Let us assume that we want to modelize an elevator in a building with ten floors. Our model may have ${\displaystyle n}$  clocks ${\displaystyle c_{0},\dots ,c_{9}}$ , such that the value of the clock ${\displaystyle c_{i}}$  is the time someone had wait for the elevator at floor ${\displaystyle i}$ . This clock is started when someone calls the elevator on floor ${\displaystyle i}$  (and the elevator was not already called on this floor since last time it visited that floor). This clock can be turned off when the elevator arrives at floor ${\displaystyle i}$ . In this example, we actually need ten distinct clocks because we need to track ten independent events. Another clock ${\displaystyle s}$  may be used to check how much time an elevator spent at a particular floor.

A model of this elevator can then use those clocks to assert whether the elevator's program satisfies properties such as "assuming the elevator is not kept on a floor for more than fifteen seconds, then no one has to wait for the elevator for more than three minutes". In order to check whether this statement holds, it suffices to check that, in every run of the model in which the clock ${\displaystyle s}$  is always smaller than fifteen seconds, each clock ${\displaystyle c_{i}}$  is turned off before it reaches three minutes.

Formally, a set ${\displaystyle X}$  of clocks is simply a finite set^[1]: 191. Each element of a set of clock is called a clock. Intuitively, a clock is similar to a variable in first-order logic, it is an element which may be used in a logical formula and which may takes a number of differente values.

Clock valuations edit

A clock valuation or clock interpretation^[1]: 193 ${\displaystyle \nu }$  over ${\displaystyle X=\{x_{1},\dots ,x_{n}\}}$  is usually defined as a function from ${\displaystyle X}$  to the set of non-negative real. Equivalently, a valuation can be considered as a point in ${\displaystyle \mathbb {R} _{\geq 0}^{n}}$ .

The initial assignment ${\displaystyle \nu _{0}}$  is the constant function sending each clock to 0. Intuitively, it represents the initial time of the program, where each clocks are initialized simultaneously.

Given a clock assignment ${\displaystyle \nu }$ , and a real ${\displaystyle t\geq 0}$ , ${\displaystyle \nu +t}$  denotes the clock assignment sending each clock ${\displaystyle x\in C}$  to ${\displaystyle \nu (x)+t}$ . Intuitively, it represents the valuation ${\displaystyle \nu }$  after which ${\displaystyle t}$  time units passed.

Given a subset ${\displaystyle r\subseteq C}$  of clocks, ${\displaystyle \nu [r\rightarrow 0]}$  denotes the assignment similar to ${\displaystyle \nu }$  in which the clocks of ${\displaystyle r}$  are reset. Formally, ${\displaystyle \nu [r\rightarrow 0]}$  sends each clock ${\displaystyle x\in r}$  to 0 and each clock ${\displaystyle x\not \in r}$  to ${\displaystyle \nu (x)}$ .

Inactive clocks edit

The program UPPAAL introduce the notion of inactive clocks.^[2] A clock is inactive at some time if there is no possible future in which the clock's value is checked without being reset first. In our example above, the clock ${\displaystyle c_{i}}$  is considered to be inactive when the elevator arrive at floor ${\displaystyle i}$ , and remains inactive until someone call the elevator at floor ${\displaystyle i}$ .

When allowing for inactive clock, a valuation may associate a clock ${\displaystyle x}$  to some special value ${\displaystyle \bot }$  to indicate that it is inactive. If ${\displaystyle \nu (x)=\bot }$  then ${\displaystyle (\nu +t)(x)}$  also equals ${\displaystyle \bot }$ .

An atomic clock constraint is simply a term of the form ${\displaystyle x\sim c}$ , where ${\displaystyle x}$  is a clock, ${\displaystyle \sim }$  is a comparison operator, such as <, ≤, = ≥, or >, and ${\displaystyle c\in \mathbb {N} }$  is an integral constant. In our previous example, we may use the atomic clock constraints ${\displaystyle c_{i}\leq 180}$  to state that the person at floor ${\displaystyle i}$  waited for less than three minutes, and ${\displaystyle s>15}$  to state that the elevator stayed at some floor for more than fifteen seconds. A valuation ${\displaystyle \nu }$  satisfies an atomic clock valuation ${\displaystyle x\sim c}$  if and only if ${\displaystyle \nu (x)\sim c}$ .

A clock constraint is either a finite conjunction of atomic clock constraint or is the constant "true" (which can be considered as the empty conjunction). A valuation ${\displaystyle \nu }$  satisfies a clock constraint ${\displaystyle \bigwedge _{i=1}^{n}x_{i}\sim _{i}c_{i}}$  if it satisfies each atomic clock constraint ${\displaystyle x_{i}\sim _{i}c_{i}}$ .

Diagonal constraint edit

Depending on the context, an atomic clock constraint may also be of the form ${\displaystyle x_{i}\sim x_{j}+c}$ . Such a constraint is called a diagonal constraint, because ${\displaystyle x_{1}=x_{2}+c}$  defines a diagonal line in ${\displaystyle \mathbb {R} _{\geq 0}^{2}}$ .

Allowing diagonal constraints may allow to decrease the size of a formula or of an automaton used to describe a system. However, algorithm's complexity may increase when diagonal constraints are allowed. In most system using clocks, allowing diagonal constraint does not increase the expressivity of the logic. We now explain how to encode such constraint with Boolean variable and non-diagonal constraint.

A diagonal constraint ${\displaystyle x_{i}\sim x_{j}+c}$  may be simulated using non-diagonal constraint as follows. When ${\displaystyle x_{j}}$  is reset, check whether ${\displaystyle x_{i}\sim c}$  holds or not. Recall this information in a Boolean variable ${\displaystyle b_{i,j,c}}$  and replace ${\displaystyle x_{i}\sim x_{j}+c}$  by this variable. When ${\displaystyle x_{i}}$  is reset, set ${\displaystyle b_{i,j,c}}$  to true if ${\displaystyle \sim }$  is < or ≤ or if ${\displaystyle \sim }$  is = and ${\displaystyle c=0}$ .

The way to encode a Boolean variable depends on the system which uses the clock. For example, UPPAAL supports Boolean variables directly. Timed automata and signal automata can encode a Boolean value in their locations. In clock temporal logic over timed words, the Boolean variable may be encoded using a new clock ${\displaystyle x_{i,j,c}}$ , whose value is 0 if and only if ${\displaystyle b_{i,j,c}}$  is false. That is, ${\displaystyle x_{i,j,c}}$  is reset as long as ${\displaystyle x_{i,j,c}}$  is supposed to be false. In timed propositional temporal logic, the formula ${\displaystyle x_{i}.\phi }$ , which restart ${\displaystyle x_{i}}$  and then evaluates ${\displaystyle \phi }$ , can be replaced by the formula ${\displaystyle x_{i}.((x_{i}\sim x_{j}+c\implies \phi _{\top })\land (\neg x_{i}\sim x_{j}+c\implies \phi \bot ))}$ , where ${\displaystyle \phi _{\top }}$  and ${\displaystyle \phi _{\bot }}$  are copies of the formulas ${\displaystyle \phi }$ , where ${\displaystyle x_{i}\sim x_{j}+c}$  are replaced by the true and false constant respectively.

Sets defined by clock constraints edit

A clock constraint defines a set of valuations. Two kinds of such sets are considered in the literature.

A zone is a non-empty set of valuations satisfying a clock constraint. Zones and clock constraints are implemented using difference bound matrix.

Given a model ${\displaystyle M}$ , it uses a finite number of constants in its clock constraints. Let ${\displaystyle K}$  be the greatest constant used. A region is a non-empty zone in which no constraint greater than ${\displaystyle K}$  are used, and furthermore, such that it is minimal for the inclusion.

• Timed automaton
• Signal automaton
• Clock temporal logic
• Timed propositional temporal logic