Ensuring the Satisfaction of a Temporal Specification at Run-Time by Tsai, Grace et al.
Missouri University of Science and Technology 
Scholars' Mine 
Mathematics and Statistics Faculty Research & 
Creative Works Mathematics and Statistics 
01 Jan 1995 
Ensuring the Satisfaction of a Temporal Specification at Run-Time 
Grace Tsai 
Matt Insall 
Missouri University of Science and Technology, insall@mst.edu 
Bruce M. McMillin 
Missouri University of Science and Technology, ff@mst.edu 
Follow this and additional works at: https://scholarsmine.mst.edu/math_stat_facwork 
 Part of the Computer Sciences Commons, Mathematics Commons, and the Statistics and Probability 
Commons 
Recommended Citation 
G. Tsai et al., "Ensuring the Satisfaction of a Temporal Specification at Run-Time," Proceedings of the First 
IEEE International Conference on Engineering of Complex Computer Systems, 1995. Held jointly with 5th 
CSESAW, 3rd IEEE RTAW and 20th IFAC/IFIP WRTP, Institute of Electrical and Electronics Engineers (IEEE), 
Jan 1995. 
The definitive version is available at https://doi.org/10.1109/ICECCS.1995.479365 
This Article - Conference proceedings is brought to you for free and open access by Scholars' Mine. It has been 
accepted for inclusion in Mathematics and Statistics Faculty Research & Creative Works by an authorized 
administrator of Scholars' Mine. This work is protected by U. S. Copyright Law. Unauthorized use including 
reproduction for redistribution requires the permission of the copyright holder. For more information, please 
contact scholarsmine@mst.edu. 
ENSURING THE SATISFACTION OF A TEMPORAL 
SPECIFICATION AT RUN-TIME 
Grace Tsai 
Mathematics and Computer Science 
Fairleigh Dickinson University 
Teaneck, N J  07666, USA 
Matt Insall 
Department of Mathematics and Statistics 
University of Missouri-Rolla 
Rolla, MO 65401 USA 
Abstract 
A responsive computing system is a hybrid of real- 
time, distributed and fault-tolerant systems. In such a 
system, severe consequences can occur if the run-tame 
behavior does not conform to the expected behavior or 
specifications. In this paper, we present a formal ap- 
proach t o  ensure satisfaction of the specifications in 
the operational environment as follows. First we spec- 
i f y  behavior of the systems using Interval Temporal 
Logzc (ITL). Next we give algorithms for trace check- 
ing of programs in such systems. Finally, we present 
a fully distributed run-time evaluation system which 
causally orders the events of the system during its ex- 
ecution and checks this run-time behavior against its 
ITL specification. The approach is illustrated using a 
train-set example. 
1 Introduction 
A responsive computing system [I] is one which is 
required to respond to internal programs or external 
inputs in a timely, dependable and predictable man- 
ner. These systems are a hybrid of real-time, dis- 
tributed and fault-tolerant systems. In such a system, 
any failure can cause a catastrophe, and hence, it, is 
very important to  ensure that run-time behavior of 
the system conforms to its expected behavior (specifi- 
cation). 
The specification of such critical systems can be 
rigorously represented using formal methods of logic. 
Formal methods are the use of mathematical tech- 
niques in the design and analysis of computer hard- 
ware and software. One of the many advantages of 
using formal methods is that when a property is ob- 
tained, it comes from certainty and not from doubtful 
or approximate inferences. 
Conceptualization. The goal of our work is to  find 
ways to  execute program specifications along with 
the actual program’s execution for purposes of run- 
time assurance - namely for error detection within the 
scope of fault tolerance. If the execution of the pro- 
gram does not satisfy the specification at run time, 
Bruce McMillin 
Department of Computer Science 
University of Missouri-Rolla 
Rolla, MO 65401 USA 
then an error has occurred. Since error detection is 
conceptually the most difficult problem in fault toler- 
ance, this quantification of error detection has proved 
quite powerful - a system need not rely on hardware or 
software confidence to avoid or detect errors; the spec- 
ification provides the absolute truth of correctness. 
The notion of “the program satisfies the specifica- 
tion” is a powerful abstraction as it immediately draws 
the researcher into the area of formal logic to  express 
the specification. This, coupled with an existing set of 
axioms and inference rules for a particular (program- 
ming) language provides the appropriate level of rep- 
resentation for run-time error checking. Essentially, 
the same tools used in program verification are im- 
mediately applicable to  run-time assurance, namely 
execution of the specification in either a predicate or 
temporal framework. 
Our work provides the run-time semantics to  carry 
out such execution of specifications, possibly in the 
presense of failed hardware and/or software. Thus, the 
approach taken here adopts a formalized specification 
language together with a mechanized support tool to  
allow detection of certain types of errors and faults. 
Methodology. There are three steps involved in 
this approach of ensuring a system’s specification at 
run-time: 
1. Specify properties of a responsive computing sys- 
tem using Interval Temporal Logic (ITL) formu- 
las, 
2. build a run-time event history, the causal struc- 
3. evaluate properties of the system according to  the 
At step 1, the logic ITL was developed to  specify 
behavior of a responsive computing system. In par- 
ticular, we use interval formulas and responsiveness 
assertzons to denote properties of a system. These 
formulas denoting system specifications are expected 
to hold within bounded intervals. Thus, an error has 
ture of the execution, and 
event histories. 
397 
0-8186-7123-8/95 $4.00 0 1995 IEEE 
occurred if the system does not satisfy these formulas 
within bounded intervals. 
At step 2, we give algorithms to obtain a run-time 
history or to build the causal structure of the execu- 
tion. The run-time history of a (distributed) system 
can be obtained by collecting and partially ordering 
events’ occurring in the system’. 
At step 3,  we apply a decision procedure, 11, to 
check whether the collected event history satisfies the 
specification of a system derived at step 1. Since an 
event history is a sequence of events occurring in a 
system, it represents a process’ observation of all the 
processes during execution. This history can be uti- 
lized to do evaluation of assertions at run-time. The 
evaluation is a simple matter, then, to break down the 
temporal assertions into predicate calculus expressions 
quantified over this history sequence3. Thus. this ap- 
proach uses the ITL formulas to detect errors. If the 
run-time behavior violates its specification denoted 
by ITL formulas, then appropriate actions should be 
taken. 
For example, one way to avoid cars and trains oc- 
cupying a crossing at the same time is to lower a gate 
before a train arrives on the crossing [2]. An ITL 
formula (step 1) for this situation can be used to rep- 
resent the timing constraints of the system. Knowing 
how long it takes to lower the gate, and the minimum 
time that can elapse between a train passing a sen- 
sor and reaching the crossing, we can deduce timing 
constraints on the gate controller. At run-time, then, 
we collect the events of the train passing the sensor 
(step 2) and can check if the gate controller violates 
the ITL specifications denoting these constraints (step 
3). If yes, actions should be taken to react to the error. 
In our previous work, we used a decision proce- 
dure to check satisfaction of liveness assertions in 
the operational environment [3]. A liveness assertion 
(4 + EF+) denotes that when a program starts from 
a state satisfying assertion 4, eventually it will get 
to a state satisfying assertion $J. This kind of asser- 
tion can not describe properties that must hold within 
bounded intervals and hence is not suitable for re- 
sponsive computing systems. Thus, this paper focuses 
on constructing a decision procedure II to check, at 
run-time, satisfaction of system specifications within 
bounded intervals of time. 
In related work, for the determination of satisfac- 
tion of formulas, [4] translates temporal logic formu- 
las into finite automata. In contrast, we establish a 
correspondence between states and events in the col- 
lected event history and examine the history against 
t,he specification for the determination of satisfaction 
]An event can be modeled as execution of one statement or 
a set of statements. 
2Note that we consader neither the undedyzng scheddang 
strategaes nor predcet whach branches OT statements will be ex- 
ecuted a t  run-tame. 
3 f ~ r  example, the temporal expression “now and always p ,  
in predicate calculus becomes Vz in history H (of events H ,  
indexed by i )  such that H, A program to check this 
temporal expression over a collected history, H ,  loops through 
H checking that each event H ,  satisfies p 
p .  
of formulas. The work of [5] embeds system con- 
straints into programs and examines them at run-time. 
However, they use a centralized monitor to obtain an 
execution history, while our method does not require 
monitors to compute histories. 
The organization of this paper is as follows. In Sec- 
tion 2, we introduce the logic ITL. Section 3 describes 
the notion of an event, our model of distributed com- 
putation, and other definitions to  be used in this pa- 
per. In Section 4, we describe a timestamping scheme, 
vector clocks, to order events in a collected history. 
Next, we present an algorithm, Compute History, to 
construct event histories and then give a decision pro- 
cedure for the determination of satisfaction of ITL for- 
mulas at run-time. Section 5 presents a train set ex- 
ample to illustrate the application of operational eval- 
uation. Section 6 concludes this paper. 
2 Interval Temporal Logic 
This section presents a logic, Interval Temporal 
Logic (ITL), for the responsive computing systems. 
The logic ITL is an extension of Interleaving Set Tem- 
poral Logic (ISTL) [6]. It adopts a partial order se- 
mantics which considers a distributed computation as 
a set of partially ordered events. Hence, this logic 
ITL can capture temporal and distributed aspects of 
the responsive systems that we are modeling. 
With the logic ISTL, one can not reason about a 
property within a bounded interval of time, which mo- 
tivates the development of the ITL for the responsive 
computing systems. There are other temporal logics 
for real-time systems for example [7, 8, 9, lo]. The 
logic [8] does not have a proof system for reasoning 
about a system. [9] is designed for reasoning about 
hardware, while we aim at a logic which can reason 
about a distributed real-time system. In our approach, 
the specification of a system will be tested to detect 
errors at run-time. So we need to build a mechanized 
support tool for the logic. For efficiency considera- 
tion, we built the logic ITL which has a small set of 
syntactic forms and includes only the inference rules 
necessary for the run-time evaluation. Hence we do 
not adopt the logic [9, lo]. 
Due to the page limits, we only present two types of 
formulas, znterval formulas and responsive assertzons. 
The reader may refer to [11] for the syntax and seman- 
tics of the logic. Informally, an znterval is of the form 
b] or [p, q1 and an znterval formula is of the form b]qi 
or [P,q]4 where p , q  and 4 are any formulas of ITL. 
An interval formula b]4 ([p,q]q5) is true over a state 
sequence n, iff the interval b] (b, q]) cannot be found 
or the formula 4 holds on every interval b] (b,q]) .  
Thus, there are two ways to conclude that an inter- 
val formula holds. This would cause a problem in the 
composition of interval formulas to create a ’71eads-to” 
property. Thus, the following responszveness assertion 
is proposed. 
Definition 2.1 A responszveness assertzon 2s a path 
and 4 are formulas of ITL .  
A responsiveness assertion (b]4 -+ b,q]EF$) ‘s 
true over a state sequence n, iff the following holds: if 
formula of  the form (b14 + [P, qIE&J), where P, q14j 
398 
r$ holds whenever p holds, then t,!J will occur at any q 
following p .  This assertion ensures bounded response 
of t,!J to [p]4 within the interrals [p, q]. 
The above formulas are to  be applied to  a run-time 
system to check if a system does what it is supposed. 
The following notation and background are necessary 
to  understand the proposed algorithms for evaluating 
the ITL formulas at run-time. 
3 Background 
A distributed program consists of n processes, 
PI ,  P2, . . . , P,, which cooperate to  perform a compu- 
tation. Each process resides on a unique processor. 
The mapping between processors and processes is one- 
to-one. There are no global clocks, and processes 
must communicate via message-passing to exchange 
information. Thus, the events occurring within a pro- 
cess can be totally ordered according to  its processor’s 
clock while events occurring within other processors 
cannot. 
There are three types of operations, internal (lo- 
cal) operations, send operations, and receive opera- 
tions. A send (receive) event of a processor includes 
execution of a sequence of local operations followed 
by a send (receive) operation in that processor. Send 
or receive events are referred to  as externally observ- 
able events. The externally observable events can be 
partially-ordered by any processor whereas internal 
events of a processor are non-observable by other pro- 
cessors. 
The following definitions are necessary before the 
presentation of the algorithms. 
Notation 3.1 Event executaon an a dzstrzbuted pro- 
gram as represented b y  a daagram, where each hor- 
azontal lane descrabes one process behavaor, and the 
horazontal darectaon of each lane denotes tame whach 
ancreases from left to raght. Message exchanges are 
shown b y  darected lanes. 
Definition 3.1 Event executaon an a program forms 
an arreflexave partaal order(denoted b y  +) on the 
events whach occur an the program. 
Definition 3.2 Event e precedes event f an an execu- 
taon, a.e., e +- f ,  af and only af any one of the followang 
condataons holds [12] I 
e and f are events of the same process, and e 
occurs before f ,  
e is a send event, and f is the corresponding re- 
ceive event, or 
there exists an event g ,  such that e .+ g ,  and 
s - f f .  
Note that we assume that a system has been verified 
to  be deadlock-free. 
Definition 3.3 Two events e ,  f are causally re- 
lated if either e + f or f + e holds. If neither 
e -+ f nor f + e holds, then e and f are considered 
as concurrent or independent events. 
Definition 3.4 A history of a program P is a pair 
h =< J ,  v > where J is the initial interpretation and 
v = a1, a2, . . . , a, is a sequence of events of the pro- 
gram in the causal relation .+ order. 
Throughout the paper, we will use the letter J in a 
history (e.g., h =< J ,  v >) to denote an initial state. 
Definition 3.5 Let A be a collection of events of a 
program. Given an initial state J and two sequences 
of  events v and w ( v , w  E A*), two histories h =< 
J ,  v > and h‘ =< J ,  w > are equivalent, i f  there exist 
histories < J ,  v1 >, < J ,  v2 >, . . . , < J ,  v, > with 01 = 
v and v, = w and for each 1 5 i < n,  there exist a f ,  
,d and x , y  E A*, such that vi = xapy, vi+l = xpay. 
In other words, vi and vi+l only differ b y  the order of 
adjacent symbols which are independent according to  
the causal relation + of Definition 3.2 [6]. 
Definition 3.6 A trace is an equivalence class of 
histories. denoted bu TJ. wl where J is an initial state 
V L ’  J 
and < J,’w > as some member of the equivalence class 
I J ,  ~1([1311 [61b 
Definition 3.7 Let a set v h k  be a processor PLs 
collection of events including processor P i s  (local) 
events, and those it observes (processor P, commu- 
nicates with processor Pk about its local events). This 
set v h k  denotes processor PLs history. Also, proces- 
sor Pk ’s knowledge or view about system execution 
is based on the events an its history v i k .  
Notice that the history h =< J , v  > is a complete 
history of a program, which contains events of the 
whole execution of the program, while the history v h ,  
of processor Pk is a partial history or a collection of 
events observed or executed by processor Pk during 
execution. 
Definition 3.8 Let ek,l,  ek,2, . . . , ek,, be the first, 
second, . . ., nth observable 
(send or receive) events of processor Pk. A n  event 
ek,m is the mth event ofprocessor 4. 
4 Event Histories 
In this section, we present algorithms for the con- 
struction of event histories to  represent system execu- 
tion. These histories will be used to  evaluate system 
specifications written in ITL formulas (described in 
the following section). First, we gives a brief introduc- 
tion to events, our model of distributed computation 
and the notation and definitions used in this chapter. 
4.1 Ordering Events 
Recall that a history v h k  is a collection of events 
observed or performed by processor Pk (process) dur- 
ing execution. Among these events, some are causally 
related, while some are not causally related (indepen- 
dent). Thus, a time-stamping scheme is necessary 
to decide causality of any two events in a history. 
What we would like is a clock scheme that imposes 
no arbitrary orderings on any two events which are 
399 
not, originally causally related. Thus, vector clocks 
(114, 15, IS]) are chosen to determine causality be- 
tween any two events. 
Vector Clock Scheme. Let Ci be the vector clock 
of process Pi, and let Ci denote the clock value after 
the execution of event ea,k. On sending a message, a 
process Pi timestamps the message by appending the 
clock value to it. When process Pi executes an event 
e ,  ,the following operations are performed on its clock 
C” 
Operation 1: for each event e ,  Pi increments its 
clock Ci on the i th component of the vector, i.e., 
Ci[i] = Ca[[i] + 1, where Ca[i] denotes the ith com- 
ponent of vector C’. 
Operation 2: for a receive event e with a vector 
timestamp T, Vm, Ca[m] = 
m a z ( C i [ [ m ] ,  T[m]), where Ci[m] andT[m] denote 
the mth components of vectors Ci and T ,  respec- 
tively. In other words, the value of each compo- 
nent of vector Ci is obtained by taking the maxi- 
mal value ,from the corresponding components of 
vectors C8 and T.  
The following definition describes the mechanism of 
deciding causality of any two time-stamped events. 
Definition 4.1 Given t w o  t i m e s t a m p s  (vectors)  C;,  
C/ for events  ei,k and e j , l ,  respectively, the relation 
(ei ,k  + e j , l )  holds, i$ 
(vr,Ci[r] 5 C { [ T ] ) / \ ( ~ S , ~ ~ [ S ]  < c { [ s ] ) .  
In ot,her words, event ei,k occurs before event e j , l ,  
if and only if all the components of Ci are less than 
or equal to the corresponding components of C{ and 
there exists a component of Ci  which is strictly less 
than that of C;. 
4.2 Correct Histories and Algorithms 
In Section 3.2, we described vector clock times- 
tamping which can be used by a processor in a dis- 
tributed system to order events from different proces- 
sors. The purpose of this subsection is to show that 
a processor Pk can construct an execution history vhk 
without a global clock and without any  moni tors .  We 
begin with the definition of correct histories and then 
present an algorithm Compute  His tory ,  which allows a 
processor Pk to construct an execution history vh, by 
collecting events occurring in the system. Finally, the 
history vhk constructed according to the algorithm is 
shown to be correct. 
Correct Histories. Recall that a history Vh, is a col- 
lection of events executed or observed by processor Pk 
during execution, and it is processor 4 ’ s  view of all 
the externally-observable events performed by other 
processors involved in a computation. The objective 
is to utilize this history to check for a violation of a 
program’s specification at run-time. Thus, it is very 
important to have correct histories. The following def- 
initions show that a history is correct with respect to 
the history h =< J , v  > iff its continuation (see Def- 
inition 4.2) is a member of the equivalence class of 
history h. 
Definition 4.2 A history h =< J ,  w > i s  a contin- 
uation of a his tory h‘ =< J ,  w‘ >, if ( 1 )  for every  
event e i n  h‘, e i s  also i n  h,  and ( 2 )  causality i n  h’ 
implies  causality i n  h. 
Definition 4.3 For a processor 4 ,  i f s  ( run- t ime)  
his tory v h k  =< J , w  > i s  correct with  respect t o  the 
his tory h =< J , v  >, if and only if the fol lowing con- 
dition holds: 
there exists a his tory (Vj,)’, a continuation 
of vh,, such that (Vh,)’ i s  a m e m b e r  of the 
equavalence class of  < J ,  v >, i . e . ,  
(Vh,)’ =< J ,  W >E [ J ,  U ] .  
Notice that, in Definition 4.3, histories h and (Vh,)’ 
are equivalent, where h is a correct and complete his- 
tory of a program and (Vh,)’ is a history resulting 
from extending the history Vh,. The following propo- 
sition shows that a his tory v h k  i s  correct, if and only  
if causakty  among events  i n  vh, as preserved during 
execution. 
Proposition 4.1 For a processor 4 ,  i t s  h is tory  
Vh, =< J , w  > as correct wi th  respect t o  a h is tory  
h =< J , v  > i f  and only zf for events  i n  v h k ,  causal- 
i t y  i n  vh, U Causality i n  h,  i . e . ,  causality i n  \%, i s  
preserved during execution. 
Proof: (if part) If the history Vj, is correct, then 
there exists a continuation (Vh,)’ =< J ,  w’ > of Vh,, 
and < J ,  w’ >E [ J ,  U ] .  In other words, < J ,  w’ > and 
< J ,  v > only differ by the order of independent opera- 
tions, which implies v and w’ have the same orderings 
for those causally related events, i.e., causality in h e 
causality in (Vh,)’. Since (Vh,)’ is a continuation of 
v h k  , for the events in v h k ,  causality in v h k  U causality 
in Vh,)’. Therefore, for the events in vh,, causality 
in Vh, is preserved during execution. 
(only-if part) From assumption for events in Vhk, 
causality in vh, causality in h, we know that h is a 
continuation of Vh, . Then, there exists a continuation 
(Vh,)’ = h of vh,, such that (Vh,)’ and h are equiva- 
lent. By Definition 4.3, the history v h k  is correct with 
respect to the history h. 0 
4.3 Computing Histories in a Non-Faulty 
Environment 
In this subsection, we present an algorithm which 
allows a processor Pk in a distributed system to  collect 
events into a history vh, , limiting ourselves, for now, 
to a non-faulty environment [17]. Later, it  will be 
shown that these histories can be utilized to detect a 
violation of processors’ run-time behaviors. 
Main idea. A processor Pk relies on communica- 
tions to find out events that have occurred in other 
in i U causality in Vh,. This implies that causality 
400 
e21 e2.2 
Figure 1: Message Passing and Event Contents 
processes, and to  collect these events into its history 
vhk. Thus, whenever there as a communication, pro- 
cesses exchange their latest observations (histories) of 
event occurrences in the system4. After the exchange, 
processors incorporate the received histories into their 
own histories. Through the exchanges of histories, ev- 
ery processor can obtain a view of the execution of all 
the other processors in the system. 
Now, we describe the contents of events, the rele- 
vant information for processors to  compute their his- 
tories. Then, examples are given to  illustrate how 
processors exchange their histories (observations) , fol- 
lowed by the algorithm Compute History. 
Definition 4.4 Let a tuple tl = (processor, war = 
va1,time) denote a timestamped local operation. Let a 
tuple t2 = (processorl, processor2, sendlreceive, 
t ime)  represent a timestamped send/receive operation 
of processorl, where processor2 is the corresponding 
communicating processor. A send/receive event e is 
denoted b y  ( t l , t l , .  . ., t l ,  t2). 
From the above, a tuple can represent a 
timestamped local operation or a time-stamped 
sendlreceive operation, and a sendlreceive event e 
contains information of local operations followed by 
an send/receive operation, i.e., ( t l , t l , . . . , t l , t 2 )  . For 
example, in Figure 1, there are two send events, el 1 
and e1,2.  The contents of these two events are as fol- 
lows. 
Events e1,l shows that at time [1,0] the value of 1: 
in processor PI is 1, and PI sent a message to Pz at 
time [2,0]. Likewise, event e1,2 shows that at time 
[3,0] the value of z in processor PI is 5 ,  and PI sent 
a message to  P2 at time [4,0]. Here, the result of a 
local operation, z = 1, is considered as part of the 
next (observable) event e1, l .  Similarly, the result of 
a local operation, 1: = 5 ,  is considered as part of the 
next (observable) event e1,2. 
Based on this example, then, how does processor P2 
incorporate the received events into its history vha? 
The following describes the incorporation of an event 
into a history. 
4Note that, for efficiency considerations, only those events 
which have not been communicated previously need to be sent. 
A run-time history v h ,  of processor Pi is computed as 
follows. During a communication, processors Pi and 
P’ exchange their respective histories Vh, and vh, . Af- 
ter the exchange, both processors incorporate the re- 
ceived history into their own histories. The following 
shows that processor Pi incorporates vh, into its his- 
tory vh,. 
Figure 2: Algorithm Compute History for processor Pi 
Definition 4.5 Given an event e ,  the incorporation 
of e into a history vh, =< J ,  a1a2. . .a, > of proces- 
sor P; as to insert e into the history Vh;, such that the 
new history vh, =< J ,  a1 ’ . . (Yk- le (Yk  . . . an > satis- 
fies the following conditions: 
1. for each m < k ,  e ft am, 
2. e --+ (Yk, i.e., e causes ( Y k .  
Therefore, in the new sequence 
( ( Y ~ . . . ( Y ~ - I ~ ( Y ~ . - . Q , ) ,  e does not cause any event 
preceding e (i.e., events a1 . . . ( Y k - l ) ,  and e causes its 
next event (i.e., event ( Y k ) .  Notice that there are many 
ways of incorporating events into a processor’s his- 
tory, since events are timestamped by vector clocks 
and they form a partial ordering instead of a total or- 
dering. However, it is important that during execu- 
tion, causality in a collected history vh, is preserved, 
and at termination, history vh, is a member of the 
equivalence class of the history h =< J ,  ZI >. The fol- 
lowing describes an incorporation of one history into 
another. 
Definition 4.6 Given two histories vh, and Vha, a 
function fi(vh, , Vha) returns a history v h z  , such that 
for each event e of v h l ,  if e as not in Vh, , then, using 
Definition 4.5, incorporate e into vha. 
The following example illustrates exchanges of obser- 
vations (histories) and incorporations of histories. 
The examples of communicating histories are in [18]. 
i.e., e does not cause any am(1 5 m < 1). 
Algorithm for a Non-Faulty Environment. AS- 
sume that there are n isolated Drocessors which can 
communicate only by two-party messages. Figure 2 
presents Algorithm Compute History, which computes 
a history of processor Pi in a non-faulty environment. 
In this algorithm, processors Pi and Pj exchange their 
respective histories vh, and vh, during a communica- 
tion. Then, processors Pa computes its new history 
vh, by incorporating events in vh, into vh, (step 1). 
Finally, processor Pi updates its clock (step 2). 
Theorem 4.1 The history, vh,, built b y  the algo- 
rithm Compute History of Figure 2, is correct in a 
non-faulty environment. 
40 1 
C , , ~ ~ - ~ ~ ~  - 
ain set examp &--, 
T’ 
cc 
Proof: By Proposition 4.1, history Vh, is correct if 
causality in Vj, is preserved during execution. Recall 
that Vj, is processor Pis collection of events during 
execution. In the algorithm, upon the receipt of his- 
tory Vh, , processor P; computes its history Vh, from 
function h(Vj,, Vh,), which incorporates events of Vh, 
into vh, according to Definition 4.5. Therefore, events 
in Vjz are in a linear order compatible with the causal 
relations -+. Also, history Vh2 is built in a non-faulty 
environment. Thus, causality in vh, is preserved. 
The reader may refer to  [18] for the algorithms for 
the faulty environments. Next we use a train set ex- 
ample to  illustrate the application of operational eval- 
uation of temporal interval formulas. 
5 Train Set Example 
In this section, we illustrate the proposed approach 
using a train set example ([19], [20]). This is an ex- 
ample of a safety-critical system which involves inter- 
actions between controllers and physical processes. In 
Figure 3, the physical process consists of circuits, C, 
and C,, and trains, Tp and T, . The circuits are divided 
into sections and the crossing section (CC) is where 
the circuits intersect. Each section has a sensor, while 
for each train there is an actuator that can stop the 
t,rain within any section. For such a safety-critical sys- 
tem, accidents will occur if the physical specification 
and the logical specification are not met. We can then 
check whether the physical specification denoted by a 
run-time history Vh, satisfies the logical specification 
denoted by ITL formulas. 
5.1 Safety Constraints 
In this subsection, we describes the safety con- 
straints of the system. These constraints are to  be 
embedded into the train set program t o  check if the 
run-time system behaves as what we expect. Figure 4 
describes the state variables to  be used. 
Definition 5.1 Let T“ denote the current time when 
train x enters section f, and let Tf  denote the point of 
time immediately before T&l. 
Notice that addition @ and subtraction 8 on sec- 
tion numbers are performed modulo the number of 
sections of the circuit. 
SC1 (Reservation constraints): for any train, the cur- 
rent occupied section (Ptrain(x))  and the following 
mcs f @ 1 sections must always be reserved. 
(Vz E T T )  
(mcsf  I)} E Rtrain(x) ,  
[p, T ; ] { P t ~ ~ i n ( z ) ,  P tra in(x)  @ 1, * .  . , Ptrain(z) @ 
mcsf denotes the maximal number of consecutive sen- 
sor failure. 
SC2 (Exclusion constraints): mutual exclusion must 
be achieved for reserved sections. In other words, if 
Rtruin(x) and Rtrain(y) are the sets of sections re- 
served, respectively, by trains x and y (x # y), then 
Rtrai~z(z) n Rtrain(y) = 0. 
Vx, y E T r  
[qsl TF](x # y ---f Rtrain(x) n Rtrain(y)  = 0 )  
SC3: if the number of consecutive sensor failures is 
greater than mcs f ,  then the system must be shut 
down. 
Vc E L,Vx, y E T r  [Kc, q$mesf](-Sen~(~, i ) A . .  .A-Sens(c, i e m c s f ) )  -+ [v , Tern f ]  E F  (Shut  D o w  n)  
The above formula can be derived from Progress 
Rule. First, we apply Progress Rule to  de- 
rive a formula *, which describes sensor failure 
on two consecutive sections as follows. To de- 
rive \E = [ y ] P t r a i n ( x )  --+ [ T ~ ’ , T ~ ] E F ( o n ( c , x )  A 
+ens(c, Ptrain(z))) ,  the following premises must 
hold: 
[qq Ptrain( x) + 
[T;]Ptrain(z) -+ 
[Tr,T:]EF(on(c, z) A ySens(c ,  Ptrain(z)))  
[T,”, T&]EF(on(c, z) A +ens(c, P t ra in (x ) ) )  
[T?, T&]E(on(c, z) A l S e n s ( c ,  P tra in(x) ) )  
Premise (1) states that the sensor of section i fails 
within the interval [y ,T:]. Likewise, Premise ( 2 )  
states that the sensor of section i @ 1 fails within the 
interval [T:,TL].  Premise (3) states that  the for- 
mula (on(c,  z) A -Sens(c, Ptrain(x)))  will hold in the 
interval [ ~ , T ~ ] .  If these three premises hold, then 
according to Progress Rule, we can conclude *, the 
sensor failure on two consecutive sections. Similarly, 
we can conclude sensor failure on (mcsf  @ 1) sections 
by applying Progress Rule. 
SC4: if an actuator ever fails, the system must be 
shut down, i.e., if an actuator is set to  stop a train 
x on section i ( [ q S ] A c t ( x ,  i)) and the train is moving 
beyond section i (ET:, T&l](Ptrain(z) > i)), then the 
system must be shut down. 
z @ l  
l e31  
(Vx E Tr)(3i E SC) 
[T:]Act(z, i) A [T:, T&l](Ptruin(z)  > i) 
---f [q”, K$l]EF(Shut-Down) 
402 
train(z1 I the set of sections that are reserved bv a train z on Circuit c I 
Shut-Down 
Sens(c , i )  
Actlz.  i )  
I sensor of section i detects a train on circuit c .  
I Act(z .  i )  is set to stoD train z on section i .  
Shut-Down holds when all trains must be stopped, i.e., all actu- 
ators are set. 
process 
Figure 4: The state variables 
Pt r P, P, 
These safety constraints govern the operation of the 
system - if they are ever violated, then there is an 
error. In other words, for a safety constraint SC, if the 
evaluation n ( v h , ,  SC) returns FALSE, then an error 
has occurred. 
5.2 Results 
In this subsection, we examine results of perfor- 
mance measurement experiments on the train set ex- 
ample. Let Pt,, P,, P, denote processes train, circuit 
and section, respectively. Also let Vht , ,  V h ,  v h ,  denote 
respectively the histories of processes Ptr, P, and P,. 
For this experiment, the trains Tp and T, of Figure 3 
have the same speed. Define a round to  be the time a 
train takes to  get back to  section i when starting from 
section i. 
Let the overhead time be the time a process takes 
to  generate a run-time history Vh, , parse ITL formulas 
and evaluate the formulas. In particular, this time 
includes the exchanges of histories, consistency check 
and incorporation of the received histories. Thus, the 
percentage of overhead incurred is (overhead time / 
tot a1 time). 
The train-set program is implemented on a SUN 
10/40 under Solaris. Consider the cases where it takes 
1, 5 and 10 minutes for a train to traverse a section. 
Figure 5 lists the percentage of overhead for processes 
Ptr,  P, and P, in 3 hours. If the section traversal 
time is 1 minute, then the percentages of overhead are 
respectively 25.83%, 9.46% and 12.09% for processes 
Pt,, P, and P,. The overhead of process Pt,. is larger 
than that of processes P, and P, because in each round 
the process Pt, performs more communications (and 
hence more auxiliary communications) than processes 
P, and P, and the communications are synchronized. 
From Figure 5, the percentage of overhead decreases 
as the section traversal time increases since most of the 
time is spent on traversing sections instead of doing 
auxiliary communications. 
In this implementation, the histories to be sent are 
reset to  empty after the auxiliary communications or 
the exchanges of histories. A process maint,ains its 
own history v h ,  together with a collection of histo- 
ries with respect to  every other process in the system. 
Whenever there is a communication between processes 
P, and Pj,  Pi and Pj exchange the histories that con- 
communication between P, and Pj . So processes only 
exchange the events which are never sent before. After 
tain new events that they have observed since the last 
5 mins/section I 6.67% I 2.43% I 3.20% 
10 mins/section I 3.46% I 1.26% I 1.67% 
Figure 5: The amount of overhead. 
the exchange, Pi and PI clean the respective histories. 
Thus, the histories to  be sent do not grow as the exe- 
cution proceeds, nor does the overhead. 
6 Summary and Conclusions 
This paper presents a formal approach which incor- 
porates formal methods to detect errors and to  guide 
fault-finding process for the development of the critical 
systems. In this approach, system behavior is speci- 
fied using a formal logic, ITL. The system behavior 
or specification can then be used as a metric to  ver- 
ify if the run-time behavior of the system satisfies its 
expected behavior (specification). 
In summary, this approach includes the following 
steps. 
1.  Specify a system using ITL formulas. 
2. Collects events and obtains an event history for 
each process in the system. This allows a process 
to have a (global) view of the execution. 
3. Perform evaluation of the ITL formulas according 
to  their collected event histories. This is to  detect 
an violation of an ITL specification at run-time. 
We built a run-time evaluation system using the 
formalisms of this paper. The simulation of scaling-up 
is underway - check if the overhead of communicating 
histories grows proportionally as the number of pro- 
cesses increases. This work will be extended to  enable 
evaluation of specifications written in other, suitable, 
temporal logic languages. Also, we will consider other 
formal languages such as 1 / 0  automata, process alge- 
bras or timed CSP for the run-time evaluation system. 
Acknowledgements 
The authors are grateful to the members of En- 
gineering Computer Laboratory of The University of 
Missouri-Rolla, who provide many helpful suggestions 
403 
and comments to this paper. The authors would also 
want to thank the anonymous referees for their con- 
structive comments. This work is supported in part by 
the National Science Foundation under Grant Num- 
bers MSS-9216479 and CDA-9222827, and, in part, 
from the Air Force Office of Scientific Research under 
contract number F49620-92-J-0546 and F49620-93-1- 
0409, and, in part by a grant from the University of 
Missouri Research Board. 
References 
[l] M. Malek, “Responsive systems: A challenge for 
the nineties,” in Proceeding EUROMICRO ’90, 
16th Symp. in Microprocessing and Micropro- 
gramming, (Amersterdam, The Netherlands), 
pp. 622-628, North Holland, 1990. 
[2] J .  Rushby, “Formal methods and the certification 
of critical systems,” in Technical Report CSL-93- 
7, 1993. 
[3] G. Tsai, M. Insall, and B. McMillin, “Ensur- 
ing value liveness of distributed software through 
Changeling,” UMR Department of Computer Sci- 
ence Technical Report Number CSC 93-03, 1993. 
[4] 6. Jard and T. Jeron, “On-line model-checking 
for finite linear temporal logic specifications,” in 
Automatic Verification Methods for Finite State 
Systems, Lecture Notes in Computer Science 407, 
pp. 189-196, 1989. 
[5] S. E. Chodrow, F. Jahanian, and M. Donner, 
“Run-time monitoring of real-time systems,” in 
IEEE Symposium on Real-Time Systems, pp. 74- 
83, 1991. 
[6] D. Peled and A. Pnueli, “Proving partial or- 
der liveness properties,” 17th Colloquium on Au- 
tomata, Language and Programming, pp. 553- 
571. 1990. 
[7] B. Moszkowski and Z. Manna, “Reasoning in in- 
terval temporal logic,” in Lecture Notes in Com- 
puter Science # l64 ,  Logic of Programs, pp. 371- 
382, 1983. 
[SI K. T .  Narayana and A. A. Aaby, “Specification of 
real-time systems in real-time temporal interval 
logic,” in Proceeding of Real-Time Systems Sym- 
posium, pp. 86-95, IEEE Computer Society, Dec. 
1988. 
[9] B.  Moszkowski, “Temporal logic for multilevel 
reasoning about hardware,” The Computer Jour- 
nal, pp. 10-18, 1985. 
[lo] R. Moszkowski, “Some very compositional tem- 
poral properties,” Tech. Rep. TR-466, Depart- 
ment of Computer Science, University of New- 
castle upon Tyne, Newcastle NE1 7RU, Great 
Britain, 1993. 
I113 G. Tsai, M. Insall, and B. McMillin, “Construct- 
ing an interval temporal logic for real-time sys- 
tems,” in 20th IFAC/IFIC Workshop in Real- 
Time Proorammino. 1995. UMR DeDartment 
of Compu‘ter Scienlck Technical Report‘ Number 
CSC 93-25. 
[12] L. Lamport, “Time, clocks and the ordering of 
events in a distributed system,” Communications 
of the ACM, vol. 21, no. 7, pp. 558-565, 1978. 
[13] A. Mazurkiewicz, “Trace semantics,” in Lecture 
Notes in Computer Science 255, 1986. 
[14] J .  Fidge, “Timestamps in message passing sys- 
tems that preserve the partial ordering,” in Pro- 
ceeding of the Tenth International Conference of 
Software Engineering, pp. 182-187, 1992. 
[15] F. Mattern, “Virtual time and global states of dis- 
tributed systems,” in Parallel and Distributed Al- 
gorithms: Proceedings of the International Work- 
shops on Parallel and Distributed Algorithms 
(M. Cosnard e t  al., eds.), pp. 215-226, Ed. El- 
sevier Science Publishers B.V., 1989. 
[16] D. Jefferson, “Virtual time,” ACM Transactions 
on Programming Language and Systems, vol. 7, 
no. 3, pp. 404-425, 1985. 
[17] H. Lutfiyya, M. Schollmeyer, and B. McMillin, 
“Formal generation of executable assertions for 
Application-Oriented Fault Tolerance,” UMR 
Department of Computer Science Technical Re- 
port Number CSC 92-15, 1992. 
[18] G. Tsai, Providing Run-Time Assurance for Re- 
sponsive Computing Systems. PhD thesis, Univer- 
sity of Missouri-Rolla, Department of Computer 
Science, Rolla, MO 65401, 1994. Technical Re- 
port Number CSC 94-030. 
[19] R. de Lemos, A. Saeed, and A. Waterworth, 
“Exception handling in real-time software from 
specification to design,” in The Second Interna- 
tional Workshop on Responsive Computing Sys- 
tems, pp. 108-121, 1992. 
[20] R. de Lemos, A. Saeed, and T. Anderson, “Anal- 
ysis of timeliness requirements in safety-critical 
systems,’’ in Lecture Notes in Computer Science 
571, Formal Techniques in Real-Tame and Fault- 
Tolerant Systems, pp. 171-192, 1992. 
404 
