URL: http://www.elsevier.nl/locate/entcs/volume65.html 19 pages
Interval Duration Logic: Expressiveness and Decidability
Paritosh K. Pandya 1,2
School of Technology and Computer Science
Tata Institute of Fundamental Research
Homi Bhabha Road, Colaba,
Mumbai 400005, India
Abstract
We investigate a variant of dense-time Duration Calculus which permits model checking using timed/hybrid automata. We define a variant of the Duration Calculus, called Interval Duration Logic, (IDL), whose models are timed state sequences [1].
A subset LIDL of IDL consisting only of located time constraints is presented. As our main result, we show that the models of an LIDL formula can be captured as timed state sequences accepted by an event-recording integrator automaton. A tool called IDLVALID for reducing LIDL formulae to integrator automata is briefly described. Finally, it is shown that LIDL has precisely the expressive power of event-recording integrator automata, and that a further subset LIDL− corresponds exactly to event-recording timed automata [2]. This gives us an automata-theoretic decision procedure for the satisfiability of LIDL− formulae.
1 Introduction
Duration Calculus (DC) [29,12] is a highly expressive logic for specifying quantitative timing properties of systems. It is closely related to the Interval Temporal Logic of Moszkowski [17]. It provides novel interval based modalities for describing behaviours.
For example, the following formula holds for a behaviour provided, in any time interval longer than 3 seconds where there is overload throughout, the alarm must be sounding at the end of the interval.
$\Box(\lceil overload \rceil \wedge \ell > 3 \Rightarrow true \frown \lceil alarm \rceil^0)$
1 Partially supported by the UNU/IIST offshore project Semantics and verification of real-time programs using Duration Calculus: Theory and Practice
2 Email: pandya@tifr.res.in
©2002 Published by Elsevier Science B. V.
254
Open access under CC BY-NC-ND license.
Pandya
Informally, this implies that once overload lasts for 3 seconds, the alarm must come on. Moreover, the alarm must then persist as long as overload lasts. In this formula, the $\Box$ modality ranges over all time intervals within the behaviour. Each such time interval gives a fragment of the behaviour. The operator $\frown$ is like concatenation (fusion) of behaviour fragments and $\lceil overload \rceil$ states invariance of overload over the behaviour fragment. Finally, $\ell$ measures the time length of the behaviour fragment (interval). Another kind of measurement is $\int P$ which measures the accumulated amount of time for which condition P holds within the interval. A precise definition of the syntax and semantics of Duration Calculus (variant) is given in Section 2.
Duration calculus (DC) was designed to be a convenient and highly expressive logic for specifying complex requirements over real-time systems [29]. Because of its high expressive power, Duration Calculus is also effective in the formulation of compositional semantics of programming notations such as Esterel and Timed CSP [25,24].
In this paper, we consider the question of model checking Duration Calculus. Duration Calculus is a dense-time interval temporal logic whose models treat propositions as boolean functions of time (also called signals by some authors [4]). Unfortunately, the automata theory for Duration Calculus models (signals) is still evolving [4] and there are no available tools supporting such models. Another well-established model of real-time computations is the timed state sequences model [1]. Timed automata for recognising such timed state sequences are well investigated and there are now mature tools such as Hytech [3], Uppaal [5] and Kronos [6] for analysing these automata. Hence, for model checking, it seems preferable to work with timed state sequences rather than signals at present.
In this paper, we define a variant of the Duration Calculus, called Interval Duration Logic, (IDL), whose models are finite timed state sequences. It is a dense-time interval logic. IDL inherits much of the expressive convenience of original Duration Calculus, and most of the case studies using DC can be easily adapted to IDL. At the same time, there are significant technical differences between DC and IDL. The key advantage of IDL over DC is the availability of timed automata recognising IDL models. These automata can be used for satisfiability checking or model checking. Due to their high expressive power, the satisfiability of both DC and IDL turns out to be undecidable in general.
As our main contribution, we present a subset LIDL of IDL consisting only of located time constraints. As our main result, we show that the models of an LIDL formula can be captured as timed state sequences accepted by a finite state event-recording integrator automaton. We also show that LIDL has precisely the expressive power of event-recording integrator automata. Moreover, a subset LIDL− of LIDL exactly corresponds to the event-recording timed automata [2] whose emptiness is decidable [1]. This gives us an automata theoretic decision procedure for the satisfiability of LIDL−. Unlike many decidable fragments of Duration Calculus, both LIDL and LIDL− are closed under all boolean operations including negation. A large number of examples of interest from Duration Calculus literature can be expressed within the subset LIDL−. Thus, we believe that LIDL− answers the quest for a dense-time Duration Calculus variant which is decidable and also practically interesting.
We have partially implemented a tool, called IDLVALID, which performs the reduction of LIDL formulae into event-recording integrator automata. A small example of its use is presented at the end of the paper. The resulting automata can be analysed using tools such as Hytech [3], Uppaal [5] and Kronos [6] to establish the satisfiability (validity) of LIDL formulae. Moreover, the generated automata can be used as observers for model checking LIDL properties [21].
The rest of the paper is organised as follows. The Interval Duration Logic is defined in Section 2. A minepump controller specification is given in Section 2.1 to illustrate the use of IDL. The subset LIDL is defined in Section 3, and the reduction of LIDL formulae to event-recording automata is given in Section 4. An example of this reduction, implemented using the tool IDLVALID, is given in Section 5. The paper ends with a discussion.
2 Interval Duration Logic
Let Pvar be the set of propositional variables (called state variables in DC). The set of states is $\Sigma = 2^{Pvar}$, consisting of the set of subsets of Pvar. Let $\omega$ be the set of natural numbers $\{0, 1, \ldots\}$.
Definition 2.1 A timed state sequence over Pvar is a pair $\theta = (\sigma, \tau)$ where
• $\sigma = s_0 s_1 \ldots s_{n-1}$ with $s_i \in 2^{Pvar}$ is a finite non-empty sequence of states, and
• $\tau = t_0 t_1 \ldots t_{n-1}$ is a finite sequence of time stamps such that $t_i \in \mathbb{R}_{\geq 0}$ with $t_0 = 0$ and $\tau$ is non-decreasing.
Let $dom(\theta) = \{0, \ldots, n-1\}$ be the set of positions within the sequence $\theta$. Also, let the length of $\theta$ be $\#\theta = n$. A sequence $\theta'$ is called a p-variant of $\theta$ if $\#\theta = \#\theta'$ and for all $q \neq p$, we have $q \in \theta'(i)$ iff $q \in \theta(i)$.
Here, it is assumed that the system evolves by discrete steps (transitions). Element $s_i$ denotes the i'th state and $t_i$ gives the time at which this state is entered. Thus, the system remains in state $s_i$ for the time interval $[t_i, t_{i+1})$ which includes time $t_i$ but excludes time $t_{i+1}$. Note that in a timed state sequence there may be several positions with the same time-stamp, representing that several steps of computation take place at the same observable macro-time. In the literature this is sometimes called super-dense computation (see [24] for its use). We shall also refer to timed state sequences as behaviours.
Let Prop be the set of propositions over Pvar with the following abstract syntax. Let p range over Pvar and let P, Q range over Prop.
$0 \mid 1 \mid p \mid P \wedge Q \mid \neg P \mid \ominus P$
Here, 0 denotes the proposition false and 1 represents true.
The truth of a proposition P can be evaluated at any position i in $dom(\theta)$. Boolean combinators have their usual meaning. $\ominus P$ holds at a position i provided P holds at the previous position in the timed state sequence. We give a few clauses of this definition, omitting the rest.
$\theta, i \models p$ iff $p \in s_i$
$\theta, i \models \ominus P$ iff $i > 0$ and $\theta, i-1 \models P$
Other boolean combinators $\vee, \Rightarrow, \ldots$ can be defined in the standard fashion. We also define some more operators.
$\uparrow P \stackrel{def}{=} (\ominus \neg P) \wedge P$
$\Uparrow P \stackrel{def}{=} (\neg \ominus P) \wedge P$
Similarly, $\downarrow P$ and $\Downarrow P$ can also be defined. Note that $\neg \ominus P$ is true at position 0 whereas $\ominus \neg P$ is false. At all other positions, they are identical.
Logic IDL is a form of interval temporal logic. The set of intervals within a timed state sequence $\theta$ can be defined as follows, where [b, e] denotes a pair of positions.
$Intv(\theta) = \{[b, e] \in dom(\theta)^2 \mid b \leq e\}$
Each interval uniquely identifies a subsequence of $\theta$.
Syntax of Interval Duration Logic
Let p, q range over propositional variables from Pvar, let P, Q range over propositions and $D_1, D_2$ range over IDL formulae. Let $c_i$ range over integer constants and $c_r$ range over rational constants.
$D ::= \lceil P \rceil^0 \mid \lceil P \rceil \mid D_1 \frown D_2 \mid \overleftarrow{\Diamond} D \mid D_1 \wedge D_2 \mid \neg D \mid \exists p.D \mid \eta\ op\ c_i \mid \Sigma P\ op\ c_i \mid \ell\ op\ c_r \mid \int P\ op\ c_r$
where $op \in\ < \mid > \mid = \mid \leq \mid \geq$.
Formulae of the form $\eta\ op\ c_i$ or $\Sigma P\ op\ c_i$ are called discrete measurement formulae, whereas formulae of the form $\ell\ op\ c_r$ and $\int P\ op\ c_r$ are called dense measurement formulae 3.
3 We can easily extend measurement formulae to comparison of two terms involving arithmetic operators as in full Duration Calculus, e.g. $20 * \int P < \ell$.
Semantics of IDL
We define the truth of an Interval Duration Logic formula D within a timed state sequence $\theta$ and interval [b, e]. This is denoted by $\theta, [b, e] \models D$.
$\theta, [b, e] \models \lceil P \rceil^0$ iff $b = e$ and $\theta, b \models P$
$\theta, [b, e] \models \lceil P \rceil$ iff $b < e$ and for all $t : b < t < e.\ \theta, t \models P$
$\theta, [b, e] \models D_1 \frown D_2$ iff for some $m : b \leq m \leq e.\ \theta, [b, m] \models D_1$ and $\theta, [m, e] \models D_2$
$\theta, [b, e] \models \overleftarrow{\Diamond} D$ iff for some $b' \leq b : \theta, [b', e] \models D$
$\theta, [b, e] \models D_1 \wedge D_2$ iff $\theta, [b, e] \models D_1$ and $\theta, [b, e] \models D_2$
$\theta, [b, e] \models \neg D$ iff $\theta, [b, e] \not\models D$
We also have existential quantification over propositional letters:
$\theta, [b, e] \models \exists p.D$ iff $\theta', [b, e] \models D$ for some $\theta'$ which is a p-variant of $\theta$.
Now we consider the semantics of measurement formulae. Logic IDL has four different types of measurement terms.
$\eta \mid \Sigma P \mid \ell \mid \int P$
These represent some specific quantitative measurements over the behaviour in a given interval. We shall denote the value of a measurement term t in a timed state sequence $\theta$ and an interval [b, e] by $eval(t)(\theta, [b, e])$. This is defined below.
• Step length $\eta$ gives the number of steps within a given interval.
$eval(\eta)(\theta, [b, e]) = e - b$
• Time length $\ell$ gives the amount of real-time spanned by a given interval.
$eval(\ell)(\theta, [b, e]) = t_e - t_b$
• Step count $\Sigma P$ counts the number of states for which P holds in the (right-closed-left-open) interval.
$eval(\Sigma P)(\theta, [b, e]) = \sum_{i=b}^{e-1} \sigma(i)(P)$
• Duration $\int P$ gives the amount of real-time for which proposition P holds in a given interval.
$eval(\int P)(\theta, [b, e]) = \sum_{i=b}^{e-1} \begin{cases} t_{i+1} - t_i & \text{if } \sigma, i \models P \\ 0 & \text{if } \sigma, i \not\models P \end{cases}$
Now we can define the semantics of measurement formulae as follows.
$\theta, [b, e] \models t\ op\ c$ iff $eval(t)(\theta, [b, e])\ op\ c$
Finally, a formula D holds for a timed state sequence $\theta$ if it holds for the full interval spanning the whole sequence.
$\theta \models D$ iff $\theta, [0, \#\theta - 1] \models D$
$\models D$ iff $\theta \models D$ for all $\theta$
Derived Operators
Note that $\lceil 1 \rceil^0$ holds for all point intervals whereas $\lceil 1 \rceil$ holds for all extended intervals. Formula $\lceil P \rceil^0 \frown true$ states that P is true at the beginning of the interval. Now we define some derived operators.
• $\lceil\lceil P \rceil\rceil \stackrel{def}{=} (\lceil P \rceil^0 \frown \lceil P \rceil \frown \lceil P \rceil^0)$ states that proposition P holds invariantly over the closed interval [b, e] including the endpoints. Also, the left-closed variant is defined as $(\lceil P \rceil^0 \frown \lceil P \rceil)$. $\lceil P \rceil^+ \stackrel{def}{=} (\lceil P \rceil \vee \lceil P \rceil^0)$. Similarly, $\lceil\lceil P \rceil\rceil^+$ etc.
• $unit \stackrel{def}{=} \lceil 0 \rceil$ holds for intervals of the form [b, b+1].
• $\lceil P \rceil^1 \stackrel{def}{=} \lceil P \rceil^0 \frown unit$ holds for one step (two state) intervals where P is true at the beginning.
• $\Diamond D \stackrel{def}{=} true \frown D \frown true$ holds provided D holds for some subinterval.
• $\Box D \stackrel{def}{=} \neg \Diamond \neg D$ holds provided D holds for all subintervals.
• We can specify the stability of a proposition as follows.
$stable(P, \delta) \stackrel{def}{=} \Box(\lceil \Uparrow P \rceil^0 \frown (\ell < \delta) \Rightarrow \lceil\lceil P \rceil\rceil^+)$
This states that once P becomes true, it must hold for $\delta$ time. Note that this also applies to P being true initially.
• $\lceil P \rceil \xrightarrow{\ \delta\ } \lceil Q \rceil^0 \stackrel{def}{=} \neg \Diamond(\lceil P \rceil \wedge \ell \geq \delta \frown \lceil \neg Q \rceil^0)$
[Timing diagram for this operator: P holds throughout, Q becomes true within $\delta$, annotated "Q", "$\delta$", "P < $\delta$".]
This operator specifies that if P holds continuously for $\delta$ or more time, then Q must become true within the first $\delta$ time. Moreover, Q must then persist as long as P persists. Note that nothing is specified about the value of Q otherwise.
• $\lceil\lceil P \rceil\rceil^+ \xleftarrow{\ <\delta\ } \lceil Q \rceil^0 \stackrel{def}{=} \neg \Diamond(\lceil \Uparrow P \rceil^0 \frown (\lceil\lceil P \rceil\rceil^+ \wedge \ell < \delta) \frown \lceil \neg Q \rceil^0)$
[Timing diagram for this operator: P becomes true and persists, Q holds during the first $\delta$ time, annotated "Q", "$\delta$", "P < $\delta$".]
This operator specifies that once P becomes true, for the first $\delta$ time, while P persists Q will also be true.
The last three operators are adapted from Ravn [27] where a systematic methodology for specifying and verifying real-time systems has been expounded. It is possible to define many subtle variants of these operators in IDL. Note that the operator $\overleftarrow{\Diamond} D$ provides a backward expanding modality not usually considered in DC. This operator, together with a forward expanding modality, was first investigated by Halpern and Shoham [9]. We will make significant use of it later in the paper.
2.1 Mine pump
A mine has water seepage which must be removed by operating a pump. There is a high water sensor. In response to water being high, a pump may be operated. The pump must not operate if the water is not high. The mine also has pockets of methane which escape. The presence of methane is detected by a sensor. When there is methane, all electrical activity including the pump must be shut down to prevent explosion.
We shall present a model of the mine pump system in IDL and establish that under suitable assumptions the water level never becomes dangerous.
• HH2O: Water level is high.
• DH2O: Water level is dangerous.
• HCH4: Methane level is high.
• PumpOn: The pump is operating.
Water Seepage Assumptions
High water level occurs before Danger water level. (Sensor is reliable.)
$As1 \stackrel{def}{=} \Box(\lceil DH2O \rceil \Rightarrow \lceil\lceil HH2O \rceil\rceil^+)$
It takes at least w seconds for the water level to turn dangerous after reaching the high water level.
$As2 \stackrel{def}{=} \lceil\lceil HH2O \rceil\rceil^+ \xleftarrow{\ <w\ } \lceil \neg DH2O \rceil^0$
This property specifies a minimum separation of w time between the water level becoming high and its becoming dangerous. The value of w must be calculated based on estimates of the rate of water seepage.
Pump control
Pump enabling condition: It is safe to operate the pump only when water is high and there is no methane.
$SafePump \stackrel{def}{=} HH2O \wedge \neg HCH4$
The pump is started within $\delta$ seconds of it being enabled. The pump will remain on while it is enabled.
$Pc1 \stackrel{def}{=} \lceil SafePump \rceil \xrightarrow{\ \delta\ } \lceil PumpOn \rceil^0$
The pump is stopped within $\delta$ seconds of being disabled.
$Pc2 \stackrel{def}{=} \lceil \neg SafePump \rceil \xrightarrow{\ \delta\ } \lceil \neg PumpOn \rceil^0$
The conjunction of the above two properties is called PumpControl.
Pump Capacity Assumption
The pump can bring the water level down below the high water level within $\epsilon$ seconds (from any starting condition).
$As3 \stackrel{def}{=} \lceil PumpOn \rceil \xrightarrow{\ \epsilon\ } \lceil \neg HH2O \rceil^0$
Methane Release Assumptions
Between two occurrences of Methane Release there are at least $\zeta$ seconds.
$As4 \stackrel{def}{=} \Box(\lceil \downarrow HCH4 \rceil^0 \frown \lceil \neg HCH4 \rceil \frown \lceil HCH4 \rceil^0 \Rightarrow \ell > \zeta)$
The high methane level lasts at most $\kappa$ time units.
$As5 \stackrel{def}{=} \Box(\lceil HCH4 \rceil \Rightarrow \ell < \kappa)$
$As6 \stackrel{def}{=} (2 * (\delta + \epsilon) + \kappa) < w < \zeta$
Verification Condition
$(As1 \wedge As2 \wedge As3 \wedge As4 \wedge As5 \wedge As6 \wedge PumpControl) \Rightarrow (\Sigma DH2O = 0)$
The reader is urged to convince himself that the above verification condition is indeed valid. Liu Zhiming [15] has established the correctness of a somewhat similar specification of the Mine pump using the proof rules of Duration Calculus. In Section 4 we shall discuss how this condition can be automatically verified using a validity checking procedure for some given values of the constants $\delta, w, \epsilon, \kappa, \zeta$.
2.2 Decidability
Theorem 2.2 The satisfiability of IDL formulae is undecidable. ✷
The proof is a straightforward variant of the undecidability proof for Duration Calculus [30], where for every 2-counter machine a formula can be constructed such that every model of the formula defines a halting run of the 2-counter machine. We omit the proof here.
Sub-logic QDDC
Consider the subset of IDL where dense-time measurement constructs of the form $\ell\ op\ c_r$ or $\int P\ op\ c_r$ are not used. This subset is called Quantified Discrete-time Duration Calculus, (QDDC). Note that discrete time measurement constructs $\eta\ op\ c_i$ or $\Sigma P\ op\ c_i$ can still be used.
Theorem 2.3 For every QDDC formula D over variables Pvar, we can effectively construct a finite state automaton A(D) over the alphabet $2^{Pvar}$ such that for all state sequences $\sigma \in (2^{Pvar})^*$,
$\sigma \models D$ iff $\sigma \in L(A(D))$
Hence, satisfiability of QDDC formulae is decidable. ✷
A separate paper gives details of logic QDDC and its automata theoretic decision procedure [20]. We omit these proofs here. A tool called DCVALID has been implemented for model checking of QDDC formulae [19,20]. As the tool constructs the automaton representing models of a formula, this can be used to visualise models and counter models, and also for model checking the specification against designs [21,23].
It should be mentioned that the lower bound on the size of the automaton A(D), in the worst case, is non-elementary. However, such blowup is rarely observed in practice and we have been able to check validity of many reasonably sized formulae with our tool DCVALID [19,20,23]. DCVALID is implemented using MONA [13], which is a sophisticated tool for deciding logic WS1S.
3 Located Constraints
We now consider the question of finding a reasonable subset of IDL with dense measurements which is decidable. The key idea is that we restrict the use of dense measurement formulae to Located Constraints.
A located constraint has the form $P \leadsto M$ where P is a proposition and M is a dense time constraint of the form $\ell\ op\ c_r$ or $\int Q\ op\ c_r$. Proposition P is called the anchor and M is called the constraint. Such a formula is read as: since last P, constraint M holds.
Definition 3.1 Semantics of located constraints:
$(P \leadsto M) \stackrel{def}{=} \lceil 1 \rceil^0 \wedge \overleftarrow{\Diamond}(M \wedge (\lceil P \rceil^0 \frown \lceil \neg P \rceil))$
Proposition 3.2 Semantics of located constraints.
$\theta, [b, e] \models (P \leadsto M)$ iff $b = e$ and $\exists b' < b.\ \theta, b' \models P$ and $\forall b' < b'' < e.\ \theta, b'' \not\models P$ and $\theta, [b', e] \models M$
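The semantic clauses of Section 2 and the located constraints of Definition 3.1 and Proposition 3.2 can be executed directly. The following Python evaluator is an added example written for this edition (it is not code from the paper or from the IDLVALID tool): it implements propositions with $\ominus$, the interval modalities including $\overleftarrow{\Diamond}$ and $\exists p$, the four measurement terms, the derived operators $\Diamond$ and $\Box$, and $(P \leadsto M)$ exactly as in Definition 3.1, and then checks Definition 3.1 against Proposition 3.2 on every interval of a constructed behaviour. The tuple encoding of formulae, the helper names (holds, sat, eval_term, LOCATED, located_direct, behaviour) and the two sample timed state sequences are assumptions of this example; the overload/alarm requirement is the one from the introduction.

```python
from fractions import Fraction
from itertools import product
import operator

# Comparison operators op in < | > | = | <= | >=
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "<=": operator.le, ">=": operator.ge}

# A timed state sequence theta = (sigma, tau): sigma is a list of frozensets holding the
# variables true in state s_i, tau the list of time stamps t_i with t_0 = 0.

def holds(theta, i, P):
    """theta, i |= P for propositions 0, 1, a variable name, ('not', P), ('and', P, Q)
    and ('prev', P), the previous-state operator."""
    sigma, _ = theta
    if P in (0, 1):
        return bool(P)
    if isinstance(P, str):
        return P in sigma[i]
    if P[0] == "not":
        return not holds(theta, i, P[1])
    if P[0] == "and":
        return holds(theta, i, P[1]) and holds(theta, i, P[2])
    if P[0] == "prev":
        return i > 0 and holds(theta, i - 1, P[1])
    raise ValueError(P)

def eval_term(theta, b, e, term):
    """eval(t)(theta, [b, e]) for the terms 'eta', 'ell', ('sum', P) and ('int', P)."""
    sigma, tau = theta
    if term == "eta":
        return e - b                                   # step length
    if term == "ell":
        return tau[e] - tau[b]                         # time length
    kind, P = term
    if kind == "sum":                                  # step count over positions b..e-1
        return sum(1 for i in range(b, e) if holds(theta, i, P))
    if kind == "int":                                  # duration: dwell times of the P-states
        return sum(tau[i + 1] - tau[i] for i in range(b, e) if holds(theta, i, P))
    raise ValueError(term)

def sat(theta, b, e, D):
    """theta, [b, e] |= D, one clause per IDL construct."""
    tag = D[0]
    if tag == "pt":                                    # [P]^0: point interval with P at b
        return b == e and holds(theta, b, D[1])
    if tag == "inv":                                   # [P]: P at every t with b < t < e
        return b < e and all(holds(theta, t, D[1]) for t in range(b + 1, e))
    if tag == "chop":                                  # D1 ^ D2: split at some b <= m <= e
        return any(sat(theta, b, m, D[1]) and sat(theta, m, e, D[2]) for m in range(b, e + 1))
    if tag == "back":                                  # backward diamond: some b' <= b
        return any(sat(theta, b2, e, D[1]) for b2 in range(b + 1))
    if tag == "and":
        return sat(theta, b, e, D[1]) and sat(theta, b, e, D[2])
    if tag == "not":
        return not sat(theta, b, e, D[1])
    if tag == "meas":                                  # t op c
        term, op, c = D[1:]
        return OPS[op](eval_term(theta, b, e, term), c)
    if tag == "exists":                                # exists p.D: try every p-variant of theta
        p, body = D[1:]
        sigma, tau = theta
        return any(sat(([s | {p} if bit else s - {p} for s, bit in zip(sigma, bits)], tau), b, e, body)
                   for bits in product((False, True), repeat=len(sigma)))
    raise ValueError(D)

# Derived operators, built as in the paper
def NOT(D): return ("not", D)
def AND(D1, D2): return ("and", D1, D2)
def OR(D1, D2): return NOT(AND(NOT(D1), NOT(D2)))
def IMPLIES(D1, D2): return OR(NOT(D1), D2)
TRUE = OR(("pt", 1), ("inv", 1))                       # holds on point and on extended intervals
def DIAMOND(D): return ("chop", TRUE, ("chop", D, TRUE))
def BOX(D): return NOT(DIAMOND(NOT(D)))
def LOCATED(P, M):                                     # (P ~> M) as in Definition 3.1
    return AND(("pt", 1), ("back", AND(M, ("chop", ("pt", P), ("inv", ("not", P))))))

def located_direct(theta, b, e, P, M):
    """Proposition 3.2 read off directly: b = e, some b' < b with P, no P strictly
    between b' and e, and M on [b', e]."""
    return b == e and any(holds(theta, b2, P)
                          and not any(holds(theta, i, P) for i in range(b2 + 1, e))
                          and sat(theta, b2, e, M) for b2 in range(b))

def models(theta, D):
    return sat(theta, 0, len(theta[0]) - 1, D)

def def_and_prop_agree(theta, P, M):
    """Compare Definition 3.1 with Proposition 3.2 on every interval of theta."""
    n = len(theta[0])
    return all(sat(theta, b, e, LOCATED(P, M)) == located_direct(theta, b, e, P, M)
               for b in range(n) for e in range(b, n))

def behaviour(spec):
    """Constructed timed state sequence from a list of (time stamp, set of true variables)."""
    return ([frozenset(s) for _, s in spec], [Fraction(t) for t, _ in spec])

# Requirement from the introduction: Box([overload] /\ ell > 3 => true ^ [alarm]^0)
OVERLOAD = BOX(IMPLIES(AND(("inv", "overload"), ("meas", "ell", ">", 3)), ("chop", TRUE, ("pt", "alarm"))))
# Two constructed behaviours: the alarm comes on at time 5 in the first, only at time 6 in the second
THETA_OK = behaviour([(0, set()), (1, {"overload"}), (2, {"overload"}), (3, {"overload"}),
                      (5, {"overload", "alarm"}), (6, {"alarm"})])
THETA_BAD = behaviour([(0, set()), (1, {"overload"}), (2, {"overload"}), (3, {"overload"}),
                       (5, {"overload"}), (6, {"alarm"})])

if __name__ == "__main__":
    print(models(THETA_OK, OVERLOAD), models(THETA_BAD, OVERLOAD))   # True False
    print(eval_term(THETA_OK, 0, 5, ("int", "overload")))            # 5
```

Since $\lceil P \rceil$ only constrains the positions strictly between b and e, THETA_OK satisfies the requirement although overload is false at position 0 and the interval [0, 4] is longer than 3. The $\exists p$ clause enumerates all $2^{\#\theta}$ p-variants, which is adequate for the six-state samples here but exponential in general.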
Interval Duration Logic with Located Constraints (LIDL)
The subset of IDL where dense-time properties occur only as located constraints is called IDL with located constraints (LIDL).
The syntax of logic LIDL is defined below. Let
$D ::= \lceil P \rceil^0 \mid \lceil P \rceil \mid D_1 \frown D_2 \mid \overleftarrow{\Diamond} D \mid D_1 \wedge D_2 \mid \neg D \mid \exists p.D \mid \eta\ op\ c_i \mid \Sigma P\ op\ c_i \mid (P \leadsto M)$
$M ::= \ell\ op\ c_r \mid \int Q\ op\ c_r$
$op \in\ < \mid > \mid = \mid \leq \mid \geq$
The syntactic restriction is that a located constraint sub-formula $(P \leadsto M)$ does not occur in the scope of any $\exists p$ if $p \in var((P \leadsto M))$.
Let LIDL− denote the set of LIDL formulae which do not use any term of the form $\int P$. Note that the term $\ell$ can still be used, as shown in the examples below.
Examples
Logic LIDL− is expressive enough to state many of the timing requirements we have encountered in Duration Calculus case studies. These requirements typically have the form of the formulae given in the minepump example (Section 2.1). We show how these can be formulated in the sub-logic LIDL−. All the formulae mentioned below refer to the Minepump specification of Section 2.1.
• Consider the formula As4 of Section 2.1. This formula states a minimum time separation between two events. In LIDL it can be stated as:
$\Box(\lceil \downarrow HCH4 \rceil^0 \frown \lceil \neg HCH4 \rceil \frown \lceil HCH4 \rceil^0 \Rightarrow true \frown (\downarrow HCH4 \leadsto \ell \geq \zeta))$
• Consider the formula As5 in Section 2.1. This formula puts an upper bound on the time of existence of condition HCH4. In LIDL this can be stated as:
$\Box(\lceil HCH4 \rceil \rightarrow true \frown (\Uparrow HCH4 \leadsto \ell \leq \kappa))$
• The first formula Pc1 of the pump control specification can be stated as:
$\Box((\lceil SafePump \rceil \frown (\Uparrow SafePump \leadsto \ell \geq \delta)) \Rightarrow true \frown \lceil PumpOn \rceil^0)$
• The water seepage assumption As2 can be formulated as:
$\Box((\lceil\lceil HH2O \rceil\rceil^+ \frown (\Uparrow HH2O \leadsto \ell < w)) \Rightarrow true \frown \lceil \neg DH2O \rceil^0)$
The last two formulae are examples of "arrow" operators of Ravn [27]. All the formulae of the Minepump example can be expressed in LIDL− in this fashion.
4 Decidability of LIDL−
We first introduce the notion of event recording integrator automata before considering decidability.
Integrator Automata
These are a sub-class of hybrid automata where only clocks (whose rate is always 1) or integrators (whose rate is either 0 or 1) are used [14].
An Integrator Automaton AT is the tuple $(Q, \Sigma, q_0, F, C, \delta)$. It has a finite set of states Q with initial state $q_0$, an alphabet $\Sigma$, a set of final states F, a set of integrators (clocks) C and a transition relation $\delta$. The transition relation has the type
$\delta \subseteq Q \times \Sigma \times 2^C \times \Phi_C \times [C \to \{0, 1\}] \times Q$
where each transition $(q, a, X, \phi, \gamma, q')$ is guarded by a condition $\phi \in \Phi_C$ and it resets a subset of integrators X. The condition $\phi$ is a conjunction of constraints of the form $x\ op\ r$ where $x \in C$ is an integrator and r is a rational constant. The integrator rate assignment $\gamma : C \to \{0, 1\}$ assigns to each integrator a rate 0 or 1.
An integrator valuation $\nu : C \to \mathbb{R}$ assigns to each integrator a real (time) value. $\nu + \gamma \cdot t$ increments those integrators whose rate is 1 by amount t, i.e. $(\nu + \gamma \cdot t)(c) = \nu(c) + \gamma(c) \cdot t$, and $\nu \oplus [X \to 0]$ replaces the value of each integrator in X by 0, i.e. $(\nu \oplus [X \to 0])(c)$ is 0 if $c \in X$ and $\nu(c)$ otherwise.
A run of AT is a finite sequence of the form
$(q_0, \nu_0, e_0) \xrightarrow{a_0, X_0, \gamma_0} (q_1, \nu_1, e_1) \ldots (q_{n-1}, \nu_{n-1}, e_{n-1}) \xrightarrow{a_{n-1}, X_{n-1}, \gamma_{n-1}} (q_n, \nu_n, e_n)$
where (a) $q_0$ is the initial state, (b) $\nu_0(x) = 0$ for each $x \in C$, (c) $e_i \in \mathbb{R}$ gives the amount of real-time spent in state $q_i$, with $e_0 = 0$, (d) for each $i > 0$, let the valuation $\nu'_i = \nu_i + \gamma_{i-1} \cdot e_i$, and $\nu'_0(x) = 0$ for all x. Let $\nu_{i+1} = \nu'_i \oplus [X_i \to 0]$. Then, for each i, we must have some $\phi_i \in \Phi_C$ such that $(q_i, a_i, X_i, \phi_i, \gamma_i, q_{i+1}) \in \delta$ and $\nu'_i \models \phi_i$.
The timed state sequence of the run is $(\sigma, \tau)$ with $\sigma = (a_0, a_1, \ldots, a_{n-1})$ and $\tau = (t_0, t_1, \ldots, t_{n-1})$. Here $t_0 = 0$ and $t_{i+1} = t_i + e_{i+1}$.
The run is accepting if the last state $q_n \in F$. The language of the automaton, L(AT), is the set of timed state sequences arising from all accepting runs of AT.
In an event recording integrator automaton, the resetting of integrators is determined by the alphabet associated with the transition, and the integrator rates are also determined by the alphabet. Thus, there are functions
$reset : \Sigma \to 2^C$
$rate : \Sigma \to [C \to \{0, 1\}]$
such that for any transition $(q, a, X, \phi, \gamma, q') \in \delta$, we have $X = reset(a)$ and $\gamma = rate(a)$.
An integrator automaton is called a timed automaton if for all transitions and for all integrators x, we have $\gamma(x) = 1$, i.e. integrator rates are always 1. Such integrators are called clocks. An event recording integrator automaton meeting the above condition is called an event recording timed automaton. This is an important sub-class of timed automata which can be determinized and also complemented [2].
Decidability
We follow an automata theoretic approach to deciding LIDL formulae.
Theorem 4.1 For every $D \in LIDL$ we can effectively construct an event recording integrator automaton A(D) such that
$\theta \models D$ iff $\theta \in L(A(D))$
Moreover, if $D \in LIDL^-$, i.e. it is free of terms $\int P$, then A(D) is an event recording timed automaton. ✷
We shall outline the proof of this main theorem later in this section.
Corollary 4.2 Satisfiability of any LIDL− formula is decidable.
Proof. By Theorem 4.1, for any formula D of LIDL−, we can construct an event-recording timed automaton A(D) accepting the models of D. Since the emptiness of timed automata in general is decidable [1], we can determine whether D has any models. ✷
Theorem 4.3 For every event recording integrator automaton A we can construct a formula $D(A) \in LIDL$ such that
$\theta \models D(A)$ iff $\theta \in L(A)$
Moreover, if A is an event recording timed automaton (i.e. uses only clocks), then $D(A) \in LIDL^-$, i.e. it does not use terms of the form $\int P$. ✷
We omit the proof of this theorem. It can be found in the full version of the paper. An encoding of accepting runs of Timed Buchi Automata into Duration Calculus was given in [18]. A similar encoding can be used here.
Thus, LIDL has exactly the expressive power of event recording integrator automata, and LIDL− has exactly the expressive power of event recording timed automata.
4.1 Proof of Theorem 4.1
We now give an outline of the proof of our main theorem, Theorem 4.1. A detailed proof will be available in the full version of this paper.
Our aim is to construct an integrator automaton A(D) for a given LIDL formula D. Let the formula be $D(\phi_1, \ldots, \phi_k)$ where $\phi_i$ denotes an occurrence of a located constraint $P_i \leadsto M_i$. Let $var(D) = Pvar$. Let $TW(Pvar)$ denote the set of all timed state sequences over Pvar. We shall give the construction of A(D) in a series of steps.
Step 1
Let $Lvar = L_1, \ldots, L_k$ be fresh propositional variables. We will use $L_i$ as a witness for $\phi_i$.
Definition 4.4 Let $\theta' \in TW(Pvar \cup Lvar)$. Define $\theta'$ to be consistent if $\#\theta' = \#\theta$ and $\forall i \in dom(\theta')$, $\theta', i \models L_i$ iff $\theta, i \models \phi_i$.
Let CONSIST be the set of consistent timed state sequences. For $\theta \in TW(Pvar)$, let $\hat{E}(\theta) \in TW(Pvar \cup Lvar)$ denote the unique consistent extension of $\theta$.
Step 2
Define the witness formula as follows.
$witness(P, L) \stackrel{def}{=} \lceil L \rceil^0 \wedge \overleftarrow{\Diamond}(\lceil P \rceil^0 \frown \lceil \neg P \rceil)$
Let $E(D) \stackrel{def}{=} D[\, witness(P_i, L_i) \wedge \phi_i \,/\, \phi_i \,]$
$U(D) \stackrel{def}{=} D[\, witness(P_i, L_i) \,/\, \phi_i \,]$
Claim 4.5 For all $\theta' \in CONSIST$,
$\theta' \models D$ iff $\theta' \models E(D)$ iff $\theta' \models U(D)$
Step 3
Let U(D) be as above. Note that $U(D) \in QDDC$. By Theorem 2.3, we can construct a total and deterministic automaton A(U(D)) accepting exactly the models of U(D). Denote by $\hat{L}(A(U(D)))$ the set of timed state sequences over $Pvar \cup Lvar$ whose untimed parts are in L(A(U(D))), the language of words accepted by A(U(D)).
Claim 4.6 For all $\theta' \in CONSIST$, $\theta' \models U(D)$ iff $\theta' \in \hat{L}(A(U(D)))$
Step 4
We construct an Integrator Automaton A' from A(U(D)) as follows.
• For each $\phi_i$ we introduce an $x_i$. If $\phi_i = P_i \leadsto \ell\ op\ c_i$ then $x_i$ is a clock. If $\phi_i = P_i \leadsto \int Q_i\ op\ c_i$ then $x_i$ is an integrator.
• Let $Q(A') = Q(A(U(D)))$, with the same initial and final states as A(U(D)). For every transition $s \xrightarrow{v} s'$ in A(U(D)), we define a corresponding transition $s \xrightarrow{v, \psi} s'$ in A', where the test $\psi \in \Phi_C$ is given below. Recall that $v \in (Pvar \cup Lvar \to \{0, 1\})$. Test $\psi$ is the conjunction of the set of clock constraints
$\{x_i\ op_i\ c_i \mid v \models L_i\} \cup \{\neg(x_i\ op_i\ c_i) \mid v \not\models L_i\}$
where $\phi_i$ is $P_i \leadsto \ell\ op_i\ c_i$ or $P_i \leadsto \int Q_i\ op_i\ c_i$.
• The reset and rate functions are defined as follows. Recall that integrator $x_j$ is introduced for a located constraint $\phi_j$.
$rate(v)(x_j) = \begin{cases} 1 & \text{if } x_j \text{ is a clock} \\ 1 & \text{if } \phi_j = (P_j \leadsto \int Q_j\ op\ c_j) \text{ and } v \models Q_j \\ 0 & \text{otherwise} \end{cases}$
$reset(v) = \{x_j \mid \phi_j = (P_j \leadsto M_j) \text{ and } v \models P_j\}$
This completes the construction of A'.
Claim 4.7 For all $\theta' \in CONSIST$, we have $\theta' \in L(A(U(D)))$ iff $\theta' \in L(A')$.
Claim 4.8 If $\theta' \in L(A')$ then $\theta' \in CONSIST$.
Step 5
Note that L(A') has alphabet $2^{Pvar \cup Lvar}$. By projecting the alphabet to $2^{Pvar}$, we get the desired automaton A'' s.t.
$\theta \models D$ iff $\theta \in L(A'')$ ✷
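As an added example (code written for this edition, not the paper's or IDLVALID's), the following Python code implements the run semantics of event recording integrator automata given at the start of Section 4 and Steps 4 and 5 of the construction above, and exercises them on the LIDL− formula $D = true \frown (P \leadsto \ell \geq 2)$. The untimed automaton for $U(D)$ is hand-built here (the paper obtains it from DCVALID); its state names s0 to s4, the integrator names x0, x1, ..., the class and function names and the sample behaviours are assumptions of this example. Acceptance by the projected automaton A'' is compared with the direct semantics of Proposition 3.2 over every P-pattern of length four for three constructed time-stamp vectors.

```python
from fractions import Fraction
from itertools import product
import operator

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq, "<=": operator.le, ">=": operator.ge}

class ERIA:
    """Event recording integrator automaton. delta maps (q, a) to a list of (test, q')
    pairs, where a is a frozenset of true variables (a letter of 2^Pvar) and test is a
    list of (integrator, op, constant, negated) tuples. reset(a) gives the integrators
    reset after reading a; rate(a) maps each integrator to its rate (0 or 1) while the
    automaton dwells in the state entered on a."""

    def __init__(self, q0, finals, integrators, delta, reset, rate):
        self.q0, self.finals, self.integrators = q0, finals, list(integrators)
        self.delta, self.reset, self.rate = delta, reset, rate

    def accepts(self, sigma, tau):
        """Run semantics of Section 4: nu'_i = nu_i + gamma_{i-1} * e_i is tested by phi_i,
        then X_i is reset. Every reachable (state, valuation) pair is kept, so the
        nondeterminism left by projecting away the witness letters is handled."""
        configs = {(self.q0, tuple(Fraction(0) for _ in self.integrators))}
        for i, a in enumerate(sigma):
            dwell = tau[i] - tau[i - 1] if i > 0 else Fraction(0)   # e_i, with e_0 = 0
            gamma = self.rate(sigma[i - 1]) if i > 0 else {}         # gamma_{i-1} = rate(a_{i-1})
            nxt = set()
            for q, nu in configs:
                nu2 = {x: v + dwell * gamma.get(x, 0) for x, v in zip(self.integrators, nu)}
                for test, q2 in self.delta.get((q, a), []):
                    if all(OPS[op](nu2[x], c) != neg for x, op, c, neg in test):
                        reset = self.reset(a)
                        nxt.add((q2, tuple(Fraction(0) if x in reset else nu2[x] for x in self.integrators)))
            configs = nxt
        return any(q in self.finals for q, _ in configs)

def integrator_automaton(dfa_q0, dfa_finals, dfa_delta, constraints, pvar):
    """Steps 4 and 5 of the proof. dfa_delta maps (s, v) -> s' for a total deterministic
    automaton over 2^(Pvar u Lvar); constraints[i] = (L_i, P_i, M_i) with M_i either
    ("ell", op, c) (x_i is a clock) or ("int", Q_i, op, c) (x_i is an integrator).
    A transition on v gets the test {x_i op c | v |= L_i} u {not(x_i op c) | v |/= L_i}
    and its letter is projected to v n Pvar."""
    xs = [f"x{i}" for i in range(len(constraints))]
    delta = {}
    for (s, v), s2 in dfa_delta.items():
        test = [(xs[i], m[-2], m[-1], L not in v) for i, (L, P, m) in enumerate(constraints)]
        delta.setdefault((s, frozenset(v & pvar)), []).append((test, s2))

    def reset(a):                      # reset(v) = {x_j | v |= P_j}
        return {xs[i] for i, (L, P, m) in enumerate(constraints) if P in a}

    def rate(a):                       # clocks run at rate 1; integrators at rate 1 only while Q_j holds
        return {xs[i]: 1 if m[0] == "ell" else int(m[1] in a) for i, (L, P, m) in enumerate(constraints)}

    return ERIA(dfa_q0, dfa_finals, xs, delta, reset, rate)

# Hand-built total deterministic automaton for U(D), D = true ^ (P ~> ell >= 2), over letters
# v subset of {P, L}: it accepts iff the last letter has L and some strictly earlier letter has P.
# (In the paper this untimed automaton is produced by DCVALID.)
PVAR = frozenset({"P"})
DFA_DELTA = {}
for v in (frozenset(), frozenset({"P"}), frozenset({"L"}), frozenset({"P", "L"})):
    for s in ("s0", "s1"):             # no P read at an earlier position yet
        DFA_DELTA[(s, v)] = "s2" if "P" in v else "s1"
    for s in ("s2", "s3", "s4"):       # a P was read at an earlier position
        DFA_DELTA[(s, v)] = "s4" if "L" in v else "s3"

AUT = integrator_automaton("s0", {"s4"}, DFA_DELTA, [("L", "P", ("ell", ">=", 2))], PVAR)

def holds_directly(sigma, tau):
    """theta |= true ^ (P ~> ell >= 2) by Proposition 3.2: at the last position, at least
    2 time units have passed since the last strictly earlier position where P held."""
    n = len(sigma)
    earlier = [i for i in range(n - 1) if "P" in sigma[i]]
    return bool(earlier) and tau[n - 1] - tau[earlier[-1]] >= 2

def behaviour(bits, times):
    """Constructed timed state sequence over Pvar = {P}."""
    return ([frozenset({"P"}) if b else frozenset() for b in bits], [Fraction(t) for t in times])

def automaton_matches_semantics():
    """Compare A''-acceptance with the direct semantics on all P-patterns of length 4
    for three constructed time-stamp vectors (the last one is super-dense)."""
    time_vectors = [(0, 1, 3, 4), (0, 1, 2, "2.5"), (0, 0, 0, 5)]
    return all(AUT.accepts(*behaviour(bits, times)) == holds_directly(*behaviour(bits, times))
               for bits in product((0, 1), repeat=4) for times in time_vectors)
```

The projection of Step 5 makes A'' nondeterministic in the L component of each letter, so accepts() keeps the set of reachable (state, valuation) pairs; since the two tests generated for the same projected letter are complementary, at most one of them survives on any run. The ("int", Q, op, c) branch of integrator_automaton builds the rate function for duration constraints but is not exercised by the sample, which uses a single clock.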
5 Tool IDLVALID
We illustrate the construction of an integrator automaton from an LIDL formula by an example. Consider the formula
$\Box(\lceil \downarrow HCH4 \rceil^0 \frown \lceil \neg HCH4 \rceil \frown \lceil HCH4 \rceil^0 \Rightarrow true \frown (\downarrow HCH4 \leadsto \ell \geq \zeta))$
First, we must replace the located constraints by witness formulae as in Step 2 of the construction (Section 4.1). We obtain a pure QDDC formula. In the above example, we introduce $witness(\downarrow HCH4, L)$ in place of $(\downarrow HCH4 \leadsto \ell \geq \zeta)$.
$\Box(\lceil \downarrow HCH4 \rceil^0 \frown \lceil \neg HCH4 \rceil \frown \lceil HCH4 \rceil^0 \Rightarrow true \frown (\lceil L \rceil^0 \wedge \overleftarrow{\Diamond}(\lceil \downarrow HCH4 \rceil^0 \frown \lceil \neg \downarrow HCH4 \rceil)))$
Next, an (untimed) automaton must be constructed for this formula as in Step 3 of the construction. (See Theorem 2.3 and the following remarks.) We have implemented a tool called DCVALID to do this. A separate report describes this tool in detail [20,19]. It returns the following untimed automaton, where the alphabet of the automaton is a column vector of two bits denoting the values of HCH4 and witness L. Value X denotes don't care (i.e. either 0 or 1 gives the same result). Note that our models are non-empty finite sequences. Hence the initial state is not an accepting state. Also note that the automaton is total and deterministic.
[Figure: the untimed automaton returned by DCVALID, with states 1 to 5; each edge is labelled with a column vector of the values of HCH4 and L, where X stands for don't care.]
Finally, the generated untimed automaton must be transformed to an event recording integrator automaton, as in Steps 4 and 5 of the construction. In our example, as there is only one located constraint, we introduce a single clock y which must be reset whenever $\downarrow HCH4$ holds. Also, a test $y \geq \zeta$ must be performed wherever L = 1 and the test $\neg(y \geq \zeta)$ must be performed wherever L = 0. The transformed automaton is shown below. We have labelled each edge with the value of HCH4 and also shown the tests and resets.
[Figure: the transformed event recording timed automaton, with states 1 to 5; edges are labelled with the value of HCH4, the tests $(y \geq \zeta)?$ and $\neg(y \geq \zeta)?$, and the reset y := 0.]
In this automaton, timed state sequences which lead to states 2, 3 or 4 are models of the formula. Timed state sequences which lead to state 5 are counter-models. Note that the resulting automaton is total and deterministic.
A tool called IDLVALID which fully automates this construction is currently under development. As mentioned, the parts of it for generating untimed automata from QDDC formulae are already automated.
Once a hybrid/timed automaton accepting the models of an LIDL formula D is constructed, the automaton can be analysed. Existing model checking tools such as Hytech [3], Uppaal [5] or Kronos [6] can be used to find out whether a final state is reachable in the constructed automaton. Such reachability establishes the satisfiability of the original formula. Moreover, the constructed automaton can also be run as a synchronous observer in parallel with a system for model checking [21].
6 Discussion
The connection between logics and automata has greatly influenced the applicability of formal methods using model checking tools. In this paper, we have investigated a Duration Calculus like logic which can be model checked using timed/hybrid automata. Duration calculus (DC) is a well-established notation for specifying complex properties of real-time systems, with numerous case studies illustrating its high expressive power. However, it has lacked effective tool support till now.
In this paper, we have defined a variant of DC, called IDL, whose models are timed state sequences. We have identified a subset of IDL, called LIDL, whose formulae can be translated to event-recording integrator automata which precisely recognise the models of the formula. In fact, LIDL has exactly the expressive power of event-recording integrator automata and its further subset LIDL− has exactly the power of event-recording timed automata. Both these subsets are closed under boolean operations including negation.
The reduction from LIDL to timed/hybrid automata is practically important as such automata can be analysed using well-established tools such as Hytech, Uppaal and Kronos. Moreover, the automata can be used as property observers [21] for model checking. We have partially implemented the translation of LIDL formulae to integrator automata in a tool called IDLVALID (see Section 5).
Typical real-time requirements which arise in many DC case studies can be expressed within LIDL−, showing that it is a practically interesting subset. These include boolean combinations of properties such as minimum time separation between two conditions, an upper bound on how long a condition can last, as well as the "arrow" operators of Ravn [27] (see the examples at the end of Section 3). Thus, we believe that LIDL− answers the long-standing quest for a Duration Calculus like logic which is decidable and which can be model checked.
One natural question is whether the change from original Duration Calculus to IDL is really necessary for model checking. The original Duration Calculus formulae have the desirable property of being closed under stuttering, which is not the case for IDL. In spite of this we have used IDL as its models are supported by a well-established theory of timed/hybrid automata which can be analysed using existing tools. It should be noted that the automata theory of original Duration Calculus models (signals [4]) is still evolving and we are not aware of any tools for them. At present, we are investigating a subset of IDL formulae which are stutter-closed. For these formulae, the DC and the IDL semantics will coincide. We believe that most natural DC specifications, including the specification of the mine-pump example, have this property. Thus, the differences between DC and IDL are less important in practice and many of the DC case studies can be easily adapted to IDL.
Related Work
There has been considerable interest in finding subsets of dense-time Duration Calculus which are decidable and model checkable. Some early results appeared in [30]. A class of Duration Calculus formulae called Linear Duration Invariants has been shown to be decidable by Zhou et al. [31]. However, these formulae seem quite different from the properties which can be expressed in LIDL. Also notable are the results of Bouajjani et al. [7] and Fränzle [10] on decidable subsets of Duration Calculus. Unlike our LIDL and LIDL−, neither of these subsets is closed under boolean operations (in particular, negation). In another approach, Dierks et al. translate some important DC formulae into PLC-automata and then translate these into timed automata [8]. Again, closure under boolean operations does not hold. The fact that LIDL can express many Duration Calculus case studies makes it significant. For discrete-time duration calculus, a sub-logic QDDC has been shown to be decidable [20], and based on this a tool called DCVALID has been constructed for model checking SMV, Esterel and Verilog designs [21,22,23].
Some other decidable dense-time temporal logics include the monadic logic of relative distance due to Wilke [28] and the Event Clock Logic (ECL) of Raskin et al. [26]. In comparison, LIDL is an interval temporal logic providing a qualitatively different vocabulary for expressing complex properties (see [18,20]). One consequence of this is that expressing some LIDL− formulae in ECL can necessarily result in a non-elementary blow-up in the size of the formula. ECL can express general liveness properties (e.g. infinitely often P), whereas IDL can only express bounded liveness properties. Another difference is that LIDL− is expressively complete for event-recording timed automata (see Theorem 4.3).
References
[1] Alur, R., and D.L. Dill, Automata for modeling real-time systems, in Proc. 17th ICALP, LNCS 443, Springer-Verlag, 1990.
[2] Alur, R., L. Fix and T.A. Henzinger, A determinizable class of timed automata, in Proc. 6th Conference on Computer-Aided Verification, LNCS 818, Springer-Verlag, 1994.
[3] Alur, R., T.A. Henzinger and P.H. Ho, Automatic Symbolic Verification of Embedded Systems, IEEE Transactions on Software Engineering, 22:181-201, 1996.
[4] Asarin, E., P. Caspi and O. Maler, A Kleene theorem for timed automata, in Proc. 12th Annual IEEE Symposium on Logic in Computer Science (LICS'97), Warsaw, IEEE Computer Society, 1997.
[5] Bengtsson, J., K.G. Larsen, F. Larsson, P. Pettersson and Wang Yi, Uppaal — a Tool Suite for Automatic Verification of Real-Time Systems, in Proc. of Workshop on Verification and Control of Hybrid Systems III, LNCS 1066, Springer-Verlag, 1995.
[6] Bozga, M., C. Daws, O. Maler, A. Olivero, S. Tripakis and S. Yovine, Kronos: A Model Checking Tool for Real-Time Systems, in Proc. 10th Int. Conf. on Computer Aided Verification, LNCS 1427, Springer-Verlag, 1998.
[7] Bouajjani, A., Y. Lakhnech and R. Robbana, From Duration Calculus to Linear Hybrid Automata, in Proc. 7th International Conference on Computer Aided Verification (CAV'95), LNCS 939, Springer-Verlag, 1995.
[8] Dierks, H., A. Fehnker, A. Mader and F. Vaandrager, Operational and Logical Semantics for Polling Real-Time Systems, in Proc. FTRTFT'98, Lyngby, Denmark, (eds.) A.P. Ravn and H. Rischel, LNCS 1486, Springer-Verlag, 1998.
[9] Halpern, J., and Y. Shoham, A propositional modal logic of time intervals, JACM, 38(4), 1991.
[10] Fränzle, M., Model Checking Dense-Time Duration Calculus, in Duration Calculus: A Logical Approach to Real-Time Systems, Workshop proceedings of the 10th European Summer School in Logic, Language and Information (ESSLLI X), Saarbrücken, Germany, 1998.
[11] Hansen, M.R., Model-Checking Duration Calculus, Formal Aspects of Computing, 1994.
[12] Hansen, M.R., and Zhou Chaochen, Duration Calculus: Logical Foundations, Formal Aspects of Computing 9, 1997.
[13] Klarlund, N., A. Møller and M.I. Schwartzbach, MONA implementation secrets, to appear in Proc. CIAA 2000, 2000.
[14] Kesten, Y., A. Pnueli, J. Sifakis and S. Yovine, Integration graphs: A Class of Decidable Hybrid Systems, in Proc. Hybrid Systems, LNCS 736, Springer-Verlag, 1993.
[15] Liu, Z., Specification and verification in the duration calculus, in M. Joseph (ed.), Real-time Systems: Specification, Verification and Analysis, Prentice Hall, 1996.
[16] Liu, Z., A.P. Ravn and X. Li, Compositional inductive verification of duration properties of real-time systems, in Proc. PROCOMET'98, (eds.) D. Gries and W.P. de Roever, Shelter Island, New York, Chapman and Hall, 1998.
[17] Moszkowski, B., A Temporal Logic for Multi-Level Reasoning about Hardware, IEEE Computer, 18(2), 1985.
[18] Pandya, P.K., Weak chop inverses and liveness in mean-value calculus, in Proc. FTRTFT'96, Uppsala, Sweden, LNCS 1135, Springer-Verlag, 1996.
[19] Pandya, P.K., DCVALID User Manual, Tata Institute of Fundamental Research, Bombay, 1997. (Available in revised version at http://www.tcs.tifr.res.in/~pandya/dcvalid.html).
[20] Pandya, P.K., Specifying and Deciding Quantified Discrete-time Duration Calculus Formulae using DCVALID: An Automata Theoretic Approach, in Proc. Workshop on Real-time Tools (RTTOOLS'2001), Aalborg, Denmark, August 2001.
[21] Pandya, P.K., Model checking CTL*[DC], in Proc. TACAS 2001, Genova, Italy, LNCS 2031, Springer-Verlag, 2001.
[22] Pandya, P.K., Model checking CTL[DC] specifications of SMV, Verilog and Esterel Designs, Technical Report TCS-00-PKP-3, Tata Institute of Fundamental Research, September 2000.
[23] Pandya, P.K., The saga of synchronous arbiter: On model checking quantitative timing properties of synchronous programs, in Proc. Workshop on Synchronous Languages, Applications and Programming (SLAP'2002), Grenoble, France (affiliated with ETAPS 2002), Electronic Notes in Theoretical Computer Science, ENTCS 65.5, Elsevier Science B.V., April 2002.
[24] Pandya, P.K., and H.V. Dang, A Duration Calculus of Weakly Monotonic Time, in Proc. FTRTFT'98, Lyngby, Denmark, (eds.) A.P. Ravn and H. Rischel, LNCS 1486, Springer-Verlag, 1998.
[25] Pandya, P.K., Y.S. Ramakrishna and R.K. Shyamasundar, A Compositional Semantics of Esterel in Duration Calculus, in Proc. Second AMAST Workshop on Real-time Systems: Models and Proofs, Bordeaux, June 1995.
[26] Raskin, J., and P.-Y. Schobbens, State clock logic: a decidable real-time logic, in Proc. HART'97, LNCS 1021, Springer-Verlag, 1997.
[27] Ravn, A.P., Design of Real-time Embedded Computing Systems, Department of Computer Science, Technical University of Denmark, 1994.
[28] Wilke, T., Specifying Timed State Sequences in Powerful Decidable Logics and Timed Automata, in Proc. FTRTFT'94, LNCS 863, Springer-Verlag, 1994.
[29] Zhou Chaochen, C.A.R. Hoare and A.P. Ravn, A Calculus of Durations, Information Processing Letters, 40(5), 1991.
[30] Zhou Chaochen, M.R. Hansen and P. Sestoft, Decidability and Undecidability Results for Duration Calculus, in Proc. STACS'93, LNCS 665, Springer-Verlag, 1993.
[31] Zhou Chaochen, Zhang Jingzhong, Yang Lu and Li Xiaoshan, Linear Duration Invariants, in Proc. FTRTFT'94, LNCS 863, Springer-Verlag, 1994.
