Embedding Time Granularity in Logical Specifications of Real-Time Systems
A. Montanari, E. Ratto, E. Corsetti
CISE - Tecnologie Innovative, SPA 20090 Segrate (Milano), Italy
A. Morzenti
Politecnico di Milano 20133 Milano, Italy
Abstract
The paper extends the TRIO logical specification formalism with the notion of time granularity. Such an extension provides the specifier with the ability of dealing with different time granularities within a single specification. It allows one to maintain the description of the dynamics of processes that evolve according to different time constants as separate as possible. It also makes it possible to model the dynamics of a given process with respect to different time scales. The paper first introduces time granularity in a completely general way, that is, it defines the weakest semantics of time granularity. Then a number of possible specializations of such a semantics taking into account both common-sense and domain-specific knowledge are identified. They result in a taxonomic classification of predicates that makes the formalism more expressive and easier to use.
1 Introduction
A joint research project on the definition of an executable formalism for the specification of real-time systems was started in 1987 by CISE and Politecnico di Milano¹. In this paper we present how to embed the notion of time granularity in the specification language. Such an extension provides the specifier with the ability of dealing with different time granularities within a single specification. During the first phase of the research we defined a specification language, named TRIO. It is a first-order logical formalism, augmented with temporal operators and a metric on time [Mor89], [MRRZ89], [GMM90]. It has a rigorous model theoretic semantics that provides a sound basis for the executability of specifications. According to the formal definition of the semantic interpretation of TRIO formulae, we implemented a prototype TRIO-based specification environment that supports the activity of verifying and validating specifications [MMRR89]. TRIO has proved to be an invaluable specification tool, since it combines the rigour and the precision of formal methods with the expressiveness and naturalness of first order and modal logic. However, the use of TRIO for the specification of large and complex systems has shown its major flaw. As originally defined, TRIO presents the lack of structure of every "pure" logical formalism. In particular, it is endowed with a flat temporal domain that constrains the user to specify a system with respect to a unique time granularity. To remove this limitation, we developed an object oriented framework on TRIO [CMMR89]. It endows the specification language with the notions of modularity and abstraction. Moreover, it allows both local and partial proofs taking into account the stratified structure of object oriented specifications. Finally, it supports an incremental, top-down approach to the specification activity through a step-wise refinement process [CMR90a], [CMR90b]. Such a methodology allows one to verify the consistency and the adequacy of specifications at each step of their incremental development.
This paper focuses on time granularity. It allows one to specify the temporal behaviour and the required properties of the whole system and of its components with respect to different time scales. In such a way the description of the dynamics of processes that evolve according to different time constants can be maintained as separate as possible. Moreover, the dynamics of a given process can be modeled with respect to different time scales. Let us consider, as an example, the specification of a pondage power station. The temporal evolution of the level of the basin depends on at least three different processes that evolve according to very different time scales: the flow of water whose time scale is day; the opening and the closing of the sluice gates whose time scale is minute; the electronic control whose time scale is microsecond. Moreover, the same process can be described with respect to different time scales depending on whether it is considered as a whole or as a compound process. For instance, the sluice gate opening is described as a whole with respect to the time scale of minute, while it can be decomposed into component subprocesses with respect to the time scale of second.
TRIO does not take into account time granularity. It constrains the specifier to describe the whole system with respect to the finest time scale. For instance, in the TRIO specification of a pondage power station the flow of water should be described with respect to the time scale of microsecond. To overcome the flatness of TRIO, we replace the original notion of temporal domain by the notion of temporal universe. Then we introduce multisorted temporal terms to qualify predications with respect to time granularity. Finally, we define the semantics and the executability of the extended language by translating it into TRIO. The rationale of the introduction of time granularity in real-time system specifications together with the identification of the main representational requirements it imposes are presented in detail in [CMR91]. The modifications to be done to TRIO to embed it with time granularity and their preliminary formalization are given in [CMMR91]. Both [CMR91] and [CMMR91] deal with time granularity in a completely general way, that is, they define the weakest semantics of time granularity. In this paper, we first briefly present the syntax, semantics and executability of TRIO, then we describe the syntax and semantics of the extended language TRIO# embedding time granularity. We also identify a number of possible specializations of the weakest semantics of time granularity taking into account both commonsense and domain-specific knowledge. Such specializations result in a taxonomic classification of the predicate set that makes the language more expressive and easier to use.
¹ The research is funded by the Automatica Research Center (CRA) of the Electricity Board of Italy (ENEL) and, from June of 1989, partially by the National Research Council of Italy (CNR), within the National Project on Parallel Machines and Computer Science.
0-8186-2212-1/91/0000/0088$01.00 © 1991 IEEE
2 The Logical Specification Formalism
TRIO is a typed first order language, augmented with temporal operators and a metric on time. According to the Linear Temporal Logic approach, TRIO is endowed with a totally ordered temporal domain and its temporal operators allow one to talk about the truth and the falsity of predications at time instants different from the current one that is left implicit [Pnu81], [I 0 A Pnfr(L,fl)A ALastsi,e(TL,tl)A Lastse,e(TL,At,, - t l ) ) ] ~ j
the formulae obtained by applying temporal operators. That is, if F is a TRIO formula and t is a temporal term, then Futr(F, t) and Past(F, t) are TRIO formulae too. The intuitive semantics of these formulae is that they hold at the current instant if and only if F holds at a temporal distance t in the future and in the past, respectively. From TRIO temporal operators we can derive a number of other ones, including:
$$
\begin{aligned}
\mathit{AlwFutr}(F) &\stackrel{def}{=} \forall t\,(t > 0 \rightarrow \mathit{Futr}(F, t)) \\
\mathit{SomFutr}(F) &\stackrel{def}{=} \neg \mathit{AlwFutr}(\neg F) \\
\mathit{Lasts}_{e,e}(F, t) &\stackrel{def}{=} \forall t'\,(0 < t' < t \rightarrow \mathit{Futr}(F, t')) \\
\mathit{Sometimes}(F) &\stackrel{def}{=} \mathit{SomPast}(F) \lor F \lor \mathit{SomFutr}(F) \\
\mathit{Always}(F) &\stackrel{def}{=} \mathit{AlwPast}(F) \land F \land \mathit{AlwFutr}(F) \\
\mathit{Until}(F_1, F_2) &\stackrel{def}{=} \exists t\,(\mathit{Futr}(F_2, t) \land \mathit{Lasts}_{e,e}(F_1, t))
\end{aligned}
$$
where F, F1 and F2 are TRIO formulae and t and t′ are TRIO terms denoting temporal distances. AlwFutr(F) says that F will be true in any future instant; SomFutr(F) says that F will be true in at least one instant in the future; Lasts(F, t) says that F will be true in each instant in the future at a temporal distance lower than t from the current one; Sometimes(F) says that there exists at least one instant over which F holds; Always(F) says that F holds in every instant of the temporal domain; Until(F1, F2) says that F2 will be true in the future and till then F1 will be true. A specification C of a real-time system is a classically and temporally closed TRIO formula, i.e. a formula with no time independent free variables. Let us consider, as an example, the TRIO specification of a communication channel that delays the output of a time interval of width t with respect to the input and that neither produces nor loses messages:
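The derived operators AlwFutr, SomFutr, Lasts, Until, Sometimes and Always can be evaluated mechanically over a finite history. The following is an added example, not code from the paper or from the TRIO environment. It assumes a finite integer temporal domain, and the channel formula in `channel_spec` is this example's own formalization of the prose description of the delaying channel, not the paper's formula.

```python
# Assumptions of this example (not from the paper): the temporal domain is the
# finite set {0..n-1}; a history is a list holding the set of atoms true at each
# instant; Futr/Past are false when the target instant is outside the domain;
# quantified distances range over positive values that stay inside the domain.

def atom(p): return lambda h, i: p in h[i]
def neg(f): return lambda h, i: not f(h, i)
def conj(f, g): return lambda h, i: f(h, i) and g(h, i)
def disj(f, g): return lambda h, i: f(h, i) or g(h, i)
def impl(f, g): return lambda h, i: (not f(h, i)) or g(h, i)

def futr(f, t): return lambda h, i: 0 <= i + t < len(h) and f(h, i + t)
def past(f, t): return lambda h, i: 0 <= i - t < len(h) and f(h, i - t)

def alw_futr(f):    # AlwFutr(F) = forall t (t > 0 -> Futr(F, t))
    return lambda h, i: all(futr(f, t)(h, i) for t in range(1, len(h) - i))
def alw_past(f):    # mirror image of AlwFutr
    return lambda h, i: all(past(f, t)(h, i) for t in range(1, i + 1))
def som_futr(f): return neg(alw_futr(neg(f)))    # SomFutr(F) = not AlwFutr(not F)
def som_past(f): return neg(alw_past(neg(f)))

def lasts(f, t):    # Lasts(F, t) = forall t' (0 < t' < t -> Futr(F, t'))
    return lambda h, i: all(futr(f, u)(h, i) for u in range(1, min(t, len(h) - i)))
def until(f1, f2):  # Until(F1, F2) = exists t (Futr(F2, t) and Lasts(F1, t))
    return lambda h, i: any(futr(f2, t)(h, i) and lasts(f1, t)(h, i)
                            for t in range(1, len(h) - i))
def sometimes(f): return disj(som_past(f), disj(f, som_futr(f)))
def always(f): return conj(alw_past(f), conj(f, alw_futr(f)))

def channel_spec(delay):
    # This example's own formalization of the channel described in prose (an
    # assumption, not the paper's formula): each input is output exactly `delay`
    # instants later, and each output was input exactly `delay` instants earlier.
    return always(conj(impl(atom("in"), futr(atom("out"), delay)),
                       impl(atom("out"), past(atom("in"), delay))))

# Constructed histories: one set of true atoms per instant.
GOOD = [{"in"}, set(), {"out"}, {"in"}, set(), {"out"}, set()]
LOST = [{"in"}, set(), {"out"}, {"in"}, set(), set(), set()]   # second message lost
SPURIOUS = [set(), {"out"}, set(), set()]                      # output never input

def check(history, delay=2):
    # Always(...) has the same value at every instant, so instant 0 is used.
    return channel_spec(delay)(history, 0)

if __name__ == "__main__":
    print(check(GOOD), check(LOST), check(SPURIOUS))
```

A history passes only if every instant satisfies both implications, so a lost message and a spurious output are each rejected by a different conjunct.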
Figure 7: Continuous and Pervasive. The formal definition of the relevant specialization INTSEC:,j is the following:
INTSEC:,,(L) 0
0
gf[Lastsi,i(L,A,,] - l ) ] ~ ,
Discrete with an upper bound. The projection of the literal L holds over a bounded sequence of intervals included into d , ] ( t ) and the summation of their length does not exceed a given upper bound (Figure 10).
Continuous and not pervasive. The projection of the literal L holds over a time interval included into the interval $Jt,,(t) (Figure 8).
Figure 10: Discrete with an Upper Bound. The formal definition of the relevant specialization INTSEC;, is the following:
Figure 8: Continuous and not Pervasive. The formal definition of the relevant specialization INTSEC;, is the following:
In such a way we obtain a categorization of predicates according to their behaviour under temporal projection that presents some similarity with the classification of temporal propositions given by Shoham [Sho88]. Such a categorization allows us to introduce and characterize primitive ontological concepts such as event, property, fact and process in terms of their temporal projection. Notice, however, that the categorization of predicates is not absolute, but depends on the specific domains. For instance, a predicate which is punctual with respect to a given pair of domains may be continuous and pervasive with respect to another pair of domains.
4 Conclusion and Future Work
We discussed the problems related with embedding time granularity in logic specifications of real-time systems, and presented an approach that refers to the temporal logic language TRIO. First we generalized TRIO's temporal domain by transforming it into a temporal universe which includes a linearly ordered set of temporal domains. Then we defined the constraints to be imposed on the relations among the domains of the temporal universe, and on the function that maps points of coarse-grained temporal domains and corresponding sets of points in the more finely grained domains. The syntax of TRIO was extended, yielding a language called TRIO#, in order to include multisorted temporal terms which allow (sub)formulae to possess a variety of time granularities. We expressed the relation between the interpretation of predicates in adjacent temporal domains in a very general way, using a flexible and parametric notation, in terms of a translation of TRIO# at one given granularity level into corresponding formulae to be evaluated at the immediately lower level. This translation mechanism was defined in a compositional way, and can be easily adapted to express, for example, the property of a predicate to be continuous or discontinuous with respect to a change in time scale, or to adequately characterize strong or weak semantics for negation. The presented approach is admittedly still preliminary and incomplete. Much work remains to be done in defining in complete detail the syntax of the new language and in evaluating the ultimate consequences of the compositional translation mechanism adopted to assign a meaning to formulae of TRIO#. We also intend to exploit the increased expressiveness and naturalness of the resulting language to define a methodology that supports the development of specifications for real-time systems by means of a top-down refinement process, where the system is described at increasing levels of detail that are coupled with descriptions of the temporal aspects at finer granularity levels. Another line of research involves the use of the different time scales embedded in TRIO# specification to support effective execution methods with the purpose of early prototyping and verification. For what concerns executability, the definition of TRIO#'s semantics via translation into TRIO has a beneficial consequence: at least in principle, TRIO# specifications can be executed by means of an interpreter of the kernel TRIO language coupled with a "compiler" of the new TRIO# language into TRIO. Of course, in practice one would use optimized ad hoc interpreters to better exploit information included in TRIO#'s specifications in order to avoid that the interpreter performs unnecessary, redundant computations at the finer levels of granularity.
References
[AuKe86] RT-ASLAN: A Specification Language for Real-Time Systems, Auernheimer, B., Kemmerer, R., IEEE TSE, vol. SE-12, no. 9, September 1986.
[BeMa77] A Course in Mathematical Logic, Bell, J., Machover, M., North-Holland, 1977.
[BPM83] The Temporal Logic of Branching Time, Ben-Ari, M., Pnueli, A., Manna, Z., Acta Informatica, 1983.
[ClRa88] A Simple, General Structure for Temporal Domain, Clifford, J., Rao, A., in Temporal Aspects in Information Systems, Rolland, C., Bodart, F., and Leonard, M. (Editors), Elsevier Science Publishers B.V. (North-Holland), IFIP 1988.
[CMMR89] An Object Oriented Framework Based on a Logic Formalism for an Executable Specification of Real-Time Systems, Corsetti, E., Meda, R., Montanari, A., Ratto, E., AICA Working Days on Temporal Validation of Real-Time Software, Napoli-Portici, September 1989.
[CMR90a] A Methodology for an Incremental, Logical Specification of Real-Time Systems, Corsetti, E., Montanari, A., Ratto, E., Proc. 2nd IEEE Euromicro Workshop on Real-Time Systems 1990, Horsholm, Denmark, May 1990.
[CMR90b] A Methodology for Real-Time System Specifications based on Knowledge Representation, Corsetti, E., Montanari, A., Ratto, E., Proc. Computational Intelligence 1990, Milano, Italy, September 1990.
[CMR91] Dealing with Different Time Granularities in Formal Specification of Real-Time Systems, Corsetti, E., Montanari, A., Ratto, E., REAL-TIME SYSTEMS, Vol. III, Issue 2, June 1991.
[CMMR91] Time Granularity in Logical Specifications, Corsetti, E., Montanari, A., Morzenti, A., and Ratto, E., Proc. 6th Italian Conference on Logic Programming, Pisa, Italy, June 1991.
[Gal87] The Logic of Occurrence, Galton, A., in Galton, A. (Ed.), Temporal Logics and their Applications, Academic Press, 1987.
[GGMM87] On the Specification of Real-Time Systems Using Logic Programming, Garzotto, F., Ghezzi, C., Mandrioli, D., Morzenti, A., Proc. 1st European Software Engineering Conference, Strasbourg, LNCS 289, Springer Verlag, 1987.
[GiWa89a] Abstract Theorem Proving, Giunchiglia, F., Walsh, T., Proc. 11th IJCAI, Detroit, USA, 1989.
[GiWa89b] Abstracting into inconsistent spaces (Or, the "false proof" problem), Giunchiglia, F., Walsh, T., Proc. 1st Conference of the Italian Association for Artificial Intelligence (AI*IA), Povo (TN), Italy, 1989.
[GMM90] TRIO, a Logic Language for Executable Specifications of Real-Time Systems, Ghezzi, C., Mandrioli, D., Morzenti, A., The Journal of Systems and Software, June-July, 1990.
[GrMC89] A Computational Framework for Granularity and its Application to Educational Diagnosis, Greer, J., McCalla, G., Proc. 11th IJCAI, Detroit, USA, 1989.
[HaAl87] Short Time Periods, Hayes, P. J., Allen, J. F., Proc. 10th IJCAI, Milano, Italy, 1987.
[Hob85] Granularity, Hobbs, J. R., Proc. 9th IJCAI, Los Angeles, USA, 1985.
[JaMo86] Safety Analysis of Timing Properties of Real-Time Systems, Jahanian, F., Mok, A. K., IEEE TSE, vol. SE-12, no. 9, September 1986.
[I
[MRRZ89] TRIO, a Logic Formalism for the Specification of Real-Time Systems, Morzenti, A., Ratto, E., Roncato, M., Zoccolante, L., Proc. 1st IEEE Euromicro Workshop on Real-Time Systems 1989, Como, Italy, May 1989.
[Pla81] Theorem Proving with Abstraction, Plaisted, D., Artificial Intelligence, 16, 1981.
[Pnu81] The Temporal Semantics of Concurrent Programs, Pnueli, A., Theoretical Computer Science, 13, North-Holland, 1981.
[ReUr71] Temporal Logic, Rescher, N., Urquhart, A., Springer Verlag, Wien-New York, 1981.
[Sho88] Reasoning about Change: Time and Causation from the Standpoint of Artificial Intelligence, Shoham, Y., MIT Press, 1988.
[Wol83] Temporal Logic Can Be More Expressive, Wolper, P., Information and Control 56, 1983.