Interval Duration Logic: Expressiveness and Decidability

We investigate a variant of dense-time Duration Calculus which permits model checking using timed/hybrid automata. We define a variant of the Duration Calculus, called Interval Duration Logic, (IDL), whose models are timed state sequences [1].A subset LIDL of IDL consisting only of located time constraints is presented. As our main result, we show that the models of an LIDL formula can be captured as timed state sequences accepted by an event-recording integrator automaton. A tool called IDLVALID for reducing LIDL formulae to integrator automata is briefly described. Finally, it is shown that LIDL has precisely the expressive power of event-recording integrator automata, and that a further subset LIDL- corresponds exactly to event-recording timed automata [2]. This gives us an automata-theoretic decision procedure for the satisfiability of LIDL– formulae.     

Transformational design of real-time systems Part I: From requirements to program specifications

In the two parts of this article a transformational approach to the design of distributed real-time systems is presented. The starting point are global requirements formulated in a subset of Duration Calculus called implementables and the target are programs in an OCCAM dialect PL. In the first part we show how the level of program specifications represented by a language SL can be reached. SL combines regular expressions with ideas from action systems and with time conditions, and can express the distributed architecture of the implementation. While Duration Calculus is state-based, SL is event-based, and the switch between these two worlds is a prominent step in the transformation from implementables to SL. Both parts of the transformational calculus rely on the mixed term techniques by which syntax pieces of two languages are mixed in a semantically coherent manner. In the first part of the article mixed terms between implementables and SL and in the second part of the article mixed terms between SL and PL are used. The approach is illustrated by the example of a computer controlled gas burner. Received: 10 June 1996 / 29 December 1997     

Probabilistic Duration Calculus for Continuous Time

This paper deals with dependability of imperfect implementations concerning given requirements. The requirements are assumed to be written as formulas in Duration Calculus. Implementations are modelled by continuous semi-Markov processes with finite state space, which are expressed in the paper as finite automata with stochastic delays of state transitions. A probabilistic model for Duration Calculus formulas is introduced, so that the satisfaction probabilities of Duration Calculus formulas with respect to semi-Markov processes can be defined, reasoned about and calculated through a set of axioms and rules of the model. Received November 1994 / Accepted in revised form June 1998     

Checking Temporal Duration Properties of Timed Automata

In this paper, the problem of checking a timed automaton for a Duration Calculus formula of the form Temporal Duration Property is addressed. It is shown that Temporal Duration Properties are in the class of discretisable real-time properties of Timed Automata, and an algorithm is given to solve the problem based on linear programming techniques and the depth-first search method in the integral region graph of the automaton. The complexity of the algorithm is in the same class as that of the solution of the reachability problem of timed automata.     

Polyhedral Flows in Hybrid Automata

A hybrid automaton is a mathematical model for hybrid systems, which combines, in a single formalism, automaton transitions for capturing discrete updates with differential constraints for capturing continuous flows. Formal verification of hybrid automata relies on symbolic fixpoint computation procedures that manipulate sets of states. These procedures can be implemented using boolean combinations of linear constraints over system variables, equivalently, using polyhedra, for the subclass of linear hybrid automata. In a linear hybrid automaton, the flow at each control mode is given by a rate polytope that constrains the allowed values of the first derivatives. The key property of such a flow is that, given a state-set described by a polyhedron, the set of states that can be reached as time elapses, is also a polyhedron. We call such a flow a polyhedral flow. In this paper, we study if we can generalize the syntax of linear hybrid automata for describing flows without sacrificing the polyhedral property. In particular, we consider flows described by origin-dependent rate polytopes, in which the allowed rates depend, not only on the current control mode, but also on the specific state at which the mode was entered. We identify necessary and sufficient conditions for a class of flows described by origin-dependent rate polytopes to be polyhedral. We also propose and study additional classes of flows: strongly polyhedral flows, in which the set of states that can be reached up to a given time starting from a polyhedron is guaranteed to be a polyhedron, and polyhedrally sliced flows, in which the set of states that can be reached at a given time starting from a polyhedron is guaranteed to be a polyhedron. Finally, we discuss an application of the above classes of flows to approximate exponential behaviours.     

Model-checking discrete duration calculus

Duration Calculus was introduced in [ZHR91] as a logic to specify and reason about requirements for real-time systems. It is an extension of Interval Temporal Logic [Mos85] where one can reason about integrated constraints over time-dependent and Boolean valued states without explicit mention of absolute time. Several major case studies, e.g. the gas burner system in [RRH93], have shown that Duration Calculus provides a high level of abstraction for both expressing and reasoning about specifications. Using Timed Automata [A1D92] one can express how real-time systems can be constructed at a level of detail which is close to an actual implementation. We consider in the paper the correctness of Timed Automata with respect to Duration Calculus formulae. For a subset of Duration Calculus, we show that one can automatically verify whether a Timed Automaton is correct with respect to a formulaD, abbreviated D, i.e. one can domodel-checking. The subset we consider is expressive enough to formalize the requirements to the gas burner system given in [RRH93]; but only for a discrete time domain. Model-checking is done by reducing the correctness problem D to the inclusion problem of regular languages.     

Balanced timed regular expressions

Several classes of regular expressions for timed languages accepted by timed automata have been suggested in the literature. In this article we introduce balanced timed regular expressions with colored parentheses which are equivalent to timed automata, and, differently from existing definitions, do not refer to clock values, and do not use additional operations such as intersection and renaming.     

Model-checking discrete duration calculus

Duration Calculus was introduced in [ZHR91] as a logic to specify and reason about requirements for real-time systems. It is an extension of Interval Temporal Logic [Mos85] where one can reason about integrated constraints over time-dependent and Boolean valued states without explicit mention of absolute time. Several major case studies, e.g. the gas burner system in [RRH93], have shown that Duration Calculus provides a high level of abstraction for both expressing and reasoning about specifications. Using Timed Automata [A1D92] one can express how real-time systems can be constructed at a level of detail which is close to an actual implementation. We consider in the paper the correctness of Timed Automata with respect to Duration Calculus formulae. For a subset of Duration Calculus, we show that one can automatically verify whether a Timed Automaton ? is correct with respect to a formulaD, abbreviated ? ?D, i.e. one can domodel-checking. The subset we consider is expressive enough to formalize the requirements to the gas burner system given in [RRH93]; but only for a discrete time domain. Model-checking is done by reducing the correctness problem ? ?D to the inclusion problem of regular languages.     

The Saga of Synchronous Bus Arbiter: On Model Checking Quantitative Timing Properties of Synchronous Programs

Quantified Discrete-time Duration Calculus, (QDDC), is a form of interval temporal logic [14]. It is well suited to specify quantitative timing properties of synchronous systems. An automata theoretic decision procedure for QDDC allows converting a QDDC formula into a finite state automaton recognising precisely the models of the formula. The automaton can be used as a synchronous observer for model checking the property of a synchronous program. This theory has been implemented into a tool called DCVALID which permits model checking QDDC properties of synchronous programs written in Esterel, Verilog and SMV notations.In this paper, we consider two well-known synchronous bus arbiter circuits (programs) from the literature. We specify some complex quantitative properties of these arbiters, including their response time and loss time, using QDDC. We show how the tool DCVALID can be used to effectively model check these properties (with some surprising results).     

Towards a denotational semantics of timed RSL using duration calculus

The Timed RAISE Specification Language(Timed RSL)is an extension of RAISE Specificatioin Language by adding time constructors for specifying real-time applications.Duration Calculus(DC) is a real-time interval logic,which can be used to specify and reason about timing and logical constraints on duration propoerties of Boolean states in a dynamic system.This paper gives a denotational semantics to a subset of Timed RSL expressions,using Duration Calculus extended with super-dense shop modality and notations to capture time point properties of piecewise continuous states of arbitrary types.Using this semantics,the paper pesents a proof rule for verifying Timed RSL iterative expressions and implements the rule to prove the satisfaction by a sample Timed RSL specification of its real-time requrements.     

Decidability of a Hybrid Duration Calculus

We present a logic which we call Hybrid Duration Calculus (HDC). HDC is obtained by adding the following hybrid logical machinery to the Restricted Duration Calculus (RDC): nominals, satisfaction operators, down-arrow binder, and the global modality. RDC is known to be decidable, and in this paper we show that decidability is retained when adding the hybrid logical machinery. Decidability of HDC is shown by reducing the satisfiability problem to satisfiability of Monadic Second-Order Theory of Order. We illustrate the increased expressive power obtained in hybridizing RDC by showing that HDC, in contrast to RDC, can express all of the 13 possible relations between intervals.     

Automata theory based on lattice-ordered semirings

In this paper, definitions of K{\mathcal{K}} automata, K{\mathcal{K}} regular languages, K{\mathcal{K}} regular expressions and K{\mathcal{K}} regular grammars based on lattice-ordered semirings are given. It is shown that K{\mathcal{K}}NFA is equivalent to K{\mathcal{K}}DFA under some finite condition, the Pump Lemma holds if K{\mathcal{K}} is finite, and Ke{{\mathcal{K}}}\epsilonNFA is equivalent to K{\mathcal{K}}NFA. Further, it is verified that the concatenation of K{\mathcal{K}} regular languages remains a K{\mathcal{K}} regular language. Similar to classical cases and automata theory based on lattice-ordered monoids, it is also found that K{\mathcal{K}}NFA, K{\mathcal{K}} regular expressions and K{\mathcal{K}} regular grammars are equivalent to each other when K{\mathcal{K}} is a complete lattice.     

Model-checking dense-time Duration Calculus

Since the seminal work of Zhou Chaochen, M. R. Hansen, and P. Sestoft on decidability of dense-time Duration Calculus [ZHS93] it is well known that decidable fragments of Duration Calculus can only be obtained through withdrawal of much of the interesting vocabulary of this logic. While this was formerly taken as an indication that key-press verification of implementations with respect to elaborate Duration Calculus specifications were also impossible, we show that the model property is well decidable for realistic designs which feature natural constraints on their switching dynamics.The key issue is that the classical undecidability results rely on a notion of validity of a formula that refers to a class of models which is considerably richer than the possible behaviours of actual embedded real-time systems: that of finitely variable trajectories. By analysing two suitably sparser model classes we obtain model-checking procedures for rich subsets of Duration Calculus. Together with undecidability results also obtained, this sheds light upon the exact borderline between decidability and undecidability of Duration Calculi and related logics.Received June 1999Accepted in revised form September 2003 by M. R. Hansen and C. B. Jones     

Transformational design of real-time systems. Part II: From program specifications to programs

In the two parts of this article we present a transformational approach to the design of real-time systems. The overall starting point are requirements formulated in a subset of Duration Calculus called implementables and the target are programs in an OCCAM dialect PL. In the first part we have shown how the level of program specifications represented by a language SL can be reached. SL combines regular expressions with action systems and time conditions. In this part we show the transformation from SL to PL. It relies on the ‘Expansion strategy’ by which certain transformations can be applied in an almost automatic fashion. In many places transformations consist of algebraic reasoning by laws for operations on programs. Both parts of our transformational calculus rely on the mixed term techniques in which syntax pieces of two languages are mixed in a semantically coherent manner. In the first part of the article mixed terms between implementables and SL have been used, in the present part mixed terms between SL and PL are used. The approach is illustrated by the example of a computer controlled gas burner from part I again. Received 23 July 1996 / 13 February 1998     

Grail: A C++ Library for Automata and Expressions

Grail is a package for symbolic manipulation of finite-state automata and regular expressions. It provides most standard operations on automata and expressions, including minimization, subset construction, conversion between automata and regular expressions, and language enumeration and testing. Grail 's objects are parameterizable; users can provide their own classes to define the input alphabet of automata and expressions. Grail's operations are accessible either as individual programs or directly through a C++ class library.     

Formal verification of components assembly based on SysML and interface automata

We propose an approach which combines component SysML models and interface automata in order to assemble components and to verify formally their interoperability. So we propose to verify formally the assembly of components specified with the expressive and semi-formal modeling language, SysML. We specify component-based system architecture with SysML Block Definition Diagram, and the composition links between components with Internal Block Diagrams. Component’s protocols are specified with sequence diagrams, they are necessary to exploit interface automata formalism. Interface automata is a common Input Output (I/O) automata-based formalism intended to specify the signature and the protocol level of the component interfaces. We propose formal specifications for SysML semi-formal models in order to exploit interface automata approach. We also improve the interface automata approach by considering system architecture, specified with SysML, in the verification of components composition.     

Advanced Features of Duration Calculus and Their Applications in Sequential Hybrid Programs

Duration Calculus was introduced as a logic to specify real-time requirements of computing systems. It has been used successfully in a number of case studies. Moreover, many variants were proposed to deal with various features of real time systems, including sequential communicating processes, sequential hybrid systems and imperative programming languages. This paper aims to integrate several variants of Duration Calculus, and to provide a semantic framework for real-time programming languages and sequential hybrid programs. A shortversion of this paper appeared in J. Davis, A.W. Roscoe and J.C.P. Woodcock editors, Millennial Perspectives in Computer Science,Proceedings of the 1999 Oxford-Microsoft Symposium in Honour ofProfessor C.A.R. Hoare.     

A multidimensional approach to syntactic pattern recognition

This paper describes a syntactic method for representing the primitive parts of a pattern as nodes of a type of directed graph. A linear representation of the digraph can then be presented to a regular unordered tree automaton for classification. Regular unordered tree automata can be simulated by deterministic pushdown automata, so this procedure can be implemented easily. Regular u-tree automata and the corresponding generative systems, regular u-tree grammars are formally defined. Several results are shown which are applicable to all syntactic pattern recognition schemes involving the use of primitives.