A Sampling Semantics of Duration Calculus - Semantic Scholar

UNU/IIST International Institute for Software Technology

A Sampling Semantics of Duration Calculus

Dang Van Hung and Phan Hong Giang Jan 1995

UNU/IIST Report No. 50

R

UNU/IIST UNU/IIST enables developing countries to attain self-reliance in software technology by: (i) their own development of high integrity computing systems, (ii) highest level post-graduate university teaching, (iii) international level research, and, through the above, (iv) use of as sophisticated software as reasonable. UNU/IIST contributes through: (a) advanced, joint industry-university advanced development projects in which rigorous techniques supported by semantics-based tools are applied in case studies to large scale software developments, (b) own and joint university and academy institute research in which new techniques for application domain and computing platform modelling, requirements capture, software engineering and programming are being investigated, (c) advanced, post-graduate and post-doctoral level courses which typically teach Design Calculi oriented software development techniques, (d) events [panels, task forces, workshops and symposia], and (e) dissemination.

Application-wise, the advanced development projects presently focus on software to support large-scale infrastructure systems such as transport systems (railways, airlines, air trac, etc.), manufacturing industries, telecommunications, etc., and are thus aligned with UN and International Aid System concerns. UNU/IIST is a leading research centre in the area of Duration Calculi, i.e. techniques applicable to realtime, reactive, hybrid & safety critical systems. The research projects parallel and support the advanced development projects. At present, the technical focus of UNU/IIST in all of the above is on applying, teaching, researching, and disseminating Design Calculi oriented techniques and tools for trustworthy software development. UNU/IIST currently emphasises techniques that permit proper development steps and interfaces. UNU/IIST also endeavours to promulgate sound project and product management principles. UNU/IIST's primary dissemination strategy is to act as a clearing house for reports from research and technology centres in industrial countries to industries and academic institutions in developing countries. At present more than 200 institutions worldwide contribute to UNU/IIST's report collection while UNU/IIST at the same time subscribes to more than 125 international scienti c and technical journals. Information on reports received (and produced) and on journal articles is to be disseminated regularly to developing country centres | which are then free to order a reasonable number of report and article copies from UNU/IIST. Dines Bjrner, Director | 1.7.1992{31.6.1997

UNU/IIST Reports are either Research, T echnical, C ompendia or Administrative reports:

R Research Report  T Technical Report  C Compendium  A Administrative Report

UNU/IIST International Institute for Software Technology P.O. Box 3058 Macau

A Sampling Semantics of Duration Calculus

Dang Van Hung and Phan Hong Giang

Abstract In the paper, the problem of discretization of continuous time in Duration Calculus (DC) is addressed. For a DC formula D, for a sampling step h, a sampling semantics [[D]]h is de ned to express the properties of discrete observations of its models, while original semantics [[D]] expresses the properties of the models. In practice, only sampling semantics is implemented. So, an implementation D of a system speci ed by S , where both are written in DC, is correct i [[D]]h  [[S ]]. Some rules for proving the correctness of an implementation are given. The problem of digitization is also considered in the paper. Some forms of digitizable DC formulas are shown. Then we apply the obtained results to a non-trivial example, namely, a Biphase Mark Protocol introduced in [12]. That protocol uses 18-cycle cell for one bit of message. A cell is formed by 5-cycle mark subcell followed by 13-cycle code subcell. We adopt the same assumptions about physical environment as in [12]. However, we are able to show the stronger property than in [12]: The protocol works correctly provided the ratio of the writer's and reader's clock is within 30% of unity.

Dang Van Hung is from the Institute of Information Technology of the National Center for Natural Science and Technology of Vietnam, where he is a senior researcher. He was a Fellow of UNU/IIST from April 1994 to July 1995. he became a research fellow of UNU/IIST from October 1995. His research interests are in Formal Techniques of Programming, Concurrent and Distributed systems, Real-Time Systems. E-mail: [email protected]. Phan Hong Giang is a researcher from the Institute of Information Technology of the National Center for Natural Science and Technology of Vietnam. He stayed with UNU/IIST from September 1995 to January 1996 under a Fellowship Programme. His research interests include RealTime Systems, Logic Programming and Reasoning under Uncertainty. E-mail: [email protected]

Copyright c 1997 by UNU/IIST, Dang Van Hung and Phan Hong Giang

Contents

Contents

1 2 3 4 5 6 7 8

Introduction Duration Calculus Sampling Semantics Limit of sampling semantics Digitization A Model of a Biphase Mark Protocol Discussion Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

Report No. 50, February 28, 1997

i

1 2 5 9 12 15 21 23

UNU/IIST, P.O. Box 3058, Macau

Introduction

1

1 Introduction Hybrid real-time control systems are reactive systems that intermix discrete and continuous components. Typical examples are digital controllers that interact with continuously changing physical environments. There are many formal approaches to specifying, designing and verifying hybrid systems, in which either continuous or sampling semantic models, but not both, are used. A comprehensive comparison between these approaches can be found in [16]. Among them, Duration Calculi (DC) ([5, 6]) are becoming a promising approach. DC is a single language approach meaning that it uses the same language for the speci cation and the implementation of a system. Furthermore, in DC we can adopt both a continuous semantics model and a sampling one. This seems to be useful in many cases. A hybrid control system is viewed as consisting of a control program and a physical plant interacting at discrete sampling times (see, e.g. [14, 15]). A design of a hybrid control system aims to derive a speci cation of the control program from a speci cation of the continuous behavior of the plant and the physical description of the system. The design is correct if, under the assumption of the behavior of the environment, the derived `discrete' speci cation implies the speci cation of the continuous behavior of the plant. In other words, it should be the case that the continuous behavior of the plant will satisfy the requirement if it satis es the discrete design when disretized at sampling time points. Thus, beside the usual implication operation on formulas, we need another implication relation between formulas to reason about the correctness of the re nement. To solve this problem in Duration Calculus, in this paper, in addition to the usual continuous semantic model, we de ne a sampling semantics model for DC formulas and consider the relationship between the two models. In this way, we can consider in the same framework the satisfaction of a DC formula and reason about the correctness of design and implementation of a hybrid system in a uniform manner. The design process of a hybrid system in this framework can be formulated as follows. For a speci cation S , at the rst step we re ne it into a formula D such that D ) S in DC, then we nd another DC formula E and a sampling step h such that the sampling semantics of E w.r.t. h \implies" the usual semantics of D. If it is necessary, E is re ned further in \discrete" DC; this re nement therefore corresponds to the development of a computer program. An interesting problem in discretization of the continuous time is the digitizability of speci cation formulas. A principle for this has been introduced in [10], that reduces in some cases the veri cation problem with a dense time domain to a veri cation problem with a discrete time domain. We consider the digitizabilty R of DC formulas and unfortunately nd that the formulas involving the operator chop (;) and , in general, are not digitizable; only the formulas expressed in the metric of time are digitizable. The paper is organized as follows. In the next section, a brief summary of DC is presented. Section 3 introduces sampling semantic model of DC. In Section 4, we consider the power of sampling semantics when the sampling step approaches 0. The digitizability of DC formulas is Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Duration Calculus

2

discussed in Section 5. The last section is devoted to an example of using DC and its continuous and sampling semantics for the speci cation and veri cation of the Biphase Mark Protocol.

2 Duration Calculus In this section, we give a brief summary of DC and its application to speci cation of real-time systems. For more details, readers are referred to [5]. Time in DC is the set R+ of nonnegative real numbers. For t; t0 2 R+; t  t0 ; [t; t0 ] denotes the time interval from t to t0 . Let intv denote the set of all time intervals. Syntax of DC:

Assume that V = fX; Y; : : :g is a set of state variables. We will use the special symbol ` to denote the length of an interval, fin , Ani (i; n  0) as n-ary function and n-ary predicate names respectively.

State expressions: The set of state expressions is generated by 1. 0,1 and every state variable name in V are state expressions 2. if P and Q are state expressions, so are (:P ) and (P ^ Q), where : and ^ are boolean operators on states and semantically dierent from the connectives on formulas.

Terms: The set of terms is generated by R

1. if P is a state expression then P is a term 2. ` is a term 3. if r1 ; : : : ; rn are terms and fin is an n-ary function name then fin(r1 ; : : : ; rn ) is a term

Atomic Formulas: if Ani is an n-ary predicate name, and r ; : : : ; rn are n terms then Ani (r ; : : : ; rn) is an atomic formula.

1

1

Formulas: the set of formulas is generated by the grammar: D =b A j D; D j :D j D _ D where A stands for atomic formulas of DC. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Duration Calculus

3

Semantics of DC

Assume that each n-ary function name fin is associated with a total function from Rn to R which is denoted by fin also, and each n-ary predicate name Ani is associated with a total function from Rn to ftt ;  g which is also denoted by Ani . In this paper, for simplicity we interpret the functions f as operators on real, e.g. +; , and the relations A as comparing operators between reals, e.g. ; . An interpretation I is a function I 2 (V ! (R+ ! f0; 1g)), for which each I (X ), X 2 V has at most nitely many discontinuity points in any interval [a; b]. We shall use the abbreviation XI =b I (X ).

Semantics of state expressions: The semantics of a state expression P in an interpretation I is a function IP 2 Time ! f0; 1g de ned inductively on the structure of state expressions by: I (t) =b 0 IX (t) =b XI (t) I (t) =b 1

I :P (t) =b 1 ? IP (t) ( 0 if IP (t) = 0 and IQ(t) = 0 I P _Q (t) =b 1 otherwise

0

(

1

)

(

)

Semantics of terms: The semantics of a term r in an interpretation I is a function Ir 2 intv ! R de ned inductively on the structure of terms by: IR P ([a; b]) =b Rab IP (t)dt If r ;:::;r ([a; b]) =b fin(Ir ([a; b]); : : : ; Ir ([a; b])) n ( 1 i

n)

I`([a; b]) =b b ? a

n

1

Semantics of formulas: The semantics [[D]] of a formula D is a function from the set of interpretation I and the set intv to ftt,g, de ned inductively on the structure of formulas below.

Using the abbreviations I ; [a; b] j= D =b [[D]]([a; b]) = tt and I ; [a; b] 6j= D =b [[D]]([a; b]) =  , [[D]] is de ned by: I ; [a; b] j= Ani(r1 ; : : : ; rn ) i Ani (Ir ([a; b]); : : : ; Ir ([a; b])) = tt I ; [a; b] j= true I ; [a; b] j= (:D) i I ; [a; b] 6j= D I ; [a; b] j= (D1 _ D2 ) i I ; [a; b] j= D1 or I ; [a; b] j= D2 I ; [a; b] j= (D1 ; D2 ) i I ; [a; m] j= D1 and I ; [m; b] j= D2 for some m 2 [a; b] n

1

Abbreviations: For a DC formulas D, D and a state expression P , we use the following 1

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Duration Calculus

4

abbreviations:

3D =b (true; D); true dP e =b R P = ` ^ ` > 0 D ) D =b (:D) _ D 1

2D =b :(3(:D)) d e =b ` = 0 D ^ D =b :((:D) _ (:D ))

1

1

1

Some axioms and theorems in the calculus are: 1. 2. 3. 4. 5. 6. 7. 8. 9.

R

(DA 1) 0 = 0 R (DA 2) For an arbitrary state P , P  0 R R R R (DA 3) For arbitrary states P and Q, P + Q = (P _ Q) + (P ^ Q) (DA R 4) Let P be Ra state and R r; s nonnegative real numbers. ( P = r + s) , ( P = r; P = s) (Monotonicity) If D1 ) A1 and D2 ) A2 then D1 ; D2 ) A1 ; A2 (Associativity) (D1 ; D2 ); D3 , D1 ; (D2 ; D3 ) P ) Q then dP e ) dQe (dP e ^ dQe) ) dP ^ Qe (Induction rules) Let X be a formula letter occurring in the formula D(X ) and let P be a state. Then If D(de) holds and D(X _ X ; dP e) ^ D(X _ X ; d:P e) are provable from D(X ), then D(true) holds, If D(de) holds and D(X _dP e; X ) ^ D(X _d:P e; X ) are provable from D(X ), then D(true) holds

Example 1 To conclude this section, we give an example of using DC in specifying a real-time

system. The example is a simple gas burner taken from [5]. One of the time-critical requirements of a gas burner is speci ed by a DC formula denoted by Req-1, de ned as

Req-1

R

` > 60s ) (20  leak  `):

This says that if the interval over which the system is observed is at least one minute, the proportion of time spent in the leak state is not more than one-twentieth of the elapsed time. The requirement is re ned into two design decisions

Des-1 Report No. 50, February 28, 1997

2(dleake ) `  1s), UNU/IIST, P.O. Box 3058, Macau

Sampling Semantics Des-2

5 2(dleake; d:leake; dleake ) `  30s).

Des-1 says that any leak state must be detected and stopped within one second, and Des-2

says that leak must be separated by at least 30s. The design is shown to be correct by proving the implication Des-1 ^ Des-2 ) Req-1.

3 Sampling Semantics We refer to the semantics of DC formulas given in the previous section as continuous semantics or analog semantics. The continuous semantics is good for the speci cation and the design of the system at abstract levels, since the real systems are physical devices whose states are changing continuously. However, computer programs work in a discrete time manner. Thus, in the re nement of speci cations, we need a \discrete semantics" model of DC formulas as well. The sampling semantics of DC formulas is de ned in this section. For a DC formula D, for a positive real number h, the sampling semantics of D, denoted by [[D]]h , is a mapping from the set of interpretations of state variables and the set of intervals intv to f ; tt g. We will use the abbreviation:

I ; [a; b] j=h D =b [[D]]h (I ; [a; b]) = tt: Let I be an interpretation over state variables. The time model of sampling with sampling step h is the set Rh =b fih j i = 0; 1; 2; : : :g. In this paper from now on, we assume that every state variable is interpreted as a right side continuous boolean function in the interpretation I .

Semantics of terms: The semantics of a term t in the interpretation I is a function Ith from intv to reals, de ned inductively on the structure of terms in the same way as It , except that IRh P and I`h are de ned as follows. IRh P ([a; b]) =b h Pkj ?i IP (jh); I`h([a; b]) =b (k ? i)h; =

1

where i = [a=h]0:5 , k = [b=h]0:5 , and for any real number x,  [x] =b if x  bxc +  then bxc else bxc + 1: Intuitively, IRh P approximates the integral of the state variable P using an algebraic sum, ih and kh are approximations of the time points a and b, respectively, in the discrete model of time. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Sampling Semantics

6

Semantics of formulas: The semantics of formulas is de ned exactly in the same way as in

the previous section.

It follows immediately from the de nition that not every axiom and rule of DC is sound in the sampling semantic model. For the axioms and rules mentioned in the previous section, the axioms DA 4, the induction rule 9 are not sound, the others are sound. The axiom DA4 now is replaced by the following:

R P = mh + nh , R P = mh; R P = nh, where m; n 2 N of natural numbers. Since the term `=h ranges over the set N , we can use the natural induction rule on natural numbers instead of the induction rule based on the nite variability of states. The natural induction rule is formulated as: Let D be a DC formula. Then if D holds for ` = 0, and if (` = (k + 1)h) ) D is provable from (` = kh) ) D then 2D holds. In general [[D]] 6= [[D]]h . In the sequel, we consider the relationship between them.

De nition 1 For a state variable P and a positive real number , we say P is -stable if

-stable(P ) is satis ed, where

-stable(P ) =b 2(d:P e; dP e; d:P e ) `  ): The formula -stable(P ) says that the state P keeps true for at least  time units whenever it becomes true.

Theorem 1 Let  > h. Then 1: 2:

I ; [a; b] j= ` = d ; I ; [a; b] j=hR j` ? dj < h I ; [a; b] j=R -stable(P ) ^ P = d ; I ; [a; b] j=h j P ? dj  min(`; ( ` + 1)h)

I ; [a; b] j=h ` = d I ; [a; b] j= j` ? dj < h I ; [ih; kh] j= R-stable(P ) ^ R P = d I ; [ih; kh] j= j P ? dj  min(`; ` h) h



Intuitively, item 1 says that the time metric is approximated with a tolerance less than the length of the sampling step, while duration of a stable state variable is approximated with the tolerance depending on the length of observation time interval, degree of its stability and the length of the sampling step. Proof: Suppose that t0 ; : : : ; tn are all the discontinuity points of IP in the interval [a; b] (note: the state variables in DC are nitely variable). Since -stable(P ) is true for interval [a; b], it Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Sampling Semantics

7

follows that tm ? tm?2  , m = 2; : : : ; n. Hence, n  2  b? a . Furthermore, for j = i; : : : ; k ? 1

j

Z

j

h

( +2)

jh

Pdt ? hP (jh)j

(

= 0 if 8m:tm 62 [jh; (j + 2)h]  h otherwise

R P Since ja ? ihj + jb ? khj < h, we have j ab P (t)dt ? h kj =?i1 P (jh)j  h( b? a + 1).

Corollary 1 Let i; k; i  k be in N , a; b; h;  be in R , a < b;  > h. RP =d I ; [ a; b ] j =  stable ( P ) ; I ; [ a; b ] j = h 1: I ; [a; b] j= j R P ? dj  h( ` + R1) I ; [a; b] j= -stableR(P ); I ; [a; b] j=h P < d 2: I ; [a; b] j= P < d + h( ` +R1) I ; [a; b] j= -stableR(P ); I ; [a; b] j= P < d 3: I ; [a; b] j=h P < d + h( ` + 1)R I ; [a; b] j= -stableR(P ); I ; [a; b] j=h P > d 4: I ; [a; b] j= P > d ? h( ` +R1) I ; [a; b] j= -stableR(P ); I ; [a; b] j= P > d 5: I ; [a; b] j=h P > d ? h( ` + 1) I ; [ih; kh] j= -stable(:P ); I ; [ih; kh] j=h dP e 6: I ; [ih; kh] j= dP e I ; [a; b] j= -stable(:P ); I ; [a; b] j=h dP e 7: I ; [a; b] j= 3(dP e ^ `  b ? a ? h) I ; [ ih; kh] j= dP e 8: I ; [ih; kh] j=h dP e I ; [a; b] j= -stable(:P ) ^ -stable(P ); I ; [a; b] j=h dP e; d:P e 9: I ; [a; b] j= 3((dP e; d:P e) ^ `  b ? a ? h) I ; [ ih; kh ] j= -stable(:P ) ^ -stable(P ); I ; [ih; kh] j= dP e ^ `  h; d:P e ^ `  h 10: I ; [ih; kh] j=h (dP e; d:P e) +

De nition 2 For DC formulas D; D0 , we say [[D]]  [[D0 ]]h i for all interpretations I , for all intervals [a; b], if I ; [a; b] j= D then I ; [a; b] j=h D0, 0 [[D]]h  [[D ]] i for all interpretations I , for all intervals [a; b], if I ; [a; b] j=h D then I ; [a; b] j= D0, [[D]]h  [[D0 ]] i for all interpretations I , for all intervals [a; b], I ; [a; b] j=h D if and only if I ; [a; b] j= D0.

Example 2 It follows immediately from the de nition of sampling semantics that: Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Sampling Semantics

8

1. [[` = d]]  [[j` ? dj  h]]h , [[` = d]]h  [[j` ? dj  h]], R 2. For all state expression Q, we have [[dQe]]  [[j Q ? `j  h]]h .

Theorem 2 For any DC formulas D ; D and D0 ; D0 ]]h  [[D0 ]]; [[D ]]h  [[D0 ]] 1: [[D ; D ]]  [[D0 ; D0 ]];[[D [[D _ D ]]h  [[D0 _ D0 ]]; [[D ^ D ]]h  [[D0 ^ D0 ]] ; h ]]  [[D0 ]]h ; [[D ]]  [[D0 ]]h : 2: [[D ; D ]]  [[D0 ; D0 ]] ;[[D h [[D _ D ]]  [[D0 _ D0 ]]h ; [[D ^ D ]]  [[D0 ^ D0 ]]h 1

2

1

1

2

1

2

1

1

2

1

2

2

1

1

2

2

1

1

2

2

2

1

1

2

1

1

2

1

2

1

2

2

2

1

2

Note that for a DC formula D, if [[D]]h  [[D]], then any model that satis es D in the sampling model of time satis es D in continuous time as well. Inversely, if [[D]]  [[D]]h , then any model that satis es D in continuous time satis es D in the sampling model of time as well. Following [10], for the latter, we say that D is closed under sampling w.r.t. h, and for the former, we say that D is closed under inverse sampling w.r.t h. Theorems presented in this section make the assumption that state expressions involving integral need to be stable. In practice, this assumption is often satis ed by environment from the physical laws, e.g. the water level cannot change too fast, the wind should change its direction and speed slowly, etc. Suppose that we want to verify that a system (an interpretation I ) satis es a speci cation (a DC formula D) under an assumption (a DC formula A), that is to verify I j= A ) D. One method of doing so is to nd formulas ;  such that, [[A]]  [[ ]]h , [[]]h  [[D]] and prove that I j=h ) . The problem of veri cation in the integer model of time is easier and is decidable (see [7]). The theorems presented above give some guide for nding such formulas.

Example 3 Consider the simple gas burner in Example 1. From Example 2 we have that R [[dleak e]]  [[j leak ? `j  h]]h , and [[`  1 ? h]]h  [[`  1]]. Hence, if we can prove that R (1) S j=h 2(j leak ? `j  h ) `  1 ? h); then we can conclude S j= 2(dleak e ) `  1): Thus, if h  1=2, and we can ensure that if leak at jh then non-leak at (j + 1)h for all natural j (this means S j=h dleak e ) ` = h) then (1) holds. Note that this can be proved by using natural induction rule of discrete DC.

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Limit of sampling semantics

9

4 Limit of sampling semantics Since for any xed interval [a; b], limh!0 IRh P ([a; b]) = IR P ([a; b]), we expect that the class of the formulas D, such that for an interval [a; b], there is a real number  for which h <  ) [[D]]h  [[D]], is large enough to cover many formulas encountered in practice. This means that for sampling steps that are small enough, the sampling semantics and continuous semantics are approximative, and we can replace one by the other. In fact, when specifying a system, we use the continuous semantics, while in implementing the system, we use the sampling semantics. To ensure that the implementation is correct, it must be the case that the sampling semantics of the implemented formula implies the continuous semantics of the speci cation formula of the system. A question arise as whether there exists such an implementation. Or, more precisely, given a satis able DC formula S , do there exist a sampling step h and a satis able formula D such that [[D]]h  [[S ]]? In this section, we de ne another kind of semantics of DC formulas that we call limit semantics that is useful for the answer to this question. For a DC formula D, the limit semantics of D, denoted by [[D]]l , is a mapping from the set of interpretations of state variables and the set intv of intervals to ftt ;  g, is de ned by: [[D]]l (I ; [a; b]) = tt i there exists a sequence hn such that limn!1 hn = 0 and for all n [[D]]h (I ; [a; b]) = tt n

In other words,

I ; [a; b] j=l D if there exists a sequence hn such that limn!1 hn = 0 and for all n I ; [a; b] j=h D: n

As in the previous section, we use the denotation:

De nition 3 For DC formulas D; D0 , we say [[D]]  [[D0 ]]l i for all interpretations I , for all intervals [a; b], if I ; [a; b] j= D then I ; [a; b] j=l D0, [[D]]l  [[D0 ]] i for all interpretations I , for all intervals [a; b], if I ; [a; b] j=l D then I ; [a; b] j= D0 , 0 [[D]]l  [[D ]] i for all interpretations I , for all intervals [a; b], I ; [a; b] j=l D if and only if I ; [a; b] j= D0. From the properties of limits, the following theorem is obvious. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Limit of sampling semantics Theorem 3 R R [[R P  d]]l  [[R P  d]]; [[R P < d]]l  [[R P  d]]; [[ P > d]]  [[ P > d]]l ;

10

R

R

[[R P < d]]  [[ R P < d]]l ; [[R P  d]]l  [[R P  d]]; [[ P > d]]l  [[ P  d]]:

Now we want to compare dierent kinds of semantics for more general formulas. The theorem guides us to consider those formulas in which all inequalities evolving integrals of state variables are either of the form t1 > t2 or of the form t1  t2 . In terms of topology, the formulas are either open or closed. Formally, we de ne open formulas and closed formulas as follows.

De nition 4 1. Continuous terms are de ned recursively by:  R P is a continuous term, where P is a state variable,  real constants are continuous terms,  if t1; : : : ; tn are continuous terms, and if fn is always interpreted as a n-ary continuous function, then fn (t1 ; : : : ; tn ) is a continuous term. 2. Closed (open) formulas are de ned by:  if t1; t2 are continuous terms, then t1  t2 (t1 < t2) is a closed (open) formula,  if D1 ; D2 are closed (open) formulas, then D1 _ D2 , D1 ^ D2 , D1; D2 are closed (open) formulas

Example 4 1. true is a closed formula, since true =b 2. dLe ) ` < 1 is an open formula, since

R 1  0,

dLe ) ` < 1  (R 1 < 1 _ R 1 > R L)

Theorem 4 1. For a closed formula D, [[D]]l  [[D]], 2. For an open formula D, [[D]]  [[D]]l . Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Limit of sampling semantics

11

The meaning of the theorem is that given a closed formula D, if for a sampling step which is small enough, D is satis ed by a model by sampling, then we can conclude that D is satis ed by the model; inversely, for an open formula D and a model of it, we can nd a sampling step h such that D is satis ed by the model by sampling. The proof of the theorem is immediate from the following lemmas. In fact, we prove a strengthening of the theorem.

Lemma 1 For an interpretation I , for an interval [a; b], for a closed formula D and sequences fhng; fan g and fbng such that hn ! 0; an ! a; bn ! b, if for all n I ; [an; bn ] j=h D then I ; [a; b] j= D. n

Proof: The proof is by induction on the structure of the closed formulas. First, note that for any continuous term t, for any interval [a; b] and sequences fhn g; fan g and fbn g such that hn ! 0; an ! a; bn ! b, it holds that limn!1 Ith ([an ; bn]) = It ([a; b]). n

1. Let D =b t1  t2 , where t1 and t2 are continuous terms. It follows immediately from the properties of limit that for any interval [a; b] and sequences fhn g; fan g and fbn g as in the lemma, if for all n Ith ([an ; bn ])  Ith ([an ; bn ]), then It ([a; b])  It ([a; b]). 2. Let D =b D1 _ D2 , where D1 ; D2 are closed terms. Let [a; b] be an interval, sequences fhn g; fan g and fbng be as above. Assume that for all n, I ; [an; bn ] j=h D1 _ D2. Then, there are i 2 f1; 2g and subsequences hn , an and bn such that I ; [an ; bn ] j=h Di . By the inductive hypothesis, [[Di ]]l  [[Di ]], which implies [[D1 _ D2 ]]l  [[D1 _ D2 ]]. 3. Let D =b D1 ; D2 , where D1 ; D2 are closed terms. Let [a; b] be an interval, sequences fhn g; fan g and fbng be as above. Assume that for all n I ; [an; bn ] j=h D1 ; D2 . Then, there is a sequence fcn g such that for all n an  cn  bn , I ; [an; cn ] j=h D1 and I ; [cn ; bn ] j=h D2 . From the boundedness of fcn g, there are a number c 2 [a; b] and a subsequence fcn g such that cn ! c. By the inductive hypothesis, I ; [a; c] j= D1 and I ; [c; b] j= D2 . 4. The case D =b D1 ^ D2 is proved in similar way. n

1

n

1

2

2

n

k

k

k

k

k

nk

n

n

n

k

k

Lemma 2 For any interpretation I , for any interval [a; b], for any open formula D if I ; [a; b] j= D, then for all sequences fhn g; fan g and fbn g such that hn ! 0; an ! a; bn ! b, there is an N such that I ; [an; bn ] j=h D for all n  N . n

Proof: Taking into account that for any interpretation I , for any interval [a; b], for any continuous term t limh!0 Ith([a; b]) = It ([a; b]), the proof is similar to the previous one and is omitted here.

It follows from the theorem that if a speci cation of a system is an open formula then with a sampling step that is small enough, if the speci cation is satis ed by the system in the real time model then it also is satis ed by the system in the sampling time model. Thus, an open speci cation is not satis able if it is not satis able in every sampling model of time. For a closed speci cation, if it is satis ed by a system in every sampling time model then it also is satis ed by the system in the real-time model. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Digitization

12

According to Theorem 4, in order to reduce the problem of verifying I j= A ) D to the problem of verifying I j=h A ) D, the formula A should be an open formula, and D should be a closed formula. Otherwise, we have to weaken the assumption A into an open formula and strengthen the conclusion D into a closed formula.

5 Digitization Now assume that there is a digital clock that ticks at all time points jh, j = 0; 1; : : :. Consider the sampling model of time according to the digital clock. Then, the time model is the set of non negative integers N = f0; 1; 2; : : : g. It can be seen from the previous sections that the sampling semantics can be useful only under the condition that the state variables are -stable for some  that is large enough relative to the time unit. Otherwise, it is inadequate to describe the behavior of real-time systems. For example, the very simple formula dP e can be true in the sampling model of time for a model in which it fails in the continuous model of time. Thus, a richer discrete semantics model is needed to represent the digitization. In the sampling model, by the approximative interpretation of integral, we lost the information of state changing between two sampling points. The digitizability is to reduce the problem of veri cation in the real-time model to the one in the integer time model. An obvious solution is to de ne digitizability of a formula as the property that the formula should not distinguish a state change of the system between two sampling points from the one at these points. To make the condition for the digitizability weaker, in [10], a digitization quantum is introduced to de ne the digitizability. According to their de nition, a property (formula) D is digitizable i for all models I , I satis es D if and only if for all digitization quantum 0   < 1, the sampling observation starting from time  with the sampling step h = 1 satis es D. This kind of observation approximates the metric between two discontinuity points of any state variable by a value with a tolerance less than 1. Thus, many properties speci ed by Metric Temporal Logic formulas are digitizable. However, for a property speci ed with duration variables, this kind of observation cannot, in general, approximate duration variables by the values with a tolerance  < 1 as we can see in many examples. In [3] the authors tried to generalize the results for the duration variables. However, the results obtained on digitization are very weak and work for a very restrict class of properties only. Roughly speaking, the results say that for a speci c state variable P , for an interval [i; k], where i; k 2 N , for j = i; : : : ; k ? 1, a digitization quantum j can be found such that the integer observation of P that the observation of P at time jR is the value of P (bj + j c) (the value observed by the digital clock staring at j ) approximates P ([i; k]) by a value with a tolerance strictly less than one. Thus, we cannot expect results as presented in [10] for Duration Calculus. However, since in Duration Calculus, we can express the properties of the metric of time, we follow the de nition of digitizability from [10], and expect the properties about the order of events, length of intervals, and stability are digitizable. For every interpretation I of state variables, for every 0   < 1, an integer interpretation I  Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Digitization

13

derived from I by observing I with the -digital clock is de ned as follows. For each state variable P , since IP is nitely variable, the set of its discontinuity points is nite or countable. Let t0 ; t1 ; : : : be the sorted sequence of the discontinuity points of IP . Then, [t0 ] ; [t1 ] ; : : : is sorted as well. Then, for any i 2 N , [ti ]  t < [ti+1 ] ,

IP (t) = 1 i IP (t0 ) = 1 for some t0 such that ti < t0 < ti

+1

From its de nition, for any state variable P , IP is a boolean function which is continuous from the right and can be discontinuous only at integer points.

Example 5 Let IP be expressed by the lower part in Fig. 1, where the discontinuity points of IP are 0:7; 1:8; 2:65; 4:3. Let  = 0:6. Then IP is expressed by the upper part.

IP IP

1 0 1 0

0.7

1.8 2

1

2.65

3

4

4.3

5

t

Fig. 1

De nition 5 (digitizability) A DC formula D is said to be digitizable i for any interpretation I , for any interval [a; b], I ; [a; b] j= D if and only if I ; [[a] ; [b]] j= D for all 0   < 1: 1

Example 6 R

1. The formula D =b 1 < P  2 is not digitizable. Let I be an interpretation in which P is interpreted as the boolean function

IP (t) =b

(

Report No. 50, February 28, 1997

1 if 9n 2 N :n  t  n + 0:5 0 otherwise UNU/IIST, P.O. Box 3058, Macau

Digitization

14

Then, all n 2 N , I; [n; nR+ 4] j= D. However, for any 0   < 1, either I  ; [n; n + 4] j=1 R P = for 4 or I ; [n; n + 4] j=1 P = 0. 2. The formula D =b `  5 is digitizable, since for any a; b; a  b, b ? a  5 if and only if for any 0   < 1, b ? a  5. In general, we have the following:

Theorem 5

1. For any state variable P , dP e =b dP e _ d e is digitizable. 2. For any integer k, `  k, k  ` are digitizable. 3. If A, B are digitizable then A ^ B is digitizable. Proof: First we prove item 1. Without lost of generality, we can assume that interpretations of state variables are boolean functions that are continuous from the right. Thus, for any a  b, dP e is true if and only if the function IP (t) has no discontinuity point in (a; b). The function IP (t) has no discontinuity point in (a; b) if and only if for any 0   < 1, by the de nition of I , the boolean function IP (t) has no discontinuity point in ([a] ; [b] ). Then item 1 follows.

Item 2 follows from Example 5. Item 3 is proved directly from the de nition. The formulas of the form A _ B or A; B are not, in general, digitizable even with the condition that A and B are digitizable. For example, let A =b dP e , B =b d:P e , From Theorem 5, A; B are digitizable. Let I be as in Example 5, item 1. Then, for all 0   < 1, I ; [0; 4] j=1 A _ B , I ; [0; 4] j=1 A; B However, I ; [0; 4] 6j= A _ B and I ; [0; 4] 6j= A; B . Similar to the result in [3] about weak-closed formulas, we have:

Proposition 1 Let A; B be digitizable DC formulas, k be an integer. Then the formula (A ^ ` = k); B is digitizable.

Example 7 Suppose we want to express that a signal sent on a wire P will be received after  ( 2 N ) time units on a wire Q. Using DC, this is written as a formula D: D =b dP e; ` =  ) ` = ; dQe: Since the formula ` = ; dQe is not digitizable, we cannot expect that ` = ; dQe is observed in the integer model of time. To make it observable, from Theorem 5 we should strengthen it by ` = ; (dQe ^ `  1). Thus the premise should be weakened to dP e ^ `  1; ` = .

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

15

Hence, in order to implement the requirement in the integer model of time, we should weaken the requirement to:

D1 =b (dP e ^ `  1); ` =  ) ` = ; (dQe ^ `  1):

6 A Model of a Biphase Mark Protocol In this section, as an example, we will use DC to model and prove the correctness of a Biphase Mark Protocol (BPM). The BPM protocol (or format) is widely used in practice for asynchronous communication between two digital hardware devices. The BPM protocol works by coding each bit of message as a portion of square wave (called a cell) of xed clock cycles. Each cell is logically divided into two parts. The rst part is called a mark, the other a code. If the signal in the mark subcell is the same as one in the code subcell then information carried by that cell is 0. Otherwise, if the signals are dierent then the information carried is 1. There is a phase reverse between two consecutive cells. It means that the signal at the begining of the following cell is held as the negation of the signal at the end of the previous cell. Despite its extensive use, to the best of our knowledge, in the literature there are relatively few works dedicated to formally modeling and assessing the protocol's performance. In [4] the authors used a model of linear hybrid systems to analyze a protocol developed by Philips Corp. That protocol uses Manchester encoding that in many aspects is similar to a BPM protocol. In [12], Moore used the Boyer-Moore Logic to analyze a BPM protocol. In his version of the BPM protocol, each bit of message is coded as a cell of 18 clock cycles. Among them the 5 rst cycles constitute the mark sub-cell and the last 13 cycles form the code sub-cell. He proved the correctness of the protocol provided the ratio of the clock rates of sender (or writer) and receiver (or reader) is within 5% from unity. The author conjectures that his protocol works with clock rate ratio up to 30% of unity. Inspired by Moore's work, we use DC to construct a model for the protocol. We adopt the same assumptions about the physical environment as in [12] and succeed in showing that his conjecture about 30% clock rate tolerance is the case. We consider two digital devices called a writer and a reader. They are connected by a bus. The writer is required to send a message M which is a list of bits < b0 ; b1 ; : : : ; bn > to the reader. To do that, the writer holds the voltage in the bus at one of two values flow; highg. At the beginning, the writer holds voltage low for 18 cycles then it changes the voltage to high in order to transmit the rst bit b0 . After 5 cycles, depending on value of b0 the writer will keep voltage at high for next 13 cycles if b0 = 0 or changes to low if b0 = 1. For the next bit b1 the writer changes the voltage of the mark subcell such that it is a negation of the voltage in code subcell of the previous cell. After transmission of bit bn the writer keeps the voltage low for another 18 cycles to signal the end of session. For the reader's part, it rst waits until detection of voltage change (or \edge") then skips a xed number of cycles (this number is called \sampling distance") and samples the signal there. It compares this signal with one after the edge. The reader assumes the bit of message is 1 if they are dierent or 0 otherwise.

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

16

The \raison d'etre" for such a protocol is the presence of disturbances from the physical environment on the communication process. In our model, we focus on two physical phenomena: 1. The voltage on the bus does not change immediately. It takes a signi cant amount of time to change from high to low and vice versa. 2. The disparity between digital clock rates of writer and reader. As in [12] we adopt the following assumptions:

A1 On every cycle of its clock, the writer puts on the bus one of two values flow; highg. If

the value of the current cycle is the same as the value of previous one then the signal on the bus stays stable at that value during the whole cycle. A2 Otherwise, if those values are dierent then the signal on the bus is nondeterministic for the whole cycle i.e., the value for that whole cycle is either low or high.

These assumptions are abstractions from the real value of voltage on the bus. They allow us to see writer's and reader's views of bus as standard state variables while preserving the ability to model the temporal character of voltage change. Our model is \normalized" to the writer's clock i.e., we assume that its clock rate is 1. The clock rate of the reader is r. Recall that we are modeling a BPM protocol in which the cell's size is n = 18, the mark subcell's size is m = 5, the code subcell's size is k = 13 and the sampling distance is d = 10. Without loss of generality, we assume further that the phase displacement (the st tick) of the reader's clock is within the rst cycle of the writer's clock. We denote the writer's and reader's views by state variables X and Y respectively. Note that X can be discontinuous at integers only. We de ne a state variable C that has value 1 in code subcells and value 0 in mark subcells. Logically, the writer's view of the protocol can be considered as a chain of cells, so we could write for large enough T (2) I ; [0; T ] j= St; ((d:C e ^ ` = 5); (dC e ^ ` = 13))n ; St Where St is used to mark the start and the end of signal train. We use the convention that stipulates the existence of two intervals of length greater than the cell size in which X has low value. One interval lies prior to the rst bit cell and the other after the last bit cell. So, St ) d:X e ^ `  18. n is the length of message to be transmitted. We take the liberty of using An for n?times repetition of A. Assumptions about the protocol allow us to write down the following formulas: (3) dC e ) (dX e _ d:X e) Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

17

(4) d:C e ) (dX e _ d:X e) (5) dC e; d:C e ) (dX e; d:X e) _ (d:X e; dX e) The formulas (3) and (4) say that during a subcell the signal writer holds is stable. (5) says that there is a signal edge to mark the start of next cell. Assumption A1 imposes the following formulas on X and Y : (6) dX e ^ ` > 1 ) ` = 1; dY e (7) d:X e ^ ` > 1 ) ` = 1; d:Y e Assumption A2 imposes the following formulas (8) (dX e ^ ` = 1); (d:X e ^ `  1) ) ` = 1; (dY e _ d:Y e) (9) (d:X e ^ ` = 1); (dX e ^ `  1) ) ` = 1; (dY e _ d:Y e) Message

1

0

C X MX Y MY Time

18

23

36

38

54

-

Fig. 2 Note that the described assumptions do not impose any constraint on the possible value of Y during the rst writer's clock cycle: we assume Y low for whole that period. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

18

We also de ne two additional state variables MX and MY on the basis of X and Y respectively as follows.

8 > < 1 if 9t0: (00 < t ? t0  1) ^0 ((X ([t0 0 ; t)) = 0 ^ X ([t0 ? q; t0)) = 1) _ MX (t) =b > (X ([t ; t)) = 1 ^ X ([t ? q; t )) = 0)) : 0 elsewhere, 8 > < 1 if 9t0: (00 < t ? t0  r) ^0 ((Y ([t00 ; t)) = 0 ^ Y ([t0 ? qr; t0 )) = 1) _ MY (t) =b > (Y ([t ; t)) = 1 ^ Y ([t ? qr; t )) = 0)) : 0 elsewhere, where Z ([a; b)) = v =b 8t 2 [a; b) Z (t) = v with Z a state variable and v 2 f0; 1g. q is a constant that is often chosen to be half size of cell, in our case q = 9.

MX (t) = 1 says that t is in the rst cycle of a mark subcell (therefore of a cell) from the writer's view. On the other hand, the intuitive meaning of MY (t) = 1 is that t is a moment when the

start of a cell can be detected by the reader and it commences to look for next bit. The stability of the signal in intervals [t0 ? q; t0 ) and [t0 ? qr; t0 ) is intended to distinguish an edge denoting the start of a cell from an edge that occurs inside a cell carrying a message bit 1. Fig. 2 illustrates the state variables in the case when the writer sends the message < 1; 0 >. We are now in a position to formulate the properties that ensure the correctness of the BPM protocol. They are the following:

R1 Each bit sent by the writer is faithfully received by the (digital) reader with clock rate r. The bits in the lists are ordered by time. R2 Each bit received by the reader corresponds to a bit sent by the writer.

In other words, requirement R1 establishes an injective mapping from the bits in the list sent by the writer to the bits in the list received by the reader while requirement R2 says that the mapping is surjective. Between them, R1 and R2 give rise to a bijective mapping. These properties can be formalized by following relationships between DC formulas

8a; b; a  b

0 true ; 1 1 0 BB (dMY e ^ dY e ^ ` = r) ; CC ` = 18 ^ CC C B (10) if IX ; [a; b] j= @ dMX e; true ^ A then IY ; [a; b] j=r B BB ` = 10r ; CA @ (dY e ^ ` = r) ; dX e true

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

19

0 true ; 1 1 0 BB (dMY e ^ d:Y e ^ ` = r) ; CC ` = 18 ^ C CC B (11) if IX ; [a; b] j= @ dMX e; true ^ A then IY ; [a; b] j=r B BB ` = 10r ; CA @ (d:Y e ^ ` = r) ; d:X e true

0 true ; 1 1 0 ^ BB (dMY e ^ dY e ^ ` = r) ; CC CC BB d`M=X18e; true ^ B = 10r ; CC (12) if IX ; [a; b] j= B CA @ (dX e ^ ` = 5) ; CA then IY ; [a; b] j=r BB@ `(d: Y e ^ ` = r ) ; (d:X e ^ ` = 13) true 0 true ; 1 0 1 ` = 18 ^ BB (dMY e ^ d:Y e ^ ` = r) ; CC BB dMX e; true ^ CC B CC (13) if IX ; [a; b] j= B CA @ (d:X e ^ ` = 5) ; CA then IY ; [a; b] j=r BB@ `(d=Y e10^r`; = r) ; (dX e ^ ` = 13) true (14) (true ; (dMY e ^ ` < 1) ^ ` = 2 ) 3dMX e (15) dMX e ) `  1 (16) dMY e; d:MY e; dMY e ) `  5 Statements (10), (11), (12), (13) are formalization of requirement R1. In the premise parts, conjunctions of ` = 18 and dMX e; true allow us to lock into an entire cell of the writer's view. The other conjuncts of the premises identify whether the bit of message is 0 or 1. The conclusion parts in these statements eectively simulate the work of the reader. After detection of a mark, it skips 10 cycles and then samples at the next cycle. The bit is recovered by comparison of the sampled signal value with the one at the mark. So, (10) and (11) say that if the writer transmits 0 then the reader can recover 0, while (11) and (12) say the same thing for 1. It is in some sense the \local correctness". At a higher level, we can view whole transmission session as a series of cells connected by a chop operator. In total, (10) - (13) say that the all the bits sent by the writer are recovered by the reader in the same order. We are now concerned with the possibility that \super uous" or \un-authentic" bits may sneak into the receiving list. However, such a possibility is excluded if the three formulas (14), (15), (16) are true. (14) establishes a mapping between a start of a cell in the reader's view represented by dMY e to a start of a cell in the writer's view represented by dMX e. We can imagine, in the time axis, intervals of length 2 where dMY e holds in sux parts. (14) says that in such intervals dMX e must hold somewhere. (15) and (16) in combination make that mapping injective. The truth of (16) implies that the Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

A Model of a Biphase Mark Protocol

20

mentioned intervals of length 2 can not overlap. Truth of (15) implies that dMX e in dierent intervals can not belong to the same cell of the writer's view. Now we will discuss a subtle issue of dierent kinds of semantics that are involved in the proof of correctness of the BPM protocol. Certainly, the ultimate purpose of using the BPM protocol for communication is to recover information by a digital reader. Let us look at this process from the reader's point of view. The signal train denoted by state variable Y is all that is available. Because the asynchronous mode of communication is assumed, the reader does not have any relevant information about the source of that signal train nor the physical characteristics of the transmission medium. Therefore, it does not know about the properties of the signal train itself. What it can extract from \real" state variable Y is only a \digitized" version of Y . The latter is obtained using a digital clock of rate r with the rst tick at arbitrary  with respect to assumed real time. Then, information is recovered by the known algorithm on the basis of the \digitized" version of Y . There is no rich information about the relationship between the clocks of writer and reader except the assumption that the rst tick of the reader's clock takes place during the rst cycle of the writer's clock. So, to describe the writer's behavior from the reader position, continuous semantics should be used. Therefore, to prove statements (10) ? (13) that involve both continuous and sampling semantics, we have to use the trans-semantic technique investigated in previous sections. We proceed using the following thread of reasoning. First we will use (i) the hypothesis that clock rate ratio between writer and reader is within 30% of unity H =b 0:7 < r < 1:3 together with (ii) assumptions about the working mode of the writer - formulas (2) ? (5) and (iii) assumptions about the physical characteristics of communication medium - formulas (6) ? (9) to prove in standard DC the following lemma that gives continuous counterparts of (10) ? (13).

Lemma 3 0 1 0 1 B true ; ` = 18 ^ BB (dMY e ^ dY e ^ ` = r) ; CCC B C (17) CC @ dMX e; true ^ A ) BB ` = 10r ; @ (dY e ^ ` = r) ; A dX e true 0 true ; 1 1 B 0 ` = 18 ^ BB (dMY e ^ d:Y e ^ ` = r) ; CCC C B (18) @ dMX e; true ^ A ) B = 10r ; CC B@ (`d: A d:X e Y e ^ ` = r) ; true

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Discussion

21

1 0 1 0 true ; ` = 18 ^ B CC BBB (dMY e ^ dY e ^ ` = r) ; CCC d M e ; true ^ B X (19) B = 10r ; CC @ (dX e ^ ` = 5) ; CA ) BB@ `(d: A Y e ^ ` = r) ; (d:X e ^ ` = 13) true 0 1 0 1 true ; ` = 18 ^ B CC BBB (dMY e ^ d:Y e ^ ` = r) ; CCC d M e ; true ^ B X (20) B CC @ (d:X e ^ ` = 5) ; CA ) BB@ `(d=Y e10^r`;= r) ; A (dX e ^ ` = 13) true So, these formulas must be true with respect to the continuous semantics of DC. Then, the proof of statements (10) ? (13) con be carried out as follows. From the hypothese of (10) ? (13) and Lemma 3, we conclude that the right hand side formulas in Lemma 3 are true (continuous semantics). Next, based on the results of the previous section on digitization, we conclude the digitizability (with respect to the digital clock of rate r) of the right hand sides of the lemma from their syntax. The proved digitizability ensures the truth equivalence of these formulas with respect to the continuous semantics on one hand and the sampling semantics obtained using the reader's digital clock on the other hand. Finally, the truth of the right hand side formulas of Lemma 3 with respect to the sampling semantics implies the right hand sides of statements (10) ? (13). Showing the digitizability of the mentioned formulas from their syntax is a relatively easy task. Readers interested in the detailed proof of formulas (10) ? (16) are referred to the appendix. Readers who are familiar with [12] will note the dierences between his modeling and what is presented here. One of them is that in our modeling we do not treat phase displacement (the time moment of the rst tick of the reader's clock) individually. Thanks to the power of explicitly expressing intervals oered in DC we are able to consider all possible phase displacements at once by using the ceiling operator as in dMY e; dMX e. We think that this characteristic feature of DC also enables us to \squeeze" the model to get stronger propositions about the clock rate tolerance. In Moore's model \ramp" intervals in which signal is nondeterministic may be exaggerated through the three-pass process from the writer's view to the reader's view depending on possible values of the phase displacement and the rate of reader's clock. But in our model we use state variable D to express this property independently of the reader's clock. In conclusion, we think that by this example we have demonstrated the power of DC in dealing with problems that involve both continuous and discrete presentations of time.

7 Discussion We have treated the discretization of DC formulas by giving some discrete semantic models to DC. The best aspect we can see is the sampling semantics. It gives some ideas on how to derive Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

References

22

a design from a speci cation, and to move closer to implementation in the same language. The worst aspect we can see is the digitizability of DC. In general, we cannot observe the truth of a formula that involves integrals of state expressions or the chop operator. Since programming activities should generally be done in discrete time whereas true analog behavior should use continuous time, our treatments are useful for the designers of real-time systems from their speci cations written in DC. It also shows that DC can be linked with other real-time logics for discrete time such as Interval Temporal Logics [13].

References [1] L. Alur and D. L. Dill, A theory of timed automata, Theoretical Computer Science, 126, 1994,pp. 183-235. [2] P. J. Antsaklis, J. A. Stiver, M. Lemmon, Hybrid system modeling and autonomous control systems, LNCS 736, 1993, pp. 366-392. [3] A. Bouajjani, R. Echahed and R. Robbana, Verifying Invariance Properties of Timed Systems with Duration Variables, Formal Techniques in Real-Time and Fault-Tolerant Systems, LNCS 863, 1994, pp. 193-210. [4] D. Bosscher et al. Veri cation of an Audio Control Protocol, LNCS 863, 1994, pp. 170-192. [5] Z. Chaochen, C. A. R. Hoare, A. P. Ravn, A calculus of durations, Information Processing Letters, 40, 1992, pp. 269-276. [6] Z. Chaochen, A. P. Ravn, M. R. Hansen, Extended Duration Calculus for Hybrid Real-time Systems, LNCS 736, 1993, pp. 36-59. [7] Z. Chaochen, M.R. Hansen and P. Sestoft, Decidability and Undecidability Results for Duration Calculus, In STACS'93, P. Enjalbert, A. Finkel and K.W. Wagner (eds), LNCS 665, Springer-Verlag 1993, pp. 58-68. [8] M.R. Hansen, Model-Checking Discrete Duration Calculus Formal Aspect of Computing, 1994, pp. 826-845. . [9] D.V. Hung and W. Ji, On the design of hybrid control systems using I/O automata, UNU/IIST report, No. 34, 1994. [10] T. Henzinger, Z. Manna, and A. Pnueli, What Good are Digital Clocks?, Springer-Verlag, LNCS 623, 1992. [11] T. A. Henzinger, Z. Manna, A. Pnueli, Towards re ning temporal speci cations into hybrid systems, LNCS, 736, 1993, pp. 60-76. [12] J. S. Moore A formal model of asynchronous communication and its use in mechanically verifying a Biphase Mark Protocol, Formal Aspects of Computing, 6, 1994, pp. 60-91. Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

23

[13] B. Moszkowski, A temporal Logic for Multilevel Reasoning about Hardware, IEEE Computer, Vol. 18, No. 2, 1985, pp. 10-19. [14] A. Nerode, W. Kohn, Models for hybrid systems: automata, topologies, controllability, observability, LNCS 736, 1993, pp. 317-356. [15] X. Nicollin, A. Olivero, J. Sifakis, S. Yovine, An approach to the description and analysis of hybrid systems, LNCS 736, 1993, pp. 149-178. [16] A. Pnueli, Development of Hybrid Systems, Formal Techniques in Real-Time and FaultTolerant Systems, LNCS 863, 1994, pp. 77-8. [17] C. Zong Ji et al. An Abstraction of Hybrid Control Systems, UNU/IIST Technical Report, 1994.

8 Appendix: Proof of Lemma 3 and Formulas (14) ? (16) We sketch in the following the proof of Lemma 3 from (2) ? (9) with the hypothesis that the clock rate ratio is within 30% of unity, or H =b 0:7 < r < 1:3. In the proof we will frequently make use of the Finite Variability assumption and the following equivalence schemes for arbitrary formulas A; B and X .

A ) B , X; A ) X; B A ) B , A; X ) B ; X We denote left and right hand sides of implications by L and R respectively with subscripts. For example, formula (17) is abbreviated to L17 ) R17

Proof of (17) Due to the Finite Variability of C , we have

0 dC e _ 1 BB d:C e _ CC BB dC e; d:C e _ CC L ) L ^B CC BB d:C e; dC e _ @ dC e; d:C e; dC e; true _ CA d:C e; dC e; d:C e; true 17

17

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

24

Distribute L17 ^ over disjunctions, we have

0L BB L BL L )B BB L B@ L

1 ^ dC e _ CC ^ d:C e _ CC ^ dC e; d:C e _ CC ^ d:C e; dC e _ A ^ dC e; d:C e; dC e; true _ C L ^ d:C e; dC e; d:C e; true 17

17

17

17

17

17

17

The rst two disjuncts on the right hand side must be false because L17 ) ` = 18 but dC e ) `  13 and d:C e ) `  5 The 3rd, 5th and 6th disjuncts also must be false because of (6), which says that an edge of variable C from 1 to 0 causes to happen an edge in variable X ,

dC e; d:C e ) dX e; d:X e _ d:X e; dX e: Thus, since L17 ) dX e ^ ` = 18, we have L17 ) L17 ^ d:C e; dC e: Now, from equivalence scheme A ) B , X ; A ) X ; B , we have (L17 ) R17 ) , (` = 13; L17 ) ` = 13; R17 ): It is easy to check that

` = 13; L17 ) (` = 13 ^ dC e); (L17 ^ d:C e; dC e): By (3) and (5) we have (` = 13 ^ dC e); (L17 ^ d:C e; dC e) ) (` = 13 ^ d:X e); (` = 18 ^ dX e): Applying assumptions (6); (7); (8) and (9) we have (` = 13 ^ d:X e); (` = 18 ^ dX e) ) ` = 1; (d:Y e ^ ` = 12); ((dY e _ d:Y e) ^ ` = 1); (dY e ^ ` = 17): Note that hypothesis H : :7 < r < 1:3 means 6:3 < 9r < 11:7 and 8:4 < 12r < 15:6. By the

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

25

de nition of MY we have

0 1 0 1 B ` = 13 ; CC `=1; BB `  1 ; B C (d:Y e ^ ` = 12) ; B CC ) BB (dMY e ^ dY e ^ ` = r) ; CCC : B CC @ ((dY e _ d:Y e) ^ ` = 1) ; A BB ` = 10r ; @ (dY e ^ ` = r) ; A (dY e ^ ` = 17) true

Thus we deduce ` = 13; R17 from ` = 13; L17

Proof of (18) is nearly the same. Proof of (19) By the same argument as used in the proof of (17), we have

0L BB L BL L )B BB L B@ L

1 ^ dC e _ CC ^ d:C e _ CC ^ dC e; d:C e _ CC ^ d:C e; dC e _ A ^ dC e; d:C e; dC e; true _ C L ^ d:C e; dC e; d:C e; true 19

19

19

19

19

19

19

The rst two disjuncts can be shown to be false again by checking the length of intervals in which L19 and dC e (d:C e) can be true. Now we show L19 ^ dC e; d:C e to be false. We have, on one hand, dC e ) `  13 and d:C e ) `  5 on the other hand L19 ) ` = 18. So

L19 ^ dC e; d:C e ) L19 ^ (dC e ^ ` = 13); (d:C e ^ ` = 5): But then by using (3) and (4) we have (dC e ^ ` = 13); (d:C e ^ ` = 5) )

((dX e _ d:X e) ^ ` = 13) ; ((dX e _ d:X e) ^ ` = 5)

!

The latter contradicts L19 that requires (dX e ^ ` = 5); (d:X e ^ ` = 13.

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

26

Next, we show L19 ^ dC e; d:C e; dC e; true must be false. We have

1 0 ((dX e _ d:X e) ^ ` > 0) ; dC e; d:C e; dC e; true ) B @ ((dX e _ d:X e) ^ ` = 5) ; CA ((dX e _ d:X e) ^ ` < 13) The latter again contradicts L19 . By similar argument we have L19 ^ d:C e; dC e; d:C e; true must be false. So, we have L19 ) L19 ^ d:C e; dC e. Since d:C e ) `  5 and dC e ) `  13, we have

L19 ) L19 ^ (d:C e ^ ` = 5); (dC e ^ ` = 13): Similar to the proof of (17) by using the equivalence scheme, we have (L19 ) R19 ) , (` = 13; L19 ) ` = 13; R19 ): It is easy to check that

` = 13; L19 ) (` = 13 ^ dC e); (L19 ^ (d:C e ^ ` = 5); (dC e ^ ` = 13): From (3) and (4) we have

0 1 0 1 (` = 13 ^ dC e) ; (` = 13 ^ d:X e) ; B @ (L ^ (d:C e ^ ` = 5) ; CA ) B@ (dX e ^ ` = 5) ; CA : (dC e ^ ` = 13) (d:X e ^ ` = 13) 19

Using (6); (7); (8) and (9) we have

0 `=1; 1 CC 1 BB (` = 12 ^ d:Y e) ; 0 (` = 13 ^ d:X e) ; B CC ( ` = 1 ^ ( d: Y e _ d Y e )) ; B C B ) ( d X e ^ ` = 5) ; B CC : A B (` = 4 ^ dY e) ; @ B (d:X e ^ ` = 13) @ (` = 1 ^ (d:Y e _ dY e)) ; CA (` = 12 ^ d:Y e) Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

27

With the hypothesis about r: :7 < r < 1:3, from the de nition of MY we have

0 `=1; 1 0 1 true ; B C (` = 12 ^ d:Y e) ; B CC BB (dMY e ^ dY e ^ ` = r) ; CC B ( ` = 1 ^ ( d: Y e _ d Y e )) ; B CC ) BB ` = 10r ; CC : B B B C CA ( ` = 4 ^ d Y e ) ; B (d:Y e ^ ` = r) ; @ (` = 1 ^ (d:Y e _ dY e)) ; CA @ true (` = 12 ^ d:Y e) Thus we conclude R19 from L19 .

Proof of (20) is similar. To prove (14) we need a lemma

Lemma 4 (` = 1); (dY e ^ ` = a); (d:Y e ^ ` = b) ) (`  1 + a ^ dX e); d:X e; where a; b are constants and a + b < 1. Proof

We are going to prove (` = 1); (dY e ^ ` = a); (d:Y e ^ ` = b) ) ((`  1 + a ^ dX e); d:X e). Let D1 =b (` = 1); (dY e ^ ` = a); (d:Y e ^ ` = b). We have D1 ) D1 ^ `  2. Due to the Finite Variability, we have

`  2 ) dX e_d:X e_dX e; d:X e_d:X e; dX e_dX e; d:X e; dX e; true _d:X e; dX e; d:X e; true : Distributing D1 ^ over the disjunction, we have

0 (D BB (D B (D D )B BB (D B@ (D

^ d:X e; dX e; d:X e; true ) _ 1 ^ dX e; d:X e; dX e; true ) _ C CC ^ dX e) _ CC CC ^ d:X e) _ A ^ d:X e; dX e) _ (D ^ dX e; d:X e) 1

1

1

1

1

1

1

We will now eliminate the rst ve disjuncts in the left hand side by showing that each of them must be false . For D1 ^ d:X e; dX e; d:X e; true , we have on one hand D1 ) `  2, but on the other hand d:X e; dX e; d:X e; true ) `  5: The later can be proved easily from (2) ? (4). So, Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

28

by combining both implications we have D1 ^ d:X e; dX e; d:X e; true ) false . For the same reason, D1 ^ dX e; d:X e; dX e; true must be false . To prove that D1 ^ dX e must be false we note that, because of (5), stability of X in a interval of length 1 + a + b implies that Y should be stable in the sux interval of length a + b. But the interval in which D1 is true has a Y -edge in that sux. The contradiction shows that D1 ^ dX e must be false . By the same argument we have D1 ^ d:X e evaluated to false . Finally, we have to show that D ^ d:X e; dX e must be false . We have (d:X e; dX e) ^ `  2 ) d:Y e; dY e _ d:Y e. However, from D we have a subinterval where Y = 1 followed by Y = 0. 1

1

Thus, after elimination of false disjuncts we have D1 ) D1 ^ dX e; d:X e. Now, let c be a constant such that D1 ) D1 ^ ((dX e^ ` = c); d:X e), we will prove that c  1+ a. Suppose otherwise c > 1 + a, we would have ((dX e ^ ` = c); d:X e) ) ` = 1 + a; dY e; true : The right hand side contradicts D1 . Thus, Lemma 4 is proved.

Proof of (14)

(true ; (dMY e ^ ` < 1) ^ ` = 2 ) 3dMX e: By the de nition of MY , we can choose a constant a such that a  r, a < 1 and (true ; (dMY e ^ ` < 1)) ^ ` = 2 ) d:Y e; (dY e ^ ` = a) or

(true ; (dMY e ^ ` < 1)) ^ ` = 2 ) dY e; (d:Y e ^ ` = a): Let consider the rst case (the second one is exactly similar). Again from the de nition of MY we have

` = 9r + a ? 2; ((true ; (dMY e ^ ` < 1) ^ ` = 2) ) (d:Y e ^ ` = 9r); (dY e ^ ` = a): Further, we can choose an arbitrarily small constant b such that a + b < 1. To be illustrative let b = :1, we have (d:Y e ^ ` = 9r); (dY e ^ ` = a) ) (d:Y e ^ ` = 9r ? 1:1); ` = 1; d:Y e ^ ` = :1); (dY e ^ ` = a): Applying Lemma 4 for ` = 1; d:Y e ^ ` = :1); (dY e ^ ` = a) we have (d:Y e ^ ` = 9r ? 1:1); ` = 1; d:Y e ^ ` = :1); (dY e ^ ` = a) ) d:Y e ^ ` = 9r ? 1:1); d:X e; dX e: Due to Finite Variability, we have

` = 9r ? 1:1 ) d:X e _ dX e _ true ; d:X e; dX e _ true ; dX e; d:X e: With 5:2 < 9r ? 1:1 < 10:6, we can easily check the following: Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau

Appendix: Proof of Lemma 3 and Formulas (14) ? (16)

29

1. d:Y e ^ dX e ^ ` = 9r ? 1:1 must be false because dX e ^ ` > 1 ) true ; dY e, 2. d:Y e ^ (true ; dX e; d:X e) ^ ` = 9r ? 1:1 must be false because dX e; d:X e ) dY e; true . We have (d:Y e ^ ` = 9r ? 1:1); d:X e; dX e )

(d:X e ^ `  9r ? 1:1); dX e _ (d:Y e ^ (true ; d:X e; dX e) ^ ` = 9r ? 1:1); d:X e; dX e

!

For the second disjunct of the conclusion we have

0 1 0 1 ((d:Y e ^ (true ; d:X e; dX e) ^ ` = 9r ? 1:1) ; (` = 9r ? 1:1 ^ d:Y e); d:X e; dX e ^ B CA ) B@ (` = 9r ? 1:1 ^ (true ; d:X e; dX e)) ; CA @ d:X e ; dX e) d:X e; dX e Since d:X e; dX e; d:X e ) l  5 we can choose c  5 such that

0 1 1 0 (` = 9r ? 1:1 ^ (true ; d:X e; (dX e ^ ` = c)) ; (` = 9r ? 1:1 ^ (true ; d:X e; dX e)) ; B CA CA ) B@ d:X e ; @ d:X e ; dX e dX e Further, we have (dX e ^ `  5) ) 3dY e. So (` = 9r ? 1:1 ^ (true ; d:X e; dX e)); d:X e; dX e ) (` = 9r ? 1:1 ^ 3dY e); d:X e; dX e: Therefore, ((d:Y e^ (true ; d:X e; dX e) ^ ` = 9r ? 1:1); d:X e; dX e) must be false. By eliminating the false disjunct, we have (d:Y e ^ ` = 9r ? 1:1); d:X e; dX e ) (d:X e ^ `  9r ? 1:1); dX e: Moreover, (d:X e^`  9r?1:1) can not be a part of X -stable interval of length 5; it must be a part of X -stable interval of length 13. So (d:X e^ ` = 9r ? 1:1); dX e ) (d:X e^ ` = 9r ? 1:1); dMX e. Thus, (14) is proved.

Proof of (15) and (16) are inferred directly from de nitions of MX and MY .

Report No. 50, February 28, 1997

UNU/IIST, P.O. Box 3058, Macau