Combining specification methods for distributed systems [online] by Huber, Martin
Dissertation
Combining Specication Methods
for Distributed Systems
Martin Huber

Combining Specication Methods
for Distributed Systems
Zur Erlangung des akademischen Grades eines
Doktors der Naturwissenschaften
der Fakult

at f

ur Informatik
der Universit

at Karlsruhe Technische Hochschule
genehmigte
Dissertation
von
Martin Huber
aus Karlsruhe
Tag der m

undlichen Pr

ufung  Mai 			
Gutachter Prof Dr Peter H Schmitt
Prof Hans Rischel

Zusammenfassung
Diese Dissertation fa
t die theoretischen Ergebnisse eines Forschungsprojektes bei Siemens ZT
zusammen das sich zum Ziel gesetzt hat die Anwendung formaler Techniken beim Entwurf
verteilter Systeme zu unterst

utzen
Den Ausgangspunkt der Untersuchungen bildete die Spezikationssprache UNITY die jedoch
um zus

atzliche Sprach und Strukturierungskonzepte erweitert werden mu
te um realistische
industrielle Fallstudien bearbeiten zu k

onnen Die Erweiterungen erlauben die Beschreibung
verteilter Systeme als Menge geeignet instanziierter Module die sowohl synchron

uber Aktionen
als auch asynchron

uber gemeinsame Variablen miteinander kommunizieren k

onnen Die Spe
zikationen k

onnen in einer an UNITY angelehnten Notation aber auch als  Automaten oder
in einer linearen temporalen Logik dargestellt werden
Die Auswahl dieser drei Spezikationsmethoden erfolgte aufgrund ihrer sich erg

anzenden Vortei
le Die textuelle Notation erlaubt es gro
e Spezikationen knapp und intuitiv zu beschreiben
Automaten eignen sich am besten zum Anschlu
 an Simulations und Verikationswerkzeuge
Sind die Automaten endlich so k

onnen Eigenschaften mittels Model Checking nachgewiesen
werden und f

ur

uberschaubare Spezikationen bieten sie zus

atzlich die M

oglichkeit zur Vi
sualisierung Eine Darstellung in Logik erlaubt es sowohl die Spezikationen als auch deren
Eigenschaften in einem einheitlichen Formalismus zu beschreiben
Hauptziel dieser Arbeit ist es formal nachzuweisen da
 diese unterschiedlichen Spezikations
methoden parallel eingesetzt werden k

onnen Hierzu ist zun

achst eine gewisse Vereinheitlichung
notwendig um die elementaren Sprachmittel in allen Methoden unmittelbar ausdr

ucken zu
k

onnen Dies wurde durch geeignete Erweiterungen der einzelnen Methoden erreicht So ist es
etwa m

oglich Umgebungsannahmen direkt in der textuellen Notation zu beschreiben Fairness
f

ur Automaten zu denieren und synchrone Aktionen in der Logik auszudr

ucken Spezikatio
nen in der textuellen Notation lassen sich sowohl in die erweiterten Automaten als auch in die
erweiterte Logik

ubersetzen F

ur beide

Ubersetzungen kann nun nachgewiesen werden da
 sie
das gleiche beobachtbare Verhalten in Form von Traces besitzen
Neben der M

oglichkeit Spezikationen modular und hierarchisch zu beschreiben erwiesen sich
auch eine weitgehende Parametrierung und die Extraktion endlicher Modelle als notwendig um
mit realistischen Beispielen umgehen zu k

onnen Beispielsweise l

a
t sich die Anzahl von Modulen
eines Typs in einem System parametrieren und die Extraktion endlicher Modelle erfolgt direkt
aus der textuellen Notation
Automatisierungssysteme dienen als typisches Beispiel f

ur verteilte Systeme Sie sind aufgebaut
aus der traditionell datenu
orientierten Basisautomatisierung und der ereignisorientierten
Leitebene Anhand einer Fallstudie wird abschlie
end gezeigt da
 sich die vorgeschlagene Spe
zikationssprache gleicherma
en f

ur die Basisautomatisierung und f

ur die Leitebene eignet

Abstract
This thesis summarizes the theoretical results of a research project at Siemens ZT that aimed
at supporting the use of formal methods in the design of distributed systems
The specication language UNITY formed the starting point of the investigations However
UNITY had to be extended with additional language and structuring concepts in order to deal
with realistic industrial case studies These extensions allow the description of distributed sy
stems as set of properly instantiated modules that communicate using both synchronous actions
and shared variables The specications may be represented in a UNITYlike notation but also
as  automata or in linear temporal logic
The choice of these three specication methods resulted from the observation of their supple
menting advantages the textual notation allows the concise and intuitive description of large
systems Automata are best suited for connecting simulation and verication tools If the
automata are nite then properties may be proven using model checking and the automata
may serve as visualization The logical representation enables the user to describe both the
specications and their properties in a uniform formalism
The main goal of the thesis is to formally demonstrate that these specication methods may be
used in parallel In order to reach this goal a standardization proved to be useful in order to
be able to directly express the elementary language constructs in all methods This is achieved
by appropriate extensions for the methods For example it is possible to describe assumptions
concerning the environment directly in the textual notation as well as to express fairness for
automata and synchronous actions in the logic Textual specications can be translated to both
the extended automata and the extended logic Both translations can be proven to result in the
same set of observable behavior in terms of traces
In addition to modular and hierarchical specications two concepts showed to be useful to deal
with realistic examples parameterization and the extraction of nite models directly from the
textual notation
Control systems serve as a typical example for distributed systems They are built up from the
base automation that traditionally is dataoworiented and the eventoriented high level process
control By means of a case study it is nally shown that the proposed specication language
is suited equally for the base automation and the high level process control

Ich hatte das Gl

uck zur Erstellung dieser Arbeit mit einem Doktorandenstipendium der Siemens
AG unterst

utzt zu werden f

ur dessen Gew

ahrung ich Herrn Prof B

uttner meinen herzlichen
Dank aussprechen m

ochte In der Fachabteilung ZT SE  fand ich eine fachlich anregende
Arbeitsumgebung in der ich mich sehr wohl gef

uhlt habe Neben meinen M

unchnern und
Erlangern Kollegen danke ich dabei auch den Gastwissenschaftlern und Werkstudenten die das
Projekt TLT begleitet haben
Den Gutachtern Herrn Prof Schmitt und Herrn Prof Rischel danke ich f

ur das meiner Arbeit
entgegengebrachte Interesse und f

ur die hilfreichen Anregungen
Zu guter Letzt von ganzem Herzen ein K

u
chen f

ur Karla

Contents
 Introduction 
 Motivation                                        
 Project Description and Development                         
 Contribution                                       
 Related Work                                       
 A Note on UML                                     
 Thesis Outline                                      
 Introductory Example 
 The Motor Group Example                               
 Traditional Engineering Process                         
 Engineering in TLT                                   
 Developing Blocks Modules and Systems                       	
 Blocks                                       
 Modules                                      
 Systems                                      
 Logic 
 A Firstorder Logic for Transitions                           	
 Syntax of a Firstorder Logic                          
 Semantics                                     
 A Temporal Logic                                    	
 Automata 
 Boolean Algebras                                     
 Atoms                                       	
 Complete Algebras                                
 Subalgebras                                    

 Homomorphisms                                 
 Tensor Products                                 
 An Algebra of Transitions                            
 Boolean Transition Systems                               	
 Boolean Transition Systems Runs and Traces                 
 A Graphical Notation for Boolean Transition Systems            
 Elimination of strong fairness                          
 Conjunction                                    
 Executable Boolean Transition Systems                    
 Executable Composition Delays                        
 Systems                                      
 Abstraction                                    	
 A Programming Notation 
 Types                                           	
 Parameters                                        	
 Declarations                                        	
 Abbreviations                                       	
 Initial Values                                       	
 Transitions                                        	
 Events                                       	
 Commands                                    		
 Triggered Transitions                              
 Guarded Transitions                               
 Fairness Conditions                               
 Blocks                                           
 Translating Blocks                                
 Some Remarks Concerning Fairness                      
 Abstract Models                                 
 Verication Based on Abstract Models                     
 Modules                                          
	 Layered Systems                                     
 Parameterized Specications                               
 Some Notes Concerning Implementation                        
	 The Fault Tolerant Production Cell 
 Introduction                                        
 A Model of the Production Cell                             
 Modeling Sensors and Actuators                        
 Modeling the Devices                              
 Modeling the Production Cell                          
 The Specication of Controllers                             
 The Supervised Transfer Protocol                       
 The Error Handling Strategy                          	
 The Feedbelt Controller                             
 The Table Controller                               
 The Complete System                              
 Compilation                                        
 Verication                                        
 Conclusion and Further Work 

 Relationship to IEC IEC 		                          
A Technical Details 


Chapter 
Introduction
   Motivation
In the past decade a lot of research was dedicated to distributed systems which emerge in such
distinct areas as for example airline reservation systems avionic systems operating systems
or process control systems All these systems have in common that they consist of a number of
often even physically distributed components that in order to fulll their common task have
to be coordinated and therefore communicate from time to time with each other Typically at
least some part of a distributed system shows some ongoing behavior and mostly distributed
systems are nondeterministic either because the systems themselves are nondeterministic or
because they have to react to the inputs of some more or less unknown environment These
two aspects the necessity of interaction and the consideration of innite and nondeterministic
behavior make the specication and realization even of small distributed systems a challenging
and often enough errorprone task
On the other hand many distributed systems are used in safety critical areas where the cost of
a failure may be immense Thus much eort is spent to assure a high reliability Traditionally
this is done in late development phases by reviewing or testing the executable code However
in recent years these methods were more and more considered both insucient and inecient
that is expensive At the same time the emergence of ecient data structures and algorithms
for examing in a rigorous way mathematical models of such systems as well as the emergence of
temporal logics to describe properties of these systems intuitively but also mathematically exact
raised hopes of applying these socalled formal methods to industrial size distributed systems
Formal methods seemingly t better to the specication of systems in early design phases because
less details in the description of the system have to be considered but also because in later design
phases the description of the original system intertwines with implementation details As a
consequence for a formal analysis in later design phases both the system and the programming
language it is described in or even worse the hardware it is supposed to be executed on have to
be modeled Thus rather naturally formal specication and verication of systems complements
traditional reviewing and testing of code
This thesis deals mainly with such a kind of formal specication of distributed systems As
formal specication or specication for short any description of a distributed system will be
considered that has some welldened semantics in terms of a set of observable ongoing behavior
Also dealt but of minor concern are the verication and the realization of distributed systems
The main focus hereby is on socalled reactive embedded systems that react to are embedded

in an environment that is at least partially unspecied and in worst case can issue any allowed
input at any time
In this thesis as well as in most other formalisms there is a distinction between a system
description or programming language and a property language with the tendency of the
system description language being more operational and the property language being more
descriptive Nevertheless both languages are tied together closely due to the fact that both a
system and a property manifest themselves in a set of observable behavior In fact a specication
viewed as a set of behavior may be equally considered a description of a system itself or a
description of a property of that system Therefore in the sequel I use the term specication
language to include both a system description language and a property language
In order to deal with large distributed systems a specication language should
 be comfortable but not too complex
 be compositional
 support dierent abstraction levels
 oer tool support
The rst item is guaranteed in the approach advocated in this thesis by using a small but
powerful set of basic concepts
 specications are structured hierarchically in three levels namely blocks modules
and systems comparable to the hierarchy functionsprocedures processes and sy
stems found in operating systems
 there are two concepts for communication shared variables and actions the latter
being used for synchronous communication
 there are two concepts for describing transitions by distinguishing which transitions
must be executed and which ones may be executed
 innite behavior may be inuenced only by weak and strong fairness conditions
and
 restrictions on the environment are explicitly stated in the specications as assump
tions
The second item that is the demand for compositionality may be found as a requirement
in nearly every paper on the specication of distributed systems Unfortunately there are
many dierent notions of compositionality In this thesis a specication language is called
compositional if welldened units of a specication are fully abstract  that is if they have
the same semantics meaning in any context they may occur in The important thing here
is that some fully abstract block or module may be understood but also specied rened
and veried completely standalone More formally there is a function Traces that for
each such unit U of some specication uniquely determines TracesU the set of observables
behavior of U  If two units U
 
and U

get composed noted by U
 
U

 then by denition of 
it is guaranteed that the set of observable behavior corresponding to the composition is simply
the intersection of the two sets of observable behavior corresponding to the components that
is TracesU
 
U

  TracesU
 
   TracesU

 Furthermore the composition is only dened
if the existence of at least one overall behavior is guaranteed that is TracesU
 
U

   by
construction This is achieved mainly by assumption commitment reasoning
Thirdly the specication language should allow to write both very abstract specications with
many details left out or specied nondeterministically but as well specications that are detailed
enough to be compiled to some executable program This frees the user of learning a variety of
dierent languages and is the foundation for applying a uniform renement method all over the
development process Indeed this uniform renement relation between specications S and T is
simply the set inclusion relation on the sets of observable behavior that is T renes S if and only
if TracesT   TracesS expressing that every observable behavior of T is contained in and
thus is described by the set of observable behavior of S Vice versa in this situation S is called
an abstraction of T  Note again that it does not matter whether S and T both are properties
or both describe systems or some mixed situation arises It is typical that in early development
stages both S and T are properties whereas in later development phases at least T describes
a system in some programming notation Yet another situation occurs if some property P has
to be shown for some given system description S and S turns out to be too big or can not
at all be nitely represented In this situation one looks for some nite representation T such
that by construction TracesS  TracesT  and furthermore TracesT   TracesP  can be
proven by some decision procedure
Tool support useful for specifying large distributed systems includes editors organization tools
for documentation and version control simulation and verication tools Although the tool box
may contain both automata and logic based verication tools for the user of these tools both
the programming notation and the property language should be uniform
  Project Description and Development
This thesis was developed at the research department ZT SE  of Siemens at Munich The
main focus of ZT SE  is the support of the engineering process within Siemens This support
consists of applying modern simulation verication optimization code generation and synthesis
techniques to industrial problems Many examples deal with distributed and reactive systems
like for example communication systems or train control systems
To formally specify these various distributed systems the TLT project started in 		 by ana
lyzing UNITY as introduced in CM  UNITY consists of a programming notation and a
simple yet expressive logic to reason about the programs as well as a renement methodology
for stepwise development of distributed systems The main drawbacks of the original UNITY
approach are that it is not really compositional see San	 or UK	 and there is no means
to directly express synchronization My own focus at that time was renement in Hub	 I
formalized some renement relations methodology for a UNITYlike language that for nite
state programs could be checked automatically by model checking techniques
UNITY specications are not structured in fully abstract units This complicates the handling
especially for larger examples This lead us to considering interfaces of specications a concept
wellknown by software engineers see AG	 The interfaces should hold all relevant infor
mation about any admissible environment of the specication One such information dened
in an interface is the environment class of variables that determines for example whether a
module has write access for a variable Under the guidance of project leader Jorge Cuellar a
rst comprehensive language denition for TLT emerged that in essence extended UNITY by
interfaces Gerd Gouverneur Dieter Barnard and I translated specications of this language to
an automata format coded as binary decision diagrams as introduced in Bry and Bry	
that could be interpreted stepwise executed and veried using the decision procedures of Tho
mas Filkorns model checking tool SVE see FSS

	 Some verication is done implicitly
as for example checking whether there is some legal next state for every guarded command
Additional properties can explicitly be stated in a UNITYlike logic see Hub	
In 		 Holger Busch with a strong background in higher order theorem proving joined the
group and at the same time we started some joined work with Stephan Merz who just nished a
year of work with Lesli Lamport on TLA This lead to a second line of tools by translating TLT
specications to TLA see Mer	 for which Holger Busch implemented a shallow embedding
in the higher order logic theorem prover Lambda see Bus	 and Bus	 At around the
same time Jorge Cuellar Dieter Barnard and I worked on synchronization which we wanted to
include into the language as a means to write more abstract specications After comparing the
synchronization concepts of CCS see Mil	  IOautomata for an introduction see LT	
and in the SR model of Kurshan see Kur	 we decided to use directed actions as a
synchronization concept in the programming notation whereas in the logic and automatabased
translations synchronization is not directed
Together with two students Christine R

ockl and Dagmar Pr

oll I implemented a compiler for
TLT that compiles TLT systems to distributed Cprograms using the MPI message passing
interface library MPI also allows to visualize the execution of the resulting Cprograms see
CHB	b
In Bar	 Dieter Barnard presents a version of TLT specialized on clientserver systems Fur
ther he describes the tools mentioned above
TLT is a research project whose goal it is to support development projects As a main focus
of our department is on reactive process control systems TLT has been applied to several of
these systems see CWB	 CH	 CW	 Technology transfer further took place to extend
the CSL language for Control Specication Language to also deal with distributed systems
resulting in the language denition of DCSL for Distributed Control Specication Language
Besides TLT has been applied to distributed train control systems an ATM signalling protocol
see BC	 and to the RPCmemory specication problem of Manfred Broy and Lesli Lamport
see CHB	a
  Contribution
Summarized the TLT project has arrived at a situation where specications arise in three
dierent views or representations
 A textual operational one suited for example for some compiler but also the most com
fortable readable representation for the developer
 A logical one suited to reason about the specications in some logical calculus by hand or
with assistance of a theorem prover The same logic is further used to express properties
of specications
 An automata based one in form of a transition system labeled by elements of a Boolean
algebra of appropriate FOL predicates suited best for decision procedures like model
checking
To be able to safely mix these representations they have to be proved equivalent which is the
main concern of this thesis
The unication of the logical and the automata based view will be done by comparing the sets
of traces the sequences of observable behavior of both views and show them to be equal For
the operational representation one might dene a structural operational semantics and map
congurations to traces Instead the textual representation is considered as given and is used
to extract in essence a transition relation that forms the core of both the logical and automata
based representation used by the tools see Figure  Being freed of syntactic sugar the two
intermediate representation in logic or as automata are suited to be handled by tools and
for formalizing general theorems or methods dealing with specications Some translation back
from the at logical or automata based view to the more structured textual representation
is not considered anyway it would be quite cumbersome to obtain readable results
text
logical formulas
transition systems
traces
user level
tool/theory level
semantical level
properties as logical formulas
+
properties as logical formulas
+
Figure  The connection between the dierent views of a specication
In this thesis I allow both communication based on shared variables and communication based
on actions and I show that the traces of the automatabased models of a specication agree with
the traces of temporal logic formulas corresponding to that specication By this and by the fact
that there is only one common notion of composition namely trace intersection it is guaranteed
that tools from the two dierent worlds can be safely used together in the verication of one
system In the more academic literature it is often argued that one communication mechanism is
enough as other ones can be mimiced more or less smoothly This way formalisms like UNITY
and TLA only shared variables or CCS and IOautomata only synchronization are kept
elegant However in my view many specications are much more natural and also more concise
if both shared variables and actions may be used directly Thus on this point I spent some
additional eort on the language denition in favor of the conciseness of the specications to be
noted in that language
In order to realize a more direct correspondence between the programming notation and the
temporal logic I include actions representing synchronous channels into rstorder logic and
into linear time temporal logic presented in Chapter  Although only minor changes to the
logics have to be made such an extension to my knowledge has not been considered prior to
TLT
In Chapter  Boolean transition systems are introduced As acceptance conditions I mainly
use fairness conditions Further I present a construction which mechanically transforms Boolean
transition systems with strong fairness conditions to Boolean transition systems with only weak
fairness conditions The use of this construction is twofold the weak fairness conditions result
in faster decision procedures and weak fairness conditions may be expressed as B

uchiconditions
that are compositional From IOautomata see LT	 I employ the notion of input enab
ledness but at the same time I introduce delays as a new less restrictive concept that also allows
nonblocking synchronous composition
When talking to engineers it is often dicult to extract a useful set of properties that guarantee
important properties of a system In this thesis I present consistency criteria that are strong
enough to guarantee for example freedom of deadlock but also that there is an implementation
a model of the system
Inspired by HL	 I also deal with abstract Boolean transition systems As a good rst guess
I present a construction that extracts the control information from the textual representation
and uses this information to build a nite state Boolean transition system
Some of the material of this thesis has been presented before Not published previously are
 a version of TLT that allows to mix guarded and triggered transitions within one
block see Section 
 the notion of delays see sections  and 
 the extraction of symbolic Boolean transition systems from the text see Section

 the algorithm to replace strong fairness conditions see Section   and
 any of the proofs
  Related Work
A huge variety of specication languages for distributed systems emerged over the past decades
For a more complete overview the reader is referred to Ber	 In the sequel I only consider
the languages that inuenced this thesis
UNITY  as introduced by Chandy and Jayadev Misra in CM consists of a programming
notation and a linear temporal logic used both for expressing abstract specications and for
reasoning about programs UNITY programs consist of a static nite set of statements that
may change the values of a set of program variables by means of socalled multiple assignments
This means that all assignments of one statement are executed simultaneously An execution of
a program starts in some specied initial state and thereafter continues to choose and execute
statements The choice of the next statement is arbitrary besides the fairness rule that each
statement is chosen innitely often
Besides the common unless and leadsto operators the UNITY logic further contains ensures
an operator that is directly linked to a program statement This often called helpful statement
makes sure that the progress expressed by the ensuresproperty actually occurs In CH	 and
Kal	 this idea is extended to chains of helpful statements in CH	 chains of sets of helpful
statements and thereby represents a kind of guided leadsto
UNITY is so appealing mainly because there is nothing more to be said about its fundamental
language constructs Nevertheless it is commonly accepted that UNITY lacks further structure
for example UNITY has no notion of hiding and some eort was spent to add local variables
see UHK	 compositional logic operators see San	 or relyguaranteestyle reasoning
see CK	
Recently Jayadev Misra introduced Seuss a language that structures specications in boxes
that contain total procedures for the transformational aspects of a specication and partial
procedures for reactive aspects The only communication mechanism of Seuss is procedure call
This makes it possible to understand a program execution as a single thread of control despite
possible concurrent implementations see Mis	
TLA the temporal logic of actions see Lam	a does not distinguish between a program
notation and a property language Instead TLA specications consist solely of specialized
linear temporal formulas One big advantage of this approach is that composition thereby is
reduced to conjunction The foundation of these formulas are socalled actions These are rst
order logic formulas referring to a set of program variables as well as to primed copies of those
variables The primed variables are used for the values of the corresponding program variable in
the next step of an ongoing behavior For example x
 
 x  y
 
 y indicates that x and
y are increased by one what would be noted x y  x   y   in UNITY Using predicates
allows specifying arbitrary relations like x
 
 x with the intended meaning that x is increased
by some unspecied positive value
Lamport advocates using a special notation of a linear temporal logic based on actions the
always operator and weak and strong fairness Using this notation facilitates to denote so
called stutter invariant formulasThis allows a powerful renement methodology whose basics
may be found in AL In TLA renement is expressed in essence by simple implication For
example  

a
! means that specication  renes specication ! or more formally that
for every behavior fullling  one may nd sequences of values for the abstract variables a such
that ! is fullled The high expressiveness of this renement construct is due to the existential
quantication over behavior
As in the case of UNITY lacking structuring facilities were added subsequently see Lam	b
The Calculus of Communicating Systems or CCS for short was introduced by Robin Milner in
Mil and slightly revised in Mil	 In CCS specications are given as algebraic expressions
For example aE denotes a process that takes part in an action a and thereafter behaves like
process E In CCS an action a may happen simultaneously with the action "a of another process
resulting in the composed system in the unobservable internal  action CCS specications may
be represented as labeled transition systems and they may be given a trace semantics However
with respect to this trace semantics CCS is not compositional since the traces do not adequately
represent deadlock situations of a system
From CCS TLT only incorporates the idea of synchronous communication that is also central to
the synchronous languages Esterel Lustre and Signal developed at INRIA see BB	 Hal	
IOautomata are statemachines with state transitions labeled by actions that are classied as
either input output or internal actions As in CCS the visible that is input and output
actions are used for synchronization In contrast to CCS or CSP Communicating Sequential
Processes see Hoa every automaton must accept any of its input actions at any time If
systems are composed of several automata then each action is declared at most once as an
output action Thus all but at most one component are passive recipients of any action As
a consequence a system composed of several IOautomata may never deadlock Furthermore
this has the advantage that in contrast to CCS or CSPthe trace semantics of IOsystems is
compositional Another dierence to CCS is that matching pairs of output and input actions are
not hidden in the composed system but still are considered to be output actions As in TLA
fairness is used to restrict the innite behavior For describing transitions a simple textual
schema is used splitting transitions in their precondition and their eects respectively
In the SR model SR stands for selectionresolution as presented in GK or Kur	
processes are described as labeled transition systems A shared memory serves as synchronization
means Each process may read any shared variable but has write access only to a subset of the
shared variables called its selection variables The sets of selection variables are distinct for each
process A computation step now consists of a selection phase followed by a resolution phase In
the selection phase all processes nondeterministically choose depending on their current local
state values for their selection variables Hereby the set of possible values is given as a predicate
labeling each local state The global selection made up of the selections of all processes is called
the resolution of the system Depending on the resolution each process determines one enabled
transition that is a transition whose label again given as a predicate over all shared variables
is consistent with the global selection In CGS	 it is shown that the labeling of the local states
with a selection may be omitted The resulting structure is called Boolean transition system
and formed the basis for the Boolean transition systems used in this thesis In essence I added
stuttering and fairness to the approach of CGS	
Through cooperative work TLT further was inuenced by the ideas of Egon Boerger Hans
Rischel and Catalin Roman advocating abstract state machines
 
see Gur	 duration calculus
see RCM

	 and Swarm see RC	 respectively It can also be related to the functional
approach of Bro	 even though this relation is somewhat cumbersome Mer	
  A Note on UML
Since the release of version  in September 		 see Rat	a the Unied Modeling Language
UML has quickly become a standard specication language Although UML has not inuenced
the development of TLT it is now briey compared to TLT
UML allows the modeling of distributed systems using dierent kinds of graphical notations
For example class diagrams and object diagrams are used to model in an objectoriented way
the static relationship between classes and objects respectively The dynamic aspects can be
specied using state sequence collaboration and activity diagrams Furthermore there are use
case component and deployment diagrams
None of the diagrams in UML is intended to capture the complete system Instead the numerous
diagrams illustrate dierent aspects of the system under investigation In general there is no
code generation for the dynamic aspects of the system Currently simulation and verication
are still impeded by the fact that none of the diagrams has a formal semantics in Rat	b the
semantics of the diagrams is given in plain text
TLT on the other hand is intended to specify the whole visible behavior of a system within one
framework This is possible because in TLT the only associations between the objects of a
system are given by the communication mechanisms of TLT The multiplicity of associations
is reected in TLT by allowing vectors of variables actions and modules In this sense the
modules in TLT correspond to classes in UML and a system description in TLT corresponds to
an object diagram However the modules named in a TLT system description are not restricted
to static aspects but also represent a dynamic behavior that due to the formal semantics of
TLT often can be simulated veried and implemented
Using a standard specication language has a lot of advantages regarding user acceptance and
tool support Therefore it is a current research activity at ZT SE  to adapt UML for control
systems
 
Formerly abstract state machines were called evolving algebras
  Thesis Outline
The introductory example presented in Chapter  introduces the main features of the TLT
specication language and its methodology This introduction provides enough information to
follow the case study in Chapter  Besides it is helpful to keep track of the more theoretical
chapters that follow
The following two chapters present the adapted versions of two theories widely used as models of
concurrent systems The rst one linear temporal logic is suited to describe both concurrent
systems and their properties This allows deriving properties of systems in one homogeneous
calculus The second one Boolean transition systems BTS generalizes labeled transition
systems and is suited for applying decision procedures at least given some nite state space
The aim is to allow the use of both theories within the verication of one system in a consistent
way The glue combining both models are traces Traces are sequences of visible states and
actions dened either based on the allowed paths through a BTS or as the models fullling a
temporal logic formula
In Chapter  a programming notation for TLT is dened together with the translations to
temporal logic formulas and Boolean transition systems It is shown that both translations
result in the same set of traces Consistency criteria are given that guarantee that there is
at least one trace fullling the specication Furthermore nite abstract Boolean transition
systems are dened and their relation to the exact concrete models is examined
In Chapter  the theory is applied to the case study Fault Tolerant Production Cell dened
by the BMBF project KorSys

Chapter 
Introductory Example
The example presented in this section describes a situation that frequently arises in control
systems a group of motors has to be started and stopped in predened orders On the basis
of this example the main concepts of TLT are introduced to guide the reader in the more
theoretical chapters that follow
The rst section in this chapter introduces the example and briey analyses the traditional
engineering process The following two sections then deal with the engineering process in TLT
and the development of modules in TLT
  The Motor Group Example
A typical control system at least consists of a process to be controlled a controller and an opera
tor station see Figure  The controller reads sensor values calculates some control function
and writes the actuator values accordingly Often the controller runs on specialized hardwa
re like programmable logic controllers PLC The controller also noties the operator about
important changes in the process Vice versa the operator can inuence the process by notify
ing the controller The controller transforms the commands of the operator into appropriate
actuator values
The process in the motor group example consists of a row of very simple motors The control
task simply requires the motors to be started one after the other and to be stopped in reverse
order Both operations are initiated by the operator who in turn receives notications about
success or failure Furthermore it is assumed that some unspecied error may occur any time in
the process The occurrence of this error as well as a StopGroupcommand from the operator
station immediately cause the controller to stop the motors even if a starting operation is not
yet nished
In the sequel the main focus is on the controller
  Traditional Engineering Process
In the eld of control systems it is common to separate the development of basic building blocks
from the engineering process for a concrete plant
Operator Station
Programmable Logic Controller
MMM
Process
Alarms and Events
Actuators and Sensors
Figure  A simple control system
The basic building blocks represent specialized control functions Some of these blocks may
be delivered in standard libraries shipped with the process control system whereas others are
developed specically for an application area In the dominant standard IEC  see tcN	
these basic blocks are called function blocks Function blocks have a uniform and well dened
static interface whereas the behavior can be written in any of the IEC programming languages
instruction list ladder diagrams function block diagrams sequential function charts and struc
tured text The rst three of these languages are the traditional languages whereas the latter
two allow for example to easily specify the control ow of a program
The engineering for a plant is then done graphically by instantiating and connecting the function
blocks as shown in the continuous function chart in Figure 
The continuous function chart is built up by two instances of a function block called Motor
The coordination is done by the function block GroupCtr  Finally there is a function block
StopCondition that detects lock conditions The connections between the function blocks
mark the data ow In the example some of the inputs and outputs are connected directly
to the process input and output given as hardware addresses In addition the user has to
determine the sequence in which the function blocks get executed Furthermore a mapping
to the operator station and higher level process control systems has to be realized by setting
attributes for the inputs and outputs of the function blocks The programmable logic controller
then cyclically reads the process inputs and operator commands executes the program in the
specied order and writes the process outputs and operator notications
Although this stateoftheart style of engineering process is much more comfortable than the
pure instruction list and ladder diagram solutions used traditionally it still has several decien
cies
 Application domain
Continuous function charts are usually restricted to the level of the programmable logic
controllers Todays higher level control systems like batch control systems typically run
on PCs and are programmed separately using dierent languages and concepts
 Generic designs
Reuse is hindered by insucient support for generic designs adding a third motor in the
Figure  A continuous function charts for the motor group example
example would require the user to program a new group controller simply because this
function block needs more inputs and outputs
 Clearness and safety
For larger examples the graphs lack conciseness Even for small plants there are hundreds
of charts with thousands of function blocks and connections The function blocks may be
connected almost arbitrarily because there is only a static type checking Furthermore
the usefulness of the type checking is limited by the fact that more than two thirds of all
variables are usually of Boolean type
 Abstraction
Continuous function charts are not intended and not suited for high level designs For
example there is no notion of renement that would be necessary to describe systems at
dierent levels of abstraction
 Eciency
Sometimes it is dicult to make the control programs ecient in the example there is
no need to execute the group controller in each cycle Instead it would be sucient to
trigger the controller only if one of its inputs changes its value Because eciency often is
crucial such situations are dealt by introducing further execution models based on alarms
timers and interrupts all executing in parallel to the cyclic execution order described above
However this further complicates the programs and the testing
 Engineering in TLT
Although never realized it would also be possible to use a graphical tool in TLT to describe the
system level of a specication see Figure  The main dierence to the continuous function
chart is that the TLT specication is not necessarily restricted to the control layer In general
there are also modules modeling the operator station a batch control system or the process A
second important dierence concerns the data ow In TLT data ow is based on both shared
variables shown as dashed lines and synchronous actions represented by solid lines For
clarity the data types are omitted in the gure Finally in contrast to the solution presented
before the controller module is generic By simply choosing a value for the parameter nbMotors
the interface and the behavior of the module can be adjusted to deal with any number of motor
modules
Motor
Start
Stop
StartAck
StopAck
v motor
Motor
Start
Stop
StartAck
StopAck
v motor
GroupCtr
StopGroup
StartGroup
StopGroupAck
StartGroupAck
nbMotors = 2
StopAck[2]
StartAck[1]
Stop[2]
Start[1]
StopCondition
error
OS_StopGroup
StopGroupAck
StopGroup
OS_StopGroupAck
Process
Operator Station
Stop[1]
Start[2]
StopAck[1]
StartAck[2]
AutoStop
Figure  On the system level the user instantiates and connects modules
The following textual description is equivalent to the graphical one presented in Figure 
System MotorGroup
Parameters
MotorNo  Natural  
Layer 
Include Module StopCondition
Include Module GroupCtr
nbMotors   MotorNo
Include h m  MotorNo i Module Motor
 Start   Startm StartAck   StartAckm
Stop   Stopm StopAck   StopAckm
v   vm motor   motorm
End
In the textual description it is no eort at all to change the number of motors One only has
to change the parameter MotorNo There is no need to draw any connections because these
are generated automatically by identifying variable and action names Therefore any identiers
occurring in a module can be renamed when the module gets instantiated in a system In the
example some parameter nbMotors of the controller module gets renamed to MotorNo Besides
the string m is appended to the variable and action identiers
 
of any included motor module
After the renaming has been carried out the motor module is instantiated jMotorNoj times with
m taking values from the integer interval MotorNo Altogether this results in variable names
like v and action names like Start
In this example all modules are part of one layer In general system descriptions can consist of
several layers that alternate with Propertysections In these Propertysections one may describe
properties that are guaranteed by the lower layers and on whom the upper layers may rely
A Propertysection for the motor group example is presented at the end of this chapter after
having introduced temporal logic as the language of choice to specify the properties
This section closes with a sequence diagram that describes one possible intended behavior of a
system with two motors see Figure 
The notes in the diagram show the conditions that must hold to cause an action as well as the
side eects that actions cause in the process For example a Startcommand causes the rst
motor module to set the variable motor that is connected to the physical motor

Likewise
the module can only acknowledge the Startcommand if the velocity of the corresponding motor
as represented by the variable v diers from 
 Developing Blocks Modules and Systems
In the sequel the main features of the language are introduced bottom up starting with blocks
 
By convention action identiers start with capital letters whereas variable identiers start with lowercase
letters

As in B Z or TLA the prime is used to indicate the value of a variable after a transition took place
:OperatorStation :StopCondition :GroupCtr :Motor :Motor
StartGroup
Start[1]
StartAck[1](ok)
Start[2]
StopGroup
v[1] = 0
error
Stop[2]
StopAck[2](ok) /\ StartAck[2](ko)
Stop[1]
StopAck[1](ok)StopGroupAck(ok)
AutoStop
StartGroupAck(ko)
motor[1] '
motor[2] '
  motor[2] '
v[2] = 0
  motor[1] '
v[1] = 0
Figure  The sequence diagram shows the behavior of the system if some error occurs in the
process while the motors are getting started Due to that error the motors get turned o in
reverse order
  Blocks
In TLT it is possible to further structure modules into blocks A block is the smallest unit that
may be given a semantics Blocks control or own a set of variables and actions no other
block or module is allowed to change and emit respectively For variables this means that at
most one block has write access for actions this means that at most one block can initiate them
not controlled by any block of a given module are Read variables and In actions see below
Blocks used to specify a communication protocol often fulll some syntactic restrictions that
allow to use an exact mirrorblock for the communication partner Such blocks are called
interfaces and inverting such an interface means that all incoming actions become outgoing
actions and vice versa An inverted interface describes exactly the same behavior as the original
interface Therefore the composition of the two is trivially nonblocking
Taking a look at the sequence diagram in Figure  it becomes obvious that all commands
like Start or StopGroup are intended to get acknowledged This observation justies the
introduction of an interface that describes a simple protocol where an incoming Cmd action and
an outgoing CmdAck action alternate starting with a command
The textual representation of this protocol reads as follows
Interface Acknowledge
Declarations
Variables
History pending  Boolean
Actions
In Cmd  	

Out CmdAck  f ok ko g
Initially pending
Transitions
tr fpendingg Cmd   pending
 
tr fpendingg CmdAck   pending
 
End
The textual view of a block starts with the keyword Block or Interface followed by the name of the
block The next sections for declaring types parameters and abbreviations are not necessary for
the example and thus omitted here Then follows a set of declarations of variables and actions
Besides their domain variables and actions are given an environment class Write variables
belong to the module which declares them# they are visible to the environment but they may
not be modied by it Read variables are imported from the environment# their values can be
read but not modied locally History variables record the history of visible events between a
module and its environment Furthermore there are Spec specication variables that are not
part of the state space of modules# they are used to dene constants as well as to parameterize
transitions Local variables nally completely belong to a module# they are not visible and
therefore they may neither be read nor changed by the environment Within one module any
block may read any variable whereas only one block has write access to a variable that may be
changed by the module This block is said to control the variable
Actions are used in CCSstyle see Mil	 that is matching visible actions allow for syn
chronous communication among modules Visible actions are therefore declared as In or Out
depending on whether they are under the control of the environment or the given module So
called Internal actions may be used to synchronize the blocks within one module They are not
visible to the environment Again all blocks of a module see and may react to any action
but at most one block may issue an Internal or an Out action This block is said to control
the action Whereas variables always hold some value actions only occur occasionally Whe
never an action occurs a value is communicated instantaneously according to the domain of the
action
The declaration of a variable or action with name Identier is denoted according to the schema
Env Class Identier  Domain
where Env Class and Domain determine the environment class and domain of the variable or
action Domains may be for example Boolean integer real as well as sets arrays or lists
One special domain called unit indicates actions that carry no value These actions are called
signals and thus merely serve for synchronization
In the example it is assumed that the interface is responsible for handling one particular com
mand Thus the command can be modeled by a signal that is an action that provides no
value passing The CmdAck action can take either value of the set f ok ko g To describe
this protocol one Boolean valued history variable pending is sucient pending is true if and
only if a command is pending that is if and only if a command already has been issued but the
corresponding acknowledgement has not yet occurred
The variables that are controlled by a block are given some initial values in the Initially section
The initial values are determined by a predicate like for example   x  x    Controlled
variables not occurring in the initial section may assume arbitrary initial values from their
respective domain
The core of a block is the Transitions section describing operationally the next step relation
Two kinds of transitions are distinguished
 Guarded transitions   g 	 cmd
These are essentially Dijkstras guarded commands if guard g is true enabled then the
command cmd may be executed By cmd controlled variables are updated or controlled
that is Out actions are executed  is used as separator# for reference purposes the
transition may have a label for example gt g 	 cmd
 Triggered transitions   facg ev cmd
The semantics of triggered transitions may informally be characterized as follows whene
ver event ev occurs then the command cmd must be executed An event is an observable
transition either controlled by the module itself or by its environment In this thesis all
events are Boolean combinations of actions The optional assumption ac may constrain
the occurrence of the event Such assumptions result in proof obligations that have to
be checked when blocks get composed to modules and when modules get composed to
systems
Interfaces contain only triggered transitions In the example the transitions state that the
history variable pending becomes true whenever a command occurs tr and false whenever
the command gets acknowledged tr	 This is indicated by the prime symbol
 
 More formally
the primed occurrence of a variable represents its value in the next state p and p
 
are used as
shorthand instead of p  true and p
 
 true for Boolean valued variables
Obviously the desired protocol of alternating Cmd and CmdAck actions can be achieved by al
ternating execution of the two transitions starting with the rst Problems arise however when
the environment does not stick to the protocol Suppose the environment does not wait for the
CmdAck but sends two successive Cmd actions resulting in two successive executions of the rst
transition Even worse both the command and the corresponding acknowledgement could occur
simultaneously which would result in a contradiction Thus the question whether the protocol is
followed is not local and can only be decided by the knowledge of the calling module To avoid
such global reasoning TLT allows to note assumptions about the environment With help of
History variables this can be done in arbitrary detail and results in an abstract representation of
the environment In the example the assumptions restrict the occurrence of the command to
states where pending is false whereas the acknowledgement may only occur whenever pending is
true These assumptions become proof obligations when the block gets composed and must be
guaranteed by the blocks controlling the command and the acknowledgement The advantage is
however that these proof obligations can be generated and checked automatically in the sense
that it is syntactically determined and independent of the concrete environment
The Transition Relation
To extract the transition relation rst consider transition tr The informal meaning if a
command occurs then the history variable pending is set gets translated to the rst order
predicate
a Cmd  pending
 
That is the occurrence of Cmd implies that the state of pending becomes true
Due to the assumption a call only occurs in state 
pending
b Cmd  
pending
Together what must happen is formalized by
 Cmd  
pending  pending
 
Similarly for the second translation one obtains
a CmdAck  
pending
 
without considering the assumption and
 CmdAck  pending  
pending
 
as the complete translation Here CmdAck abbreviates 
c
CmdAckc which formally may be
read CmdAck occurs and there is some value transmitted That is an action with value
passing is abbreviated as if it was a signal without valuepassing As the exact value that is
transmitted often is irrelevant this convention will be used throughout the thesis
In a second step all possible changes of the sole controlled variable pending are determined Due
to the fact that no other module may change the value of pending the transition relation for
pending is
 pendingpending
 
 Cmd  CmdAck
that is if pending changes its value then this is due to the events Cmd or CmdAck
Now two transition relations may be formulated The rst expresses what is known for sure
ie without relying on the assumptions the second one assumes these assumptions to hold

ac
Acknowledge
def
 a  a  
Acknowledge
def
     
In many other specication languages like UNITY transitions are executed interleaved and
the transition relation of a program is built up of the transition relations of individual transi
tions typically combined by means of a program counter In contrast the transition relation
 introduced above might be called datadriven It allows for the simultaneous execution of
several transitions given they do not contradict
Temporal Logic Traces and Fairness
Taking into account that the initially predicate specifying the initial values of the variables is
simply 
pending two temporal formulas describing the protocol are
 
ac
Acknowledge
def
 
 pending   
ac
Acknowledge and
 Acknowledge
def
 
 pending   Acknowledge
where  has to be read always in every step
Temporal formulas will be interpreted over innite sequences of valuations called traces A
valuation maps variable identiers to values of appropriate type and actions to either the value
transmitted or to  with the intended meaning that the action does not occur For signals
p
denotes their occurrence
Noting alternately the values of the variables and actions according to the schema
 
value of pending

 

value of Cmd
value of CmdAck

A

 
value of pending

 

value of Cmd
value of CmdAck

A
      
the sequence
 
false

 

p


A

 
true

 




A

 
true

 


ok

A

 
false

 

p


A

 
true

     
is an initial segment of a trace of  Acknowledge This trace is said to be a model of
 Acknowledge and vice versa  Acknowledge is said to hold on that trace
Instead of interpreting a trace




	

 

 
	
  
as alternating the values 
i
of the varia
bles and values 	
i
of actions one can understand a trace also as sequence of triples

i

i
	

i 

The ith triple then represents the ith evaluation of the transition predicate  which will be
referred to as the ith step taken by the block Thus 
i
is the valuation of the unprimed variables
occurring in  the valuation of the variables before the ith step 
i
the valuation of the
primed variables the values after the ith step and 	
i
the valuation of the actions their
values during the ith step A special role play the stutter steps


	 
 where  is the
valuation assigning  to all actions Stutter steps trivially are a model of the transition relation
 As a consequence a sequence of stutter steps


	 

	    
such that  satises
the initial predicate is a trace of  
On the trace given above the rst step
 
false

 
p



 
true

is a model of the execution of
the rst transition the second one
 
true

 




 
true

models a stutter step with respect
to the variables and actions of this interface
Another model of both  Acknowledge and  
ac
Acknowledge is
 
false

 




A

 
false

 




A

 
false

 




A
      
modeling the situation that the environment never issues a Cmd action
Because  
ac
Acknowledge does not require the environment to obey the assumptions there
are additional models for  
ac
Acknowledge that are not a model of  Acknowledge like for
example
 
false

 

p


A

 
true

 

p


A

 
true

 


ok

A

 
false

 

p


A

 
true

     
where the environment emits two commands successively without waiting for an acknowledge
ment
Transition Systems
Transition systems are a special kind of automata made up of a set of states connected by a set
of labelled edges The transition systems used in this thesis are labelled by the valuations of
the transition relation
Whereas there is one sole translation of a TLT specication into its logical representation
there are several ways of dening transition systems representing the specication One canonic
form are concrete transition systems characterized by their state space being built up of all
possible valuations of the controlled variables Often the concrete state space is innite which
foils using decision procedures for verication that in worst case make an exhaustive search
through the state space To overcome innite state spaces abstract transition systems are
introduced where each abstract state represents a set of concrete states Whereas the paths
through the canonical concrete transition system of a specication coincide with the traces
that are models of the corresponding temporal formula   the paths through abstract transition
systems correspond to a superset of these traces Thus one drawback of abstract transition
systems is that a property may hold for all concrete traces but be violated by some additional
traces of the abstract representation Such situations often can be dealt with by rening the
abstract representation A second diculty lies in nding a good rst abstract transition
system Such a canonical abstract representation will be introduced in Chapter  The basic
idea is to use the control information that is available in the textual representation in form
of guards assumptions and the initial predicate In Chapter  a general notion of transition
system is introduced that contains both the concrete and abstract transition systems
Both for concrete and abstract transition systems the construction of the state space is based
on the controlled variables of a block The block Acknowledge only controls one variable pending
that has two possible values Thus the concrete transition system already is nite consisting
of two states For readability reasons in the graphical representation of the transition system
the states are labeled by the predicates pending and 
pending instead of the values true and
false The initial state 
pending is marked by an additional arrow The arc between two
states 
 
and 

is labeled by the set of valuations that are models of the transition relation and
that agree on the controlled variables with 
 
and 



Again these sets are represented by rst

Adding information about the states  
 
and  

to the labels simplies the description of the composition of
blocks
order logic predicates A label p represents the set of all valuations 
 such that 
 is a model of
p Thus the formula used as label for a transition between two states labeled by s

and s

is
given by s

 Acknowledge  s

 
or any equivalent formula that has the same set of valuations
as its models Arcs labeled by the empty set false are omitted
The concrete transition system representing the protocol is visualized in Figure 
pending /\ pending' /\
Cmd /\   CmdAck Cmd
CmdAck
pendingpending pending
pending /\   pending' /\
Cmd /\ CmdAck
pending /\ pending' /\
Cmd /\   CmdAck
pending /\   pending' /\
Cmd /\   CmdAck
pending
Figure  The transition system shown on the left describes the protocol with exact labels
On the right the labels on the arcs are incomplete every transition label should also state
the relation with respect to the controlled variables and that regarding the actions nothing
else happens The stutter loops are omitted completely These conventions get applied in all
subsequent graphs
The set of traces of a concrete transition system is obtained by following all paths starting
in an initial state As in the logical representation the transition system corresponding to
 
ac
Acknowledge see Figure  allows for additional traces
Cmd
CmdAck
pendingpending
Cmd ?CmdAck ?
Figure  If the assumptions are not required to hold then Cmd actions may also occur in
state pending and CmdAck actions may also occur in state 
pending This is expressed by the
$notation for an action A A
c abbreviates Ac  
A An equivalent exact label for the
self loop of state pending would be pending  pending
 
 
CmdAck
   Modules
A module is a set of blocks that belong together in the sense that they know the same variables
and actions More formally they share one common set of declarations To the environment
consisting of other modules only a part of the declared variables is visible The other variables
are hidden
The Motor Module
In the textual representation the composition to a module is achieved by the concatenation of
the blocks By convention the main block is not named explicitly nor does it start with
the keyword Block The set of declarations that the blocks share is given as the union of the
declarations that occur in the blocks
The motor module uses the interface Acknowledge twice for a Start and a Stop command These
commands are turned into appropriate values of the Boolean valued variable motor that is
connected to the real physical motor If motor is set then the motor is caused to start The
velocity of the motor is used to determine whether a command was successful
Module Motor
Declarations
Variables
Read v  Real
Write motor  Boolean Init false
History pendingStart pendingStop  Boolean
Actions
In Start Stop  
Out StartAck StopAck  f ok ko g
Include Interface Acknowledge
 Cmd  Start CmdAck  StartAck
pending  pendingStart 
Include Interface Acknowledge
 Cmd  Stop CmdAck  StopAck
pending  pendingStop 
Transitions
gt pendingStop 	 
motor
 
k If pendingStart Then StartAckko
k If v Then StopAckok
gt pendingStart  
pendingStop 	 motor
 
k If v Then StartAckok
End
Besides the two interfaces the module only has got one further main block The transition
section of this block consists of two guarded transitions gt and gt	 gt may be executed
only if a Stop action is pending The koperator separates subcommands that have to be
executed in parallel In order to syntactically check for inconsistencies it is required that
these subcommands aect disjoint sets of actions and of primed variables If executed gt
thus
 resets the variable motor to turn o the motor
 emits a StartAck
ko action given a pending Start command and
 acknowledges the pending Stop command given the velocity of the motor equals 
Because only the occurrence of StopAck
ok can reset pendingStop and thereby falsify the guard
the transitions gets executed until the physical motor is stopped Similarly gt	may be executed
only if a Start action but no Stop action is pending Its eect is to set the variable motor and to
acknowledge the Start command as soon as the motor is running
The Transition Relation of Module motor
The transition relation of module motor is built up from the transition relations of the three
blocks of the module Firstly the transition relation of the main block is determined
main
def
  motor motor
 
 gt  gt  
 StartAck  gt  gt  
 StopAck  gt 
where
gt
def
 pendingStop  
motor
 

 pendingStart  StartAckok  
pendingStart  
StartAck  
 v  StopAckok  v  
StopAck  
gt
def
 pendingStart  
 pendingStop  motor
 

 v  StartAckok  v  
StartAck 
Note that guarded transitions  g 	 cmd enter the transition relation as conjunction
g  Trlcmd Here Trl is a function that translates a command into a rst order logic formula
In the example the koperator for simultaneous execution in the sense of within one atomic
step is replaced by the logical and whereas the If b Then cmdconstruct gets translated to
b  Trlcmd  
b  StutterCtrcmd That is if the condition b holds then the translation
of the command is in eect If the condition b does not hold then the variables and actions
controlled by cmd stutter For variables stuttering means that they do not change their value
For actions stuttering means that they do not take place
Based on the transition relation the provisional temporal formula
%main
def
  main
describes the socalled safety part of the specication It remains to determine some scheduling
for the guarded transitions Without such a scheduling one possible trace of %main consists
of stuttering forever even in case of some pending command However in general one wants to
verify properties that hold for all traces Allowing this trace thus would mean that the essential
liveness property of the protocol namely that command eventually get acknowledged could
not be veried
At rst glance one possibility to exclude this trace lies in disallowing stuttering In the denition
of  stuttering was explicitly allowed for each controlled variable and action

 The possible
stuttering gets obvious by reformulating main as
main
def
  motormotor
 
 gt  gt  
 
StartAck  gt  gt  
 
StopAck  gt 
Obviously this formula is fullled if nothing happens Yet stuttering is essential for a general
notion of composition that does not force all blocks to do a real non stutter transition in each
step besides stuttering is even more crucial for renement purposes Therefore one can not
simply forbid stuttering
Fortunately there is a less strict requirement that excludes only innite stuttering one forbids
that the transitions continuously are enabled but never get executed This can be reformulated

Non controlled variables and actions are not restricted at all by 
positively as the property if continuously some guard is enabled then eventually the block gets a
chance to execute at least one of its guarded transitions This property is called local progress
and assumed for all blocks Therefore it is not noted explicitly in the textual representation
Local progress is a special case of a weak fairness condition Although such fairness conditions
in general will reduce the number of traces it can be guaranteed under reasonable preconditions
that they can not forbid all traces Even better one can prove this property in a constructive
manner resulting in a simple scheduler that only produces traces that are weak fair
The temporal formula that corresponds to the textual specication can now be completed
 main
def
 %main  WF someGuard gt gt 
where
someGuard
def
 pendingStop  pendingStart  
pendingStop
Actually WFg gt is a shorthand for the temporal logic formula g   gt  may be
read eventually and thus  means from some point continuously and  can be inter
preted as always eventually or as innitely often Putting these interpretations together
WFg gt is said to hold on a trace if it is true that if on that trace g holds from some point
continuously then gt holds innitely often
The temporal logic also serves as property language in TLT For example the formula
%main  
StopAckko expresses that the main block never returns that the Stop command
has failed For such safetyproperties it is always sucient to consider %main instead of
 main which justies the introduction of %main
The transition system corresponding to the main block is shown in Figure  In the gure
the transitions are drawn by solid lines to indicate that the transitions are inuenced by some
fairness condition In the example a further distinction is not necessary because there is only
one fairness condition Transitions not restricted by any fairness condition are drawn by dashed
lines as in Figure 
gt2
gt1
motor motor
gt1 \/ stutter gt2 \/ stutter
Figure  Because the only controlled variable motor is Booleanvalued the concrete transition
system for the main block consists of only two states
Again the set of traces of the transition system is obtained by following all paths starting in an
initial state and obeying the fairness conditions
Composition of Blocks Assumption Commitment Reasoning
Combining blocks is essential for describing large systems Therefore it is crucial to have a
straightforward notion of composition guaranteeing that
 a block has the same meaning in all contexts its meaning is fully abstract
 blocks may not contradict each other and
 the meaning of the composition of blocks should be simple describable as and
The rst item has already be dealt with by dening a unique set of traces as the semantics of a
block The second item will be dealt with in detail in Chapter  and in Chapter  In essence
blocks can not contradict because they restrict the behavior of dierent sets of controlled
variables and actions For the last item see Figure  composing two blocks means
 syntactical concatenation in the textual
 conjunction of the temporal formulas in the logical
 forming product automata in the transition system and
 intersection in the trace
representation
text
temporal logical formula Boolean transition system
traces
Representation Composition given as
concatanation
conjunction product automata
intersection
Figure  Composition in the dierent views of a specication
For blocks to be composed to one module a series of consistency criteria have to be fullled in
order to guarantee that the blocks may not contradict each other The main property blocks
have to fulll is that they control dierent variables and actions This means for example
that only one block may issue a StartAck action or change write the variable motor
Besides before actually composing the blocks the assumptions of the interfaces have to be
checked The assumptions regarding the commands have to be committed by the environment
that controls the Start and Stop action and thus does not constrain the composition of the three
blocks forming the motor module However the main block controls the two acknowledgements
Thus the module has to guarantee that the corresponding command is pending whenever the
main block emits an acknowledgement In case of the motor module this is trivial because the
transition relation of the main block already implies the assumptions
CC main  StopAck  pendingStop
CC main  StartAck  pendingStart
Therefore no temporal reasoning is required

The consistency condition 
CC follows imme
diately from the fact that the StopAck action is guarded by pendingStop in transition gt and

One is tempted to say the reasoning is purely syntactical
does not occur elsewhere StartAck occurs in both transitions In gt the condition of the
Ifcommand equals pendingStart in gt	 the guard implies pendingStart and thus 
CC	 holds
too
As a result the three blocks may be composed to form a module Let 
I and 
I	 denote the
transition relations of the interfaces that is
I
def
  Start  
pendingStart  pendingStart
 
 
 StartAck  pendingStart  
pendingStart
 
 
 pendingStart pendingStart
 
 Start  StartAck 
I
def
  Stop  
pendingStop  pendingStop
 
 
 StopAck  pendingStop  
pendingStop
 
 
 pendingStop pendingStop
 
 Stop  StopAck 
Then the transition relation for the module is dened as the conjunction of the transition
relations of the three blocks
Motor
def
 main  I  I
 
pendingStart  
pendingStop  motor
 
motor 
 Start  pendingStart
 
 
Start  
pendingStart
 
 
 Stop  pendingStop
 
 
Stop  
pendingStop
 
 

StartAck  
StopAck

pendingStart  pendingStop  motor
 
motor 
Start  
Stop  
StartAck  
StopAck  pendingStart
 
 pendingStop
 

pendingStart  pendingStop  
motor
 

 Start  pendingStart
 
 
Start  
pendingStart
 
 

Stop  
StartAck 
 v  StopAckok  pendingStop
 
 v  
StopAck  
pendingStop
 

pendingStart  
pendingStop  motor
 
motor 

Start  Stop  
StartAck  
StopAck  pendingStart
 
 pendingStop
 
pendingStart  
pendingStop  motor
 

 Stop  pendingStop
 
 
Stop  
pendingStop
 
 

Start  
StopAck 
 v   StartAckok  pendingStart
 
 v  
StartAck  
pendingStart
 

pendingStart  pendingStop  
motor
 
 
Start  
Stop  StartAckko 
 v  StopAckok  pendingStop
 
 v  
StopAck  
pendingStop
 

The treatment of assumptions diers in two ways quite signicantly from the one found else
where in the literature eg in CK	Col	AL	DF	 or Mer	 Firstly the reasoning
about assumptions is lifted to the textual representation of specications where safety as
sumptions occur as annotations In other works assumptions are considered to be a property of
specications expressed either in logical or semantical terms Secondly as seen above assumpti
ons often are structural properties of specications In these cases it is not necessary in TLT to
use temporal logic for the proofs In other approaches assumption commitment style is always
carried out using terms of temporal reasoning TLA for example uses expressions of the form
A

	 C
with the intended meaning if the environment respects the assumptions A up to
point i then the module commits C up to point i
Liveness assumptions are dealt with on the level of layered system descriptions That means
that the underlying architecture of the system can be used to show that cyclic reasoning is
avoided
Modules in Temporal Logic
The composition of blocks to modules in the temporal logic view is achieved by conjuncting the
temporal formulas representing the blocks and then hiding the local and the history variables
 Motor
vis
def


pending
 main   I   I 
Here

pending
means that there is a sequence of values for the variable pending such that  main
  I   I holds As a consequence of hiding the valuations for pending are not mentioned
any more in the traces of  Motor 
The history variable pending is is an auxiliary variable in the sense of AL This means that
it is completely determined by Cmd and Return
Initially it is constant 
pending Then in each step it is given as a function of Cmd and
CmdAck according to the following function table
value of Cmd value of CmdAck value of pending
 
  value of pending
p
 true
  fok kog false
p
 fok kog forbidden
The situation where both Cmd and CmdAck occur may not arise because of the mutual exclusive
assumptions of tr and tr	
Modules as Transition Systems
A concrete transition system of module Motor is shown in Figure 	 Its state space is obtained
by forming all combinations of the states of the interfaces with the states of block main As the
controlled variables are disjoint all combinations interpreted as conjunctions are satisable
by construction Two states of the composition are connected by an arc labeled by a predicate
equivalent to 
pendingpending
 
I  I	  main if and only if the corresponding states in the
components are connected by labels I I	 and main respectively and their conjunction
is satisable
Start
StartAck
pendingStart pendingStart Stop StopAck
pendingStop
pendingStop
gt2
gt1
motor
motor
gt1 \/ stutter
gt2 \/ stutter
Start
StartAck(ko)
Stop
Start
Stop
Start /\ Stop
v=0
v=0 /\
StopAck(ok)
Start
v=0 /\
StartAck(ko)
v=0 /\
StartAck(ok)
v=0 /\
StartAck(ok)
v=0
v=0 /\
StopAck(ok)
Stop
Stop
Stop /\ v=0 /\
StartAck(ok)
v=0 /\
Stop
Startv=0 /\
Start
v=0 /\ Start /\
StopAck(ok)
v=0 /\ StartAck(ko)
/\ StopAck(ok)
v=0 /\ StartAck(ko)
/\ StopAck(ok)
Start /\ Stop
Start /\ v=0 /\
StopAck(ok)
Figure 	 On top the transition systems of the three blocks are repeated On bottom their
product is shown For clarity all states where the variable motor is set are grayed
The Other Modules
The two remaining modules do not introduce new theoretical concepts and are therefore pre
sented only in their textual representations
The Module StopCondition reads a variable error that signals an exception in the process that
makes it necessary to halt the group Besides the operator may want to stop the motors using
the input action OS StopGroup As a consequence the transition section contains both a guarded
and two triggered transitions The former one forwards the exception in the process by turning
the variable error into an action StopGroup the latter ones deal with the incoming actions
The specication variable result used in the last triggered transition serves as a formal parameter
binding the value of the StopGroupAck action
The AutoStop action nally informs the operator that the motors had to be stopped due to
some exception in the process In a more realistic example there would be more than one cause
of error and as a consequence the AutoStop action would also return some alarm text to the
operator station
Module StopCondition
Declarations
Variables
Read error  Boolean
History pndOSStopGroup  Boolean
History pndStopGroup  Boolean
Spec result  f ok ko g
Actions
In OS StopGroup  	

Out OS StopGroupAck  f ok ko g
Out AutoStop  	

Out StopGroup  	

In StopGroupAck  f ok ko g
Include Interface Acknowledge
 Cmd   OS StopGroup CmdAck   OS StopGroupAck
pending   pndOSStopGroup 
Include Inverted Interface Acknowledge
Cmd   StopGroup CmdAck   StopGroupAck
pending   pndStopGroup 
Transitions
 OS StopGroup   StopGroup
 error   pndStopGroup  StopGroup

result
StopGroupAck	result
   If pndOSStopGroup Then OS StopGroupAck	result

Else AutoStop
End
Module GroupCtr
Parameters
nbMotors  Integer
Declarations
Variables
History pendingStartGroup pendingStopGroup  Boolean
History pendingStart pendingStop  Vector nbMotors Of Boolean
Local motor  Vector nbMotors Of f stopped pndStart pndStop running g
Actions
In StartGroup StopGroup  	

Out StartGroupAck StopGroupAck  f ok ko g
Out Start Stop  Vector nbMotors Of 	

In StartAck StopAck  Vector nbMotors Of f ok ko g
Include InterfaceAcknowledge
 Cmd   StartGroup CmdAck   StartGroupAck
pending   pendingStartGroup 
Include InterfaceAcknowledge
 Cmd   StopGroup CmdAck   StopAckGroup
pending   pendingStopGroup 
Include h m  nbMotors i Inverted Interface Acknowledge
 Cmd   Startm
CmdAck   StartAckm
pending   pendingStartm 
Include h m  nbMotors i Inverted Interface Acknowledge
 Cmd   Stopm
CmdAck   StopAckm
pending   pendingStopm 
Transitions
h m  nbMotors it StartAckm	ok
   motorm
 
 running
h m  nbMotors it StartAckm	ko
  StopAckm   motorm
 
 stopped
h m  nbMotors it pendingStartGroup  pendingStopGroup 

h n   nbMotors i
	 nm  motorn  running
  motorm  stopped
 Startm k motorm
 
 pndStart
t pendingStartGroup  pendingStopGroup 

h m   nbMotors i
	 motorn  running

 StartGroupAck	ok

h m  nbMotors it pendingStopGroup  motorm 	 f running pndStart g 

h n   nbMotors i
	 nm  motorn  stopped

 Stopm k motorm
 
 pndStop
t pendingStopGroup 

h m   nbMotors i
	 motorn  stopped 

 StopGroupAck	ok
 k
If pendingStartGroup Then StartGroupAck	ko

End
The GroupCtr module is responsible for successively starting and stopping the motors In order to
deal with an arbitrary number of motors both variables actions transitions and even interfaces
are parameterized As an example consider the local variable motor Actually as is the case for
all other parameterizations the parameterized declaration for motor is a schema for jnbMotorsj
declarations The resulting variables are named motor  motornbMotors They are used
to keep track of the states of the motors This is necessary to maintain the order in which the
motors are started and stopped If for example an exception occurs in the process while the
motors get started then the last motor that is either running or that received a pending Start
command is stopped rst compare transition t
The parameterization for the transitions t is a schema for the following jnbMotorsj transitions
t  StartAckok   motor
 
 running



t nbMotors StartAcknbMotorsok   motornbMotors
 
 running
That is the occurrence of StartAcki
ok triggers motori to be set to state running
Similarly each of the two parameterized interfaces abbreviates jnbMotorsj interfaces In case of
the interfaces one has to pay attention to rst do the substitutions and then duplicate the in
terface In order to match the corresponding interfaces of the motor modules the parameterized
interfaces have to be inverted
  Systems
A system is built up of instances of modules that optional may be ordered in layers Each
layer then relies on a set of properties of lower layers and guarantees a set of properties to
upper layers The properties on which the lowest layer and thus the whole system relies upon
are called system assumptions The system assumptions must be fullled by the environment
of the system Sometimes it is useful to consider several sets of system assumptions for the
environment in order to evaluate the eect on the properties of the system Furthermore it is
worth noting that any eort spent on specifying system assumptions and properties is optional
Several important properties like freedom of deadlock directly result from proof obligations that
are extracted automatically from the textual notation and therefore do not need to be denoted
explicitly However the extra eort usually pays o in reduced testing time and should be
standard at least for safetycritical systems or systems that are delivered in big quantities
The following system description completes the one presented earlier in the engineering section
In the example the system assumptions close the system with respect to the process and the
operator station that are not modeled explicitly They form a kind of minimal substitutes for the
missing environment and model for example that the environment sticks to the acknowledge
protocol The last two system assumptions state that the motor eventually react to the motor
variable as expected if for one of the motors the variable motor is continuously set unless the
velocity indicates that the motor is running then eventually it will be running and vice versa
if for one of the motors the variable motor is continuously reset unless the velocity indicates
that the motor is stopped then eventually it will be stopped These latter two assumptions are
necessary to prove the essential liveness properties of the system
The rst property is concerned about starting the motors if the group receives a StartGroup
command then eventually a state will be reached where the StartGroup command is overridden
by a stop condition or where all the motors are running The second property states that both
an exception in the process and a StopGroup command lead to a state where all the motors are
stopped
System MotorGroup
Parameters
MotorNo  Natural  
Properties
  	 StartGroup   	 StopGroup  error 

m MotorNo
vm 
  
 

  	 error  StopGroup  

m MotorNo
vm   
 

Layer 
Include Module StopCondition
Include Module GroupCtr
nbMotors   MotorNo
Include h m  MotorNo i Module Motor
 Start   Startm StartAck   StartAckm
Stop   Stopm StopAck   StopAckm
v   vm motor   motorm
Systemassumptions
  	 StartGroup  pendingStartGroup 

  	 OS StopGroup  pndOSStopGroup 


m MotorNo
	motorm Unless vm 
  
   	 vm 
   error 


m MotorNo
	motorm Unless vm   
   vm  
End

Chapter 
Logic
In this chapter a logic is introduced that provides a means both for describing and for reasoning
about distributed systems As specications of distributed and embedded systems typically
have some ongoing behavior the logic of choice is a temporal logic that allows reasoning about
systems that change in time Nevertheless following the approach of TLA see Lam	a
the reasoning about specications in the logical view will be done in rstorder logic whenever
possible This will be realized by specifying the nextstate relation in &pure rstorder logic by
using primed variables to specify the nextstate values This has the advantage that a large part
of the proof burden can be carried out using a &pure rstorder calculus In order to provide
a means to describe synchronous communication the standard rstorder logic is extended to
include sorted actions
As a consequence this chapter is divided into two sections The rst section briey introduces
the extended rstorder predicate logic that allows to describe transitions of distributed systems
In the second section this rstorder logic is embedded into a temporal logic in order to deal
with sequences of transitions
  A First	order Logic for Transitions
In computer science it is common to use rstorder predicate logic to formally describe assertions
that hold in a certain state of a computation represented by the values of a set of variables
in some computer memory The foundation to this use of predicate logic were laid by Robert
Floyd and CAR Hoare in the late sixties see Flo and Hoa	 For example the assertion
counter   states that a variable counter has the value  Floyd labeled the edges of aw charts
with such assertions with the intended meaning that the assertions hold every time execution
reaches the edge Hoare uses assertions P and Q to describe the state of a computation before
and after the execution of a sequence of commands S resulting in Hoare triples fPgS fQg for
an overview see for example Gri
In this thesis rstorder logic is not used solely to express assertions about the state of a com
putation but rather to directly describe transitions occurring in computations More precisely
the complete nextstate relation of a specication is expressed by a rstorder predicate logic
formula
This section does not provide a comprehensive introduction to logics but assumes some familia
rity with rstorder logic as may be gained from Fit	 Sch	 Ric	 or And
 Syntax of a Firstorder Logic
The denition of a formal language starts by xing a signature sometimes also called the
alphabet of the language As usual this signature comprises symbols for variables functions
and predicates To reect the data types used in the programming notation of TLT the logic
is typed and thus its signature also provides a set of symbols for sorts Besides a set of action
symbols is included Actions will be used for synchronization and communication purposes If
actions are used for synchronization only and do not carry a value to be communicated then
they are called signals In this special role they are said to be of unit sort
Denition  Signature
Assume a set of symbols containing disjoint nonempty sets '
V ar
for variables '
Act
for
actions '
Func
for functions and '
Pred
for predicatesThe symbols of '
V ar
 '
Act
 '
Func
are sorted using symbols from '
Sort
for sorts To de	ne '
Sort
 some set of elementary sort
identi	ers is assumed  containing at least one sort  called the 
unit sort '
Sort
is assumed
to be closed under forming tuples That is if S
 
 S

 '
Sort
then also the Cartesian product
S
 
 S

 '
Sort
 

The set of variables '
V ar
 '
V

 '
V
 

 '
S
consists of matching sets of unprimed '
V

fx y z     x x    g and primed '
V
 
 fx
 
 y
 
 z
 
     x
 
 x
 
    g variables together
with a set '
S
 fi j k    g of speci	cation variables The variables x  '
V
are called program
variables or exible variables
Furthermore there are two functions sort and arity The function sort maps each symbol
s  '
V ar
'
Act
'
Func
to its sort sorts  '
Sort
 Any matching pair of primed and unprimed
variable is required to be of the same sort that is sortx  sortx
 
 for all x  '
V
 The function
arity maps each symbol s  '
Pred
'
Func
to a tuple of sorts written aritys  S
 
     S
n

'
Sort

n
 such that n   sort and arity are extended as described below to terms
Based on the signature dened above terms and formulas are dened inductively together with
two sets FV and FAct for free variables and free actions occurring in them
Denition  Terms
The set of terms over '
V ar
and '
Func
 and the set FVt of free variables of a term t are de	ned
as
 Every variable v  '
V ar
with sortv  S  '
Sort
is a term of sort S
FVv  fvg
 Given terms t
 
     t
n
of sortt
i
  S
i
and a function f  '
Func
of arityf  S
 
     S
n
and sortf  S then ft
 
     t
n
 is a term of sort S
As a special case unary functions with arity 
 are called constants and denoted by f
instead of ft
 

 
For sets A and B their Cartesian product is made up from all pairs of elements of A and B that is
A   B
def
 fa b j a  A b  Bg
FVft
 
     t
n
 
 
i  n
FVt
i

 Given terms t
 
 t

of sortt
i
  S
i
 then t
 
 t

 is a term of sort S
 
 S


FVt
 
 t

  FVt
 
  FVt


A term is called closed if no variables occur in it The set FAct is empty for all terms
It is important to note that actions do not occur in terms Actions will be restricted to the role
of atomic formulas dened below and the syntax A is used to denote intuitively something
like the value sent on channel A is  or a synchronization on action A takes place and a
value of  is passed If alternatively actions were used syntactically like variables then terms
like A  without intuitive semantics could be formed Furthermore this avoids any confusion
with variables As an important special case actions can also have the sort  or unit In
this case the syntax A abbreviates At and represents there is a signal on channel A or a
synchronization on action A takes place
The following table summarizes the syntactic dierences of variables actions functions and
predicates
symbol type arity sort used in terms
variables dened yes
actions dened no
functions dened dened yes
predicates dened no
Denition  Atomic Formulas
The set of atomic formulas over predicates '
Pred
and actions '
Act
using terms as de	ned above
and the sets FV and FAct of free variables and actions of an atomic formula  are de	ned
as
 Given terms t
 
     t
n
of sortt
i
  S
i
and a predicate p  '
Pred
of arityp  S
 
    S
n

then pt
 
     t
n
 is an atomic formula
As a special case predicates of arity  are called propositional constants and denoted by
p instead of pt
 

FVpt
 
     t
n
 
 
i  n
FVt
i
 and FActpt
 
     t
n
  
 Given a term t and an action A  '
Act
 both of the same sort S  '
Sort
 At is an atomic
formula
As a special case actions with sort  are called signals For signals At will be abbre
viated simply by A
FVAt  FVt and FActAt  fAg
 Given terms t
 
 t

of sort S then t
 
 t

is an atomic formula
FVt
 
 t

  FVt
 
  FVt

 and FActt
 
 t

  
The denition of formulas is based on atomic formulas and includes existential and universal
quantication over actions 
A
may be read as for some value sendable on channel A or
for an empty channel A and 
A
as for all values sendable on channel A and for an empty
channel A
Denition  Syntax of FirstOrder Logic Formulas
The set of formulas over predicates and terms as de	ned above and the set FV of free
variables of a formula  are de	ned as
 Any atomic formula  is a formula 
FV  FV and FAct  FAct
 If  is a formula then 
 is a formula
FV
  FV and FAct
  FAct
 If 
 
 

are formulas then 
 
  is a formula
FV
 
 

  FV
 
  FV

 and FAct
 
 

  FAct
 
  FAct


 If  is a formula and v  '
V ar
a variable then 
v
 is a formula
FV
v
  FVnfvg and FAct
v
  FAct
 If  is a formula and A  '
Act
an action then 
A
 is a formula FV
A
  FV
FAct
A
  FActnfAg
Notation Let  
 
and 

denote rstorder logic formulas and let p denote a propositional
constant Then the following common shorthands will be used in the sequel 
denotes syntactical equality

 
 

 


 
 


 
v
  

v



 
 

 

 
 


A
  

A



 
 

 
 
 

  

 
 

true  p  
p false  p  
p
If C denotes some nite set without loss of generality wlog C  fc
 
     c
n
g then
the following shorthand notations are used

cC
pc  pc
 
      pc
n


cC
p
c
 p
c
 
     p
c
n

cC
c  c
 
     c
n

 in
c
i
 c
 
     c
n

C
p  
c
 
   
c
n
p
and similarly for
W
and 
To dissolve ambiguities in a at representation any subformula may be enclosed
in parenthesis For example both 
v
 and 
v
 might be used Besides the
following binding order of operators is assumed


  




Thus  
x

x     y   may be simplied to 
x

x    y  
Finally Boolean valued variables will be used frequently This means there is a sort
Boolean and two constants of this sort In abuse of notation these constants will also
be called true and false Then b true and b false are abbreviated by b and 
b
As the same notation is used for propositional constants we take care that from the
context it is clear whether b is a Boolean valued variable or a propositional constant


In the context of the TLT programming notation it is convenient to distinguish socalled state
predicates as a special class of rstorder logic formulas They are used to describe the states of
a specication and are joined by transition predicates used to formalize transitions
Denition  State and Transition Predicates
A state predicate  is a formula as de	ned above but such that FAct   and such that
FV  '
V
 '
S

Firstorder logic formulas as de	ned above are also called transition predicates

  Semantics
In this section the rstorder logic formulas introduced above are given a formal meaning called
the semantics of the formulas The denition of the semantics follows the inductive structure
of the syntax of the formulas The basis is laid by xing the meaning of the symbols occurring
in the signature of the rstorder logic Whereas for the sort function and predicate symbols
an interpretation is xed the variable and action symbols are evaluated This separation of
interpretation and evaluation reects the special role of place holders that variables and actions
play
Denition 	 Interpretation I
Let U be a set U  f
p
g called common universe
A 	rstorder logic interpretation I maps
 elementary sort names S  '
Sort
to nonempty subsets D of the universe U  that is
IS  D  U  As a special case the unit sort is mapped to f
p
g that is I  f
p
g
Furthermore let S
 
 S

 '
Sort
and D
i
 IS
i
 Then IS
 
 S


def
 D
 
 D


 nary function symbols f  '
Func
with arityf  S
 
     S
n
 and sortf  S to functi
ons If  D
 
     D
n
	 D with D
i
 IS
i
 and D  IS
As a special case constant symbols c with sortc  S are mapped to functions
Ic  f
p
g 	 D that are identi	ed with elements of D  IS
 nary predicate symbols p  '
Pred
with arityp  S
 
     S
n
 to nary relations Ip 
D
 
     D
n
 where D
i
 IS
i

As a consequence propositional constants are mapped to either  or f
p
g

However Boolean valued variables should not be confused with propositional constants The meaning of the
former depends on a valuation that may change over time whereas the meaning of a propositional constant is
xed once and for all for the whole system under consideration

Whereas in the sequel 	formula
 will be used synonymously for 	temporal logic formula

For all speci	cation variables c  '
S
 we require that the set of closed terms of sort sortc is
eectively computational and large enough to name all elements of the corresponding Isortc
ie for all u  Isortc there is a closed term t of sort sortc such that It  u


In the sequel Da abbreviates Isorta for any variable or action a Da is called the domain
of a
Usually the same notation is used for constant symbols and their interpretation For example
Itruetrue and Ifalsefalse for the Boolean constants
According to the separation of the variable symbols into disjoint sets of primed unprimed and
specication variables the valuation of the variables is divided into three valuation functions
Together with the valuation function for action symbols the valuation function is thus split into
four parts
Denition  Valuation
Given an interpretation I a valuation 

def
   	 
 
 of the variables '
V ar
and actions '
Act
is a function 
  '
V ar
 '
Act
	 U
(
 fg de	ned as

a
def







a  a  '
S
a  a  '
V
	a  a  '
Act

 
a  a  '
V
 
where   	 and 
 
are functions
   '
S
	 U
  x 	 x  Dx
   '
V
	 U
  x 	 x  Dx
 	  '
Act
	 U  fg
	  A 	 	A  Da  fg
 
 
 '
V
 
	 U

 
 x
 
	 
 
x
 
  Dx
 

For actions a the set D

a
def
 Dafg is called extended domain of a Let '
 
 '
V ar
'
Act

Then 
j
	
 
denotes the function 
j
	
 
 '
 
	 U
(
 fg de	ned by 
j
	
 
a  
a for all a  '
 

In this denition the valuation of actions diers from the valuation of variables in letting 
be a possible value for actions This reects the case where an action does not occur that
is no synchronization takes place and no value is communicated To simplify reference if
	A  DA we say that A occurs and that it has the value 	A If 	A   we say that
A does not occur
Now subsequently the semantics of terms and formulas based on an interpretation and a valua
tion are dened
The semantics of a term is an element in the subset of the universe that corresponds to the
sort of the term More formally given an interpretation and a valuation the semantics   is a
function that maps terms t to elements of sortt that is    t 	  t   sortt

Denition  below extends I to arbitrary closed terms
Unprimed variables actions and primed variables represent the current state of a specication
the synchronization and communication while passing to the nextstate and the nextstate
respectively On the other hand specication variables will be used for global parameters of
systems like a lift with n oors as well as for writing schemata of conditions commands and
transitions In this latter usage the specication variables will always be bounded Thus free
specication variables will only occur on a global system specication level and therefore have
more in common with the interpretation than with the exible variables This dierence will be
made explicit in the notation we will use the valuation function  for specication variables is
placed on the same level as the interpretation I
Denition 
 Semantics of Terms
Given an interpretation I and a valuation   	 
 
 the semantics  t 


 

I
of a term t is
de	ned by
 t 


 

I
def














t for t  '
S

t for t  '
V


 
t for t  '
V
 

If t
 



 

I
      t
n



 

I
 for t  ft
 
     t
n

 t
 



 

I
  t




 

I
for t  t
 
 t


The semantics of atomic formulas is a function that maps the formulas to their truth value In
the denition below the semantics are given for the true case only that is   should be read
as  is true
Denition  Semantics of Atomic Formulas
Given an interpretation I and a valuation   	 
 
 the semantics of atomic formulas is
de	ned by
 pt
 
     t
n
 


 

I
i  t
 



 

I
      t
n



 

I
  Ip
for a predicate pt
 
     t
n

At 


 

I
i 	A   t 


 

I

for an action A and a term t
 t
 
 t




 

I
i  t
 



 

I
  t




 

I
for terms t
 
and t

The intended meaning of  


 

I
is 
the formula  is true under interpretation I and valuation
  	 
 

Finally the semantics of rstorder logic formulas also contains a denition for existential
quantication over actions which has to include the possibility that an action does not happen
Denition  Semantics of Formulas
Given a 	rstorder logic interpretation I and a valuation   	 
 
 the semantics of formulas
is inductively de	ned
If  is an atomic formula then its semantics is de	ned in De	nition  otherwise

 


 

I
i not  


 

I

 
 




 

I
i 
 



 

I
and 




 

I

x
 


 

I
i







 

xd
 

I
for some d  Dx  if x  '
V
 


 
xd
I
for some d  Dx  if x  '
V
 
 


 

Ix d
for some d  Dx  if x  '
S

A
 


 

I
i  

Ad
 

I
for some d  DA  fg
where 
a db
def



b  b  a
d  b  a
for valuations 

As a consequence of free speci	cation variables occurring only on system level their valuation
 as well as the interpretation I are usually 	xed for a speci	cation under consideration Thus
the subscripts
I
will often be omitted
With I and  being 	xed
 the valuation  	 
 
 is called a model of  i  


 


  is called satis	able i there is a valuation  	 
 
 that is a model of  and
  is called valid i all valuations  	 
 
 are models of 
Remark  true and false
The symbols true and false are abused several times As syntactic entity true names a
Boolean constant and abbreviates the formula p  
p As a semantic entity true is an
element of the universe
As a Boolean constant it might be used together with a Boolean valued variable x in a
formula like x  true Then x  true 


 

I
i x  Itrue  true
Used as an abbreviation of p  
p true is a valid formula for any interpretation I and
any valuation of the specication variables 
Remark  Comparison of actions in TLT versus actions in CCS
In contrast to pure CCS actions in TLT are typed This has advantages if there are on
ly nitely many actions channels but innite data types In such situations it is often
straightforward to abstract from the actual data sent resulting in nite control specica
tions
On the other hand in TLT there is no notion of an algebra of actions Instead actions are
used exclusively to have values assigned to them
Examples
Let A be a Boolean valued action and let x be a Boolean valued variable The following table
shows the truth values of some formulas for all possible valuations of A and x
Valuation of A Valuation of x Ax 
x
Ax 
A
Ax
true true is true is true is true
false is false is true is true
false true is false is true is true
false is true is true is true
 true is false is false is true
false is false is false is true
From the table it follows that 
A
Ax is valid Other valid formulas for this example are

x

A
Ax 
x

A
Ax and 
A

x
Ax There are also formulas that are not satisable like for
example 
A

x
Ax 
A

x
Ax 
x

A
Ax 
x

A
Ax and 
A

x
Ax
In the following table sample formulas are evaluated for various given sorts and valuations of
actions and variables The sort of an action or variable a is written using the notation a  sorta
for declarations formally introduced in Section 
Declaration Valuation  	 
 
 is a model for  	 
 
 is not a model for
A  
 	A 
p
A 
A
	A   
A A
	A arb 
A
A 
A
A
A  fg 	A   A 
A

A A

c
Ac
	A   
A A

A  
A 
c
Ac
	A arb 
A  
A A A
A  S 	A arb 
A
Ax 
A
Ax
x  S x arb 
A

Ax 
A

Ax

c

A
Ac 
A

c
Ac

c

A
Ac

A

c
Ac
A  
 	A arb 
A

B
A B 
B  
 	B arb
Lemma  
x

Ax 


 

I
i 	A  
Proof
Recall that 
x

Ax to be wellformed requires that DA  Dx Wlog assume x  '
S
the
proof for x  '
V
or x  '
V
 
is analog

x

Ax 


 

I
i 
Ax 


 

Ix d
for all d  Dx
i not Ax 


 

Ix d
for all d  Dx
i not 	A  x 


 

Ix d
for all d  Dx
i not 	A  d for all d  Dx  DA
i 	A    
Action quantiers facilitate the formulation of consistency conditions for TLT specications
However they do not add additional expressiveness to rstorder logic This is shown by the
following lemma that describes how to implement actions by introducing a fresh variable for
each action symbol

 The action quantiers may then be reduced to ordinary ones as is shown
in the subsequent theorem Another way of implementing actions is described in Mer	 There
two variables replace each action one variable of the same sort as the action carries the value
of the action whereas a second Boolean valued variable indicates the presence or absence of the
action
Lemma 
Assume that action A does not occur bound in  and let x  '
S
be a variable not occurring in
 and such that sortA  sortx Further let 
A
txt
denote  with all occurrences At
being syntactically replaced by x  t Then
  

A
 

I
i 
A
tfalse



 

I
  

Ad
 

I
i 
A
txt



 

Ix d
Proof of   Induction on syntax of formulas
 Base case  atomic formulas
Let   '
Pred
   t
 
 t

 or   '
Act
but such that   At Then trivially
 

A
 

I
i  


 

I
i 
A
tfalse



 

I
holds
For   '
Act
and   At we get
At 

A
 

I
i 	A A   t 

A
 

I
i    t 

A
 

I
i as terms never evaluate to 
 false 


 

I
i At
A
tfalse



 

I
 Induction step 
As an example let   
B
 Then
 

A
 

I
i  

ABd
 

I
for some d  DB  fg
i by inductive hypothesis

A
tfalse


Bd
 

I
for some d  DB  fg
i 
A
tfalse



 

I
The proof for the second proposition is analog  

This has to be done in order to use standard rstorder logic theorem provers
Theorem  Syntactic Removal of actions
Let x  '
S
be a variable not occurring in  and such that sortA  sortx Further let 
A
td
denote  with all with respect to A free occurrences At being syntactically replaced by d
for any t Then

A
 


 

I
i 
x

A
txt
 
A
tfalse



 

I

A
 


 

I
i 
x

A
txt
 
A
tfalse



 

I
Proof  First equivalence

A
 


 

I
i  

Ad
 

I
for some d  DA  fg
i  

Ad
 

I
for some d  DA or  

A
 

I
i  Lemma 

A
txt



 

Ix d
for some d  DA or 
A
tfalse



 

I
i 
x

A
txt



 

Ix d
or 
A
tfalse



 

I
i 
x

A
txt
 
A
tfalse



 

Ix d
The proof of the equivalence for universal quantication is similar  
The theorem states that action quantiers are nothing more than syntactic sugar and can
be replaced by ordinary quantication However the resulting formulas loose their intuitive
semantics In essence the action quantor gets replaced by the disjunction of an ordinary
quantor and a term describing empty channels Due to the theorem it is straightforward to
reprove for example the following rules well known for ordinary quantication
Corollary 

a

b
  
b

a
 with a b  '
V ar
 '
Act

a

b
  
b

a
 with a b  '
V ar
 '
Act
 A Temporal Logic
Historically temporal logics emerged from modal logics originally introduced by philosophers
to reason about systems of connected worlds that vary in the set of assertions that are true
in them Thus each world has a distinct mode of truth therefore modal logics Two
predominant operators in these logics are  and  p is said to hold in a given world w
written w j p if the assertion p is true in all worlds reachable from w Similarly p is said
to hold in a given world w if the assertion p is true in some world reachable from w Temporal
logics are obtained from modal logics by replacing the general notion of connected worlds by a
totally ordered set of points sometimes also intervals in time t j p then means that assertion
p is true in all points of time in the future of the given point t or simply that p holds always
in the future of t t j p then means that assertion p is true in some future point or simply
that p holds sometimes or eventually in the future of t
Summarized in a temporal logic with the operators  and  a sequence of situations may be
described and reasoned about Therefore these logics are called linear time temporal logics
Examples for linear time temporal logics are UNITY see CM or TLA see Lam	a
Besides there are also socalled branching time temporal logics In branching time temporal
logics each point of time may have several successors resulting in a tree of situations that may
be described and reasoned about see for example BAPM The best known representative of
these logics is CTL the Computation Tree Logic as presented in CE and CES Branching
time temporal logics allow to express that a property holds in some possible future whereas in
linear time temporal logics valid properties always have to hold for all possible futures that is
for all sequences On the other hand there are properties like strong fairness that are expressible
in linear time temporal logics but not in CTL For this reason there was an ongoing discussion in
the eighties about which kind of temporal logic to prefer mainly with respect to expressiveness
and the computational complexity to check the satisability of formulas As a result more
expressive logics like CTL
	
 were introduced that contained both CTL and linear time temporal
logics A second result of these discussions is a wide variety of articles comparing linear time
and branching time temporal logics as for example Lam EL EH BCG and
Sti	
In this thesis I only consider linear time temporal logics because I personally feel that they are
more intuitive to use
Good introductions to temporal logics may be found in Eme	 or in the comprehensive standard
textbook for linear time temporal logics MP	 lately expanded by a second volume MP	
In BA	 both rstorder logic and temporal logic are dealt in an introductory manner
The temporal logic presented below subsumes the rstorder logic dened above Following the
philosophy of TLA see Lam	 a temporal &nextoperator is excluded but since transition
predicates can be expressed in the rstorder logic anyway this is no real loss of expressive
power Excluding the &nextoperator allows for dealing with safety properties and most as
sumptions within rstorder logic Furthermore in rening a specication typically extra steps
are introduced that falsify properties containing a temporal &nextoperator In contrast to TLA
however I make no use of short hand notations that implicitly add a frame to formulas but
stay with plain denitions similar to the ones found for example in MP
Whereas most temporal logics found in the literature are based on a propositional logic the TLT
logic is based on a rstorder logic Therefore an immediate question is whether there should
be quantication on the level of the temporal logic In fact this turns out to be necessary
in order to hide local variables of specications which is essential for both composition and
renement Indeed besides the quantication introduced for the rstorder logic there will be
two more possibilities to express quantication Firstly there is a straightforward extension
permitting the quantication of specication variables also for temporal formulas As said
before specication variables are used bounded for schematas and free for global parameters of
the specication under consideration In the latter case their value does not change over time
For free occurrences of actions and exible variables that may change over time a second kind
of temporal quantication is needed Intuitively the existential quantication on a exible
variable x will express there is a sequence of values for x
As was the case for the rstorder logic the formal denition of the temporal logic is given for
a minimal set of operators only Additional operators are dened as abbreviations
Denition  Syntax of Temporal Formulas
The set of temporal formulas is de	ned inductively as
 Any 	rstorder logic formula  see De	nition  is a temporal formula  
FV   FV FAct   FAct
 If  is a temporal formula then  always is a temporal formula
FV   FV  FAct   FAct 
 If  is a temporal formula then 
 is a temporal formula
FV
   FV  FAct
   FAct 
 If  
 
 

are temporal formulas then  
 
  is a temporal formula
FV 
 
  

  FV 
 
  FV 

 FAct 
 
  

  FAct 
 
  FAct 


 If  is a temporal formula s  '
S
and a  '
V
 '
Act
 then 
s
 and

a
 are temporal
formulas
FV
s
   FV  fsg FAct
s
   FAct 
FV

a
 
def


FV  fag  a  '
V
FV   a  '
Act
FAct

a
 
def


FAct   a  '
V
FAct  fag  a  '
Act
Notation Let  denote a temporal formula  and  denote rstorder logic formulas and p
and q denote state predicates Then the following shorthands commonly known as
&eventually &leadsto &weak fair &strong fair &unless and &until respectively will
be used
  

 WF    
 	     SF    
pUnless q  p  
q  p
 
 q
 
 pUntil q  pUnless q  p 	 q
Furthermore as usual

s
  

s

 and

a
  


a

 
 
 
  

 
 
 
  

 and
 
 
  

 
 
 
  

and  
 
  

  
 
  

   

  
 

Note that some temporal connectives like  
 or are identical to rstorder logic
ones
Finally the following binding order for the temporal operators is xed


  








In the previous section the semantics of rstorder logic formulas was based on an interpretation
and on a valuation of the variables and actions For temporal formulas the exible variables and
the actions have to be evaluated for every time instance Thus there is now an innite sequence
of valuations for the exible variables and actions The valuation of the specication variables
as well as the interpretation of sorts predicates and functions does not change compared to the
rstorder logic
More formally in case of rstorder logic the actions and exible variables occurring in transition
predicates are evaluated by a triple  	 
 
 of valuation functions for the unprimed variables
the actions and the primed variables respectively This models one step or transition where 
gives the values of the variables before 
 
gives the values of the variables after the step
and 	 tells whether some synchronization and communication takes place in this step In order
to evaluate the actions and exible variables over time one has to consider sequences of such
steps like for example
 

 	

 
 

  
 
 	
 
 
 
 
  

 	

 
 

    
These steps are however not independent as the values assigned to the primed variables in
step i have to be equal to the values of the corresponding unprimed variables in step i That
is

 
i
x
 
  
i 
x for all x  '
V

which means that 
 
i
and 
i 
may be identied resulting in sequences
 

 	

 
 
 	
 
 

 	

 

      '
V
	 U  '
Act
	 U  fg 

of alternating valuations of exible variables and actions These are called valuation sequences
and may also be noted as




	 
 

 
	 



	 

   
Now the question arises what it means to quantify over an action or exible variable Consider
for example the temporal formula

y
 y
 
 x where x and y denote exible variables This
formula states that there is a sequence of values of y such that in every step always the new
value of y equals the old value of x incremented by one For example let


x 
 
x 

x        	       
If for 

y 
 
y 

y     one chooses
         or         
then clearly 

 
 
 

     fullls  y
 
 x  Actually the formula

y
 y
 
 x  is valid
because by dening

i
y
def


arbitrary  for i  

i 
x    for i  
it is always possible to fulll  y
 
 x 
In order to dene temporal quantication formally it is convenient to relate valuation sequences
that agree in the valuation of all but one action or variable
Denition  Similar Valuation Sequences
Two valuation sequences 


 	


 

 
 	

 
     and 
 

 	
 

 
 
 
 	
 
 
     are called asimilar if they
only dier in the valuation of a that is if 

i
x  
 
i
x and 	

i
A  	
 
i
A for all xA  a
After these preparations it is now possible to dene the semantics of temporal logic formulas
Denition  Semantics of Temporal Formulas
Assume an interpretation I a valuation  of the speci	cation variables and an in	nite valuation
sequence   

 	

 
 
 	
 
     such that the 
i
are valuations of the exible variables x  '
V
and the 	
i
are valuations of the actions A  '
act

The fact that a temporal formula  holds at position i of  is inductively de	ned by
 i j
I
 i  


i



 
i

I
for a 	rstorder logic formula 
with 
 
i
x
 

def
 
i 
x
 i j
I
 i  j j
I
 for all j  i
 i j
I

 i not  i j
I
 
 i j
I
 
 
  

i  i j
I
 
 
and  i j
I
 

 i j
I

s
 i  i j
Isd
 for some d  Isorts
 i j
I

a
 i  i j
I
 for some  being a similar to 
Furthermore  j
I
 abbreviates   j
I
 and is read 
 holds on  with respect
to I   is then called model of  
 is called satis	able with respect to I  i there is a model  of  
 is called valid with respect to I  noted j
I
 i all sequences  are models of  
Usually one 	xed pair I  is used if this is clear from the context j replaces j
I

Corollary 
The additional notations introduced after De	nition  have the following semantics
 i j
I
 i  j j
I
 for some j  i
 i j
I
 	  i if  


j

j

 
j

I
for some j  i
then  


k

k

 
k

I
for some k  j
 i j
I
WF  i for all j  i holds 

 


k

k

 
k

I
for some k  j
or  


k

k

 
k

I
for some k  j
 i j
I
SF  i for all j  i holds 
if  


k

k

 
k

I
for in	nitely many k  j
then  


k

k

 
k

I
for in	nitely many k  j
Examples
In MP	 a lot of theorems for propositional linear temporal logic are listed For example let
 and ! denote arbitrary temporal formulas and let  and  be transition predicates that is
rstorder logic formulas Then the following formulas are valid ie they hold for arbitrary
valuation sequences 
 j
I
  !    !
 j
I
  !    !
 j
I
SF   WF 
For the latter two formulas the opposite is not true in general For example
 evenx  oddx   evenx   oddx
does not hold for 
i
x
def
 i whereas
WFx   x    SFx   x  
is violated for example by the valuation sequence dened by 
	i
x
def
  and 
	i 
x
def
 
To state some propositions dealing with exible quantication some arbitrary a  '
V
 '
Act
is xed Then for example the following propositions hold
 j
I


a
 

a
 
 j
I


a
  
a

 j
I

a
  

a
 
To prove the last proposition one has to show that for some arbitrary valuation sequence 
 j
I

a
 implies  j
I


a
 
Thus suppose  j
I

a
  Then
 j
I
 for some avariant  of 
Let 

be such an avariant of  that is


j
I
 
Then by the semantics of 


 j j
I
 for all j  
Thus
  j j
I
 for some avariant  of   for all j   
That is
 j j
I

a
 for all j  
which nally implies
 j
I


a
 
The opposite is not true in general For example


y
 y  x y
 
 y
is valid whereas the only models of

y
  y  x y
 
 y
are the valuation sequences   
i
 	
i

i
with 
i
x being constant for all i
Until now the semantics of formulas was given with respect to valuation sequences for all
variables and actions Obviously however it is sucient to base the semantics of a formula
only on the variables and actions that occur free within the formula In the programming
notation introduced in Chapter  the meaning of formulas will be dened in the context of a
given set of variable and action declarations The projection of the models of a formula to these
declarations are called the trace of the formula Formally
Denition  Traces
Let FFV 
def
 FV    '
V
denote the free exible variables of a formula   Furthermore let
VarsActs be two sets such that FFV   Vars  '
V
and FAct   Acts  '
Act
 The set of
traces wrt with respect to VarsActs is then de	ned as
Traces
VarsActs
 
def
 f
	
	
VarsActs
j  j  g
where 
	
	
VarsActs
 
)


 )	


)

 
 )	
 
     with

)

i
 Vars	 U
)

i
x  
i
x
and

)	
i
 Acts	 U  fg
)	
i
x  	
i
x

If Vars and Acts are clear from the context Traces  abbreviates Traces
VarsActs
 
The following lemma summarizes the most important properties of traces
Lemma 	
 Let )  
)


 )	


)

 
 )	
 
     with

)

i
 Vars	 U
)	
i
 Acts	 U  fg

Then )  Traces 
i  j  for all   

 	

     with


i
x 
)

i
x for all x  Vars
	
i
A  )	
i
A for all A  Acts
 Traces 
 
  

  Traces 
 
  Traces 


 j  
 
  

i Traces 
 
  Traces 


Proof
 By denition FFV   Vars  '
V
and FAct   Acts  '
Act
 Therefore the semantics
of  do not depend on the valuations of variables from '
V
Vars and actions from '
Act

Actions
 By denition
 To see the direction from left to right suppose )  Traces 
 
 ie  j  
 
for any 
that agrees on Vars and Acts with ) Since  
 
  

is valid especially  j  
 
  


that is  j  
 
implies  j  

 Thus )  Traces 

 by denition
For the opposite direction assume there is some  such that  j  
 
but not  j  

 That
means )  Traces 
 
 but )  Traces 

 which contradicts the premise Traces 
 
 
Traces 


 
In applications widely known theorems of linear temporal logic like for example the transiti
vity of leadsto will be used as needed but without presenting a full calculus

Chapter 
Automata
Besides logic the most commonly used formal models for distributed systems are various kinds
of somehow coupled automata In this chapter Boolean transition systems as special kind of
automata will be presented In contrast to most other automata Boolean transition systems
are characterized by the edges of the automata being labelled by elements of a Boolean algebra
Therefore this chapter starts with a brief introduction to Boolean algebras
  Boolean Algebras
This section summarizes some facts about Boolean algebras that are needed in the following
Most denitions and lemmas can already be found in Hal the standard text book about Boo
lean algebras on pages  The notions of tensor products and independence of Subalgebras
are explained in more detail in Kur	 on pages  However in contrast to Kur	 tensor
products are only dened for complete atomic Boolean algebras This way I can give a direct
denition instead of the somewhat cumbersome denition in Kur	 that is based on interior
products monomorphisms and independent subalgebras I include proofs to make the thesis
selfcontained As I do not present the full theory some proofs are more elementary and there
fore sometimes slightly less elegant than the corresponding ones in Hal or Kur	 A reader
familiar with the traditional theory of Boolean algebras may safely skip the rst denitions
besides Denition  and start reading in Section 
Denition  Boolean Algebras
Let B be a set that contains two distinguished elements  and  and that is closed under the
two binary operations  and  and under the unary operation "
 
Then B  B "    is
called a Boolean algebra i for arbitrary elements a b c  B the following axioms are ful	lled
a  b  c  a  b  c associativity a b c  a b  c
a  b  b  a commutativity a b  b a
a    a identity rules a   a
a  "a   inverse elements a "a  
a  b c  a  b  a  c distributivity a b  c  a b  a c
Sometimes B will be identied with B
 
That is   B  B  B   are total functions
Corollary 
In every Boolean algebra the following equations are true
"
  
"
  
a     a   
a  a  a idempotency a a  a
a  a b  a absorption a a  b  a
a  b  "a
"
b De Morgan a b  "a 
"
b
By dening a  b
def
 a  b  a a partial order on B gets dened that is  is
 reexive a  a
 antisymmetric a  b and b  a imply a  b and
 transitive a  b and b  c imply a  c
Further a  b
def
 a  b  a  b
Lemma 
 a  b  a and a  a b
 a
 
 b
 
and a

 b

imply both a
 
 a

 b
 
 b

and a
 
 a

 b
 
 b


 a  b i a 
"
b  
Proof
 Obvious
 Obvious
 Suppose a  b  a Then a  b 
"
b  a 
"
b ie   a 
"
b
Now suppose a 
"
b   Then a 
"
b   ie "a  b   and thus a  "a  b  a   or
equivalently a  b  a
 
Examples
  PA " A  
is a Boolean algebra for any countable set A The complement for some X  PA is
dened as the set dierence with respect to A that is
"
X
def
 A  X The order  is
ordinary set inclusion  The validity of the axioms is guaranteed by set theory
  fA  PZZ j jAj is nite or jZZ Aj is nite g " ZZ  
Again  is dened as set inclusion  A set A  PZZ such that jZZ  Aj is nite is
called conite An example of a conite set is the set of all integers with absolute values
greater than  f z  ZZ j jzj   g The complement of a nite set is conite and vice
versa The intersection or union of two nite conite sets is again niteconite The
intersection or union of a nite and a conite set is again conite Thus all operations
are welldened
  For
V


 true false 
Here For
V
denotes the formulas of propositional logic dened inductively by
p  true j false j v j p  p j p  p j 
p
where v  V denotes a nite set of propositional variables
Given For
V
 For
V

denotes the set of equivalence classes over For
V
based on  There
are 

jV j
equivalence classes that correspond to the 

jV j
possible truth tables based on the
valuations of the variables in V  The order  is implication The validity of the axioms
is given by the usual semantics of 
 true and false 
Boolean algebras may be visualized as Hasse diagrams that are obtained by arranging the
elements of the Boolean algebra in such a way that a  b i a and b are connected and b is
above a
{ a, b }
{ a } { b }
ø
true
false
p /\ q p /\ ¬q ¬p /\ ¬q¬p /\ q
p p <=> q q ¬p ¬qp <=> q
p \/ q p \/ ¬q ¬p \/ ¬q¬p \/ q
Figure  The picture shows the Hasse diagrams corresponding to the Boolean algebras
 Pfa bg " fa bg   and  For
fpqg
 
 true false 
 Atoms
If one takes a closer look on the examples in Figure  it becomes apparent that the Boolean
algebras presented there are generated by the elements in the second row from bottom The
elements drawn above this row always are equivalent to the union left example and the dis
junction right example of the second row elements they dominate For example p in the third
row is connected to p q and to p
q and in fact p is equivalent to p q  p
q This special
role of the elements of the second row gives rise to the following denition
Denition  Atoms and Atomic Algebras
An element s  B is called atom of a Boolean algebra B i s   and for all b  B b  s
implies b   or b  s SB denotes the set of all atoms of B
The Boolean algebra B is called atomic i every nonzero element dominates at least one
atom that is i for all b  B there exists a s  SB such that s  b
Lemma 
Let s  SB and b b
 
 b

 B Then
 s  b or s  b  
 s  b
 
and s  b

i s  b
 
 b

 s  b
 
or s  b

i s  b
 
 b

Proof
 Firstly s  b  s Since s is an atom either s  b   or s  b  s ie either s  b   or
s  b
 The direction from left to right follows from Lemma  For the opposite direction one
has to show s  b
 
 b

 s given s  b
 
 s and s  b

 s That is obvious
 The direction from left to right follows from Lemma  For the opposite direction
suppose s  b
 
does not hold Then s  b
 
  by  Thus s  b

   s  b


s  b
 
 s  b

 s  b
 
 b

  s That is s  b


Lemma 	
Assume S
 
 S

to be 	nite sets of atoms with S
 
 S

 SB b
 

X
sS
 
s and b


X
sS

s
If both sums exist then b
 
 b


X
sS
 

S

s
Proofsketched
b
 
 b


X
s
 
S
 
s
 

X
s

S

s


X
s
 
S
 
s

S

s
 
 s


X
sS
 

S

s
The last equation holds because for atoms s
 
 s



s
 
 for s
 
 s

  otherwise
  
Examples
 B  PA " A  
Here SB  f fag j a  A g that is the atoms are the singletons Clearly B is atomic
  fA  PZZ j jAj is nite or jZZ Aj is nite g " ZZ  
Again the atoms of B are the singletons
 B  For
V


 true false  and V is nite
Here SB  f

I
b
i


J

b
j
j V  fb
i
ji  Ig
(
 fb
j
jj  Jg g
 B  For
V


 true false  and V is innite
For an innite set of propositional variables For
V

is not atomic Indeed there are no
atoms at all Let p be an arbitrary formula that is not equivalent to false and let v be a
variable not occurring in p Then p v does not equal false but p v  p Thus p is not
an atom 
  Complete Algebras
Denition  Upper BoundsSuprema
An element u  B is called an upper bound of A  B i a  u for all a  A The set of all
upper bounds of a subset A of B is denoted by UA
An element u  UA is called supremum of A in B denoted by
W
A i
W
A  u for all
u  UA
Dually lower bounds and in	ma get de	ned
If the supremum of a nite set A exists then it is unique and equal to the sum of the elements
of A
Lemma 

If
W
A exists for some 	nite A then
W
A 
X
aA
a
Proof
As a 
X
aA
a for all a  A
X
aA
a is an upper bound of A It remains to show that it is the least
upper bound Thus let u be an arbitrary upper bound of A ie a  u for all a  A Thus
X
aA
a 
X
aA
u  u  
Denition  Complete Algebras
A Boolean algebra B is called complete i
W
A and
V
A exist for arbitrary subsets A  B
Atomic Boolean algebras have the important property that all elements are equal to the
supremum of the atoms they dominate
Lemma 
Let B be atomic Then for arbitrary b  B
b 


fs  SB j s  bg 
ProofHalp lemma 
Remark This implies that the supremum exists without referring to completeness*
b is by denition an upper bound of S
b
def
 fs  SB j s  bg Thus it remains to show that
b  u for arbitrary upper bounds u of S
b
 Suppose not that is b  "u   Since B is atomic
there is an atom s

such that   s

 b  "u  b In particular s

 S
b
 and thus s

 u  s


On the other hand it also follows s

 u  b  "u  u   and thus s

 u   which contradicts
s

 u  s

  
Examples
 B  PA " A  
Let X be an element of PA that is a subset of A Then all subsets of PA containing
X are upper bounds of X The supremum and inmum of X is X
 B  For
V


 true false 
Let p be a propositional formula as representative of a class of equivalent formulas Then
all formulas that imply p are upper bounds The supremum and inmum of p is p
  fA  PZZ j jAj is nite or jZZ Aj is nite g " ZZ  
This Boolean algebra is not complete For example the set of all even integers
 
zZZ
even
z
fzg
is neither nite nor conite 
 Subalgebras
Denition  Subalgebras
A Boolean algebra A  A "    is called subalgebra of a Boolean algebra
B  B "    i A  B and A is closed with respect to the operations   and
" of B and shares the  and  elements
Actually that A shares the  and  elements with B can already be deduced from the closedness
condition Suppose a  A Since A is closed under " "a  A and thus a  "a  A and a "a  A
But a  "a   and a "a   ie    A
An important special case are subalgebras that do not interfere with each other This is
expressed by the property that the product of elements of such independent algebras never
equals  which can be interpreted as contradiction given none of the elements already equals
 This corresponds to TLT specications with disjoint sets of variables and actions
Denition 
Let A
i
be a 	nite set of subalgebras of a Boolean algebra B Then the A
i
are independent
i for arbitrary a
i
 A
i
a
 
     a
k
  implies a
i
  for some i
 Homomorphisms
Morphisms map Boolean algebras to Boolean algebras in a way that preserves important pro
perties
Denition  Morphisms
A homomorphism between two Boolean algebras A and B is a function   A 	 B such that
  a
 
 a

   a
 
   a


  a
 
 a

   a
 
   a

 and
  "a   a
If  is injective that is  a
 
   a

 implies a
 
 a

 then  is called monomorphism which
will be indicated by the notation   A 	 B
If  is surjective that is for all b  B there exists an a  A such that  a  b then  is
called epimorphism indicated by   A 	 B
A homomorphism that is both injective and surjective and thus is bijective is called isomorhism
indicated by   A 	 B
Two Boolean algebras A and B are called isomorphic noted by A


B i there is an
isomorphism   A 	 B
The image of A in B under   written  A is de	ned as  A   A 
B

B
"
B
 
B
 
B

where  A  fb  B j exists a  A such that  a  bg
The following lemma shows that homomorphisms preserve the order of elements as well as the
 and  elements Furthermore the image of a Boolean algebra is a subalgebra and monomor
phisms map nonzero elements to nonzero elements
Lemma 
Let   A 	 B be a homomorphism Then
 a
 
 a

implies  a
 
   a


If  in addition is injective then a
 
 a

i  a
 
   a


     and    
  A is a subalgebra of B
 If  is injective then a   implies  a  
Proof
  a
 
   a

   a
 
 a


a
 
	a

a
 
  a
 

To prove  a
 
   a

 implies a
 
 a

 one has to show that  a
 
   a

   a
 

implies a
 
 a

 a
 
 Because  a
 
   a

   a
 
 a

 it is sucient to show  a
 

a

   a
 
 implies a
 
 a

 a
 
 But since  is injective  a
 
 a

   a
 
 implies
 
 
 a
 
 a

   
 
 a
 
 from which a
 
 a

 a
 
follows trivially
                     
           
 By denition  A  B
Suppose b
 
 b

  A Then there are a
i
 A such that  a
i
  b
i
 Now
b
 
 b

  a
 
   a

   a
 
 a

   A
b
 
 b

  a
 
   a

   a
 
 a

   A
b
 
  a
 
   a
 
   A
 Suppose not that is  a  

   Then since  is injective a   Contradiction
 
Theorem  Characterization of Complete and Atomic Boolean Algebras
A is a complete atomic algebra i A


 PSA " SA  
The isomorphism   A 	 PSA is given by
 a  f s  SA j s  a g Especially  s  f s g for atoms s  SA
ProofHalptheorem 
Assume A is complete and atomic and let a
 
 a

 A Then
  a
 
 a

  f s  SA j s  a
 
 a

g
 f s  SA j s  a
 
and s  a

g
 f s  SA j s  a
 
g   f s  SA j s  a

g
  a
 
   a


  a
 
 a

  f s  SA j s  a
 
 a

g
 f s  SA j s  a
 
or s  a

g
 f s  SA j s  a
 
g  f s  SA j s  a

g
  a
 
   a


The second equality holds due to Lemma 
  "a  f s  SA j s  "a g
 f s  SA j s  a   g
 SA f s  SA j s  a   g
 SA f s  SA j s  a g
  a
Therefore  is a homomorphism
Further  is surjective Let X be an arbitrary subset of SA Then x 


sX
s exists as
A is complete and  x  X
Finally  is injective If  a
 
   a

 then


s
a
 

s 


s
a


s But since A is atomic every
element is equal to the supremum of elements it dominates see Lemma  Thus a
 
 a


In the opposite direction  PSA " SA   and thus A   
 
PSA are com
plete and atomic
 
In the sequel only complete atomic Boolean algebras will be considered The isomorphism
mentioned above justies the further restriction to Boolean algebras of sort B  PX for
arbitrary sets X recall PX abbreviates  PX "X  
 Tensor Products
This sections deals with the task of embedding small algebras as independent subalgebras of
one big algebra called the tensor exterior product compare Kur	
Denition 	 Tensor Product
Given two Boolean set algebras PX and PY  their tensor product PXPY  is given by
PX  Y  that is  fT j T  X  Y g X  Y   The atoms of PX  PY  are the
sets containing exactly one pair x y  X  Y 
Example Let X  fx zg and Y  fy zg
Then PX  Y   Pfx y x z z y z zg  X  Y   An element of PX  Y 
is for example fx y z zg 
Next canonical embeddings and projections are dened
Denition  Canonical Monomorphisms and Projections
Let PX and PY  be Boolean algebras and X
 
 X Y
 
 Y and T  X  Y  Then the two
canonical monomorphisms also referred to as liftings

X
and

Y
are de	ned by

X


PX 	 PXPY 
X
 
	

X
X
 
  fx
 
 y j x
 
 X
 
 y  Y g  X
 
 Y

Y


PY  	 PXPY 
Y
 
	

Y
Y
 
  fx y
 
 j x  X y
 
 Y
 
g  X  Y
 
The canonical projections
	
	
X
and
	
	
Y
are de	ned by
	
	
X


PXPY  	 PX
T 	 T
	
	
X
 fx  X j 
yY
x y  Tg
	
	
Y


PXPY  	 PY 
T 	 T
	
	
Y
 fy  Y j 
xX
x y  Tg
Some special cases 


X
X  X  Y


X
fxg  fxg  Y for x  X
these are the atoms of the subalgebra

X
PX of PX PY 


X
  
 fx yg
	
	
X
 fxg
Lemma 



X
and

Y
are monomorphisms


X
PX and

Y
PY  are independent subalgebras of PXPY 
 

X
X
 

	
	
X
 X
 
and 

Y
Y
 

	
	
Y
 Y
 



X
T
	
	
X
  T and

Y
T
	
	
Y
  T 

	
	
X
and
	
	
Y
are not homomorphisms
 T
 
  T


	
	
X
 T
 
	
	
X
  T

	
	
X

 T   i T
	
	
X
 

	
	
X
maps atoms fx yg of PXPY  to atoms fxg of PX
 T
 
 T

implies T
 
	
	
X
 T

	
	
X

Proof


X
X
 
 

X
X

  X
 
 Y   X

 Y   X
 
X

 Y 

X
X
 
X



X
X
 
  

X
X

  X
 
 Y    X

 Y   X
 
 X

 Y 

X
X
 
 X



X
X
 
  X X
 
 Y  X  Y  X
 
 Y   X  Y 

X
X
 
 

X
X
 


X
X
 
 

X
X

 implies X
 
 Y   X

 Y  implies X
 
 X



X
PX  fX
 
 Y j X
 
 Xg  X  Y  
Clearly fX
 
 Y j X
 
 Xg  fT j T  X  Y g and

X
X
 
 

X
X

  X
 
 Y   X

 Y   X
 
X

 Y 

X
PX

X
X
 
  

X
X

  X
 
 Y    X

 Y   X
 
 X

 Y 

X
PX

X
X
 
  X  Y 

X
X
 
  X  Y  X
 
 Y   X X
 
 Y 

X
PX
It remains to show that

X
PX and

Y
PY  are independent Suppose  

X
X
 
 

X
PX and  

Y
Y
 
 

Y
PY  That is there are elements x
 
 X
 
and y
 
 Y
 
such that x
 
 y 

X
X
 
 for all y  Y and x y
 
 

Y
Y
 
 for all x  X
Thus x
 
 y
 
 

X
X
 
  

Y
Y
 
  
 X
 
 Y 
	
	
X
 fx  X j 
yY
x y  X
 
 Y g  fx  X j x  X
 
g  X
 
 Suppose x

 y

  T 
y x

 T
	
	
X
y x

 y

 

X
T
	
	
X

 Take x
 
 x

 X such that x
 
 x


Then fx
 
gY  fx

gY 
	
	
Y
 
	
	
Y
   Y  Y  Y  fx
 
gY 
	
	
Y
 fx

gY 
	
	
Y
 T
 
  T


	
	
X
 fx  X j 
yY
x y  T
 
  T

g  fx  X j 
y
 
Y
x y
 
 
T
 
and 
y

Y
x y

  T

g  fx  X j 
y
 
Y
x y
 
  T
 
g   fx  X j 
y

Y
x y

 
T

g  T
 
	
	
X
  T

	
	
X
 By denition
 By denition
	 One has to show T
 
	
	
X
  T

	
	
X
 T
 
	
	
X

Obviously T
 
	
	
X
  T

	
	
X
 T
 
	
	
X
 It remains to show T
 
	
	
X
 T
 
	
	
X
  T

	
	
X
 But since
T
 
  T

 T
 
 this is equivalent to T
 
  T


	
	
X
 T
 
	
	
X
  T

	
	
X
which was shown above
 
The second property is called the lifting lemma in Kur	
Remark  Tensor products should not be confused with the more familiar direct products
dened as follows
A  B  A  B "    with a
 
 b
 
  a

 b


def
 a
 
 a

 b
 
 b

 a
 
 b
 
 
a

 b


def
 a
 
a

 b
 
b

 a b
def
 "a
"
b 
def
   and 
def
   One dierence in the
theory of direct products is that the projection functions
	
	
A
and
	
	
B
dened by a b
	
	
A
 a
and a b
	
	
B
 b trivially are homomorphisms Further the number of elements in A B
is given by 
jAjjBj
whereas A B has 
jAj	jBj
elements
Remark  Because PX PY PZ  PX  Y Z  PXPY PZ all
denitions and lemmas about tensor products can easily be generalized to deal with a nite
number of component algebras For example the tensor product of n Boolean algebras
PX
 
    PX
n
 is dened by
PX
 
     PX
n

def
 PX
 
    X
n

 An Algebra of Transitions
In this section the Boolean algebras introduced above are related to the logic dened in Chapter

As in Denition  consider a signature consisting of a set Vars of variables and a set Acts
of actions the latter modeling synchronousnonblocking channels Each variable and action
is typed such that Dx denotes the domain of values of the variable x and DA denotes the
domain of values of the action A
Given a set of variables Vars a concrete state wrt Vars is an element of
Y
xVars
Dx
A concrete state  thus denes a valuation of the variables in Vars that is
Vars  x

	 x  Dx
Similarly restricting a valuation 	 to the actions in Acts results in a total function 	  Acts	
U  fg such that
Acts  A

	 	A  D

A
Now the concept of a concrete transition wrt VarsActs may be formalized It is a pair of
states together with a valuation of each action that is an element of
Transitions
def

Y
xVars
Dx
Y
AActs
D

A
Y
x
 
Vars
 
Dx
 

Example trac light
To model trac lights that allow pedestrians to safely cross a street let pedestrians and cars
be two variables with values Dpedestrians  fgreen redg and Dcars  fgreen amber redg
Possible states are for example red amber and green green Altogether there are     
states Pedestrians may issue a request by pressing a button This is modeled as an action that
carries no information Thus DRequest has only one element say DRequest  f
p
g and
Request occurs i 	Request 
p

A possible transition of the trac light system is for example

red
green

p


red
amber

 noted according to the schema
	pedestrians

	cars


 Request


	pedestrians
 


	cars
 




Altogether there are        possible transitions 
In order to model situations in which several concrete transitions are possible it is reaso
nable to consider arbitrary sets of transitions or expressed otherwise arbitrary elements of
PTransitions This Boolean algebra may be derived as the tensor product of Boolean algebras
corresponding to the variables and actions as follows
Given a variable x of domain Dx PDx denes a Boolean algebra Similarly for an action
A of domain DA PD

A denes a Boolean algebra Given a set of variables Vars and a set
of actions Acts these denitions extend as follows
B
Vars
def
 P
Y
xVars
Dx 
O
xVars
PDx
B
Acts
def
 P
Y
AActs
D

A 
O
AActs
PD

A
This way forming tuples of variables corresponds with forming tensor products as shown for
two variables x and y in the following diagram
Dx  Dy
power set construction
	 PDx  PDy


y
cross product


y
tensor product
DxDy
power set construction
	 PDxPDy  PDxDy
Given a set of variables Vars and actions Acts let
B

VarsActs
def
 B
Vars
 B
Acts
 B
Vars
 P
Y
xVars
Dx
Y
AActs
D

A 
Y
xVars
Dx
That is B

VarsActs
 PTransitions is the power set of the set of concrete transitions wrt
VarsActs
Example trac light
In the trac light example a transition from state red amber to state green red should be
possible independently from the value of Request that is whether the pedestrian presses the
button again or not Thus it is reasonable to summarize the two transitions

red
amber

p


green
red

and

red
amber




green
red


The element of B

fpedestrianscarsgfRequestg
that summarizes the two transitions simply is
f

red
amber

p


green
red



red
amber




green
red

g 
This set may be represented shortly as

red
amber

f
p
g


green
red

with the intended meaning
to abbreviate all transitions
 that start from state red amber and
 such that a Request occurs or does not occur and
 that end in state green red
This set may also be described as
f 	 
 
  Transitions j
	
pedestriansred and 	
carsamber

Request
p
or 
Request
	
 

pedestriansgreen and 	
 

carsred
g
However only 

 

 

 
 
of the 

possible sets of transitions may be abbreviated
according to the schema
set of states
set of valuations of the actions
 set of states
 
Note that the algebra B

VarsActs
perfectly ts to canonical embeddings and projections Adding a
variable v means embedding B

VarsActs
into the larger algebra B

VarsfvgActs
whereas removing
a variable v means performing a canonical projection to B

VarsfvgActs
 Obviously this also
holds for actions
Example trac light Assume the trac light specication has to be embedded into a
larger system that also allows to count the number of requests Then the algebra for this larger
system might be based on a set Vars
def
 fpedestrians cars countg
A transition is for example


red
amber


A
p



green
red


A

Similarly if the lights for the cars were considered irrelevant then the algebra may be projected
canonically to B

fpedestriansgfRequestg

Then the transition from above simplies to
 
red

p

 
green

 
 Boolean Transition Systems
This section introduces Boolean transition systems or BTS for short as a means of repre
senting TLT specications as automata Boolean transition systems are closely related to the
 automata of Kur	 and to the Boolean transition systems dened in CGS	 Labeling
with elements of some Boolean algebra forms the common ground of these approaches

As ac
ceptance conditions B

uchi conditions as well as weak and strong fairness are considered B

uchi
conditions are widely used in the eld of  automata because they are compositional in the sense
that the composition of two BTS with B

uchi conditions can be represented again as BTS with
B

uchi conditions such that the observable behavior of the composed BTS is identical to the

In dierence to labeled transition systems whose labels are typically taken from some 	at
 signature
intersection of the behavior of the components The drawback of B

uchi conditions is however
that one can not guarantee in general that specications with B

uchi conditions are executable
ie that there is at least one behavior fullling the B

uchi conditions On the other hand using
only fairness conditions in fact guarantees that there are behavior of the BTS however there is
no smooth notion of composition any more depending on the concrete denition of composition
one either looses the theorem that the behavior of the composition is identical to the intersection
of the behavior of the components or the existence of behavior can not be guaranteed for the
composition
To overcome these restrictions I proceed as follows Firstly all acceptance conditions are ex
pressed as B

uchi conditions which guarantees the composition theorem mentioned above For
weak fairness conditions this is trivial Strong fairness conditions however can not be expressed
directly as B

uchi conditions Therefore they get replaced by weak fairness conditions at the cost
of doubling the state space
In a second step I focus on executable specications by allowing only fairness conditions This
in addition with some composition criteria is sucient for guaranteeing that the composition of
executable specications is again executable These criteria are weaker than the notion of being
input enabled as found for example in LT LT	 in the context of IOautomata
  Boolean Transition Systems	 Runs and Traces
This section summarizes the elementary denitions regarding Boolean transition systems
Denition  Boolean Transition Systems
A Boolean transition system BTS is a structure +  V IB stMF such that
 V is a set of states vertices
 I is a nonempty set of initial states that is Init   I  V 
 B is a complete atomic Boolean algebra
 M is a transition matrix that is M  V  V 	 B
e  V  V is called an edge i Me  
 st is a nonzero element of B such that St   st Mv v for all v  V 
An atom s  st is called stutter step
 F is a 	nite set of acceptance conditions Each acceptance condition is either
 a weak fairness condition WFEL
 a strong fairness condition SFEL or
 a B

uchi condition B

uchiEL
where E is a set of edges and L is a function L  E 	 B such that
Fair   Le Me for all e  E
Further let G be the projection of E  V  V to its 	rst component that is
G
def
 fv  V j exists w  V such that v w  E g Sometimes it is convenient to denote
WFEL as WFGEL and SFEL as SFGEL
From St it follows immediately that
Corollary  Mv v   for all v  V  that is v v is an edge for arbitrary v  V 
Remark  st plays a crucial role to ensure the existence of traces and to guarantee com
positionality St allows a BTS to stutter in each state However stutter steps are not
restricted to self loops as might be indicated by St Indeed stutter steps are concerned
with the labeling of a BTS rather than with its states In a sense to be made precise in
Chapter  a BTS does some stutter step if only it does not force itself to take part in a
synchronization or communication
Remark  St is a stronger requirement than the more common Mv v   for all v  V 
Remark  As B is atomic Me 
X
sS
B
sM
e
s for all edges e Thus an edge may be considered
as being labeled by a set of atoms of the labeling Boolean algebra These atoms will turn
out to be valuations of variables and actions
Next the visible behavior of BTS is dened This is done in two steps in a rst step ignoring
the labels the set of runs through the BTS gets dened On the basis of runs traces get dened
in a second step Our interest lies mainly in these traces Runs just are an aid in dening the
set of traces In addition some proofs of theorems about traces can be carried out by simply
considering runs
A run is a path through the BTS that starts in an initial state follows edges and respects the
part of the acceptance conditions dealing with the edges
Denition  Runs
A sequence v

 v
 
     v
n
      V

is called a run of a BTS +  V IB stMF i
Run v

 I
Run Mv
i
 v
i 
   for all i  IN
Run for all WFGEL  F  In	nitely often v
i
 G or in	nitely often v
i
 v
i 
  E
for all SFGEL  F  In	nitely often v
i
 G implies in	nitely often v
i
 v
i 
  E
and
for all B

uchiEL  F  In	nitely often v
i
 v
i 
  E
Runs+ is the set of all runs of + A 	nite sequence v

 v
 
    v
n
  V
n
is called initial run
i it ful	lls v

 I and Mv
i
 v
i 
   for all   i  n
Mostly weak fairness will be used as acceptance condition Two equivalent characterizations for
weak fairness are
Corollary 
A sequence v

 v
 
     v
n
      V

satis	es WFGEL
i If from some point k on v
i
 G for all i  k then there is a l  k such that
v
l
 v
l 
  E
i It is not the case that there is a 	xed but arbitrary k such that v
i
 G
for all i  k and v
i
 v
i 
  E for all i  k
Denition  Traces
A sequence s

 s
 
     of atoms of B is a trace of + i + has a run v

     such that
Tr s
i
Mv
i
 v
i 

Tr for all WFGEL  F  In	nitely often v
i
 G or in	nitely often s
i
 Lv
i
 v
i 
 and
v
i
 v
i 
  E
for all SFGEL  F  In	nitely often v
i
 G implies in	nitely often s
i
 Lv
i
 v
i 

and v
i
 v
i 
  E and
for all B

uchiEL  F  In	nitely often s
i
 Lv
i
 v
i 
 and v
i
 v
i 
  E
The set of all traces of + is referred to as Traces+
Let B
L
be a complete and atomic Boolean algebra and
	
	
B
L
 B 	 B
L
the canonical projection
Then Traces+
	
	
B
L
is de	ned as the set of all sequences s

 s
 
      SB
L


such that there
exists a sequence t

 t
 
      Traces+ with t

	
	
B
L
 s


+ is called executable i there is at least one trace that is i Traces+  
From the denitions it follows that each run dominates at least one trace if v
i
 v
i 
  E
for any F EL  F then one chooses some arbitrary s
i
 Mv
i
 v
i 
 else one chooses some
F EL  F such that v
i
 v
i 
  E and jfj j v
j
 v
j 
  E and j  i and s
j
 Lv
j
 v
j 
gj
is maximal Then one chooses some arbitrary s
i
 Lv
i
 v
i 
 Mv
i
 v
i 
 Due to Fair such
atoms s
i
always exist Thus
Corollary 	
 If Runs+   then Traces+   Further
 a trace ful	lling SFEL also ful	lls WFEL and
 a trace ful	lls WFGEL i it ful	lls B

uchi
,
E
,
L where
,
E  fv
 
 v

  V

j v
 
 G or v
 
 v

  Eg and
,
Lv
 
 v

 

Lv
 
 v

  for v
 
 v

  E
Mv
 
 v

  for v
 
 v

  E
Thus to guarantee that + is executable it is sucient to guarantee the existence of runs
In absence of acceptance conditions v v     is a run for arbitrary v  I and s s     is a
trace dominated by v v     for any atom s  st Mv v As a consequence all BTS without
acceptance conditions are trivially executable The other way round the only way to exclude
the possibility of stuttering forever from the set of traces or equivalently to guarantee any
progress is by means of acceptance conditions
When TLT specications are to be implemented in an operational manner eg by compiling
them into deterministic executable programs one has to guarantee that any chosen initial trace
can be completed to one satisfying the acceptance conditions For arbitrary BTS this can not
be guaranteed However problems only arise due to B

uchiacceptance conditions as sketched
in Figure  For the subclass of BTS without B

uchiacceptance conditions this property will
be proven in section 
   A Graphical Notation for Boolean Transition Systems
Pictures often provide some help in understanding particular aspects of a system description
But as Leslie Lamport points out in Lam	a for a picture to provide more than an informal
ba
A
c d
A
A
A
A
A
x=
y=
0 1 2 3 4 5
0
1
2
3
4
5
Buechi( { (c,d) } , L (c,d) = A )
A
Buechi( E , L ) 
with  E = { ((x,y),(x’,y’))  |  x’ = x+1 /\ y’=y = 0  \/  y’ = y+1 /\ x’ = x /\ x  < y }
and    L(e) = ¬A   for all e     E∈
Figure  In the BTS shown on the left the B

uchi condition can be satised but only if the
step leaving state a leads to state c and not to b However one could argue that this B

uchi
condition still can be implemented because to take that decision it is sucient to look ahead
one transition The B

uchi condition in the BTS shown on the right states that traces may not
end up in one of the selfloops labeled with A Obviously for this example it is not possible
with any nite look ahead to determine a proper run in position x  n y   a lookahead
of n transitions is necessary to decide not to increase y
comment there must be a formal connection between the complete specication and the picture
As a consequence Lamport denes the semantics the meaning for diagrams to be a TLA
formula % and calls a diagram to be a diagram for a TLA specication - i -  % holds
This denition allows
 incomplete diagrams that only describe certain aspects of a specication as well as
 dierent diagrams that provide complementary views of one sole specication
Especially Lamport does not try to visualize fairness aspects in his diagrams That is he does
not try to describe the complete temporal behavior of a specication in his diagrams
The view taken in this thesis diers from Lamports one in that the graph of a BTS as dened
below fully captures the semantics of the BTS More formally there is a bijection between Boo
lean transition systems and their graphs that is each graph % corresponds uniquely to one BTS
+ Due to this bijection each graph % denes a set of traces namely Traces%
def
 Traces+
for the corresponding BTS + With this in mind it makes sense to talk of complementary
abstract graphs of one BTS if Traces+
 
  Traces%

 then the graph %

corresponding to
a BTS +

is called an abstract graph for +
 
 For example omitting the weak fairness conditions
in a graph corresponding to a BTS + results in an abstract graph for + Thus neither  nor
 of Lamports requirements are lost and in addition a direct correspondence between BTS
and their graphs is gained
Given a Boolean algebra B and a stutter element st the graph corresponding to a BTS + 
V IB stMF is a directed graph with nodes V and initial nodes I with the edges ie any e 
V  V withMe   being labeled byMe as well as by a set of tuples colorFEL Le
for any acceptance condition FEL  F such that e  E Here color  F 	 Id is an injective
function mapping F to an arbitrary set Id of identiers Given B and st it is straightforward
to regain V  I and M from a graph# an element FEL  F is restored by collecting all edges
labeled with one color
Edges that are not aected by any acceptance condition that is edges e such that e  E for any
FEL  F  are called noncolored
To reduce the labeling of most graphs a small set of conventions suces
 Noncolored edges are printed as dashed arrows and labeled by Me
 Noncolored self loops labeled with a label l such that l  st are omitted
 If Le agrees with Me then the label colorFEL Le is simplied to
colorFEL
 In case a BTS has only one sole acceptance condition FEL the labels
colorFEL Le are omitted completely whenever Le Me
Sometimes the graphs are also simplied by explicitly noting the acceptance conditions below
the graph instead of overloading the graph with the colors
Besides these general rules graphs can be further adjusted to the common situation com
pare Section  where B  B

VarsActs
 P
Y
xVars
Dx
Y
AActs
D

A 
Y
x
 
Vars
 
Dx
 
 and
V 
Y
xVars
Dx 
Firstly a predicate p may be used to label a state v if v is the sole valuation satisfying p
Secondly if v
 
 v

 is an edge and the v
i
are labeled with p
i
 then the edge may be labeled with
p instead of Mv
 
 v

 provided that
 p
 
 p 

AActs
A does not occur in p

A  p
 




i 
 Me 
The label true may be completely omitted Note that due to the last rule a label true implies
that no action occurs
Thirdly for an action A Ac$ replaces the label Ac  
A
Example
Consider the BTS +example  V IB stMF being dened by
 V  ftrue falseg 
 I  ftrueg 
 B  B

fbgfABg
for a Boolean valued variable b and two signals A and B 
 Mtrue true  ftrue trueg
Mtrue false  ftrue
p
 falseg
Mfalse true  
Mfalse false  ffalse false false
p
 falseg 
 st  ftrue true false falseg and
 F   
true false
{ (true,       ,      ,false) }
b ¬b
b /\ A /\ ¬B /\ ¬b’
b ¬b
A
B?
    ¬b /\ ¬A /\ ¬B /\ ¬b’
\/  ¬b /\ ¬A /\  B /\ ¬b’
{ (false,       ,      ,false),
   (false,       ,      ,false) }{ (true,       ,      ,true) }
b /\  ¬A /\ ¬ B /\ b’
Figure  From top to bottom the original graph for the BTS +example the graph with
complete predicates as labels and the graph with short predicates are shown The elements
of B

fbgfABg
are denoted as b 	A 	B 
 
b
 

Figure  shows the graphical representation of the BTS 
  Elimination of strong fairness
Strong fairness conditions can not be expressed directly as B

uchi conditions Instead there is
a straightforward translation into more general Street conditions

 As a result specications
using strong fairness conditions turned out to result in signicantly higher computational com
plexities

than comparable specications with weak fairness conditions Nevertheless both weak
and strong fairness are expressively equivalent This observation was the origin of the following
construction that replaces and under reasonable preconditions implements strong fairness by
weak fairness at the cost of only one extra bit In the context of this thesis the construction
helps simplifying the presentation of composition and executable BTS because attention may
be restricted to weak fairness and B

uchi conditions
To implement the strong fairness SFGEL by weak fairness conditions the state space of the
original BTS is doubled The key idea is to dene a second BTS identical to the original one
besides the fact that the only edges leaving G are elements of E Thus if a path enters G in
this copy then executing an edge from E is inevitable if only E is weak fair To forward from
the original BTS to its copy all edges of the original BTS are doubled That is edges v

 )v
 

are added for all original edges v

 v
 
 where )v
 
denotes the vertex of the copy corresponding
to v
 
 What remains is changing always eventually to the copy This is achieved by requiring
weak fairness for the edges v

 )v
 
 The construction is shown for an example in Figure 
Theorem 
Let +  V IB stMF be a BTS such that SFE

 L

  F 
Then Traces+  Traces
)
+ for
)
+  
)
V 
)
IB st
)
M
)
F where
)
V  V  f g 

StreetE
 
 L
 
 E

 L

 holds for a trace s

 s
 
     i innitely often e
i
 E
 
and s
i
 L
 
e
i
 implies innitely
often e
i
 E

and s
i
 L

e
i
 

In experiments carried out with the model checker SVE
SF
a b c
a,0 b,0 c,0
a,1 b,1 c,1
WFmirror
WFmirror
WFmirror
WFmirror
WFmirror
WFmirror
WFmimic
WFmimic
WFmimic
WFmimic
Figure  The strong fairness condition of the left BTS is implemented on the right
)
I  I  f g
)
Mv
 
  v

 d  Mv
 
 v

 for d  f g
)
Mv
 
  v

  

Mv
 
 v

  v
 
 G

or v
 
 v

or v
 
 v

  E

  v
 
 G

and v
 
 v

and v
 
 v

  E

)
Mv
 
  v

  

Mv
 
 v

  v
 
 v

  E

  else
)
F 
 
F
ELFfSF
E

L

g
F
)
E
)
L  WF
mirror
 WF
mimic
where F
)
E
)
L for F fWFSFB

uchig is de	ned by
)
E
def
 f v
 
 d
 
 v

 d

  V  f g

j v
 
 v

  E and
)
Mv
 
 d
 
 v

 d

   g 
)
Lv
 
 d
 
 v

 d


def
 Lv
 
 v

 for all v
 
 d
 
 v

 d

 
)
E 
WF
mirror
def
 WF f v
 
  v

   V  f g

j Mv
 
 v

   g  M   and
WF
mimic
def
 WF f v
 
 d
 
 v

 d

  V  f g

j v
 
 v

  E

g  L

 
If furthermore for all fairness conditions FGEL either
G  G

 
or for all v
 
 G  G

it holds that
v
 
 v

  E

implies v
 
 v

  E and L

v
 
 v

  Lv
 
 v


and if
)
M gets rede	ned to
)Mv
 
  v

 d  Mv
 
 v

 for d  f g
)
Mv
 
  v

  





Mv
 
 v

  v
 
 G

or v
 
 v

and v
 
 v

  E

Mv
 
 v

  L

v
 
 v

  v
 
 v

  E

  v
 
 G

and v
 
 v

and v
 
 v

  E

)
Mv
 
  v

  

Mv
 
 v

  L

v
 
 v

  v
 
 v

  E

  else
then Traces+  Traces
)
+ and
)
+ is called to implement +
Proof
First of all
)
+ is welldened Init and St follow immediately from the denition It re
mains to show Fair for all acceptance conditions in
)
F  that is  
)
Lv
 
 d
 
 v

 d

 
)
Mv
 
 d
 
 v

 d

 for all v
 
 d
 
 v

 d

 
)
E This holds trivially for WF
mirror
be
cause M
mirror
v
 
 d
 
 v

 d

  L
mirror
v
 
 d
 
 v

 d

  Mv
 
 v

 and for WF
mimic
because v
 
 v

  E

and L
mimic
v
 
 d
 
 v

 d

  L

v
 
 v

 For any other acceptan
ce condition F
)
G
)
E
)
L 
)
F  taking the original denition of
)
M  the proof obligation  
)
Lv
 
 d
 
 v

 d

 
)
M v
 
 d
 
 v

 d

 is equivalent with   Lv
 
 v

 Mv
 
 v

 which is
Fair for the original BTS + For the redened version of
)
M  either G G

  and thus the rede
nition does not aect
)
E or the proof obligation  
)
Lv
 
 d
 
 v

 d


)
M v
 
 d
 
 v

 d


is equivalent with   Lv
 
 v

 Mv
 
 v

  L

v
 
 v

  Mv
 
 v

  L

v
 
 v

 which is Fair
for SFE

 L


Let s

 s
 
      SB


Summarizing the denitions for runs and traces
s

 s
 
      Traces+ i there is a sequences v

 v
 
      V

such that
A v

 I
A s
i
 Mv
i
 v
i 

A for all WFGEL  F  Innitely often v
i
 G or innitely often s
i
 Lv
i
 v
i 
 and
v
i
 v
i 
  E
for all SFGEL  F  Innitely often v
i
 G implies innitely often s
i
 Lv
i
 v
i 

and v
i
 v
i 
  E and
for all B

uchiEL  F  Innitely often s
i
 Lv
i
 v
i 
 and v
i
 v
i 
  E
s

 s
 
      Traces
)
+ i there is a sequence w

 d

 w
 
 d
 
      V  f g

such
that
B w

 d

  I
 
 f g
B s
i

)
M w
i
 d
i
 w
i 
 d
i 

B for all WF
)
G
)
E
)
L 
)
F  Innitely often w
i
 d
i
 
)
G or innitely often s
i

)
Lw
i
 d
i
 w
i 
 d
i 
 and w
i
 d
i
 w
i 
 d
i 
 
)
E
for all SF
)
G
)
E
)
L 
)
F  Innitely often w
i
 d
i
 
)
G implies innitely often s
i

)
Lw
i
 d
i
 w
i 
 d
i 
 and w
i
 d
i
 w
i 
 d
i 
 
)
E and
for all B

uchi
)
E
)
L 
)
F  Innitely often s
i

)
Lw
i
 d
i
 w
i 
 d
i 
 and
w
i
 d
i
 w
i 
 d
i 
 
)
E
Traces+  Traces

+ 
To show the inclusion from left to right one has to determine the d
i
to dene a run of the
extended BTS
)
+ In order to guarantee the additional weak fairness conditionWF
mirror
requiring
that always eventually the mirror gets visited

 the following strategy is applied in determing
the run of the extended BTS
)
+ The transition to the mirror takes place as soon as the
original run decides that it is going to take an edge from E

the next time it enters a state in
G


First two auxiliary functions are dened Enabledi is the next position starting at i where
it is possible to take an edge from E

 Executedi is the next position starting at i where an
edge from E

is taken Both functions return   if those positions do not exist Obviously
Enabledi  Executedi as usual k    and      More formally
Enabledi 

minfk j k  i and v
k
 G

g  there is some k  i with v
k
 G

   else
Executedi 





minfk j k  i and v
k
 v
k 
  E

g  there is some k  i
with v
k
 v
k 
  E

and s
k
 L

v
k
 v
k 

   else
Then let w
i
 v
i
and d
i


  if Enabledi  Executedi
  else ie if Enabledi  Executedi

A implies B trivial
A implies B
Firstly note that from the original denition of
)
M it follows that either
)
Mv
i
 d
i
 v
i 
 d
i 
 
Mv
i
 v
i 
 or
)
Mv
i
 d
i
 v
i 
 d
i 
   We are nished if the second situation does not occur
for the strategy chosen to determine w
i
and d
i
 Two cases are to be distinguished
 d
i
 d
i 
  v
i
 G

 v
i
 v
i 
  E


Executedi
d
i
 
 Enabledi
v
i
G

 Enabledi 
d
i 
 
 Executedi 

v
i
v
i 
E

 Executedi
 d
i
  d
i 
  v
i
 v
i 
  E


Executedi
d
i
 
 Enabledi
taut
 Enabledi 
d
i 

 Executedi 

v
i
v
i 
E

 Executedi
For the redened version of
)
M  in two cases
)
Mv
i
 d
i
 v
i 
 d
i 
  L

v
i
 v
i 
 Mv
i
 v
i 

instead of
)
Mv
i
 d
i
 v
i 
 d
i 
  Mv
i
 v
i 
 In both cases v
i
 v
i 
  E

and thus
v
i
 G

 and d
i
  Therefore Executedi  Enabledi  i By denition of Executed it
follows that s
i
 L

v
i
 v
i 
 Mv
i
 v
i 
 as required
A implies B
From B   s
i

)
Mv
i
 d
i
 v
i 
 d
i 
 Thus by denition of F
)
E
)
L 
)
F  it follows
immediately that
 v
i
 d
i
 v
i 
 d
i 
 
)
E i v
i
 v
i 
  E for all FEL  F  fSFE

 L

g and
 v
i
 d
i
 
)
G implies v
i
 G 

Without this additional weak fairness condition one might simply choose d
i
  for all i
The second condition is necessary for the fairness conditions only if innitely often conti
nuously v
i
 d
i
 
)
G then innitely often continuously v
i
 G and therefore innitely often
v
i
 v
i 
  E from which due to  innitely often v
i
 d
i
 v
i 
 d
i 
 
)
E can be deduced
Now two cases are to be distinguished
For the original denition of
)
M nothing else has to be shown  because furthermore
)
Lv
i
 d
i
 v
i 
 d
i 
  Lv
i
 v
i 
 for all v
i
 v
i 
  E
For the redened version of
)
M  it is possible that
)
M  M  but only if v
i
 v
i 
  E


From the additional precondition it then follows that besides v
i
 v
i 
  E also s
i

)
Mv
i
  v
i 
  Mv
i
 v
i 
  L

v
i
 v
i 
 Mv
i
 v
i 
  Lv
i
 v
i 
  Lv
i
 v
i 

It remains to show that the two extra fairness conditions are fullled Suppose WF
mirror
does not hold that is eventually always d
i
  From the denition of d
i
 it follows that
Enabledi  Executedi for all i  i

for some i

 Especially Enabledi    and
thus innitely often v
i
 G

 On the other hand v
i
 v
i 
  E

for all i  i

otherwise
Enabledi
 
  Executedi
 
 for some i
 
 i

 This contradicts SFE

 L

 WF
mimic
follows
immediately from SFE

 L


Traces

+  Traces+ 
For the opposite direction given a sequence v

 d

 v
 
 d
 
      V f g

 it is straight
forward to choose v

 v
 
      V

as a corresponding run in +
B implies A trivial
B implies A
By denition
)
Mv
 
 d
 
 v

 d

  Mv
 
 v

 Thus s
i
Mv
i
 v
i 

B implies A
For Buechi conditions B

uchiEL  F  one has to prove that always eventually v
i
 v
i 
  E
and s
i
 Lv
i
 v
i 
 But because at least v
i
  v
i 
  
)
E it is guaranteed by B

uchi
)
E
)
L 
)
F that always eventually v
i
  v
i 
  
)
E and s
i

)
Lv
i
  v
i 
   Lv
i
 v
i 

The fairness conditions can only be proven by means of the additional preconditions Then
only two restricted situations are to be dealt with
Case  G  G

 
For this case it is sucient to show that v
i
 G implies v
i
 d
i
 
)
G Then it follows that
if innitely often continuously v
i
 G then innitely often continuously v
i
 d
i
 
)
G and
therefore innitely often v
i
 d
i
 v
i 
 d
i 
 
)
E and s
i

)
Lv
i
 d
i
 v
i 
 d
i 
 such that by
denition of
)
E innitely often v
i
 v
i 
  E and s
i
 Lv
i
 v
i 
 can be deduced
Thus suppose v
i
 G Then v
i
 G

and by denition of
)
M it follows that   s
i

)
Mv
i
 d
i
 v
i 
 d
i 
  Mv
i
 v
i 
 and d
i 
 d
i
 On the other hand v
i
 G implies the
existence of a state v such that v
i
 v  E Therefore from the denition of
)
E it follows that
v
i
 d
i
 v d
i
 
)
E and thus v
i
 d
i
 
)
G as required
Case  v
i
 G  G

and v
i
 v
i 
  E

implies v
i
 v
i 
  E and L

v
i
 v
i 
  Lv
i
 v
In this case all reasoning takes place in the original BTS If innitely often continuously
v
i
 G then innitely often v
i
 G

 Then due to SFE

 L

 which is proven below
innitely often v
i
 v
i 
  E

and s
i
 L

v
i
 v
i 
 and thus innitely often v
i
 v
i 
  E and
si
 Lv
i
 v
i 

It remains to show SFE

 L

 Suppose not SFE

 L

 That is innitely often v
i
 G

but
from some point i

on v
i
 v
i 
  E

or s
i
 L

v
i
 v
i 
   Two cases may arise
Case  there is at least one i  i

such that v
i
 G

and d
i
 
Then from the redened version of
)
M  it follows that either
Case  v
i 
 v
i
and d
i 
  and v
i
 v
i 
  E

or
Case  v
i
 v
i 
  E

and s
i

)
Mv
i
  v
i 
  Mv
i
 v
i 
  L

v
i
 v
i 

Case  is an immediate contradiction Thus continuously case  But that contradicts
WF
mimic

Case  for all i  i

such that v
i
 G

it holds that d
i
 
Due to WF
mirror
 there is some j  i such that d
j
  But from the denition of
)
M  it follows
that the only possibility to reach the next k  j with v
k
 G

and d
k
  is by following an
edge with v v
 
  E


 
Without the additional preconditions trace equality can not be obtained In the general si
tuation diculties may arise due to conicting fairness conditions FGEL as sketched in
Figure 
SF1
a b c
a,0 b,0 c,0
a,1 b,1 c,1
WFmirror
WFmirror
WFmirror
WFmirror
WFmirror
WFmirror
WF
m
im
ic
SF2
WF
m
irro
rSF2
WFmimic
WFmimic
WFmimic
Figure  The strong fairness condition SF of the left BTS is replaced but not
implemented on the right For example any trace running through the states
a  b  c  b  c   obeys the strong fairness condition SF	 in the BTS on the
right However the projection a b c b c  of this run is not strong fair with respect to SF	
in the left BTS
Applying this construction successively to all SFEL  F results in a BTS without strong
fairness conditions and such that all properties that hold for the resulting BTS also hold in
the original BTS If furthermore the additional condition holds then the resulting BTS even is
traceequivalent to the original one
  Conjunction
From Corollary  it follows that weak fairness conditions can be expressed as B

uchi con
ditions for arbitrary traces In the previous section it was shown that strong fairness can be
replaced by weak fairness Now in order to dene the conjunction of two BTS it is assumed
that all acceptance conditions of a BTS are B

uchi conditions
Denition 
 Conjunction
Let +
 
and +

be two BTS +
i
 V
i
 I
i
B st
i
M
i
F
i
 such that
 F
i
contain only B

uchi conditions and
 St Independence   st
 
 st

M
 
e
 
 M

e


for any edges with   st
 
M
 
e
 
 and   st

M

e


Then their conjunction product is de	ned as
+
 
+

 V
 
 V

 I
 
 I

B stMF
where
st
def
 st
 
 st

and
Mv
 
 v

 v
 
 
 v

 

def
 M
 
v
 
 v
 
 
 M

v

 v

 

and
F
def
 fB

uchi
)
E
 

)
L
 
 j B

uchiE
 
 L
 
  F
 
g  fB

uchi
)
E


)
L

 j B

uchiE

 L

  F

g
with
)
E
 
def
 fv
 
 v

 v
 
 
 v

 
  V
 
 V



j v
 
 v
 
 
  E
 
and
L
 
v
 
 v
 
 
 Mv
 
 v

 v
 
 
 v

 
   g
)
L
 
v
 
 v

 v
 
 
 v

 

def
 L
 
v
 
 v
 
 
 Mv
 
 v

 v
 
 
 v

 

and
)
E

def
 fv
 
 v

 v
 
 
 v

 
  V
 
 V



j v

 v

 
  E

and
L

v

 v

 
 Mv
 
 v

 v
 
 
 v

 
  g
)
L

v
 
 v

 v
 
 
 v

 

def
 Mv
 
 v

 v
 
 
 v

 
  L

v

 v

 

+
 
 +

is welldened Init St and Fair follow immediately from the denition
Corollary 
 is commutative and associative
Thus one may write +
 
 +

 +

for both +
 
 +

  +

and +
 
 +

 +

 Further this
denition generalizes trivially to conjunctions of BTS indexed over a nite set written as
Y
iI
+
i

For this case the condition requiring the independence of stutter steps may be summarized to
St Independence
 
Y
iI
st
i
M
i
e
i
 for any set of edges e
i
 V
i
 V
i
such that   st M
i
e
i

The traces of +
 
 +

are given as the intersection of the traces of +
 
and the traces of +


Theorem  Conjunction Theorem
Traces+
 
 +

  Traces+
 
  Traces+


Proof
Let s

 s
 
      SB


Summarizing the denitions for runs and traces
s

 s
 
      Traces+
 
   Traces+

 i there are sequences v

 v
 
      V

 
and
w

 w
 
      V


such that
A v

 I
 
and w

 I

A s
i
 M
 
v
i
 v
i 
 and s
i
 M

w
i
 w
i 

A for all B

uchiE
 
 L
 
  F
 
 Innitely often s
i
 L
 
v
i
 v
i 
 and v
i
 v
i 
  E
 
 and analog for B

uchiE

 L

  F


s

 s
 
      Traces+
 
+

 i there is a sequence v

 w

 v
 
 w
 
      V
 
 V



such
that
B v

 w

  I
 
 I

B s
i
 Mv
i
 w
i
 v
i 
 w
i 
  M
 
v
i
 v
i 
 M

w
i
 w
i 

B for all B

uchi
)
E
)
L  F  Innitely often s
i

)
Lv
i
 w
i
 v
i 
 w
i 
 and
v
i
 w
i
 v
i 
 w
i 
 
)
E
Obviously A i B and A i B compare Lemma 
Instead of proving A i B directly the proof obligation is strengthened to
v
i
 v
i 
  E
 
and s
i
 L
 
v
i
 v
i 

i v
i
 w
i
 v
i 
 w
i 
 
)
E
 
and s
i

)
L
 
v
i
 w
i
 v
i 
 w
i 

To show the direction from left to right rst note that s
i
 M
 
v
i
 v
i 
M

w
i
 w
i 
 by A
Thus s
i
 L
 
v
i
 v
i 
 Mv
i
 w
i
 v
i 
 w
i 
 
)
L
 
v
i
 w
i
 v
i 
 w
i 

From the denition of E it then follows that v
i
 w
i
 v
i 
 w
i 
 
)
E
The direction from right to left follows immediately by the denitions of E and L
 
As already mentioned it is not possible to base conjunction on fairness conditions in a way
similar straightforward Figure  exemplies that weak fairness conditions of components may
eventually not be expressed by weak fairness conditions in the composed BTS
  Executable Boolean Transition Systems
This section presents a rst result concerning executable BTS namely that BTS without B

uchi
acceptance conditions are executable
Theorem  Each BTS + without B

uchiacceptance conditions is executable Moreover
all initial runs can be completed
ab
A
A A
WF( { (a,b) } , L (a,b) = A )
or equivalently
Büchi( { (a,b) , (b,b) } , L(a,b)  = A , L(b,b) = ¬A )
v w x
a,v a,w a,x
b,x
Büchi( {((a,w),(b,x)) , ((b,v),(b,v)) , ((b,v),(b,w)) , 
               ((b,w),(b,w)) , ((b,w),(b,v)) , ((b,x),(b,x)) } , 
             
                                     A        , if e = ((a,w),(b,x)) 
                                   ¬A        , else 
)L(e) := 
b,v b,w
Figure  +
 
on the left does not allow the trace 
A
A
A     that would be possible
in +

in the middle To disallow this trace in the composition one has to add a B

uchi
condition that forces the transition from state aw to state b x This B

uchicondition can
not be expressed by a weak fairness condition WF faw b xg  Law b x  A 
does not disallow alternating continuously between a v and aw One may be tempted
to require SF faw b xg  Law b x  A  instead This would work for this
example but it be too strong in the sense of excluding too many traces in the composition
in other examples one such example may be obtained by replacing the fairness constraint
WF fa bg  La b  A  for +
 
by WF fw xg  Lw x  A  for +

 Then both +
 
and
+

allow the trace 
A
A
A     that would be forbidden by the strong fairness condition
SF faw b xg  Law b x  A  in the composition
Proof
The idea of the proof is simple for each weak fairness conditions WFEL one counts how long
it has been enabled continuously in the past without taking an edge from E For each strong
fairness conditions SFEL one counts how often it was enabled since the last time an edge
from E was taken Then a fairness condition that is enabled and waits for the longest time
is chosen and an edge e  E is executed Since there are only nitely many fairness condition
this leads to a run fullling all fairness conditions
More formally let F fF

G
 
 E
 
 L
 
    F
N
G
N
 E
N
 L
N
g with F
k
 fWFSFg for all   k 
N  Then a run v

 v
 
     may be determined inductively as follows
v

may be chosen arbitrarily from I
Now suppose v

 v
 
     v
n
are already determined and dene a functionWait  jFjIN	 IN by
Waitk i
def












maxfj j v
ij
    v
i
 G
k
and either j   or
j   andv
ij
 v
i
j 
     v
i 
 v
i
  E
k
g

v
i
 G
k
and F
k
 WF
.fj j lastE
k
 i  j  i and v
j
 G
k
g 
v
i
 G
k
and F
k
 SF
  v
i
 G
k
where lastE i
def


maxfj j v
j 
 v
j
  E and j  i g  exists j  i with v
j 
 v
j
  E
  else

Then two cases can be distinguished
 v
n

 
k
G
k
Then any v
n 
 V may be chosen such that Mv
n
 v
n 
   eg v
n 
def
 v
n
St then
guarantees that Mv
n
 v
n
  
 v
n

 
k
G
k
Choose a k

such that Waitk

 n is maximal among all Waitk n then v
n
 G
k

by
denition Due to the denition of the G
k
 there exists a v
n 
such that v
n
 v
n 
  E
k

and due to Fair Mv
n
 v
n 
   as required in Run
Given an initial run v

 v
 
     v
n
 the same decision procedure is used to determine
v
n 
 v
n
      
  Executable Composition	 Delays
In this section the composition of BTS naming only weak fairness conditions is further investi
gated Summarizing the previous sections it was shown that
 For BTS containing only B

uchi conditions the composition theorem holds
Traces+
 
 +

  Traces+
 
  Traces+
 

 BTS containing only fairness conditions are executable Traces+  
 Strong fairness conditions can be replaced and often even implemented by weak fairness
conditions To simplify the exposition in this section it is assumed that there are no strong
fairness conditions
As weak fairness conditions can trivially be expressed as B

uchi conditions
Traces+
 
 +

  Traces+
 
  Traces+
 

holds especially for BTS +
 
and +

containing only weak fairness conditions However even
if both +
 
and +

are executable it is still possible that their composition is not that is
Traces+
 
 +

   as exemplied in Figure 
a
A
WF( { v } , { (v,w) } , L(v,w)=A )
v w a,v a,w
Büchi( { ((a,w),(a,w)) } , L((a,w),(a,w)) = ¬A )
¬A ¬A ¬A
or equivalently
Büchi( { (v,w) , (w,w) } , L(v,w) = A , L(w,w) = ¬A )
¬A ¬A
Figure  The BTS shown on the left has 
A
A     as sole trace The set of traces of the
BTS shown in the middle is described by 
A
A    
A
 z 
n times
 A
A
A     That is the fairness
condition forces a step labeled by A Thus the intersection of both sets of traces is empty In
the BTS for the composition shown on the right the B

uchi condition can not be fullled as
the state aw is unreachable Thus Traces+
 
  Traces+
 
  Traces+
 
 +

  
In the example a fairness condition requires the occurrence of an action A in each trace of
one BTS whereas the other BTS never allows the occurrence of this action To overcome
such situation a notion of being input enabled was introduced in the context of IOautomata
Transcribed to TLT this means that each BTS in all states must accept occurrences of actions
that other modules require to be fair

Formally
Denition  Input Enabledness
Let +  V IB stMF
)
+  WJB stNG and WFGEL  G
Then the BTS + is called input enabled wrt the weak fairness condition WFGEL i
for all w  G and all v  V 
there exist some v
 
 V and w
 
W such that ww
 
  E and   Lww
 
 Mv v
 

However this poses strong restrictions on the specications One drawback is that modules can
not agree on a protocol restricting the states where edges e  E may occur Such situations will
be dealt in Chapter  in the context of assumptioncommitment reasoning A second drawback is
that the implementation is hindered consider a BTS that is supposed to accept two independent
actions A and B On a low abstraction level it may only be possible to deal with one input
action at a time For example the BTS may alternate between two states as shown in Figure
 Although not being input enabled this BTS guarantees that each of the actions A and
B can always eventually occur Expressed otherwise the acceptance of the actions is at most
delayed because the BTS eventually will reach a state where it can accept them A subtle point
is that in order to guarantee to reach these states the BTS itself uses weak fairness conditions
However these fairness conditions are not seen from the outside and therefore do not restrict
the environment

 the environment accepts these fairness conditions for example by simply
stuttering which is possible in all states
A?
a b
B?
B?A?
WF( { (a,b) , (b,a) } , L(a,b) = ¬B , L(b,a)=¬A )
Figure  The shown BTS is not input enabled In state a it does not accept the action B in
state b it does not accept A
Denition  Delays
Let +  V IB stMF
)
+  WJB stNG and WFGEL  G
Then the BTS + at most delays the weak fairness condition WFGEL i
 Delay for all w  G and all v  V 
there exist some v
 
 V and w
 
W such that ww
 
  E and   Lww
 
Mv v
 

or
  Mv v
 
 implies   st Mv v
 
 for arbitrary v
 
 V 
 Delay for all w  G and all v

 v
 
      Runs+ 
in	nitely often there exist some v
 
 V and w
 
 W such that ww
 
  E and
  Lww
 
 Mv
i
 v
 


There is a subtle dierence however in that in the theory of IOautomata all inputs have to be accepted in
all states regardless whether the environment 	insists
 by means of a fairness condition to do them
	
Otherwise there would be cyclic fairness conditions that might result in livelocks
Clearly the notion of at most delaying subsumes being input enabled
Corollary 
If a BTS +  V IB stMF is input enabled with respect to a weak fairness condition
WFGEL then it at most delays it
Intuitively Delay requires that a BTS in any state either
 is input enabled for a given fairness condition or
 allows a stutter step on any edge leaving this state 
Note however that Delay only requires the existence of a stutter step in this second case and
does not force one On the contrary the BTS might even take part in a synchronization
Delay simply states that the BTS innitely often has to be input enabled wrt the fairness
condition Typically this is guaranteed by means of socalled local weak fairness conditions
Denition  Local Fairness
Let +  V IB stMF and WFGEL  F 
If st  Lv v
 
 for all v v
 
  E then WFGEL is called local weak fairness condition
If
,
+ is another BTS then from St it follows that
,
+ may accept any local fairness condition
simply by doing a stutter step
Corollary 	
Let +  V IB stMF
,
+  WJB stNG and WFGEL  F 
If WFGEL is a local weak fairness condition then
,
+ is input enabled wrt and thus at most
delays WFGEL
Theorem  Executable Conjunction
Let +
 
 V
 
 I
 
B stM
 
F
 
    +
N
 V
N
 I
N
B stM
N
F
N
 be BTS such that
 all acceptance conditions are weak fairness conditions
 the BTS at most delay each others fairness conditions
 St Independence
 
Y
 nN
st M
n
e
n
 for any set of edges e
n
 V
n
 V
n
such that   st
n
M
n
e
n
 for all   n  N
 Fair Independence Let v
n
 V
n
and in addition for some 	xed but arbitrary k
let v
k
 G for some WFGEL  F
k

If for all n  k there are w
n
 V
n
and w
k
 V
k
such that   Lv
k
 w
k
 M
n
v
n
 w
n

then it holds that
  Lv
k
 )w
k
 
Y
 nN
M
n
v
n
 )w
n
 for some )w
n
 V
n

Then Traces+
 
     +
N
  Traces+
 
       Traces+
N
  
Proofsketched
 Determine a fairness conditionWFGEL  F
k
that is enabled the longest without being
executed Further determine an edge e
k
 E that +
k
wants to take that is such that
  Le
k
 M
k
e
k

 Continue the runs of all BTS simultaneously
If Le
k
labeled steps are possible in all +
n
 that is if there are edges e
n
in these com
ponents such that   Le
k
 M
n
e
n
 then due to Fair Independence one may choose
some s  L)e
k
 
Y
 nN
M
n
)e
n
 Go back to 
If not choose arbitrary edges e
n
 v
n
 w
n
 along some run in that component such that
  st Me
n
 in all components where   Le
k
 M
n
e
n
 does not yet hold for any
e
n
the existence of these edges is guaranteed by Delay The remaining components
including +
k
 do not change their local state v
n
they choose the edge e
n
 v
n
 v
n
 For
these components   stMe
n
 holds too due to condition St in the denition of BTS
Because of St Independence it is then possible to choose some s 
Y
 nN
st
n
M
n
e
n

Termination of step  follows from Delay all +
n
reach after a nite sequence of steps a
state v
n
where some L
k
e
k
labeled step is possible Then they stay at state v
n
until the last
component reaches a state where some L
k
e
k
labeled step is possible
 
Remark  All denitions in this section can be extended easily to also include strong fairness
conditions Then Traces+
 
      Traces+
N
   can still be proven by generalizing
the rst sentence in the proof of Theorem  to
Determine a fairness condition FGEL  F
k
that waits for the longest time
Here waiting refers to the function Waitk i dened in the proof of Theorem 
However the denition of the conjunction of BTS may no longer be traced back to Deniti
on  Nevertheless it is of course possible to dene Traces+
 
    +
N
 semantically
as the intersection of the traces of the BTS Then the whole conclusion of the theorem
namely
Traces+
 
    +
N
  Traces+
 
       Traces+
N
  
holds for arbitrary fairness conditions
 
 Systems
By building systems typically the labeling Boolean algebras of the components dier from each
other For example some components may run completely independent Thus the Boolean
algebras of the components have to be embedded into the larger Boolean algebra of the
composed system
To compute the composition of two BTSs on dierent Boolean algebras B
 
and B

 it is necessary
to obtain a Boolean algebra B and two algebra monomorphisms

i
 B
i
	 B That is the
BTSs are projected to B before they are conjoined The resulting product thus depends on the
chosen

i
 Formally the image of a BTS under a Boolean algebra monomorphism is given by
the following construction
Denition 
 Image
Let +
 
 V IB
 
 st
 
M
 
F
 
 be a BTS over B
 
and

an algebra monomorphism

 B
 
	 B
Then the image of +
 
under

is the BTS

+
 
def
 V IB stMF with
Mv v
 

def


M
 
v v
 
 st
def


st
 
 and F
def
 fFE
)
L j FEL  F
 
and
)
Le 

Le g
That the image of a BTS +
 
is welldened follows from the simple fact that monomorphisms
map nonzero elements to nonzero elements Lemma  Thus St and Fair also hold in

+
 

The following lemma states that the set of runs is not at all inuenced by this construction
Lemma  Runs

+  Runs+
Proof
Only the second condition Run in denition  is inuenced by

 But since

is injective
Mv
i
 v
i 
   i

Mv
i
 v
i 
   holds trivially
 
However the number of traces in general will increase due to the fact that the number of atoms
increases jSBj  jS

Bj Still it is possible to relate the traces in case that B  PXY 
Lemma 
Let +
X
 V IPX stMF and

X
 PX 	 PX  Y  Then
 Traces+
X
  Traces

X
+
X

	
	
X
and
   Traces

X
+
X
 i 
	
	
X
 Traces+
X
 
Proof
For the proof it is assumed that all acceptance conditions are B

uchiconditions The proof for
fairness conditions is similar
x

 x
 
      Traces+
X

i exists v

 v
 
      Runs+
X
 such that
 fx
i
g M
X
v
i
 v
i 
 for all i
 innitely often fx
i
g  L
X
v
i
 v
i 
 and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists v

 v
 
      Runs+
X
 and exists y

 y
 
      Y

such that
 fx
i
 y
i
g M
X
v
i
 v
i 
 Y for all i
 innitely often fx
i
 y
i
g  L
X
v
i
 v
i 
 Y and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists v

 v
 
      Runs

X
+
X
 and exists y

 y
 
      Y

such that
 fx
i
 y
i
g M
X
v
i
 v
i 
 Y for all i
 innitely often fx
i
 y
i
g  L
X
v
i
 v
i 
 Y and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists v

 v
 
      Runs

X
+
X
 and exists y

 y
 
      Y

such that
 fx
i
 y
i
g 

X
M
X
v
i
 v
i 
 for all i
 innitely often fx
i
 y
i
g 

X
L
X
v
i
 v
i 
 and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists y

 y
 
      Y

such that
 x

 y

 x
 
 y
 
      Traces

X
+
X

i x

 x
 
      Traces

X
+
X

	
	
X
Similarly for the second proposition
x

 y

 x
 
 y
 
      Traces

X
+
X

i exists v

 v
 
      Runs

X
+
X
 such that
 fx
i
 y
i
g 

X
M
X
v
i
 v
i 
 for all i
 innitely often fx
i
 y
i
g 

X
L
X
v
i
 v
i 
 and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists v

 v
 
      Runs+
X
 such that
 fx
i
 y
i
g 

X
M
X
v
i
 v
i 
 for all i
 innitely often fx
i
 y
i
g 

X
L
X
v
i
 v
i 
 and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i exists v

 v
 
      Runs+
X
 and exists y

 y
 
      Y

such that
 fx
i
g M
X
v
i
 v
i 
 for all i
 innitely often fx
i
g  L
X
v
i
 v
i 
 and v
i
 v
i 
  E
X
for all B

uchiE
X
 L
X
  F
X
i x

 x
 
      Traces+
X

 
Especially the latter lemma can be applied to Boolean transition systems that are based on
algebras of transitions as introduced in Section  For example if
X
def

Y
xVars
Dx
Y
AActs
D

A
Y
xVars
Dx
then PX  B

VarsActs
which can be embedded into any algebra B

Vars
 
Acts
 

such that Vars 
Vars
 
and Acts  Acts
 

Denition  Composition
Let I be a 	nite index set and let +
i
 V
i
 I
i
B
i
 st
i
M
i
F
i
 be BTS without strong fairness con
ditions for all i  I Further assume some Boolean algebra B and monomorphisms

i
 B
i
	 B
such that St Independence holds for

i
+
i

Then the composition 
iI
+
i
is de	ned by 
iI
+
i
def


iI

i
+
i

Corollary 
 If B
 
 B

 B then +
 
+

 +
 
+

 Traces
iI
+
i
 

iI
Traces

i
+
i

 If all acceptance conditions are fairness conditions and the BTS

i
+
i
at most delay each
others fairness conditions and ful	ll Fair Independence then Traces
iI
+
i
  
Example Let +
 
and +

be based on two algebras B
 
def
 B

Vars
 
Acts
 

and B

def
 B

Vars

Acts


respectively and let B
def
 B

Vars
 
Vars

Acts
 
Acts



Furthermore let
st
i
def
 f 	 
 
  B
i
j x  
 
x
 
 for all x  Vars
i
and 	A   for all A  Acts
i
g 
Then the canonical embeddings B
i
	 B map st
i
to

i
st
i

def
 f 	 
 
  B j x  
 
x
 
 for all x  Vars
i
and 	A   for all A  Acts
i
g 
Thus
st
def


 
st
 
  


st


 f 	 
 
  B j x  
 
x
 
 for all x  Vars
 
 Vars

and
	A   for all A  Acts
 
 Acts

g
Besides if Vars
 
 Vars

 Acts
 
 Acts

  then  

 
st
 
 

 
M
 
e
 
 


st

 


M

e


whenever  

 
st
 
 

 
M
 
e
 
 and  


st

 


M

e

 because

i
B
i
 are independent
subalgebras of B That is St Independence and therefore the composition of +
 
and +

is
welldened
Also note that   st
i
 M
i
e
i
 i  

i
st
i
 M
i
e
i
 

i
st
i
  

i
M
i
e
i
 because

is
injective Thus St Independence guarantees that two stutter steps in the original algebras B
 
and B

result in a stutter step in the composition
Note that this construction also generalizes to situations where B 
O
iI
B
i
for a nite set I

Similarly
Denition  Projection
Let +  V IPX  Y  stMF be a BTS over PX  Y  and
	
	
X
 PX  Y  	 PX
the canonical projection
Then the projection of + to PX is the BTS +
	
	
X
def
 V IPX st
	
	
X
M
	
	
X
F
	
	
X
 with
F
	
	
X
def
 fFE
)
L j FEL  F and
)
Le  Le
	
	
X
g
+
	
	
X
is welldened Due to Lemma  
	
	
X
maps any nonzero element of PX  Y  to
some nonzero element of PX
Lemma 
 Runs+  Runs+
	
	
X

 Traces+
	
	
X
  Traces+
	
	
X
 If Traces+   then Traces+
	
	
X
  
Proof
 Immediate from Lemma  
 For this part it is assumed that there are only Buechi acceptance conditions For fairness
conditions the proof is similar
x

 x
 
      Traces+
	
	
X

i exists v

 v
 
      Runs+
	
	
X
 such that
 fx
i
g Mv
i
 v
i 

	
	
X
for all i
 innitely often fx
i
g  Lv
i
 v
i 

	
	
X
and v
i
 v
i 
  E for all B

uchiEL  F
X
i exists v

 v
 
      Runs+ such that
 fx
i
g Mv
i
 v
i 

	
	
X
for all i
 innitely often fx
i
g  Lv
i
 v
i 

	
	
X
and v
i
 v
i 
  E for all B

uchiEL  F
X
i exists v

 v
 
      Runs+ and exists y

 y
 
      Y

such that
 fx
i
 y
i
g Mv
i
 v
i 
 for all i
 innitely often fx
i
 y
i
g  Lv
i
 v
i 
 and v
i
 v
i 
  E for all B

uchiEL  F
X
i exists y

 y
 
      Y

such that  x

 y

 x
 
 y
 
      Traces+
i x

 x
 
      Traces+
	
	
X
 Immediately from Lemma  
  Abstraction
Whereas composition is needed to describe large specications a notion of renement is necessa
ry to develop specications in a stepwise manner that guarantees that properties that once hold
for a specication continue to hold in later development phases The other way round one may
be interested in nding an abstraction for a given specication in such a way that rstly certain
properties that hold for the abstraction also holds for the original specication and secondly the
desired properties are easier to be checked for the abstraction
As in case of composition that can be dened as trace intersection in a suitable Boolean algebra
renement can be dened semantically as trace inclusion given a common Boolean algebra
Denition  Abstraction
Let B
 
and B

be complete atomic Boolean algebras and +
 
 V
 
 I
 
B
 
 st
 
M
 
F
 
 and
+

 V

 I

B

 st

M

F

 be Boolean Transition Systems
+

is called an abstraction of +
 
and +
 
is called a re	nement of +

 written +
 
 +


i there exist a Boolean algebra B and monomorphisms

i
 B
i
	 B such that
Traces

 
+
 
  Traces


+


Obviously +
 
+

 +
 
and +
 
+

 +

as monomorphisms take the identity and

i

The drawback of this semantical denition of renement is that it is hard to check The following
theorem presents some sucient structural conditions that allow to deduce trace inclusion
In fact it is not even necessary to nd monomorphisms as the theorem directly relates the
Boolean algebras B
 
and B


Theorem 	 Abstraction Theorem
Let B
 
and B

be complete atomic Boolean algebras and +
 
 V
 
 I
 
B
 
 st
 
M
 
F
 
 and
+

 V

 I

B

 st

M

F

 be Boolean Transition Systems
If there is a function  mapping
 states v
 
 V
 
to states v

 V


 initial states v
 
 I
 
to initial states v

 I


 atoms s
 
 SB
 
 to atoms s

 SB

 and arbitrary elements b
 
 B
 
to
 b
 
 


sb
 
 s
and such that
 M

v

 w

 


f
v
 
w
 
V
 
 V
 
j
v
 
v

and 
w
 
w

g
 M
 
v
 
 w
 
 
and if furthermore for any acceptance condition FE

 L

  F

there is an acceptance condition
FE
 
 L
 
  F
 
such that
 E

 f v

 w

  V

 V

j exists v
 
 w
 
  E
 
such that  v
 
  v

and  w
 
  w

g
and
L

v

 w

 


f
v
 
w
 
E
 
j
v
 
v

and 
w
 
w

g
 L
 
v
 
 w
 

then  Traces+
 
  Traces+


If furthermore  de	nes a Boolean algebra monomorphism

 
 B
 
	 B

then +
 
 +

by
choosing


def
 Id
Proof
Let s

 s
 
      Traces+
 
 Thus there exists a sequence v

 v
 
     
Runs+
 
 Then  v

 v
 
      Runs+

 Run and Run follow
from  and  respectively Furthermore from  M
 
v
 
 w
 
 it follows that
   M
 
v
 
 w
 
 


f
vwV
 
 V
 
j
v
v
 
 and 
w
w
 
g
 M
 
v w  M

 v
 
 w
 

and therefore Run
It remains to show Tr and Tr for the sequence  s

 s
 
      SB




Tr follows because
 s
i
 


sM
 

v
i
v
i 

 s   M
 
v
i
 v
i 




f
vwV
 
 V
 
j
v
v
i
 and 
w
v
i 
g
 M
 
v w  M

 v
i
 v
i 

The rst relation holds because especially s
i
M
 
v
i
 v
i 

A similar argument shows that further  s
i
  L

 v
i
 v
i 
 whenever required in Tr
that is whenever s
i
 L
 
v
i
 v
i 
 From this one can deduce Tr
 
Remark   as dened in  is not in general a Boolean algebra homomorphism For exam
ple let B
 
 Pf  g B

 PfABg  fg   fg  fAg and  fg  fBg
Then  f g   f g   fg  fBg  fABg   f g    f g
Remark  If B
 
 PX  Y  and B

 PX then the canonical projection
	
	
X
 PX  Y  	 PX fullls condition  from above From Lemma   it
follows that
	
	
X
maps atoms to atoms Furthermore for arbitrary T  X  Y
 T  
 

xyT
 fx yg 
 

xyT
fxg  f x  X j 
yY
x y  T g  T
	
	
X
Taking the identity function as   it follows immediately that omitting acceptance conditions
results in an abstraction
Corollary 
Let +
 
 V IB stMF
 
 +

 V IB stMF

 and F

 F
 
 Then +
 
 +


As a second example consider two BTS +
 
and +

that are independent in the sense
that B
 
 PX and B

 PY  are embedded canonically into some labeling algebra
B  PX  Y  Z In this situation the function  required in Theorem  is de
ned as follows
 v
 
 v


def
 v
 
for all states v
 
 v

  V
 
 V


 v
 
 v


def
 v
 
for all initial states v
 
 v

  I
 
 I

 and
 fx y zg
def
 fxg for all atoms fx y zg  SB
Note that  coincides with the canonical projection
	
	
X
that maps subsets T  X  Y  Z to
T
	
	
X
 fx  X j 

yzY Z
x y z  Tg 
 
f
xyzgT
fxg
Chapter 
A Programming Notation
Specications could be given purely on the logical level as in TLA or even on the automata
level only as in discreteevent systems or statecharts However there are good reasons for
introducing a specication language that is somewhat higher than temporal logic or transition
systems
 Specications get more structure by distinguishing between input and output blocks and
modules or guarded and triggered transitions for example
 The use of parameters macros and short hand notations like If Then Else allows for
concise specications
 Specications are built up hierarchically The base is given by blocks which form the
smallest syntactic unit with context independent meaning Modules then are sets of blocks
sharing the same set of declarations On the system level nally an interpretation and a
valuation of the parameters of the system are xed and the modules are interconnected
in essence by use of renaming
 It is possible to specialize the specication language allowing certain adapted program
ming styles These may for example ease verication by restricting language constructs
for example the restriction to nite data types allows the use of model checking techni
ques ie decision procedures Other restrictions may ease the implementation of speci
cations Typical RPC or client server applications for example use the acknowledge
protocol from the introductory example to call lower level modules This protocol al
lows to replace the synchronous communication by asynchronous one and therefore the
implementation of TLT modules as set of UNIX processes running on a LAN
In the following one such specication style will be presented It is specialized to deal with
distributed reactive systems and eases assumptioncommitment style proofs by allowing in
some sense even forcing to annotate the specications Each building block of this specication
language will come along with syntactic as well as logical verication conditions that together
guarantee the realizability of the specication that is the existence of traces
Other specication styles further annotations for faulttolerance realtime or performance
evaluation are conceivable One style specialized to deal with client server architectures is
described in Bar	
Remark To increase readability syntactic entities variables functions etc but also keywords
of the specication language will be printed using sans serif fonts if they occur in normal text In
specications only the keywords are printed using sans serif fonts Furthermore most syntactic
entities are dened as tuples hIdSubDef

    SubDef
n
i with Id uniquely identifying the entity
Then the notation SubDef
i
Id is used instead of simply SubDef
i
whenever the context is not
obvious
  Types
In section  variables and actions were given a unique sort In the context of programming
languages one usually talks of types instead of sorts Some typical buildin types are Boolean
Bit  for the unit type String Natural Integer and Real Another basic type is MN
representing an integer interval Thus M and N must be integer constants or system parameters
denoting the lower and upper bound of the interval Finite sets of constants are described as
usual by enumerating the elements separated by commas and enclosed in curly brackets
Besides these basic types it is possible to form complex types from given basic or complex
types Complex types may be dened as tuples unions set dierences arrays or lists
Type

 Type

Cartesian product of Type

and Type

Type

 Type

union of elements from Type

and Type

Type

 Type

set of all elements from Type

not in Type

Array M   NOf Type

function M   N	 Type

List Of Type

list with elements of type Type

In TLT specications userdened types T
i
are dened in the Typessection as follows
Types
T
 
 type denition
 
T

 type denition




For example
Motor States  f stopped running defect g
denes a type Motor States whose values are taken from a set of constants indicating possible
states of a motor
Index  N
denes a type Index whose values range from  to N the latter being a parameter of type
Natural or Integer
 Parameters
Specications in TLT may be parameterized in order to avoid an ination of virtually identical
specications Examples for parameterized or generic specications are a lift specication for
N oors or a mutual exclusion algorithm for N processes Formally a parameter is nothing
but a specication variable
Denition  Parameters
Tuples  id type  or  id type expr  are called parameter de	nition i
 id  '
S
is a unique identi	er
 type  sortid  '
Sort
 and
 expr is a term
The parameters of a specication are listed in the Parameterssection as follows
Parameters
Param
 
 type
 
 expr
 
Param

 type




Parameterized specications are presented in Section 
 Declarations
For purposes of compositional specication program exible variables and actions are now
further enriched with an environment class The environment class determines the &ownership
and &scope of visibility of variables and actions in a modular system
The intuition behind the variable classes will be as follows Local variables belong to a parti
cular module and are not visible to the outside Write variables belong to the module which
declares them as write# they are visible to the environment but they may not be modied by it
Read variables are imported from the environment# their values can be read but not modied
locally Spec variables get used in quantications as formal parameters of actions and as array
indices# and nally History variables record the history of visible events between a module
and its environment# they are auxiliary variables in the sense that their values are completely
determined by the history of visible events
Remark An environment class for Global variables is not provided Our own experience has
discouraged their use because the question of ownership the consequences for composition and
diculties with implementation make global variables troublesome An equivalent but more
elegant solution is to implement global variables as separate modules in the style of abstract
data types with appropriate access methods see Page  for an example
Input and output actions intuitively provide a user with valuepassing synchronous or rendezvous
communication which is performed on a  or many basis per &communication channel The
action classes can be interpreted as follows In actions are actions under the control of the
environment and Out actions are under control of a given module In a composed system
input and output actions with the same identier match each other but only one module may
declare an action as Out action In order to hide actions for renement purposes one has to
add a third class of socalled Internal actions These might also be used as internal events to
synchronize among the blocks of a module However for this latter purpose one might also use
Out actions that are simply ignored by other modules
Denition  Declarations
A triple  id type env class  is called declaration i
 id  '
Var
 '
Act
is a unique identi	er
 type  sortid  '
Sort
 env class is an element from fLocalWriteReadSpecHistoryOut In Internalg such that
env class  fLocalWriteReadSpecHistoryg for all id  '
Var
env class  fOut In Internalg for all id  '
Act
The function sortidis used to refer to the type and similarly a function classid is used to refer
to the environment class of id Whenever classid  fLocalWriteReadHistoryg then a primed
copy of id with identical type and environment class is de	ned implicitly
Let Decl denote a set of declarations Then
 Vars denotes the set of declared program variables that is all variables v such
that classv  Spec  The following subsets of Vars are distinguished
 vVars the set of variables v with classv  fWriteReadg the visible va
riables
 hVars the set of variables v with classv  fLocalHistoryg the hidden
variables and
 lVars the set of variables v with classv  Local the local variables
 Acts denotes the set of declared actions Again two subsets are distinguished
 vActs the set of actions A with classA  fOut Ing the visible actions
 hActs the set of actions A with classA  Internal the hidden or internal
actions
The declarations of variables and actions a
i
are listed in the Declarationssection as follows
Declarations
classa
 
 a
 
 sorta
 

classa

 a

a

 sorta





For example
In Call  
declares a signal Call controlled by the environment Variables or actions with common environ
ment class and sort may be summarized to one declaration eg
In Call
 
 Call

 
 Abbreviations
Abbreviations or macros are a necessary means to obtain readable specications In TLT
abbreviations may be introduced for arbitrary terms formulas or commands see Section 
below For example
max length  
introduces a symbolic name for an integer constant Abbreviations get resolved in a preproces
sing step by syntactically replacing the identiers on the left by the terms formulas or commands
on the right
Denition  Abbreviation
A tuple  id expr  is called an abbreviation i
 id is a unique identi	er and
 expr is either a term a formula or a command
In the programming notation the macros are listed in the Abbreviationssection
Abbreviations
Abbrev
 
 expr
 
Abbrev

 expr




 Initial Values
Initial values may be specied in two ways
Firstly it is possible to specify an initial predicate init in the initial section
Initially init
Formally an initial predicate init is a state predicate such that classx  fWrite LocalHistoryg
for all x  FVinit Any valuation satisfying the initial predicate may serve as an initial state
If no initial predicate is specied then true is assumed
Secondly it is allowed to extend the declaration of Local Write and History variables x by
specifying a term init expr of the same type as the variable declared
classx x  sortx Init init expr
with sortx  sortinit expr In this case  x  init expr is appended to the initial predicate
Thus wlog there is only one initial predicate
 Transitions
Transitions on the logical level are given as transition predicates On the level of the specication
language transition predicates still form the basis of transitions However additional structure
is added
Firstly events are introduced as a special kind of transition predicates
 Events
Informally an event describes a non stuttering step that is a transition whose occurrence is
observable and which usually results in a state change Inevents are used in modules to
describe stimuli of the environment For example consider an action Call whose occurrences
are to be counted This would be written as
Call  number of calls
 
 number of calls  
and may be read as whenever a Call occurs the counter number of calls is increased by one
Similarly
Call  
Return  pending calls
 
 pending calls  
has to be read as whenever a Call but no Return occurs the counter pending calls is increased
by one But what about

Call     $
The problem in the last example arises due to the fact that modules are allowed to stutter
Thus if Call is an input action it can not be decided whether another module explicitly made a
non stuttering step labelled by 
Call or whether it simply stuttered The same problem arises
for predicates eg if the value for the temperature increases then send out a warning noted
by
temp
 
 temp  Warning
is executable whereas
temp
 
 temp  Warning
does not make sense in a context where stuttering is allowed Of course this is not simply due
to the fact that  is reexive whereas  is not take temp
 
 temp  and temp
 
 temp 
One easy solution is to dene events as transition predicates p that satisfy the additional cons
traint that
/ there is no valuation   
 
 with 
 
x
 
  x for all x  '
V
such that  p 

		
 

I

Here and in the sequel  denotes the valuation that assigns  to all actions Note that
/ implies that p is not a state predicate However such semantical denitions are hard to
validate Furthermore synchronization would be based on actions and variables Thus in this
thesis attention will be restricted to events built up of actions only This results in a purely
syntactical denition
Denition 	 Events
Events are de	ned with regard to a set Decl of declarations and all actions occurring in an event
have to be declared in Decl Given such a set atomic events are
 actions of form At such that FVAt  '
S
 or
 actions of form 
c
 
c
k
At such that FV
c
 
c
k
At  '
S
Events then are de	ned as
ev 


iI


jJ
i
at ev
j


kK
i

at ev
k

where at ev
j
and at ev
k
are atomic events and I J
i
  for all i
An event ev is called Inevent i classA  In for all A  FActev
An event ev is called Outevent i classA  fOut Internalg for all A  FActev

c
Ac is used to express some value is sent on channel A In the sequel 
c
Ac will be
abbreviated by A This can not be confused with the abbreviation A
def
 A
p
 introduced for
signals because A
p
 


 

I
i 
c
Ac 


 

I
for a specication variable c of sort 
Lemma 	
Events ful	ll condition  from above ie there is no valuation 
    
 
 with 
 
x
 
  x
for all x  '
V
such that  ev 


I

Proof
Suppose  ev 


I
for some valuation 
    
 
 That is 

jJ
i
at ev
j


kK
i

at ev
k



I
for
some i  I Especially 

jJ
i
at ev
j



I
for some i  I As J
i
  there exists an atomic event
at ev
j
such that  at ev
j



I
 Two cases are possible
 at ev
j
is an action At Then
At 


I
i 
A   t 


I
which contradicts 
A  A  
 at ev
j
is an action 
c
 
 c
k
At Then

c
 
 c
k
At 


I
i At 


Ic
 
d
 
c
k
d
k

for some d
i
 Isortc
i

i 
A   t 


Ic
 
d
 
c
k
d
k

which contradicts 
A  A  
 
From this proof it follows immediately that the evaluation of events does not depend on  or

 
 Therefore Lemma  can be strengthened to
Corollary 	
If 
A   for all A  FActev then 
ev 


I

  Commands
Next some structure is added to transition predicates resulting in commands
Remark As in the case of formulas the syntax of transitions will be dened inductively This
style allows brief denitions by avoiding to talk about priorities of operators etc As in the case
of formulas a at representation of a command is typically ambiguous Such ambiguities are
resolved by use of parenthesis
Before introducing commands an abbreviation is presented that will be used frequently in the
sequel Informally Stutter describes that nothing happens with regard to its argument If the
argument is a variable this means that its value remains unchanged If the argument is an
action this means that it does not happen Formally
Denition 	 Stutter
For an action or a program variable a Stuttera
def


a
 
 a  for a  '
V


c
ac  for a  '
Act
For a set A of actions and program variables StutterA
def


aA
Stuttera
Now together with the syntax of commands cmd their control set Ctrcmd containing the
variables and actions controlled by the transition and a function Trl mapping commands to
transition predicates are dened
Denition 	 Commands and their Control Set
Commands are de	ned with regard to a set Decl of declarations and all variables and actions
occurring in a command have to be declared in Decl Given such a set
 transition predicates p are commands if classA fOutInternalg for all actions A occur
ring in p and classx
 
Read for all primed variables occurring free in p
Ctrpfx j classxfLocalWriteHistoryg and x
 
occurs in pg 
fA j classA fOutInternalg and A occurs in pg
Trlpp
 cmd

k cmd

is a command for commands cmd

and cmd

 
Ctrcmd

k cmd

 Ctrcmd

 Ctrcmd


Trlcmd

k cmd

  Trlcmd

  Trlcmd


 If p Then cmd

Else cmd

is a command for commands cmd

and cmd

and a transition
predicate p such that FActp and classx
 
Read for all primed variables occurring
free in p cmd

or cmd


CtrIf p Then cmd

Else cmd

 Ctrcmd

 Ctrcmd


TrlIf p Then cmd

Else cmd

  p Trlcmd

  StutterCtrcmd

 Ctrcmd

 

 p  Trlcmd

  StutterCtrcmd

 Ctrcmd


As usual Else true may be omitted

Case
 p
 
cmd
 



 p
k
cmd
k
End
is a command for commands cmd
i
and transition predicates p
i
such that
FActp
i
 and classx
 
Read for all primed variables occurring free in one of the
p
i
or cmd
i

Ctr
Case
 p
 
cmd
 



 p
k
cmd
k
End
 
 
 ik
Ctrcmd
i
 
Trl
Case
 p
 
cmd
 



 p
k
cmd
k
End
 


ik
p
i
 Trlcmd
i
  Stutter
 
ji
Ctrcmd
j
  Ctrcmd
i

Furthermore let Ctr
V
cmd
def
 Ctrcmd   '
V

Ctr
Act
cmd
def
 Ctrcmd   '
Act
 and
Ctr
 
cmd
def
 fx
 
 '
V
 
j x  Ctrcmdg  fA  '
Act
j A  Ctrcmdg 
Remark  If p Then c

Else c

has the same translation as
Case
p  c


p  c

End
 For example
Trl
If xyThen x
 
x
Else y
 
y
  Trl
Case
 xy  x
 
x
 xy  y
 
y
End
 
x  y  x
 
 x   y
 
 y
 x  y  y
 
 y   x
 
 x
where  denotes syntactical equality
 Triggered Transitions
Triggered transitions in essence consist of an event and a command The intuition is that whe
never the event happens then the corresponding command is performed Triggered transitions
serve mainly two purposes
 They are used to process input actions typically an input event would trigger an update
of variables or trigger a suitable output action of the module
 They are used to set the values of history variables which record the history of visible
events# history variables play an important role in modeling the behaviour of the environ
ment as part of the assumptioncommitment style of specication in TLT
In Chapter  the notions being input enabled and at most delaying were dened in order
to guarantee noncontradicting deadlock free composition Here by default triggered tran
sitions may not block their environment ie they are input enabled This may be weakened
in two ways Firstly by delaying the occurrence of the event until a state predicate is satised
This results in the proof obligation that after a nite number of local steps this predicate will be
satised Secondly assumptions made about the behaviour of the environment may be formula
ted Again these assumptions are state predicates Here the intuition is that the event happens
only if the state predicate is satised This results in a proof obligation for the environment
Denition 		 Triggered Transitions
Triggered Transitions are de	ned with regard to a set Decl of declarations and all variables
and actions occurring in the transition have to be declared in Decl Given such a set a tuple
 tt s assume delay ev cmd  is called triggered transition i
 
To ease implementation one may require Ctrcmd
 
  Ctrcmd

   and thereby forbid for example
x
 
  k x
 
 
 tt is an optional name for reference purposes
 s is a possibly empty list of speci	cation variables
 assume is a state predicate with classv  Local for all v  FVassume

 delay is a state predicate with classv  fHistory LocalSpecg for all v  FVdelay
 ev is either an Inevent or an Outevent
 cmd is a command de	ned with regard to Decl and
 TT 
s
 assume  delay  ev  
Ctr
 

cmd
Trlcmd  
I
The conjunction of the state predicates assume and delay is called guard of a triggered transition
Further it is required that delaytrue whenever ev is an Outevent In this case the assumption
assume is also referred to as commitment the module the transition belongs to commits itself
to cause ev only if assume holds
Notation
tt
s
fassumeg hdelayi ev  cmd
ftrueg and htruei may be and usually are omitted
The specication variables in s serve as formal parameters binding the values of actions occurring
in the event For example

c
Callc  pnd
 
 c
means that if a Call happens then its value is bound to the specication variable c that implicitly
is declared to be of the same type as Call
Often triggered transitions are used to update history variables Thus the following shorthand
notation is used for triggered transitions
 Ah
 
 instead of 
c
Ac  h
 
 c
or
 Ah
 
  sth instead of 
c
Ac  sth k h
 
 c
More general the pure syntax may be recovered by scanning ev for action symbols containing
primed variables x
 
in their parameter list replacing these by fresh specication variables c
adding these to s and adding either  x
 
 c or k x
 
 c to the right hand side depending on
whether there already is a right hand side
 Guarded Transitions
Guarded transitions basically consist of a state predicate representing a guard guard and a
command cmd Intuitively this means that once in a state where the guard is enabled ie
evaluates to true it is possible to execute the command cmd The TLT semantics in fact
allows any subset of enabled transitions to be executed simultaneously as long as they do not
contradict each other In this sense TLT has a step semantics and not an interleaving semantics

It is allowed that assumefalse meaning that the corresponding ev never occurs
The execution of an individual enabled transition is of course just a special case Furthermore
the implicit consistency criterion associated with each guarded transition only guarantees the
executability of the transition itself and not for arbitrary subsets
Denition 	 Guarded Transitions
Guarded transitions are de	ned with regard to a set Decl of declarations and all variables and
actions occurring in a guarded transition have to be declared in Decl Given such a set a triple
 gt guard cmd  is called guarded transition i
 gt is an optional identi	er for reference purposes
 guard is a state predicate
 cmd is a command de	ned with regard to Decl and
 GT  guard  
Ctr
 

cmd
Trlcmd 
I
Notation
gt guard 	 cmd
 Fairness Conditions
Intuitively transitions describe onestep behavior only To describe the ongoing behavior of a
specication innite sequences of transitions are to be considered As for the triggered tran
sitions there is no choice they must be executed whenever the corresponding event occurs
On the other hand for guarded transitions there is too much freedom because any subset of
simultaneously enabled guarded transitions can be executed Allowing any execution sequence
or in terms of automata any paths is too coarse in this situation For example it would be
legal to never execute any guarded transition Thus a kind of scheduling is necessary However
the scheduling should neither be too restrictive nor too specialized Fairness serves as such a
general scheduler Intuitively it works simply by being fair to all transitions Or in other
words it avoids favoring particular transitions in an unfair way
Denition 	
 Fairness Conditions
Fairness conditions are de	ned with regard to a set Decl of declarations and all variables
and actions occurring in a fairness condition have to be declared in Decl Given such a set
 fair F fg fcmd  is called fairness condition i
 fair is an optional name for reference purposes
 F is either WF or SF
 fg is a state predicate and
 fcmd is a command
Notation
fair Ffg fcmd
Typically fairness conditions are closely linked to a guarded transition Therefore fair Fgt
abbreviates fair Fguard cmd for some guarded transition  gt guard cmd 

 Blocks
Blocks are the smallest unit with context independent meaning They dene automata or
temporal logic formulas in such a way that
 they are executable ie there exists at least one trace
 the same translation of a block is used independently from the context and
 under reasonable consistency criteria the composition of blocks is still executable
ie care is taken that blocks can not contradict
Denition  Blocks
A block  Bl Types Params Decls Init Transitions Fair  consists of
 Bl a unique identi	er for reference purposes
 Types a set of type de	nitions as described in Section 
 Params a set of parameter declarations as described in Section 
 Decls a nonempty set of declarations as introduced in De	nition 
 Init a state predicate
 Transitions a 	nite set of transitions and
 Fair a 	nite set of fairness conditions
Writing all triggered transitions at the beginning wlog Transitions 
f tt

 s

 assume

 delay

 ev

 cmd

      tt
jttj
 s
jttj
 assume
jttj
 delay
jttj
 ev
jttj
 cmd
jttj

 gt
jttj
 guard
jttj
 cmd
jttj
      gt
jttjjgtj
 guard
jttjjgtj
 cmd
jttjjgtj
g
Further let g
i
def
 assume
i
 delay
i
for all   i  jttj
If
 
 ijttjjgtj
Ctr
V
cmd
i
   then the set of controlled variables and actions is de	ned by
Ctrblock
def

 
 ijttjjgtj
Ctrcmd
i

else
Ctrblock
def
 fvg
for a fresh variable  v  Local 
Finally let Ctr
V
block
def
 Ctrblock   '
V
and Ctr
Act
block
def
 Ctrblock   '
Act

With these de	nitions the following consistency conditions are required of blocks
 All transitions are de	ned with regard to Decls
 All History variables are auxiliary variables as de	ned in De	nition  below
 The speci	cation variable lists occurring in the triggered transitions are pairwise disjoint
that is s
i
  s
j
  for all   i  j  jttj
 Events only deal with non controlled actions that is
Ev FActev
i
   Ctr
Act
block   for all   i  jttj
 Pairs of triggered transitions are not enabled simultaneously with regard to their assump
tions or their control sets are disjoint and one of the delays is more general
TT Consistency For all   i  j  k
TT Consistency  ev
i
 ev
j
 
assume
i
 assume
j
 
or
TT Consistencya Ctrcmd
i
  Ctrcmd
j
   and
TT Consistencyb  ev
i
 ev
j
 delay
i
 delay
j
  delay
i
 delay
j
 
 Init only controlled exible variables occur in init FFVinit  Ctr
V
block
Init the initial condition is satis	able 
FFV
init
init 
 All fairness conditions are de	ned with regard to Decls Further for any fairness condition
 fair kind fg fcmd 
F FFVfg  Ctr
V
block
F Ctrfcmd  Ctrblock
F  fg  
Ctr
 

block
 Trlfcmd  
ctr
block  
where 
ctr
block describes part of the nextstep relation of the block as de	ned below in
De	nition 
Remark  The control set of a block contains at least one variable and thus Ctrblock  
Remark  The control set does not contain specication variables that is Ctrblock 
'
V
 '
Act

Remark  As an immediate consequence of Denitions  and  no variable occurring
primed in a transition is of class Read Therefore classv  Read for all v  Ctr
V
block
and thus due to Init also classv  Read for all v  FVinit
Remark  Condition TT Consistency required for triggered transitions may be replaced by
the following weaker condition that also is sucient but that is harder to check
for all a 
 
 jjttj
Ctrcmd
j
 dene I
a
def
 f   i  jttj j a  Ctrcmd
i
 g#
then for all I  PI
a
 such that jIj   one has to show


iI
ev
i
 g
i
 

iI
Ctr
 

cmd
i


iI
Trlcmd
i
 
Intuitively this condition means that any subset of transitions that may be triggered
simultaneously may also be executed simultaneously
Notation
Block block name
Types
T  type denition
Parameters
param  sortparam
Declarations
classa a  sorta
Abbreviations
Abbrev  expr
Initially init
Transitions
gt guard 	 cmd
tt
s
fassumeg hdelayi ev  cmd
Fairness
wf WFfgfcmd
sf SFfgfcmd
End
The translation of the programming notation to both logic and automata is based on a predicate
describing the intended nextstep relation of the block
Denition  Nextstep Relation
The nextstep relation of the block block is given by
block
def
 
env
block  
ctr
block
where

env
block
def


 ijttj

s
i
 ev
i
 g
i
 Trlcmd
i
 
describes the eect of the environment of the block and

ctr
block
def


aCtr
block
 Stuttera 


f i j aCtr
tt
i
g

s
i
ev
i



f i j aCtr
gt
i
g
guard
i
 Trlcmd
i
 
describes the eect of the behavior controlled by the block itself
History variables are intended to be used to record the occurrence of events Thus their value
should be determined by the history of past events This is achieved in Denition  by
forcing all history variables of a block to be auxiliary variables Auxiliary variables are dened
semantically by means of two functions determining a unique initial value and a unique primed
value based on the actual value of the variable and the values of the visible actions
Denition  Auxiliary Variables
A variable h is called auxiliary i there are two functions f

and f such that for all


 	

 
 
 	
 
 

      Tracesinit block it holds that


h  f

 

i 
h  f
i
h  h 	
i
A j A  vActs i  and

i 
h  
i
h whenever 	
i
A   for all actions A  vActs
One frequently used special kind of block is worth mentioning
Denition  Interfaces
Blocks that consist of only triggered transitions and such that classCtrblock  fHistoryg are
called interfaces An interface I can be inverted denoted by
"
I  by inverting the environment
class of all actions occurring in the interface Outactions become Inactions and vice versa
Corollary 
TracesI  Traces
"
I for any interface I
Two lemmas stating that blocks are stutter invariant and input enabled conclude this section
The rst lemma states that the transition relation block may be satised by stuttering The
proof is purely technical and moved to the appendix
Lemma 	 Stutter Invariance
Let  be an arbitrary valuation of Vars and 
 
a valuation of Vars
 
such that 
 
x
 
  x for
all x  Vars
Then  block 

		
 

or equivalently  

aVarsActs
Stuttera   block 
The second lemma whose proof also is postponed states that the transition relation
block may be satised regardless of the values of noncontrolled actions and variables given
events only occur in states allowed by their corresponding guards
Lemma  Input Enabledness
 

 ijttj

s
i
 ev
i
 g
i
   
Ctr
 

block
block 

 Translating Blocks
In this section the textual representation for blocks presented in the previous section gets
translated into a temporal logic formula and into a concrete BTS The main theorem then
states that both of these models yield the same set of traces
Denition 
 Translation to Logic
The temporal formula representing the 
safety part
%block
def
 init block
The 
full temporal formula
 block
def
 %block 

 fair WF fg fcmd Fair
WFfg fg  Trlfcmd 

 fair SF fg fcmd Fair
SFfg fg  Trlfcmd 
WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
 guard
i
 Trlcmd
i
  
The last conjunct is referred to as local progress
The reason for distinguishing between %block and  block is justied by the fact that the
verication of safety properties can be done completely without referring to the fairness condi
tions Suppose some safety property  holds for all fair traces satisfying  block but not
for all traces satisfying %block Then there is a trace in Traces%block and a position i on
that trace such that 
 

	
i

i
	
i 

 But all initial segments of traces can be completed to fair
traces

 Thus
Corollary 
For any transition predicate 
j %block   i j  block  
or equivalently
Traces%blockTraces i Traces blockTraces 
The following lemma shows that local progress might also be stated directly on the textual level
as an explicit fairness conditions satisfying the conditions F F and F
Lemma 
Local progress may also be expressed explicitly as the fairness conditions
 LP WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
guard
i
Trlcmd
i
 
The proof of this lemma is given in the appendix
In the sequel let Fair
LP
denote the set
Fair  f LP WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
guard
i
 Trlcmd
i
 g 
Next a translation to a standard BTS +block is given

This was shown in Chapter  for the traces of BTS but the same scheduler also works for the temporal
formula block Actually it will soon be shown that Tracesblock Tracesblock for a suitable BTS
block
Denition  Translation to BTS
+block
def
 V IB stMF
where
V 
Y
xCtr
V

block
Dx 
I  f  V j  init 

I
g 
L 
Y
xVars
Dx
Y
AActs
D

A
Y
x
 
Vars
 
Dx
 
 
B  PL 
st  f  
 
  L j x  
 
x
 
 for all x  Varsg 
Mv w  f  L j x  vx for all x  Ctr
V
block
x
 
  wx for all x
 
 Ctr
 
V
block  and
 block 

g
F  f FEL j  fair F fg fcmd   Fair
LP

E  fv w  V  V j exists  such that

x  vx  x  Ctr
V
block
x
 
  wx  x
 
 Ctr
 
V
block
and  fg  Trlfcmd  
ctr
block 

g  and
Lv w  f  L j  fg  Trlfcmd  
ctr
block 

and

x  vx  x  Ctr
V
block
x
 
  wx  x
 
 Ctr
 
V
block
g for all v w  E g
Lemma  +block is wellde	ned
Proof
 I  V by denition
   I
By Init 
FFV
init
init  that is there is some valuation 
 of the variables in FFVinit
such that  init 


 Thus  init 
	
for any   Ctr
V
block 	 U that agrees with 
 on
FFVinit
Init 
 Ctr
V
block
 B is a complete atomic Boolean algebra by denition
 M  V  V 	 B by denition
 st   Mv v   for all v  V  Due to lemma  it is sucient to dene
x
def


vx  for x  Ctr
V
block
arb  for x  Ctr
V
block
 Then     st  Mv v
   Le  Me for all e  v w  E
If e  E then there exists some  such that  fg  Trlfcmd  
ctr
block 

and
x 

vx  x  Ctr
V
block
wx  x  Ctr
 
V
block
 Then dene a 

  a  Acts Ctrblock
a  else

The actions from ActsCtrblock do not occur in fgTrlfcmd 
ctr
block Therefore
 fg  Trlfcmd  
ctr
block 


On the other side besides  
ctr
block 

also  
env
block 

holds due to Corollary 
because all actions occurring in events are elements from Acts Ctrblock which is due
to condition Ev in Denition  That is  Me
 
Due to Theorem 
Corollary  Traces+block  
Furthermore both the translation to logic and the translation to BTS result in the same set of
traces as shown in Figure  and expressed in the following theorem
ΣΦ
Traces(block)
block
block block
Figure  The two models of block yield the same observable behavior
Theorem  Equivalence of models
Tracesblock
def
 Traces block  Traces+block
Proof
Let  




	 
 

 
	 

    Then
  Traces block
i  j  block
i
  init 
	

  block 

	
i

i
	
i 

for all i
a innitely often 
fg 
	
i
or innitely often  fg  Trlcmd 

	
i

i
	
i 

for all  fair WF fg fcmd  Fair
LP
b innitely often  fg 
	
i
implies innitely often  fg Trlcmd 

	
i

i
	
i 

for all  fair SF fg fcmd  Fair
LP
On the other hand
  Traces+block
i there is a sequence v

 v
 
      V

such that
I v

 I
II 
i
 	
i
 
i 
 Mv
i
 v
i 
 for all i
IIIa innitely often v
i
 G or innitely often v
i
 v
i 
  E and 
i
 	
i
 
i 
 
Lv
i
 v
i 
 for all WFGEL  F
IIIb innitely often v
i
 G implies innitely often v
i
 v
i 
  E and 
i
 	
i
 
i 
 
Lv
i
 v
i 
 for all SFGEL  F
To show  i I  i II a i IIIa and b i IIIb we dene v
i
def
 
i
	
	
Ctr
V

block


i  init 
	

i / FFVinit  Ctrblock /
 init 
v

i v

 I
i I

i  block 

	
i

i
	
i 

for all i
i / v
i
x
def
 
i
x for all x  Ctr
V
block /

i
 	
i
 
i 
 Mv
i
 v
i 
 for all i
i II
Instead of proving a i IIIa and b i IIIb directly we show stronger that
 fg 
	
i
i v
i
 G
and
 fg  Trlfcmd 

	
i

i
	
i 

i v
i
 v
i 
  E and 
i
 	
i
 
i 
  Lv
i
 v
i 

 fg 
	
i
i / FFVfg  Ctrblock /
 fg 
v
i
i / F /
there are v  such that 
	
	
Ctr
V

block  Ctr
V
 

block
 v
i
 v and  fg  Trlfcmd  
ctr
block 

i v
i
 G
 fg  Trlfcmd 

	
i

i
	
i 

i /  block 

	
i

i
	
i 

for all i /
 fg  Trlfcmd  
ctr
block 

	
i

i
	
i 

i v
i
 v
i 
  E and 
i
 	
i
 
i 
  Lv
i
 v
i 

 

  Some Remarks Concerning Fairness
Fairness is the most demanding concept in the theory of TLT Nissim Francez wrote a whole
book Fra that is dedicated solely to fairness The following remarks aim at providing at
least some deeper insight into the fairness notion of TLT and the consistency conditions required
for fairness conditions
Remark  Local progress is not the weakest possible fairness See Figure  Local pro
gress is used because of its very intuitive meaning namely if continuously some guarded
transition is enabled then eventually at least one enabled guarded transition gets execu
ted scheduled Thus local progress states that the guarded transitions of a block may
not starve In most examples this is the sole fairness condition necessary
l=1 l=2
l=3
A
A
A?
¬A
wf2wf1 
LP
¬A
LP
LP
LP
Block Local Progress
Declarations
In A  	

Local l  f    g init 
Transitions
 A   If l 
 Then l
 
l
 l  l
 

 l  l
 

Fairness
wf WF	l l
 


wf WF	l l
 


End
Figure  l   holds only due to local progress In fact the two weak fairness conditions
do not restrict the set of traces at all whereas local progress does and might as well be omitted
In the terminology of Francez wf and wf	 are not liveness enhancing
Remark  The necessity of the condition F may be seen considering the block shown in
Figure 
In this example the fairness constraint intuitively causes a Reset signal to be sent out if r
continues to be  That is in all traces innitely often r   or Reset occurs innitely often
r=1 /\  Reset
\/   ¬Reset
Block Flout F
Declarations
Out Reset  	

Read r  Bit
Transitions
 r  Reset
Fairness
wfWF	r Reset

End
Figure  An example motivating F
This is captured in the logical view by  Flout F The corresponding BTS +Flout F
however further forbids eg the trace
r  
Reset
 

 

 

 

      
because G  V  forcing an edge labeled with r    Reset to occur innitely often Ac
tually this is due to an inaccurate fairness denition for BTS To be exact a fairness
constraint FE L denes two implicit guards G
E
and G
L
being the projections of E to
its rst component the old G and the projection of L to the unprimed variables of the
labeling universe G
L
e
def
 f  j exists 	 
 
such that  Le 

		
 

g The fairness then is
dened to be enabled i it is enabled with respect to both G
E
and G
L
 However this
can not be generalized in a straightforward way to arbitrary labeling algebras Further
the example seems to be rather articial and can be circumvented by holding a local copy
r local of the Read variable r as shown in Figure 
Remark  F forbids obviously senseless fairness conditions like WFtrue x
 
   x
 
 
that trivially would result in non executable specications Furthermore F forbids
fairness conditions that contradict the transition relation block
Block Contradiction
Declarations
Write x  Natural init 
Transitions
 true  x
 
x
Fairness
 WF	truex
 
x

End
r=1 /\  Reset
\/   ¬Reset
r_local = 0
r_local = 1
r=0 /\  Reset?
r=1
wf1
wf1
Block Obey F
Declarations
Out Reset  	

Read r  Bit
Local r local  Bit
Transitions
 true  r local
 
r
 r local  Reset
Fairness
wfWF	r localReset

End
Figure  Block Obey F is welldened Furthermore with regard to the
visible variables and actions Obey F has exactly the desired traces that is
Traces
frgfResetg
Obey F  Traces Flout F
The transition predicate 
ctr
Contradiction is given by x  x
 
 x
 
 x  The
fairness condition always eventually increase x by  contradicts the fact
that x may only be incremented by one This is reected by condition
F which requires 
x
 
 x
 
 x 	  
ctr
Contradiction   to hold However

x
 
 x
 
 x 	   x  x
 
 x
 
 x    is not even satisable
Remark  The expressiveness of the fairness notion as advocated in this thesis is demon
strated by the following example
Block Fair
Declarations
Out A  f  g
Write x  Natural init 
Transitions
 true  x
 
x k A	

 true  x
 
x k A	

Fairness
 WF	trueA	


End
This results in the BTS shown in Figure 
Clearly 


	 

	 

	 

	       Traces Fair
 If the notion of
fairness was based on runs only as for example in Kur	 such specialized conditions
could not be expressed
x=0 x=1    x=2    x=3
A(1) \/ A(2) A(1) \/ A(2) A(1) \/ A(2) A(1) \/ A(2)
Figure  BTS corresponding to block Fair All transitions are colored by both local progress
and WFtrueA

 Abstract Models
The abstract models of a block are characterized by their states being state predicates forming
an arbitrary partition of the concrete state space
Denition  Translation to Abstract BTS
Let W be a set of state predicates p such that 
 aBTS FFVp  Ctr
V
block and 
Ctr
V

block
p 
 aBTS 
p  q  for arbitrary p q W with p  q
 aBTS 


pW
p 
Then the abstract BTS +
a
block
def
 WJB stNG of a block block based on W is given
by
J  fw W j 
Ctr
V

block
 w  init   g 
L 
Y
xVars
Dx
Y
AActs
D

A
Y
x
 
Vars
 
Dx
 
 
B  PL 
st  f  
 
  L j x  
 
x
 
 for all x  Varsg 
Np q  f  L j  block  p  q
 


g
G  f FEL j  fair F fg fcmd   Fair
LP

E  fp q W  W j  p  fg  and
exists  such that  p  q
 
 fg  Trlfcmd  
ctr
block 

g 
Lp q  f  L j  p  q
 
 fg  Trlfcmd  
ctr
block 

g for all p q  E g
Lemma 	 +
a
block is wellde	ned
The proof of this lemma is similar to the proof of Lemma  and is given in the appendix
 
Theorem  Relationship between models
Traces+block  Traces+
a
block
Proof
This proof can be done either directly or by use of Theorem  A direct proof is given in
the appendix Here it is shown that the premises of Theorem  are fullled Transcribed
to the situation above this means to nd a function  such that
  maps v  V to w W
  maps v

 I to w

 J
  maps atoms   L to atoms   L and arbitrary elements b  B to  b 
 
b
 
 Nw
 
 w

 
 
f
v
 
v

V  V j
v
 
w
 
and 
v

w

g
 Mv
 
 v


 for any acceptance condition FE
a
 L
a
  G there is an acceptance condition FEL  F
such that
E
a
 f w
 
 w

 W  W j exists v
 
 v

  E
such that  v
 
  w
 
and  v

  w

g
and
L
a
w
 
 w

 
 
f
v
 
v

Ej
v
 
w
 
and 
v

w

g
 Lv
 
 v


Firstly let  v be the uniquely determined w W such that w 
v

Secondly if v

 I then by denition  init 
v

 Then w

 init 
v

 Thus

Ctr
V

block
 w

 init   ie w

 J 
Choosing the identity function for   that is by dening  
def
  the extra condition of the
third item follows from Lemma 
Let   Mv
 
 v

 Then  block 

 v
 
x  x and v

x  x
 
 for all x  Ctr
V
block
Thus  block  w
 
 w

 


by denition of   ie   Nw
 
 w

 Thus 
Suppose w
 
 w

  E
a
 That is w
 
 fg  and there is some  such that
w
 
 w

 
 fg  Trlfcmd  
ctr
block 

 Dening v
 
x
def
 x and v

x
def
 x
 
 for
all x  Ctr
V
block it follows that v
 
 v

  E and
w
 
 w

  f w
 
 w

 W  W j exists v
 
 v

  E such that  v
 
  w
 
and  v

  w

g
It remains to show that for any pair v
 
 v

  E such that w
 

v
 
and w


v

it holds that
  Lv
 
 v

 implies   L
a
w
 
 w


If   Lv
 
 v

 then  fg Trlfcmd  
ctr
block 

 v
 
x  x and v

x  x
 
 for all
x  Ctr
V
block Since w
 

v
 
and w


v

it therefore follows that   L
a
w
 
 w


Thus by Theorem  it holds that  Traces+block  Traces+
a
block and because
  id Traces+block  Traces+
a
block  
The simple counterexample presented in Figure  shows that the opposite is not true in general
In the theorem stated above the same Boolean algebra was chosen for the labeling of the concrete
BTS and of the abstract BTS This simplies the proof because the identity function can be
used as   In general however it will be necessary not only to reduce the set of states but also
the set of labels As already mentioned in the remarks following Theorem  the canonical
projections form natural candidates Indeed from Lemma 
Corollary 

Let aVars  Vars aActs  Acts and L
a

Y
xaVars
Dx
Y
AaActs
D

A
Y
xaVars
Dx
Then Traces+
a
block
	
	
L
a
  Traces+
a
block
	
	
L
a
and thus Traces+block
	
	
L
a
 Traces+
a
block
	
	
L
a

    =0
>0
Σ Σa
x’=x+1
x’=x \/ x’=x+1
   x=0
x=1
x=0 /\ x’=1
x=2
x=1 /\ x’=1
x=3
x=2 /\ x’=3
Block StrangeTraces
Declarations
Write x  Natural Init 
Transitions
 true  x
 
x
End
Figure  The abstract BTS shown on the right consists of only two states one allows  as
sole valuation whereas the second one represents all natural numbers greater than 
Let                   Then   Traces+
a
blockTraces+block
The question that immediately arises in the context of abstract models is how to nd good
ones Typically this is a creative task whereas checking whether a given abstract model is well
dened often is signicantly easier In TLT it is possible to extract control information directly
from the textual specication This information is used to dene the necessary partition of the
state space Even though such an automated construction may fail to result in models that can
be used to verify the desired properties it often serves as a good starting point The resulting
models may be further rened by splitting states either automatically calculating for example
weakest preconditions or by hand Often however it is easier to adjust the specications by
splitting transitions and thus introducing additional guards or by replacing actions by signals
both transformations typically add control information As a side eect the control ow is
then also more obvious that is the textual specications prot by getting more readable
Denition  Control Predicates and Symbolic Guards
The set of control predicates of a block is de	ned as
CP
def
 finitg  f g
i
j   i  lg  ffg j  fair F fg fcmd   Fairg
The set of literals based upon CP is de	ned as LITCP
def
 f

pK
p 

pL

p j K
(
L  CPg
The set of symbolic guards is then de	ned as symbGuards
def
 f l  LITCP j 
FFV
l
l  g
That is all state predicates occurring in the textual representation are used as control predicates
Then all possible conjunctions are formed in which all these predicates occur either negated or
unnegated As there are only nitely many control predicates this set is also nite with 
jCPj
elements Finally the set of symbolic guards is obtained by removing all conjunctions that are
not satisable
Lemma 
symbGuards de	nes a partition of the state space
 FFVG  Ctr
V
block for all G  symbGuards
 
G
 
G

  for arbitrary G
 
 G

 symbGuards with G
 
 G

 


GsymbGuards
G 
Proof
 By denition of the control predicates
 Suppose there is some valuation  such that 
G
 
G

 
	
for some G
 
 G

 Then
there has to be some p  CP such that p occurs positive in G
 
but negative in G

 Then
 p 
	
and 
p 
	
 Contradiction
 Let  be an arbitrary valuation Then for any p  CP either  p 
	
or 
p 
	
 Let
K
def
 fp  CP j  p 
	
g and L
def
 fp  CP j 
p 
	
g Then 

pK
p 

pL

p 
	
and

pK
p 

pL

p  symbGuards Especially 


GsymbGuards
G 
	

 
Denition  Symbolic BTS
Using the notation of de	nition  and 
+
s
block
def
 symbGuards JB stNG
is called the symbolic BTS corresponding to block
Corollary  Relationship between models
 +
s
block is an abstract BTS of block
 J  fG  symbGuards j init occurs positive in G g
 Traces+block  Traces+
s
block
In the worst case there are 
n
symbolic guards for n control predicates As an example consider
the control predicates x   y   and z   However typically many of the control predicates
contradict each other For example x   x   and x   exclude each other pairwise and
result in the  symbolic guards x   x   x   and x    x    x  
To analyze the complexity in case of contradictory control predicates consider the following
algorithm to compute symbolic Guards
Block Symbolic Guards
Parameters
n  Natural  number of control predicates
ctr pred  Array	n
 OF FOL Predicates  n control predicates
Declarations
Local sel  Array	n
 Of fpos negg  sel	i
pos i
 the ith ctr pred enters the symb
 guard currently tested positiv
Local d  Natural  length 	depth
 of symb guard
 currently tested
Write symGuardL  List Of FOL Predicates  list of symb guards
Abbreviations
Guard 

id
selipos
ctr pred	i
 

id
selineg
 ctr pred	i

last pos 
	
max f i j sel	i
pos  idg  if f i j sel	i
pos  idg 
 
  else
snd last pos 
	
max f i j sel	i
pos  idg  if f i j sel	i
pos  idg 
 
  else
Initially sel	
  pos  d  
Instructions
 d  n

If satisable	Guard

Then 	 d
 
 d   jj sel
 
	i
 
	
pos  id
 
sel	i
  i 
 d
 


Else 	 Case
 sel	d
  pos  d
 
d jj sel
 
	i
 






neg  id
pos  id
 
sel	i
  else
 sel	d
  neg  last pos  Halt
 sel	d
  neg  last pos  d
 
last pos jj sel
 
	i
 
	
neg  id
 
sel	i
  else
End


 d  n

If satisable	Guard

Then 	 symGuardL
 
 symGuardL  Guard jj
Case
 sel	d
  pos  sel
 
	i
 
	
neg  id
sel	i
  else
 sel	d
  neg  last pos  Halt
 sel	d
  neg  last pos  d
 
last pos jj sel
 
	i
 
	
neg  id
 
sel	i
  else
End
Else 	 Case
 sel	d
  pos  symGuardL
 
 symGuardL  	

in
selipos
concrGuard	i
 

in
selineg
 concrGuard	i

  concrGuard	n
 
 jj
If snd last pos Then 	 Halt

Else 	 d
 
snd last pos jj
sel
 
	i
 
	
neg  id
 
sel	i
  else


 sel	d
  neg  last pos  Halt
 sel	d
  neg  last pos  d
 
last pos jj sel
 
	i
 
	
neg  id
 
sel	i
  else
End


End
In the program text l  e denotes the list that results from appending the element e to list
l The keyword Halt may be interpreted as a special action that signals the termination of
a computation More formally the occurrence of Halt implies that the block stutters that is
%block    Halt 

aCtr
block
Stuttera 
The algorithm generates symbolic guards by a specialized kind of backtracking that
allows to skip the generation of symbolic guards whenever possible for example
it uses the fact that if ctr pred is not satisable then no symbolic guard
ctr pred 

in
sel
ipos
ctr predi 

in
sel
ineg

ctr predi is satisable either
Lemma 
If n control predicates pairwise contradict each other then
n

	n

tests on satis	ability are
sucient to determine the symbolic guards
Proof
Let g
 
     g
n
denote the control predicates Because they exclude each other the symbolic
guards are n predicates g
i


j i

g
j
for   i  n and eventually the predicate

 in

g
i

The rst symbolic guard g
 


 jn

g
j
is found after the following n tests
g 

g
 
 g


g
 
 
g

 g





g
 
 

 jn

g
j
  g
n

For the second one there are again n tests necessary

g
 


g
 
 g



g
 
 g

 g






g
 
 g

 

jn

g
j
  g
n

To determine the further symbolic guards successively one test less is needed since the search
starts from 
g
 
 
g

 
g
 
 
g

 
g

 and so on Thus to nd 

 jn

g
j
  g
n
 two tests
are necessary

 jn

g
j
 and


 jn

g
j
  g
n

Finally one more test is required to determine whether

 in

g
i
is a symbolic guard
Summing up
n n n        n
X
 in
i  n
n  n 


n

   n

tests are necessary  

 Verication Based on Abstract Models
This section is dedicated to a short excursion to verication It serves to exemplify how abstract
BTS can be used for verication purposes and in which way their use is limited
According to Theorem  there are several ways of checking whether a temporal property
! holds for a block Besides proving j  block  ! in temporal logic it is also possible
to show Traces+block  Traces! for the corresponding BTS The decision procedures
proposed below makes further use of the fact that Traces+block  Traces+
s
block
Thus it is sucient to decide whether Traces+
s
block  Traces!
The algorithms presented below are based on x point calculations in a simplied version of
+
s
block For the invariance properties it is enough to keep a graph where nodes are labeled
by one bit marked or not marked and the edges are not labeled at all For leadsto properties
one further has to consider fairness as shown below If +
s
block has only nitely many states
then both algorithms are decision procedures that is they are guaranteed to terminate
Verication of invariance properties
To verify safety properties  for a state predicate  the following decision procedure may be
used
 Add  to the control predicates CP build the symbolic BTS
 Mark all symbolic guards where  occurs positive
 Calculate the set of reachable states
 If all reachable states are marked then Traces+
s
block  Traces
If not  may or may not hold The abstract model has to be rened
Obviously a negative decision may already be taken on the y by reaching an unmarked state
To verify  for arbitrary transition predicates  one has to mark edges
As an example consider the block Increment shown in Figure  To increase readability in this
and the following two gures let
gt
def
 x  y  x
 
 x   y
 
 y gt	
def
 y  x  x
 
 x  y
 
 y 
gt$
def
 x  y  x
 
 x   x
 
 x  y
 
 y gt	$
def
 y  x  x
 
 x  y
 
 y   y
 
 y
gtkgt	
def
 x  y  x
 
 x   y
 
 y   and
gtkgt	$
def
 x  y  x
 
 x   y
 
 y    x
 
 x  y
 
 y
For the example Increment the invariant   x  y    x  y  x  y    holds as may be
seen in Figure 
     x=y      x>y     x < y
gt1
gt2
gt1
gt2
gt1 ? (gt1 || gt2 ) ? gt2 ?
     x=0 , y=0      x=1 , y=0      x=2 , y=0
     x=0 , y=1      x=1 , y=1      x=2 , y=1
     x=0 , y=2      x=1 , y=2      x=2 , y=2
gt1
gt1
gt1
gt1
gt1
gt2 gt2 gt2
gt2 gt2
     x=0 , y=3      x=1 , y=3      x=2 , y=3
gt1 gt1
gt2
     x=3 , y=0
     x=3 , y=1
     x=3 , y=2
gt1
gt2
gt2
     x=3 , y=3
gt1
gt2
gt1 || gt2
gt1 || gt2
gt1 || gt2
Block Increment
Declarations
Write xy  Natural
Initially xy
Transitions
gt xy  x
 
x
gt yx  y
 
y
End
Figure  On the right the concrete on top and the symbolic BTS corresponding to block
Increment are shown
Verication of leadsto properties
To verify leadsto properties  	  for state predicate  and  the following decision procedure
may be used
     x=y      x=y+1      x>y+1     x=y-1     x<y-1
gt1 gt1
gt2
gt1
gt2 gt2
gt1 ? (gt1 || gt2 ) ? (gt1 || gt2 ) ? (gt1 || gt2 ) ? gt2 ?
Figure  The abstract BTS that results from adding x  y   x  y  x  y to the set
of control predicates
 Add  and  to the control predicates CP build the symbolic BTS
 Replace the strong fairness conditions by weak fairness conditions using the algorithm
presented in Section 
 Mark all symbolic guards where  occurs positive
 Label color all edges with the weak fairness conditions they take part in
 Successively
 choose one fairness condition WFG
s
 E
s
 L
s

 mark all nodes g  G
s
where all edges leaving g either
 are edges leading to a marked node or
 are edges leading to some g
 
 G
s
but such that g g
 
  E
s
until no more nodes can be marked
 Determine the set of nodes where  occurs positive If all nodes in this set are marked
then Traces+
s
block  Traces 	 
If not  	  may or may not hold The abstract model has to be rened or edges
g g
 
  E
s
with g
 
 G
s
have to be removed from E
s
due to external knowledge typically
well foundedness of some data type that guarantees that these edges may not be taken
innitely often without taking an edge leaving G
s

A more sophisticated algorithm would in addition iterate forward from states marked with 
To allow arbitrary transition predicates  and  one also has to mark the edges
In the example this decision procedure does not yield to a direct result for the property
true 	 x  y in the symbolic BTS presented in Figure  the selfloops in the abstract
states x  y and x  y foil the marking of these states However these selfloops can be remo
ved because it is not possible to increment decrement x permanently in state x  y x  y
The resulting BTS then is given by
     x=y      x>y     x < y
gt1
gt2
gt1
gt2
(gt1 || gt2 ) ?
In this BTS both states x  y and x  y are marked in the rst iteration of step  in the
algorithm Thus the property true 	 x  y holds
 Modules
In rst approximation modules consist of a set of blocks that share the same declarations while
they control disjoint variables and actions On the level of modules hiding is introduced
Denition 
 Modules
A tuple  Mod Types Params Decl
Mod
 Init Transitions Fair Blocks  is called module i
  Bl

 Types Params Decl
Mod
 Init Transitions Fair  is a block called the main block of
the module and
 Blocks is a 	nite set of blocks with each block Bl being enriched with a possibly empty
list of substitutions such that
Subst all parameters of Bl get replaced by expressions containing only constants
or module parameters of appropriate type and
Subst any identi	er occurring in Bl may be renamed either by a fresh identi	er or
by identi	ers from Decl
Mod
given both identi	ers agree in type and environment
class
These substitutions are carried out simultaneously in a preprocessing step that is before
determing Vars Acts etc or extracting the transition relations of the blocks
Let Decls denote the union of Decl
Mod
with all declarations made in any of the blocks after all
substitutions have been carried out Vars and Acts then denote the sets of all declared variables
and actions respectively
Finally in order to avoid duplicate declarations variables and actions need to be de
clared only within the block which controls them This convention makes it necessa
ry to add missing declarations to the blocks That is DeclsBl has to be replaced
by DeclsBl  f a type env class   DeclsMod j a  DeclsBl and a occurs in Blg for all
blocks
Furthermore and wlog let Blocks  fBl

    Bl
N
g denote the blocks again after all substitutions
have been carried out Thus fBl

    Bl
N
g denotes all blocks
The set of controlled actions and variables of the whole module is de	ned as the union of the
corresponding sets of the blocks
CtrMod
def

 
iN
CtrBl
i

Then the following consistency conditions must be ful	lled
 No identi	er occurs several times in Decls with dierent type or environment class
 The control sets of the blocks are pairwise disjoint
ExclCtr CtrBl
i
  CtrBl
j
   for all i  j
 The speci	cation variable lists occurring in the triggered transitions are pairwise disjoint
 Pairs of triggered transitions are not enabled simultaneously with regard to their assump
tions or one of the delays is more general
For any pair tt

tt

of triggered transitions occurring in dierent blocks
TT Consistency Mod
 ev
i
 ev
j
 
assume
i
 assume
j
  delay
i
 delay
j
  delay
i
 delay
j
 
 All fairness conditions are executable Let  id F fg fcmd  be some arbitrary fairness
condition occurring in one of the blocks Then the following has to hold
Fair Module
 fg  
Ctr
 

Mod
Trlfcmd 

iN
Bl
i
  
 The safety commitments are ful	lled
for all transitions  tt s assume delay out ev cmd  occurring in one of the blocks Bl
k

Commit TL j

iN
%
Com
Bl
i
   
s
out ev  assume
where %
Com
Bl
k
 is obtained from %Bl
k
 by replacing the occurrence of all commitments
assume by true that is

s
 out ev  delay  assume  Trlcmd 
reduces to

s
 out ev  delay  Trlcmd 
in the de	nition of 
env
Bl
k

Often temporal reasoning is not necessary A sucient 	rstorder logic criteria is given
by
Commit FOL 

iN

Com
Bl
i
  
s
out ev  assume 
 The delays are satis	ed
Delay  
s
 assume  
delay
 
Ctr
 

Mod


iN
Bl
i
 

fa  Ctr
Mod j a  vVars  vActsg
Stuttera   
Delay j

iN
 Bl
i
  
s
   
assume  delay 
for all triggered transitions tt s assume delay ev cmd  occurring in one of the blocks
Remark  In the premises of the consistency criteria dealing with the safety commitments
and with delays all blocks appear Mostly it is possible to consider only the blocks that
control the Outevent or the delayed event In case of the safety commitments one then
proves
j

jJ
%
Com
Bl
j
   
s
out ev  assume
where J
def
 fj j   j  N and there is some action A  CtrBl
j
 that occurs in out ev g
The syntactically shortest proof obligations for the safety commitments are obtained by
the following sucient criteria
Commit FOL
 

AFAct
out ev


 gt guard cmd 
Ctr
cmd
FAct
out ev
guard  Trlcmd   
s
out ev  assume 
That is in contrast to Commit FOL only those guarded transitions are considered that
emit actions occurring in out ev
In case of the delays

iN
 Bl
i
 can often be replaced by  Bl for the block where
tt occurs Furthermore the delay condition is trivially fullled for triggered transitions
dealing with Outevents because they may not be delayed delay  true
Remark  The proofs concerned with the commitments can further be simplied by ad
ding the commitments that have already been proven successively to the premise of the
consistency conditions That is %
Com
may be replaced by a stronger predicate by only
replacing only those commitments that still have to be proven
Lemma 

Let %
Com
Bl denote the formula that is obtained from %block by removing ie replacing
by true all commitments
If Commit TL is ful	lled for all commitments then
j 

iN
%Bl
i
   

iN
%
Com
Bl
i
 

 tt s assume delay out ev cmd 
S
Transitions
 
s
 out ev  assume 
 

iN
%
Com
Bl
i
 
Proof
The rst equivalence follows from the denitions of %Bl
i
 and %
Com
Bl
i
 the second equiva
lence is due to Commit TL
 
Notation
Module Mod
Types
T  type denition
Parameters
param  sortparam
Declarations
classa a  sorta
Abbreviations
Abbrev  expr
Initially init
Transitions
gt guard 	 cmd
tt
s
fassumeg hdelayi ev  cmd
Fairness
wf WFfgfcmd
sf SFfgfcmd
Include Block Bl
id

 t

     id
k
 t
k

Include Inverted Block Bl	
id

 t

     id
l
 t
l

/ if Bl is an interface /
Block Bl



End
End
 Module 
For interfaces that are included into the module it is possible to specify them as Inverted This
means that after all substitutions have been carried out the environment classes of all declared
visible actions get inverted Inactions become Outactions and vice versa
Example Petersons mutual exclusion algorithm
The following module describes a way to model tokens without using global variables For
simplicity it is assumed that the token may be set by only two Inactions Set  and Set 
Module Token
Declarations
Variables
Write token  
Actions
In Set  Set   
Transitions
set  Set   
Set    token
 
 
set  
Set   Set    token
 
 
both Set   Set    token
 
 token
 
End
Quite straightforward if exactly one Inaction occurs then the value of token is set accordingly
More interesting is transition both If both Inactions occur simultaneously the value of token
may be set to any value token
 
 token
 
is equivalent to token
 
 f g Because there are no
two events that may be fullled simultaneously there is no need for assumptions
As a second simple example consider the following client that uses token to gain access to a
critical section
Module Client
Parameters
myToken  
Declarations
Variables
Read token  
Read req   Boolean
Write req  cs   Boolean Init false
Local pc  
Actions
Out Set   
Transitions
request pc   	 req
 
jj pc
 
 
set token pc   	 Set  jj pc
 
 
enter pc    
req  	 cs 
 
jj pc
 
 
enter pc    token  myToken 	 cs 
 
jj pc
 
 
leave pc   	 
req 
 
jj 
cs 
 
jj pc
 
 
End
Intuitively Petersons algorithm now works like this Firstly the client makes a request transi
tion request then the client oers some other client the right of way by sending Set  Then
the client module checks whether it has right of way enter or whether the other client has
not even made a request enter	 and enters its critical section Finally executing leave the
client leaves the critical section again

Denition 
 Translation to Logic and concrete BTS
Assuming the notation of De	nition 
Mod
def


iN
Bl
i
 
vis
Mod
def
 
hVarshActshVars
 
Mod
%Mod
def


iN
%Bl
i
 %
vis
Mod
def


hVarshActs
%Mod
 Mod
def


iN
 Bl
i
  
vis
Mod
def


hVarshActs
 Mod
+Mod
def
 
iN
+Bl
i
 +
vis
Mod
def
 +Mod
	
	

vVarsvActs
where the de	nition of +Mod is based on canonical embeddings of the Boolean algebras un
derlying +Bl
i
 and where j

vVarsvActs
denotes the canonical projection
j
vVarsvActs
 P	
Y
xVars
D	x
 
Y
AActs
D

	A

Y
x
 
Vars
D	x
 

 
  P	
Y
xvVars
D	x
 
Y
AvActs
D

	A

Y
x
 
vVars
D	x
 

 
 
Examples 
The translation to logic for module Token is given by

vis
	Token
  	Token
   	 token
 

 token
Set   Set   token
 
 
 Set   Set   token
 
 
 Set   Set   token
 
 token
 


For module Client rstly let
request
def
 pc    req
 
 pc
 
 
set token
def
 pc    Set   pc
 
 	
enter
def
 pc  	  
req   cs 
 
 pc
 
 
enter	
def
 pc  	  token  myToken  cs 
 
 pc
 
 
leave
def
 pc    
req 
 
 
cs 
 
 pc
 
 
any guard
def
 pc    pc    pc  	  
req   pc  	  token  myToken  pc  
any transition
def
 request  set token  enter  enter	  leave
Then
	Client
   	
	 cs 
 

 cs  enter  enter  leave 

 	 req 
 

 req  request  leave 

 	 pc
 

 pc any transition 

 	 Set pc set token 



 WF	any guard any transition

and

vis
	Client
 

pc
	Client

The corresponding BTS are given in their pictorial representation
Set_1
token=myTokenreq_1 
token=0 token=1
req_0 cs_0
req_0 cs_0
req_0 cs_0
req_0 cs_0
       Set_0 /\    Set_1
\/    Set_0 /\ ¬ Set_1
\/ ¬ Set_0 /\ ¬ Set_1
       Set_0 /\    Set_1
\/ ¬ Set_0 /\    Set_1
\/ ¬ Set_0 /\ ¬ Set_1
       Set_0 /\ Set_1
\/ ¬ Set_0 /\ Set_1
      Set_0 /\   Set_1
\/   Set_0 /\ ¬ Set_1
In the BTS representing module Token note that the selfloop in state token   could take
place due to transition set  or due to transition both or due to stuttering

Remark  +Mod is well dened
For simplicity it is assumed that all fairness conditions are weak fairness conditions com
pare Theorem  These may be rewritten as B

uchi conditions Corollary  Ac
cording to Denition  it remains to show that St Independence holds for the images
of the BTS +Bl
n

def
 V
n
 I
n
B
n
 st
n
M
n
F
n
 under the canonical embeddings

n

The blocks are stutter independent i for any set of edges e
n
 V
n
 V
n
such that
 

n
st
n
  

n
M
n
e
n
 it holds that  

nN

n
st
n
  

n
M
n
e
n
 
If 
n
 	
n
 
 
n
 

n
st
n
  

n
M
n
v
n
 w
n
 then by denition of

n
st
n
 it follows that
	
n
A   for all A  ActsBl
n
 and 
n
x  
n
 
x for all x  VarsBl
n
 Furthermore by
denition of

n
M
n
 it follows that v
n
 w
n

Dening x 



v
n
x  x  Ctr
V
Bl
n

arb  x  Vars
 
nN
Ctr
V
Bl
n

 
 
def
  and 	   
 	 
 
 

nN

n
st
n
 and by Lemma  it follows that  	 
 
 

n
M
n
v
n
 v
n

for all   n  N and thus  	 
 
 

nN

n
st
n
  

n
M
n
e
n
 as required
Remark  The explicit representation of +Mod agrees with the one given for blocks in
Denition  one only has to replace block by Mod
For example
stMod
def


nN

n
stBl
n



nN

n
f  
 
  LBl
n
 j x  
 
x
 
 for all x  VarsBl
n
g


nN
f 	 
 
  LMod j x  
 
x
 
 for all x  VarsBl
n
 and
	A   for all A  ActsBl
n
g
 f  
 
  LMod j x  
 
x
 
 for all x  VarsModg 
Remark  The stuttering element of +
vis
Mod is given by
st
vis
Mod  f 	 
 
  LMod
	
	

vVarsvActs
j x  
 
x
 
 for all x  vVarsMod and
	A   for all A  vActsModg 
That is the values of local variables may be changed while stuttering On the other hand
assumptions are preserved by visible stuttering steps because they are based only on visible
and history variables recall that the latter ones may change their value only if a visible
event occurs
Having introduced hiding it is reasonable to also distinguish local and visible fairness conditions
Because of the general denition of fairness conditions it is possible that although a fairness
condition only names local variables there may not be a local step fullling the fairness condition
For example consider the module
Module Sideeect
Declarations
Variables
Local l  Natural
Actions
Out A  	

Transitions
 true  l
 
 l jj A
Fairness
wf WF	truel
 
 l

End
In this example the only possibility to do a fair step as a side eect results in emitting the
visible action A Therefore the following denition is necessary
Denition 
 Local Fairness Conditions
A fairness condition  id F fg fcmd  occurring in module Mod is called local i
 fg  
Ctr
 

Mod
Trlfcmd  Mod 

avVarsvActs
Stuttera  
All other fairness conditions are called visible
Again one now has to show that both representations yield the same set of traces and that there
is at least one trace Firstly embedding the declarations of the blocks into the declarations of
the module has the same eect on the sets of traces in both the logical and the automata view
Lemma 
 Embedding
Let

i
 P	
Y
xVarsBl
i

D	x
 
Y
AActsBl
i

D

	A
 
Y
x
 
Vars
 
Bl
i

D	x
 


  P	
Y
xVars
D	x

Y
AActs
D

	A

Y
x
 
Vars
 
D	x
 



denote the canonical embedding of the declarations of block i into the declarations of the module
Then
Traces
Vars
Bl
i
Acts
Bl
i

+Bl
i
  Traces
Vars
Bl
i
Acts
Bl
i

 Bl
i

implies Traces
VarsActs


i
+Bl
i
  Traces
VarsActs
 Bl
i

Proof
  Traces
VarsActs


i
+Bl
i

i / Lemma  /

	
	

Vars
Bl
i
Acts
Bl
i

 Traces

Vars
Bl
i
Acts
Bl
i

+Bl
i

i / Premise /

	
	

Vars
Bl
i
Acts
Bl
i

 Traces

Vars
Bl
i
Acts
Bl
i

 Bl
i

i / Denition  /
  Traces
VarsActs
 Bl
i

 
Therefore applying Theorem  stating that Traces
Vars
Bl
i
Acts
Bl
i

+Bl
i
 
Traces
Vars
Bl
i
Acts
Bl
i

 Bl
i
 to all block results in
Corollary 
	

iN
Traces
VarsActs


i
+Bl
i
 

iN
Traces
VarsActs
 Bl
i

The following lemma dealing with hiding will be helpful in the proof of Theorem 
Lemma 
 Hiding
 Traces+   implies Traces+
	
	

vVarsvActs
  
 If Traces+  Traces 
then Traces+
	
	

vVarsActs
  Traces
vVarsvActs


hVarshActs
 
Proof
 Immediate from Lemma  in Chapter 
   Traces+
	
	

vVarsvActs

i / Lemma  /
  Traces+
	
	

vVarsvActs
i / Denition  /
exists )  Traces+ such that )
	
	

vVarsvActs
 
i / Premise /
exists )  Traces  such that )
	
	

vVarsvActs
 
i / Denition  Denition  /
  Traces
vVarsvActs


hVarshActs
 
 
Theorem 


 TracesMod
def
 Traces+Mod  Traces Mod
 TracesMod
vis

def
 Traces+
vis
Mod  Traces 
vis
Mod
 TracesMod  
 TracesMod
vis
  
Proof
 Traces
iN
+Bl
i

Theorem 


iN
Traces

i
+Bl
i

Corollary


iN
Traces Bl
i

Lemma
 Traces

iN
 Bl
i

 Follows from  by applying 
 Firstly in Lemma  it was shown that
Traces

iN
%Bl
i
  Traces

iN
%
Com
Bl
i

Adding fairness on both sides results in
Traces

iN
 Bl
i
  Traces

iN
 
Com
Bl
i

Therefore replacing all commitments by true does not inuence the set of traces
Now the proof of the theorem can be traced back to Theorem 

Therefore let
+Bl
n

def
 V
n
 I
n
B
n
 st
n
M
n
F
n
 Because no own fairness condition is delayed recall
that delaytrue in all triggered transitions dealing with Outevents it is sucient to show
input enabledness stutter independence and fairness independence
a Any block Bl
n
of the module is input enabled with respect to the fairness conditions
of any other block Bl
f
 According to denition  it has to be shown that for any
fairness condition WFGEL  F
k
 any state w  G and any state v  V
n
where
n  k there are some v
 
 V
n
 w
 
 V
k
and a valuation   L such that ww
 
  E
and  

k
Lww
 
  

n
M
n
v v
 

If w  G then by denition  fg 
w
and by Fair Module it follows that there exists
some  such that
 fg  Trlfcmd 

iN
Bl
i
 

Thus it holds that  fg  Trlfcmd  
ctr
Bl
k
 

and by construction ww
 
  E
Besides  Bl
n
 

and therefore  

k
Lww
 
  

n
M
n
v v
 
 holds for
v
 
x
def
 x for all x  CtrBl
n

b That the blocks are stutter independent was already shown in the remarks following
Denition 
c Remains fairness independence Let v
n
 V
n
and in addition for some xed but
arbitrary k let v
k
 G for some WFGEL  FBl
k

Then it has to be shown that if for all n  k there are w
n
 V
n
and w
k
 V
k
such
that  

k
Lv
k
 w
k
  

n
M
n
v
n
 w
n
 then it holds that
/  

k
Lv
k
 )w
k
  

nN

n
M
n
v
n
 )w
n
 for some )w
n
 V
n

This means that when all blocks are input enabled wrt a certain fairness condition
then they can do a step in common
But / is exactly what is expressed by the consistency criteria Fair Module
 Follows from  by applying 
 
 Layered Systems
In this section systems are introduced as a means to combine modules in a LEGOlike fashion
This aims at building concrete systems using predened modules from some library On the
system level these modules are instantiated appropriately and properties for the concrete system
or specication under consideration may be given using the linear temporal logic presented in
Chapter 
In most application areas telecommunications control client server that have been investiga
ted by the TLT group systems were typically build up in layers For example the software
architecture of a typical control system consists of three layers On top there is the socalled
process control system PCS It consists nowadays of some PCs and is responsible for moni
toring and control for keeping archives as well as for production planning using for example
recipes In the middle a series of PLCs for programmable logic controllers does the intrinsic

Strictly speaking in order to reduce this theorem to Theorem  it has to be assumed that F
n
only
contains weak fairness conditions or all strong fairness conditions can be implemented by weak fairness conditions
This diculty can be circumvented by doing a direct proof similar to the one presented for the composition theorem
on the system level
control They poll the physical devices in a cyclic manner in intervals of few milliseconds com
pared to reaction times in the range of seconds for the PCS The bottom layer nally sums
up the intelligent eld devices that come along with their own low level control software see
Figure 	
PCS layer
PLC layer
Field device layerM M
Figure 	 The architecture of a typical control system It is simplied by omitting any concrete
bus systems typically both TCPIP and some eld bus are used
A more detailed view on control systems is taken in Chapter  At this point their architecture
motivates the introduction of socalled layered systems as an additional means of structuring
specications

Denition  Layered Systems
A tuple  Sys Param SysAssumptions Layer

     Layer
L
 is called a system i
 Sys is a name identifying the system
 Param is a set of parameter declarations  id type expr  such that no variable occurs
in expr
 SysAssumptions is a set of temporal logic formulas describing the assumptions made about
the environment of the system
 Layer
i
are tuples  Modules
i
 Poperties
i
 where
 Modules
i
is a 	nite set of modules with each module Mod being enriched with a
possibly empty list of substitutions such that
Subst all parameters of Mod get replaced by expressions containing only con
stants or system parameters of appropriate type and
Subst any identi	er occurring in Mod may be renamed by a fresh identi	er
These substitutions are carried out simultaneously in a preprocessing step that is
before determing Decls or extracting the transition relations of the modules

Of course it is possible to use only one layer
Let Decls denote the union of all declarations made in any module after all substituti
ons have been carried out Vars and Acts then denote the sets of all declared variables
and actions respectively
 Poperties
i
is a set of arbitrary temporal formulas expressing the properties layer
i guarantees to layer i  Properties of the top layer L are called the system
properties
Furthermore wlog the set of all modules of all layers is given by fMod

    Mod
M
g
 Any variable action is declared at most once in the system as Write Out
 The safety assumptions are ful	lled
For any module Mod let %
Assume
Mod
def


hVarshActs

ijBlocks
Modj
%Bl
Assume
i

where %Bl
Assume
 is obtained from %Bl by replacing

s
 in ev  delay  assume  Trlcmd 
in the de	nition of 
env
Bl by

s
 in ev  delay  Trlcmd 
for all  tt s assume delay in ev cmd  occurring in Bl
Further for any  tt s assume delay in ev cmd  occurring in one of the modules Mod
let RelyMod denote the conjunction of all properties below module Mod together with
the system assumptions
Then one has to show that
Assumptions j RelyMod 

iM
%
Assume
Mod
i
   
s
in ev  assume
holds for all  tt s assume delay in ev cmd  that do not occur in an interfaces
 Let  
l
denote the conjunction of all  
vis
Mod of modules of layer l Similarly P
l
denotes
the conjunction of all formulas in Properties
l
respectively Then the following condition
has to be satis	ed for all layers l
Properties j SysAssumptions  

kl
P
k
  
l
 P
l
for all   l  L
 at most one module is delayed by each transition
If delay diers from true for some triggered transition  tt s assume delay in ev cmd 
then
Delayed Module FActin ev  CtrMod
j

for one module Mod
j

 all visible fairness conditions are executable Let  id F fg fcmd  be some arbitrary
visible fairness condition occurring in one of the modules Mod
f
 Then
Vis Fair System
 fg  Trlfcmd  Mod
f
 

ttTriggeredTTs
delay  assume
 
vActs
SysvVars
 

Sys
 fg  Trlfcmd 

jM

vis
Mod
j
  
for TriggeredTTs
def
 ftt j  tt s assume delay in ev cmd TransitionsSys and
 fg  Trlfcmd  Mod
f
  
s
in ev  g
Remark  For assumptions occurring in interfaces the condition Assumptions does not need
to be proven because the condition already is checked as a commitment in the inverted
module
Notation
System Sys
Parameters
param  sortparam  expr
Layer L
Properties
 Prop
Include Module Mod
id

 t

     id
k
 t
k




Layer 
Properties
 Prop
Include Module Mod
id

 t

     id
l
 t
l

Systemassumptions
 Env Prop
End 
 System 
Example Peterson continued
Using the modules Client and Token introduced on Page  a system of two modules competing
for some mutual exclusive critical section may be build up
System Peterson
Layer 
Properties
  
  cs   cs  
  req  	 cs  
  req  	 cs  
Include Client
myToken  
Include Client
myToken    req   req  req   req 
cs   cs  Set   Set 
Include Token
End
Strictly speaking the two liveness properties could be strengthened to cs  and cs 
This is due to local progress which prevents the clients from staying permanently in their idling
states
The following picture shows the BTS corresponding to the instantiated modules occurring in
system Peterson
Set_1
token=0req_1 
req_0 cs_0
req_0 cs_0
req_0 cs_0
req_0 cs_0
Set_0
token=1req_0 
req_1 cs_1
req_1 cs_1
req_1 cs_1
req_1 cs_1
token=0 token=1
       Set_0 /\    Set_1
\/    Set_0 /\ ¬ Set_1
\/ ¬ Set_0 /\ ¬ Set_1
       Set_0 /\    Set_1
\/ ¬ Set_0 /\    Set_1
\/ ¬ Set_0 /\ ¬ Set_1
       Set_0 /\ Set_1
\/ ¬ Set_0 /\ Set_1
      Set_0 /\   Set_1
\/   Set_0 /\ ¬ Set_1

Denition  Translation to Logic and concrete BTS
Assuming the notation of De	nition 
Sys
def


 iM

vis
Mod
i

%Sys
def


 iM
%
vis
Mod
i

 Sys
def


 iM
 
vis
Mod
i

+Sys
def
 
 iM
+
vis
Mod
i

where the de	nition of +Sys is based on canonical embeddings of the Boolean algebras
underlying +
vis
Mod
i

By applying Properties inductively for all layers it follows immediately that all properties hold
in the system given the environment fullls the system assumptions
Corollary 
j SysAssumptions   Sys 

P in Properties
Sys
P
Next two lemmas and a corollary are stated They will be used in the proof of the composition
theorem for systems The rst lemma allows to discard the assumptions
Lemma 
j SysAssumptions    
Assume
Sys   Sys 
Proof
 By applying Properties inductively for all layers
 j SysAssumptions   Sys   
Assume
Sys holds because by denition
j  
Assume
Sys 

 tt s assume delay in ev cmd 
in Transitions
Sys
 
s
in ev  assume   Sys 
It remains to show
j SysAssumptions   
Assume
Sys   Sys 
This is done bottom up for each layer separately Therefore let  
l
denote the conjunction
of all  
vis
Mod of modules of layer l and let P
l
denotes the conjunction of all formulas in
Properties
l

Firstly from Assumptions it follows that
j SysAssumptions 

kl
P
k
  
Assume
Sys 

 tt s assume delay in ev cmd 
in Transitions
layer l
 
s
in ev  assume
and thus
j SysAssumptions 

kl
P
k
  
Assume
Sys   
l

Using Properties
j SysAssumptions 

kl
P
k
  
Assume
Sys  P
l
can be deduced which allows to repeat the argument for the next layer After all one has
shown
j SysAssumptions   
Assume
Sys 

 tt s assume delay in ev cmd 
in Transitions
Sys
 
s
in ev  assume
as required
 
Moving from blocks to modules one had to embed the declarations of the blocks into the
declarations of the module Now embedding is applied to move from modules to systems
Repeating the arguments from Section  one proves
Lemma  Embedding
Let

i
denote the canonical embedding of the declarations of module Mod
i
into the declarations
of the system Sys Then
Traces
Vars
Mod
i
Acts
Mod
i

+Mod
i
  Traces
Vars
Mod
i
Acts
Mod
i

 Mod
i

implies Traces
VarsActs


i
+Mod
i
  Traces
VarsActs
 Mod
i

as well as
Corollary 	

 iM
Traces
VarsActs


i
+Mod
i
 

 iM
Traces
VarsActs
 Mod
i

Finally in the composition theorem it is shown
 that both  Sys and +Sys yield the same set of traces and
 that there is at least one trace
Theorem 
 TracesSys
def
 Traces+Sys  Traces Sys
 Assuming the system assumptions TracesSys  
Proof
 Traces
 iM
+Mod
i

Theorem 


 iM
Traces

i
+Mod
i

Corollary


 iM
Traces Mod
i

Lemma
 Traces

 iM
 Mod
i

 Firstly assuming the system assumptions it was shown in Lemma 	 that
Traces Sys  Traces 
Assume
Sys
Furthermore
Traces Mod  Traces 
Commit
Mod
for all modules Therefore replacing all assumptions and commitments by true does not
inuence the set of traces
Now a trace can be dened inductively
Firstly let VisInitStatesMod
m

def
 f
m

j 
m

 	
m

 
m

      Traces 
vis
Mod
m
g
Then

mM
VisInitStatesMod
m
   because each module only constrains its Write
variables and any visible variable may at most once be declared as Write within the
system Thus there is some initial state 

for the whole system
Now assume an initial trace 

 	

 

    
i
 is already determined Then analog to the
proof following Theorem  a fairness condition  fair F fg fcmd  is chosen that
waits the longest Let fair occur in Module Mod
f
 Now two cases may arise
 If the fairness condition is local then by denition
 fg  
Ctr
 

Mod
f

Trlfcmd  Mod
f
 

avVars
Mod
f
vActs
Mod
f

Stuttera  
Thus Mod
f
can do a fair step while stuttering on all visible variables and actions
All other modules simply do a stuttering step
 If the fairness condition is visible then due to Fair Module
 fg  Trlfcmd  Mod
f
 

for some valuation  of the variables and actions declared in Mod
f
 Now for all
other modules Mod
j
the set of enabled transitions is determined If there is mo
re than one enabled transition in Mod
j
then because of TT Consistency and
TT Consistency Mod there is one delay delay implying all others If this delay
is not yet satised then module Mod
j
continues doing local steps that is with regard
to the visible variables and actions the module stutters until delay holds Delay
and Delay During that time all other modules including Mod
f
 do with regard
to the visible variables and actions stutter steps After all modules have reached a
state where they can accept the fairness step Vis Fair System can be applied and
thus
 fg  Trlfcmd 

jM

vis
Mod
j
 

vis
for some valuation 
vis
of the visible variables and actions declared in the system
Since 
vis
Mod
j

def
 
hVars
Mod
j
hActs
Mod
j
hVars
 

Mod
j

Mod
j
 it follows further that
 fg  Trlfcmd 

jM
Mod
j
 

for some valuation  That is there is a common step of all modules that fullls the
fairness condition fair
 
  Parameterized Specications
In this section the programming notation will be extended to deal with parameterized specica
tions In the context of TLT parameters may be viewed as an elegant way of writing generic
specications For example in a paper machine there are groups of drives linked together by
a sieve One drive behaves as the master drive whereas all other drives are slave drives being
controlled by the master drive However the number of slave drives varies in dierent parts of
the paper machine as well as in dierent paper machines In TLT such a system could be noted
as follows
System Papermachine
Layer 
Include Module Supervisory Control
End
Layer 
Include Module Master Drive
Include Module Slave Drives
Number of slaves 



End
End
In this case a generic module Slave Drives is used that can deal with any number of drives In
the concrete system the parameter Number of slaves gets instantiated with  Alternatively it
is also possible to replicate a module Slave Drive four times
System Papermachine
Layer 
Include Module Supervisory Control
End
Layer 
Include Module Master Drive	
Include 
hslavei
Module Slave Drive
x xslave    



End
End
In this case each of the modules controls exactly one drive In order to keep these module
separate it is necessary to rename all visible variables and actions In the example a visible
variable x of module Slave Drive gets replaced by variables x x	 x and x respectively
On the system level at latest all parameters have to be instantiated Therefore although
specications are described parameterized and thus generic it is always possible to resolve the
parameterization syntactically in a preprocessing step This simplies the task of implementing
simulating and verifying systems
Denition  Vector Types
A type T is called vector type i
 jITj is 	nite
 there is a set C of constants of type T such that I  C 	 IT and
 the elements of C are ordered
For example fstopped running defectg trivially is a vector type with three constants being
ordered implicitly according to their occurrence within the set  is a vector type with
C  f 	  g As a special case vector types may be empty as in  or C  f g This can
be useful to describe optional parts of a system
A rst schema is used to declare vectors of variables and actions Consider for example a system
with  N instances or replicas of a generic pump controller and a supervisory controller
Each pump controller is responsible for supervising one pump and independent from the other
controllers and uses a Boolean valued variable pump oki to denote the status of its that is the
ith pump For the supervisory controller however it might be reasonable to write an interface
dealing with all  N pump controllers Thus from the view of this interface there exists
a Boolean valued vector pump ok pump ok	 pump ok of length  N Declarations for
vectors of length N are written
classa a  Vector N Of sorta
which is used as schema to declare the following N variables or actions
classa a     aN  sorta 
More generally vectors may be of arbitrary vector types
classa a  Vector VectorType Of sorta 
If VectorType is determined by N constants fc

     c
N
g then the N variables or actions declared
implicitly by this construction are
classac

 ac

     ac
N
  sorta 
It is important to realize that by this construction N variables or actions get declared This
distinguishes vectors from arrays For an array a a and a	 refer to two positions of one
array variable whereas a and a	 refer to two dierent variables or actions
In the sequel let VT denote a vector type that is determined by N constants fc

     c
N
g Then
the following schemata are introduced to handle vectors
 For formulas

hcVTi
p abbreviates the conjunction p
cc
 

     p
cc
N


For example let x be a variable of type Vector  Of Integer
Then

hc	i
xc   abbreviates x    x	    x   
Disjunctions are handled analog
 On command level hc  VTi cmd abbreviates cmd
cc
 

k    k cmd
cc
n


 For triggered transitions
h c  VT i tt
s
fassumeg hdelayi ev  cmd
abbreviates N triggered transitions
tt c
 
 fassume
cc
 

g hdelay
cc
 

i ev
cc
 

 cmd
cc
 




tt c
n
 fassume
cc
n

g hdelay
cc
n

i ev
cc
n

 cmd
cc
n


This notation extends naturally to tuples of specication variables
h c
 
 
    c
 
n
 
 VT
 
    c
m
 
    c
m
n
m
 VT
m
i tt
s
fassumeg hdelayi ev  cmd
In this case
Y
 im
n
i
N
i
transitions arise from syntactically substituting the
X
 im
n
i
vector indices c
i
j
 with all possible combinations of constants
 Similarly for guarded transitions the following schema is introduced
h c VT i gt guard 	 cmd
This schema abbreviates N guarded transitions
gt c
 
 guard
cc
 

	 cmd
cc
 




gt c
n
 guard
cc
n

	 cmd
cc
n


Again this notation extends naturally to tuples of specication variables
h c
 
 
    c
 
n
 
 VT
 
    c
m
 
    c
m
n
m
 VT
m
i gt guard 	 cmd
 For fairness conditions
h c  VT i fair Ffg fcmd
abbreviates N fairness conditions
fair c

 Ffg
cc
 

 fcmd
cc
 





fair c
n
 Ffg
cc
n

 fcmd
cc
n

 
Again this notation extends naturally to tuples of specication variables
h c
 
 
    c
 
n
 
 VT
 
    c
m
 
    c
m
n
m
 VT
m
i fair Ffg fcmd
 For blocks
hc  VTi Block Bl
id

 t

     id
m
 t
m

abbreviates N blocks
Block  Bl c

id

 t

     id
m
 t
m


c c





Block Bl c
n
id

 t

     id
m
 t
m


c c
n

such that in a rst step all substitutions from id

 t

     id
m
 t
m
 are carried out and
in a second step all identiers c get replaced by an identier c
i
for each constant c
i
of the
vector type
Again this notation extends naturally to tuples of specication variables
h c
 
 
    c
 
n
 
 VT
 
    c
m
 
    c
m
n
m
 VT
m
i Block Bl
 Within systems vectors of modules are described exactly the same way as vectors of blocks
are described in the context of modules
Example  A token for N modules
The following module generalizes module Token presented on page 
Module GeneralToken
Parameters
N  Integer
Declarations
Variables
Write token  N
Actions
In Set  Vector N Of 	

Transitions
set

hpr Ni
Setpr   token
 
	 f pr  N j Setpr g
End
If N equals two then the sole transition becomes
set Set  Set   token
 
 f pr   j Setpr g
which yields the same translation as module Token namely

vis
	GeneralToken
  	GeneralToken

  	 token
 

 token
Set  Set  token
 
 
 Set  Set  token
 
 
 Set  Set  token
 
 token
 

 

Example  A round robin scheduler
This example presents a complete system made up of a scheduler that is capable of starting
N processes in a round robin fashion Although the example is rather small it demonstrates
nearly all kinds of parameterizations
Scheduler
RoundRobin
Process[1] Process[2]
[] <> Start(1)
[] <> Start(2)
 Start(1) |--> Finished[1]
 Start(2) |--> Finished[2]
Start : [1...2]
F
in
is
he
d[
1]
 :
 (
)
F
in
is
he
d[
2]
 :
 (
)
Figure  The architecture of system RoundRobin
Module Scheduler
Parameters
N  Natural
Declarations
In Finished  Vector N Of 	

Out Start  N
History pnd  N init 
Local start  Boolean init true
Transitions
gt start  start
 
k Start	pnd

h pr  N i tt f pnd  pr  start g Finishedpr
 
	 If prN Then pnd
 
 pnd Else pnd
 
  
 k
start
 
End
Module Process
Parameters
N  Natural  number of processes in whole system
Me  Natural  identies this process within system
Declarations
In Start  N
Out Finished  	

Local pc   init 
Transitions
gt

 f pc g Start	Me
   pc
 

gt

 pc  pc
 
 k      
gt

 pc  pc
 
 k Finished
End
System RoundRobin
Parameters
ProcNo  Natural  
Properties


pr 
 Start	pr

Layer 
Include Module Scheduler
N   ProcNo
End
Properties


pr 
	 Start	pr
  Finishedpr 

Layer 
Include h pr  ProcNo i Module Process
N   ProcNo Me   pr  Finished   Finishedpr
End
End
   Some Notes Concerning Implementation
All entities of the programming language presented in this chapter have to satisfy both syntactic
and semantic consistency criteria Typically there is some trade o between syntactic and
semantic consistency criteria Whereas syntactic criteria are easy to check they might be too
coarse and thus restrict the expressibility of the language too much More often there is
danger that they lead to specications that look unnatural or even unreadable On the other
hand semantic criteria can be adjusted to exactly what is necessary to obtain the desired eg
compositionality results However at the prize of getting proof obligations that may be hard
to check or even undecidable
In the sequel semantical consistency criteria are replaced by syntactical ones and the eect on
implementation is discussed
Transitions
The sole semantic consistency criteria of transitions is the requirement that they are executable
This may be achieved in essence by allowing only assignments instead of arbitrary transition
predicates
Modules
On the level of modules diculties concerning implementation may arise due to contradicting
transitions that have to be executed simultaneously Within one block TT Consistency forbids
these inconsistencies A simple purely syntactic substitute is given by
Syn TT Consistency Ctrcmd
i
   Ctrcmd
j
   for all   i j  jttj i  j
The problem of inconsistencies resulting from cyclic triggered transitions in dierent blocks
may be tackled by a dependency graph dened as follows
Denition  Dependency Graph
Given a module made up of a set of blocks Bl
def
 fBl

    Bl
N
g the corresponding dependency
graph is de	ned as a directed graph DGMod  V IE where
 the nodes are given as
V
def

 
iN
 f fag j a  CtrBl
i
 and a does not occur in any guarded transition g 
f fa  CtrBl
i
g j a occurs in some guarded transition of block Bl
i
g  
 the initial nodes are de	ned as
I
def

 
iN
f fa  CtrBl
i
g j a occurs in some guarded transition of block Bl
i
g  and
 v

 v

  E  V V i there is a triggered transition tt such that
 some a

 v

occurs in the event ev of tt and
 some a

 v

occurs in the command cmd of tt
DGMod is said to be weak acyclic i no cycle in DGMod can be reached starting from a
node v  I
Intuitively the initial nodes I of a dependency graph mark sets of actions and variables that
might be forced to happen to be updated due to fairness conditions like local progress The
additional nodes in V are made up of singletons of actions and variables that are used only in
triggered transitions Thus following the edges in the dependency graph all actions may be
determined that might be triggered in a step of the module
Due to ExclCtr the controlled actions of the blocks are disjoint Due to Ev actions do not
occur in any event of the block by which they are controlled These two consistency conditions
allow to deduce immediately from the denition of the dependency graph that
Corollary 
 v

  v

  and
 v v  E 
Clearly if a graph DGMod is weak acyclic then due to TT it is possible to determine
valuations for all actions by successively following the edges in the graph and setting all actions
not reached to 
To give an example consider the following three blocks
Block Block
Declarations
Out A  	

Transitions
gt

 true  A
Fairness
wf

WF	trueA

End
Block Block
Declarations
Out ABC  	

Transitions
tt

 A   B  C
End
Block Block
Declarations
Out BC  	

Transitions
tt

 C  B
End
In this example A is the sole action that always eventually is forced by the fairness condition
wf

 The dependency graph with regard to this initial state is not weak acyclic
{A}
{B} {C}
Figure  The dependency graph with regard to the initial state A
As may be seen from the dependency graph the triggered transitions tt

and tt
	
depend on
each other Indeed they constitute a contradiction
 Suppose A
B occurs Then tt

triggers C and tt
	
triggers B which contradicts
A  
B
 Now suppose A  B occurs Then the second block does not trigger C recall
that Block	
def
 C  A  
B and therefore the third block does not trigger B
because Block
def
 B  C which contradicts A B
Together it follows that A may never happen However the fairness condition in the rst block
forces always eventually A and therefore the composition of the three blocks is not executable
If no fairness was required for A then the dependency graph is by denition weak acyclic and
there is a model for the composition namely
 
B
B

 
 
A
 
 
B
 
 
C

C
C
A

 
B
B

 

A
 

B
 

C

C
C
A
      

Unfortunately there are also situations where a dependency graph based only on syntactic
informations is too coarse If in the example tt

gets replaced by
tt
a
 A  B  C 
then the dependency graph does not change and forbids the compositi
on of the three blocks Nevertheless there are executions For example
 
B
B

 
 
A
p
 
 
B
p
 
 
C
p

C
C
A

 
B
B

 

A
p
 

B
p
 

C
p

C
C
A
      


The dependency graph may now be used to replace the semantic criteria Fair Module in the
denition of modules
Syn Fair Module The dependency graph DGMod is weak acyclic
Using this criteria the proof of fairness independence in Theorem  has to be adjusted
Again let v
n
 V
n
and in addition for some xed but arbitrary k let v
k
 G for some
WFGEL  FBl
k

Then it has to be shown that if for all n  k there are w
n
 V
n
and w
k
 V
k
such that
 

k
Lv
k
 w
k
  

n
M
n
v
n
 w
n
 then it holds that
 

k
Lv
k
 )w
k
  

nN

n
M
n
v
n
 )w
n
 for some )w
n
 V
n

This time the dependency graph is used in order to successively determine a valuation 
 x
def
 v
n
x for all x  Ctr
V
Bl
n

 x
def
 arb for all x  Vars Ctr
V
Bl
n

 choose a for all a  Ctr
 

ctr
Bl
k
 such that  fg  Trlfcmd  
ctr
Bl
k
 

 A
def
  for all A  Acts
 
nN
Ctr
Act
Bl
n

 Now all nodes v  V of DGMod without predecessors are determined Then for all
actions A  v let A
def
  and for all variables x  v let x
 

def
 x
 Next successively all nodes v  V are determined whose predecessors already are xed
Then for all actions A  v that occur in a transition with  ev 

 choose A according
to TT and for all variables x  v that occur in a transition with  ev 

 choose x
 

according to TT For all remaining actions A  v let A
def
  and for all remaining
variables x  v let x
 

def
 x
Because of TT Consistency no contradictions within one block ExclCtr no con
tradictions between triggered transitions of dierent blocks and Syn Fair Module no
action or variable is visited twice this results in a well dened valuation
 Finally A
def
  for all remaining actions A from Ctr
Act
mod and x
 

def
 x for all
remaining variables x from Ctr
V
mod
Now  is completely determined and besides all 
env
Bl
n
 also all 
ctr
Bl
n
 are fullled The
refore as required  

k
Lv
k
 )w
k
  

nN

n
M
n
v
n
 )w
n
 holds by choosing )w
n
x
def
 x
for all x  CtrBl
n

On the system level nally there also exists the problem of inconsistencies resulting from
cyclic triggered transitions Again this may be tackled by a dependency graph dened as
follows
Denition  System Dependency Graph
Given a system made up of a set of modules Sys
def
 fMod

    Mod
M
g the corresponding
dependency graph is de	ned as a directed graph DGSys  V IE where
 the nodes are given as
V
def

 
iM
 f fag j a  CtrMod
i
 and a is visible
and a does not occur in any guarded transition g 
f fa  CtrMod
i
g j a is visible
and a occurs in some guarded transition of CtrMod
i
 g  
 the initial nodes are de	ned as
I
def

 
iM
f fa  CtrMod
i
g j a is visible
and a occurs in some guarded transition of CtrMod
i
 g   and
 v

 v

  E  V V i there is a triggered transition tt such that
 some a

 v

occurs in the event ev of tt and
 some a

 v

occurs in the command cmd of tt
DGSys is said to be weak acyclic i no cycle in DGSys can be reached starting from a node
v  I

Chapter 
The Fault Tolerant Production Cell
  Introduction
The case study Fault Tolerant Production Cell was dened by the FZI Forschungszentrum
Informatik at Karlsruhe for the KorSys correct software for safety critical systems project
Besides the FZI also the University of Oldenburg the Technical University of Munich BWM
ESG and Siemens participate in KorSys The case study is an extension of the case study
Production Cell introduced in LL	 that has been worked out using more than  dierent
approaches among these is also a TLT solution see CH	
The Fault Tolerant Production Cell extends the original task description mainly due to the
fact that all devices may fail To cope with these failures additional sensors have been added
The overall architecture of the production cell is shown in Figure 
The production cycle for a single metal plate does not dier from the process in LL	 If the
signal at the beginning of the feed belt shows green a plate may be added to the feed belt The
plate is conveyed to the elevating rotary table The robot picks the plate up using its rst arm
and puts the plate into a unoccupied press Here the piece is processed and afterwards picked
up with the second arm of the robot The plate is carried to the deposit belt If the trac
light at the end of the deposit belt shows green the plate may be forwarded to some undened
environment
The production cell is an example for a reactive control also called embedded system that is
a system consisting of a set of physical devices and a set of controlling devices that interact
by means of sensors and actuators see Figure 
A model for an embedded system thus consists of
 explicitly modeled physical devices PD
i

 explicitly modeled controllers CD
i
 and
 the environment that is modeled implicitly in form of assumptions 
Explicit modeling of physical devices allows expressing mixed properties like if in the real
world no component gets broken then the controllers will report no errors If the model would
S19 S18
S20
traffic light for deposit
deposit belt
S1 S2
feed belt
traffic light for insertion
system
clock
alarm
signal
S6
elevating rotary table
S3
S4
S5
S10
S9
S8
press1
S7
S11
S14
S13
S12
press2
robot
S17
arm1
S15
arm2
S16
Figure  The architecture of the fault tolerant production cell top view and side view
end with the observation of the sensors one could only indirectly argue about the physical
devices like if the sensors show behavior B then the controllers will report no errors An
engineer formulating such a property would of course implicitly using his knowledge about the
physical devices identify the observed behavior B with the situation no error occurs however
this step is a frequent source of errors and it is clearer to explicitly model the physical devices
With both the physical devices and their controllers being modeled as TLT specications the
whole production cell may be described as a twolayered system see Figure 
According to Figure 	 one might expect a third layer with higher level control functionality
like diagnosis or production planning However because almost all errors can be dealt with
locally a general diagnosis module is not necessary for the case study And as far as production
planning is concerned it also can be dealt with locally with the sole exception that the robot
needs knowledge about the state of the presses to decide to which one the next plate has to
be passed Because an extra module would have increased the necessary communication
 
 the
planning was moved to the controller for the robot
 
With regard to the distributed implementation on a LAN see CHBb the communication turns out to
be the main obstacle for eciency
PD1 PD2 PD3
CD1 CD2
Environment
User
Figure  An embedded system
Layer 0
Layer 1
FB_Ctr Table_Ctr Press_Ctr
FB Table Press
System Assumptions
System Properties
(physics)
(basic control)
Properties Layer 0
Figure 
 A Model of the Production Cell
In order to extract a discrete model of some physical system one typically has to proceed in
several stages The rst model might be an continuous model like a set of dierential equations
describing trajectories of the system in time A second model may introduce discrete points of
time where sensors are read and actuators are set Finally one might end up with a nite
discrete model described as an automaton Each renement step has to be validated by
relating the models in such a way that it is guaranteed that no relevant possible behavior
are lost For the production cell case study the physics are dened by the textual task
description For example maximal times are assumed without proof in whatever model As
nothing is known about the underlying physics the specications presented here already start
at the discrete automaton level
The models of physical devices simply describe what can happen Ie they only exclude what
physically is impossible like a sensor detecting a plate if there is none Thus these specications
typically allow many traces and are easily validated with respect to the textual task description
To describe physical behavior appropriately TLT specications are used with only one dierence
to the TLT specications introduced so far for modeling software The fairness section gets
replaced by a general temporal formulas section allowing to specify arbitrary liveness properties
but also invariants fullled by the physical devices Especially together with the fairness section
the minimal fairness local progress requirement is given up for physical devices Recall that
for a specication to be run on a computer it is necessary that it is realizable which can not be
guaranteed for arbitrary liveness requirements For physical devices one needs not care about
schedulers and implementation thus this restriction does not make sense
The hierarchy block  module  system ts very well to model sensorsactors  physical devices
 the complete production cell Thus this hierarchy is kept for the description of the physical
system As an alternative one might also specify the sensors and actors as modules that might
be arranged in a separate layer Variables and actions now are to be interpreted as an abstract
means to describe physical behavior in an operational style Actions for example are used to
express that two physical devices do something commonly in one instant of time
In this case study timing conditions are used solely to supervise the movement of devices For
this purpose it is sucient to use abstract timer actions like for example StartTimerTable and
TimeOutTable If more complicated real time computations are necessary real time may be
modeled by introducing a real valued variable t representing the current time as in AL	
  Modeling Sensors and Actuators
The sensors and actuators occurring in the production cell may be divided into  types
 Boolean sensors
 trac lights
 belt motors moving in one direction
 motors moving in two directions eg the vertical table movement
 motors supervised by an intelligent sensor eg the horizontal table movement and
 the alarm signal set by the controllers in case of failure and reset by the environment after
repair
Because all sensors and actors are needed in the sequel they are now briey introduced
Sensors
About Boolean sensors the task description says
Boolean sensors may fail In this case they return a zero value
Thus three states are to be distinguished  a sensor may detect something it may work but not
detect anything or it may be defect From the controllers view the last two states can not be
distinguished This is reected by the fact that a controller reading the sensor value in both
states gets  as a result
In the following specication the variable sensor denotes the actual state the sensor is in whereas
the variable s denotes the value visible to the controllers
Block Sensor
Declarations
Variables
Write sensor  fdetecting not detecting defectg
Write s  Boolean
Transitions
 true  sensor
 
	 f detecting not detecting defect g k
If sensor
 
 detecting Then s
 
Else  s
 
End
An immediate consequence from this specication is the property
  sensor  detecting  s 
denoting the fact that the recognition of plates or positions is trustworthy A visualization of
block Sensor is given in Figure 
detecting, true
defect, false
not_detecting, false
Figure  BTS corresponding to block Sensor
The specication for the Boolean sensor is used  times within the production cell
Sensor Location Function
s  s feed belt detect plate at beginning  end
s table detect plate
s  s table detect position at bottom  top
s s press press detect plate
s  s	  s s  s  s press press detect position at bottom  middle  top
s  s	 deposit belt detect plate at beginning  end
Remark  According to the command sensor
 
 fdetecting not detecting defecg
a sensor in general can change its state arbitrarily This is no longer true when the sensor
is placed in some concrete environment namely as part of a physical device Eg
 The sensor detecting whether the table is in top position can only be in state detecting
if the table actually is there
  sensor  detecting  pos t v  at top 
 A plausible but not used error scenario
 sensor  defect
Remark  To detect plates the sensors used in this case study register changes of an electro
magnetic eld when plates come close If they are defect they report no plate Another
type of sensors photo electric cells report plate in case they are defect Thus this kind
of sensor is modeled by replacing
If sensor
 
 detecting Then s
 
Else 
 s
 
by
If sensor
 
 detecting Then 
 s
 
Else s
 

Combining the two types of sensors one obtains a perfect sensor in the sense that
both the presence and the absence of plates as well as a defect can be safely indicated
Let x y be the values emitted by a combination of a photo electric sensor x and an
electromagnetic sensor y
Then three situation can arise 





false false  no plate
true true  plate
true false  at least one sensor defect

Such combined sensors simplify the fault detection but are not used in practise for cost
reasons Therefore they were not considered in the case study
Remark  In case of the sensors s	 and s there is a kind of combination of two sensors
that barely makes sense Although the two sensors follow each other immediately in
the workow s is more important than s	 in that it also supervises the transfer from
the feedbelt to the table Furthermore sensor s	 might fail in stopping the feedbelt in
case the table is not yet ready for the next plate However increasing safety by starting
the feedbelt motor only after the table is ready for the next work piece makes sensor s	
superuous In order to make the feedbelt safe independent from the table it would be
reasonable to replace s	 by a photo electric cell
Trac Lights
According to the task description the trac lights may not fail
Therefore the following trivial specication may serve as a model
Block Trac Light
Declarations
Variables
Write light  fgreen redg Init red
Actions
In Set Light  fgreen redg
Transitions
 Set Light	light
 


End
Motors
Two kinds of motors occur in the case study the motors for the belts that may be running
stopped or defect and the motors moving components in two directions eg left and right or
up and down
running
stopped_defect
stopped
Motor(off)
Motor ?
Motor(on)
Motor(on) ?Motor(off) ?
Motor ?Motor ? Motor(on)Motor(off) ?
Figure  BTS corresponding to block Belt Motor Motoro$ abbreviates
Motoro  
Motor which is equivalent to 
Motoron Accordingly Motor$ abbrevia
tes Motor  
Motor which is equivalent to true
Block Belt Motor
Declarations
Variables
Write motor  fstopped running stopped defectg Init stopped
Actions
In Motor  fon og
Transitions
 Motor	on
   motor
 
	 f running stopped defect g
 Motor	o
   motor
 
	 f stopped stopped defect g
 true  motor
 
 stopped defect
 motor  stopped defect  motor
 
 stopped
End
Remark  State stopped defect of the Belt Motor models both a defect motor and a plate
that got stuck
Similarly there are motors that may move into two directions
Block Two Dirs Motor
Declarations
Variables
Write motor  fstopped dir dir stopped defectg Init stopped
Actions
In Motor  fdir dir stopg
Transitions
 Motor	dir
   motor
 
	 f dir stopped defect g
 Motor	dir
   motor
 
	 f dir stopped defect g
 Motor	stop
   motor
 
	 f stopped stopped defect g
 true  motor
 
 stopped defect
 motor  stopped defect  motor
 
 stopped
End
Finally a specication of the physical unit responsible for movements supervised by a sensor
eg the horizontal movement of the table is given In this case motor and sensor are modeled
together since the intelligent sensor is strongly linked to the motor by detecting defects of
motor and sensor Note that parameterization allows one generic block for an arbitrary number
of positions the table has  horizontal positions whereas the robot distinguishes  positions
Block Supervised Motor
Parameters
N  Integer
pos name  Array	N
 Of String
Declarations
Variables
Write pos  N
Write s  String
WriteLocal motor  fdir dir stopg
Actions
In Motor  fdir dir stopg
Transitions
 Move	motor hist
 


 s 
 pos err  Case
 motor hist
 
 dir  pos
 
 pos  pos    pos
 
 pos  
 motor hist
 
 dir  pos
 
 pos  pos  N  pos
 
 pos  
 motor hist
 
 stop  pos
 
 pos
End k
s
 
 pos name	pos
 

  s
 
 pos err
 s  pos err  s
 
 pos name	pos

Formulas


i N
pos name	i
 
 pos err


i N
 	 posi  	motor  dir Unless pos  i
  	s 
 pos err

  pos i 



i N
 	 posi  	motor  dir Unless pos  i
  	s 
 pos err

  pos i 

End
Remark  According to the task description the sensor detects both failures of the motor
and failures of itself
Remark  Because the supervised motor has some knowledge about its position it is possi
ble to state two general liveness properties stating that given it moves continuously from
position i towards position i i  and innitely often does not fail then eventually it
reaches position i  i  These formulas may be rened for concrete instances of the
block whenever upper time bounds for the movements are known as for example for the
horizontal movement of the table
The Alarm Signal
The task description of the alarm signal says that
 it should be switched on by the control programs if a failure is detected
 it can only be switched o by the user
 it can not fail itself and
 switching o the alarm signal means that all devices are repaired
Because the alarm signal may not fail it is sucient to consider the two states green
and red that are visible to the environment Controllers only report alarms if the
alarm light is green and thereby cause a state change to red Vice Versa if the
alarm light is red then the user can reset the alarm by means of a Repaired action
Module Alarm Signal
Declarations
Variables
Write s  fgreen redg Init green
Actions
In FB Alarm T Alarm Robot Alarm  	

In Press Alarm Press Alarm DB Alarm  	

In Repaired  	

Abbreviations
Alarm  FB Alarm  T Alarm  Press Alarm 
Press Alarm  Robot Alarm  DB Alarm
Transitions
 f s  green g Alarm   s
 
 red
 f s  red g Repaired   s
 
 green
End
   Modeling the Devices
For brevity the description of the devices focuses on the feedbelt and the table This comple
ments the specications given in CH	 for the robot and the press of the original production
cell
To model the devices the blocks specifying the sensors and actuators have to be instantiated
appropriately and their behavior has to be described in the context of the device they are part
of
For example the physical feedbelt contains two Boolean sensors a trac light and a belt motor
However these are not arranged by chance but depend on and inuence each other Expressed
otherwise the set of possible behavior of the subcomponents of the feedbelt is restricted by
their special architecture For example plates are transported towards sensor s at the end and
not in the opposite direction To relate movement and possible sensor values of the feedbelt a
variable fb state is introduced It describes whether and where there are plates The possible
behavior of the feedbelt in accordance to the task description and physical or causality laws
are formulated in a transition section dening the next step relation and a formulas section
listing general temporal properties
The transitions given below imply eg that the number of plates is only increased if the trac
light is green This is assumed for any environment and thus xed in the description of the
feedbelt On the other hand the maximum time after which a new plate is delivered depends
on the concrete environment and is therefore considered as a part of the system assumptions


The rst  formulas describe that sensors can detect a plate only in case there is one and that
as long as they are not defect they only are in state not detecting if there is no plate The last
two assumptions exemplify two ways of describing the progress of the feedbelt Firstly if a plate
is on the belt when a timer is started and the motor at the end keeps running as long as there
is no timeout and the plate has not yet arrived at the end then a plate will eventually arrive
at the end The second liveness property states that if the motor is in state running innitely
often then each plate on the belt will eventually arrive at the end
The controller for the feedbelt presented in the next section further restricts possible behavior of
the feedbelt For example it will only allow one plate on the belt at a time given that initially
there is at most one plate Thus a property to be proven for the composition of the physical
feedbelt its controller and the system assumptions will be
 fb stateseveral plates 
plate_at_S1 plate_between plate_at_S2 several_plates
fb_motor=running
no_plate
fb_light=green fb_motor=running 
fb_motor=running
fb_light = green fb_light = green fb_light = green
Figure  Physically possible state changes of the feedbelt

Without such a time it would not be possible to distinguish the situation 	sensor s is defect
 from 	the
environment delivers no more plates

Module Feedbelt
Include Block Belt Motor
 Motor   FB Motor motor   fb motor
Include Block Sensor
s   s sensor   sensor
Include Block Sensor
s   s sensor   sensor
Include Block Trac Light
light   fb light Set Light   FB Set Light 
Declarations
Variables
Write fb state  fno plate plate at S plate between plate at S several platesg
Actions
In StartTimerFB TimeOutFB  	

Abbreviations
Plate Leaves FB  fb state  plate at S  fb state
 
 no plate
Initially
fb state 
 several plates
Transitions
 fb state  no plate  fb light  green  fb state
 
 plate at S
 fb state  plate at S  fb motor  running  fb state
 
 plate between
 fb state  plate between  fb motor  running  fb state
 
 plate at S
 fb state  plate at S  fb motor  running  fb state
 
 no plate
 fb state 	 f plate at S plate between plate at S g  fb light  green  fb state
 
 several plates
Formulas
  	 sensor  detecting  fb stateplate at S 

  	 sensor  not detecting  fb state 
plate at S 

  	 sensor  detecting  fb stateplate at S 

  	 sensor  not detecting  fb state 
plate at S 

 StartTimerFB  	 fb stateplate at S  fb stateplate between 
 
 	  TimeOutFB  fb state
 

 plate at S  fb motor  running 
 
  fb state
 
plate at S
  fb motor  running 
	 fb stateplate at S  fb stateplate between  fb stateplate at S 

End
Of course the modeling could also be done completely in temporal logic For example the table
might be specied as follows


Module Table
Include Block Two Dirs Motor
motor   motor t v Motor   Motor T V
Include Block Supervised Motor
N    motor   motor t h Motor   Motor T H s   s pos   pos t h
pos name   	 pos out pos feedbelt pos beltrobot pos robot pos out 

Include Block Sensor
s   s sensor   sensor
Include Block Sensor
s   s sensor   sensor
Include Block Sensor
s   s sensor   sensor
Declarations
Variables
Write state  fno plate one plate several platesg
Write pos t v  fbottom between topg
Actions
In StartTimerTable TimeOutTable  	

Abbreviations
Plate Arrives at Table  state  no plate  state
 
 one plate 
state 
 no plate  state
 
 several plates
Plate Leaves Table  state  one plate  state
 
 no plate 
state  several plates  state
 

 several plates
Assumptions
A pos t h 
 pos out
A  pos t v
 

 pos t v
 	 pos t v  bottom  motor t v  up  pos t v
 
 middle 
pos t v  middle  motor t v  up  pos t v
 
 top 
pos t v  middle  motor t v  down  pos t v
 
 bottom 
pos t v  top  motor t v  down  pos t v
 
 middle 

A  state
 

 state
 	 state  no plate  state
 
 one plate 
state  one plate  state
 
 several plates 
state  several plates  state
 
 one plate 
state  top  state
 
 no plate 

A  	 	 sensor  detecting  state 
 no plate 
 
	 sensor  not detecting  state  no plate 
 

A  	 	 sensor  detecting  pos t v  bottom 
 
	 sensor  not detecting  pos t v 
 bottom 
 


Actually I cheated a bit by just translating a set of transitions to logic resulting in A and A
A  	 	 sensor  detecting  pos t v  top 
 
	 sensor  not detecting  pos t v 
 top 
 

L StartTimerTable  Move T V	dir
  Move T H	dir
 
 	  TimeOutTable  pos t v 
 top  motor t v  dir 
 
 	  TimeOutTable  s 
 pos robot  motor t v  dir  s 
 pos err 

  	 pos t v
 
 top  s
 
 pos robot 

L StartTimerTable  Move T V	dir
  Move T H	dir
 
 	  TimeOutTable  pos t v 
 bottom  motor t v  dir 
 
 	  TimeOutTable  s 
 pos feedbelt  motor t v  dir  s 
 pos err 

  	 pos t v
 
 bottom  s
 
 pos feedbelt 

End
The instance of the supervised motor used in module Table is visualized in Figure 
2, pos_feedbelt 4, pos_robot
1, pos_out
3, pos_belt2robot
5, pos_out
1, pos_error
2, pos_error
5, pos_error
4, pos_error
3, pos_error
Figure  All possible state changes of the motor responsible for the horizontal movement of
the table given as pairs pos t h s
  Modeling the Production Cell
To model the complete production cell the same procedure as for the devices is necessary
Firstly the modules specifying the devices have to be instantiated appropriately Secondly the
behavior of the devices has to be related in the context of the production cell For example a
plate can only arrive at the table if a plate leaves the feedbelt The opposite is not true in
general since plates may be lost However to prove progress it is assumed that not all transfers
end up with a lost plate
Besides the system assumptions have to be specied Hereby the developer is required to decide
which properties should be encapsulated within the modules and which ones should be part of
the system assumptions The following examples may help in clarifying the distinction between
what is part of the specication of physical devices and what belongs to the specication of
system assumptions
Properties concerning physical devices should hold in any environment in order to increase the
reuse of the modules Typically they are local to the module
 A running motor nally reaches a certain position a liveness property
 A device continuously moved by a motor towards position X nally reaches this position
a liveness property
 At most one sensor at a time can signal press at position X Although the three sensors
indicating bottom middle and top position are independent it is physically impossible
that a press is in more than one position at a time an invariant
Typical system assumptions depend on the environment or the concrete architecture Often
they are global or temporary
 Initially a device is in a certain controllable state
For example the tables angle initially is somewhere between its position towards the
feedbelt and the position towards the robot
 Hypotheses concerning the operating system or hardware considered as part of the envi
ronment that is not explicitly modeled
For example no transmission errors in some message passing layer in the case study this
is assumed implicitly simply by not modeling a message passing layer 
 If the light at the feedbelt shows green then within some xed maximum time a user will
deliver a new plate
Excerpt of the system description
System Fault Tolerant Production Cell
Layer 



Layer 
Include Module Feedbelt
Include Module Table
Include Module Press
state press   state press pos press   pos press
Include Module Press
state press   state press pos press   pos press
Include Module Robot
Include Module Depositbelt
Include Module Alarm Signal
Systemassumptions
  Plate Arrives at T  Plate Leaves FB
 	   Plate Leaves FB
  	   Plate Arrives at T

  	 Arm Picks Up Plate From T  Plate Leaves T 

 	   Plate Leaves T
  	   Arm Picks Up Plate From T 

 fb stateplate at S Until fb stateplate at S  fb light  red
 fb motor 
 running



End
 The Specication of Controllers
 The Supervised Transfer Protocol
Any plate that runs through the production cell is transferred  times from one device to the
next The following table sums up these transfers
Source Target Active Supervision Remarks
environment feed belt environment feed belt s special case
feed belt table feed belt table s
table robot robot table s restricted supervision
robot press robot press s or s
press robot robot press s or s restricted supervision
robot deposit belt robot deposit belt s
deposit belt environment deposit belt s	 environment special case
For all transfers one of the two devices plays the active role of dropping or picking up the
plate whereas the second device can make use of a sensor to detect whether the transfer was
successful This suggests a simple protocol proceeding in three phases
 The passive device signals its readiness to take part in the transfer by sending
Ready For Transfer
 As soon as the active device also is ready it sends Transfer Started and begins handing
over the plate
 On receiving Transfer Started the passive device starts a timer At latest at timeout it
uses its sensor to decide whether the transfer was successful In case the sensor indicates
that the plate was handed over the controller sends Transfer Completedsuccess imme
diately In case of a timeout both a sensor failure or the loss of the plate or both
might have occurred Therefore the decision whether to send Transfer Completedsuccess
or Transfer Completedfail is postponed until error recovery is signaled by the alarm light
At that time the sensor values are assumed to be trustworthy see next section and thus
allow a safe decision concerning the outcome of the transfer
Unfortunately this strategy has a aw for the transfers towards the robot because the sensors
at the table s and the press s or s might break down during transfer that is exactly
when they are expected to change their value from true to false If for example s breaks down
just when the robot tries to grasp the plate then both the table and the robot leave the transfer
point although it is not guaranteed that the robot has picked up the plate If the plate can
not be delivered to the press which can be supervised by the press then either the plate is
still on the table and s is defect or the plate was lost by the robot or the sensor of the press
is defect Due to the rst case the table controller may not signal Ready For Transfer to the
feedbelt controller before it gets acknowledged whether the plate was successfully transfered to
the press or not
Interface TransferInterface
Declarations
Variables
History h  f busy ready transfer g Init busy
Actions
In Ready For Transfer  	

Out Transfer Started  	

In Transfer Completed  fsuccess failg
Transitions
 f h  busy g Ready For Transfer   h
 
 ready
 f h  ready g Transfer Started   h
 
 transfer
 f h  transfer g Transfer Completed   h
 
 busy
End
This interface is used  times in the case study For example the instance used by the feedbelt
controller is given by
Include Interface TransferInterface
Ready For Transfer  T Reached FB
Transfer Started  Plate Leaving FB
Transfer Completed  Transfer FBT
  The Error Handling Strategy
The error handling strategy depends heavily on the failure model The specication of this
failure model may be explicit or implicit For example in the task description it is said that
plates do not fall from belts besides at the end
To express this property explicitly one has to add some state plates on oor to the variable
fb state in the specication of the feedbelt Because no transitions allows to enter this state one
might deduce the invariant
fb state  plates on oor    fb state  plates on oor 
Instead of introducing a state that never is entered only to express a property directly this state
was simply omitted Similarly the situation a plate got stuck on the feedbelt is not modeled
explicitly besides the fact that this failure might happen according to the task description
However from the controllers view this situation can not be distinguished from the situation
defect belt motor Thus to keep the modeling simple the former situation is rather considered
a possible cause on the basis of which the controller might deduce that the motor is broken
For the design of the controllers the following two failure assumptions stated in the task des
cription were crucial
 initial steps of the controllers are safe in a sense that all sensors are trustworthy and
 the same is true for all steps the controllers take when the alarm signal is reset to green
after an error occurred
This may be expressed explicitly in temporal logic For example
   fb phase  f limbo init limbo limbo transport g
 sensor  defect  sensor  defect 
   fb error  s  green  sensor  defect  sensor  defect 
   t phase  limbo  sensor  defect  sensor  defect 
sensor  defect  s  pos err 
   t error  s  green  sensor  defect  sensor  defect 
sensor  defect  s  pos err 



From this the following simple error handling strategy is commonly applied for all controllers
 Initially the controllers may take a safe step because they may rely on the sensor values
due to the assumptions
 Then the controllers run until they detect an error
 The controllers stop any movements and change to error mode In error mode they wait
for the alarm light to be set to green
 After the alarm light is reset to green the controllers do a safe step again
Some notes concerning the error handling strategy
Remark  Errors are dealt with locally whenever possible If for example a motor of the
table breaks down the table controller does not inform the feedbelt that it is broken Rather
the sending of T Reached FB is suppressed This way the transfer protocol between the
two controllers is independent of temporary errors of one of the components
Remark  The values of the alarm light are ignored whenever components have not detected
an error previously Again this serves local error recovery
Remark  The controllers typically work in phases ie they cyclicly perform a set of tasks
The interpretation of incoming signals and thus the error handling of the components
depends on the actual phase  for example when the table is moving and the sensor s
changes its value from  to  indicating that a plate has left the table then it is concluded
that the sensor is broken In phase deliver plate this change could also occur due to the
fact that the sensor breaks down The controller however assumes that it occurred due to
the robot picking up the plate
Finally a complete list of situations is given where local errors can be detected s is an arbitrary
sensor pl a sensor signaling the existence of a plate
Error Situation from controllers view Detection Examples
sensor device stopped immediate feedbelt waiting for table
s followed by s and plate at end s	
table waiting in top position s
sensor device moving immediate table moving with plate s
pl followed by pl
sensor device stopped timeout feedbelt waiting for plate
pl expected but pl continuously from environment s
motor device moving s continuously timeout feedbelt running plate at end s	
table moving downwards
in top position s
motor or device moving timeout table moving upwards s	
sensor s expected but s continuously vertical motors
feedbelt running plate between
belt motors	
 The Feedbelt Controller
FB_Controller
Feedbelt
s21
FB_Motor(on/off)
FB_Set_Light(green/red)
s1
s2
T_Reached_FB
Transfer_FB2T(success/fail)
Plate_Leaving_FB
SensorBelt_MotorTraffic_Light Sensor
TimeOutGet
TimeOutFB
TimeOutDel
FB_Alarm
Alarm_Signal Global_Timer
FB_Error
StartTimerGet
StopTimerGet
StartTimerFB
StopTimerFB
StartTimerDel
StopTimerDel
Figure  Architecture of the Feedbelt
The strategy of the feedbelt controller is best understood looking at the dierent phases that
the controller passes through
limbo init Initially the controller reads its sensor values which are assumed to be trustwor
thy According to these sensor values all phases besides get plate are reachable
get plate is unreachable because even in case there are no plates at start or at
the end it is still possible that there is a plate between The controller thus
decides to nd out by changing to state limbo or limbo transport Hereby it
is assumed that there is at most one plate on the feed belt initially
limbo The controller does not know whether there is a plate on the belt Thus it
waits for the table controller signaling that the table is in position pos feedbelt
Then phase limbo transport is entered the belt motor is started and a timer is
started
limbo transport In this phase the controller waits for either sensor s signaling that a plate has
arrived at the end or for a timeout In case of timeout the controllers decides
that there is no plate and thus changes to get plate That is the controller stops
the belt sets the trac light to green and starts a timer set to the maximal
time the environment needs to deliver the next plate
get plate The controller waits for the environment to deliver a new plate Now either
sensor s indicates that the plate was put on the belt or a timeout signals that
sensor s must be defect In the former case the motor is started together with
a timer that gets set to the maximal time a plate needs to reach sensor s at
the end of the belt Thereby phase transport is entered
transport The controller waits until either a plate reaches sensor s or a timeout signals
that either the motor or sensor s is defect If the plate has reached the end wi
thout failure either phase waiting at end or phase deliver are entered depending
on the state of the table
waiting at end Phase waiting at end describes the situation where a plate is at the end but
the table is not ready to get it If sensor s breaks during this phase it is
immediately recognized As soon as the table gets ready the belt motor is
started and phase deliver is entered In addition a timer is set that supervises
that the motor does not break down while the plate is still at sensor s
deliver This phase is entered with the motor running and the table being ready If
sensor s indicates no plate then the supervision of the transfer is passed
to the table controller by sending Plate Leaving FB Phase deliver is left after
the table has send Transfer FB	T
success In case of Transfer FB	T
fail the
controller switches to error mode as is the case for any other error
The possible changes are visualized in Figure 	
limbo limbo_transport waiting_at_end/\      errorlimbo_init
deliver
/\      error
get_plate
/\      error
transport
/\      error
waiting_at_end
/\ error
deliver
/\ error
get_plate
/\ error
transport
/\ error
Figure 	 The dierent phases of the feedbelt controller
Module Feedbelt Controller
Include Interface TransferInterface
Ready For Transfer   T Reached FB
Transfer Started   Plate Leaving FB
Transfer Completed   Transfer FBT
h   table
Declarations
Variables
Read s s  Boolean
Read s  fred greeng
Write fb error  Boolean Init false false
Write phase  flimbo init limbo limbo transport get plate transport
waiting at end deliver plateg Init limbo init
Actions
Out FB Set Light  fred greeng
Out FB Motor  fon og
Out FB Error  String
Out FB Alarm  	

Out StartTimerFB StartTimerGet StartTimerDel  	

Out StopTimerFB StopTimerGet StopTimerDel  	

In TimeOutFB TimeOutGet TimeOutDel  	

Transitions
 phase  limbo init  s  green  FB Set Light	red
 jj
Case
 s  phase
 
 transport jj FB Motor	on
 jj StartTimerFB
 s  table  busy  phase
 
 waiting at end jj FB Motor	o

 s  table  ready  phase
 
 deliver jj FB Motor	on
 jj StartTimerDel
 s  s  table  busy  phase
 
 limbo jj FB Motor	o

 s  s  table  ready  phase
 
 limbo transport jj FB Motor	on
 jj StartTimerFB
End
 phase  limbo  table  ready
 phase
 
 limbo transport jj FB Motor	on
 jj StartTimerFB
 phase  limbo transport  s  table  ready
 phase
 
 deliver jj StopTimerFB jj StartTimerDel
 fb error  phase  get plate  s
 phase
 
 transport jj FB Motor	on
 jj FB Set Light	red
 jj StopTimerGet jj StartTimerFB
 TimeOutGet   If fb error  phase  get plate  s
Then 	 FB Set Light	red
 jj FB Error	S
 

 fb error  phase  transport 
Case
 s  table  busy  phase
 
 waiting at end jj FB Motor	o
 jj StopTimerFB
 s  table  ready  phase
 
 deliver jj StopTimerFB jj StartTimerDel
End
 TimeOutFB  
Case
 phase  limbo transport  s  phase
 
 get plate jj FB Motor	o
 jj
FB Set Light	green
 jj StartTimerGet
 fb error  phase  transport  s  FB Motor	o
 jj FB Error	S or motor

 fb error  phase  transport  s  FB Motor	o
 jj FB Error	motor

End
 fb error  phase  waiting at end
 If s  table  ready Then 	 phase
 
 deliver jj FB Motor	on
 jj StartTimerDel 
 jj
If s Then 	 FB Error	S
 

 fb error  phase  deliver 
Case
 s  table  busy  phase
 
 get plate jj FB Motor	o
 jj StopTimerDel jj
FB Set Light	green
 jj StartTimerGet
 s  table  ready  FB Motor	o
 jj StopTimerDel jj Plate Leaving FB
End
 TimeOutDel   If fb error  phase  deliver  s Then 	 FB Motor	o
 jj FB Error	motor
 

 FB Error  Transfer FBT	fail
   fb error
 
jj StopTimerGet jj StopTimerFB jj StopTimerDel
 fb error  s  green  fb error
 
jj
Case
 phase  get plate  s  phase
 
 transport jj FB Motor	on
 jj
StartTimerFB
 phase  get plate  s  StartTimerGet jj FB Set Light	green

 phase  transport  s  FB Motor	on
 jj StartTimerFB
 phase  transport  s  table  busy  phase
 
 waiting at end
 phase  transport  s  table  ready  phase
 
 deliver jj FB Motor	on
 jj StartTimerDel
 phase  waiting at end  table  ready  phase
 
 deliver jj FB Motor	on
 jj StartTimerDel
 phase  deliver  s  FB Motor	on

 phase  deliver  s  table  busy  phase
 
 get plate jj FB Set Light	green
 jj
StartTimerGet
End
 FB Error   If s  green Then 	 FB Alarm 

End
 The Table Controller
The main block of the table controller is organized in phases similar to the feedbelt controller
Two instances of the transfer interface are used to communicate with the feedbelt and the robot
controller The two blocks Feedbelt History and Robot History are projections of these instances
of the transfer interface that additionally start a timer to supervise the transfer of the plate
Besides the block Motor History supervises the movement of the table Especially the vertical
movement is supervised by starting a timer each time Motor T Vdir or Motor T Vdir	 is
emitted
The phases of the table controller are similar to those of the feedbelt controller Initially or in
case of reset the controller may rely on the sensor values and can immediately decide which of the
other phases to enter In phase get plate the delivering of a plate from the feedbelt is supervised
by sensor s and timer StartTimerFB	T After a successful transfer the table moves towards the
robot phase transport and by arriving there sends T Reached R to the robot controller and
enters phase deliver plate If the sensor s signals no plate after the robot started to pick up
the plate then the movement back to the feedbelt is started phase move back On reaching
the feedbelt phase wait for press is entered If the robot already has signaled that the plate
was successfully passed to one of the presses then phase get plate can be entered immediately
Otherwise the acknowledgment of either success or failure of this transfer to the press is waited
for In the latter case the controller enters error mode instead of phase get plate
Module Table Controller
Include Inverted Interface TransferInterface
Ready For Transfer   T Reached FB
Transfer Started   Plate Leaving FB
Transfer Completed   Transfer FBT
Include Inverted Interface TransferInterface
Ready For Transfer   T Reached R
Transfer Started   Plate Leaving T
Transfer Completed   Transfer TR
Block Feedbelt History
Declarations
Variables
History h transferFromFB  fstarted nishedg Init nished
Local t transfer FBT start  Real
Transitions
 f h transferFromFB  nished g Plate Leaving FB
 
StartTimerFBT jj h transferFromFB
 
 started
 f h transferFromFB  started g Transfer FBT
 
StopTimerFBT jj transferFromFB
 
 nished
End
Block Robot History
Declarations
Variables
History h transferToR  fstarted nishedg Init nished
Local t transfer TR start  Real
Transitions
 f h transferToR  nished g Plate Leaving T
 
StartTimerTR jj h transferToR
 
 started
 f h transferToR  started g Transfer TR
 
StopTimerTR jj h transferToR
 
 nished
End
Block Motor History
Declarations
Variables
Local moving v moving h  Boolean Init false false
Actions
Out Motor T H  fdir dir stopg
Out Motor T V  fdir dir stopg
Transitions
 Motor T V	stop
   moving v
 
k StopTimerTable
 Motor T V	dir
  Motor T V	dir
   moving v
 
k StartTimerTable
 Motor T H	stop
   moving h
 
 Motor T H	dir
  Motor T H	dir
   moving h
 
End
Declarations
Variables
Read s s s  Boolean
Read s  fred greeng
Read s  String
Read t  Real
Write t error  Boolean Init false
Write phase  flimbo get plate transport deliver plate
move back wait for press g Init limbo
Local plate reached press  Boolean
Actions
Out T Alarm  	

Out T Error  String
In TransferPress  f success fail g
Out StartTimerFBT StartTimerTR StartTimerTable  	

Out StopTimerFBT StopTimerTR StopTimerTable  	

In TimeOutFBT TimeOutTR TimeOutTable  	

Transitions
 phase  limbo  t error  s  green

t error
 
jj
Case
 s  s  s  pos feedbelt  If t error Then	 phase
 
 wait for press 

Else	 phase
 
 get plate jj T Reached FB 
 jj
Motor T H	stop
 jj Motor T V	stop

 s  s  s 
 pos feedbelt  phase
 
 move back jj Motor T H	dir
 jj
Motor T V	stop

 s  s  s  pos feedbelt  phase
 
 move back jj Motor T H	stop
 jj
Motor T V	dir

 s  s  s 
 pos feedbelt  phase
 
 move back jj Motor T H	dir
 jj
Motor T V	dir

 s  s  s  pos robot  phase
 
 deliver plate jj T Reached R jj
Motor T H	stop
 jj Motor T V	stop

 s  s  s 
 pos robot  phase
 
 transport jj Motor T H	dir
 jj
Motor T V	stop

 s  s  s  pos robot  phase
 
 transport jj Motor T H	stop
 jj
Motor T V	dir

 s  s  s 
 pos robot  phase
 
 transport jj Motor T H	dir
 jj
Motor T V	dir

End
 t error  phase  get plate  s
 phase
 
 transport jj Motor T H	dir
 jj Motor T V	dir
 jj Transfer FBT	success

 TimeOutFBT   If t error  phase  get plate  s  h transferFromFB  started
Then 	 T Error	S and FB motor or loss or S
 jj Transfer FBT	fail
 

 t error  phase  transport  s  s 
 pos err

Case
 s  moving v  Motor T V	stop

 s  pos robot  moving h  Motor T H	stop

End jj
If s  s  pos robot Then	 phase
 
 deliver plate jj T Reached R 

 t error  phase  transport   s  s 
 pos err  T Error	S

 t error  phase  transport   s  s  pos err  T Error	S and MS

 t error  phase  transport  s  s  pos err  T Error	MS

 TimeOutTable  
Case
 t error  phase  transport  s  s 
 pos err  T Error	S or V Motor

 t error  phase  transport  s  s  pos err  T Error	S or V Motor AND MS

 t error  phase  transport s  s 
 pos err  T Error	S AND S or V Motor

 t error  phase  transport s  s  pos err  T Error	S AND S or V Motor AND MS

End
 t error  phase  deliver plate  h transferToR  started  s
 phase
 
 move back jj Motor T H	dir
 jj Motor T V	dir
 jj Transfer TR	success

 TimeOutTR   If t error  phase  deliver plate  h transferToR  started  s
Then 	 T Error	Plate not picked up
 jj Transfer TR	fail
 

 t error  phase  move back  s 
 pos err

Case
 s  moving v  Motor T V	stop

 s  pos feedbelt  moving h  Motor T H	stop

End jj
If s  s  pos feedbelt  Then	 phase
 
 wait for press 

 TransferPress	success
   plate reached press
 
 t error  phase  wait for press  plate reached press
 plate reached press
 
jj phase
 
 get plate jj T Reached FB
 t error  phase  move back  s  pos err  T Error	MS

 TimeOutTable  
Case
 t error  phase  move back  s 
 pos err  T Error	S or V Motor

 t error  phase  move back  s  pos err  T Error	S or V Motor AND MS

End
 T Error  TransferPress	fail
   t error
 
jj If s  green Then 	 T Alarm 
 jj
If moving v Then 	 Motor T V	stop
 
 jj
If moving h Then 	 Motor T H	stop
 

End
 The Complete System
The complete system is obtained by instantiating the modules according to the concrete layout
of the case study
System Fault Tolerant Production Cell
Layer 
Include Module Feedbelt Controller
phase   fb phase
Include Module Table Controller
phase   t phase
Include Module Press Controller
phase   p phase P Motor   P Motor
s top   s s middle   s s bottom   s s plate   s 
Include Module Press Controller
phase   p phase P Motor   P Motor
s top   s s middle   s s bottom   s s plate   s 
Include Module Robot Controller
phase   r phase
Include Module Depositbelt Controller
phase   r phase
Layer 
Include Module Feedbelt
Include Module Table
Include Module Press
state press   state press pos press   pos press P Motor   P Motor
s top   s s middle   s s bottom   s s plate   s 
Include Module Press
state press   state press pos press   pos press P Motor   P Motor
s top   s s middle   s s bottom   s s plate   s 
Include Module Robot
Include Module Depositbelt
Include Module Alarm Signal
Systemassumptions
  Plate Arrives at T  Plate Leaves FB
 	   Plate Leaves FB
  	   Plate Arrives at T

  	 Arm Picks Up Plate From T  Plate Leaves T 

 	   Plate Leaves T
  	   Arm Picks Up Plate From T 

  	 fb stateplate at S  fb light  green  fb state
 
 plate at S 

 fb motor 
 running
  	 fb phase 	 f limbo init limbo limbo transport g  fb error  s  green
 sensor
defect  sensor
defect  fb motor 
defect 

  	 t phase  limbo  t error  s  green
 sensor 
 defect  sensor 
 defect  sensor 
 defect  s 
 pos err 

End
Only one of the system assumptions needs further explanation In the model of the feedbelt the
state several plates can be entered only if the trac light at the beginning of the belt shows green
However this is not sucient to disallow several plates on the belt because the environment
could place several plates onto the belt within one green phase To avoid this the system
assumption
  fb stateplate at S  fb light  green  fb state
 
 plate at S 
is added For the states plate between and plate at S the feedbelt controller takes care that
there is no green light
 Compilation
In CHB	b a tool is described that allows to compile TLT specications to the language C and
the supporting library MPI for Message Passing Interface MPI is a publicdomain library for
message passing in a distributed environment GLS	 In order to implement the specications
using this tool the specications for the controllers as presented above have to be changed to
some extend
 MPI does not support enumeration types Thus all enumeration types got coded as inte
gers
 For the same reason variables must be coded as actions
 One additional TLT module is needed to gather the inputs and outputs to the simulation
of the production cell
 Since the transmission times over the LAN far exceed cpu times necessary to compute
the control values all transmissions of the controllers to this extra module need to be
packed together wherever possible
 Verication
In this section some samples of verication tasks are presented The proofs for these samples
make use of the intuitiveness of abstract Boolean transition systems wherever possible
As an example of a more demanding invariant it will be proven that
 fb state several plates
holds for the production cell That is strictly speaking it is shown that
 Fault Tolerant Production Cell   fb state several plates
but for simplicity the premise  Fault Tolerant Production Cell is omitted in all formulas of this
section
Intuitively the property holds because it is assumed to hold initially and afterwards the feedbelt
controller takes care not to allow a second plate on the belt
That the property holds initially follows immediately from the feedbelt as modeled in Section
 Now assume there is a transition that violates the property that is
  fb state several plates  fb state
 
 several plates 
From the programming text of the feedbelt model or from the BTS representation in Figure 
it is also obvious that the state fb state  several plates is entered only in case the trac light
at the beginning of the feedbelt shows a green light That is
   fb state several plates  fb state
 
 several plates  fb light  green 
fb_phase = get_plate
/\
fb_light = green
       FB_Set_Light(red)
 
 
 
 
 
 
 FB_Set_Light(red)
    FB_Set_Light(green)
fb_phase = get_plate
/\
fb_light = red
       FB_Set_Light(green) fb_phase = get_plate/\
fb_light = red
       FB_Set_Light(green)
    FB_Set_Light(red)
    FB_Set_Light(red)
fb_phase = get_platefb_phase = get_plate
       FB_Set_Light(green)
fb_light = red
fb_light = green
FB_Set_Light(green) FB_Set_Light(red)
FB_Set_Light(red)
FB_Set_Light(green)
       FB_Set_Light ?
       FB_Set_Light(red)
    FB_Set_Light(green)
Feedbelt Traffic Light:
Feedbelt Controller:
Product Automaton:
fb_phase = get_plate
/\
fb_light = green     FB_Set_Light(green)
       FB_Set_Light
    FB_Set_Light(red)
 
 
 
 FB_Set_Light(green)
Figure  On top the BTS for the trac light is shown In the middle there is an
abstract BTS for the feedbelt controller In the product of the upper two BTS the state
fb
l
ight  green  fb
p
hase  get plate is not reachable
Taking a look at the feedbelt controller the trac trac light is set to green only if phase
get plate is entered The abstract BTS in the middle of Figure  captures this situation The
behavior of the trac light is given at the top of that gure In the product of the two BTS as
shown at the bottom only three states are reachable and indeed
   fb light  green  fb phase  get plate 
That is together with 
   fb state several plates  fb state
 
 several plates  fb phase  get plate 
Next the following invariant may be deduced from Figure 
fb_state
fb_phase
limbo_init limbo limbo_transport waiting_at_end deliver get_plate transport
no_plate
plate_at_S1
plate_between
plate_at_S2
several_plates
fb_motor = running
sensor1=defect /\ sensor2=defect
fb_light=red fb_light=red
I
n
v
a
r
ia
nt
s
Figure  The product of the feedbelt and the feedbelt controller with respect to the va
riables fb state and fb phase Only transitions leaving reachable states are shown On the
bottom some invariants used to reduce the number of transitions are given Of these inva
riants fb phase  flimbo init limbo limbo transportg  sensor  defect  sensor	  defect is
a system invariant whereas the other two ones follow from Figure  and Figure  respec
tively
   fb phase  get plate  fb state  plate between  fb state  plate at S 
That is together with  and the model of the feedbelt
   fb state  several plates  fb state
 
 several plates
 fb state  plate at S 
Together with 
   fb state several plates  fb state
 
 several plates
 fb light  green  fb state  plate at S 
But this contradicts the system assumption
fb stateplate at S Until fb stateplate at S  fb light  red
 
Mostly invariants are easier to prove For example the invariant
  Transfer FBT  fb state  deliver 
can be proven directly by use of one suitable abstract BTS as shown in Figure 
As a last example the invariant
  fb error  fb motor  running 
is easily deduced from the invariant
 fb motor  running  fb phase  f limbo transport deliver transport g 
that restricts the phases in which the motor might be running this invariant is validated by
Figure  Initially 
fb error and thus the invariant holds But immediately from the code
of the feedbelt controller one can verify that it is not possible to enter an error state in one of
the phases in which the motor might be running without stopping the motor
  
 fb error  fb error
 
 fb phase
 
 f limbo transport deliver transport g
 FB Motoro 
fb_phase = deliver
/\
table = ready
       Plate_Leaving_FB
fb_phase = deliver
/\
table = busy
fb_phase = deliver
/\
table = busy
    Transfer_FB2T
fb_phase = deliver
/\
table = ready
    T_Reached_FB T_Reached_FB
fb_phase = deliverfb_phase = deliver
table = busy
table = ready
T_Reached_FB
table = ready /\ 
Plate_Leaving_FB ?
\/    Pl_Leaving_FB
       table = busy
table = transfer
    Transfer_FB2T
       Plate_Leaving_FB
fb_phase = deliver
/\
table = transfer
fb_phase = deliver
/\
table = transfer
T_Reached_FB T_Reached_FB
table = ready
    Transfer_FB2T    Transfer_FB2T
Figure  At the bottom one possible abstract BTS to validate the invariant
Transfer FB	T  fb state  deliver is given It results from taking the product of the transfer
interface on top with a suitable abstraction of the feedbelt controller middle
fb_motor
fb_phase
limbo_init limbo limbo_transport waiting_at_end deliver get_plate transport
= running
= running
Figure  The product of the feedbelt motor and the feedbelt controller with respect to the
variables fb motor and fb phase Only transitions leaving reachable states are shown From the
product it follows especially that fb phase  get plate  fb motor  running holds for the
production cell
Chapter 
Conclusion and Further Work
The temporal language of transitions is a modular specication language that combines the
expressiveness of synchronous languages like Signal or Esterel with the expressiveness of state
based languages like UNITY The programming view allows to describe the behavior of mo
dules in an operational style using two kinds of transitions The interaction of the modules can
be formulated with assumptioncommitment protocols in interfaces The programming view is
linked to a linear temporal logic and to an automata format To achieve a direct correspondence
of the main language constructs both logic and automata are extended to deal with actions and
transitions The logic also gets used for the consistency conditions and properties of the modules
Finite automata can be extracted directly from the programming notation Parameterization
eases to deal with repeating structures
However the framework presented in this thesis is too general to be used in nowadays highly
specialized software business The two main obstacles hereby are that
 some concepts like the notion of fairness are too demanding and too new for many users
in a special application domain and conversely
 domain specic concepts the users are familiar with are missing
For short TLT needs to be adjusted to specic domains The remainder of this thesis gives
some hints of how this could be achieved in the domain of control systems

  Relationship to IEC    IEC  
Until recently control systems were programmed almost exclusively using either relay ladder
diagrams or instruction lists an assembly language Even with the emergence of the pro
gramming standard IEC  in 		 the programming of control systems was restricted to a
paradigm that only knew variables as a communication means
A typical control application in the context of IEC  is captured by the following continuous
function chart
The scheduling of such an application can be described as a TLT specication as follows
 Schedule App   v
 
FBx  w
 
FByv
 
  z
 
FBv
 
w
 


FB1
FB2
FB3
x
y
z
w
v
Figure  Contionuous function charts timers or adders
where Schedule App is caused by the real time operating system of a PLC typically some
programs are scheduled cyclically whereas others get scheduled interrupt driven or eg at
starting time
Actually this representation is already an abstraction In reality the execution of a function
block is not considered to be atomic although function blocks mostly are guaranteed to ter
minate within a given number of processor cycles Even worse within function blocks global
variables might be changed IEC  function blocks are by no means fully abstract Thus
the execution order may be crucial and has to be dened explicitly If the execution sequence
in the above would dier from the one suggested by the dataow and be say FB	 FB FB
then the scheduling of the program might be specied as
 Schedule App   v
 
FBx  w
 
FByv  z
 
FBv
 
w
 
 
That is function block FB	 relies on the old value of the variable v
The main disadvantage of the IEC  is however that in order to realize communication
between dierent programmable logic controllers extra communication function blocks have
to be used to simulate events The use of these communication function blocks is somewhat
articial and makes the IEC  languages not well suited for distributed control systems This
drawback made necessary the denition of a second norm called IEC 		 Since July 		 a
rst draft of this norm is available It facilitates communication by allowing the use of signals
in the norm called events The overall model of a function block according to IEC 		 is
shown in Figure 
IEC 		 function blocks are divided into an execution control chart and a set of algorithms
typically these are ordinary IEC  function blocks On each incoming signal a correspon
ding Boolean valued history variable is set to true Together with each signal a set of variables
gets sampled again by updating corresponding history variables With each state of the control
chart a set of algorithms is associated that get executed if the execution control chart enters
the state On termination of these algorithms output signals may be sent Afterwards the
execution control chart changes its state depending on its actual state the values of the history
variables and the values of internal variables of the algorithms
Algorithms
Execution
Control 
Chart
Input Signals
Input Variables Output Variables
Output Signals
History Variables
Figure  An IEC 		 function block
The execution control charts used in the norm IEC 		 can be described easily as TLT speci
cations This way the graphical representation introduced in IEC 		 is given some formal
semantics that may be used to formally reason about the distribution aspects of control app
lications described that way Notwithstanding the local algorithms could still be described as
function blocks using the established languages of IEC 

Appendix A
Technical Details
This appendix summarizes some purely technical proofs left out in the main text
Lemma 	Stutter Invariance
Let  be an arbitrary valuation of Vars and 
 
a valuation of Vars
 
such that 
 
x
 
  x for
all x  Vars
Then  block 

		
 

or equivalently  

aVarsActs
Stuttera   block 
Proof
The lemma is checked for the two conjuncts of block separately
Firstly suppose the claim does not hold for some i in the rst conjunct 
env
 ie

s
i
 ev
i
 
assume
i
 
delay
i
 
Trlcmd
i
  

		
 


Then especially 
s
i
ev
i


		
 

 But that contradicts lemma 
Secondly  v
 
 v 

		
 

for all v  Ctr
V
block and 
A 

		
 

for all A  Ctr
Act
block
Therefore 

aCtr
block
Stuttera 

		
 

and thus also  
ctr
block 

		
 


 
Lemma Input Enabledness
 

 ijttj

s
i
 ev
i
 g
i
   
Ctr
 

block
block 
Proof
Let  	 
 
 be an arbitrary valuation Then two cases are distinguished
Firstly assume that  

 ijttj

s
i

ev
i
 

		
 


Then dene
,	A 

  A  Ctrblock
	A  A  Ctrblock
and
,

 
x 

x  x  Ctrblock

 
x  x  Ctrblock

	
Because all events are either Infor which ,	 agrees with  or Outevents for which ,	 agrees
with 	  

 ijttj

s
i

ev
i
 

	

	
 

continues to hold Thus  
env
block 

	

	
 


Because all controlled variables and actions stutter  
ctr
block 

	

	
 

holds too Together
 block 

	

	
 

and thus 
Ctr
 

block
block 

		
 


Now assume  


 ijttj

s
i
ev
i
  

 ijttj

s
i
 ev
i
 g
i
  

		
 


Then 
s
j
 ev
j
 g
j
  

 ijttj

s
i
 ev
i
 g
i
  

		
 

for some   j  jttj
With TT Consistency it follows that 
s
j
 ev
j
 g
j
  

 ijttj
ij

 
s
i
ev
i
 

		
 


From TT it follows that there is a valuation  )	
)

 
 with )	A  	A for all A  Ctrcmd
j

)

 
x  
 
x for all x  Ctrcmd
j
 and such that 
s
j
 ev
j
 g
j
 Trlcmd
j
  

	

	
 


Due to Ev also 

 ijttj
ij

 
s
i
 ev
i
 

	

	
 

and therefore   
s
j
ev
j
 g
j
 Trlcmd
j
   

 ijttj
ij

 
s
i
 ev
i
  

	

	
 


Dening ,	A 





)	A  A  Ctrcmd
j

  A  Ctrblock Ctrcmd
j

	A  else
and
,

 
x 





)
x  x  Ctrcmd
j

x  x  Ctrblock Ctrcmd
j


 
x  else

it holds that  block 

	

	
 

and thus 
Ctr
 

block
block 

		
 


 
Lemma 
Local progress may also be expressed explicitly as the fairness conditions
 LP WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
guard
i
Trlcmd
i
 
Proof
 LP WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
guard
i
Trlcmd
i
  /
gets translated to
WF


jttjijttjjgtj
guard
i
 


jttjijttjjgtj
guard
i
  Trl


jttjijttjjgtj
guard
i
 Trlcmd
i

This is equivalent to
WF


jttjijttjjgtj
guard
i
 


jttjijttjjgtj
guard
i
 


jttjijttjjgtj
guard
i
 Trlcmd
i

since Trlp  p for transition predicates p Furthermore


jttjijttjjgtj
guard
i
 Trlcmd
i
 implies


jttjijttjjgtj
guard
i
 Therefore / is equivalent to local progress
WF


jttjijttjjgtj
guard
i



jttjijttjjgtj
guard
i
 Trlcmd
i

It remains to be shown that F F and F hold for local progress
 F By denition


jttjijttjjgtj
guard
i
is a state predicate such that
FFV


jttjijttjjgtj
guard
i
  Ctr
V
block
 F By denition


jttjijttjjgtj
guard
i
 Trlcmd
i
 is a command such that
Ctr


jttjijttjjgtj
guard
i
 Trlcmd
i
  Ctrblock
 F 


jttjijttjjgtj
guard
i
 
Ctr
 

block
Trl


jttjijttjjgtj
guard
i
 Trlcmd
i
  
ctr
block 
holds
Let  be a model of


jttjijttjjgtj
guard
i
 It has to been shown that

Ctr
 

block
Trl


jttjijttjjgtj
guard
i
 Trlcmd
i
  
ctr
block 

		
 

//
holds for arbitrary 	 and 
 

 is model of guard
i
for some i Due to GT there are valuations ,	 and
,

 
such that
 guard
i
 Trlcmd
i
 

	

	
 


Then dene )	A
def


,	A  if A  Ctrcmd
i

  else
and
)

 
x
 

def


,

 
x
 
  if x  Ctrcmd
i

x  else

Obviously  )	
)

 
 is a model of both


jttjijttjjgtj
guard
i
 Trlcmd
i
 and

ctr
block Because all actions and primed variables that occur free in
Trl


jttjijttjjgtj
guard
i
 Trlcmd
i
   
ctr
block are elements of Ctr
 
block //
holds for arbitrary 	 and 
 

 
Lemma 	 +
a
block is wellde	ned
Proof
 J W by denition
   J 
It has to be shown that there is some p W and some valuation 
  Ctr
V
block	 U such
that  p  init 


 Assume not Then  


pW
p   init 


does not hold either for any 

Due to aBTS it follows that  init 


does not hold for any 
 This contradicts Init
 B is a complete atomic Boolean algebra by denition#
 N  W W 	 B by denition
 st   Np p   for all p  W  Because of aBTS there is a valuation  of the
variables in Ctr
V
block such that  p 
	
 Due to lemma  it is sucient to dene
x
def


x  for x  Ctr
V
block
arb  for x  Ctr
V
block
 Then     st  Nv v
   Le  Ne for all e  p q  E
If e  E then there exists some  such that  p  q
 
 fg  Trlfcmd  
ctr
block 

 Then
dene a 

  a  Acts Ctrblock
a  else

The actions from Acts  Ctrblock do not occur in p  q
 
 fg  Trlfcmd  
ctr
block
Therefore  p  q
 
 fg  Trlfcmd  
ctr
block 


On the other side besides  p  q
 
 
ctr
block 

also  
env
block 

holds due to Corollary
 because all actions occurring in events are elements from Acts  Ctrblock which
is due to condition Ev in Denition  That is   Ne
 
Theorem  Relationship between models
Traces+block  Traces+
a
block
Proof
Let  




	

 

 
	


    Traces+block  Traces+
a
block may be establis
hed by proving
There is a sequence v

 v
 
      V

such that
V v

 I
V 
i
 	
i
 
i 
 Mv
i
 v
i 
 for all i
Va continuously v
i
 G implies in
nitely often v
i
 v
i 
  E and

i
 	
i
 
i 
  Lv
i
 v
i 
 for all
WFGEL  F
Vb innitely often v
i
 G implies in
nitely often v
i
 v
i 
  E and

i
 	
i
 
i 
  Lv
i
 v
i 
 for all
SFGEL  F
implies
There is a sequence w

 w
 
      W

such that
W w

 J
W 
i
 	
i
 
i 
  Nw
i
 w
i 
 for all i
Wa continuously w
i
 G
a
implies in
nitely often w
i
 w
i 
  E
a
and

i
 	
i
 
i 
  L
a
w
i
 w
i 
 for all
WFG
a
 E
a
 L
a
  G
Wb innitely often w
i
 G
a
implies in
nitely often w
i
 w
i 
  E
a
and

i
 	
i
 
i 
  L
a
w
i
 w
i 
 for all
SFG
a
 E
a
 L
a
  G
Firstly let w
i
be the uniquely determined w W such that w
i

	
i

V  W
If v

 I then by denition  init 
v

and due to V also  init 
	

 Then w

 init 
	

by
denition of w
i
 Thus 
Ctr
V

block
 w

 init   ie w

 J 
V	  W	
Let 
i
 	
i
 
i 
  Mv
i
 v
i 
 Then especially  block 

	
i

i
	
i 

 Thus
 block w
i
 w
i 
 


	
i

i
	
i 

by denition of w
i
 ie 
i
 	
i
 
i 
  Nw
i
 w
i 

Va  Wa
Suppose continuously w
i
 G
a
for some explicit fairness condition WFG
a
 E
a
 L
a
  G Ie
w
i
 fg  and there is some  such that w
i
 w
i 
 
 fg  Trlfcmd  
ctr
block 

 Especially
w
i
 fg 

	
i

i
	
i 

and by denition of w
i
also  fg 

	
i

i
	
i 

 Because of V	 
i
x  v
i
x
for all x  FFVfg  Ctr
V
block Thus  fg 
v
i
and by F it follows that there is some 
i
such that  fg Trlfcmd  
ctr
block 

i
and 
i
x  v
i
x for all x  Ctr
V
block Therefore
continuously v
i
 G and thus always eventually v
i
 v
i 
  E and 
i
 	
i
 
i 
  Lv
i
 v
i 

This implies always eventually  fg Trlfcmd  
ctr
block 

	
i

i
	
i 

 By denition of w
i
it follows that always eventually w
i
w
i 
 
 fg Trlfcmd  
ctr
block 

	
i

i
	
i 

 Thus
always eventually w
i
 w
i 
  E
a
and 
i
 	
i
 
i 
  L
a
w
i
 w
i 

Vb  Wb
Analog simply replace continuously by always eventually
 

Bibliography
AG	 Robert Allen and David Garlan Formal Connectors Technical Report CMUCS
	 School of Computer Science Carnegie Mellon University Pittsburgh PA
March 		
AL M Abadi and L Lamport The existence of renement mappings In Computer So
ciety Press editor Proc of the rd Annual IEEE Symp on Logic in Computer
Science pages 0 July 	 Washington DC
AL	 M Abadi and L Lamport An OldFashioned Recipe for Real Time Technical
Report 	 DEC Systems Research Center 		
AL	 Martin Abadi and Leslie Lamport Conjoining Specications Technical Report 
Systems Rsearch Center Digital Palo Alto California December 		
And Peter B Andrews An Introduction to Mathematical Logic and Type Theory To
Truth Through Proof Academic Press New York and London 	
BA	 M BenAri Mathematical Logic in Computer Science PrenticeHall Hemel Hamp
stead 		
BAPM M BenAri A Pnueli and Z Manna The temporal logic of branching time Acta
Informatica pages 0 	
Bar	 D Barnard Temporal Language of Transitions and ClientServerSystems PhD
thesis Faculty of Informatics Technical University of Munich D	 Munich
Germany 		
BB	 A Benveniste and G Berry The synchronous approach to reactive and realtime
programming In Proc of IEEE volume 		 pages 0 		
BC	 Dieter Barnard and Simon Crosby The Specication and Verication of an ATM
Signalling Protocol In Proc of th IFIP PSTV	 Warsaw June 		
BCG MC Browne EM Clarke and O Gr

umberg Characterizing nite kripke structures
in propositional temporal logic Theoretical Computer Science 	0 	
Ber	 Daniel M Berry Formal specication and verication of concurrent programs Tech
nical Report SEICM School of Computer Science CMU Pittsburgh Februa
ry 		
Bro	 Manfred Broy A Functional Solution to the RPCMemory Specication Problem
Submitted as a Final Solution to Dagstuhl Seminar of BroyLamport 		 Faculty
of Informatics Technical University of Munich D	 Munich Germany 		
	
Bry Randal E Bryant Graphbased algorithms for boolean function manipulation IEEE
Trans on Computers C0	 August 	
Bry	 Randal E Bryant Symbolic boolean manipulation with ordered binarydecision
diagrams ACM Computing Surveys 	0 September 		
Bus	 H Busch A Practical Method for Reasoning About Distributed Systems in a Theo
rem Prover In Higher Order Logic Theorem Proving and its Applications  
th Inter
national Workshop Aspen Grove UT USA Proceedings pages 0 Springer
Verlag LNCS 	 September 		
Bus	 H Busch Proving liveness of fair transition systems In J v Wright J Grundy
and J Harrison editors Theorem Proving in Higher Order Logics 	th Internatio
nal Conference TPHOL	 volume  of LNCS pages 0	 SpringerVerlag
August 		
CE EM Clarke and EA Emerson Design and synthesis of synchronization skeletons
using branching time temporal logic In D Kozen editor Workshop on Logic of
Programs volume  of LNCS pages 0 SpringerVerlag 	
CES EM Clarke EA Emerson and AP Sistla Automatic verication of nite state
concurrent systems using temporal logic specications A practical approach In
Proceedings th ACM Symposium on Principles of Programming Languages pages
0 	
CGS	 C Courcoubetis S Graf and J Sifakis An Algebra of Boolean Processes In Proc
of CAV	 pages 0 		
CH	 Jorge Cu1ellar and Martin Huber Property Preserving Datarenement Internal re
port Siemens Corporate Research and Development ZFE T SE  D Munich
Germany 		
CH	 Jorge Cu1ellar and Martin Huber The FZI Production Cell Case Study A distribu
ted solution using TLT In Formal Development of Reactive Systems Case Study
Production Cell volume 	 of LNCS SpringerVerlag 		
CHB	a Jorge Cu1ellar Martin Huber and Dieter Barnard A Solution relying on the Mo
del Checking of Boolean Transition Systems In The RPCMemory Specication
Problem LNCS 	 		
CHB	b Jorge Cu1ellar Martin Huber and Dieter Barnard Rapid Protyping for an Assertio
nal Specication Language TACAS	 LNCS  March 		
CK	 Pierre Collette and Edgar Knapp A Compositional Proof System for UNITY Based
on RelyGuarantee Conditions In Proc of IFIP Working Conf on Programming
Concepts Methods and Calculi IFIP 		
CM K Mani Chandy and J Misra Parallel Program Design  A Foundation Addison
Wesley Reading Massachusetts 	
Col	 Pierre Collette An explanatory presentation of composition rules for assumption
commitment specications Information Processing Letters 0 		
CW	 Jorge Cu1ellar and Isolde Wildgruber The Steam Boiler Problem  A TLT Solution
Presented at a Dagstuhl Seminar In Proc of a Dagstuhl Seminar 		
CWB	 J R Cu1ellar I Wildgruber and D Barnard Combining the Design of Industri
al Systems with Eective Verication Techniques In M Naftalin T Denvir and
M Betran editors Proc of FME	 volume  of LNCS pages 	0 Barcelo
na Spain October 		 SpringerVerlag
DF	 J

urgen Dingel and Thomas Filkorn Model checking for innite state systems using
data abstraction assumptioncommitment style reasoning and theorem proving In
Proc of CAV	 LNCS 		 Liege Belgium June 		 SpingerVerlag
EH EA Emerson and JY Halpern &sometimes and &not never revisited on branching
versus linear time temporal logic Journal of the ACM 0 January 	
EL E Allen Emerson and CL Lei Modalities for Model Checking Branching Time
Strikes Back In Proc of th Annual ACM Sympo on POPL pages 0	 New
Orleans Louisiana January 	 ACM
Eme	 E Allen Emerson Temporal and Modal Logic chapter  pages 		0 Handbook
of Theoretical Computer Science Elsevier Science Publishers BV edited by j van
leeuwen edition 		
Fit	 Fitting First Order Logic and Automated Theorem Proving Springer New York
		
Flo R W Floyd Assigning Meanings to Programs In Proc of the Symposium on
Applied Mathematics pages 	0 American Mathematical Society 	
Fra Nissim Francez Fairness Texts and Monographs in Computer Science Springer
Verlag Berlin 	
FSS

	 T Filkorn HA Schneider A Scholz A Strasser and P Warkentin SVE Users
Guide Technical report Siemens AG ZFE T SE  D M

unchen Germany
		
GK B Gopinath and RP Kurshan The selectionresolution model for coordinating
concurrent processes Technical report Mathematical Sciences Research Center
AT2T Bell Laboratories Murray Hill NJ 	
GLS	 William Gropp Ewing Lusk and Anthony Skjellum USING MPI  Portable Parallel
Programming with the MessagePassing Interface MIT Press Cambridge MA 		
Gri David GriesFitting The Science of Programming Springer New York 	
Gur	 Y Gurevich Evolving Algebras A Tutorial Introduction In Bulletin of the EATCS
volume  pages 0 EATCS 		
Hal Paul R Halmos Lectures on Boolean algebras SpringerVerlag 	
Hal	 N Halbwachs Synchronous Programming of reactive systems Kluwer 		
HL	 M Hennessey and H Lin Symbolic Bisimulations Theoretical Computer Science
0	 		
Hoa	 CAR Hoare An axiomatic Basis for Computer Programming Communications of
the ACM 0 October 		
Hoa CAR Hoare Communicating Sequential Processes International Series in Com
puter Science PrenticeHall London 	
Hub	 M Huber Verfeinerung in TLT Masters thesis Universit

at Karlsruhe 		
Kal	 Markus Kaltenbach Model Checking for UNITY PhD thesis University of Texas
at Austin 		
Kur	 RP Kurshan Computer Aided Verication of Coordinating Processes Princeton
University Press 		
Lam Leslie Lamport sometimes is sometimes not never In Proc of th Annual ACM
Symp on POPL Las Vegas January 	 ACM
Lam	 Leslie Lamport The Temporal Logic of Actions Technical Report 	 Digital
Systems Research Center Palo Alto California December 		
Lam	a L Lamport The Temporal Logic of Actions ACM Transactions on Programming
Languages and Systems 0	 May 		
Lam	b Leslie Lamport TLA Technical Report preliminary DEC Systems Research
Center August 		
LL	 Claus Lewerentz and Thomas Lindner Formal Development of Reactive Systems
Case Study Production Cell volume 	 of Lecture Notes in Computer Science
SpringerVerlag January 		
LT Nancy A Lynch and Mark R Tuttle Hierachical Correctness Proofs for Distributed
Algorithms In Proc of th Symp on Principles of Distr Comp pages 0
ACM 	
LT	 Nancy A Lynch and Mark R Tuttle An introduction to inputputput automata
CWIQuarterly  		
Mer	 Stephan Merz Explaining Composition Technical report Institute of Informatics
Technical University of Munich Munich Germany July 		
Mer	 Stephan Merz TLASemantik f

ur UTLT Programme Internal paper Faculty of
Informatics Technical University of Munich D	 Munich March 		
Mer	 Stephan Merz From TLT modules to stream processing functions Internal paper
Faculty of Informatics Technical University of Munich D	 Munich March
		
Mil R Milner A Calculus of Communicating Systems Lecture Notes in Computer
Science 	 SpringerVerlag Berlin 	
Mil	 R Milner Communication and Concurrency PrenticeHall London 		
Mis	 Jayadev Misra A discipline of multiprogramming  preliminary draft Technical
report University of Austin 		
MP Zohar Manna and Amir Pnueli Verication of concurrent programs part i The
temporal framework Technical Report STANCS Department of Computer
Science Stanford University July 	
MP	 Z Manna and A Pneuli The Temporal Logic of Reactive and Concurrent Systems
SpringerVerlag New York 		
MP	 Z Manna and A Pneuli Temporal Verication of Reactive Systems  Safety
SpringerVerlag New York 		
Rat	a Rational The unied modeling language v documentation set Technical report
Rational Software Corporation Monterey California 		
Rat	b Rational The unied modeling language v semantics Technical report Rational
Software Corporation Monterey California 		
RC	 GruiaCatalin Roman and H Conrad Cunningham A unitystyle programming
logic for shared dataspace programs IEEE Transactions on Parallel and Distributed
Systems  		
RCM

	 Hans Rischel Jorge Cu1ellar Simon M3rk Anders P Ravn and Isolde Wildgruber
Development of SafetyCritical RealTime Systems In Proceedings of the SOFSEM
	 MBartosek JStaudek JWiedermann Eds volume  of LNCS November
		
Ric	 Michael M Richter Prinzipien der K

unstlichen Intelligenz Teubner Stuttgart
		
San	 B A Sanders Eliminating the Substitution Axiom from UNITY Logic Formal
Aspects of Computing 	0 		
Sch	 U Sch

oning Logik f

ur Informatiker BIWissenschaftsverlag 		
Sti	 Colin Stirling Modal and temporal logics In S Abramsky D Gabbay and T Mai
baum editors Handbook of Logic in Computer Science volume  Oxford University
Press 		
tcN	 IEC technical committee No  International Standard IEC  Technical report
International Electrotechnical Commission Denmark 		
UHK	 Rob Udink Ted Herman and Joost Kok Progress for Lokal Variables in UNITY
In Proc of IFIP Working Conf on Programming Concepts Methods and Calculi
IFIP 		
UK	 RT Udink and JN Kok On the relation between unity properties and sequences
of states In Proc of REX	 Workshop volume Unknown of LNCS pages 	0
SpringerVerlag 		
Keywords and Symbols
Auxiliary Functions
arity 
class 	
Ctr 
Ctr
V
 
Ctr
Act
 
Ctr
 
 
Runs 
sort  	
Stutter 
Traces   
Trl  
Boolean algebras
	 	  	  	  
B  B "    
 
s  SB 	
X
 
W
 
 

X
 
	
	
 
Boolean transition systems
+block 	
+
a
block 
+
s
block 
+Mod 	
+
vis
Mod 	
+Sys 	
+  V IB stMF 
Ac$ 
+
 
 +

 

+
 
 
+
 
+

 	
+
	
	
X
 	
+
 
 +

 	
Commands
Case 
If Then Else 
k   
Declarations
Acts  	
hActs 	
vActs 	
Decls 	
Vars  	
hVars 	
lVars 	
vVars 	
Environment Classes
History 	
In 	
Internal 	
Local 	
Out 	
Read 	
Spec 	
Write 	
Fairness Conditions
WF SF  
WFELSFEL 
WFGELSFGEL 
 fair F fg fcmd  
Logic

  
  



 
true false 
  
 	 
WF SF  
	 
Unless  
Until  
  
 
 
  
   	

p  
  
I 
 
U  
D 
D

 
FAct 
FFV 
FV 
'
Act
 
'
Func
 
'
Pred
 
'
S
 
'
Sort
 
'
V
 
'
V ar
 
'
V
 
 
   	 	
%  	 	
   	   	 	
Program Sections
Abbreviations 	
Declarations 	
Initially 	
Parameters 	
Transitions 	
Types 	
Transitions
 gt guard cmd  
 tt s assume delay ev cmd  
Types
Array M   NOf 	
Bit 	
Boolean 	
Boolean 
  	
fg 	
Integer 	
MN 	
List Of 	
Natural 	
Real 	
 	
String 	
 	
 	

Consistency Conditions
Boolean transition systems
Delay 
Delay 
Fair 
Fair Independence 
Init 
Run 
Run 
Run 
St 
St Independence  
Tr 
Tr 
Programming Notation
aBTS 
aBTS 
aBTS 
Assumptions 
Commit FOL 
Commit FOL 
Commit TL 
Delay 
Delay 
Delayed Module 
Ev 
ExclCtr 
F 
F 
F 
Fair Module 
GT 
Init 
Init 
Properties 
Subst  
Subst  
Syn Fair Module 
Syn TT Consistency 
TT 
TT Consistency 
TT Consistency 
TT Consistencya 
TT Consistencyb 
TT Consistency Mod 
Vis Fair System 

Index
abbreviation 	 
abstract transition system see transition sy
stem
abstraction  
acceptance condition 	 
action  0 	
controlled  
in 	
internal 	
out 	
symbols 
valuation 
actuator 
assumption   
liveness 
safety 
atom 	
atomic formula
semantics 
syntax 
automata 
B

uchi condition 
behavior 
block 0  0
Boolean algebra  0	
atomic 
complete 	
homomorphism 	
isomorphic 	
of transitions 
subalgebra 	
independent 	
tensor product 	
Boolean transition system 	  	0	
abstract  0
executable  
graphical representation 
symbolic 

BTS see Boolean Transition System
Calculus of Communicating Systems see
CCS
canonical monomorphism 	
canonical projection 	
CCS  	 
action 
channel 
command   		0
commitment 
communication
synchronous 
compiler 
complete Boolean algebra 
composition 	  

executable 
fully abstract 
concrete transition system see transition sy
stem
conjunction 

executable 
	
consistency condition  
semantic 
syntactic 
constant 
propositional  
continuous function chart 
control predicate 
control set  
control sets 
control system 
controller 
CTL 
declaration  	 	
delay 	 
 
dependency graph 
 
direct product 
distributed system 
domain  
extended 
embedding  

canonical 	
environment class   	
epimorphism 	
error handling 	
evaluation 
event  
 	0		
Inevent 		
Outevent 		
extended domain 
fairness   0
local 
	 
strong   
weak  	  
fairness condition 	 	    

rstorder logic 	 	0	
semantics  0	
syntax  0
formal methods 
formula
rstorder logic  
satisable 	
valid 	
temporal logic  
satisable 
valid 
fully abstract 
function
symbols 
graph 
guarded command 
guarded transition see transition
Hasse diagram 	
hiding 
homomorphism 	
IOautomata  	 
IEC  
IEC 		 
image 

implementation 0
inmum 
initial state 
initial value   	
input enabled 	 
interface   
interpretation 
invariance property 
isomorhism 	
layer 
leadsto property 
lifting 
lifting lemma 
local fairness 
	
local progress 	 
logic see rstorder logic see temporal logic
modal logic 	
model  
of physical system 
of temporal formula 
module   0
modules 
monomorphism 	
canonical 	
MPI 
nextstep relation 
nondeterminism 
operator station 
parameter 
PLC see programmable logic controller
predicate
symbols 
predicate logic 	
prime symbol 
programmable logic controller  
projection 
canonical 	
property 	
system 	
propositional constant  
quantication  	
reactive system 
renement  
representation
automata  0	
logical  	0
textual  	0	
run 
SR model  
schema 
semantics 
atomic formulas 
rstorder logic 0	
rstorder logic formulas 
temporal logic 0
temporal logic formulas 
terms 
sensor 
Seuss 
signal 
signature 
sort 
boolean 
symbols 
unit 
specication 0
compositional 
generic 
parameterized 0
specication language 
compositional 
state 
state predicate 
step 
stutter invariance 
stutter step  
stutter steps 
stuttering   
subalgebra 
independent 
supremum 
SVE 
symbolic guard 

synchronization 
syntax
atomic formulas 
rstorder logic 0
rstorder logic formulas 
temporal logic 0
system  
embedded 
layered   0
reactive 
system assumption  	
system dependency graph 
temporal logic 	 	0
branching time 
linear time 	 
semantics 
syntax 
tensor product 	
term 
closed 
semantics 
syntax 
TLA  	  
action 
composition 
renement 
trace     
transition   	0
algebra of 
guarded   0
triggered   0
transition matrix 
transition predicate 
transition relation 
transition system  see Boolean transition
system
abstract 
concrete 
graphical representation 
triggered transition see transition
type 	
unit sort 
UNITY  	  
ensures 
leadsto 
multiple assignment 
unless 
universe 
valuation   
valuation sequence 
similar 
variable 0  	
auxiliary   
boolean valued 
controlled  
domain 
environment class 
exible 
history  	 
local 	
primed 
program 
read 	
shared 	
specication 	
symbols 
write 	
vector 
vector type 
verication 
view see representation
weak acyclic 
 
weak fairness see fairness
LEBENSLAUF
	 geboren in Karlsruhe
	 0 	 Gymnasium in Oberkirch Abitur
	 0 	 Grundwehrdienst in Sigmaringen
	 0 		 Studium der Informatik mit Nebenfach Mathematik
an der Universit

at Karlsruhe
Diplom im Herbst 		
		 Aufnahme in die Studienstiftung des deutschen Volkes
		 0 		 Hilfswissenschaftler an der Fakult

at f

ur Mathematik
		 0 		 Forschungsaufenthalt in der Zentralabteilung Technik
der Siemens AG in M

unchen
seit 		 Mitarbeiter in der Zentralabteilung Technik
der Siemens AG in Erlangen
