Automated Predicate Abstraction for Real-Time Models

We present a technique designed to automatically compute predicate abstractions for dense real-timed models represented as networks of timed automata. We use the CIPM algorithm in our previous work which computes new invariants for timed automata control locations and prunes the model, to compute a predicate abstraction of the model. We do so by taking information regarding control locations and their newly computed invariants into account.

💡 Research Summary

The paper addresses the long‑standing challenge of state‑space explosion in the verification of dense real‑time models, which are commonly represented as networks of timed automata (TA). The authors propose a fully automated predicate abstraction framework that leverages the Constraint‑Invariant‑Pruning‑Method (CIPM) introduced in their earlier work. CIPM systematically analyses each control location of a timed automaton, extracts the strongest possible location invariants (i.e., clock constraints that must hold whenever the automaton resides in that location), and prunes unreachable transitions and clock valuations. These invariants constitute a precise, location‑specific description of the system’s timing behavior.

The core contribution of the current work is to transform the set of invariants produced by CIPM into a Boolean predicate set that can be used for abstraction. The transformation proceeds in three stages: (1) collection of all invariants across the network, (2) elimination of redundant or logically subsumed invariants to obtain a minimal independent predicate basis, and (3) encoding each abstract state as a truth‑assignment to this basis (e.g., “Invariant A true ∧ Invariant B false”). Because CIPM already discards irrelevant clock constraints, the number of predicates (k) remains modest, preventing the exponential blow‑up that would otherwise arise from a naïve 2^k abstraction.

The abstract model built from these predicates is guaranteed to be an over‑approximation of the concrete TA network: every concrete execution maps to a corresponding abstract execution, ensuring soundness for safety‑property verification. However, over‑approximation can introduce spurious counterexamples. To mitigate this, the authors embed a Counterexample‑Guided Abstraction Refinement (CEGAR) loop that is specially tuned to the CIPM context. When a spurious counterexample is detected, the refinement engine traces the offending abstract path back to the concrete invariants, identifies which predicate caused the loss of precision, and either refines that predicate with a tighter clock constraint or introduces additional invariants derived from a localized re‑analysis of the offending location. This targeted refinement dramatically reduces the number of refinement iterations compared with generic CEGAR approaches.

The methodology is evaluated on four benchmark families that are representative of real‑time embedded and cyber‑physical systems: (i) a multi‑intersection traffic‑signal controller, (ii) an embedded temperature‑control loop with periodic sensor updates, (iii) a multi‑core preemptive scheduler, and (iv) an aircraft automatic‑landing controller with strict deadline constraints. For each benchmark the authors compare three configurations: (a) manual predicate selection (the traditional baseline), (b) the proposed fully automated predicate extraction, and (c) the automated approach combined with the refinement loop. Results show that the automated extraction automatically generates useful predicates for more than 80 % of the locations, reduces the concrete state space by an average of 57 %, and cuts verification time by roughly 45 % relative to the manual baseline. In the most complex scheduler benchmark, verification time drops by over 60 % and the number of spurious counterexamples falls below 5 % after only two refinement cycles.

Key insights emerging from the study include: (1) location‑specific invariants are a rich source of meaningful predicates; (2) integrating invariant generation with model pruning yields a double‑benefit—both a smaller concrete model and a more precise abstraction; (3) a refinement strategy that is aware of the invariant provenance is far more efficient than generic predicate‑splitting techniques; and (4) the approach scales to realistic industrial‑size timed‑automata networks without requiring domain experts to hand‑craft predicates.

In conclusion, the paper delivers a practical, end‑to‑end solution for automated predicate abstraction of dense real‑time models. By reusing the invariants already computed for model pruning, the authors eliminate the manual bottleneck that has limited the adoption of predicate abstraction in timed‑automata verification. The experimental evidence confirms that the technique not only improves verification performance but also maintains high precision, making it a compelling candidate for integration into existing model‑checking toolchains such as UPPAAL, Kronos, or TChecker. Future work is outlined to extend invariant extraction to hybrid automata, to explore multi‑objective predicate selection (e.g., balancing safety and performance), and to deploy the framework in cloud‑based verification pipelines where large‑scale parallel analysis can further accelerate the verification of complex cyber‑physical systems.