Zenoness detection and timed model checking for real time systems

In this paper, we consider the time Petri net model (TPN model) and show how to detect zenoness using the state class method. Zenoness is a situation which suggests that an inﬁnity of actions may take place in a ﬁnite amount of time. This behavior is often considered as pathological since it violates a fundamental requirement for timed systems for they cannot be inﬁnitely fast. Models violating this property are called zeno. We state a necessary and sufﬁcient condition for T-safe TPNs to be zeno and derive an algorithm to verify zenoness in the case of bounded TPN models. We also adapt a model checking approach to verify on-the-ﬂy a subset of TCTL properties while taking into account zeno behaviors.


INTRODUCTION
Time Petri nets provide a formal framework to model and verify the correct functioning of real-time systems.Petri nets extended with timing dependencies are very numerous in the literature [1,11,17,22,24].The best known timed extensions are timed Petri nets proposed by Ramchandani [24] and time Petri nets proposed by Merlin and Farber [22].We focus, in this paper, on the time Petri net model [22], referred in the sequel as the TPN model, for both zenoness detection and timed properties model-checking.Zenoness is a behavior which suggests that an infinity of actions may take place in a finite amount of time.This behavior is often considered as pathological since it violates a fundamental requirement for timed systems for they cannot be infinitely fast.Models violating this property are called zeno.To detect zenoness for bounded TPNs, the authors in [8], propose to translate the TPN model under study to an equivalent timed automata, then verify zenoness using the method developed in [18].We proposed in this paper an approach to verify zenoness directly on the TPN model.We also state a necessary and sufficient condition for T-safe TPNs to be zeno and derive an algorithm to verify zenoness in the case of bounded TPNs.Our approach is based on the state class method [4] which allows to construct an abstraction for the TPN state space that preserving linear properties of the model.Several abstractions of the TPN model state space have been proposed in the literature to verify its untimed temporal properties [4,6,7,5,13,15,20,26].These approaches allow to construct state class spaces that preserve reachability [5,20], linear properties [4], and branching properties [6,7,15,26].The verification is then performed using standard model-checking techniques [10].
In [16], we proposed an approach to verify on-the-fly timed properties for the TPN models using the state class method.The objective was to bridge the gap between timed automata [2] and time Petri nets.In fact, most proposed verification techniques of timed properties for TPNs define translation procedures from the TPN model into a semantically equivalent timed automata [2], in order to make use of available model checking tools [8,12,14,21,26].Model checking is then performed on the resulting timed automaton, with results interpreted back on the original TPN model.Though effective, these techniques face the difficulty to interpret back and forth properties between the two models.The use of observers [25], on the other hand, allows to express some timed properties in the form of TPNs, but properties on markings are quite difficult to express with observers [9].With our verification approach, we were able to verify timed properties with the same versatility as for timed automata with tools like UPPAAL [3], but only non zeno models were considered.With the results we present in this paper for characterizing zenoness, we show how to adapt our timed model checking approach to take into account zeno behaviors.
The rest of the paper is organized as follows: Section 2 introduces the TPN model and its semantics.Section 3 presents the state class method and shows how to construct the state class graph (SCG).In Section 4, we state a necessary and sufficient condition to detect zenoness and propose a detection algorithm using the SCG.In Section 5, we propose to contract the SCG by inclusion for better performances.In Section 6.2, we complete our model checking technique proposed in [16] to the case of zeno models.

TIME PETRI NETS
Let Q + and R + be respectively the set of positive rational numbers and the set of positive real numbers.Let Q + [ ] be the set of non empty intervals of R + which bounds are respectively in ↓ I and ↑ I denote respectively its lower and upper bounds.

Definition 1 : Time Petri Net (TPN)
A TPN is a tuple (P, T, P re, P ost, m 0 , Is) where: • P is a finite set of places, • T is a finite set of transitions, with P ∩ T = ∅, • P re and P ost are respectively the backward and forward incidence functions: Informally, a TPN is a Petri net with time intervals attached to its transitions [22].A transition can fire iff it is enabled and the time elapsed since it has been enabled most recently is within its time interval.A transition t with ↓ Is(t) = 0 will be called a zero lower bound transition.Let M be the set of all markings of the TPN model, m ∈ M a marking, and t ∈ T a transition.t is said to be enabled in m, iff all tokens required for its firing are present in m, i.e.: ∀p ∈ P, m(p) ≥ P re(p, t).We denote by En(m) the set of all transitions enabled in m.If m results from firing transition t f from another marking, N ew(m, t f ) denotes the set of all newly enabled transitions in m, i.e.: N ew(m, t f ) = {t ∈ En(m)|∃p, m(p) − P ost(p, t f ) < P re(p, t)}.For reasons of clarity, we consider in the sequel only T-safe TPNs (no multi-enabled transitions).

The TPN state
The TPN state is a couple (m, I), where m is a marking and I is an interval function, I : [4].For a state s = (m, I), and t ∈ En(m), I(t) is called the firing interval of t, and is the interval of time where t can fire.I is also called the firing domain of s, since it can be interpreted as a set of tuples {i|i(t) ∈ I(t), ∀t ∈ En(m)}.The initial state of the TPN model is s 0 = (m 0 , I 0 ), where I 0 (t) = Is(t), for all t ∈ En(m 0 ).The TPN state evolves either by time progression or by firing transitions.When a transition t becomes enabled, its firing interval is set to its static firing interval Is(t).The bounds of this interval decrease synchronously with time, until t is fired or disabled by another firing.t can fire, if the lower bound ↓ I(t) of its firing interval reaches 0, but must be fired, without any additional delay, if the upper bound ↑ I(t) of its firing interval reaches 0. The firing of a transition takes no time.Let s = (m, I) and s = (m , I ) be two states of the TPN model.We write s θ → s , iff state s is reachable from state s after a time progression of θ time units (s is also denoted s + θ), i.e.: We As a shorthand we write: An execution path in the TPN state space, starting from a state s, is a maximal sequence ρ = s 0 θ 0 :t 0 → s1 θ 1 :t 1 → s 2 ....., such that s 0 = s.When no starting state is specified, the initial state s 0 of the TPN model is intended.The execution path suffix of ρ and starting from state s i (i ≥ 0) is denoted ρ(i).The sequence of transitions associated with ρ is the sequence of transitions (potentially infinite) ω ρ = t 0 , t 1 , t 2 , ..... that occur on the execution path.We denote by π(s) the set of all execution paths starting from state s.π(s 0 ) is therefore the set of all execution paths of the TPN.The TPN state space defines the branching semantics of the TPN model, whereas π(s 0 ) defines its linear semantics.The total elapsed time during an execution path ρ, denoted time(ρ), is the sum i≥0 θ i .An infinite execution path is diverging iff time(ρ) = ∞, otherwise it is said to be zeno.A TPN model is said to be zeno if at least one of its execution paths is zeno.

ABSTRACTION OF THE TPN STATE SPACE: THE STATE CLASS METHOD
Because of time density 1 , a state in the TPN state space may have an infinity of successors.To finitely represent the state space of a TPN model, Berthomieu and Menasche proposed in [4] to abstract time, and group states in what is called state classes.

The TPN concrete state space
The abstraction of time consists in hiding time progressions in the TPN state space, while keeping only those states which are immediately reachable after firing transitions.This operation results in a graph called concrete state space [23].

Definition 3 : TPN concrete state space
The concrete state space of the TPN model is the structure (Σ, , s 0 ) where: • s 0 is the initial state of the TPN model, • Σ = {s|s 0 * s}, where * is the reflexive and transitive closure of , is the set of reachable concrete states of the TPN model.

The state class method
A state class is a symbolic representation for some infinite set of concrete states sharing the same marking.All concrete states reachable from the initial state by the firing of the same sequence of transitions are agglomerated in the same state class.The resulting graph is called state class graph (SCG) [4].Let ω = t 0 , t ) be a state class and t f a transition.The class α has a successor by t f , denoted succ(α, t f ), iff t f is enabled in m and can be fired before any other transition enabled in α.If this is the case, t f is said to be firable from α. Algorithm 1 shows how to perform such a test.

Return true
Return false Step 1 checks if t f is enabled in m.
Step 3 computes and checks the consistency of the formula corresponding to the part of the firing domain of α where t f can be fired before any other enabled transition.Note that if a zero lower bound transition is enabled in a state it is also immediately firable from that state with out any condition.If t f is firable from α, α = succ(α, t f ) is computed according to algorithm 2: Eliminate by substitution, in F , t f and all variables associated with transitions conflicting with t f for m Step 1 computes the marking after firing t f .Step 2 selects in F states from which t f is firable.
Steps 3 and 4 decrease each firing delay by t f time units to coincide with the moment t f is fired.
Steps 5 and 6 add constraints corresponding to the newly enabled transitions.
From algorithm 2, it is easy to see that the formula F of a state class can be rewritten as a conjunction of atomic constraints of the form t − t ≺ c (called also triangular constraints) or t ≺ c (called also simple constraints), where c ∈ Q ∪ {∞, −∞}, ≺∈ {=, ≤, ≥} and t, t ∈ T .The domain of F is therefore convex and has a unique canonical form defined by: (x,y)∈(En(m)∪{o}) 2 x − y ≺ x−y F Sup(x − y, F ) where: o represents the value zero, Sup(x − y, F ) is the supremum of x − y in the domain of F , ≺ x−y F is either ≤ or <, depending respectively on whether x − y reaches its supremum in the domain of F or not.As an example, if State classes are considered modulo an equivalence relation, such that two state classes are equivalent iff they have the same marking and their domains are equal (i.e., their formulae are equivalent).To compare two state classes, each one is translated into its canonical form.They are equal, if they have identical canonical forms [4].Formally the SCG definition can be stated as follows:
Similarly to the TPN state space, an execution path in the SCG starting from a state class α, is a maximal sequence ζ = α 0 t 0 α 1 t 1 α 2 t 2 ....., where α 0 = α.We also denote by π(α) the set of all execution paths starting from α. Algorithm 3 shows how to progressively construct the SCG.It starts from the initial state class and uses the list WAIT to store state classes which are not yet explored.In [4], the authors prove that the SCG is finite for all bounded TPN models, and also preserves reachability and execution paths (i.e., linear properties) [4].In addition, each execution path in the state space is inscribed 2 within only one execution path of the SCG (The SCG is deterministic 3 ).
Algorithm 3: SCG(N = (P, T, P re, P ost, m 0 , Is)) In terms of implementation, a state class (m, F ) is generally represented with a pair (m, D), where D is the matrix representation of F , of order |En(m) ∪ {o}|, defined by: ∀(x, y) ∈ (En(m) ∪ {o}) 2 , ). D is known under the name Difference Bound Matrix (DBM) [19].Its purpose is to render the implementation of operations on F simple.In fact, all operations performed on state classes to construct the SCG are very well defined for DBMs.However, they require each DBM to be put in its unique canonical form.The computation of this form is based on the shortest path Floyd-Warshall's algorithm, and is considered as the most costly operation on DBM s, with a time complexity of O(n 3 ), where n is the DBM order.

DETECTING ZENONESS USING THE STATE CLASS METHOD
Many properties such as freedom from livelock and deadlock are in general required from correctly designed systems.One property specific to timed systems, called Non-Zenoness or time progress, suggests that a timed system cannot perform an infinite number of actions within a finite amount of time.In fact, such a behavior prevents time from converging.To detect zenoness 2 A state space execution path ρ = s 0 3 No state class in the SCG exists with two outgoing arcs labelled with the same transition.
for bounded TPNs, the authors in [8], proposed to translate the TPN model under study to an equivalent timed automata, then verify zenoness using the method developed in [18] .We propose, in this section, an approach to verify zenoness directly on the TPN model using the state class method.Let ω = t 0 , t 1 , t 2 , .... be a sequence of transitions (potentially infinite).ω is called a zero lower bound sequence iff all its transitions are zero lower bound transitions.The following lemma states a necessary and sufficient condition for a TPN model to be zeno.
Proof In words, the lemma states that a TPN is zeno iff it can reach a marking from which it can perform an infinite sequence of zero lower bound transitions.Note first that a finite execution path cannot be zeno since time diverges after the last transition is fired.If an infinite execution path ρ = s 0 ... has no suffix associated with a zero lower bound sequence, then ∀i ≥ 0, ∃j ≥ i s.t.↓ Is(t j ) > 0. With the fact that the TPN model has a finite number of transitions, there must exist a transition t with ↓ Is(t) > 0 which is fired an infinity of times.Each time t is fired, ↓ Is(t) time units (at least) would have elapsed since it was enabled the last time.Adding the fact that the TPN model is T-safe, it is easy to conclude that ρ is a diverging execution path.Now if ∃ρ ∈ π(s 0 ), i ≥ 0 s.t.ρ(i) is associated with a zero lower bound sequence, then ρ is of the form ρ = s 0 → s i+2 ..... Since ∀j ≥ i, ↓ Is(j) = 0 then the firing sequence ρ obtained from ρ by replacing θ j (∀j ≥ 0) with the value zero is also an execution path of the TPN model.In fact this replacement is possible because if a zero lower bound transition is enabled in a state it is also immediately firable from that state.The result is a zeno execution path.
The next theorem characterizes zenoness in the case of bounded TPNs useful to derive a detection algorithm.

Theorem 1 : A bounded TPN is zeno iff its state class graph has a cycle where all transitions are zero lower bound transitions ( a zero lower bound cycle).
Proof Note first that since the TPN is bounded its SCG is finite [4].In the case the SCG has a zero lower bound cycle, there must exist an execution path that has a suffix inscribed inside this cycle, i.e., circles infinitely in the cycle.The sequence of transitions associated with this suffix is a zero lower bound sequence, and lemma 1 assures that the TPN is zeno.In case the SCG has no zero lower bound cycle, either the SCG has no cycle at all, or each cycle contains at least one non zero lower bound transition.If the SCG has no cycle, all its execution paths must be finite, and hence not zeno.In the other case, any infinite execution path must go through one or more of the cycles of the SCG an infinity of times, which assures that this execution path cannot have a suffix associated with a zero lower bound sequence, and lemma 1 assures that the TPN is not zeno in this case.
From theorem 1, an algorithm to check the zenoness of a bounded TPN models is straightforward.It consists only in constructing the SCG of the TPN model and detecting if it contains a zero lower bound cycle or not.If such a cycle exists, the TPN is zeno otherwise it is not (see algorithm 4 ).

CONTRACTING THE SCG FOR BETTER PERFORMANCE: THE I-SCG
In this section, we propose a contraction of the SCG by inclusion, we call I-SCG (Inclusion contracted SCG), and use it as an alternative in algorithm 4 to detect zenoness.The objective it to improve performances.The contraction by inclusion of the SCG consists in agglomerating its state classes into the most including ones.The inclusion test is performed as follows: Let (m,F) and (m,F') be two state classes in canonical forms sharing the same marking, and let (m,D) and (m,D') with "<" less than "≤".The resulting graph will be denoted I-SCG (Inclusion contracted SCG).The I-SCG could be obtained by first constructing the SCG then repeatedly agglomerating its state classes by inclusion, until no more agglomerations are possible.It is however more interesting to perform this operation during the construction itself.By doing so, most state classes are not computed, which saves time and space.Algorithm 5 shows how to progressively compute the I-SCG.
Algorithm 5: I-SCG(N = (P, T, P re, P ost, m 0 , Is)) Note that the way the I-SCG is constructed, it must be a deterministic graph like the SCG.This is because whenever , α 1 is also merged in α 2 which prevents non determinism in the I-SCG.
To illustrate the difference in size and computing time between the SCG and the I-SCG, we consider TPNs obtained as the parallel composition of the simple model shown in figure 1. Table 1 reports the results in terms of the size of the obtained graphs (nodes/arcs) and the computing time.The parallel composition of n copies of the simple model is denoted S(n) in the table.The last column in the table compares the results obtained for the SCG and I-SCG, and shows the big difference in their size and computing time.The following theorem states some interesting properties preserved in the I-SCG which makes it a better alternative to verify reachability for the TPN model than the SCG.Proof (i) Since the SCG is finite for all bounded TPN models, the I-SCG, which is its contraction, is also finite.
(ii) In an agglomeration step where a state class α is agglomerated in a state class α , α must be included in α .Any marking reachable from α is also reachable from α .Hence, reachability properties are preserved.
Another property which allows to use the I-SCG instead of the SCG in algorithm 4 to detect zenoness is stated in the next theorem.

Theorem 3 : The SCG contains a zero lower bound cycle iff the I-SCG contains a zero lower bound cycle.
Proof Note first that the deterministic aspect of both the SCG and I-SCG assures that any execution path in the state space of the TPN model is inscribed in exactly one execution path in either the SCG or the I-SCG.So if the SCG contains a zero lower bound cycle, it must contain a zeno execution path, which in turn should be inscribed in an execution path in the I-SCG.So we conclude that the I-SCG, which is finite, must contain a zero lower bound cycle.Now if the I-SCG contains a zero lower bound cycle, a zeno execution path with a suffix inscribed in this cycle must exist in the state space of the TPN model.This is because, if we take a state from a state class of the cycle, it must be reachable from the initial state of the TPN model.Knowing that each zero lower bound transition in the cycle is enabled and firable from its outgoing state class in the cycle, and its firing leads to the marking of its ingoing state class in the cycle, a zeno execution path that cycles around these markings must exist in the state space of the TPN model.This in turn assures that a zero lower bound cycle exists in the SCG.

ADAPTING TCTL MODEL-CHECKING TO ZENO MODELS
In [16], we proposed an approach to verify a subclass of the TCTL timed logic for the TPN model, but only non zeno models were considered.In the following, we repeat this verification approach in some details, then show how to adapt it to the case of zeno models using the results presented in sections 4 and 5.

The timed temporal Logic we consider
We define a timed temporal logic for which we give algorithms to verify the satisfaction of its formulae in the context of the TPN model.The logic we consider is mostly a subset of the T CT L timed logic, for which atomic propositions are expressed on markings.Let M be the set of reachable markings of a TPN model N , and P R the set of propositions on M , i.e., {℘|℘ : M → {true, f alse}}.Before introducing our temporal logic we recall the syntax and semantics of T CT L logic in the context of the TPN model.The syntax of T CT L formulae is defined by the following grammar (in the grammar, ℘ ∈ P R and index I is an element of Q + [ ] ): T CT L formulae are interpreted on states of a model M = (S, V), where S = (S, →, s 0 ) is the state space of the TPN model and V : S → 2 P R is a valuation function such that: if s = (m, I) is a TPN state, V(s) = {℘ ∈ P R|℘(m) = true}.To interpret a T CT L formula on an execution path, we introduce the notion of dense execution path.Let s ∈ S be a TPN state and ρ = s 0 θ0:t0 → s 1 θ1:t1 → s 2 ..... an execution path such that s 0 = s (i.e., ρ ∈ π(s)).The dense execution path corresponding to ρ is the mapping ρ : R + → S defined by: ρ(r) = s i + δ such that r = i−1 j=0 θ j + δ, i ≥ 0 and 0 ≤ δ < θ i .The formal semantics of T CT L is given by the satisfaction relation |= defined as follows: The TPN model N is said to satisfy a T CT L formula φ iff M, s 0 |= φ.To ease T CT L formulae writing, some abbreviations are used: Our timed temporal logic, we call T CT L T P N , is defined as follows: ℘ 1 and ℘ 2 are propositions on markings (i.e., ℘ 1 , ℘ 2 ∈ P R).Index I is an element of Q + [ ] .I r is a time interval which starts from 0. Formula ℘ 1 I r ℘ 2 is a shorthand for T CT L formula ∀ (℘ 1 ⇒ ∀♦ I r ℘ 2 ) which expresses a bounded response property.Formula ℘ 1 → I ℘ 2 expresses also a bounded response property, but with a slightly different semantics.Intuitively, φ = ℘ 1 → I ℘ 2 holds at a state s iff for each execution path ρ starting from s, if ℘ 1 is true for the first time on ρ at a state s , then ℘ 2 should be true the first time at a state s , reachable from s , within time interval I (starting from s ).Furthermore, φ must be recursively valid starting from s .More precisely, this means that if ℘ 1 holds the first time on ρ at state s , then: 1 -In case ℘ 2 does not hold at state s then ℘ 2 will eventually hold the first time at a state s , within time interval I (relatively to the time s occurred), while φ holds also at state s . 2 -In case ℘ 2 holds at state s then ↓ I must be equal to zero, and φ must hold at the first following state which does not satisfy both ℘ 1 and ℘ 2 .
In the sequel, ℘ 1 → I ℘ 2 will be called the bounded first response property.One remark about this property is that it does not seem to have a simple TCTL equivalent 4 as it is the case for the bounded response property.However, the next theorem states that, for intervals starting from 0, the bounded response and the bounded first response are equivalent.

On-the-fly T CT L T P N model checking
First we give an algorithm to model check the bounded first response property, then show how to adapt this algorithm to model check remaining T CT L T P N properties.

Model checking the bounded first response property
Let N be a TPN model and φ = ℘ 1 → I ℘ 2 where I = [a, b].Model checking φ on N could be performed by analyzing each execution path of N 's SCG, until the truth value of φ is established.The SCG is progressively constructed, depth first, while looking for the satisfaction of property ℘ 1 .If ℘ 1 is satisfied at a state class α, ℘ 2 is looked for in each execution paths which starts from α (i.e., ∀ρ ∈ π(α)).For each execution path ρ ∈ π(α), ℘ 2 is required to be satisfied the first time at a state class α such that the time separating α and α is within the time interval I.If this is the case the verification of φ is restarted again from α , and so forth, until all state classes are explored.Otherwise, the exploration is stopped, and φ is declared invalid.
Two important issues need to be addressed in this technique: how to count time between the moments ℘ 1 and ℘ 2 are satisfied on a execution path, and how to deal with infinite paths resulting from cycles.To resolve these two issues, we propose to put the TPN model N in parallel with the TPN model of figure 2, we call Alarm-clock.The resulting TPN we denote N ||Alarm, will be used instead of N to verify φ.The verification of φ now proceeds as follows: During the generation of the SCG of N ||Alarm, if ℘ 1 is satisfied in a state class α = (m, F ), transition t a is enabled in α to capture the event corresponding to the beginning of time interval I. t a is enabled by changing the marking m in α such that place P a would contain one token, and replacing F with F ∧ t a = a.These two actions correspond to artificially putting a token in place P a of Alarm-clock.The generation process continues while checking ℘ 2 .If ℘ 2 is satisfied before t a is fired, φ is declared invalid and the exploration stops.When t a is fired (which means that time has come to start looking for ℘ 2 ), t b gets enabled in the resulting state class α = (m , F ) to capture the event corresponding to the end of interval I.If t b is fired during the exploration, φ is declared invalid and the exploration stops.If before firing t b , ℘ 2 is satisfied in a state class α = (m , F ), transition t b is disabled in α by changing the marking m such that place P b would contain zero tokens, and eliminating variable t b from F .These two actions corresponds to artificially removing the token in place P b .After α is modified, φ is checked again starting from α .Note that in this technique, the fact of knowing a state class and the transition that led to it, is sufficient to know which action to take 5 .This means that there is no need to keep track of execution paths during the exploration, and hence, the exploration strategy of the SCG (depth first, breadth first,..) is irrelevant.This in turn solves the problem of dealing with cycles and infinite execution paths for bounded TPN models.
Let α = (m, F ) be a state class and t the transition that led to it.The different cases that might arise during the exploration are given in what follows: 1-The case where t a , t b / ∈ En(m) and t / ∈ {t a , t b } corresponds to a situation where we are looking for ℘ 1 .
• In case ℘ 1 is satisfied in α while ℘ 2 is not, we enable t a in α, • In case ℘ 1 and ℘ 2 are both satisfied in α while a = 0, we stop the exploration and declare φ invalid.

2-
The case where t a ∈ En(m) corresponds to a situation where ℘ 1 has been satisfied before, and where we need to make sure that ℘ 2 is not satisfied, unless a = 0.If ℘ 2 is satisfied in α while a > 0, we stop the exploration and declare φ invalid.3-The case where t b ∈ En(m) corresponds to a situation where we are looking for ℘ 2 .If ℘ 2 is satisfied in α then we disable t b and get in a situation where we are looking for ℘ 1 (i.e., ( 1)).4-The case where t = t b corresponds to a situation where interval I has expired while we are looking for ℘ 2 .In this case, we stop the exploration and declare φ invalid.
Some attention is required when dealing with transitions t a and t b .If transition t a can be fired at exactly the same time as another transition t, and t is fired before t a , ϕ might be declared wrongly false if the resulting state class satisfies ℘ 2 .A similar situation might arise for transition t b if it is fired before a transition t which can be fired at exactly the same time.To deal with these two special situations, we assign a high firing priority to transition t a , so that it is fired before any other transition which can be fired at exactly the same time.At the contrary, we assign a low firing priority to t b so that it is fired after any other transition which can be fired at exactly the same time.To cope with this priority concepts, we need to change the way we decide if a transition is firable or not (i.e., operation isf irable), and the way the successor of a state class α = (m, F ), by a transition t, is computed (i.e., operation succ).isF irable AC (α, t f ) replaces isF irable(α, t f ) to check whether a transition is firable or not.What changes is the way formula F is computed.In case t a is enabled while we want to fire a different transition t f (step 4), we need to make sure that t f is fired ahead of time of t a .In case t b is enabled and is the one we want to fire (step 6), we need to make sure that t b is the only transition that can be fired.The remaining cases are handled exactly as before.succ AC (α, t f ) replaces succ(α, t f ) for generating successor state classes during the exploration.What changes is also the way formula F is computed.

Model checking algorithms
The on-the-fly T CT L T P N model checking of formula φ is based on the exploration algorithm 8.The algorithm uses two lists: WAIT and COMPUTED, to manage state classes, and calls a polymorphic satisfaction function checkStateClass φ to check the validity of formula φ.COMPUTED contains all computed state classes, while WAIT contains state classes of COMPUTED which are not yet explored.As a consequence WAIT is just a sublist of COMPUTED 6 .The algorithm generates state classes by firing transitions.The initial state class is supposed to result from the firing of a fictive transition t .Each time a state class α is generated as the result of firing a transition t, α and t are supplied to checkStateClass φ to perform actions and take decisions.In general, checkStateClass φ enables or disables transitions t a and t b in α.It also

Algorithm 4 :
isZeno(N = (P, T, P re, P ost, m 0 , Is))Construct the SCG of NRemove all arcs of the SCG corresponding to non zero lower bound transitionsRepeatedly remove all nodes with no ingoing arcs until no arcs can be removed if the resulting graph is empty then return false else return true be their representations using DBMs.

FIGURE 1 :
FIGURE 1: A simple TPN model

FIGURE 2 :
FIGURE 2: The Alarm-clock TPN write s 1 , t 2 , ...t n be a sequence of transitions firable from the initial TPN state.The state class corresponding to ω (i.e., {s ∈ S|∃s 1 , ..., s n ∈ S, s 0 t 0 s 1 t 1 s 2 ...s n t n s}) is represented by the pair (m, F ), where m is the common marking of all states agglomerated in the state class, and F is a formula that characterizes the union of all firing domains of these states.In F , each transition enabled in m is represented with a variable of the same name.The initial state class (m 0 , F 0 ) coincides with the initial state of the TPN model (i.e., m 0 is the initial marking and

TABLE 1 :
A comparison between the SCG and the I-SCG