A Parametric Counterexample Refinement Approach for Robust Timed Specifications

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Robustness analyzes the impact of small perturbations in the semantics of a model. This makes it possible to model hardware imprecision, and it has therefore been applied to determine the implementability of timed automata. In a recent paper, we extended this problem to a specification theory for real-time systems based on timed input/output automata, which are interpreted as two-player games. We proposed a construction that synthesizes an implementation of a specification that is robust under a given timed perturbation, and we studied the impact of these perturbations when composing different specifications. To complete this work, we present a technique that evaluates the greatest admissible perturbation. It consists of an iterative process that extracts a spoiling strategy when a game is lost and, through a parametric analysis, refines the admissible values for the perturbation. We demonstrate this approach with a prototype implementation.


💡 Research Summary

The paper addresses the problem of synthesizing implementations of timed specifications that remain correct under small timing perturbations, which model the unavoidable imprecision of real hardware clocks. The authors work in a specification theory based on timed input/output automata (TIOA), where a specification is read as a two-player game: the system player controls the outputs and their timing, the environment player controls the inputs, and the system wins if it can always meet the timing constraints the specification imposes, whatever the environment does.

The first contribution is a robust synthesis construction. Given a concrete perturbation bound ε, it decides whether an implementation exists that still satisfies the specification when each of its timed actions may fire up to ε earlier or later than intended. The game is modified with ε-dependent clock guards: the guards that model imprecise firing are enlarged by ε, which correspondingly narrows the windows the system can safely commit to. If the system player can still force a win in the modified game, ε is admissible, and the winning strategy is the robust implementation.

When the game is lost, the second contribution, a parametric counterexample refinement loop, comes into play. The algorithm extracts a spoiling strategy: a concrete environment behaviour that forces the system to violate the specification. Crucially, the strategy is then re-analysed with ε as a parameter instead of a constant, which yields a set of linear constraints describing exactly for which values of ε the strategy remains effective. Solving these constraints with a parametric analysis engine (the prototype uses an SMT solver) gives the largest ε at which the current strategy no longer spoils the game. Every admissible perturbation must lie at or below that value, so it becomes a new upper bound, and the loop repeats: (1) solve the game at the current ε; (2) if it is lost, extract the spoiling strategy; (3) translate the strategy into a parametric constraint system over ε; (4) compute the largest ε that this strategy cannot spoil; (5) set ε to that value and return to step (1). Each iteration strictly lowers the bound. The loop stops as soon as the game is won at the current ε, and that ε is the greatest admissible perturbation for the specification.
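To make steps (1) to (5) concrete, here is an added toy model of the loop. It is not the paper's prototype or its algorithms: the timed game is unfolded into a finite tree with a single clock, the robust semantics is reduced to shrinking each output window [lo, hi] to [lo+ε, hi−ε], and the parametric analysis of a spoiling strategy reduces to computing the threshold on ε above which the strategy forces an empty window. The specification, the environment's moves and the shortcut of unfolding the environment's delay only at the endpoints of its interval are all assumptions made for this example.

```python
"""Toy refinement loop over a finite unfolding of a one-clock timed game.
Constructed example, not the authors' prototype or their algorithm."""
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Win:
    """Terminal location: the specification is satisfied from here."""


@dataclass
class Env:
    """Environment node: the opponent picks one input move (label -> successor)."""
    moves: Dict[str, "Node"]


@dataclass
class Sys:
    """System node: the system picks one output (label, lo, hi, successor),
    allowed to fire while the clock x satisfies lo <= x <= hi."""
    options: List[Tuple[str, F, F, "Node"]]


Node = Union[Win, Env, Sys]
Strategy = tuple  # ("env", label, sub) or ("sys", [(label, lo, hi, sub_or_None), ...])


def window_ok(lo: F, hi: F, eps: F) -> bool:
    """Robust semantics: a nominal firing time t is safe only if [t-eps, t+eps]
    fits inside [lo, hi], so the effective window is [lo+eps, hi-eps]."""
    return lo + eps <= hi - eps


def solve(node: Node, eps: F) -> Optional[Strategy]:
    """Step (1)/(2): solve the game at a concrete eps.  None means the system wins;
    otherwise the returned tree is the environment's spoiling strategy."""
    if isinstance(node, Win):
        return None
    if isinstance(node, Env):
        for label, succ in node.moves.items():
            sub = solve(succ, eps)
            if sub is not None:
                return ("env", label, sub)       # one losing input suffices
        return None
    reasons = []                                 # Sys: every option must lose
    for label, lo, hi, succ in node.options:
        if not window_ok(lo, hi, eps):
            reasons.append((label, lo, hi, None))    # empty window, nothing to explore
            continue
        sub = solve(succ, eps)
        if sub is None:
            return None                          # this option wins for the system
        reasons.append((label, lo, hi, sub))
    return ("sys", reasons)


def threshold(strategy: Strategy) -> F:
    """Steps (3)/(4): parametric analysis of a spoiling strategy.  The strategy spoils
    for every eps strictly above the returned value, which therefore bounds eps."""
    if strategy[0] == "env":
        return threshold(strategy[2])
    bounds = []
    for _label, lo, hi, sub in strategy[1]:
        t = (hi - lo) / 2                        # [lo+eps, hi-eps] is empty iff eps > t
        if sub is not None:
            t = min(t, threshold(sub))           # or the option's successor is already lost
        bounds.append(t)
    return max(bounds)                           # the system loses only if all options lose


def describe(strategy: Strategy) -> str:
    if strategy[0] == "env":
        return f"{strategy[1]} -> " + describe(strategy[2])
    parts = [f"{l}[{lo},{hi}]" + ("" if s is None else " -> " + describe(s))
             for l, lo, hi, s in strategy[1]]
    return "{" + " | ".join(parts) + "}"


def greatest_perturbation(root: Node, eps0) -> Tuple[Optional[F], list]:
    """Step (5): tighten eps to the spoiler's threshold until the game is won."""
    eps, trace = F(eps0), []
    while True:
        strat = solve(root, eps)
        if strat is None:
            return eps, trace
        theta = threshold(strat)
        assert theta < eps                       # the spoiler works at eps, so the bound drops
        trace.append((eps, describe(strat), theta))
        if theta < 0:
            return None, trace                   # a window is empty even with exact clocks
        eps = theta


def example_spec() -> Node:
    """Constructed specification (assumption).  Clock x is reset when `req` arrives and the
    system must answer `resp` with 2 <= x <= 5.  Before it does, the environment may send
    `urgent` at x = d, d in [0, 3]; then `resp` must also satisfy x <= d + 3, or the system
    may send `nack` with x <= 1.  Guards are linear, so d is unfolded at its endpoints."""
    def after_urgent(d: F) -> Node:
        return Sys([("resp", F(2), min(F(5), d + 3), Win()),
                    ("nack", F(0), F(1), Win())])
    after_req = Env({"wait": Sys([("resp", F(2), F(5), Win())]),
                     "urgent@0": after_urgent(F(0)),
                     "urgent@3": after_urgent(F(3))})
    return Env({"req": after_req})


if __name__ == "__main__":
    best, trace = greatest_perturbation(example_spec(), 2)
    for eps, spoiler, theta in trace:
        print(f"eps={eps}: lost to {spoiler}; it spoils for eps > {theta}")
    print("greatest admissible perturbation:", best)
```

Starting from ε = 2, the first spoiler is the environment simply waiting, which empties the window [2, 5] once ε exceeds 3/2; re-solving at ε = 3/2 yields a second spoiler, `urgent` sent at d = 0, whose windows [2, 3] and [0, 1] both empty for ε above 1/2; at ε = 1/2 the system wins, so 1/2 is the greatest admissible perturbation for this toy specification. Because the windows are closed, the threshold value itself is still admissible against the strategy that produced it, which is why the loop re-solves at exactly that value rather than stopping early; exact rational arithmetic (`Fraction`) keeps the threshold comparisons free of rounding error.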

A third contribution concerns composition. Even when each specification is robust for its own ε, composing several of them can reduce the admissible perturbation of the whole, because timing mismatches at the interfaces propagate. The authors formalize this as a composition rule: the global admissible ε is at most the minimum of the component ε's, and may be reduced further by a computed interface delay margin. With this rule a designer can estimate system-level robustness early in the design and adjust component specifications accordingly.

The prototype was evaluated on several case studies, including a simple communication protocol, a traffic-light controller and an embedded sensor network. In each case the refinement converged quickly to the exact maximal ε, and the robust implementations were comparable in size and synthesis time to those produced by non-robust synthesis while tolerating substantially more timing noise.

The authors acknowledge limitations. The parametric analysis relies on linear clock constraints; non-linear guards, or specifications with complex priority structures, would require more sophisticated solvers. Extracting spoiling strategies can also become expensive on large state spaces, so state-space reduction or abstraction techniques are left as future work.

In summary, the paper combines game-theoretic synthesis with parametric counterexample analysis into a practical method for determining the greatest timing perturbation a timed specification can tolerate. This advances the state of the art in robust timed system design, offering both theoretical insight and a usable toolchain for engineers who must build reliable real-time components despite the inevitable imprecision of hardware clocks.

