Bounded Model Checking for Metric Temporal Logic Properties of Timed Automata with Digital Clocks

Metric temporal logic (MTL) is a popular real-time extension of linear temporal logic (LTL). This paper presents a new simple SAT-based bounded model-checking (SAT-BMC) method for MTL interpreted over discrete infinite timed models generated by discrete timed automata with digital clocks. We show a new translation of the existential part of MTL to the existential part of linear temporal logic with a new set of atomic propositions and present the details of the new translation. We compare the new method’s advantages to the old method based on a translation of the hard reset LTL (HLTL). Our method does not need new clocks or new transitions. It uses only one path and requires a smaller number of propositional variables and clauses than the HLTL-based method. We also implemented the new method, and as a case study, we applied the technique to analyze several systems. We support the theoretical description with the experimental results demonstrating the method’s efficiency.


Introduction
This paper is a full version of the extended abstract published in informal proceedings of the 25th International Workshop on Concurrency, Specification and Programming [1]. Improvements and extensions compared to that paper are listed in Appendix A.
There are many ways to check the model. Hardware-and software-based systems are increasingly used in safety-critical situations to control and connect physical systems, e.g., simple cardiac pacemakers or very complex space rockets. The complexity and criticality of systems also increase the need for effective verification techniques.
The specification language and the system model usually depend on the type of property we want to verify. Suppose we want to verify the discrete-time execution properties of a system. In that case, discrete-time logic may be the correct specification choice, and the system may best be represented as a discrete timed automaton.
Integrating specialized components is fundamental to many embedded engineering projects. The behavior of these components is often specified in informal timing diagrams that engineers interpret during interface hardware and software design [2][3][4][5][6][7]. The timed automata are one of the models that enable the formal modeling of those components.
Timed automata (TA) [8] are finite-state automata augmented with a finite set of variables called clocks. The clocks are used to measure the elapsed time. Timed automata are very convenient for modeling and reasoning about timed systems: they combine a powerful formalism with advanced expressiveness and efficient algorithmic and tool support. The timed automata formalism is applied to the analysis of software and asynchronous circuits [9] and real-time control programs [10].
The model-checking technique is widely used in sensor verification [2][3][4][5][6][7]. The sensor networks are modeled, e.g., by the network of timed automata, and their properties are specified in terms of temporal logic.
One of the most famous frameworks in the specification and verification of computer systems is temporal logic. There are many types of temporal logic to express the requirements of the systems: computation tree logic (CTL) [11], soft real-time CTL (RTCTL) [12], linear temporal logic (LTL) [13], and metric temporal logic (MTL) [14].
Linear temporal logic (LTL) allows expressing properties about each execution of a system, such as the fact that any occurrence of a problem eventually triggers the alarm. Metric temporal logic (MTL) extends LTL by constraining the temporal operators with time intervals. It was introduced by Koymans [14] in 1990 and has appeared as a real-time specification formalism. MTL has two main semantics: "continuous" and "pointwise" [15][16][17][18]. The pointwise semantics is based on timed words, the widespread interpretation for systems modeled as timed automata [8]. Both semantics have been extensively studied [15][16][17][18]. MTL allows expressing, for example, that any occurrence of a problem in a system will trigger the alarm within at most five units of time. Here, we consider MTL with pointwise semantics interpreted over linear discrete infinite digital-clock models [19] generated by timed automata with integer time.
Bounded model checking [20][21][22] (BMC) is one of the symbolic model-checking techniques designed for finding witnesses for existential properties or counterexamples for universal properties. Its main idea is to consider a model reduced to a specific depth. The method works by mapping a BMC problem to the satisfiability problem (SAT). The MTL satisfiability and model-checking problems are undecidable over interval-based semantics [23]. It has led to various restrictions being considered on MTL to recover decidability [24,25].
We provide a new, efficient method of the bounded model-checking technique for metric temporal logic properties of timed automata with digital clocks, which can be successfully used to verify sensor networks.
Developing new model-checking techniques for a network of automata is an essential research direction. It is due to the fact that timed automata are used to verify the modes of, often, life-critical time systems. Systems and their properties are becoming more and more complex. It results in developing model-checking methods that will work faster than the older methods. To be successfully applied, these methods should be faster than the old ones and use as little memory as possible. However, they should also be easy to implement and understand so that everything is evident at the design stage of such a method. For such a reason, in this paper, we developed a completely new and much faster method of bounded model checking than the one presented in [26].
The main contributions of the paper are as follows: • Defining the translation of the existential model-checking problem for MTL to the existential model-checking problem for linear temporal logic with additional propositional variables q I (this logic is denoted by LTLq); In this paper, we used the weakly monotonic semantics [27] for timed automata with digital clocks [19,27]. The main steps of our new method for MTL and TA with discrete time can be described as follows: first, the infinite timed model is reduced to a finite model. Next, the MTL formulae are translated to LTLq formulae [1], and eventually, since the interval modalities in MTL appear as literals in the LTLq formula, existential properties are reduced to a satisfiability problem (SAT). Our method's main advantages are that the translation from MTL to LTLq requires neither new clocks nor new transitions. Moreover, our BMC method needs only one path, whereas the BMC method from [26] needs many paths depending on a given formula ϕ. Thus, one may expect that our method is much more effective since the intuition is that an encoding that results in fewer variables and clauses is usually easier to solve.
We evaluate the BMC method using a timed generic pipeline paradigm (TGPP), a timed train controller system (TTCS), and the timed dining philosophers problem (TDPP), which we model by a network of discrete timed automata and compare with the corresponding method [26].

Related Work
Timed automata were introduced in the early 1990s by Alur and Dill [8] to model real-time systems. Timed automata cause the specification and verification of models of real-time systems to be easier. The two primary semantics are discussed in the literature: the discrete-time and dense-time semantics [8]. However, the dense-time semantics is more natural from a real-life point of view. It allows us to model real-time systems easily.
Our choice of time domain is N, the set of natural numbers. In our method, the key property of the time domain is its discreteness, which implies that a finite amount of events can happen at different times in any interval of nonzero length. There are many methods for verifying real-time systems using discrete-time models [12,[28][29][30][31]. Authors of [19] established that the timed reachability problem has the same answer, irrespective of the choice between N and IR under certain restrictions.
The other formalisms for discrete time modeling apart from discrete timed automata were presented, such as durational transition graphs (DTG [32]) and embedded system modeling language (EMLAN [33]).
Discrete time models were also widely used for modeling systems' behaviors [34][35][36][37][38]. MTL has been widely discussed in the literature. Checking properties expressed in MTL in timed automata is still an actual research topic [39][40][41][42][43][44]. In [45], the authors took into account MTL over the N. They also used the pointwise semantics over the N and considered two semantic variants: the non-strict and strict semantics. They devised two translations from MTL to LTL: The time difference translation for strict semantics, where new propositional variables encode time differences between states (the time difference translation is similar to the method presented in [1]).

2.
The gap translation for the strict semantics uses a new propositional variable, called gap, to encode the jumps between states. The gap is intended to be true in LTL states corresponding to unmapped time points in MTL models. The main idea for their translation is to map each timed state sequence into a state sequence. Both LTL translations are exponential in the size of the MTL input formula due to the binary encoding of the numbers in the intervals.
In [26], the authors investigated a SAT-based BMC method for MTL that is also interpreted over linear discrete infinite time models generated by discrete timed automata. They translated the existential model-checking problem for MTL into the existential modelchecking problem for a variant of linear temporal logic (called HLTL). They also provided a SAT-based BMC technique for HLTL. The presented translation requires as many new clocks as there are intervals in a given formula. It also requires adding exponential resetting transitions and many paths that depend on a given MTL formula. The complexity of the satisfiability and model-checking problems for fragments of MTL concerning different semantic models were studied in [46] and in [15]. MTL expressiveness was extensively discussed in [17,47,48]. The BMC problem for MTL properties of timed automata with the dense time was discussed in [49]. However, experimental results have shown that this is not feasible.
Additionally, other types of logic were used for the specification of discrete-time systems, such as QsCTL [29], which extends CTL [11] with quantitative bounded temporal operators and is a variant of RTCTL [11], discrete-time CTL [33], and HyperLTL [50], which is a temporal logic for hyper-properties, which allows reasoning about multiple execution paths simultaneously.

Discrete Timed Automata and MTL
In this paper, we used the weakly monotonic semantics [27] for timed automata with digital clocks [19,27]. The paper [19] shows that bounded invariance MTL properties and bounded-response MTL properties are digitizable. That is why we consider timed automata with digital clocks.
The formalism of timed automata was defined in [8] by Alur and Dill for representing systems with real-time constraints. A timed automaton is a finite automaton which manipulates finitely many variables called clocks.

Discrete Timed Automata
Let N = {0, 1, 2, . . .} be the set of natural numbers, and N + = N \ {0}. We assume a finite set X = {x 0 , . . . , x n−1 } of variables, called clocks. Each clock is a variable ranging over N. A clock valuation is a total function v : X → N that assigns to each clock x a nonnegative integer value v(x). The set of all the clock valuations is denoted by N X . For X ⊆ X , the valuation v = v[X := 0] is defined as ∀x ∈ X, v (x) = 0 and ∀x ∈ X \ X, v (x) = v(x).
By δ, we denote a delay of δ > 0 time units. For δ ∈ N + , v + δ denotes the valuation v such that ∀x ∈ X , v (x) = v(x) + δ; let x ∈ X , c ∈ N, and ∼ ∈ {<, , =, , >}. The set C(X ) of clock constraints over the set of clocks X is defined by the abstract grammar: Let v be a clock valuation, and cc ∈ C(X ). A clock valuation v satisfies a clock constraint cc, written as v |= cc if cc evaluates to true using the clock values given by the valuation v.

Definition 1. A discrete timed automaton (DTA for short) is a tuple
Act is a finite set of actions, • Loc is a finite set of locations, • 0 ∈ Loc is the initial location, • X is a finite set of clocks, AP is a set of atomic propositions, and • V : Loc → 2 AP is a valuation function assigning to each location a set of atomic propositions true in this location.
Each t ∈ T, denoted by σ,cc,X −→ , represents a transition from to on the action σ. X ⊆ X is the set of the clocks to be reset upon this transition, and cc ∈ C(X ) is the enabling condition for t.

Product of a Network of Discrete Timed Automata
A network of discrete timed automata can be composed into a global (product) discrete timed automaton [51] in the following way. The transitions of the discrete timed automata that do not correspond to a shared action are interleaved, whereas the transitions labeled with a shared action, are synchronized.
Let n ∈ N, I = {1, . . . , n} be a non-empty and finite set of indices, {A i | i ∈ I} be a family of discrete timed automata A i = (Act i , The parallel compositioni of the family {A i | i ∈ I} of discrete timed automata is the discrete timed automaton A = (Act, Loc, 0 , X , T, Inv, AP, V) such that: and a transition is defined as follows:

Concrete Model
The semantics of the DTA is defined by associating with it a transition system, which we call a concrete model. Definition 2. Let A = (Act, Loc, 0 , X , T, Inv, AP, V) be a DTA, and v 0 a clock valuation such that ∀x ∈ X , v 0 (x) = 0.
The concrete model for A is a tuple • Q = Loc × N X is the set of the concrete states. Action transition: Time transition: Let us observe that for the considered set of clock constraints C(X ), the condition can be replaced by a simpler one. Namely, v |= Inv( ) and v + δ |= Inv( ).
A path ρ in A is an infinite sequence of concrete states q 0 , q 1 , q 2 , . . . such that for all Such a definition of the path permits two consecutive actions to be performed one after the other, i.e., no time has to elapse between two consecutive actions. It means that we are dealing with the point-based weakly monotonic integer-time semantics.

MTL Logic
MTL [14,15] (metric LTL) is the extension of LTL in which temporal operators are replaced by its time-constrained versions. MTL can express many time constraints. For ex-ample, we can express a system property: if a system is in the state q, then it will be in the state q exactly 3 time units later.

Syntax
We begin with some preliminary definitions. Let p ∈ AP be an atomic proposition and I the set of all the intervals in N of the form [a, b) or [a, ∞), where a, b ∈ N and a < b, and let I ∈ I. Observe that we do not exclude one-element intervals since [a, a] can be expressed as [a, a + 1). The MTL logic in positive normal form is defined in the following way: The operators U I and G I are called bounded until and bounded always, respectively, and they are read as "until in the interval I" and "always in the interval I". The operator F I is defined in the standard way:

Semantics
There are two possible semantics for metric temporal logic: the "pointwise" semantics and the "continuous" semantics [15]. In the pointwise approach, temporal assertions are interpreted only at time points where the action happens in the observed timed behavior of a system. In the continuous one, it is allowed to assert formulae at arbitrary time points between actions as well. In the presented method, we use the pointwise semantics.
Let A be a DTA, and M A the concrete model for A. For a path ρ = q 0 , q 1 , . . ., let For all j 0, the function ζ ρ (j) returns the value of the global time (called "duration" in [15]).
Here and in what follows, we use the convention to omit the model from expressions with |= for the sake of brevity.
For simplicity of notation, we write ρ instead of (ρ, 0). Therefore, we shall write M A , ρ|= MTL ϕ for M A , (ρ, 0)|= MTL ϕ. An MTL formula ϕ is existentially valid in the model M A , which is denoted as M A |= MTL Eϕ, if and only if M A , ρ|= MTL ϕ for some path ρ starting in the initial state of M A . Determining whether an MTL formula ϕ is existentially valid in a given model is called the existential model-checking problem.

Bounded Model Checking
The verification method presented in this paper is based on the translation of MTL formula to LTLq formula. We extend a standard LTL logic by adding an extra set of propositional variables. We compare our new method with the corresponding method presented in [26].

The Translation
The set of all the clock valuations is infinite, which means that the model has an infinite set of states. We need to abstract the proposed model before we can apply the BMC technique.
It is easy to see that the relation is an equivalence relation, which enables us to construct a finite abstract model.
To this end, we define the set of possible values of clock x j in the abstract model as where Act = Act ∪ {τ} is a transition relation defined by the time and action transitions.

-
The time transition is defined as The action transition is defined as follows: for any a ∈ Act, For a given path π, π(j) denotes the j-th state s j of the path π, π[..j] = (π(0), . . . , π(j)) denotes the j-th prefix of the path π ending with π(j). Given a path π one can define a function ζ π : N → N such that, for each j 0, ζ π (j) is equal to the number of time In the above definition, m does not play itself a part in the satisfaction relation. However, this notation is helpful for Definition 8.

Theorem 1 (The equivalence of the MTL semantics in the concrete and abstract models).
Let M be the abstract model for the discrete timed automaton A and M A the concrete model for A. Then, for each MTL formula ϕ, the following equivalence holds: Proof. The proof of Theorem 1 follows from the definition of the satisfiability relation and the weak-timed-bisimulation equivalence of the models M A and M.

LTLq Logic
Let I be the set of all intervals and AP I = {q I | I ∈ I} a set of the new propositional variables. An LTLq formula in the negation normal form is defined by the following grammar: where p ∈ AP and q I ∈ AP I . Definition 8. The satisfaction relation |= d , which defines the truth of an LTLq formula in the abstract model M along the abstract path π at the position m, at depth d m is inductively defined as follows: An LTLq formula ψ is existentially valid in the abstract model M, denoted as M |= Eψ, if and only if M, (π, 0) |= 0 ψ on some path π starting in the initial state of M.

The Translation from MTL to LTLq
Two translations from MTL to LTL were described in [45]. However, in the first translation, the new propositional variables encode time differences between states, and in the second translation a new propositional variable called gap encodes the jumps between states. In the translation presented below, we use global time approach [1]. However, in [1] the strongly monotonic semantics was used. Definition 9. Let p ∈ AP, and α, β a MTL formulae. The translation from MTL to LTLq is defined as a function tr : MTL → LTLq by the following equations: tr(αU I β) = tr(α)U(q I ∧ tr(β)), and • tr(G I β) = G(¬q I ∨ tr(β)).
The translation of the F I operator follows from its definition in terms of the U I operator. Observe that the translation of literals, as well as logical connectives, is straightforward. The translation of the operator U I ensures that the formula β holds at some point in the interval I (it is expressed by the requirement q I ∧ tr(β)) and α holds everywhere before β holds. Similarly, the translation of the G I operator ensures that β holds at every point in the interval I (it is expressed by the requirement ¬q I ∨ tr(β)).
The translation from EMTL to ELTLq is more straightforward than the one presented in [48], e.g., TPTL expressiveness is higher than LTLq. In our case, we do not need this extension of the logic to solve the given problem.

Proof of the Theorem 2
A proof of the Theorem 2 follows directly from the Lemmas 1 and 2. Lemma 1. Let A be a discrete timed automaton, ϕ an MTL formula, M an abstract model for discrete timed automaton A, and π an abstract path in the abstract model M. If (π, m) |= d MTL ϕ, then (π, m) |= d tr(ϕ).

Proof.
We proceed by induction on the length of a given formula.

Lemma 2. Let
A be a discrete timed automaton, ϕ an MTL formula, M an abstract model for the discrete timed automaton A, and π an abstract path in the abstract model M. If (π, m) |= d tr(ϕ), then (π, m) |= d MTL ϕ.
Proof. We proceed by induction on the length of a given formula.

Bounded Semantics
To define the bounded semantics, we need to represent infinite paths in the abstract model using k-paths and loops [20,21]. Definition 10. Let M be an abstract model, k ∈ N and 0 l k. A k-path is a pair (π, l), which is also denoted as π l , where π is a finite sequence of the abstract states π = (s 0 , . . . , s k ) such that for each 0 j < k, either (s j τ → s j+1 ) or (s j a → s j+1 ), for some a ∈ Act. Moreover, every action transition is preceded by at least one time transition. A k-path π l is a loop, written as (π l ) for short, if l < k and π(k) = π(l).
Given a path π l , one can define a function ζ π l : N → N such that for each j 0, ζ π l (j) is equal to the number of time transitions on the prefix π l [..j]. Note that for each j 0, ζ π l (j) gives the value of the global time in the j-th state.
In the definition of bounded semantics for variables from AP I , one needs to use only a finite prefix of the sequence (ζ π l (0), ζ π l (1), . . .). Namely, for a k-path π l that is not a loop, the prefix of the length k is needed, and for a k-path π l that is a loop, the prefix of the length k + k − l is needed. (π l , m) |= d k true, (π l , m) |= d k false, (π l , m) |= d k p iff p ∈ V (π l (d)), (π l , m) |= d k ¬p iff p / ∈ V (π l (d)), if (π l ) and d m, The proof of Lemma 3 below is based on induction on the length of the given formula. It is analogous to the proof of Lemma 7 from the paper [20]. Lemma 3. Let A be a discrete timed automaton, ϕ an LTLq formula, and M the abstract model for the automaton A. For each LTLq formula ϕ, each k−path π l in M, each 0 ≤ m ≤ k and each 0 ≤ d ≤ k, if (π l , m) |= d k ϕ, there exists a path π such that π [..k] = π l and m ≤ d and (π , m) |= d ϕ or m > d and (π , m) |= d+k−l ϕ.
The proof of the Lemma 4 below is based on the well-known fact that if the LTL formula is true on some infinite path, it is also true on an infinite path of the form uv ω , where u and v are finite sequences of states [20]. Lemma 4. Let A be a discrete timed automaton, ϕ an LTLq formula, M the abstract model for the automaton A, π a path in the abstract model, and k ≥ 0. For each LTLq formula ϕ, each 0 ≤ m ≤ k and each 0 ≤ d ≤ k, if (π, m) |= d ϕ, there exists a k−path π l such that (π l , m) |= d k ϕ.

Translation to SAT
The last step of our method is the standard one ( [26,53]). It consists in encoding the transition relation of M and the LTLq formula tr(ϕ). The only novelty lies in the encoding of the finite prefix of the sequence (ζ π l (0), ζ π l (1), . . .).
Let M be the abstract model for the automaton A, tr(ϕ) be the LTLq formula, and k ≥ 0 a bound. The formula [tr(ϕ)] k encodes a bounded semantics of the LTLq formula tr(ϕ). It is defined over the same set of the propositional variables as the propositional The definition of the formula [ M tr(ϕ),s 0 ] k assumes that, states and actions in the abstract model M, and passage of time are encoded symbolically. This is possible if the set of states and the set of actions are finite. Formally, each symbolic abstract state s ∈ S is represented by a vector, w = ((w 1 , v 1 ), . . . , (w r , v r )) of propositional variables, where the length r depends on the number of states in the abstract model. This vector is called a symbolic state. Each action a ∈ Act is represented by a vector a = (a 1 , . . . , a t ) of propositional variables, where the length t depends on number of local actions in A. It is called a symbolic action.
A pair consisting of a sequence of the symbolic transitions and a symbolic number is called a symbolic k-path. Let π be a pair which represents a symbolic k-path: ((w 0 , w 1 , . . . , w k−1 , w k ), u), where w i is a symbolic state, for 0 ≤ i ≤ k, and u is a symbolic number, which is a vector u = (u 1 , . . . , u y ) of propositional variables with y = max(1, log 2 (k + 1) ). Moreover, let a i , for 0 < i ≤ k, be a symbolic action.
Let w and w be two different symbolic states, a a symbolic action and u a symbolic number. To define the formula [ M tr(ϕ),s 0 ] k , we use the following auxiliary propositional formulae: I s (w) encodes a state s in the abstract model M, H(w, w ) encodes the equality of two global states, T Act (w, a, w ) encodes an action transition in M, T τ (w, τ, w ) encodes a time transition in M, B ∼ j (u), for ∼ ∈ {<, ≤, =, >, ≥} encodes the relation ∼ between j and u, and L l k,m (π) encodes the existence of a loop for path π at position l. The propositional formula [ M tr(ϕ),s 0 ] k , encodes the unfolding of the transition relation of the abstract model M to the depth k in the following way: where w i , a i and u are, respectively, symbolic states, symbolic actions and the symbolic number for 0 ≤ i ≤ k. The next step of the method is the translation of the LTLq formula tr(ϕ) into the propositional formula [tr(ϕ)] k := [tr(ϕ)] 0 [k,0] . To translate the formula tr(ϕ) to SAT problem, we use the auxiliary propositional formulae defined in [53] and the propositional formula Gt d,m I (π). The formula Gt d,m I (π) encodes the condition that says that the difference of the symbolic global time at the depth d and in the starting point m on the symbolic path π belongs to the interval I. Definition 12 (The translation from ELTL q to SAT). Let M be the abstract model, tr(ϕ) an LTLq formula, and k ≥ 0 a bound. The translation of the formula tr(ϕ) on the path starting at point m at the depth d is defined inductively: The proof of the above theorem is analogous to the proofs presented in [26,53].

Experimental Results
In this section, we experimentally evaluate the performance of our new translation (We performed our experimental results on a computer equipped with I7-3770 processor, 32 GB of RAM, and the operating system Arch Linux. All the benchmarks together with instructions on how to reproduce our experimental results can be found at the web page https://tinyurl.com/satbmc4dtta-emtl, accessed on 3 November 2022). Our SAT-based BMC algorithm is implemented as a standalone program written in the programming language C++. We compared the new method with the corresponding one from [26]. For both methods, we used the state-of-the-art Kissat SAT solver [54]. We conducted the experiments using the slightly modified TGPP [26], the TTCS [26], and TDPP, and we compared our result with the results generated using the implementation from [26].

Timed Dining Philosophers
As the first benchmark, we used the well-known dining philosophers problem [55], and we extended it using clocks. The system consists of n discrete timed automata, each of which models a philosopher, together with n automata, each of which models a fork, together with one automaton which models the lackey. The latter automaton is used to coordinate the philosophers' access to the dining room. In fact, this automaton ensures that no deadlock is possible. The global system is obtained as the parallel composition of the components, which are shown in Figure 4.
We assume that one unit of time represents 30 min. A philosopher has to think at least 30 min (1 time unit, x j ≥ T 2 ) and at most 2 h and 30 min (5 time units x j ≤ T 1 ). He also has to eat for, at most, one hour (2 time units, x j ≤ E 1 ), but he also can finish eating earlier (x j ≥ E 2 ). Let us consider the following formulae: • ϕ 1 = F [0,T 2 +E 2 +1) ( n j=1 L f realeased j ). At least one philosopher will eventually eat and put down both forks.
. Every second philosopher (starting with the first one) always eats in the end.
All these formulae are existentially valid in the model of TDPP. Figure 5 shows experimental results for ϕ 1 and ϕ 2 . For the simple eventually formula ϕ 1 we can observe that time usage for the method based on the old translation is better than for the method based on the new one. However there is a noticeable difference in memory usage. In this case, the new method is better. For the formulae ϕ 2 and ϕ 3 , we can see the advantages of the new method.

Timed Generic Pipeline Paradigm
The TGPP (Figure 8) discrete timed automata model [26] consists of a producer producing data within the time interval ([a, b]) or being inactive, a consumer receiving data  To compare our experimental results with [26], we tested the TGPP discrete timed automata model on the following MTL formulae that existentially hold in the model of TGPP (n is the number of nodes). In the below formulae, we use prod 0 , prod 1 , cons 0 , and cons 1 for ProdReady, ProdSend, ConsReady, and ConsFree respectively. Moreover, we write G for G [0,∞) . Let us consider the following formulae: • ϕ 1 = G(prod 0 ∨ cons 0 ). It states that always either the producer has sent the data or the consumer has received the data. • ϕ 2 = F [0,2·n+3) (G(prod 1 ∨ cons 1 )). It states that eventually in time less then 2 · n + 3, it is always the case that the producer is ready to send the data or the consumer has received the data. • ϕ 3 = G(F [0,2·n+3) (cons 1 )). It states that the Consumer infinitely often eventually receives the data in time less than 2 · n + 3 units. All these formulae are existentially valid in the model of TGPP. Charts in Figure 9 show the total time usage and total memory usage for TGPP needed for verification ϕ 1 and ϕ 2 . In both cases, the new method outperforms the old one. For ϕ 2 , the LTLq-based method was able to verify the system with 19 nodes, and the HLTL-based method was able to verify the system only with 9 nodes. For ϕ 3 , the memory usage is similar in both cases. However, the time usage for the old method exponentially grows. The second plot shows the number of generated clauses and variables.  Charts in Figure 10 shows the total time usage and total memory usage for TGPP needed for verification ϕ 3 . The second plot shows the number of generated clauses and variables.

Timed Train Controller System
The TTCS ( Figure 11) consists of n (for n ≥ 2) trains T 1 , . . . , T n , each one using its own circular track for traveling in one direction and containing its own clock x i , together with controller C used to coordinate the access of trains to the tunnel through which all trains have to pass at a certain point. There is only one track in the tunnel, so trains arriving from each direction cannot use it in the same time. There are signals on both sides of the tunnel, which can be either red or green. All trains notify the controller when they request entry to the tunnel or when they leave the tunnel. The controller controls the color of the displayed signal, and the behavior of the scenario depends on the values δ and ∆ (∆ > δ + 1 makes it incorrect-the mutual exclusion does not hold).
Controller C has n + 1 locations, with the location 0 being the initial one. The action Start i of train T i denotes the passage from the location away to the location where the train wishes to obtain access to the tunnel. This is allowed only if controller C is in location 0. Similarly, train T i synchronizes with controller C on action approach i , which denotes setting C to location i > 0, as well as out i , which denotes setting C to location 0. Finally, action in i denotes the entering of train T i into the tunnel.
Let us consider the following formulae: . It expresses that the system violates the mutual exclusion property. • ϕ 2 = G(F [0,2·δ+1) tunnel 1 ). It expresses that the first train can infinitely often and from any state enter the tunnel in time less than 2 · δ + 1.
. It expresses that the first train is infinitely often in the tunnel and outside the tunnel in time less than 2 · δ + 7. All these formulae are existentially valid in the model of TTCS. As we can see in Figures 12, 13 and 14, the new method surpasses the old one. As we expected, the difference between the two methods is smaller for the simple formula that expresses reachability problem (ϕ 1 ). However, a significant difference can be seen for the formulae ϕ 2 and ϕ 3 . Figure 14 also shows the number of clauses and variables for the new and the old method. As we can see, the numbers of variables and clauses grow exponentially for the old method.

Statistics
We performed one-and two-sided Wicoxon tests for DPTT ( Figure 15). Tests showed that the new method outperforms the old one: the new method used less time (p = 0.36), and used less memory (p = 0.99). We performed the two-sided and one-sided Wilcoxon tests for all the experiments. As a dataset, we took the whole set of the experimental results (note that we deleted some results in the figures in Section 5 to make them clear-whole data can be found in the .tar.xz file we delivered).

Conclusions
In this work, we proposed a new SAT-based BMC for soft real-time systems modeled by discrete time automata with digital clocks and for properties expressible in metric temporal logic with semantics over discrete time automata with digital clocks.
The first step of this method is translating the existential model-checking problem for MTL into the existential model-checking problem for LTLq logic by replacing temporal operators with intervals (MTL) with temporal operators and new propositional variables corresponding to these intervals (LTLq). The second step is translating the existential model-checking problem for LTLq into the satisfiability problem for the propositional formulae. The efficiency of the new method is due to the fact that only one additional clock for measuring global time is needed, unlike the earlier method [26], which translates the existential model-checking problem for MTL into the existential model-checking problem translation to HLTL.
The earlier method [26] needs to add to a timed automaton one extra clock, one extra path, and an extra transition for each occurrence of the temporal operator in the formula.
We implemented our method as a standalone program written in the programming language C++. This implementation allowed us to experimentally evaluate and compare the new approach with the old one.
The experimental results show that our approach is significantly better than the approach based on translation to HLTL. The new method substantially reduces the conjunction normal form (CNF) formula's size, an input formula for the SAT solver. The reduced size of the CNF formula causes the SAT solver to use much less time and memory to determine the satisfiability of the input formula.
In future work, we plan to extend our method by adding discrete data [56]. We also would like to improve and develop and prove the method presented in [49].