Timed-Automata-Based Verification of MITL over Signals

It has been argued that the most suitable semantic model for real-time formalisms is the non-negative real line (signals), i.e. the continuous semantics, which naturally captures the continuous evolution of system states. Existing tools like Uppaal are, however, based on ω-sequences with timestamps (timed words), i.e. the pointwise semantics. Furthermore, the support for logic formalisms is very limited in these tools. In this article, we amend these issues by a compositional translation from Metric Interval Temporal Logic (MITL) to signal automata. Combined with an emptiness-preserving encoding of signal automata into timed automata, we obtain a practical automata-based approach to MITL model-checking over signals. We implement the translation in our tool MightyL and report on case studies using LTSmin as the back-end.


Introduction
Many computer programs nowadays control critical applications, and need to enforce complex requirements in order to guarantee safe, dependable and efficient operation of the whole system. Among these requirements, real-time specifications (such as 'every request is eventually followed by an acknowledgement within 3 time units') are common. In this framework, computers interact with an environment that is intrinsically continuous, and ensuring complex real-time constraints is known to be a very difficult task. Different kinds of formalisms have been proposed over the past 30 years to specify those real-time models (often by means of automata) and requirements (usually by means of some logic language). On the automata side, the model of timed automata [2] is arguably widely accepted today, a success which is due in part to the tool support provided by Uppaal [35] and other verification tools such as Kronos [11], TiAMo [10], etc. As far as logics are concerned, several proposals have been made in the literature during the past 30 years (such as MTL [33], TPTL [6], TCTL [1], etc.) but the recent research seems to focus mainly on MTL, for theoretical reasons (we think here of the works of Ouaknine and Worrell on the decidability of MTL [38]); and on MITL [3] for more practical motivations [36,12,31,13,15,9]. Indeed, since its introduction in 1996, MITL has been advocated as a good 'trade-off between realistic modelling of time and feasible verification of timing properties' [3]. MITL is at the same time a real-time extension of LTL, the most widely accepted logic in the non-real-time case; and a restriction of MTL, whose expressive power makes it undecidable in most practical cases [5,38]. Unfortunately, tool support for MITL is still lacking today, albeit MITL's clear practical interest (and indeed, the need for such tool support is repeatedly emphasised in several papers [3,36,9]). Uppaal, the most prominent real-time model checker, supports only a restricted subset of TCTL; and the alternatives are either not publicly available, or too restricted, or too experimental (see the related work hereinafter for a more comprehensive picture). We believe this is due to the relative lack of maturity of automata-based support for MITL, at least when compared with LTL.
Another point of debate in the community is the choice of the semantics for real-time models. The two different options are known as the pointwise and continuous semantics. In the pointwise semantics, executions of the system are timed words, i.e. sequences of pairs (timestamp, system state). That is, the system's states can only be observed at selected timestamps (which are non-negative real values). In the continuous semantics, executions are signals, i.e. sequences of contiguous intervals during which the state of the system does not change and can be continuously observed. While the pointwise semantics is the most common today (probably due to the success of timed automata which have initially been defined in this framework), it has been argued [7,29] that the continuous semantics models time more faithfully, and it is indeed adopted in many works about control of hybrid systems [41], synthetic biology [8], etc. Apart from these practical considerations, the difference between these two semantics matters as it changes the expressive power of the logic. For example, the following formula (which requires p to hold exactly in [0, a] for some a ≥ 0) is satisfiable in the continuous semantics only: p ∧ F(¬p) ∧ G(¬p ⇒ G(¬p)) ∧ ¬(p U (¬p)).

Contribution.
In order to remedy the lack of comprehensive tool support for MITL in the pointwise semantics, we have recently introduced MightyL [14], an efficient tool that turns MITL formulae into a network of timed automata (expressed in the Uppaal language) accepting the same language. These timed automata can then be used to perform satisfiability or model-checking, using off-the-shelf model checkers such as Uppaal or LTSmin. The central point of the efficiency of our construction is its compositional feature: we output a network of timed automata (one per subformula) instead of a single, monolithic, one. In the present work, we extend this line of research to the realm of continuous semantics by revisiting the compositional translation of MITL into signal automata (i.e. automata akin to timed automata, but that accept signals instead of timed words).
More precisely, we introduce, in Section 3, a compositional translation that turns an MITL formula ϕ into a network of signal automata C init × χ C χ , one for each subformula χ in ϕ, plus an extra signal automaton C init (extending the ideas of our previous work [14] to the continuous setting). However, as is, this translation would not allow us to rely on the currently available tools for timed systems since most of them (and in particular, Uppaal) rely on the pointwise semantics. So, in Section 4, we present an emptiness-preserving and compositional transformation from signal automata to timed automata (see Theorem 11).

Concretely, given a signal automaton A modelling a system, and a property ϕ to be checked on A, we can perform model-checking by: (i) building the network of signal automata C init × χ C χ from ¬ϕ using the procedure of Section 3; (ii) translating, using the techniques of Section 4, A, C init and all C χ into corresponding timed automata B A , B init and B χ (for all subformulae χ) respectively; and (iii) checking (using a model-checker for timed automata) whether the language B A × B init × χ B χ is empty. If this is the case, then our translation ensures that the language of A × C init × χ C χ is empty, which in turn holds if and only if A |= ϕ, by construction. We have implemented this approach as an extension of MightyL and report on experiments in Section 5. The preliminary results are very encouraging, as our approach compares well with or outperforms previous approaches from the literature.

Related work.
The most similar work to ours is [32] where the authors propose a compositional translation from MITL with past operators [4] to signal automata. The translation works by rewriting the input formula into one with only past operators using projections [21]. Each past subformula can then be handled by a simple component, and the resulting automaton is obtained by synchronising the components via newly introduced propositions. An advantage of this approach is that it directly supports past operators. Unfortunately, the rewriting step does not work for unbounded future operators; this severely limits the applicability of the translation (for example, the liveness property GFp cannot be expressed in the bounded-future fragment). Also, as far as we know, it has never been implemented. By contrast, while our translation deals only with future MITL, one may use projections to remove past operators from the input formula.
Compositional translations that support unbounded future operators also exist in the literature [36,37,20]. One difference of these with our translation is that they are formulated in terms of non-standard models such as timed signal transducers or hierarchical timed automata. This deviation from the more common models, we believe, has contributed to the lack of implementation of these translations. Another difference is that the components constructed by these approaches are testers whereas those constructed by ours are positive testers [40,16,23]; that is, suppose we introduce a new proposition p χ for the subformula χ = ϕ 1 U ϕ 2 , a tester enforces p χ ⇔ ϕ 1 U ϕ 2 to hold at all times while a positive tester only enforces the weaker formula p χ ⇒ ϕ 1 U ϕ 2 to hold at all times. This may affect the performance of verification algorithms [43]. Moreover, the weaker condition allows us to impose some minimality criteria on transitions for further performance gains (see Section 5).
The original translation from MITL to signal automata in [3] is a monolithic tableau-based procedure which follows roughly the same lines as the tableau-based translation from LTL to Büchi automata [27]: the locations of the resulting automaton are labelled by sets of subformulae, and the transitions between them are obtained by 'expanding' the labels. Like our translation, it also enforces minimality when generating transitions. However, the procedure is much more involved than the LTL counterpart and seems difficult to realise in practice. A simplified tableau-based translation is given in [26,25] where an implementation (the only implementation of an MITL-to-signal-automata translation we are aware of) is also reported. Nevertheless, the translation only works for the upper-bound fragment of MITL, and the tool is not publicly available.
Besides automata-based approaches, there are also proposals to apply SMT (Satisfiability Modulo Theories) solvers [18] to satisfiability/model-checking for MITL over signals [31,9]. The SMT approach is straightforward to implement and there are publicly available tools.

Metric Interval Temporal Logic (MITL).
We consider the satisfiability and model-checking problems for Metric Interval Temporal Logic (MITL), a real-time extension of Linear Temporal Logic (LTL), allowing temporal operators to be labelled with non-singular intervals. Formally, MITL formulae over AP are generated by the grammar: where p ∈ AP and I is a non-singular interval with endpoints in N ≥0 ∪ {∞} (I is assumed to be (0, ∞) when omitted).
In this work, we focus on the continuous semantics for MITL, in which formulae are interpreted over signals. Given a signal γ over 2 AP , t ∈ R ≥0 , and an MITL formula ϕ, the satisfaction relation γ, t |= ϕ is defined as follows (following [3], we adopt the strict-future semantics for the temporal operators): We write S(ϕ) for the set of all signals γ such that γ |= ϕ.
We will use standard syntactic sugar, e.g. the 'eventually' operator F I ϕ ≡ U I ϕ, the 'globally' operator G I ϕ ≡ ¬F I ¬ϕ, and the 'release' operator ϕ 1 R I ϕ 2 ≡ ¬((¬ϕ 1 ) U I (¬ϕ 2 )). Hence, the semantics of the release operator can be defined as follows: In particular, we can make use of these operators to transform every formula ϕ into its negative normal form where the negations are pushed inwards so that they range on atomic propositions only.
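As an added example (not code from the paper or from MightyL), the following evaluator implements the strict-future semantics above for finite piecewise-constant signals: it computes, for each subformula, the set of times at which it holds, and it checks the introduction's formula that is satisfiable only in the continuous semantics on two constructed signals (p on the closed block [0, 2] versus the half-open block [0, 2)). It assumes that a signal is a list of constant segments covering [0, ∞) and that every bound I has a non-negative lower endpoint; the tuple encoding of formulae and the sample signals are ours.

```python
# Added example (not the paper's or MightyL's code): an evaluator for MITL over
# piecewise-constant signals with the strict-future semantics the paper adopts
# from [3]: phi1 U_I phi2 holds at t iff some t' > t with t' - t in I satisfies
# phi2 and phi1 holds throughout the open interval (t, t'). A signal is a list of
# (state, interval) segments covering [0, oo); an interval is the tuple
# (lo, lo_closed, hi, hi_closed). Sets of times are lists of such intervals.
import math

INF = math.inf
UNBOUNDED = (0.0, False, INF, False)     # the default bound I = (0, oo)
DOMAIN = [(0.0, True, INF, False)]       # the time domain [0, oo)

def empty(iv):
    lo, lc, hi, hc = iv
    return lo > hi or (lo == hi and not (lc and hc))

def meet(a, b):
    """Intersection of two intervals (possibly empty)."""
    lo = max(a[0], b[0])
    lc = a[1] if a[0] > b[0] else b[1] if b[0] > a[0] else (a[1] and b[1])
    hi = min(a[2], b[2])
    hc = a[3] if a[2] < b[2] else b[3] if b[2] < a[2] else (a[3] and b[3])
    return (lo, lc, hi, hc)

def normalize(ivs):
    """Sorted, disjoint, maximal intervals: overlapping or touching ones merge."""
    out = []
    for iv in sorted((i for i in ivs if not empty(i)), key=lambda i: (i[0], not i[1])):
        if out and (iv[0] < out[-1][2] or (iv[0] == out[-1][2] and (out[-1][3] or iv[1]))):
            lo, lc, hi, hc = out[-1]
            if iv[2] > hi or (iv[2] == hi and iv[3]):
                hi, hc = iv[2], iv[3]
            out[-1] = (lo, lc, hi, hc)
        else:
            out.append(iv)
    return out

def complement(ivs):
    """Complement relative to the time domain [0, oo)."""
    out, lo, lc = [], 0.0, True
    for a, ac, b, bc in normalize(ivs):
        out.append((lo, lc, a, not ac))
        lo, lc = b, not bc
    return normalize(out + [(lo, lc, INF, False)])

def intersect(xs, ys):
    return normalize([meet(x, y) for x in xs for y in ys])

def shift_back(k, d):
    """{t' - delta : t' in k, delta in d}: the times from which k is reached within d."""
    lo = -INF if d[2] == INF else k[0] - d[2]
    hi = INF if k[2] == INF else k[2] - d[0]
    return (lo, k[1] and d[3], hi, k[3] and d[1])

def until(xs, ys, bound):
    """Strict-future phi1 U_I phi2 given xs = [[phi1]], ys = [[phi2]] and I = bound."""
    delay = meet(bound, UNBOUNDED)           # t' > t, so a zero delay never counts
    out = []
    for a, _, b, _ in xs:                    # (t, t') must lie inside one phi1 block
        for y in ys:
            k = meet(y, (-INF, False, b, True))   # witnesses t' that keep (t, t') inside
            if not empty(k):
                out.append(meet(shift_back(k, delay), (a, True, b, False)))
    return intersect(out, DOMAIN)

def holds(f, signal):
    """All times in [0, oo) at which formula f holds on the signal."""
    op = f[0]
    if op == 'p':
        return normalize([iv for state, iv in signal if f[1] in state])
    if op == 'not':
        return complement(holds(f[1], signal))
    if op == 'and':
        return intersect(holds(f[1], signal), holds(f[2], signal))
    if op == 'or':
        return normalize(holds(f[1], signal) + holds(f[2], signal))
    if op == 'impl':
        return holds(('or', ('not', f[1]), f[2]), signal)
    if op == 'U':
        return until(holds(f[1], signal), holds(f[2], signal), f[3])
    if op == 'F':                            # F_I phi == true U_I phi
        return until(DOMAIN, holds(f[1], signal), f[2])
    if op == 'G':                            # G_I phi == not F_I not phi
        return complement(holds(('F', ('not', f[1]), f[2]), signal))
    raise ValueError("unknown operator %r" % op)

def satisfies(signal, f):
    """gamma |= phi, i.e. phi holds at time 0."""
    return any(iv[0] == 0 and iv[1] for iv in holds(f, signal))

# The introduction's formula p ∧ F(¬p) ∧ G(¬p ⇒ G(¬p)) ∧ ¬(p U (¬p)), which
# forces p to hold exactly on a closed block [0, a].
P, NP = ('p', 'p'), ('not', ('p', 'p'))
ONLY_CONTINUOUS = ('and', ('and', P, ('F', NP, UNBOUNDED)),
                   ('and', ('G', ('impl', NP, ('G', NP, UNBOUNDED)), UNBOUNDED),
                           ('not', ('U', P, NP, UNBOUNDED))))
# Constructed signals: p on the closed block [0, 2] versus the half-open [0, 2).
CLOSED_BLOCK = [({'p'}, (0.0, True, 2.0, True)), (set(), (2.0, False, INF, False))]
HALF_OPEN_BLOCK = [({'p'}, (0.0, True, 2.0, False)), (set(), (2.0, True, INF, False))]
```

On the half-open signal, p U (¬p) holds on [0, 2) because the singular point [2, 2] where ¬p starts is a witness, so the conjunction fails at 0; on the closed block no such witness exists and the formula holds exactly on [0, 2].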
Signal automata. Our tool support for MITL will be based on automata. We first give a formal definition of signal automata, and we will also present classical timed automata afterwards. Like [3], we equip these automata with generalised Büchi acceptance conditions. From now on, a propositional constraint φ over AP is a set of states over AP, that we denote by means of a Boolean formula over AP. For example, assuming AP = {p, q, r}, the propositional constraint p ∧ ¬q denotes {{p, r}, {p}}. Let X be a finite set of clocks. The set G(X) of clock constraints g over X is generated by the grammar g We denote by 0 the valuation that maps every clock to 0. The satisfaction of a constraint g by a valuation v is defined in the usual way and denoted v |= g. For t ∈ R ≥0 , let v + t be the valuation defined by where L is a finite set of locations; L 0 ⊆ L is the set of initial locations; α is the location labelling function that assigns to each location ∈ L a propositional constraint α( ) ⊆ 2 AP ; X is a finite set of clocks; β is the location labelling function that assigns to each location ∈ L a clock constraint β( ) ∈ G(X); ∆ ⊆ L × 2 X × L is the set of transitions where each transition consists of the source location, the clocks to be reset with this transition, and the target location; F ⊆ 2 L is the family of sets of accepting locations. A run π of A on a signal γ over 2 AP is an infinite sequence of the following form: for all i ≥ 0: v i is a valuation of X; and that satisfies the following: Initialisation: 0 ∈ L 0 and v 0 = 0; and Consecution: For all i ≥ 0: there is an accepting run of A on γ. We write S(A) for the set of signals accepted by A.
For two SAs A 1 and A 2 , we denote by A 1 × A 2 their (asynchronous) product, defined in a manner similar to [3]: intuitively, in each location of this product, we can either fire only a transition of A 1 (provided that the guard in the current location of A 2 holds after the transition), or only a transition of A 2 , or one in A 1 and one in A 2 , provided that the guards on their (respective) target locations are satisfied afterwards. In particular, we have

We focus on the class of bipartite SA whose runs are bipartite by construction. An SA A = (L, L 0 , α, X, β, ∆, F) is bipartite if there exists a partition of L into L s , L o respecting the conditions given hereinafter. Intuitively, on reading a signal γ, A is in a location of L s (L o ) when it sees a singular (respectively open) interval of κ ∈ γ bp : , then there is a clock x ∈ X such that x ∈ λ and β( 2) has x = 0 as a conjunct. In the rest of the paper, we will assume that all SAs are bipartite. There is no loss of generality, thanks to the following proposition from [3] (see Appendix A for a proof): From now on, when depicting bipartite SA, we use rectangles and rounded rectangles for the locations from L s and L o respectively. Figure 1 shows an example of bipartite SA.

Satisfiability and model-checking problems.
In this work, we consider two classical problems: satisfiability and model-checking of MITL. The satisfiability problem asks, given an MITL formula ϕ, whether S(ϕ) ≠ ∅ (if it is the case, we say that ϕ is satisfiable). The model-checking problem asks, given an SA A and an MITL formula ϕ, whether S(A) ⊆ S(ϕ). If it is the case, we write A |= ϕ.

3 From MITL to signal automata
Our approach to MITL model-checking over signals is based upon a compositional translation from MITL to signal automata. The core idea is similar to the translation for the pointwise semantics reported in our previous work [14]: we keep track of the satisfiability of each temporal subformula (i.e. a subformula whose outermost operator is temporal) χ with an SA C χ . From now on, we fix a set AP of atomic propositions and a negative normal form MITL formula ϕ over AP. To simplify the exposition, we restrict ourselves to a fragment of MITL in which only untimed and upper-bound operators are allowed, i.e. each bounding interval I is either (0, ∞), (0, a), or (0, a] for some positive integer a. This fragment, however, is already expressively complete for the full MITL [28,37]. Moreover, we regard all temporal subformulae of ϕ as distinct formulae.
Triggers. Let Φ be the set of temporal subformulae of ϕ. We introduce a new atomic proposition p χ for each χ ∈ Φ and we let AP Φ = {p χ | χ ∈ Φ}. Each p χ is called a trigger (for χ). Intuitively, pulling the trigger p χ (i.e. setting p χ to true) at some point means that χ is required to hold at that point. On the other hand, p χ being false at some point does not mean that χ must not hold at that point: its satisfaction is simply not required there. The point of the triggers is to enable communication between the different component automata: when χ is a subformula of ψ, the component SA C ψ will pull the trigger p χ whenever the satisfaction of χ is needed to check the value of ψ. A key point of our construction is to avoid unnecessary pulling of triggers, in order to reduce the number of behaviours of the product automaton and mitigate the state explosion problem during the model checking phase. This is the point of the formulae ψ, * ψ, ∼ ψ and ψ that we introduce hereinafter. Concretely, the outcome of our construction for an MITL formula ϕ is a network of SA that accepts an AP Φ -decorated version of
S(ϕ). In other words, the signals accepted by our construction are over AP ∪ AP Φ and their projections on AP yield S(ϕ), as stated in Theorem 8 at the end of the section. For each (not necessarily temporal) subformula ψ of ϕ, we denote by P ψ the set of atomic propositions p χ ∈ AP Φ such that χ is a top-level temporal subformula of ψ, i.e. the outermost operator of χ is U I or R I , yet χ does not occur under the scope of another U I or R I in ψ. For instance, P pU I q∨rU I (sRt) = {p pU I q , p rU I (sRt) }. For a signal γ over 2 P (where P is a set of atomic propositions) and P ⊆ P , we denote by proj P (γ ) the projection of γ onto P, i.e. the signal obtained from γ by hiding all the atomic propositions p ∉ P. For a set of signals S over 2 P and P ⊆ P , we write proj P (S) = {proj P (γ ) | γ ∈ S}. Conversely, we say a signal γ over 2 P extends a signal γ over 2 P (P ⊆ P ) if proj P (γ ) = γ.
Formulae over AP ∪ AP Φ . We define some syntactic operations on Boolean combinations over AP ∪ AP Φ that will be used in the components described later. Specifically, for a subformula ψ of ϕ, we define formulae ψ (introducing the trigger variables), * ψ (ensuring that we do not pull any trigger of ψ), ∼ ψ (checking that ψ does not hold, while none of its triggers are pulled), and ψ (checking ψ while triggering a minimal set of triggers).
The formula ψ is obtained from ψ by replacing all top-level temporal subformulae with their corresponding triggers. Formally, ψ is defined inductively as follows (where p ∈ AP): The formula * ψ, read as "do not pull the triggers of ψ", is used to ensure that our components only follow the 'minimal models' of ψ. It is defined as the conjunction of the negations of all p χ ∈ P ψ (if The formula ∼ ψ asserts that ψ is false and none of its triggers are pulled: ∼ ψ = ¬ψ ∧ * ψ. Finally, the formula ψ is defined as mm(ψ) where mm(φ) is defined inductively as follows: First of all, we notice that formulae ψ and ψ are equivalent, once we have projected away the propositions that are not in AP, in the following sense: Proposition 3. For a subformula ψ of ϕ, if σ |= ψ for some state σ over AP ∪ P ψ , there is a state σ over AP ∪ P ψ such that σ |= ψ and proj AP (σ) = proj AP (σ ) (and vice versa).

Minimality of triggers.
The real impact of ψ with respect to ψ is to ensure the minimality of triggers pulled during an execution. Indeed, we now show that if ϕ is satisfied by a signal γ (over 2 AP ), then there must be a way to extend γ into a signal γ over 2 AP∪AP Φ such that the triggers AP Φ are only pulled when necessary in γ , and vice versa. This will be crucial to make our approach efficient in practice, as it reduces the behaviours of the product SA that accepts the whole formula ϕ. This observation is formalised in the following two propositions.
Proof. Assume that χ = ψ 1 U I ψ 2 and let ζ be a signal over 2
The components. We are now ready to present the components C χ for χ ∈ Φ.
The component C χ for χ = ψ 1 U ψ 2 is given in Figure 1. We now explain how it has been produced. Thanks to Proposition 2, we provide a bipartite SA (in particular, we will read timed sequences with bipartite interval sequences only), where 'singular' locations are on top, and 'open' locations at the bottom. First, we focus on locations s 0 and o 0 , that are used as long as trigger p χ is not pulled: then, there is no need to pull any trigger of ψ 1 nor ψ 2 , which is ensured via the use of formula * ψ 1 ∧ * ψ 2 . Consider then the first time when trigger p χ is pulled (by another component automaton): it is either in a singular interval, in which case we jump into location s 1 (this creates a pending obligation, since such an 'until' with our strict semantics cannot be fulfilled right away in a singular interval: this means, in particular, that we do not need to pull any trigger for ψ 1 or ψ 2 , thus checking * ψ 1 ∧ * ψ 2 ), or in an open interval, in which case we jump either into location o 1 if ψ 2 does not hold (i.e. if ∼ ψ 2 holds), or into location o 3 if ψ 2 holds (i.e. if ψ 2 is in the guard), which fulfils right away the new obligation (notice that, in the figure, we did not put p χ in the guard of this location, for simplification: we will discuss this point in more detail afterwards).
When p χ is first pulled in an open interval (which means we jump into location o 1 or o 3 ), by the semantics of the 'until' operator, ψ 1 must also hold in that interval. When in o 3 , the successors are the same as in o 0 . When in o 1 with a pending obligation, there are two cases for the next jump. Either ψ 2 holds in the next singular interval, and then no trigger of ψ 1 needs to be pulled (i.e. guard * ψ 1 ∧ ψ 2 ): if there is no newly pulled trigger p χ , we jump into location s 3 ; otherwise, we jump into location s 4 where we still have a new pending obligation, but the location is still made accepting to record the fact that the previous obligation has been fulfilled. Or ψ 2 does not hold, in which case ψ 1 should hold (i.e. guard ψ 1 ∧ ∼ ψ 2 ): we then jump into location s 2 whether or not a new trigger p χ is pulled. When p χ is first pulled in a singular interval (which means we jump into location s 1 ), there is no need to pull any trigger of ψ 1 nor ψ 2 . Then, while in one of the 'singular' locations

Figure 2 The component SA C χ for ψ 1 U (0,a) ψ 2 (the figure's rows are labelled 'no pending obligations' and 'some pending obligations', its columns 'sing. interval' and 'open interval'). We use a Boolean variable si to signify whether the oldest pending obligation has been pulled in a singular interval or not. The transitions with or reset x; the ones with (resp.) set si to true (resp. false). The clock constraint g is defined as

Initially, we do not want to pull any trigger of ψ 1 or ψ 2 ; therefore, s 0 and s 1 are the two initial locations, depending on whether trigger p χ is initially pulled or not. Accepting locations are the ones where either there are no more pending obligations, or a pending obligation has been fulfilled while a new trigger is being pulled (location s 4 ). Notice that, thanks to the use of the * ψ i and ψ i formulae, only the necessary triggers in P ψ1 ∪ P ψ2 are pulled during an execution of this component. However, this is not true for location o 3 : when going from locations s 0 or s 3 , to pull only minimal sets of triggers, we must make sure to go into o 3 only when a new trigger p χ is pulled. This requires splitting this location into two (one where p χ holds, the other where it does not). For simplicity, we did not do it in the figure, but we apply this splitting in the next component we present.
This next component C χ is the one for χ = ψ 1 U (0,a) ψ 2 (Figure 2), that is obtained by adding a clock x and suitable clock constraints. Intuitively, it suffices to use only one clock because for I = (0, a), all new obligations are implied by the oldest pending obligation. This means that the clock should be reset when entering a location where a trigger is pulled while all the previous obligations have been fulfilled: this is a priori the case when entering locations s 1 , o 1 , and s 4 from locations { s 0 , s 3 , o 0 , o 3 , o 3 }. Now, the valuation of x would fix a deadline for the satisfaction of ψ 2 . Indeed, as long as ψ 2 does not hold, we must check that x < a. When ψ 2 is next fulfilled, we also check that x < a. However, this is not correct for two reasons.
First, checking the requirement x < a is not correct if the oldest pending obligation appeared in an open interval: indeed, it is still correct to fulfil ψ 2 in a singular interval where x = a. This requires that we register, when resetting clock x, whether the trigger is pulled in a singular interval or not. To ease the presentation, we use a Boolean variable si to record that the trigger has been pulled in a singular interval. Pictorially, we use transitions with heads to reset the clock x and set si to true, while transitions with heads reset clock x and set si to false. Then, the clock constraint that must be checked in a singular interval (whether or not ψ 2 is currently fulfilled) is not x < a but g defined by (si ∧ x < a) ∨ (¬si ∧ x ≤ a): in particular, the guard g in location s 2 models the fact that if the oldest obligation has been triggered in an open interval (si is false), it is not a contradiction to not yet fulfil ψ 2 at time x = a, but then, the only fireable transitions are the ones towards o 3 and o 3 where ψ 2 then holds. This also explains why guard g does not need to be checked when entering o 3 and o 3 . Second, this cannot be done as such when entering location s 4 since the guard g must be checked before resetting clock x that records the deadline of the next pending obligation. Indeed, we simply delay the reset and modification of variable si to the next transition towards o 1 or o 4 . The component for ψ 1 U (0,a] ψ 2 is similar and hence omitted. The components for 'release' operators follow the same pattern as the ones for 'until'. Due to lack of space, we present them in Appendix B. Then: Proposition 7. For each χ ∈ Φ, component C χ accepts exactly all signals γ over 2 AP∪AP Φ such that γ, t |= p χ ⇒ Expand χ for all t ∈ R ≥0 (where Expand χ is one of the formulae in Proposition 5).
Finally, we need a simple initial component C init which enforces ϕ at t = 0 and * ϕ at all t > 0, as suggested by Proposition 5. We can now state the main theorem of this section.

4 From signal automata to timed automata
In this section, we provide a new approach to check the emptiness of signal automata that can be implemented by relying on existing tools for timed automata. To this end, we explain how to encode an SA A into a timed automaton B A that accepts exactly the 'timed words' counterparts of the signals accepted by A. Moreover, the construction can be used in a compositional manner: if A is the product of a number of component SAs, B A can be obtained as the product of the TAs that result from applying the construction to the components of A.
As the construction is emptiness-preserving, it can serve as a bridge between the MITL-to-SA translation in the previous section and existing TA-based tools. We start by recalling the formal definition of timed automata.

Definition 9.
A timed automaton (TA) over 2 AP is a tuple A = (L, L 0 , X, ∆, F) where L is a finite set of locations; L 0 ⊆ L is the set of initial locations; X is a finite set of clocks;

and that satisfies the following: Initiality: 0 ∈ L 0 ; and Consecution: for all i ≥ 0: We say that π is accepting if for all accepting sets F ∈ F, the set {i | i ∈ F } is infinite. A timed word ρ is accepted by A if there is an accepting run of A on ρ. We write L(A) for the set of timed words accepted by A. For two TAs A 1 and A 2 , we denote by A 1 × A 2 their (synchronous) product [2]. In particular, we have
Translation from SA to TA. We first explain how we map signals to timed words. To do so, we select a bipartite state sequence κ corresponding to γ, and we express the state changes along κ in a timed word. Formally, for a signal γ and a timed state sequence κ = (σ 0 , I 0 )(σ 1 , I 1 ) • • • s.t. κ ∈ γ bp (i.e., I i is singular for all even i ≥ 0), we define: Note that we represent a state change at time t by two events with timestamp t (note that sup(I i ) = inf(I i+1 ) for each even i ≥ 0). Abusing notation, we write [S] tw for a set S of signals.
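As an added example (not the paper's code), the following refines a signal into a bipartite timed state sequence, in which singular and open intervals alternate as Proposition 2 requires, and reads the timed word off it. It assumes, from the remark above, that every bipartite interval contributes one event stamped with the interval's infimum, so that a singular interval [t, t] and the open interval following it are exactly the two events with timestamp t; the segment encoding and the sample signals are ours.

```python
# Added example (not the paper's code): from a piecewise-constant signal to a
# bipartite timed state sequence and to the timed word read off it. A signal is
# a list of (state, (lo, lo_closed, hi, hi_closed)) segments covering [0, oo).
import math

INF = math.inf

def bipartite(signal):
    """Refine a signal into intervals that alternate singular, open, singular, ...

    Every closed endpoint of a segment becomes a singular interval [t, t] and
    the interior of every segment becomes an open interval (lo, hi); the
    result is one bipartite timed state sequence of the signal. Each entry is
    (state, lo, hi), with lo == hi for the singular intervals.
    """
    seq = []
    for state, (lo, lc, hi, hc) in signal:
        if lc:
            seq.append((state, lo, lo))          # singular [lo, lo]
        if lo < hi:
            seq.append((state, lo, hi))          # open (lo, hi)
            if hc:
                seq.append((state, hi, hi))      # singular [hi, hi]
    # A valid signal yields singular intervals at even positions and open ones
    # at odd positions; any other shape means the segments overlap or leave gaps.
    for i, (_, lo, hi) in enumerate(seq):
        if (lo == hi) != (i % 2 == 0):
            raise ValueError("segments do not form a valid signal")
    return seq

def timed_word(signal):
    """[gamma]_tw as assumed here: one event per bipartite interval, stamped
    with its infimum, so each state change at time t yields two events at t."""
    return [(state, lo) for state, lo, _ in bipartite(signal)]

# Constructed signals: p on the closed block [0, 2] versus the half-open [0, 2).
# Their timed words differ only in the state carried by the singular point at 2.
CLOSED_BLOCK = [({'p'}, (0.0, True, 2.0, True)), (set(), (2.0, False, INF, False))]
HALF_OPEN_BLOCK = [({'p'}, (0.0, True, 2.0, False)), (set(), (2.0, True, INF, False))]
```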
Proposition 10. Given a (bipartite) SA A, we can construct a TA B A such that L(B A ) = [S(A)] tw . In particular, if
Proof (Sketch). For a clock constraint g ∈ G(X), let g ← be the clock constraint obtained from g by replacing all clauses of the form 'x ≤ c' with 'x < c' and all 'x > c' with 'x ≥ c'. Likewise, let g → be the clock constraint obtained from g by replacing all 'x < c' with 'x ≤ c' and all 'x ≥ c' with 'x > c'. The following statements hold (for a valuation v of X): v |= g ← if and only if for some δ ∈ R >0 , we have v + t |= g for all t ∈ (0, δ]. v |= g → if and only if for some δ ∈ R >0 , we have v |= g for all valuations v of X such that v + t = v for some t ∈ (0, δ]. In what follows, we write g[λ ← 0] for the clock constraint obtained from g by replacing all occurrences of clocks x ∈ λ with 0. For A = (L, L 0 , α, X, β, ∆, F) (which by assumption is bipartite and

Figure 3 The component TA B χ for χ = ϕ 1 U (0,a) ϕ 2 . We use a Boolean variable si to signify whether the current p χ -interval is left-closed. The transitions with (respectively, ) set si to true (respectively, false). The clock constraint g is defined as

Intuitively, the 'dotted' locations ˙ s , ˙ o are used to allow interleaving and stuttering as A stays in ∈ L o : this is crucial to make the asynchronous product A 1 × • • • × A n and the synchronous product B A1 × • • • × B An match. Finally, for pragmatic reasons, we make suitable modifications to B to obtain a strongly non-Zeno TA B A (i.e. a TA in which time progresses), as in [22].
The proposition above works for any (bipartite) SA. For C init or each component C χ (χ ∈ Φ) in the previous section, however, we can suppress all the 'dotted' locations ˙ s , ˙ o and build a much simpler TA (which we denote by B init or B χ , respectively) (footnote 5). Our main result can then be stated as the following theorem, where the projection operator proj is defined in a similar way as in the setting of signals.
tw for any given SA A over 2 AP∪AP Φ whose propositional constraints can be written as Boolean combinations over AP (i.e. do not involve atomic propositions in AP Φ ).
As an example, the component TA B χ for χ = ψ 1 U (0,a) ψ 2 (in which we use a new atomic proposition p sing that holds on 'singular' transitions) is depicted in Figure 3.

Implementation and experiments
We have implemented the translation as an extension of our tool MightyL [14]. Given a formula ϕ over AP in MITL (footnote 6), the tool generates the model TA B A where A is a universal SA over 2 AP∪AP Φ , the initial component TA B init , and the corresponding component TAs B χ for each temporal subformula χ of ϕ in the Uppaal xml format. The user can, of course, replace B A with the model TA M of their choice and perform model-checking with existing TA-based tools (footnote 7). Our implementation is publicly available and can be executed directly on the webpage: http://www.ulb.ac.be/di/verif/mightyl. In the following experiments,

Footnote 5: Alternatively, one may translate ¬ϕ into a 'pointwise' formula and invoke the approach in [14] directly; the number of temporal subformulae (and hence the number of clocks) would be doubled, however.
Footnote 6: More precisely, our tool accepts all temporal operators that are labelled with intervals of the form (0, ∞), [0, ∞), (0, a), [0, a), (0, a] or [0, a]. If 0 is included in the interval, the temporal operator is given a weak-future interpretation [39], e.g., ψ1 U w [0,a) ψ2 ⇐⇒ ψ2 ∨ (ψ1 ∧ ψ1 U (0,a) ψ2). Remember that general MITL formulae can be rewritten into formulae of this fragment, e.g., F (a,∞) ψ ⇐⇒ G (0,a] Fψ.
Footnote 7: We require M to be strongly non-Zeno and L(M) = [S(A)] tw where A is an SA over 2 AP∪APΦ that satisfies the conditions in Theorem 11.
Table 1 Execution times for the 'parametric formulae' benchmark set. The columns 'Pointwise' correspond to the approach of [14] and the columns 'Continuous' correspond to the approach of this article (where OOM stands for out-of-memory). The three numbers of each entry correspond to the time taken by opaal to translate Uppaal xml into C++, the time taken by the g++ compiler, and the actual model-checking time taken by LTSmin, respectively.

Satisfiability of parametric formulae. We consider the satisfiability of a set of parametric MITL formulae modified from [24,13]. The goal of this benchmark set is to give a rough comparison between the performance of our approach in the pointwise semantics (the original aim of MightyL; we refer the reader to [39,14] for more details) with that in the continuous semantics (this article). For k ≥ 2 and an interval I, let: where F w I , G w I , etc., are weak-future temporal operators [39]. The formulae in the benchmark set are given in Table 1. For the pointwise case, these are the actual formulae that we pass to MightyL; for the continuous case, standard rewriting rules are applied to handle the lower-bound temporal operators (e.g. F (5,∞) p ⇐⇒ G (0,5] Fp). From the execution times in Table 1, it is evident that opaal and g++ are not performance bottlenecks. For smaller formulae, the times taken by LTSmin are very short. For larger formulae, however, as LTSmin uses depth-first search for opaal-generated models, it sometimes goes very deep into the state space and runs out of memory.
Table 2 Execution times for the satisfiability, validity and redundancy checks in [19]. [Columns: Formula | Our approach | Our approach w/o minimality]

Figure 4 The SA $A_{lamp}$. The transitions with solid tips reset clock x.
Validity and redundancy of specifications. We say that an MITL formula ϕ is valid if ¬ϕ is not satisfiable. If ϕ is of the form $\bigwedge_{1 \le i \le k} \varphi_i$, we say that the conjunct $\varphi_i$ is redundant in ϕ if the formula $(\bigwedge_{1 \le j \le k,\, j \ne i} \varphi_j) \Rightarrow \varphi_i$ is valid. In [19], MITL specifications created by non-expert users are checked for satisfiability, validity and redundancy. We give the execution times of our approach on some of their checks in Table 2. To see the effect of forcing minimal triggers, we also give the execution times when this is not imposed. We also reproduce the execution times reported in [19] in the table; since we do not impose a priori bounds on state changes (as opposed to [19]) and we use a much less powerful CPU, these numbers are not meant for direct comparison but rather for reference.
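As an added example (not MightyL's own code, and not code from [14] or [19]), the following Python encodes MITL formulae as nested tuples, applies the rewriting rule quoted in footnote 6 (and, as an assumption of this example, its F/G dual for a lower-bounded G), unfolds the weak-future until, counts the temporal subformulae (the number of clocks/component TAs), and forms the formula whose unsatisfiability witnesses redundancy as defined above (validity of ϕ being just unsatisfiability of ¬ϕ). The tuple encoding, the INF/FULL constants and the function names are assumptions of this example.

```python
# Added example (not MightyL's own code). Formulae are nested tuples:
#   ('ap', 'p'), ('not', f), ('and', f, g), ('or', f, g),
#   ('F', I, f), ('G', I, f), ('U', I, f, g)
# with I = (lo, hi, lo_closed, hi_closed); hi may be INF.
INF = float("inf")
FULL = (0, INF, False, False)  # the unlabelled operator, read as (0, ∞)

def rewrite(f):
    """Apply the rule quoted in the text, F_(a,∞) ψ ⟺ G_(0,a] F ψ, and its
    dual G_(a,∞) ψ ⟺ ¬F_(a,∞) ¬ψ (assumed here; not stated on the page).
    Intervals with lower bound 0 are already in the accepted fragment."""
    op = f[0]
    if op == "ap":
        return f
    if op == "not":
        return ("not", rewrite(f[1]))
    if op in ("and", "or"):
        return (op, rewrite(f[1]), rewrite(f[2]))
    I = f[1]
    if I[0] == 0:
        return (op, I) + tuple(rewrite(g) for g in f[2:])
    lo, hi, lo_closed, _ = I
    if op == "F" and hi == INF and not lo_closed:
        return ("G", (0, lo, False, True), ("F", FULL, rewrite(f[2])))
    if op == "G" and hi == INF and not lo_closed:
        return ("not", rewrite(("F", I, ("not", f[2]))))
    raise NotImplementedError(f"no rewriting rule on the page for {op} {I}")

def unfold_weak_until(a, psi1, psi2):
    """Weak-future reading of ψ1 U^w_[0,a) ψ2: ψ2 ∨ (ψ1 ∧ ψ1 U_(0,a) ψ2)."""
    return ("or", psi2, ("and", psi1, ("U", (0, a, False, False), psi1, psi2)))

def temporal_subformulae(f):
    """Count temporal subformulae: one clock and one component TA each."""
    if f[0] == "ap":
        return 0
    own = 1 if f[0] in ("F", "G", "U") else 0
    return own + sum(temporal_subformulae(g) for g in f[(2 if own else 1):])

def redundancy_check(conjuncts, i):
    """conjuncts[i] is redundant in their conjunction iff the returned formula,
    ¬((⋀_{j≠i} φ_j) ⇒ φ_i) = (⋀_{j≠i} φ_j) ∧ ¬φ_i, is unsatisfiable."""
    rest = [c for j, c in enumerate(conjuncts) if j != i]
    conj = rest[0]
    for c in rest[1:]:
        conj = ("and", conj, c)
    return ("and", conj, ("not", conjuncts[i]))
```

Feeding the returned formula to a satisfiability check (as in Table 2) decides redundancy; note from the counts that the rewriting of a lower-bounded F doubles its clock cost.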
Model-checking a timed lamp.We consider a case study of a timed lamp from [9].The lamp is controlled by two buttons 'on' and 'off', which can only be pressed instantaneously but not simultaneously.The buttons turn the lamp on and off as expected, and the lamp turns off automatically 5 time units after the last time 'on' was pressed.In [9], the system is given as an MITL formula (with past temporal operators) over atomic propositions { , on, off}.
While we can make use of projections to remove the past temporal operators [44,28], it turned out that the resulting formula is too large. For this reason, we model the system directly as an SA $A_{lamp}$ (Figure 4). Then, via Proposition 10 and Theorem 11, we perform the same verification tasks as [9]: (1) checking the emptiness of $A_{lamp}$; (2) model-checking $A_{lamp}$ against $\varphi_1 = G_{[0,\infty)}\, F_{[0,5]}\, (\neg\ )$, i.e. the lamp never stays lit for more than 5 time units; (3) model-checking $A_{lamp}$ against $\varphi_2 = F_{[0,\infty)}\, G_{[0,5]}\ \ \Rightarrow F_{[0,\infty)}\, (\mathit{on} \wedge F_{(0,5]}\, \mathit{on})$, i.e. if at some point the light stays on for more than 5 time units, then there is an instant when 'on' is pressed, and then it is pressed again before 5 time units. The execution times (with and without minimality criteria) are given in Table 3, where we also reproduce the execution times reported in [9]. Again, these numbers are not meant to be compared directly.

Conclusion and future work
We proposed a translation from MITL to signal automata based on the same principles as our previous work in the pointwise setting [14]. The main advantages of this translation over the existing ones are that it is compositional and integrates easily with existing tools. To the best of our knowledge, this is the first practical automata-based approach to MITL model-checking over signals. We plan to add to MightyL support for general MITL operators (via rewriting or by components) and other temporal operators (such as those from ECL [28]). A possible future theoretical direction is to investigate whether the translation can be generalised (possibly with the techniques in [17] or [42]) to deal with signals that are not finitely-variable.

[Figure residue: location groups labelled 'no pending obligations' and 'some pending obligations'.]

B The components for 'release' operators
The component $C_\chi$ for $\chi = \psi_1\, R\, \psi_2$ (Figure 5) is based on similar ideas as the component for $\psi_1\, U\, \psi_2$. In this case, an obligation can be satisfied by either $\psi_1 \wedge \psi_2$ holding in a singular interval or $\psi_1 \wedge * \psi_2$ holding in an open interval. The component $C_\chi$ for $\chi = \psi_1\, R_{(0,a)}\, \psi_2$ is given in Figure 6. In this case, all old obligations are implied by the newest one. We therefore reset the clock x when $p_\chi$ becomes false. The component for $\psi_1\, R_{(0,a]}\, \psi_2$ is similar and hence omitted.

$s_1$, $s_2$ or $s_4$, with a pending obligation, in the next jump, there are two cases:
• either $\psi_2$ holds in the next open interval, in which case $\psi_1$ should still hold (because of the semantics of the 'until' operator): we can jump into the previously introduced location $o_3$;
• or $\psi_2$ does not hold (then $\psi_1$ should hold anyway) and we jump either to location $o_1$ if a new trigger $p_\chi$ is pulled, or to $o_2$ if no new trigger $p_\chi$ is pulled. Location $o_2$ has the same successors as $o_1$, but we still need to distinguish them since $o_1$ must check that a new pending obligation is pulled.