends on the number $|\Psi|$ of simple clock constraints in the model. When each simple constraint is parametrized, Imitator solved $A_{(3,1,12)}$, $A_{(3,2,12)}$, $A_{(3,1,18)}$, and $A_{(5,1,12)}$ within 0.09, 0.5, 62, and 71 seconds, respectively, and timed out for the other models. In addition, we ran Imitator with the flag "witness" that terminates the computation when a satisfying valuation is found. The use of this flag reduced the computation time for the aforementioned cases, and it allowed two more models to be solved: $A_{(3,2,18)}$ and $A_{(5,2,12)}$. However, using this flag, Imitator often did not provide a solution that minimizes the number of relaxed simple clock constraints.

MG analysis. We also ran the developed methods to find MGs, the corresponding maximal total changes and robustness values over the scheduler automata models with $L_T = \{l_1\}$. The results are reported in Table 1. Tamus was also able to generate MG results for all models, and $A_{(5,2,24)}$ took the longest with 40.46 seconds. In the MG case, when any of the $|\Psi| - d_G + 1$ simple constraints are removed from the original scheduler automata $A_{(c,p,M)}$, $L_T$ becomes reachable. In addition, we ran Imitator to find the maximal total change (Section 7.1) and the robustness degree (Section 7.2) for the identified MG $D \cup I$. Specifically, we first ran Tamus on the TA $A_{(c,p,M)}$ and then removed every constraint that is not in $D \cup I$ (i.e., obtained $A_{(c,p,M), \langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$) and parameterized every constraint that is in $D \cup I$. A different parameter is used for every constraint to find the maximal total change, and the same parameter is used for every constraint to find the robustness degree. Since $d_G$ is much smaller than $|\Psi|$, Imitator generated the results for every model within 0.2 seconds for both parameter synthesis approaches. Both integer valued and real valued results for the parameters are reported in Table 1. Location $l_1$ becomes reachable when each simple constraint in $A_{(c,p,M), \langle \Psi(\Delta) \setminus D, \Psi(Inv) \setminus I \rangle}$ is relaxed by $\delta^* + 1$.

9.2. Experimental Results on Benchmarks from Literature.

We collected 10 example models from the literature that include models with a safety specification that requires avoiding a set of locations $L_T$, and models with a reachability specification with a set of target locations $L_T$. In both cases, the original models satisfy the given specification. Eight of the examples are networks of TAs, and while a network of TAs can be represented as a single product TA and hence our methods can handle it, Tamus currently supports only

Conclusion

We proposed the novel concept of a minimum MSR for a TA, i.e., a minimal set of simple clock constraints that need to be relaxed to satisfy a given specification. Moreover, we developed efficient techniques to find a minimum MSR, and presented MILP and parameter synthesis methods for further tuning the constraints in the MSR. We also introduced the concept of a maximum MIR, i.e., a maximal set of simple clock constraints that can be removed from the TA without violating the specification. Dually, one can represent an MIR via its complementary MG, i.e., a minimal set of simple clock constraints that need to be left in the TA to ensure that the specification is not violated. Moreover, we proposed parameter synthesis based approaches that can further relax the constraints in the MG while still keeping the specification satisfied.

Our empirical analysis showed that our tool, Tamus, can generate minimum MSRs and minimum MGs within seconds even for large systems. For the task of MSR relaxation, we have shown that the MILP method is faster than the parameter synthesis approach (MSR + Imitator). However, the MILP approach minimizes the cumulative change of the constraints from a minimum MSR by considering a single witness path. If the goal is to find a minimal relaxation globally, i.e., w.r.t. all witness paths for the MSR, we recommend using the combined version of MSR and Imitator, i.e., first run Tamus to find a minimum MSR, parametrize each constraint from the MSR and run Imitator to find all satisfying parameter valuations, including the global optimum.

Figure 2. An illustration of the set of all TA reductions from Example 2.14. We denote individual reductions of $A$ using a bit-vector representation; for instance, 1101 represents the reduction $A_{\langle D, I \rangle}$ where $D \cup I = \{c_1, c_2, c_4\}$. The reductions with a red dashed border are the insufficient reductions, and the reductions with a solid green border are sufficient reductions. The MSRs and MIRs are filled with a background color.

Figure 3. The situation before the first call of findSSeed.

Table 1. Results for the scheduler TA, where $|\Psi| = |\Psi(\Delta) \cup \Psi(Inv)|$ is the total number of constraints, $d_R$ / $d_G = |D \cup I|$ is the minimum MSR/MG size, $v_R$ / $v_G$ is the number of reachability checks during minimum MSR/MG computation, $t_R$ / $t_G$ is the computation time in seconds for minimum MSR/MG computation (including the reachability checks), $c_R$ is the optimal cost of (6.3), $c_G$ is the maximal total change $\sum_{(v, \varphi) \in D \cup I} p^*(p_{v, \varphi})$ for the MG, $\delta^*_R$ is the real valued maximal robustness value, and $\delta^*$ is the integer valued optimal relaxation value. $t^{IT}_G$ and $t^{ITS}_G$ are the Imitator computation times for maximizing the total change and finding the robustness degree, respectively.