Modal Transition Systems with Weight Intervals

Transcription

1 Modl Trnsition Systems with Weight Intervls Line Juhl, Kim G. Lrsen, Jiří Srb 1 Alborg University, Deprtment of Computer Science, Selm Lgerlöfs Vej 300, 9220 Alborg Ø Abstrct We propose weighted modl trnsition systems, n extension to the well-studied specifiction formlism of modl trnsition systems tht llows to express both required nd optionl behviours of their intended implementtions. In our extension we decorte ech trnsition with weight intervl tht indictes the rnge of concrete weight vlues vilble to the potentil implementtions. In this wy resource constrints cn be modelled using the modl pproch. We focus on two problems. First, we study the question of existence/finding the lrgest common refinement for number of finite deterministic specifictions nd we show PSPACE-completeness of this problem. By constructing the most generl common refinement, we llow for stepwise nd itertive construction of common implementtion. Second, we study logicl chrcteristion of the formlism nd show tht formul in nturl weight extension of the logic CTL is stisfied by given modl specifiction if nd only if it is stisfied by ll its refinements. The weight extension is generl enough to express different sorts of properties tht we wnt our weights to stisfy. Keywords: modl trnsition systems, weighted trnsition systems, deterministic specifictions, refinement, ction-bsed CTL, model checking 1. Introduction Modl trnsition systems [1] provide specifiction formlism which cn express both sfety nd liveness requirements of their implementtions lbelled trnsition systems. This formlism llows for two kinds of trnsitions to be present, nmely required (must) trnsitions nd llowed (my) trnsitions. A rther loose specifiction cn then be trnsformed into concrete implementble system by series of refinements. This ide of stepwise refinement is pplicble for exmple for the development of embedded systems. Recent work on Corresponding uthor Emil ddresses: linej@cs.u.dk (Line Juhl), kgl@cs.u.dk (Kim G. Lrsen), srb@cs.u.dk (Jiří Srb) 1 Prtilly supported by Ministry of Eduction of the Czech Republic, project No. MSM Preprint submitted to Elsevier June 17, 2011

2 modl trnsition systems includes pplictions in severl different res like component-bsed softwre development [2, 3], interfce theory [4, 5], modl bstrctions nd progrm nlysis [6, 7, 8], nd other res [9, 10]. An overview rticle cn be found in [11]. A similr concept hs been studied lso in the re of softwre product lines (see e.g. [12] nd [13]), however, their notion of refinement is syntctic nd different from the semntic refinement reltion (bsed on the concepts of simultion/bisimultion) studied in the theory of modl trnsition systems. We present n extension of modl trnsition systems clled weighted modl trnsition systems tht decorte ech trnsition with n intervl contining rnge of weights. The ide of modelling quntittive spects in trnsition systems is well studied. For exmple weighted trnsition systems (see e.g. the book [14]) re known extension of stndrd lbelled trnsition systems. Such systems re prticulrly useful for modelling resource constrints, which re often seen in embedded systems (e.g. fuel/power consumption, price). Weights therefore seem like nturl ddition to modl trnsition systems, in order to combine the benefits of the modl pproch with the modelling of quntities. By llowing both negtive nd positive weights, we re furthermore ble to model systems with both resource gins nd losses. Contrry to weighted trnsition systems, where trnsitions nd/or sttes re lbelled with specific weights, we decorte trnsitions with sets of weights. This dheres to the ide of loose specifiction, since specifiction then determines the rnge of llowed weights insted of the precise weight. The refinement process will then rule out some of the weights, eventully ending up with n implementtion contining the finl concrete weight. To motivte the use of weighted modl trnsition systems s model for embedded systems, consider n ATM mchine. Two clients might ech give specifiction (or requirements), detiling their llowed nd required use of the mchine, long with intervls specifying the cceptble power consumption for ech option. This is demonstrted in Figure 1 (the two topmost systems). Here the dotted lines denote llowed behvior (i.e. the behviour tht client is willing to perform), while the solid lines denote required behvior (i.e. the behviour client is insisting on). The intervl ttched to ech trnsition is the intervl where the power consumption (or some other cost) must lie in. As we cn see, both clients require tht crd is inserted. After the insertion, the clients only llow three ctions, nmely blnce, withdrw nd trnsfer. The blnce option is required by the left client, while the right client requires tht withdrwl must be possible in n implementble system stisfying the specifiction. Even though the left client only specifies withdrwl s optionl, he/she requires tht PIN must be entered in order to continue. After the PIN is ccepted, n mount cn be withdrwn ny number of times. The right client on the other hnd specifies tht PIN is only optionl, however, tht ech mount withdrwn must be preceded with re-entering the PIN. An importnt problem is now to determine the existence of n implementtion stisfying the needs of both clients nd giving the exct power consumption for ech option, fitting in the consumption requirements mde by the clients. 2

3 crd s 1 [2, 5] s 2 return [1, 1] blnce [1, 6] s 3 withdrw [1, 1] PIN [4, 9] mount [3, 4] crd t 1 [4, 8] t 2 return [1, 1] blnce [4, 5] withdrw [1, 3] mount [2, 4] PIN [5, 10] trnsfer [6, 8] trnsfer [2, 5] ccount [5, 7] ccount [4, 6] crd [4, 5] return [1, 1] blnce [4, 5] withdrw [1, 1] PIN [5, 9] mount [3, 4] Figure 1: Two specifictions of n ATM mchine nd their lrgest common refinement below. We cll such n implementtion common implementtion. As it cn be seen, the option of trnsfer is llowed by both clients, but since their power consumption intervls re not overlpping, it is not possible to produce specific system with power consumption stisfying both clients. The trnsfer option is, however, not required by ny of the clients, nd cn thus be ignored in possible common implementtion. Since insertion of the crd, blnce, withdrwl nd PIN entering re required behvior for one or the other of the two specifictions, these must be present in the implementble system. Insted of constructing just one common implementtion, we im t constructing the most permissive common refinement, so tht this refinement encpsultes ll common implementtions. Figure 1 shows most permissive common refinement below the two clients specifictions. After entering the PIN withdrwl is only llowed once, since the right-hnd side specifiction requires tht new mount specifiction is preceded by PIN, while the left-hnd side specifiction does not. Considering the common refinement in Figure 1, one might be interested in knowing whether it is possible to withdrw some mount consuming between 10 nd 20 energy units. Since withdrwl consumes t lest 13 energy units nd t most 19 (dding the lower nd upper intervl bounds long the pth), this is indeed possible. However, since the trnsition lbelled mount is only optionl, some concrete implementtions my leve it out. It is therefore desirble to develop logicl setting tht gurntees tht if some property is true for given specifiction then it is lso true for ll its implementtions. Our contribution consists of definition of weighted modl trnsition systems nd n extension of the concepts relted to modl trnsition systems to the weighted setting. This includes modl nd thorough refinements nd the definition of n implementtion. Then we study the lrgest common refinement 3

4 problem of finite deterministic specifictions. A construction computing the conjunction of given number of finite deterministic specifictions is presented, nd we show tht given specifiction is their common refinement if nd only if it refines the constructed lrgest common refinement. We further show tht deciding whether common refinement exists or not is PSPACE-complete problem. Our lgorithm for the lrgest common refinement ws inspired by the common implementtion construction provided in [15]. However, we extend this technique to the weighted scenrio nd more importntly generlize the construction such tht we construct the most permissive common refinement, contrry to [15] where only the existence of common implementtion ws studied. The mximlity of our construction hence llows for stepwise nd itertive construction of common implementtion, which is desirble in mny pplictions nd ws not possible with the previous lgorithms. We note tht in this study we restrict ourselves to deterministic specifictions s demonstrted, for exmple, in our running exmples. There re two resons tht justify this choice. First of ll, for nondeterministic specifictions the two studied notions of thorough nd modl refinement do not coincide nd hence the refinement process, though sound, is not complete (see e.g. [11]). On the other hnd for deterministic specifictions, s dvocted in the work by Henzinger nd Sifkis [16, 17], modl refinement nd modl composition re complete. More detiled nlysis of this hs been recently given in [15]. Second, in mny prcticl cses, deterministic specifictions re desirble nd often used, nd much of the recent work dels minly with deterministic systems. For exmple in [16] the uthors discuss two min chllenges in embedded systems design: the chllenge to build predictble systems, nd tht to build robust systems. They suggest how predictbility cn be formlized s form of determinism, nd robustness s form of continuity. Another problem we study in this rticle concerns finding logicl chrcteristion of weighted modl trnsition systems. By nturl extension of the ction-bsed CTL we define, bsed on the work of De Nicol nd Vndrger [18], weighted CTL logic for model checking weighted modl specifictions. Compred to other weighted logics like [19] nd [20], we llow to stte rbitrry constrints on the prefixes of model executions nd extend the semntics to del with modl trnsition systems. On the other hnd, we do not consider semiring interprettions of CTL formul quntifiers like in [19] nd semiring semntics of MSO like in [20]. The definition of our logic is rther generic with respect to the choice for querying the weight constrints. Our min result shows tht specifiction stisfies given formul of weighted CTL if nd only if ll its refinements stisfy the sme formul, which is n importnt fct tht justifies the choice of the logic nd supports step-wise model bsed development process. We discuss few speciliztions of the generic logic to some concrete instnces in order to rgue for its pplicbility. The rticle is orgnized s follows. Section 2 introduces the model of weighted modl trnsition systems, modl nd thorough refinement reltions nd some 4

5 bsic properties of the model. In Section 3 we study the problem of lrgest common refinement of given set of finite deterministic specifictions nd mong others prove PSPACE-completeness of the problem. In Section 4 we serch for logicl chrcteristion of weigted modl trnsition systems. For this purpose we suggest definition of generic weighted CTL logic nd rgue for the soundness of this choice. Finlly, Section 5 provides short summry nd mentions some of the open problems. 2. Definitions We begin by extending the notion of modl trnsition systems (consult e.g. [1, 11]) by dding n intervl to ech trnsition in the specifiction. This set denotes the different vlues tht the weight of the trnsition cn be instntited to in n implementtion. We define [n, m] = { Z : n m} for n m, n, m Z {, } to denote the closed intervl between n nd m, nd use I to stnd for the set of ll such nonempty intervls. Definition 1. A (intervl) weighted modl trnsition system (WMTS) is 5- tuple M = (S, Σ,,, δ), where S is set of sttes, Σ is n ction lphbet, S Σ S nd δ : ( ) I ssigns weight intervl to trnsitions. The reltions nd re clled the my nd must trnsitions, respectively. By the definition of δ we see tht if (s,, t) belongs to both nd then the weight intervls of the must nd my trnsition re the sme. This fct is importnt nd implicitly used lter on. It ensures the so-clled consistency, mening tht ny given modl specifiction is gurnteed to hve n implementtion. We write s t if (s,, t) nd s,w t if e = (s,, t) nd δ(e) = W, similrly for the elements of. If no t exists such tht (s,, t), we write s, similrly for must trnsitions. The clss of ll WMTSs is denoted by W. An WMTS is deterministic if for ll s S nd Σ there is t most one t such tht (s,, t). The clss of ll deterministic WMTSs is denoted by dw. While generl WMTS models specifiction giving vriety of weights nd optionl behviour, n implementtion (defined below) defines the precise behviour of the system, including the precise weight of ll trnsitions. Definition 2 (Implementtion). A WMTS is n implementtion if = nd ll weight intervls re singletons. The clss of ll implementtions is denoted by iw. To ese the nottion, we often denote WMTS M = (S, Σ,,, δ) contining stte s S s pir, (s, M). Thus the nottion (s, M) W is short hnd nottion for M W with s stte in M (the sme pplies to iw nd dw). The lowercse letters s, t,... re used for sttes (specifictions) 5

6 d 1 d 2 d 3, [2, 5] b, [0, 8] c, [4, 7], [1, 4] b, [2, 6] c, [6, 7], [4, 7] b, [3, 8] c, [2, 9], [5, 5], [1, 3], [4, 6] b, [1, 4] b, [0, 4], [6, 7] b, [2, 9], [0, 3], [2, 8], [0, 4] b, [3, 9], [1, 3] c, [1, 3] b, [0, 8] i 1 i 2 i 3 s CR s CR b, [3, 3], [4, 4] b, [4, 4], [4, 4], [4, 4] b, [4, 4], [4, 4], [4, 4] b, [3, 4] b, [3, 4], [4, 4] b, [3, 6] c, [6, 7] s 1 s 2, [2, 3] s 3 Figure 2: Different exmples of weighted modl trnsition systems. in generl, while i, j,... re used for implementtions nd d, e... re used for deterministic specifictions. Since every must trnsition is lso my trnsition, my trnsitions in figures will not be drwn between sttes if must trnsition is lredy present. Tke look t the exmples in Figure 2 (ignore the systems s CR nd s CR for the moment). The three systems rooted with d 1, d 2 nd d 3 re exmples of weighted modl trnsition systems, ll of them being deterministic. The systems rooted with i 1, i 2 nd i 3 re exmples of implementtions where my nd must trnsitions coincide nd ll intervls re singletons. We cn now define the refinement reltion for WMTSs, nturl extension of the refinement reltion on MTSs. Intuitively, weight intervl on trnsition denotes the only cceptble weights llowed in n implementtion. A refinement should therefore never llow ny new weights to be dded, eventully leding to n implementtion with only singleton intervls. From now on, when using the term refinement we lwys refer to the modl refinement reltion between two WMTSs s defined below. Definition 3 (Modl refinement of WMTS). Let (s i, M i ) W such tht M i = (S i, Σ, i, i, δ i ) for 1 i 2. We sy tht s 1 modlly refines s 2, written (s 1, M 1 ) m (s 2, M 2 ) or simply s 1 m s 2 if M 1 nd M 2 re cler from the context, if there is refinement reltion R S 1 S 2 such tht (s 1, s 2 ) R nd for ech (s, t) R nd every Σ: 1. whenever s,w 1 s, then there exists t,v 2 t where W V such tht (s, t ) R, nd 6

7 2. whenever t,v 2 t, then there exists s,w 1 s where W V such tht (s, t ) R. Hence (s, M) refines (t, N) (s m t) if it is possible to mimic must trnsitions in N by M, nd it is possible to mimic my trnsitions in M by N. We sy tht WMTS (s, M) is n implementtion of WMTS (t, N) if (s, M) iw nd (s, M) m (t, N). Notice tht ny WMTS hs n implementtion, for instnce one cn turn ll my trnsitions into must trnsitions nd pick n rbitrry weight from ech intervl s the singleton weight. Consult gin Figure 2. The systems i 1, i 2, i 3 nd s CR re ll refinements of the specifiction d 1 (in fct lso of d 2 nd d 3 ). The first three refinements i 1, i 2 nd i 3 re lso implementtions of d 1. Remrk 1. Notice tht for two implementtions (i, I), (j, J) iw, the reltion of modl refinement, (i, I) m (j, J), corresponds to strong bisimultion (with the ssumption tht ctions nd weights re considered s observble pirs). Definition 4 (Thorough refinement). Let (s, M) be WMTS nd define s = {(i, I) iw : (i, I) m (s, M)}, tht is ll possible refinements of (s, M) tht re lso implementtions. For (s, M), (t, N) W we sy tht s thoroughly refines t, written s t t (or (s, M) t (t, N)), if s t. The following lemm is esy to prove, but it is n importnt property tht gurntees sound stepwise refinement development methodology. Lemm 1. The reltions m nd t re both trnsitive. Proof. Let (s, M), (u, O), (t, N) W. First the cse of m. Assume two reltions R 1 nd R 2 ccording to Definition 3 showing tht s m u nd u m t. It is esy to check tht the reltion R defined s R = {(s, t ) : u.((s, u ) R 1 (u, t ) R 2 )} is indeed refinement reltion ccording to Definition 3 nd tht (s, t) R. We now consider t. Assume s t u nd u t t. This immeditely implies tht s u t nd hence tht s t t. We cn now show tht modl refinement implies thorough refinement. Lemm 2. For two WMTSs, (s, M) nd (t, N), it holds tht s m t s t t. Proof. Assume tht s m t. If i m s for n implementtion i, then by Lemm 1 lso i m t. Hence s t which mens tht s t t. 7

8 , [2, 10] t 1 s, [3, 4] s 1, [1, 4] s 2 t, [0, 4] t 2, [1, 6] t 3 Figure 3: s t t, but s m t. Notice tht thorough refinement does not imply modl refinement. A counterexmple cn be seen in Figure 3. The figure is overtken from [15] nd intervls hve been dded, thus counter-exmple lredy exists in the unweighted cse. To show tht s m t we try to construct reltion R. For sure (s, t) R must hold. Since s,[3,4] s 1 either (s 1, t 1 ) or (s 1, t 2 ) must belong to R. In the first,[1,6] cse, t 1 t 3 nd therefore must trnsition from s 1 must exist s well. Since,[1,4] this is not the cse, we ssume (s 1, t 2 ) R. Then the trnsition s 1 s 2 implies the existence of my trnsition from t 2. This is lso not the cse, thus R cnnot exist nd s m t. On the other hnd, every implementtion of s cn perform t most two consecutive s with the weights either 3 or 4 for the first -trnsition nd 1, 2, 3 or 4 for the second -trnsition. These implementtions re lso implementtions of t, hence s t t. However, if we restrict the refined specifictions to be deterministic (or t lest the right-hnd side one) we get the following. Lemm 3. For (s, M) W nd (d, D) dw, it holds tht s m d s t d. We omit the proof here, since it follows s strightforwrd modifiction of the proof given in [15] by dding pproprite intervls to ll trnsitions. For the complexity results presented in the reminder of the pper we ssume constnt time intervl opertions (the encoding of integers is ssumed binry). In [21] it ws shown tht checking whether finite modl trnsition system is thoroughly refined by nother finite modl trnsition system is EXPTIMEcomplete. The thorough refinement problem for MTSs cn be reduced to the sme problem for WMTSs by dding the sme singleton weight to ll trnsitions. Hence the thorough refinement problem for finite WMTSs is lso EXPTIMEhrd. The lgorithm presented in [21] for determining whether one MTS thoroughly refines nother one cn be esily extended to the weighted setting by dding pproprite checks for set inclusions of the weight intervls. This ddition does not effect the running time of the lgorithm, nd the thorough refinement problem for finite WMTS is therefore decidble in EXPTIME s well. On the contrry, the problem of deciding whether two finite weighted modl specifictions re in the modl refinement reltion is decidble in deterministic polynomil time using the stndrd gretest fixed-point computtion, similrly s in the cse of strong bisimultion (for efficient lgorithms implementing this strtegy see e.g. [22, 23]). 8

9 3. Lrgest Common Refinement This section ddresses the lrgest common refinement problem of finite deterministic specifictions defined s follows: given number of finite deterministic WMTSs, (d 1, D 1 ),..., (d n, D n ), we wnt to find specifiction (s, M) W such tht (s, M) m (d j, D j ) for ll j, 1 j n, or to report tht no such common refinement exists. Moreover, we re interested in constructing some lrgest common refinement refinement (s, M) such tht ny other common refinement of the given deterministic specifictions refines (s, M). Notice tht such lrgest common refinement is not unique. In wht follows, we implicitly ssume tht the given deterministic specifictions (d 1, D 1 ),..., (d n, D n ) re finite. Figure 2 shows our running exmple. Our tsk is to construct the lrgest common refinement of the deterministic specifictions d 1, d 2 nd d 3. Let (d 1, D 1 ),..., (d n, D n ) dw be n deterministic WMTSs. We will construct specifiction (s CR, M CR ) W nd prove tht (s CR, M CR ) is the most generl common refinement of d 1,..., d n. The stte set of M CR consists of n- tuples, (e 1,..., e n ), where every e i belongs the the corresponding stte set of D i. Additionlly some sttes in M CR will be mrked. Mrked nodes represent situtions where no common refinement exists. The pseudo-code in Alg. 1 constructs M CR, common refinement of the given specifictions, or returns tht no such refinement exists. The lgorithm voids the construction of the whole product spce nd returns only the rechble prts of such common refinement. It is esy to see tht the lgorithm lwys termintes. The first repet-loop (lines 3 22) runs until Witing is empty, nd in ech itertion one element is removed from Witing. Elements re lso dded to Witing, however since D i re finite for ll i, nd no removed element is dded gin to Witing, this repet-loop termintes. The second repet-loop (lines 23 27) s well s the forll-loop (lines 30 nd 31) lso terminte due to the finiteness of the set S nd finiteness of the reltion. Alg. 1 constructs M CR by inspecting the n deterministic WMTSs nd dding the needed sttes nd trnsitions to M CR, nd furthermore mrking sttes if these represent situtions where no common refinement cn exist. The mrked set is expnded by dding ll sttes, from which pth consisting of only must trnsitions leds to mrked stte. If the stte (d 1,..., d n ) is mrked, no common refinement exists. If this is not the cse, common refinement exists nd the most generl common refinement is constructed by removing ll mrked sttes nd trnsitions leding to mrked sttes. In our running exmple in Figure 2, given the input d 1, d 2 nd d 3 Alg. 1 first constructs n intermedite specifiction s CR where the mrked nodes s 1, s 2 nd s 3 re drwn s circles. After removing them the lgorithm returns the specifiction (s CR, M CR,). Lemm 4. If (e 1,..., e n ), stte in M CR, hs pth consisting only of must trnsitions leding to stte mrked by Alg. 1 in the first repet-loop, then e 1,..., e n hve no common refinement. 9

10 Input: A finite number n of deterministic WMTSs, (d i, D i ) dw, where D i = (S i, Σ, i, i, δ i ) for i = 1,..., n. Output: The string No common refinement exists or (s CR, M CR ) dw, where M CR = (S, Σ,,, δ) s.t. (s CR, M CR ) m (d i, D i ) for ll i. 1 begin 2 S := ; := ; := ; Mrked := ; Witing := {(d 1,..., d n )}; 3 repet 4 Select (e 1,..., e n ) Witing; Witing := Witing \ {(e 1,..., e n )}; S := S {(e 1,..., e n )}; 5 forll the Σ do 6 if i : e i j f j then i f i nd j : e j 7 temp := δ 1 ((e 1,, f 1 ))... δ n ((e n,, f n )); 8 if temp = then 9 Mrked := Mrked {(e 1,..., e n )}; 10 else 11 := {( (e 1,..., e n ),, (f 1,..., f n ) )} ; 12 δ (( (e 1,..., e n ),, (f 1,..., f n ) )) := temp; 13 if (f 1,..., f n ) / S then Witing := Witing {(f 1,..., f n )}; 14 if i : e i i f i then 15 temp := δ 1 ((e 1,, f 1 ))... δ n ((e n,, f n )); 16 if temp then 17 := {( (e 1,..., e n ),, (f 1,..., f n ) )} ; 18 δ (( (e 1,..., e n ),, (f 1,..., f n ) )) := temp; 19 if (f 1,..., f n ) / S then Witing := Witing {(f 1,..., f n )}; 20 if i : e i i f i nd j : e j j then 21 Mrked := Mrked {(e 1,..., e n )}; 22 until Witing = ; 23 repet 24 Mrked := Mrked; 25 forll the (e,, f) do 26 if f Mrked then Mrked := Mrked {e}; 27 until Mrked = Mrked; 28 if (d 1,..., d n ) Mrked then return No common refinement exists 29 S := S Mrked; 30 forll the (e,, f) where f Mrked do 31 := {(e,, f)}; := {(e,, f)}; 32 s CR := (d 1,..., d n ); return (s CR, M CR ) Algorithm 1: Construction of the most generl common refinement. 10

11 Proof. Assume tht (e 1,..., e n ) is stte in M CR, from which there is pth consisting of only must trnsitions leding to stte mrked by Alg. 1 in the first repet-loop. We show tht the sttes e 1,..., e n hve no common refinement. First observe tht if (e 1,..., e n ),V (f 1,..., f n ) exists in M CR we know,v i,v j tht e i fi, where V V i for t lest one i nd e j f j, where V V j for ll j (Alg. 1, line 6-13). Let p be ny common refinement of e 1,..., e n. Assume therefore tht n refinement reltions R j exist such tht (p, e j ) R j for ll j. Then p must hve p,w q trnsition, where W V j nd (q, f j ) R j for ll j. The fct tht q is refinement of f i is cler by the second item in Definition 3,,V i since (p, e i ) R i nd e i fi, where V V i, forces p,w q trnsition, where W V i nd (q, f i ) R i. The fct tht q is lso required to be refinement of f 1,..., f n is given by the first item in Definition 3, since (p, e j ) R j for ll j nd p,w,v j q. Since e 1,..., e n re deterministic, e j f j, where W V j for ll j re forced to be the mtching trnsitions, thus requiring (q, f j ) R j to hold. Next observe tht if stte (g 1,..., g n ) Mrked in Alg. 1 then either (g 1,..., g n ) hs been mrked t line 9 or line 21. If it is mrked t line 9, then there exists some Σ nd f 1,..., f n such tht g i i f i for t lest one i nd δ 1 ((g 1,, f 1 ))... δ n ((g n,, f n )) =. Otherwise (if it ws mrked t line 21) there exists i such tht g i i f i nd there exists j such tht g j j. Both cses imply tht g 1,..., g n hve no common refinement. The first cse is obvious, since the weight set of the mtching trnsition in common refinement must be contined in every δ i ((g i,, f i )) (due to determinism), but no trnsition with n empty weight set is llowed. The second cse lso leds to no common,v i implementtion, since g i fi forces p,v q, where V V i in the refinement, but p,v q cnnot be mtched from g j. These two observtions led to our conclusion, since ny common refinement p of e 1,..., e n, with refinement reltions R j nd (p, e j ) R j for ll j eventully fulfills (q, g j ) R j for some q, becuse of the pth consisting of only must trnsitions. However, since g 1,..., g n cnnot hve common refinement, R j cnnot exist. By noting tht Alg. 1 returns No common refinement exists only if there exists pth consisting of only must trnsitions from s CR to node mrked before in the first repet-loop nd pplying Lemm 4 to s CR we hve the following corollry. Corollry 5. If Alg. 1 returns No common refinement exists then the specifictions (d 1, D 1 ),..., (d n, D n ) hve no common refinement. Lemm 6. If (d 1, D 1 ),..., (d n, D n ) hve no common refinement then Alg. 1 returns No common refinement exists. Proof. We prove the contrposition. Tht is, ssume tht Alg. 1 does not return No common refinement exists. This implies tht (d 1,..., d n ) is not 11

12 mrked stte nd tht Alg. 1 returns (s CR, M CR ). We wnt to construct reltions R 1,..., R n in order to show tht s CR is common refinement of d 1,..., d n. We define the reltions s R i = {((e 1,..., e n ), e i ) : (e 1,..., e n ) M CR } nd continue to prove tht these n reltions fulfill the criteri of Definition 3. It is cler tht ((d 1,..., d n ), d i ) R i. Let ((e 1,..., e n ), e i ) R i nd consider must,v i trnsition e i fi. Since by ssumption the lgorithm returns (s CR, M CR ) nd (e 1,..., e n ) M CR, (e 1,..., e n ) is not mrked. Therefore e j,v j f j exists for ll j nd the trnsition (e 1,..., e n ), j Vj (f 1,..., f n ) is dded to M CR in Alg. 1, line Furthermore, (f 1,..., f n ) is not mrked (nd thus not removed), since otherwise (e 1,..., e n ) would hve been mrked during the repet loop in line 23-27, contrdiction. Hence (f 1,..., f n ) is stte in M CR nd ((f 1,..., f n ), f i ) R i s required. On the other hnd, consider my trnsition (e 1,..., e n ),V (f 1,..., f n ).,V i By construction e i f i, where V V i for ll i. Hence ((f 1,..., f n ), f i ) R i for ll i s required. With the bove lemms nd Alg. 1 we hve the following complexity result. Theorem 7. The problem of existence of common refinement for given number of finite deterministic specifictions is PSPACE-complete. Proof. In order to show continment in PSPACE, Cor. 5 nd Lemm 6 give us tht the existence of common refinement is equivlent to the question whether the stte s CR gets mrked by Alg. 1. In other words, this is equivlent to the question whether there is must-pth from s CR to some stte mrked directly in line 9 or 21 of the lgorithm. Such pth cn be nondeterministiclly guessed on the fly (without constructing the whole stte-spce) nd by Svitch s theorem this implies the continment in PSPACE. The hrdness result follows directly from PSPACE-hrdness of the common implementtion problem for unweighted MTSs shown in [15]. The lst theorem sttes tht M CR is the lrgest common refinement. Theorem 8 (Mximlity of M CR ). If Alg. 1 returns (s CR, M CR ) then for every (t, N) W such tht (t, N) m (d i, D i ) for ll i, 1 i n, it holds tht (t, N) m (s CR, M CR ). Proof. Let (t, N) W be common refinement of (d 1, D 1 ),..., (d n, D n ). This mens tht there exist n reltions R 1,..., R n stisfying the conditions in Definition 3. We construct new reltion Q stisfying the sme conditions in order to prove tht (t, N) m (s CR, M CR ). The reltion Q is defined s follows: (s, (e 1,..., e n )) Q if nd only if (s, e i ) R i for ll i, 1 i n. 12

13 We observe tht (t, (d 1,..., d n )) Q, since (t, d i ) R i for ll i. This stisfies the first condition in the refinement definition. Let now (s, (e 1,..., e n )) Q nd consider wht hppens in cse of must nd my trnsitions. Consider trnsition s,v s. Then for ll i we hve tht for ll e i such tht,w i (s, e i ) R i there exists f i such tht e i f i with V W i nd (s, f i ) R i. This implies tht q = (e 1,..., e n ),W1... Wn (f 1,..., f n ) is trnsition in M CR. Since V W 1... W n nd (s, f i ) R i for ll i, then (s, (f 1,..., f n )) Q s desired. Notice tht (f 1,..., f n ) cnnot be node which ws removed in Alg. 1 since this would imply tht (f 1,..., f n ) is mrked. The sttes f 1,..., f n would not therefore hve common refinement by Lemm 4. This contrdicts the fct tht (s, f i ) R i for ll i. Consider now trnsition (e 1,..., e n ),V (f 1,..., f n ). By construction of,w j M CR we know tht there exists t lest one e j such tht e j fj nd tht,w i e i f i exist for ll i (Alg. 1, line 6-13). Since (d 1, D 1 ),..., (d n, D n ) re,w j deterministic, f i (for ll i) re unique. Now becuse e j fj nd (s, e j ) R j, we get tht s,w s with W W j such tht (s, f j ) R j. This, however, lso mens tht s,w s nd becuse (s, e i ) R i for ll i, we get tht (s, f i ) R i nd W W i for ll i. Notice tht V = W 1... W n, so W V holds. Thus (s, (f 1,..., f n )) Q by the definition of Q. As corollry nd due to the trnsitivity of m (Lemm 1), Cor. 5, Lemm 6 nd the mximlity of M CR (Thm. 8) we get the min result. Corollry 9. Let (d 1, D 1 ),..., (d n, D n ) be finite deterministic WMTSs nd ssume tht Alg. 1 returns specifiction (s CR, M CR ). A specifiction (s, M) W is common refinement of the specifictions (d 1, D 1 ),..., (d n, D n ) if nd only if (s, M) m (s CR, M CR ). This theorem llows us to find common refinement (nd thus lso common implementtion) in stepwise nd itertive mnner. Consider Figure 4. Here (s CR, M CR ) is constructed by giving (d 1, D 1 ),..., (d n, D n ) dw s input to Alg. 1. The specifiction (s n CR, M CR n ) is, on the other hnd, constructed by using Alg. 1 itertively. First (d 1, D 1 ), (d 2, D 2 ) is given s input nd then the output, (s 2 CR, M CR 2 ), nd (d 3, D 3 ) is used s input, continuing in this wy until the lst received output nd (d n, D n ) is given s input, finlly outputting (s n CR, M CR n ). The theorem below sttes tht both pplictions of the lgorithm led to the sme set of possible implementtions. Theorem 10. Let (d 1, D 1 ),..., (d n, D n ) be finite deterministic WMTSs nd ssume tht (s CR, M CR ) nd (s n CR, M CR n ) re the specifictions obtined s illustrted in Figure 4. Then s CR = s n CR. Proof. Using Corollry 9 gives us tht (s n CR, M n CR ) m (s CR, M CR ). The other direction is n esy induction in n, the number of deterministic specifictions. As bse cse we hve n = 2. The two uses of Alg. 1 re here 13

14 (d 1, D 1 ) (d 2, D 2 ) (d n, D n ) (d 1, D 1 ) (d 2, D 2 ) (d n, D n ) (s 2 CR, M 2 CR ) (s CR, M CR ) s CR = (s n CR, M n CR ) s n CR Figure 4: Two wys of using Alg. 1 yielding the sme result. equl, nd the theorem follows. For the induction step ssume (s CR, M CR ) m (s n 1 CR, M n 1 CR ) holds. Notice tht now (s CR, M CR ) m (s n CR, M CR n ) lso holds, since (s n CR, M CR n ) is the output when Alg. 1 is given (sn 1 CR, M n 1 CR ) nd (d n, D n ) s input nd Corollry 9 is thus pplicble. Lemm 2 now implies s CR = s n CR. This result is more generl thn the lgorithm in [15], which checks only for the existence of common implementtion of (unweighted) modl specifictions. The lgorithm presented here furthermore constructs the most permissive common refinement nd provides support for step-wise development of systems. 4. Logicl Chrcteristion In the previous section we discussed lgorithms for constructing some lrgest common refinement for given set of weighted deterministic modl specifictions. Now we shll turn our ttention to logicl chrcteristion of weighted modl trnsition systems. We define n extension of the well-known CTL logic [24] tht will llow us to stte logicl queries tht include constrints bout the weights long the finite nd infinite pths. There re severl well justified choices for the definition of the constrints on the pths. We provide met-definition of generl constrint form which specilizes to mny useful constrint choices. Our min result is tht s long s certin monotonicity property is preserved, specifiction stisfies given logicl formul if nd only if ll its refinements do. This result cn be understood s soundness principle for the suggested logic. We strt with the definition of must-/my-pths in weighted modl trnsition systems. Definition 5 (Pth). A must-pth in WMTS M = (S, Σ,,, δ) is finite or infinite sequence π of trnsitions of the form π = s s2 3 s

15 A must-pth is mximl if it is infinite or it ends in stte with no outgoing my trnsitions (nd hence of course lso no outgoing must trnsitions). The set of ll mximl must-pths strting from stte s is denoted by mxmustp(s). Similrly, my-pth is finite or infinite sequence π of trnsitions of the form π = s 1 s2 s3.... A my-pth is mximl if it is infinite or it ends in stte with no outgoing must trnsition (note tht outgoing my trnsitions re llowed). The set of ll mximl my-pths strting from stte s is denoted by mxmyp(s). Notice tht must-pth is not necessrily prefix of mximl must-pth nd tht mximl my-pth my be strict prefix of nother mximl my-pth. Given must- or my-pth in the form bove, the nottion π[j] denotes the j th stte of the pth, tht is π[j] = s j. For specifying logicl properties we suggest notion of weighted ction-bsed CTL (WCTL), prticulr extension of CTL (see e.g. [25]). The ction-bsed syntx is bsed on the work of De Nicol nd Vndrger [18] which introduces n ction-lbelled next opertor. In [18] they discuss close reltionship between ction-bsed nd stte-bsed logics (see lso [26]). We further extend their logic such tht it cn be interpreted over modl trnsition systems nd we dd generic weight constrint function in order to reson bout the cost of the trnsitions nd demonstrte few exmples of well-justified weight constrint functions. Let us first define the so-clled ction formule: χ, χ ::= true χ χ χ where Σ rnges over the ctions of given WMTS. The semntics to ction formule is given by the following stisfction reltion (, b Σ): = true = b iff = b = χ iff = χ = χ χ iff = χ nd = χ. The (stte) formule of WCTL re now generted by the following bstrct syntx: ϕ, ϕ 1, ϕ 2 ::= true flse ϕ 1 ϕ 2 ϕ 1 ϕ 2 EX c χ ϕ AX c χ ϕ E (ϕ 1 U c χ ϕ 2 ) A (ϕ 1 U c χ ϕ 2 ) E (ϕ 1 R c χ ϕ 2 ) A (ϕ 1 R c χ ϕ 2 ) where χ rnges over ction formule nd c : I I ω {0, 1} is constrint function ssigning 0 (flse) or 1 (true) to ny finite nd infinite sequence of weight intervls (for the definition of I see the first prgrph of Section 2). We moreover require tht c stisfies the following monotonicity property: if c(w 1, w 2,...) = 1 then c(w 1, w 2,...) = 1 for ny w i w i for ll i. 15

16 This mens tht if some sequence of intervls is cceptble by the constrint function, so will be the sequence contining ny subintervls. By L we denote the set of ll WCTL formule. This syntx is similr to the stndrd ction-bsed CTL. The min difference is the superscript c ttched to the next, until nd relese opertors. For exmple, E (ϕ 1 U c χ ϕ 2 ) holds in stte s if there exists mximl must-pth which stisfies tht ϕ 2 holds in some stte long the pth, ϕ 1 holds in ll sttes prior to tht stte, the ctions on the subpth where ϕ 1 holds stisfy χ nd c is true for the sequence of intervls belonging to the subpth where ϕ 1 holds. The reson for choosing must-pth is tht the existence of such pth in the specifiction will gurntee its existence lso in ny of its refinements. Similrly, the formul E (ϕ 1 R c χ ϕ 2 ) holds in stte s if there exists mximl must-pth which stisfies tht ϕ 2 holds in ll sttes long the pth, requirement tht is dropped s soon s ϕ 1 holds, the ctions on the pth where ϕ 2 holds stisfy χ nd c is true for the sequence of intervls belonging to the pth where ϕ 2 holds (hence the need for the constrint function to be defined over infinite sequences of intervls too). For the pth quntifier A, the temporl opertors U nd R hve similr mening, only in this cse we require tht ll mximl my-pths stisfy these properties. The semntics of WCTL formule is then interpreted over the sttes of WMTS. Let M = (S, Σ,,, δ) W, χ rnge over ction formule, s S, nd ϕ, ϕ 1 nd ϕ 2 be formule from L. The stisfction reltion = is defined by s = true s = flse s = ϕ 1 ϕ 2 iff s = ϕ 1 nd s = ϕ 2 s = ϕ 1 ϕ 2 iff s = ϕ 1 or s = ϕ 2 s =EX c χ ϕ iff (s s ) : = χ s = ϕ c(δ(s,, s )) = 1 s =AX c χ ϕ iff (s s ) where = χ : s = ϕ c(δ(s,, s )) = 1 s =E (ϕ 1 U c χ ϕ 2 ) iff π = s s2... mxmustp(s) : i 1 : s i = ϕ 2 j {1,..., i 1} : (s j = ϕ 1 j = χ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),..., δ(s i 1, i 1, s i )) = 1 s =A (ϕ 1 U c 1 2 χ ϕ 2 ) iff π = s 1 s2... mxmyp(s) where i = χ for ll i : i 1 : s i = ϕ 2 ( j {1,..., i 1} : s j = ϕ 1 ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),..., δ(s i 1, i 1, s i )) = 1 16

17 s =E (ϕ 1 R c χ ϕ 2 ) iff π = s s2... mxmustp(s) : ( k 1 : s k = ϕ 2 k = χ ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),...) = 1 ( i 1 : s i = ϕ 1 j {1,..., i} : (s j = ϕ 2 j = χ) ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),..., δ(s i 1, i 1, s i )) = 1 s =A (ϕ 1 R c 1 2 χ ϕ 2 ) iff π = s 1 s2... mxmyp(s) where i = χ for ll i : ( k 1 : s k = ϕ 2 ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),...) = 1 ( i 1 : s i = ϕ 1 ( j {1,..., i} : s j = ϕ 2 ) ) c(δ(s 1, 1, s 2 ), δ(s 2, 2, s 3 ),..., δ(s i 1, i 1, s i )) = 1. If the system M is not cler from the context, we lso use the nottion (s, M) = ϕ mening tht s = ϕ where s stte in M. We remrk tht for the cses of E (ϕ 1 U c χ ϕ 2 ) nd A (ϕ 1 R c χ ϕ 2 ) we my consider lso pths tht re not necessrily mximl, but for the ske of techincl conveniences we restrict ourself to mximl runs in ll cses. Notice tht, s usul, we cn express the temporl modlities eventully (F c χ) nd lwys (G c χ). EF c χ ϕ E (true U c χ ϕ) AF c χ ϕ A (true U c χ ϕ) EG c χ ϕ E (flse R c χ ϕ) AG c χ ϕ A (flse R c χ ϕ) The generic definition of the constrint function c cn be specilized in order to express vriety of interesting properties tht we wnt our sequences of intervls to fulfil. We will now give two exmples. Exmple 1. Consider the ATM mchines shown in Figure 1 in Section 1. It might be worth knowing, for exmple, whether or not in ny implementtion it is possible to check the blnce without entering PIN while consuming between 0 nd 15 units of power. We thus wnt to reson bout the ccumulted energy long given pth. For this purpose, let the constrint function c S be given s { 1 if [ i=1 c S (w 1, w 2,...) = n i, i=1 m i] S 0 otherwise, 17

18 where w i = [n i, m i ] nd S is given set of elements from Z {, }. The constrint function then returns 1 if the intervl contining ll possible sums of weights belonging to ech intervl is contined in the set S, nd 0 otherwise. Notice tht if c(w 1, w 2,...) = 1 then c(w 1, w 2,...) = 1 for ny w i w i for ll i, since smller intervls do not give rise to ny new ccumulted sums, thus still preserving the requirement of being subset of S. Using this constrint function one cn specify tht every possible totl ccumulted weight long some pth should be contined in [0, 15], s required in the ATM mchine. The WCTL formul to check this is ϕ E ( true U c [0,15] PIN ( EX c [, ] return true )) EF c [0,15] PIN ( EX c [, ] return true ), stting tht there exists pth where the ction return is enbled in some stte in the future (with n rbitrry cost), nd tht we until reching the stte enbling return must not tke trnsition with ction PIN nd tht the ccumulted cost on this subpth (where the blnce is checked) must consume between 0 nd 15 power units. Consulting the leftmost specifiction in Figure 1 we see tht s 1 = ϕ holds, crd,[2,5] blnce,[1,6] since must-pth s 1 s 2 s 3 exists, nd from s 3 n outgoing must trnsition with the ction return is required. Any implementtion would therefore lso require these three trnsitions. On the other hnd, t 1 = ϕ, since in the specifiction the blnce trnsition is only optionl, nd thus might not be present in n implementtion. Exmple 2. As nother exmple consider specifiction of gs tnk, ble to both gin nd lose gs. In this cse we re interested in keeping the volume of gs in the tnk between some intervl t ll times, since the tnk would otherwise explode or hve too low volume. It is therefore not dequte to only consider the volume t the end of given pth. All subpths must lso fulfil the intervl bound (note tht we llow for negtive weights). We therefore define c S s { 1 if j 1 : [ j i=1 c S (w 1, w 2,...) = n i, j i=i m i] S 0 otherwise, where w i = [n i, m i ] nd S is given set of elements from Z {, }. In this wy we specify, using the opertor G, tht the volume of the tnk must be between 0 nd 100 everywhere long ll potentilly infinite pths where the ction emergency is not tken by AG c [0,100] emergency true. If emergency is triggered long some pth, the tnk will shut down nd the volume need not be gurded ny more. This kind of weight constrint function proved useful e.g. in [27] where the existence of such n infinite pth ws studied in the context of weighted timed utomt. Observe gin tht if c(w 1, w 2,...) = 1 then c(w 1, w 2,...) = 1 for ny w i w i for ll i. 18

19 We shll now formulte technicl lemm tht will be used in the proof of the min theorem of this section. Lemm 11. Let (s 1, M), (t 1, N) W nd (s 1, M) m (t 1, N). 1. If π N mxmustp(t 1 ) then there exists π M mxmustp(s 1 ) of the sme length s π N, such tht (π M [i], M) m (π N [i], N) for ll i. 2. If π M mxmyp(s 1 ) then there exists π N mxmyp(t 1 ) of the sme lento s π M, such tht (π M [i], M) m (π N [i], N) for ll i. Moreover, in both cses the weight intervls on the pth π M re subintervls of the corresponding intervls on the pth π N. Proof. Let (s 1, M), (t 1, N) W nd ssume tht s 1 m t 1. 1,V 1 2,V 2 3,V 3 1. Let π N = t 1 t2 t3... be mximl must-pth in N. We 1,W 1 2,W 2 wnt to show tht there exists mximl must-pth π M = s 1 s2 3,W 3 s 3... in M such tht si m t i nd W i V i for ll i. We prove this 1,W 1 by induction. By induction hypothesis we ssume tht there is pth s 1 2,W 2 j 1,W j 1 s 2... sj in M for j > 1 such tht s i m t i nd W i V i for ll i, 1 i j. (The bse cse where j = 1 requires tht s 1 m t 1 which is true by the ssumption of the lemm.) We now distinguish two cses (recll tht π N is mximl must-pth). Cse where t j hs no outgoing my trnsitions. Becuse s j m t j we get tht s j cnnot hve ny outgoing trnsitions either nd mximl must-pth in N ws mtched by mximl must-pth in M s required. j,v j Cse where t j tj+1. Becuse s j m t j there must be trnsition j,w j s j sj+1 such tht s j+1 m t j+1 nd W j V j. Hence there is pth 1,W 1 2,W 2 s 1 s2 j,w j... sj+1 in M such tht s i m t i nd W i V i for ll i, 1 i j + 1, s required by the induction. 2. Let π M mxmyp(s 1 ) be mximl my-pth in M. We wnt to find mtching mximl my-pth in N. The rguments re symmetric s in the proof of prt 1. Notice tht the mximlity of π M in cse of finite pth, i.e. the bsence of ny must trnsition t the end of the pth, implies tht the pth π N constructed in similr mnner s in prt 1. is lso mximl (the presence of must trnsition t its lst stte would enforce the presence of must trnsition in the lst stte of π M ). Given specifiction (s, M) W nd WCTL formul ϕ such tht (s, M) = ϕ, the following theorem shows tht ny refinement lso stisfies ϕ. This problem is closely relted to generlized model checking (s defined in [28]), which sks, given (s, M) W nd ϕ L, does there exists n implementtion (i, I) s, such tht (i, I) = ϕ. In our cse we, on the other hnd, consider the vlidity problem for ll refinements does ny refinement fulfil ϕ? 19

20 Theorem 12. Let (t, N) W nd let ϕ L be WCTL formul. Then (t, N) = ϕ if nd only if (s, M) = ϕ for ll (s, M) s.t. (s, M) m (t, N). Proof. The if prt is trivil since (t, N) is refinement of itself. We prove only if below. Let (s, M), (t, N) W be two weighted modl trnsition systems, where M = (S M, Σ,,, δ M ) nd N = (S N, Σ,,, δ N ). We show tht for ny formul ϕ L: if (s, M) m (t, N) nd (t, N) = ϕ then (s, M) = ϕ. (1) The proof is by structurl induction over the structure of the formul ϕ. Induction bsis: The cses ϕ = true nd ϕ = flse re trivil. Induction step: Assume ϕ 1 nd ϕ 2 re stte formule for which (1) hold. ϕ = ϕ 1 ϕ 2 : Since the induction hypothesis pplies to ϕ 1 nd ϕ 2 we hve ϕ = ϕ 1 ϕ 2 : Similr s for conjunction. ϕ = EX c χ ϕ 1 : t = ϕ 1 ϕ 2 = (t = ϕ 1 ) nd (t = ϕ 2 ) = (s = ϕ 1 ) nd (s = ϕ 2 ) = s = ϕ 1 ϕ 2. If t = ϕ then there exists t,w t, where = χ, t = ϕ 1 nd c(w ) = 1. Since s m t, we conclude tht s,v s, where V W exists such tht s m t. The requirement on the constrint function c implies tht lso c(v ) = 1, since V W. By the induction hypothesis s = ϕ 1 nd thus s = ϕ s well. ϕ = E (ϕ 1 U c χ ϕ 2 ): If t = ϕ then there exists must-pth π N = t t2... with t 1 = t in mxmustp(t) on which there exists j such tht t j = ϕ 2, t k = ϕ 1 nd k = χ for ll k < j nd c(δ(t 1 1 t2 ), δ(t 2 j 1 2 t3 ),..., δ(t j 1 t j )) = 1. By Lemm 11 we know tht there exists must-pth π M = s s2... with s1 = s in mxmustp(s) such tht s i m t i for ll i. The induction hypothesis implies tht lso s j = ϕ 2 nd tht s k = ϕ 1 for ll k < j. By the requirement on c we lso hve tht if c(δ(t 1 1 t 2 ), δ(t 2 j 1 2 t3 ),..., δ(t j 1 tj )) = 1 then c(δ(s 1 1 s2 ), δ(s 2 2 j 1 s 3 ),..., δ(s j 1 sj )) = 1, since δ(s i i si+1 ) δ(t i i ti+1 ) for ll i. Hence s = ϕ. 20

21 ϕ = E (ϕ 1 R c χ ϕ 2 ): The sme resoning s in the previous cse is used. As t = ϕ then there exists must-pth π N mxmustp(t) such tht ϕ 2 nd χ holds in ll sttes nd trnsitions respectively until nd including the first stte where ϕ 1 holds (possibly never) nd c equls 1 when evluted on the weight intervls corresponding to the pth where ϕ 2 holds. Agin Lemm 11 provides must-pth π M mxmustp(s) such tht the induction hypothesis nd the requirement on c gives us tht s = ϕ. ϕ = AX c χ ϕ 1 : Consider here n rbitrry trnsition s,v s where = χ. Since s m t, there exists t,w t with V W such tht s m t. As t = ϕ, we know tht t = ϕ 1 nd c(w ) = 1. By the induction hypothesis nd the requirement on c, we get tht lso s = ϕ. ϕ = A (ϕ 1 U c χ ϕ 2 ): 1 2 Consider n rbitrry pth π M = s 1 s2... with s1 = s in 1 mxmyp(s) where i = χ for ll i. By Lemm 11 pth π N = t 1 2 t 2... with t1 = t in mxmyp(t) exists such tht s i m t i for ll i. As t = ϕ, then there exists j such tht t j stisfies ϕ 2, t k = ϕ 1 for 1 2 j 1 ll k < j nd c(δ(t 1 t2 ), δ(t 2 t3 ),..., δ(t j 1 t j )) = 1. By the induction hypothesis s j = ϕ 2 nd s k = ϕ 1 for ll k < j. Since i i 1 δ(s i si+1 ) δ(t i ti+1 ) for ll i, this implies tht c(δ(s 1 2 j 1 s 2 ), δ(s 2 s3 ),..., δ(t j 1 t j )) = 1. We now hve tht s = ϕ s required. ϕ = A (ϕ 1 R c χ ϕ 2 ): Agin, we prove tht if t = ϕ then lso s = ϕ. This is done s in the previous cse by considering n rbitrry pth in mxmyp(s) where ll ctions stisfy χ nd pplying Lemm 11, the induction hypothesis nd the requirement on c. The reder my wonder why this ction-bsed CTL is in positive norml form. The reson for this is tht we require tht formul stisfied by specifiction is lso stisfied by ll refinements. This does not hold for formul of the form ϕ. Consider for instnce the specifiction consisting of two sttes s 1 nd s 2, with s 1,W s2. Then the stte s 1 stisfies ϕ EX c true, with c returning constntly 1, since EX requires must trnsition. However, in the refinement consisting of two sttes i 1 nd i 2 with i 1,V i 2, V W, the stte i 1 does not stisfy ϕ, since there indeed exists must trnsition from s 1 with the ction. On the other hnd, in the refinement consisting of n isolted stte j 1 with no trnsitions j 1 = ϕ holds. 21

22 Thus, showing tht specifiction does not stisfy some ϕ only implies the existence of t lest one refinement stisfying ϕ, not ll of them s required by the modl refinement methodology. 5. Conclusion nd Future Work We presented novel extension of modl trnsition systems clled weighted modl trnsition systems where ech trnsition is decorted with n intervl of weights, describing ll possible vlues tht cn be used in n implementtion. Furthermore we constructed the lrgest common refinement of number of finite deterministic specifictions, nd proved the correctness of the construction. This result generlizes the previously known lgorithm for the common implementtion problem on unweighted deterministic modl trnsition systems. We lso suggested notion of weighted CTL logic in order to reson bout the properties of the weighted modl trnsition systems nd rgued for the soundness of this choice. Clerly the proposed logic is undecible due to its generlity. As future work it would therefore be interesting to identify decidble frgments of the logic. This cn be chieved e.g. by considering subset of the llowed stte formule, n unweighted version of the logic or by resoning only bout implementtions. In our future work we will lso consider the common implementtion/specifiction problems of nondeterministic specifictions, deterministion construction, lgorithmic spects of the generlized model checking problem for weighted modl specifictions s well s the extension of the formlisms to mixed systems where the must trnsitions re not necessrily included in the my trnsitions. One might lso consider lttice of vlues s weight domin insted of the less generl intervls considered here. References [1] K. G. Lrsen, B. Thomsen, A Modl Process Logic, in: Proceedings of the 3rd Annul Symposium on Logic in Computer Science (LICS 88), IEEE Computer Society, 1988, pp [2] J.-B. Rclet, Residul for Component Specifictions, Electronic Notes in Theoreticl Computer Science 215 (2008) [3] N. Bertrnd, S. Pinchint, J.-B. Rclet, Refinement nd Consistency of Timed Modl Specifictions, in: Proceedings of the 3rd Interntionl Conference on Lnguge nd Automt Theory nd Applictions (LATA 09), Vol of LNCS, Springer-Verlg, 2009, pp [4] S. Uchitel, M. Chechik, Merging prtil behviourl models, in: Proceedings of the 12th ACM SIGSOFT Interntionl Symposium on Foundtions of Softwre Engineerings (FSE 04), ACM, 2004, pp