Linking Duration Calculus and TLA

Transcription

1 Linking Duration Calculus and TLA Yifeng Chen and Zhiming Liu Department of Computer Science, University of Leicester, Leicester LE1 7RH, UK {Y.Chen, Abstract. Different temporal logics tend to emphasise on different aspects of a hybrid system. In this paper, we study the predicative interpretation of Duration Calculus (DC) and Temporal Logic of Actions (TLA) and the relationship between them. A notation called generic composition is used to simplify the manipulation of predicates. The modalities of possibility and necessity become generic composition and its inverse of converse respectively. The transformation between different temporal logics is also characterised as such modalities. Formal reasoning is carried out at the level of predicate calculus and supported by the higher-level laws of generic composition and its inverse. The formalism provides a framework in which human experience about hybrid system development can be formalised as refinement laws. In the case studies of water pump controlling, the requirements about high-level durational properties are first specified in DC and then refined to more concrete TLA specifications that describe the discrete behaviour of the controller through refinement laws. 1 Introduction A hybrid system consists of both continuous components that observe continuous physical laws and discrete components that execute digital instructions. Hybrid systems inevitably involve time as an observable and can be naturally specified using temporal logics. Different temporal logics tend to emphasise on different aspects of a hybrid system. For example, interval logics such as Duration Calculus (DC) [13], emphasising on properties over intervals, are more suitable for describing high-level continuous properties and hence closer to the continuous aspects of hybrid systems. On the other hand, Linear Temporal Logics (LTL) [], emphasising on the properties of states at discrete time points, are more suitable for modelling discrete aspects of hybrid systems and can be easily verified with timed automata [9]. A straightforward specification in one logic may become less intuitive in another logic. In the past, all aspects of a hybrid system are normally specified in one logic [, 1]. Traditional method of combining logics is to collect all syntactical constructs together and identify the axioms of the system. This usually results in a complicated axiomatic system difficult to handle. For example, the design of a hybrid system may involve an abstract specification of the requirements in DC and a concrete LTL specification that describes the behaviour of the system of implementation. Existing development techniques do not support such refinement. A more natural approach is to unify the different logics at another common (i.e. semantic) level. Predicative interpretation is a standard technique in modal logic [1, 1]. Each proposition with modal operators can be represented as a predicate. The modality of possibility (or necessity) is defined with an existential (or universal) quantifier. Predicates are also used in semantic modelling of programming languages. This approach is often known as predicative semantics [3, 5] in which each program is represented as a predicate. Combinators of programs become operators on predicates. In this paper, we will interpret modal/temporal logics using predicative semantics and reason about the relationships between them at this level.

2 Predicative semantics is observation-based. A predicate can be interpreted as a set of possible observations on the observables (i.e. logical variables). A program combinator is relational if it distributes universal disjunction (i.e. non-deterministic choice). All common combinators are relational in observation-based semantics. In order to manipulate predicates and their operators flexibly at higher level of abstraction, we use a notation called generic composition []. A generic composition is a relational composition with a designated interface consisting of several logical variables. The specification of a system usually involves a large number of modalities of different temporal logics. Each temporal logic emphasises on a particular aspect of the system, and therefore its modalities may be related to only some logical variables in the predicative semantics. This is why generic composition with a restricted interface is more convenient than relational composition. Generic composition has an inverse operator. With the help of the two higher-level operators, we no longer need the existential and universal quantifiers. The modality of possibility then becomes a generic composition, while the modality of necessity becomes its inverse of converse. The link between two specifications in different temporal logics can be characterised as a pointwise relation between the possible observations of the specifications. Such a pointwise relation also determines a pair of modalities and can be defined with a generic composition and its inverse. The integration of different temporal logics will not be useful unless we provide the knowledge about how specifications in one logic can be approximated or refined by specifications in another logic. Such knowledge can be formalised as the refinement laws of modalities. Identifying these laws is the key task of any real application. In this paper, we will demonstrate this by studying the refinement from DC specifications to TLA implementations. As we explained before, DC is natural in describing high-level duration properties of continuous part of a hybrid system. Schenke and Olderog [11] studied the direct refinement transformation from DC to a language similar to CSP []. Since the gap between DC and TLA specifications is smaller than that between DC and a real programming language, the refinement relationship between temporal logics enjoys stronger algebraic properties. Once TLA implementations are obtained, many model-checking tools can then be applied for verification. Section studies the predicative semantics of modal logic using the notation of generic composition and its inverse. Section 3 discusses several well-known temporal logics and the relationships between them. The technique is then applied to the case studies in Section. Predicative interpretation of modal logics Manipulating predicates We assume that there are two types of logical variables: non-overlined variables such as x, y, z, and overlined variables such as x, y, z,. Overlining is purely syntactic and is used to associate logical variables. We use a notation called generic composition [] to manipulate predicates. A generic composition is a relational composition with a designated interface of non-overlined variables. Def 1 P : x R = z P[z/x] R[z/x]. A fresh variable z is introduced to connect x of P and x of R and is hidden by the existential quantifier. Generic composition is a restricted form of relational composition. It relates two predicates on only some of their logical variables. For example, the following composition relates two predicates on only x (and x): (x=1 y =): x (x x z =3) = (x 1 y = z =3).

3 Existential quantifier x P is simply represented as P : x true, and variable substitution P[e/x] as P : x (x =e). An interface x may split into a tuple of variables, e.g. (y, z). For example, the generic composition P : (y, z) true is the same as the predicate y z P. If the tuple is empty, a generic composition becomes a conjunction: P : R = P R. Generic composition has an inverse operator denoted by P / x R, which is the weakest predicate X such that (X : x R) P. It can be defined by a Galois connection: Def X P / x R iff X : x R P for any predicate X. Generic composition and its inverse satisfy a property: P / x R = ( P : x R) where R = R[x, x/x,x] is the converse of R for the variable x. Universal quantifier x P can then be written as P / x true. Negation P becomes false / P whose interface is empty. Implication P Q becomes Q / P. Disjunction P Q is a trivial combination of negation and implication. Thus all connectives, substitution and quantifiers become special cases of generic composition and its inverse []. Theorem 1 Generic composition and its inverse are complete in the sense that any predicate that does not contain overlined free variables can be written in terms of generic composition and its inverse using only the constant predicates and predicate letters. The theorem shows the expressiveness of generic composition for predicate manipulation. Generic composition and its inverse form a Galois connection and satisfy the algebraic laws of strictness, distributivity and associativity. Law 1 (1) A (A: x R)/ x R (3) false : x R = false (5) A: x (R S) = (A: x R) (A: x S) (7) A/ x (R S) = (A/ x R) (A/ x S) (9) (A: x R): x S = A: x (R : x S) () (A/ x R): x R A () true / x R = true () (A B): x R = (A: x R) (A: x R) () (A B): x R = (A: x R) (A: x R) (1) (A/ x R)/ x S = A/ x (S : x R). The notation is especially useful when the interfaces of the operators in a predicate are not identical. In the following laws we assume that x, y and z are three different logical variables, A = z A and C = y C. Law (1) A: x C = A: (x,y) (y =y C) () A/ x C = A/ (x,y) (y = y C) (3) (A: (y,x) B): (x,z) C = A: (y,x) (B : (x,z) C) In this paper, we will use generic composition and its inverse to define modalities. These properties make the composition a useful technical tool for linking temporal logics. Generic composition has also been applied to define a variety of healthiness conditions and parallel compositions. A series of other laws can be found in []. In general, a specification is a predicate on a modal variable (e.g. x) and an auxiliary variable (e.g. y). Initially, the variables are left untyped. For a logic in a particular domain, these logical variables can be typed. A logical variable may split into several ones, and its type becomes the product of several types. The semantic space is the set of all such specifications (e.g. denoted by A). An accessibility relation R is denoted by a predicate R = R(x, x) on two variables, the modal variable x and the overlined modal variable x. Each accessibility relation determines a pair of modalities. Def 3 A P = P : x R and A P = P / x R.

4 A P informally means that the predicate P may be true and is defined as a generic composition of the specification P and the converse relation R; its dual modality A P informally means that the predicate P must be true is defined with an inverse operator. The transformation between two temporal logics also becomes modalities. Let A (or B ) be a semantic space of specifications, each of which is a predicate on modal variable x (or x ) and auxiliary variable y (or y ). The transformation from A to B is characterised as a predicate T(x, y, x, y ) on four variables. The predicate determines a transformer modality from A to B and a corresponding inverse transformer from B to A. Def A B P = P : (x,y) T and B A P = P / (x,y) T. We now identify some of the laws that will be used in our later case studies. A transformer and its inverse form a Galois connection and therefore satisfies the following laws. Law 3 (1) A B P Q iff P B A Q (for any P and Q) () A B B A A B P = A B P (3) B A A B B A P = B A P. If the transformer predicate T = (x =f(x, y ) y =g(x, y )) is determined by (possibly partial) surjective functions, the modalities form a Galois embedding, and the transformer A B distributes conjunction. Law (1) B A A B P = P () A B (P Q) = A B P A B Q. If the accessibility relations of A and B satisfy a kind of monotonicity condition that for any y, R A (x, x) R B (f(x, y), f(x, y)), then the transformer and the modalities of necessity become commutative. Law 5 B A B P = A B A P. 3 Examples of temporal logics Real time A real-time specification is a predicate P = P(t, s) on a typed modal variable t [, ] that denotes time and an untyped auxiliary variable s that denotes the system s state at the time. We let T denote the space of such specifications. For example, the following real-time specification states that if a time period is not longer than 3, the value of the auxiliary variable s is bounded by : t 3 s. (1) Here we are interpreting t as the lapse of time. We may also interpret t as an absolute time point. The specification t 3 s then states that for any time before 3, the value of s is bounded by. Real-time logic is not concrete enough to distinguish the two different interpretations. The modality T P informally means that the predicate P may be true sometime in the future and is defined as a generic composition; its dual modality T P informally means that the predicate P must be true any time is defined with an inverse operator. Def 5 T P = P : t (t t) and T P = P / t (t t). Thus we have T (t 3 s ) = (t 3 s ) and T (t 3 s ) = (s ).

5 Real-time intervals In some applications, we are interested in temporal properties over a period of time and thus need to reason about temporal intervals. Let I denote the set of intervals, each of which is a convex subset of the real domain [, ] (such that for any t 1, t i and t 3 T, t 1 t 3 t implies t 3 a). For example, [1, ], [1, ), (1, ], (1, ) and the empty set are intervals. Interval concatenation is defined a b = a b if a b =, a = b and a b I. The length of an interval is defined: a = a a. A specification on real-time intervals is a predicate P = P(i, s) on a typed modal variable i I that denotes the interval and an untyped auxiliary variable s that denotes some system feature related to the interval. We let I denote the space of all temporal specifications on intervals. The modalities I P and I P correspond to the (bi-directional) extension of intervals. Def I P = P : i (i i) and I P = P / i (i i). The following transformer modalities transform real-time specifications to interval specifications. The modal variable t is related to the length of the interval i. These transformers correspond to the first interpretation of real-time specification. Def 7 T I P = P : t (t = i ) and I T P = P / t (t = i ). Alternatively, we may relate t to the left-end of interval i and obtain another pair of transformers. Def T I P = P : t (t = i) and I T P = P / t (t = i). The two distinctive interpretations of real-time specifications now correspond to different transformers and become distinguishable in interval logic. Properties of these modalities can be studied using the laws of generic composition and its inverse. Linear temporal logics Linear temporal logics are based on traces. Let X denote the set of all traces of elements (including the infinite ones). For two traces a, b X, a b denotes their concatenation. If a is an infinite trace, then for any b, a b =a. a b iff a is a prefix (i.e. pre-cumulation) of b. a denotes the length of a. For exampe, the length of the empty trace is. a i denotes the i-th element of the trace where 1 i a. A trace specification is a predicate on a modal variable tr X ω of infinite traces. There is normally no auxiliary variable. We let S denote the space of trace specifications. The modality S P informally means that the predicate P may be true for some suffix, while its dual modality S P informally means that the predicate P must be true for every suffix. Def 9 S P = P : tr ( a a < a tr = tr) S P = P / tr ( a a < a tr = tr). For example, the specification S < (tr =1) states that the first element of every suffix is 1, i.e. every state is 1. We introduce a dependent variable s = tr. The specification can then be simplified as S (s = 1). Such semantic notation directly corresponds to LTL, although here we allow finite traces as well. If we introduce one more dependent variable s = tr 1 to denote the second element of the trace, we can then express specifications of Temporal Logic of Actions

6 (TLA) [7]. For example, let X be the set {, 1}. The specification S (s s ) describes a trace of alternating s and 1s. The link between the original variables and the dependent variables can also be characterized as a transformer. For example, let P(s, s ) be a TLA specification on the current state s and the next state s. It corresponds to a specification P : (s,s ) (s =tr s =tr 1 ) on traces. A timed trace is a trace with strictly-increasing time stamps. For simplicity, we assume the first time point is. The sequence (, p), (1, q), (, p), is one example. In general, a timed trace is a trace of pairs (t, s ), (t 1, s 1 ),, (t n, s n ), where i j (i <j t i < t j ) and t =. We let K denote the space of specifications on timed traces. For TLA of timed traces, we introduce dependent variables s =s, s =s 1, t =t and t =t 1 and assume that t <t. For example, the following specification requires the state to change from 1 to after no-longer-than (seconds) or from to 1 after no-shorterthan : K ((s = 1 s = t t ) (s = s = 1 t t )). () Real-time functions A specification of real-time functions is a predicate on a modal variable x:[, ] X (i.e. a mapping from real-time points to states). There is normally no auxiliary variable. We let F denote the space of trace specifications. The modality F P informally means that the predicate P may be true after some point in the future, while its dual modality F P informally means that the predicate P must be true from anytime on. Def 1 F P = P : x a< l x(l) = x(l +a) F P = P / x a< l x(l) = x(l + a). A timed trace can be viewed as a discrete form of real-time function in which the state is stable between consecutive time points. This determines a natural transformation from timed-trace specifications to real-time-function specifications. Def 11 K F P = P : tr k l [t k, t k+1 ) s k = x(l) F K P = P / tr k l [t k, t k+1 ) s k = x(l). The transformers satisfy Law. Duration calculus Duration calculus (DC) is a special interval logic. A duration specification is a predicate on a variable i I that denotes the interval and an auxiliary variable x:[, ] {, 1} that denotes a real-time Boolean function. Note that a DC specification only describes the feature of x during the interval i. The state of any time point outside of the interval is arbitrary. The space of duration specifications is denoted by D. The modalities of DC are the same as those of interval logic: D P = I P and D P = I P. Again, we may introduce some dependent variables. For example, instead of specifying the relation (i.e. a predicate) between the interval and the real-time function, we may specify the relation between the length of the interval and the integral of the real function in the interval. Although not all computations can be specified in such a restricted way, it has been expressive enough for most applications and covers the most common design patterns [1]. Here we shall use t = i to

7 denote the length of the interval and s = e x(t)dt to denote the integral of the b function in the interval. For example, the Gas Burner problem [1] includes a requirement that gas leak is bounded by for any interval no-loner-than 3. This can be formalised as in D : D (t 3 s ) (3) where t and s are two dependent variables. The following two concrete DC specifications form a common design that implements the above abstract specification: D ( x t ) and D ( x x x t ) () where the real-time function x(l) records whether there is gas leak at the time point l, the specification x = (s =t) describes a period with gas leak (at most time points of in the period [13]), and x = (s = ) describes a period without leak. The first specification requires any leaking period to be bounded by seconds; the second specification states that, during any interval, the period of non-leak between two periods of leak should be no less than seconds. The sequential composition (also known as the chop operation) is the pointwise concatenation of the intervals of specifications: P Q = i 1 i (P[i 1 /i] Q[i /i] i = i 1 i ). The link between real-time interval logic and DC can be characterised as the following transformers. Def 1 I D P = P : s (s = i x(t)dt) D I P = P / s (s = i x(t)dt). Here s R + represents the integral accumulated during an interval, and we assume that s i. We may also view s as a dependent variable for i x(t). The transformation forms an embedding and therefore satisfies Laws and 5. Indeed the transformation from real-time specification to duration specification is the composition of the transformation from real-time specification to interval specification and the transformation from interval specification to duration specification: T D P = I D T I P D T P = I T D I P. Here, we are taking the first interpretation of real time (as the length of the interval). Since the length of interval is monotonic in the sense that if i i then i i, Law 5 of commutativity also holds. The requirement () can now be formalised more precisely as: D T D (t 3 s ). A real-time Boolean function x(l) satisfies this specification if and only if for any interval, the integral s of x(l) during the interval and the length t of the interval satisfy (t 3 s ). The example corresponds to a general specification pattern: D T D (t A s B) (5) where A and B are constant parameters such that A B. This pattern of specification requires a system not to stay in the Boolean state 1 longer than B during any period no longer than A. It has dual pattern that requires a system not to stay in the

8 1 9 s 1 9 s (A,B) 3 (A,B) t A s B t t A s B t Fig. 1. Basic patterns of DC state for too long but stay in the state 1 long enough: D T D (t A s B). The two patterns are illustrated in Figures 1 as sets of coordinates (t, s). Note that we always assume s t. Let f(l) be a monotonically-nondecreasing function such that f(l) l for any l. The following specification is a generalisation of pattern (5): D T D s f(t) in which the function sets the least upper bound for s. It is monotonic and nondecreasing as we naturally assume that, for any longer interval, the least upper bound is allowed to be greater. The general pattern has a dual D T D s g(t) where the function g is also monotonic and non-decreasing and satisfies g(l) l for any l. The following properties show that the general patterns can be decomposed as the conjunction of basic patterns: s f(t) = l (t l s f(l)) s g(t) = l (t l s g(l)). DC is a combination of interval logic and logic of real-time functions. There is an embedding from specifications of real-time functions into DC specifications. Def 13 F D P = P : x l i x(l) = x(l) D F P = P / x l i x(l) = x(l). The transformers satisfy Law. A DC specification P satisfies the condition that its state is arbitrary outside of the interval iff it satisfies F D D F P = P. On the other hand, the embedding of K in D can now be defined as the compositions of the transformers: K D P = F D K F P D K P = F K D F P. We now study a technique to refine DC specifications with TLA designs. For example, the DC abstract specification (3) can be implemented with a TLA specification of timed traces (). The TLA design is arguably more intuitive than () in DC alone. Although the two types of specifications cannot be combined directly, we can establish the refinement relationships between (3) and () in D. The basic pattern D T D (t A s B) can be refined with Law (1) in which denotes the refinement order such that A B if and only if A B =A.

9 We let High = (s =1 s =), Low = (s = s =1) and t = t t. Law () provides a similar refinement for the dual pattern. Law (1) D T D (t A s B) K D K ((High t B/n) (Low t (A B)/n)) (n >) () D T D (t A s B) K D K ((High t B/n) (Low t (A B)/n)) (n >). These laws allow the frequency of switching to multiply for integer number of times and hence are more general than the example TLA refinement (). We can always replace an integer parameter with a real parameter in the above laws if the result is a further refinement. For example, we may replace the first n on the right-hand side of Law (1) with any real number λ n. The parameters A and B are constant parameters. That means the TLA refinement describes a controller that runs according to an internal timer but does not take any input from the environment. Figure illustrates the refinement of the basic patterns. The grey areas indicate the requirements, while the dark areas (contained in the grey areas) illustrate the TLA designs. 1 9 s 1 9 s (A,B) 3 (A,B) t A s B t t A s B t Fig.. Refinement of basic patterns (n=) The refinement of the general patterns T D T t f(t) and T D T t g(t) is based on the refinement of the basic patterns (see Figure 3). Law 7 D T D s f(t) K D K ( (High t a) where a >, and for any l a, f(l) = l. Law D T D g(t) s K D K ( ( High t sup l b where < b inf l (l g(l)). ( Low t sup l a ) ) l f(l) f(l)/a ) ) g(l) (l g(l))/b (Low t b) In the above refinement laws, we have restricted ourselves to trace-based implementation that is independent of input. The target system can be generalised to

10 1 9 s 1 9 s (a,a) s f(t) t 1 (b,) g(t) s t Fig. 3. Refinement of general patterns incorporate input information from the environment. We assume that the controller not only has an internal timer but is also equipped with a sensor that can detect the changes of the environment periodically. If the reading h of the sensor is higher than a particular level H, the switch will be turned on; if the reading is lower than a level L, the switch is off; otherwise, when the level is between H and L, the switch can be either on or off. Let f(t, h) and g(t, h) be monotonic functions with regard to both t and h. The controller periodically checks the input. The (non-zero) cycle of sampling can be as small as possible but must be bounded by a constant τ ; otherwise the controller may not be able to react in time. The following law refines such specifications to the target system. Law 9 D T D g(t, h) s f(t, h) K D K ((h H s =1) (h L s =) t τ) where L H, τ f(τ, L) and g(τ, H). If the functions are linear, we can determine the parameters more accurately. The least upper bound of τ can be determined when assuming H = L. Once a particular τ is chosen, the ranges of H and L can be derived. Law 1 D T D (a 1 t b 1 s h a t + b ) K D K ((h H s =1) (h L s =) t τ) where τ b1+b 1+a 1 a, H b 1 a 1 τ and L (1 a )τ b. Case study: water pumps A water pump with a timer To demonstrate the use of the refinement laws of the last section, we first consider an example of a simple water pump. The (hybrid) system consists of a water pool with inflow v i (which rate is at least v imin ) and a water pump. When the water pump is on, water drains at a rate of v o > v imin ; when it is off, there is no draining caused by the pump. The requirement is that during any period, the water level never drops more than H.

11 We assume that the controller has no sensor that can detect the change of inflow or the water level. Thus we need to consider the worst case when v i is constantly at the lowest rate v imin. The requirement can be specified formally as follows: D T D (v o s v imin t H). It is implicit that s be always bounded by t. Thus we obtain a specification H T D T s f(t) where a is chosen as its maximum: a = v o v imin and f(t) = { t t a v imin t/v o + /v o t > a l f(l) To determine sup l a f(l)/a, we let t n = a + n voa v imin where n >. The value of l f(l) f(l)/a reaches maximum when l approaches every t n from its left-hand side. Thus l f(l) b = sup l a f(l)/a = t 1 f(t 1 ) f(t 1 )/a 1 = voa vimin a + v m H a The obtained TLA implementation K D K ((High t a) (Low t b)) (according to Law 1) is illustrated in Figure. 1 9 s (a,a) t Fig.. Controlling of a simple water pump The above example can be generalised in several ways. Firstly, we may require the water level not to drop more than a certain level within only the intervals shorter than a given constant t (instead of being in every interval). To refine such a weaker requirement, we simply need to revise the least-upper-bound function f(t) slightly. Secondly, if the water level is also required not to rise a certain level, Law 9() can be used for refinement. Since all these modalities distribute conjunction, the two TLA refinements can be combined together in conjunction compositionally. Finally, we have assumed v imin to be a constant (Law ). If the inflow is not random and fits into some model, then the least average inflow v imin will be a function related to the interval length t. For example, the minimum of sin(x) is 1, but its least average for the interval ( π, π) is. If the function v imin (t) is known, then Law 9 is still applicable. This can be generalised further: since we know the relation between the amount of water pumped out (i.e. v o s) and the length t of any corresponding interval, if the pumped water drains into another pool, we can then study the water-level controlling of the other pool using the same refinement laws.

12 A water pump with a timer and a sensor In the previous example, the controlling of the relative rise or drop of the water level relies on the controller s internal timer to switch the pump between on and off. The controller does not read any input from the environment. In order to control the absolute water level l (instead of relative changes in the last example), the controller needs a sensor to detect the water level directly. We use v i to denote the inflow. The maximum and minimum of the inflow are denoted by v imax and v imin respectively and satisfy v imin < v i < v imax < v o. It is required that the water level never drops below L or rise above H where H and L are two parameters such that L <H. The above requirement can be formalised as follows: L l + v i t v o s H. We assume that the controller cannot directly detect the changes of v i in real time. In extreme cases, the inflow may be as heavy as v imax or as light as v imin. The restriction is then strengthened as follows: (v imax t + l H )/v o s (v imin t + l L )/v o. In order to apply Law 1, we use h to denote l/v o and then obtain the following specification: D T D (v imax t H )/v o s h (v imin t L )/v o. () This can be refined by a TLA specification: K D K ((h H s =1) (h L s =) t τ) (7) H L voτ viminτ H where t v o+v imax v imin, H H vimaxτ v o and L v. Figure 5 demonstrates the behaviour of the implementation with a particular given inflow function Fig. 5. Experiment on the water pump with a sensor (top-down illustrating water level l, inflow v i and controller switching)

13 Again, the above example can be generalised in a number of ways. In particular, if the inflow v i satisfies a certain model in the following form: v imin (t) v i v imax (t) where t is the length of an interval, then we can substitute the constants v imin and v imax with the functions v imin (t) and v imax (t) respectively in specification (7). If the inequations become non-linear, Law 9 can be used. Two water pumps with timers and sensors It is essential that the design of a complicated system can be decomposed into smaller ones. Let us consider a system of two water pools. The water pumped out of the first pool flows into the second pool directly. Thus the design of the controller of the second water pump depends on the design of the first pump. The latter has already been studied in the last example. We now show that under some conditions, the second controller can be designed using the same method separately. We use the symbols h, H, L, v o and so on to represent the parameters of the second controller. The key here is to estimate the inflow rate of the second pool (i.e. the outflow rate of the first pump). A crude measure is the maximal rate v o when the pump is on and minimum rate when the pump is off. The abstract specification of the second pump controller can be obtained by replacing v imax and v imin with v o and respectively in (): D T D (v o t H )/v o s h L /v o. The rest of the design is a routine application of Laws 1. The above specification is not flexible enough in that the controller is required to work properly even in the worst cases when the outflow of the first pump is constantly at its fastest rate (or slowest rate). However, we know that the waterlevel restriction of the first pool does not allow its pump to remain on or off for any considerable period. That means for a longer period of time, the maximum (or minimum) average outflow rate of the first pump is less (or more) than v imax (or v imin ). Fortunately, no matter how the first controller is designed, it must satisfy the original specification (3). The total outflow of the first pump during a period t is v o s. Thus the average outflow rate v o s/t is bounded by the maximum (v imin t+l L )/t and the minimum (v imax t+l H )/t. This leads to the abstract specification of the second controller: ((v imax t + l H ) + l H )/v o s ((v imin t + l L ) + l L )/v o. The rest of the design is a routine application of Law 1. 5 Conclusions This paper has presented a predicative interpretation for modal logics. The accessibility relation of Kripke semantics is parameterised as a predicate. Introducing a new pair of modalities is the same as introducing a new accessibility relation. The transformers between modal logics also become modalities. Formal reasoning is mostly conducted at the level of predicate calculus and assisted with the higherlevel laws of generic composition and its inverse. The completeness of the semantic interpretation relies on the completeness of predicate calculus.

14 The examples showed that different temporal logics are good at describing different aspects of a system at different levels of abstraction. Two temporal logics naturally arise from the Gas Burner problem. The abstract requirement is naturally specified in DC. The following DC design has described a controller switching between on and off at particular time points. Although such controlling can be described in DC, the essentially equivalent TLA specification () is arguably more intuitive. We have identified refinement laws for several design patterns. Some of the laws are general and cover most types of refinement with a particular target implementation. More specific laws are introduced for the most common patterns, and their parameters can be more easily determined. Such laws are the formal representation of our experience about the development of hybrid systems. The technique is applied to the examples of water-pump system. Identifying general and at the same time practical laws is a challenging task. However once such laws are identified, they genuinely make the design process more systematic, especially for the determination of parameters. References 1. P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge University Press, 1.. Y. Chen. Generic composition. Formal Aspects of Computing, 1():1 1,. 3. E.C.R. Hehner. Predicative programming I, II. Communications of ACM, 7():13 151, 19.. C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, C. A. R. Hoare and J. He. Unifying Theories of Programming. Prentice Hall, L. Lamport. Hybrid systems in TLA+. In Hybrid Systems, volume 73 of LNCS, pages Springer-Verlag, L. Lamport. A temporal logic of actions. ACM Transctions on Programming Languages and Systems, 1(3):7 93, A. Pnueli. The temporal semantics of concurrent programs. Theoretical Computer Science, 13:5, A. Pnueli and E. Harel. Applications of temporal logic to the specification of real-time systems. In M. Joseph, editor, Formal Techniques in Real-Time and Fault-Tolerant Systems, Lecture Notes in Computer Science 331, pages 9. Springer-Verlag, A.P. Ravn, H. Rischel, and K.M. Hansen. Specifying and verifying requirements of real-time systems. IEEE Transactions on Software Engineering, 19(1):1 55, M. Schenke and E. Olderog. Transformational design of real-time systems part i: From requirements to program specifications. Acta Informatica, 3(1):1 5, H. Shalqvist. Completeness and correspondence in the first and second order semantics for modal logic. In Proceedings of the third Scandinavian logic symposium, pages North Holland, C. Zhou, C. A. R. Hoare, and A. P. Ravn. A calculus of durations. Information Processing Letters, (5):9 7, C.C. Zhou, A.P. Ravn, and M.R. Hansen. An extended duration calculus for hybrid real-time systems. In R.L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, editors, Hybrid Systems, Lecture Notes in Computer Science 73, pages Springer-Verlag, 1993.