Applications of formal methods in engineering by Tran, Sang Cong
  
 
University of Warwick institutional repository: http://go.warwick.ac.uk/wrap  
 
A Thesis Submitted for the Degree of PhD at the University of Warwick 
 
http://go.warwick.ac.uk/wrap/60452  
 
This thesis is made available online and is protected by original copyright.  
Please scroll down to view the document itself.  
Please refer to the repository record for this item for information to help you to 
cite it. Our policy information is available from the repository home page.  
 
 
 
 
APPLICATIONS OF FORMAL METHODS
IN ENGINEERING
Volume 1 of 2
Sang Cong Than
B.Eng (Hons.), M.Phil (Eng.)
A thesis submitted for the degree of
Doctor of Philosophy in the Engineering Department
University of Warwick
December 1991
Abstract
The main idea presented in this thesis is to propose and justify a general frame-
work for the development of safety-related systems based on a selection of crit-
icality and the required level of integrity. We show that formal methods can be
practically and consistently introduced into the system design lifecycle without
incurring excessive development cost.
An insight into the process of generating and validating a formal specification
from an engineering point of view is illustrated, in conjunction with formal defi-
nitions of specification models, safety criteria and risk assessments. Engineering
specifications are classified into two main classes of systems, memoryless and
memory bearing systems. Heuristic approaches for specification generation and
validation of these systems are presented and discussed with a brief summary of
currently available formal systems and their supporting tools.
It is further shown that to efficiently address different aspects of real-world
problems, the concept of embedding one logic within another mechanised logic,
in order to provide mechanical support for proofs and reasoning, is practical. A
temporal logic framework, which is embedded in Higher Order Logic, is used
to verify and validate the design of a real-time system. Formal definitions and
properties of temporal operators are defined inHOL and real-time concepts such
as timing marker, interrupt and timeout are presented. A second major case
study is presented on the specification a solid model for mechanical parts. This
work discusses the modelling theory with set theoretic topology and Boolean
operations. The theory is used to specify the mechanical properties of large
distribution transformers. Associated mechanical properties such as volumetric
operations are also discussed.
Declaration
This dissertation is the result of my own work and, unless otherwise stated in the
text, includes nothing which is the outcome of work done in collaboration. No
part of this dissertation has already been, or is currently being, submitted for any
degree, diploma or other qualification at any other university.
Acknowledgement
During the time of this project, it is pleasing to note the number of people who
have given their help and support. Thanks are due to my supervisor Dr. Evor
Hines. He diligently read through the various drafts of this thesis and made
valuable written comments. His insistence on clear writing has set a standard
which I will always try to aim for.
In addition, I would like to express my sincerest thanks to Professor John
Cullyer. This work could never ha ve taken sha pe without his continued guidance
and support. His patience during my earlier days and his ever optimistic manner
has brought me through some of the most difficult times. He made valuable
suggestions on earlier drafts of this thesis, and was the source of many excellent
discussions.
This work could not have started without the financial support of T&N Tech-
nology Limited, Goodyear Transformers Limited and the Science and Engineering
Research Council. The technical advice and individual guidance received while
working there greatly help in this project. Of the innumerable people who helped,
I must explidtly acknowledge Kevin Marks at T&N Technology Ltd. and Ken
Frewin at Goodyear Transformers Ltd., who were the source of many stimulating
discussions.
Thanks are also due to colleagues who have been around at various times
to ask questions or answer mine. I would particularly like to thank Wai Wong
for help at various times with HOL theorems and tactics and in response to my
persistent questions about L\TEXtypesetting.
This work would not have been completed without the HOL system. Thanks
are due to the hardware verification group at Cambridge University. I am espe-
cially grateful to Dr. Mike Gordon for leading the way in hardware verification
and giving advice when it was most needed.
To my parents
Contents
Abstract
Acknowledgement
VOLUME 1
1 Introduction
1.1 Background and Related Work .
1.1.1 Design methodologies .
1.1.2 Specification and verification for software .
1.1.3 Specification and verification for hardware .
1.2 Overview ofThesis. . . . . . . . . . . . . . . . . . . . . . . . . . .
2 Formal Methods in Safety-Related Systems
2.1 The Concept of Safety . . . . . . . . . . . . . . . . . . . . . . . . .
2.1.1 Safety in computer-based systems . . . . . . . . . . . . . .
2.1.2 Applying formal methods .
2.2 Design Methodology. . . . . . . . . . . . . . . . . . . . . . . . . .
2.2.1 Development lifecycle . . . . . . . . . . . . . . . . . . . . .
2.3 Safety Criteria Selection . . . . . . . . . . . . . . . . . . . . . . . .
2.3.1 Measures of risk . . . . . . . . . . . . . . . . . . . . . . . .
2.3.2 Safety integrity levels . . . . . . . . . . . . . . . . . . . . .
2.4 Determination of Assessment Levels .
2.4.1 Level selection . . . . . . . . . . . . . . . . . . . . . . . . .
2.5 Selection of Development Techniques
vi
ii
iv
1
3
3
4
4
7
10
11
11
12
13
14
16
18
19
20
22
22
CONTENTS
2.6 Validation and Verification
2.6.1 Informal techniques
2.6.2 Semi-formal techniques .
2.6.3 Formal techniques .
2.7 Discussion .
3 Formal Specifications in Engineering
3.1 Introduction .
3.1.1 System Classification .
3.2 Formal Model of Safety . . . . . . . . . . . . . . . . . . . . . .
3.21 Risk assessment .. . . . . . . . . . . . . . . . . . . . .
3.3 A Specification Model . . . . . . . . . . . . . . . . . . . . . . . . .
3.3.1 Model representation . . . . . . . . . . . . . . . .
3.3.2 Fonnula of correctness .
3.3.3 Total and partial correctness .
3.4 Specification Generation . . . . . . . . . . . . . . . . . . . . . . . .
3.4.1 Memoryless systems .
3.4.2 Memory bearing systems . . . . . . . . . . . . . . . . . . .
3.5 Specification Validation . . . . . . . . . . . . . . . . . . . . . . . .
3.5.1 Memoryless systems . . . . . . . . . . . . . . . . . . . . . .
3.5.2 Memory bearing systems . . . . . . . . . . . . . . . . . . .
3.6 Description of Formal Methods . . . . . . . . . . . . . . . . . . . .
3.6.1 First order logic .
3.6.2 Higher order logic . . . . . . . . . . . . . . . . . . . . . . .
3.6.3 Temporallogic.........................
3.7 Discussion .
4 HOL Theorem Prover
4.1 Introduction .....
4.2 Background......
4.3 The HOL logic . . . . . . .
......................
......................
vii
23
24
25
25
26
28
28
29
31
32
34
35
36
38
40
40
43
43
44
45
47
48
49
50
51
53
53
53
54
CONTENTS viii
4.3.1 Terms 55
4.3.2 Types . . . . . . . . . . . . . . . . . . .
4.3.3 Hilbert's c-operator . .
4.4 The Meta-Language . . . . . . . . . . . . . . ..
4.5 The HOL System . . . . . . . . . . . . . . . . . . . .
4.5.1 Theories: definitions, axioms and theorems .
4.5.2 Primitive inference rules .
4.5.3 Tactics and tacticals
56
58
59
62
63
64
66
674.6 Summary...... ....
5 Embedded Temporal Logic
5.1 Tuning Verification .
5.1.1 First orderlogic .
5.1.2 Temporallogic........
5.1.3 Interval temporal logic ...
69
69
69
70
70
5.1.4 Other techniques . . . . . . . . . . . . . . . . . . . . . . .. 71
5.1.5 Higher order logic . . . . . . . . . . . . . . . . . . . . . .. 71
5.2 Temporal Operators . . . . . . . . . . . . . . . . . . . . . . . . .. 71
5.2.1 Basic operations . . . . . . . . . . . . . . . . . . . . . . .. 72
5.2.2 Timing conditions . . . . . . . . . . . . . . . . . . . . . .. 73
5.2.3 Defining time markers. . . . . . . . . . . . .
5.3 Temporal Projection . . . . . . . . . . . . . . . . . .
5.3.1 Mapping function . . . . . . . . . . . . . . .
5.3.2 Interrupts......
5.3.3 Tune limits . . . . .
74
71
78
81
82
84
84
5.4 Formulation of Temporal Correctness . . . . . . ..
5.5 Discussion .
6 A Throttle Control System
6.1 Introduction .
6.1.1 System description. . . . . .
86
86
87
CONTENTS ix
6.1.2 System requirements
6.1.3 Design methodology
6.2.3 Traction control .
88
90
94
95
96
97
98
98
98
6.2 Background Behaviour .,
6.2.1 Manual control . . .
6.2.2 Cruise/Resume control . . .
6.2.4 Idle control . . . . . . . . . . . . . . . . . . .
6.2.5 Shutdown/Reset mode . . . . . . . . . . . .
6.2.6 Function NextState . . . . . . . . . . . . . . .
6.3 Foreground Behaviour. . . . . . . . . . . . . . . . . . . . . . . .. 101
6.3.1 Motion . . . . . . . . . . . . . . . .. 103
6.3.2 Real-time characteristics. . . . . . . . . . . . . . . . . . .. 104
6.3.3 Maximum response time .. . . . . . . . . . . . . . . . .. 105
6.3.4 Maximum registered time . . . . . . . . . . . . . . . . . .. 106
6.3.5 Maximum transit time. . . . . . . . . . . . . . . . . . . .. 106
6.3.6 Position and direction . . . . . . . . . . . . . . . . . . . .. 101
6.4 Improving the Performance. . . . . . . . . . . . . . . . . . . . .. 108
6.5 The Complete Specification . . . . . . . . . . . . . . . . . . . . .. 111
6.6 VerificationPlan and Methodology. . . . . . . . . . . . . . . . .. 111
6.6.1 Proof plan 112
6.6.2 Safety properties . . . . . . . . . . . . . . . . . . . . . . .. 112
6.6.3 State transitions 114
6.6.4 Deterministic state-machine 116
6.7 Discussion 117
1 Mechanical Solid Modelling
7.1 Introduction .
120
120
7.2 Designing Mechanical Parts. . . . . . . . . . . . . . . . . . . . .. 121
7.2.1 Communication between the designer and the modeller.. 122
7.2.2 Tune taken and costs incurred in the design process . . .. 122
7.3 Geometric Modelling in Transformer Design . . . . . . . . . . .. 123
CONTENTS x
7.5.1 Metric space . . . . . . . . .
123
124
124
127
129
130
132
133
135
136
140
142
144
7.3.1 Spatial arrangement ...
7.3.2 Volumetric verification .
7.4 Mathematical Foundations .
7.5 Point-Set Algebra .
7.5.2 Open sets and neighbourhood . . . . . . . .
7.5.3 Closed sets . . . . . . . . . . . . . . . . . . .
7.5.4 Closure....................·
7.5.5 Interior.....................
7.5.6 Boundary....................
7.5.7 Dimensional property of boundary .
7.6 Closed Point-Set Topology .
7.6.1 Defining OBJECT .
7.6.2 Solid primitives 146
7.6.3 Generic and parameterised primitives . . . . . . . . . . .. 149
7.7 Combinations of Solid Primitives. . . . . . . . . . . . . . . . . .. 151
7.7.1 Modified boolean operations . . . . . . . . . . . . . . . .. 152
7.7.2 Boolean model. . • . . . . . . . . . . . . . . . . . . . . .. 156
7.8.3 Computation of overall volume .
157
161
164
166
168
7.8 Solid Modelling inTransformer Designs . . . . . . .
7.8.1 Null-object detection .
7.8.2 Specifying the manufacturing process . . . .
7.9 Discussion .
8.1.2 Specification techniques ...
171
171
171
173
174
175
176
8 Concluding Remarks
8.1 Summary of Thesis. . . . .
8.1.1 Methodology....
8.1.3 Timing analysis .
8.1.4 Specifying behaviour .
8.2 Discussion .
CONTENTS
8.2.1
8.2.2
Correctness of a real design . . . . . . .
Relating different levels of abstraction .
8.2.3 Verification process
8.3 Future Work .
8.3.1 Executable specifications
8.3.2 Computer aided design with formal methods.
8.4 Final Thoughts . . . . . . . . . . . . . . . . . . . . . .
References
VOLUME 2
A. A Formal Solid Modelling System
B. Temporal Definitions and Theorems
C. HOL Specification of DBW Controller
D. Formal Specification ot Solid Modelling
E. Paper - The Development of a High Quality Software Design
Methodology for Automotive Applications
F. Paper - Formal Methods in Automotive Applications
G. Paper - On the Development of Formal Methods Based Soft-
ware Design Methodology for Automotive Applications
H. Paper - Formal Solid Modelling Using Higher-Order Logic
I. Paper - Applications of Formal Methods in the Transformer
Industry
Xl
176
177
177
178
178
178
179
181
List of Figures
2.1 Design procedures . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 IEemapping for software integrity level 19
2.3 Factors affecting software integrity levels 20
3.1 Representations of engineering systems . . . . . . . . . . . . . .. 30
3.2 Specificationmodel 36
5.1 Representation of len . . . . . . . . . . . . . . . . . .. 74
5.2 The projection p When p' . . • • . • • • • • . . • • . • • . • . . • .. 77
5.3 Mapping from abstract states to time. . . . . . . . . . . . 79
6.1 DBWsystem overview. . . . . . . . . . . . . . . . . . . . . . . .. 88
6.2 DBWState diagram . . . . . . . . . . . . . . . . . .. 95
6.3 A Mealy machine 101
6.4 DBWstate transition diagram. . . . . . . . . . . . . . . . . . . .. 102
7.1 The use of formal geometrical model. . . . . . . . . . . . 123
7.2 The schematic diagram of a simplified transformer. . . . 125
7.3 Representation scheme 127
7.4 Neighbourhood in an open ball. . . . . . . . . . . . . . . . . . 132
7.5 Defining the interior of set operations . 136
7.6 Set compositions of the boundary of 8 INTER t . . . 139
7.7 Scaling transformation. . . . . . . . . . . . . . . . . . . . 149
7.8 Dangling faces . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.9 Geometric components of A REGJNTER B . . . . . . . . . . . 154
xii
LIST OF FIGURES xiii
7.10 A geometric model of a power transformer ..
7.11 An example of a null object . . . . . . . . . . .
7.12 An example of process simplification .
7.13 An example of volume verification . . .
158
162
165
168
List of Tables
2.1 Available standards (J = applicable). . .
2.2 Safety integrity levels . . . . . . . . . . . . . . . . . . . . . .
2.3 Assessment levels . . . . . . . . . . . . . . . . . . . . . . .
2.4 Assessment techniques
4.1 Predicate logic notation
7.1 Definitions of geometric objects. . . . . . . . . . . . . . . . . . .. 145
xiv
17
21
21
23
55
Chapter 1
Introduction •
As the cost associated with the development of computer-based systems con-
tinues to fall, industry worldwide is increasingly coming to depend upon new
technology to maintain a competitive edge whilst being able to operate ever more
complex control systems that require a high degree of reliability, integrity,depend-
ability and safety. Such systems are generically referred to as being safety-critical.
Engineers and managers have begun to realise that with their new technol-
ogy comes flexibility and additional safety considerations. These considerations
include,
• The knowledge that the correct and safe operation of the business, capital
equipment or control system is dependent upon such technology.
• The risk of causing a loss of human life, economic loss or environmental
damage is outside their normal engineering judgement.
• That the conventional safety assessment are ineffident and fail to identify
weaknesses in the operation of the system.
Till now the only assurance of correct operation of a safety-critical system has
been by conventional testing techniques. However, such techniques are not
without flaws and cannot locate all faults. Faults often only materialise many
months or years after a system has been put into operation, possibly leading to
very expensive recall procedure or retro-fits on site, if not dangerous incidents,
Manufacturing and nuclear industry, as well as defence contractors, have an
1
1. Introduction 2
urgent requirement to gain confidence in the correct and safe operation of their
computer based systems.
With the advent of computers, designers have been able to design more com-
plex systems, since they can be simulated on computers and so debugged to some
extent before manufacture. However, for large systems, exhaustive simulation is
prohibitively expensive, and requires exponentially large simulation time even
with today's fastest computers.
Due to these seemingly unsurmounta ble problems, designers ha ve been forced
to look in other directions to verify designs before building them. Even though
the cost of manufacturing is coming down, it is still important to have confidence
in the design before it is committed to implementation. This is essential since it is
not always possible to test every aspect of the design in the time available. Whilst
many applications can tolerate some errors, there are others where minor flaws
in the system could mean dangerous or may be too expensive to tolerate. These
include,
• Safety critical applications :
Increasingly, integrated circuits of enormous complexity are being used in
areas where errors in these cin:uits could lead to loss of life. Examples in-
clude flight control systems, railway signalling systems, electronic throttle
controller, medical life-support systems such as pacemakers, military appli-
cations, nuclear plant controllers, and anti-lock braking systems in cars (see
[35]).
• Remotely sited applications :
Applications where access to the systems is difficult would benefit from
having the design 100% correct. This is simply because the cost of repair-
ing or replacing faulty components would be too high. Examples include
systems installed in aretic regions, satellites, nuclear plants and systems
installed on oil or gas pipelines.
• Volume production applications:
1.1. Background and Related Work 3
Many industries manufacture systems for the mass market. If the design
of a device in such systems is faulty then the cost of recalling and repair-
ing it would be very high. Examples include circuits in automobiles, in
telecomrnunica tion systems, and so on.
With important applications such as these, it is necessary to ensure that a design
is correct. To achieve this, attention has turned to fonnal methods for specifying
and verifying the correctness of system design.
1.1 Background and Related Work
Techniques used for the complete specification and verification of systems are
briefly summarised in this section. Summaries of only the most relevant work
are given, together with pointers to others.
1.1.1 Design methodologies
To-date research reveals an increasing awareness of the process of design but is
fundamentally naive in its treatment of methodologies and formal models. It is
from work on programming methodology that the basic idea that we have used
as the framework of this thesis, have been imported. There are a number of struc-
tured design methodologies available [105]. These include MASCOT, SSADM,
and ISO. MASCOT is primarily a method for the design and implementation of
real time systems. The method is widely used in the UK defence and avionics
industries and originated from work done at RSRE.Whilst MASCOT is a develop-
ment technique, which uses of a graphical data-flow network as the medium for
expressing software structure, SSADM in contrast, is a well-defined step-by-step
approach. Rather than concentrating on one approach such as functional analysis,
SSADM regards functions and data with equal importance. Another important
design methodology is the Jackson Development Method 050). Within JSO there
is a distinction between specification and implementation. JSD approaches the
problem via the idea of a model and its relation to function. First an abstract
1.1. Background and Related Work 4
description is written and then one detennines how that abstract description is
created in an implementation. In ]SD the abstract description is created in two
steps, and its realisation in a third step which is the development procedure. It is
not until the fourth step that system functions are considered.
1.1.2 Specification and verification for software
There are many formalism for the formal specification of software based upon
axiomatic definition or model building. For example, the algebraic specification
languages OBJ [40], and CLEAR [24] are axiomatic formalisms, and the notation
Z [104] is model based. The semi-formal design methodology YOM (VIenna
Development Method) is also model-based [67].
Research on specific specification techniques has, more recently, led. to research
into the general ideas about specifications and operations on specifications. These
attempts at general theories aim at more complex notation than those given in
Chapter 3 of this thesis, but they are relevant to the further development of the
described framework and its application to system design. A particularly useful
general study of refinement is described by Back [8].
Much work is concerned. with the generation of logical approaches. For
example, in Cohen [30], there are simple but general definitions concerning spec-
ifications modelled by sets of statements in formal systems. A simple study of
operations on specifications is described by Sanella and WllSing [100]. A substan-
tial theory of such specifications is presented inGoguen and Burstall's theory of
institutions [41]. Other approaches work on themes of specifications which are
modelled. by relations as in, for example [59], to analyse ideas about modularity
such as in Back and Mannila [7], or algebraically, as in Bergstra [13].
1.1.3 Specification and verification for hardware
The formal verification of digital hardware is most simply founded upon clearly
defined logics such as first order logic, higher order logic, temporal logic, modal
logic and so on.
1.1. Background and Related Work 5
The early work of Milner and others on the LCF project [43] inspired much
effort in the area of mechanised theorem proving. A specialised language was
developed for specifying and verifying hardware [45J which led to the devel-
opment of the interim LCF-LSM theorem proving system [46]. Many examples
were done using this system including the verification of a simple computer [47J.
Many improvements to the LCF system have been made over the years, including
an improved rewriting package [91], and a new tactics package [92]. Hanna and
Daeche then independently developed the VERITAS theorem prover based on
higher order logic [53,54]. With the improved expressive power of higher or-
der logic becoming increasingly attractive, and with the experience gained from
the LCF family of theorem provers, Gordon then developed the HOL theorem
proving system [49,50J, which forms the basis of the work done in this thesis. A
number of examples have been successfully completed which demonstrate the
use of higher order logic as a vehicle for specification and verification. These
include the verification at the detailed timing level of a D-flipflop implemented
in logic gates (see [54J and [56J for proofs done in the VERITAS and the HOL
systems respectively), the verification of a ring interface chip [48J, re-proof of
the computer in HOL [68], and the first level proof of correctness of the VIPER
microprocessor [31].
The systems mentioned above are all based on general theorem provers, where
the proof is done manually and the system merely does the housekeeping. In the
direction of automated theorem provers is the work of Boyer and Moore [17].
This has been used by Hunt to verify the correctness of a 16-bit microprocessor
[61]. The underlying logic of this theorem prover is first order predicate logic
without quantifiers. In principle, proofs are done automatically by this system,
but in practice the theorem prover needs to be guided considerably by carefully
requesting simpler theorem to be proved first. Barrows VERIFY system [12] is
another example of an automated theorem prover. The underlying model used
by this system is that of finite state machines, based on Gordon's LSM language
[46]. Inboth of these systems, logic gates form the set of primitive devices on the
1.1. Background and Related Work 6
basis of which hardware verification is done.
Another general formalism used for verification is temporal logic. An in-
teresting variant is that developed by Moszkowski known as Interval Temporal
Logic (m) [88J. Proofs using m were initially done by hand. Recent work by
Hale [52J shows that the HOL system can be used to mechanise proofs in m.
A subset of m has also been developed as an executable language known as
Tempura [89J. More recently, Leeser has used a variant of this formalism together
with Prolog to reason about circuits down to the detailed transistor level [72].
On the side of more specialised formalism are CIRCAL and J,lFP. The early
work of Milne and Milner on Concurrent Processes [81] inspired a number of
calculi. Milne went on to develop CIRCAL [82,83], while Milner went in a
slightly different direction and developed the Calculus of Communica ting Process
(CCS) [85,86J. In the CIRCAL framework, the structure of hardware devices is
represented hierarchically, communication between components being effected
through commonly named ports. Behaviour in this framework is described as a
sequence of events on the external ports of devices. Operators are provided for
the composition and the hiding of ports. Several examples have been completed
using this framework, including a simple CRT controller by Traub in [t13]. Here
Traub also presents the various temporal concepts needed to model different
granularities of time and the means of moving between them. A Lisp based
environment for doing proofs in this formalism has also been developed [t12].
Another motivation for using formal methods is the ability to transform de-
signs in a correctness preserving way and hence perform refinements. One com-
mon aim is to convert simple but inefficient algorithms into complex but efficient
ones. A recent general treatment is presented by Sheeran [tOl]. Design trans-
formation and derivations are emerging as a practical technique in research on
special architectures such as systolic arrays as described in, for example [11].
Sheeran uses /lFP [101],which is an extension of the programming language FP
developed by Backus. Sheeran introduces the Jl operator into the basic language
FP to model memory in circuit. Both the behaviour (functional part) and the
1.2. Overview of Thesis 1
implementation (geometric part) of a circuit can be presented in this language.
With the aid of the p operator, the inputs and outputs are modelled as streams.
Behavioural descriptions of circuits can be transfonned into their geometric forms
thus leading to correctness by construction. Only synchronous system can be
modelled by this formalism. Examples done using this framework include the
design of a systolic correlator [101].
The above work has concentrated on the gate level and higher. Wmskel
[116J described a compositional model for the more primitive components of a
VLSI technology, namely transistors, capacitors, etc. This work is based on the
simulation models developed by Bryant [21]. Though this work is at a more
detailed level than what has been described so far, it is not clear how it can be
related to the system leveL
1.2 Overviewof Thesis
Below is a brief description of the organisation of the material presented in this
thesis.
• Chapter 2 provides a general framework for the development of safety-
related systems based on the selection of criticality and the required level
of integrity. Different development and validation techniques are proposed
for different levels of integrity required. For very highly safety critical
systems, the main emphasis is on the use of formal methods to verify the
correctness and ensure that the required level of safety integrity is achieved.
This chapter lays down a methodological approach based on which formal
methods can be consistently introduced into, and incorporated with, the
system design lifecycle.
• Chapter 3 gives an insight into the process of generating and validating
a formal specification from an engineering point of view. We give formal
definitions of safety and that of a specification. Engineering specifications
are classified into two main classes of systems, memoryless and memory
1.2. Overview of Thesis 8
bearing systems. Heuristic approaches for specification generation and
validation of these systems are presented and discussed. We also give a
brief summary of currently available formal systems and their supporting
tools and then the reasons for selecting higher order logic as a specification
formalism are discussed.
• Chapter 4 provides a brief description of the HOL system. We describe the
species of higher order logic used, the meta-language ML in which the logic
is formulated, and the theorem proving strategies used to conduct proofs
in HOL. The main emphasis in this chapter is on those features of the HOL
system which are used in later chapters of this thesis.
• Chapter 5 illustrates the concept of embedding one logic within another
mechanised logic in order to prove soundness and provide mechanical sup-
port for proofs and reasoning. This chapter provides a temporal framework
based on which the design of a real-time system described in the following
chapter can be rigorously specified and validated. Formal definitions and
properties of temporal operators are defined inHOL and real-time concepts
such as time marker, interrupt and timeout are also discussed.
• Chapter 6 first gives a brief overview of the Drive-by-WIre control system
together with its interfaces. Then a novel design is presented which uses the
temporal constructs of the previous chapter. A formal specification for this
system is presented together with complete proof procedures of safety and
correctness. Some of the difficulties involved in arriving at the correctness
statement and constructing the proof are discussed.
• Chapter 7 provides a second case study in specifying a solid modelling
theory for mechanical parts. The work illustrates one aspect of formal vali-
dation techniques, that is correctness by construction. This chapter presents
the modelling theory with set theoretic topology and boolean operations.
The theory is used in this case to specify the mechanical properties of large
1.2. Overview of Thesis 9
distribution transformers. Associated mechanical properties of transform-
ers such as volumetric operations are also discussed .
• Finally, Chapter 8 evaluates the research described in this thesis. Some
ideas for further research, possible solutions to problems encountered, and
improvements to current strategies are also proposed.
Chapter 2
Formal Methods in
Safety-Related Systems
Despite the ever increasing importance of software systems in UK industry, there
is considerable difficulty in providing systems that meet the user requirements,
even when safety is not an issue. In response to increasing concern over the
use of computer-based systems in safety-related applications, recent government
reports and guidelines, such as the ACARD report [1] and the Draft Interim De-
fence Standard 00-55 [66], call for the use of formal methods, particularly for high
integrity applications. Use of the best software development methods available,
including formal methods, may also be advisable to prevent legal liability for
damage or injury caused by malfunctioning software. However, despite these
recommendation there is little evidence of these methods being adopted. Most
industries using computer control seem reluctant to invest in staff and computer
tools. This chapter explores the reasons for the special concerns for the safety of
computer-based systems, the ways in which formal methods can reduce the risk
of system failure, and how it can be effectively incorporated into the development
cycle.
10
2.1. The Concept of Safety 11
2.1 The Concept of Safety
It should be emphasised that the present research is concerned with systems
which are used in safety-related applications. A safety-related system is one via
which the safety of human beings and the environment is to be assured. Such
safety-related systems can range from quite small items, such as traffic light
controllers, to major applications such as nuclear power station and avionics
systems. Therefore, safety-related systems should imply those which are critical
in one or more of the following areas,
• Safety critical: a system in which failure or design fault could cause risk
to human life.
• Security critical: a system in which failure or design fault could cause
unauthorised disclosure, alteration, loss or destruction of material.
• Performance critical: a system in which failure or design fault could
cause the system not to achieve an important objective.
• Cost critical: a system in which failure or design fault could cause a
significant finandalloss.
• Environmental critical: a system in which failure or design fault could
cause significant damage to the environment or property. This could have
associated with it, disruption to normal life and possibly significant political
factors.
2.1.1 Safety in computer-based systems
There are many factors contributing to concern over the safety of computer-based
systems, Firstly being digital, they are unable to respond in a continuous and
interpolative manner that is characteristic of analogue solutions. As a result,
computer-based system are unable to average out the effects of inherent design
errors, or of erroneous data input. Consequently, digital design principles often
2.1. The Concept of Safety 12
gives way to rule of thumb and engineering judgement to achieve the desired
solution.
A second feature of computer-based systems is that where software is used to
carry out system functions there is a tendency to build more and more complex
systems since constraints such as volume, weight, and hardware rework costs
have lesser impact. As systems become more complex the ability to demonstrate
adequately the correct performance of the system under all operating conditions
is greatly reduced and there is a significant risk that design errors will not be
detected. Testing systems and their components does not guarantee tha t they will
operate safely with values between input limits, and furthennore an exhaustive
testing of all possible paths through a complex system is practically Impossible,
Additionally, concern for the safety of computer-based systems has been com-
pounded by the rapid increase in the demand for computer skills in recent years.
As a result many system designers have little training in the pure mathematics
disciplines of set theory and logic. These factors have produced a generation of
computer professionals who are almost unaware of the relevant mathematics and
modelling techniques.
2.1.2 Applying formal methods
The design of a computer-based system, as for all sequential systems is based
theoretically on propositional logic and on the assumption that system outputs
and internal stages are a function of all previous inputs and the most recent inter-
nal state. For relay logic, this type of system has been traditionally represented
through the use of state transition tables and diagrams. Unlike relay logic, how-
ever, a computer-based system does not behave in a concurrent fashion. For this
reason, the order in which the logic is executed is identified as a logical relation-
ship between input condition, system state and output condition for all values of
input data. This is achieved through the use of predicate calculus, which allows
properties of objects manipulated by the system to be expressed.
Formal methods are mathematical languages which possess rigorously de-
2.2. Design Methodology 13
fined syntax and semantics, based on the mathematics of set theory and logic.
Using these methods a functional specification of a system can be regarded as a
set of mathematical equations and the rules for logical equivalence can be used
to prove that two expressions are equivalent. This process has the result that
abstract specifications can be defined in the first instance to model the behaviour
of the system as required by the user, and can be subsequently refined to more
detailed expressions, and eventually into a suitable implementa tion. At each step
logical equivalence can be proven between the expressions, thus proving that the
final implementation complies with the abstract specification in every feature.
The process offers a potential for eliminating the risk of failing to meet the user
requirement, since specification can take place at an abstract level, and could
potentially improve design efficiency, as the process is amenable to automation.
However, the use of formal mathematical techniques are not without its draw-
backs. Therefore, in order to make an effective approach towards system devel-
opment for a wide range of safety-related applications, a framework is needed
to select and apply appropriate techniques during the development process. The
following sections described a methodological approach in the development cycle
of safety-related systems.
2.2 Design Methodology
The design approach taken in this thesis consists of a number of consecutive
conceptual stages as follows,
• Safety criteria selection: The safety criteria are established in discussion
with the user. These are the criteria by which the system is expected to con-
form for it to be judged operable. The safety criteria differ for each system,
industry sector and application because of the way in which the system is
to be used, given legal, economic and environmental considerations.
• Determination of assessment levels: For each hazard criteria a specific
assessment level is established after discussion with the user. Since there are
2.2. Design Methodology 14
no universal techniques for making this type of assessment the criticality
of the system with respect to the particular application, is determined and
from this the appropriate technique is chosen. By this consultation the user
is assured that the correct emphasis is placed on the application.
• Selection of development techniques: Each hazard criteria is evaluated
using the selected technique, in terms of the hardware, software and as a
complete system.
• Validation and verification: For each hazard criteria, the system will be
assessed to conform to some recognisable standard of safe/reliable opera-
tion for the agreed assessment level or will be found to be deficient in some
way.
2.2.1 Development IiCecycle
The prindples just described. can be embodied in four main steps, as shown in
Fig.2.1. The first two steps do not deal directly with the design process. Rather
they are part of the preparation needed before one can design safety features into
the target systems. They usually require a broad range of inputs, including some
specialised plant knowledge. It should be noted that the final specification of the
target system must itself be safe.
• Step 1: Safety relevant information on the plant and the environment
is compiled in this activity. Sources of information can be plant and en-
vironment descriptions, risk analyses etc. Auxiliary information such as
regulations and general safety criteria should also be gathered in this step.
The result of this step is a set of safety goals which should be fulfilled in the
design of the target system. These safety goals are often expressed as a set
of unsafe states the plant should not be brought into by the target system.
A set of specific design constraints is produced during this step, along with
a partial validation plan.
2.2. Design Methodology 15
Wormation on the
environment
Description of
the system
results
Figure 2.1: Design procedures
• Step 2: The initial functional specification should be examined closely
with respect to the safety goals established in step 1. The potentially safety
critical parts of the target system should be highlighted in order to identify
where specific safety measures should be designed into the target system.
The result of this step is a specification of the special features which should
be designed into the target system in order to enhance safety. These should
be added to complete the functional Specification.
2.3. Safety Criteria Selection 16
The third and fourth steps are concerned with the design of the target system and
its verification .
• Step 3: The target system is designed on the basis of the functional spec-
ifications and the description of the interfaces to the plant, as well as the
Specification of safety enhancing features made in step 2 and the specific
design constraints determined in step 1. During this activity one should
also utilise general prindples and techniques for safe design, which should
have been identified before the design started. The result of this step will
be the target system design document.
• Step 4: The design documents are verified with respect to the functional
specification, and it is also confirmed that the specific safety relevant re-
quirements and recommendations developed in the fi.st three steps have
been followed. Information on any required corrections is returned to step
3. After this step, the final design document is complete.
Needless to say, a high quality of project management and quality control is
needed in carrying out these four steps if the potential safety gain is to be realised.
The verification procedure in the final step can only proceed properly if full
records exists of the progress through the first three steps. The choice of suitable
techniques for these steps and the application of the chosen ones are not trivial
and the criteria for selecting appropriate techniques are discussed in section 2.5.
The following sections discuss the prindples and procedures involved in these
steps inmore details.
2.3 Safety Criteria Selection
The safety criteria for a system must satisfy any relevant legal requirements.
Many regulatory authorities have issued guidelines establishing criteria and there
are a number of national and international standards. In addition, many compa-
nies have developed their own internal standards. Table 2.t shows some national
2.3. Safety Criteria Selection 17
C1I .... .2u ..... ~ ....C1I c,j ..... 0 ~ u c,j ~ C1Iu 0- c,j 0- 's E >. u;:: r.Il C1I r.Il U 0 eo ;::~ 0 "iJ ~ :a 0 ..... c,j..... c,j C1I .... - C1I ~C1I C1I ::l C1I •.:= ;;j ~ ~0 <: z E!:: ::::a o <: 0 ~ tZ
BS5750 l22J J J J v' v' v' v' v' v'
BS5724 v'
BS5882 l:lJJ v' v'
IEC 880 [o:lJ v'
IEC SC65A WG9/10 loJJ v' v' v' v' v'
AQAP 1/13 [4.5J v' v'
Def Stan 00-16 [36J v' v'
Def Stan 00-55 [66J v' v' v'
Def Stan 00-31 [65J v' v'
CAA 690 v'
NES 620 [OOJ v' v'
RTCA DO-178A [98J J
HSE PES1/2 [60J v' J v' v' v' v' v'
Table 2.1: Available standards (v' = applicable).
and international standards and their suitable application areas. It should be
noted that the table is by no means complete.
From an engineering viewpoint, safety criteria for a system can be either
qualitative, for example build to a design standard, or quantitative, such as to
build a system so that it does not fail in a dangerous mode more than 10-6 times
per year. In both cases, it is important to carry out hazard analysis either as part
of a process to demonstrate compliance with a numerical target or to alert the
designer as to whether or not the applied standard is appropriate.
Quantitative safety criteria are most often used for high risk situations but it
should be noted that it is not possible, given the current state of knowledge, to
quantify system safety integrity. However, this does not mean that quantified
safety criteria for the system as a whole cannot be used. The numerical figure
can be used to aid in the decision on the degree of rigour required in the system
development process.
2.3. Safety Criteria Selection 18
2.3.1 Measures of risk
Any approach to safety-related systems has to include a wide range of different
types of application presenting a wide variety of different risks. The hazards
associated with such diverse applications vary greatly both in character and
consequence. Risk is defined by IEe in [63] as follows,
The combination of the frequency, or probability, and the consequence
of a specified hazardous event.
However, the means of combination of the frequency, or probability, and the con-
sequence is undefined. The following means of combination could be considered
given suitable values for the consequences of hazards,
Hn = frequency of occurrence x consequence of hazard
where Hn represents some subjective assessed measure of risk associated with the
hazard. As a result the degree of risk associated with different applications also
varies. There is no clear cut point at which we can say this application is safety
related and we shall apply full rigour to its development. Safety is essentially a
concept which depends on current social values and in fact, it concerns with the
level of risk at which the user is prepared to tolerate. Considerations which affect
the acceptable level of risk Hn include
• the number of people affected when a hazard occurs, and
• the degree to which individuals may choose to subject themselves to the
risk. For instance, it can be chosen subjectively and quantitatively that the
affected radius of a railway accident is 50metres, whilst it is about 20metres
in a car accident [107,108).
Moreover, since other economic and social factors also play an important part in
the consideration, a faithful assessment of the level of risk involved should not
only consider the negative hazardous effects but also the positive contributions
2.3. Safety Criteria Selection 19
Fn:rquency
of
occurenee
Figure 2.2: lEC mapping for software integrity level
of the system. That is the benefits to be derived from the application should also
be taken into account.
The benefits derived from the application and harmful consequences of the
hazard may ha ve a direct or indirect effect. For instance, the direct environmental
consequences of a population inddent may well be associated with indirect effects
which relate to the long-term health of the users.
2.3.2 Safety integrity levels
Safety integrity is a continuous quantity which is generally assessed in subjective
terms as safe or unsafe, that is either one side or the other of a level which is
regarded as acceptable. In practice a discrete measure is used which allows safety
integrity to be expressed in quantified terms. The quantification is rather crude,
typically the safety integrity of a system is expressed as one of several levels
ranging from highly catastrophic hazards to a very low risk level.
The lEe in [60] postulated a mapping between these safety integrity levels
and the consequences associated with the hazard concerned as shown in Fig.2.2.
However, this mapping is purely illustrative. As was discussed earlier, safety
integrity is affected by a number of factors other than the consequences of the
hazard. These factors and their inter-relationships are illustrated in Fig.2.3.
2.4. Determination of Assessment Levels 20
Number affecllld
Dcgrceolharm
DcIll'CC of choice
Hiah,
I
Ov .... u systml
inl.tCrity levd
Number bencfiaina
Type ofbencfit
Bascntial
De.irable
Extent oC bc:nefu
Luxury
Low
Figure 2.3: Factors affecting software integrity levels
2.4 Determination of Assessment Levels
So far, we have identified four major aspects of safety related system involving
different levels,
• the severity of hazard,
• the frequency, or probability, of occurrence,
• the safety integrity required, and
• the degree of assessment required.
The level of required safety integrity relates to the means used to both develop
and access the system. The level of assessment relates only to the means used
to ensure that an acceptable level of safety is achieved. The severity of hazard
and the frequency of occurrence, as discussed in section 2.3.1, are the basis for the
selection of safety integrity and assessment levels.
2.4. Determination of Assessment Levels 21
Integrity level Associated with
Low local environmental damage
Medium wide environmental damage
High small scale injury
Critical small scale loss of life
Catastrophic wide scale loss of life
Table 2.2: Safety integrity levels
Level Assessment
0 System overview
1 System structure analysis
2 System hazard analysis
3 Rigorous analysis
4 Formal mathematical techniques
Table 2.3: Assessment levels
When assessing safety related systems we identify five levels of hazard sever-
ity, five levels of safety integrity and five levels of safety integrity assessment,
based on the work done by the HSE [60], IEC [63] and other bodies [62,66]. Table
2.2 illustrates the association we make between safety integrity level and haz-
ard severity. Notice that the levels we use do not correspond exactly with those
described by the IEC in [63]. We do not explicitly use levels of frequency of occur-
rence. Rather the frequency of occurrence of a hazard is implicitly incorporated
into the scale of hazard severity.
Table 2.3 identifies the levels of assessment. These are associated with the
levels of hazard severity and safety integrity identified in Table 2.2. The associ-
ation of levels of hazard severity, frequency of occurrence, safety integrity and
assessment is flexible in the sense that safety is essentially a subjective quality,
based on a variety of different factors for which there are few measures and no
generally agreed means of combination.
2.5. Selection of Development Techniques 22
2.4.1 Level selection
One of the most difficult steps is the choice of a level at which to assess the system
and its components. This is related to the level of safety integrity which the
system should achieve. The required level of safety integrity summarises many
interlinked points, all of which are considered,
• Potential for loss of life
• Potential for human injury
• Potential for environmental damage
• Potential for economic damage
• Potential benefit derived from the system
• Expected number of instances of the system
• Expected number of occurrences of the hazard
• Contribution of the system to safety.
The process of determining the assessment level for a particular system is repre-
sented by Fig.2.3, which summarises the relationships between the various factors
which contribute to safety integrity and the contributions made by different as-
pects of a system to the overall safety integrity of the system.
Having defined the safety criteria and the safety integrity level which the
system should achieve, the next step is to select an appropriate development
technique which can ensure that the safety criteria are met.
2.5 Selection of Development Techniques
The approach is to associate with each level of assessment a number of techniques
which can be used in assessing a system, as shown in Table 2.4 [60]. The most
rigorous assessment level, i.e. level4, is associated with the use of formal mathe-
matical methods. Levell, however, is associated with the use of a review of the
2.6. Validation and Verification 23
Level Associated techniques
0 Design review
1 Checklists, Code walkthrough
2 Fault tree analysis, Event tree analysis, Cause
effect graphs
3 State transition diagrams, Petri-Nets, Markov
models
4 Formal mathematical specification and anal-
ysis techniques
Table 2.4: Assessment techniques
design and design procedures using checklists and a walkthrough and review of
the development stages. The assessment of any system typically involves the use
of techniques associated with more than one assessment level. For instance, de-
sign reviews are performed at all levels and formal hazard analysis is performed
at all levels above level2.
The concept of levels is important to the design and assessment of safety-
related systems. Safety itself, and the factors which contribute to the level of
integrity required and that achieved, are continuous quantities with no estab-
lished me tries. The concept of levels allows some degree of measurement to be
applied to these quantities and hence introduces a more concrete assessment of
the system integrity.
Different techniques are associated with the different levels of assessment.
These techniques model different aspects of the system. In addition to the in-
dependence of the personnel performing the assessment, diversity is therefore
provided with respect to the viewpoint from which the system is assessed.
2.6 Validation and Verification
Depending on the level of assessment a variety of different verifica tion techniques
are applied, ranging from straight forward design review to formalised analyses
of all or part of the system.
2.6. Validation and Verification 24
Different levels of safety integrity and different types of application require
that differing approaches, with increasing levels of formality, are employed in
system development. The validation and verification process takes this into
account so that in the process of reviewing a high integrity system more stringent
criteria are applied than would be the case for a low integrity system.
However, it is possible to apply a low level of verification to a system which
requires a high level of safety integrity. Since the purpose of the assessment is
to ensure that the required level of safety integrity has been reached, this may
be sufficient. A high level of assessment will, however, provide the necessarily
greater degree of assurance that the required integrity level has been achieved.
2.6.1 Informal techniques
Apart from dynamic execution testing, infonnal or manual methods have been
the only methods available for carrying out validation and verification of the
system when a fairly low level of safety integrity is required. Such Informal
methods include,
• walkthrough
• review
• audit/checklists
• code inspection.
As methods, however, they are by no means exhaustive, and although having the
advantage of repeatibility they are not particularly effective in detecting errors
introduced as a result of minor revisions. Nevertheless, such methods continue
to be as cheap and effective as any in finding the majority of errors, especially
when performed by experienced designers and therefore, they are most suitable
for analysing systems when safety constraints are not critical.
2.6. Validation and Verification 25
2.6.2 Semi-formal techniques
A number of semi-formal methods are used for those levels which have a high
level of associated degree of risk. Typical techniques include fault tree analysis,
Markov reliability model, Petri Nets and state transition diagrams.
Just as a rigorous and complete test case analysis is equivalent to formal veri-
fication, a rigorous treatment of these analysis is equivalent to formal verification.
However, it should be emphasised that a standard analysis using the above tech-
niques applied to system design, like the testing of the system, is informal and
incomplete. For instance, fault tree analysis, as it is usually performed, is an ef-
fective technique for focusing attention on some significant aspects of the design
but, without the rigour of formal verification, it cannot ensure that the required
level of safety is achieved.
Therefore, for safety-related systems with a very high level of associated
risk, a formal treatment is essentiaL Although the semi-formal analysis can
make significant contributions to achieving safe systems, formal specifications
and verification is the only method proposed to date that can achieve inprindple,
if not in practice, the level of safety required for safety-related applications. Of
course, formal verification should be applied in conjunction with, rather than
instead of, other techniques.
2.6.3 Formal techniques
Formal verification is used to validate systems against a formal specification that
defines what it is required to do. To achieve substantial improvements in system
safety, techniques for validating formal spedficatlons are important. The system
verification requires that the detailed formal specifications, which is required
for system verification, should themselves be verified against a simpler more
abstract specification. Of course, the simpler more abstract specification may
still be subject to error and must be verified against yet another Simpler and still
abstract specification, a process that eventually leads to a top-level specification.
In the context of safety-related computing, this top-level specification should
2.7. Discussion 26
express the safety requirements of the system.
However, there is no simple systematic method for checking that a top-level
specification correctly states the required safety properties of the system, since
safety properties, which are included in the specification, are also specified by
the user. Therefore, the specification expresses the real safety requirements of
the application and must, in the end, be determined by human inspection and
his/her understanding. In principle, it is the safety-reJated properties defined in
the top-level specifications that are assured by the verification.
There are a number of tools available to assist with the fonnal verification
of hardware and software systems. Some formal methods ha ve, in fact, evolved
from the semantic-analysis tools that were built to manipulate specifications and
programs. Tools and their associated specification languages that handle subsets
of first-order logic include the Boyer-Moore Theorem Prover (and the Gypsy
specification language)[42], LOTOS (and the language CSP) [114], and m-EVES
(with language m-Verdi) [34]. Finally, tools that handle subsets of higher order
logic include HOL [49], LCF [43], and OBI [41]. The relative advantages and
drawbacks of these formal methods and languages will be discuss further in the
following chapter.
2.7 Discussion
Designing for safety, particularly for computer-based systems, is an obvious goal,
but up to now little guidance existed on how to achieve it. The lEe Working
Group 9/10 has recently produced guidelines on design for system safety [63]
and the work in this chapter are most closely related to the philosophy on which
those guidelines are based and the principles underlying them. In fact, this
proposed standard addresses the fulllifecyc1e of the system development. There
are two significant points to the standard from IECWG9/10. Firstly, the standard
advances a five-point scale for the levels of safety integrity so as to introduce the
concept of degree of risk. Secondly, the standard does not place single emphasis
2.7. Discussion 27
on the use of formal methods for developing and assessing systems unlike the
interim Def Stan 00-55 [66]. Rather it proposes the use of a package of techniques
chosen from a set of such techniques such that they reflect the system integrity,
the application and the industry.
However, the main difference between our approach and that proposed by
the lEe standard is that in the Standard the required integrity level is selected on
the basis of the level of risk associated with the system, whilst in this approach we
also consider the benefits which the system contributes. Furthermore, the level
of risk associated in a system as a whole is not directly related to the level of risk
associated with software and other components. In fact, the overall level of safety
integrity is always higher than its constituent parts.
Finally, the work presented in this chapter outlines a general framework for
the development of systems based on the current state of the art. The main
emphasis in this thesis as a whole is on the use of formal methods to verify
the correctness, and ensure that the required level of safety integrity is indeed
achieved. This chapter has laid down a methodological approach based on which
formal methods are consistently introduced into, and incorporated with, the
system design. The following chapter discusses the concepts of safety and risk
from a mathematical point of view and illustrates how such safety objectives can
be achieved in a formal development framework.
Chapter 3
Formal Specifications in
Engineering
3.1 Introduction
Formal specification and verification can be used to validate systems against
system requirements where the required level of safety integrity is very high,
as was discussed in the previous chapter. During the verification of a system,
a large number of theorems must be proved. Although these proofs are not
mathematically profound, keeping track of the details of the proofs and the inter-
relationships among the various theorems can be overwhelming. Furthennore,
the proofs must be carried out with a very high degree of rigour to ensure the
high level of safety required. The generation of a formal specification and its
verification is usually carried out in a deductive system, part of which can be
automated by employing a mechanical proof checker, also called an automated
theorem prover. However, such a proof checker is usually far from automatic.
The user must supply many trivial details of the proof, usually in a manner that
must accommodate the internal working of the prover. In effect, the user must
create the proof, while the verification systems is responsible for the soundness
and completeness of the proof. Fortunately, experience has shown that, although
mechanical theorem verifiers frequently fail to find proofs that they might be
expected to find, they seldom find proofs that are invalid. The construction of
28
3.1. Introduction 29
proofs is not inherently difficult, but it is very time consuming.
Tosatisfy the mechanical theorem prover and to achieve the required level of
safety, the specifications must be formal. Informal specifications in plain English
may be useful in understanding the system and its documentation, but they can-
not serve as a basis for verification. Even carefully written formal specifications
are prone to error, and experience has shown that unverified specifications are
comparable in reliability to untested programs. Indeed, the process of verification
involves, in part, the correction of the fonnal specification.
In an attempt to obviate the inherent difficulties associated with the devel-
opment of formal specification, and formal techniques in general, this chapter
presents some heuristic approaches to the generation and validation of formal
specifications for engineering problems. Our approach is to classify practical
systems into categories and then present a formal treatment which is appropriate
to each class of system.
3.1.1 System Classification
From the viewpoint of specifications, practical systems differ not only in terms
of their functional properties, but also in terms of the interactions between their
inputs and their outputs. We have identified, from an engineering viewpoint,
two major classes of systems:
• Memoryless systems: whose every output is a function of the current
input alone; such systems have no memory of their past inputs.
• Memory bearing systems: whose current output depends not only on
their current input, but also on their past inputs; such systems must con-
stantly memorise, if not an infinite history of their past inputs, at least a
summary of it.
Within memory bearing systems, we have identified an important class of
systems which has important practical applications,
3.1. Introduction 30
input space X input space X
system
function R
system
function R
feedback
represents tion
of memory
output space Y output space Y
a) Representation of
memory less systems
b) Representation of
memory bearing systems
Figure 3.1: Representations of engineering systems
• Continuous processes, whose function is to compute responses toa stream
of inputs. In such systems, real-time aspects have to be identified.
Hence, from the viewpoint of specifications, we distinguished between three
classes of systems, memory less systems, and continuous processes. Typical ex-
amples of the first class include a CAD package, or a theorem prover. Examples
of the second class include a database management system. Examples of the third
class include an operating system, a process control and monitoring system, and a
database management system. However, due to the looseness of the classification
criteria, a system can be classified into more than one class, as in the case of a
database management system. Detailed specification examples of these types of
systems are discussed later in Chapter 6 and Chapter 7. In Chapter 6, we will
present a case study of a memory bearing device called Drive-by-Wire, and in
Chapter 7, a detailed discussion of the specification of a CAD system is presented.
A traditional view of these types of systems is illustrated in Fig.3.1, in which
the underlying principle of system modelling is based on a sta te machine descrip-
tion with or without a feedback loop. With this model in mind, in the following
section, we can formally state the safety conditions and the assessment criteria to
which the intended systems have to comply.
3.2. Formal Model of Safety 31
3.2 Formal Model of Safety
In state machine descriptions, a system ismodelled as a single, compound func-
tion which generates a new state from an input state as shown in Fig.3.t. A formal
treatment of safety is only concerned with the current behaviour of the system
and therefore, it can be equally applied to machines which mayor may not have
memory.
Let us suppose now that the operating domain of the system under considera-
tion can be divided into two subsets, Sand U which represent the set of sale and
unsafe states respectively. Using predicate calculus it is possible to formally state
the definition of system safety such that there are three conditions to be satisfied,
1. When the current state, Si, is contained in a set of safe states S, there is a
function F that will transfonn the current state into the next state, Si,which
is also contained in the set of safe states S.
'lSi E S. F(s;) = s; :> s; E S
2. When the current state is contained in a set of unsafe states U, there is a
function F that will transfonn the current state to the next state, which is
contained in the set of safe states S.
'lSi E U. F(s;) = s; :> s; E S
3. When the current state is contained in a set of unsafe states U, and there
does not exist a set of safe states for the current state to be transfonned to,
then there is a function F that will transfonn the current state to the next
state with the lowest risk.
where S is a set of states judged to be safe and, U is a set of states judged to
be unsafe, and Risk.; is the risk level associated with state Si.
3.2. Formal Model of Safety 32
In asserting that Risk(".) < Risk("j) consideration needs to be given to the time
taken for the system to achieve state S/ru and consequently this affects the assess-
ment of the acceptable level of risk in the design. The risk assessment is formally
based on a comparison of the cumulative effects of hazards over a finite duration
of time. Strategies for defining risk levels are discussed further in the following
section.
3.2.1 Risk assessment
There are at least two strategies that can be adopted when considering the con-
sequences of time in assessing a risk level. If Risk(•• ) is considered to be lower
than Risk(.,), however more time is required for the system to achieve state Sic
than state SI, a judgement can be made whether safety is best served by achieving
state Sir with a low risk in a longer time than state St. Suppose now that state SI
has a higher risk than state Sic but a lower risk than state Sj and can be achieved
in a short time, then the last safety condition, described above, can be qualified
as follows,
"lSi E U. -,(3 Sj E S. F(sd = Sj "
Riske".) < Risk(.,) < Risk(.j) " T(".) < Te.,) ) ~ F(Si) = Sir
where T.j is the time required to achieve a particular state Sj from the current
state Si. This strategy is appropriate for those instances when it is only possible
to predict one state ahead.
However, if it is possible to look ahead more than one state, an alternative
strategy might be to achieve a state with a higher risk for a short time in the
knowledge that a state with a lower risk will be achieved ultimately. So for this
strategy, safety could be expressed as the integral of the level of danger against
time,
safety = f P,;,Risk.; dt
3.2. Formal Model of SaCety 33
where Ps, is the probability of occurrence and Risk,,; represents the level of risk
associated with the state Si. The value of Risk,,; is subjectively judged and could
influence the choice of strategy adopted due to the level of confidence in the
judgement.
It is asserted in this Thesis that the definition of safety can be formally stated.
However, the determination of set of safe states or unsafe states depends on a sub-
jective judgement based on the knowledge, experience, emotion and legislation
of what is acceptable at the time. For instance, in the design of a Drive-by-Wire
system which is described in Chapter 6, the machine is specified as a finite state
model which maps a set of legitimate input sequences to an output space.
The output space is divided into three subsets, namely, the initialisation or
start-up mode, a set of safe states and a set of unsafe states, where these states
are defined by appropriate conditions, for instance, an unsafe state is defined as
the case when the system failed with its throttle being wide open. In this case,
a number of safety strategies can be applied, such as to shutdown the system,
or to switch it to manual control mode. It is then completely dependent upon
a subjective judgement of the specifiers, the users and what are allowed in the
safety legislation of the automotive industry to dictate the required actions. The
verification of the system is observed in order to ensure that the three safety
measures outlined above are indeed achieved.
However, in order to formally prove that the required level of safety is reached,
the specifications must be formal. Informal specifications may be useful in un-
derstanding the system and its documentation, but they cannot serve as a basis
for verification. In the following section, we describe a specification model which
provides a framework for a formal development. Later in section 3.4 and section
3.5, we discuss techniques for generating and verifying such a model.
3.3. A Specification Model 34
3.3 A Specification Model
A formal specification can be modelled as a tuple of 3-element represented by
(X, Y, R),which includes
• A set X, called the input space of the specification. This set contains all the
inputs that are likely to be submitted to the system.
• A set Y, called the output space. This set contains all the outputs that
systems are likely to return.
• A relation R from X to Y, called the input-output relation of the specifica-
tion. This relation contains all the pairs of the form (x, 1/) where x E X is a
legal input sequence and 11E Y is a correct output for the input sequence
x. By including the pair (x, 11) in R, the specification states that for input se-
quence z, the output 11 is considered to be correct. The necessary constraint
for the correctness argument of a specification is that the relation R has to
be onto, this means that there is at least an output 11 E Y for any input e.
The uniqueness property further requires that R also needs to be one-one.
However, in practice, there are cases where, for a given input X there may
bemore than one output 11E Y which can be designated, and R in this case
can be arbitrarily non-deterministic.
It is convenient to consider that input sequences are infinite, we represent them
as follows,
where Xo is the current input, Xl is the most recent previous input, X2 is the input
submitted prior to XII and so on. In practice, it is not necessary to look at all
the input sequence in its infinity to decide whether a given output 11 is correct;
rather it suffices to look for the subsequence of recent inputs. Specifically, there
is usually an input whose purpose is to reset the system to its initial state, for
instance, setting a database to empty, setting a control system to start-up, etc. and
3.3. A Specification Model 35
it is often adequate to consider a set of input sequences up to the most recent
initialisa tion.
3.3.1 Model representation
Given spaces X and Y, we can subsequently define the relation R on X x Y. Let
d = (Wit A~, R,) be a system which comprises of a set of well-formed formulae
WI called the specification, and a set of axioms A~ and rules R,. The set of
specified formulae WJ has the following properties,
• they are logical formulae interpreted over the input space X and output
space Y,
• they are formulae of the form (e, y) e R. where e is the input sequence and
y is its corresponding output.
Then the pair (e, y) is in R if and only if the formula (z, y) E R is a theorem of
d. That is, the correctness of the specification WI is guaranteed if there exists a
theorem,
WI ~'Vz.3y. (z,y)e R
In fact, in this model we only consider the correctness of a specification in rela-
tion to the Customer Requirement, including the safety properties. The issue of
uniqueness as discussed in the previous section has to be addressed when dealing
with the safety objectives of the design. That means that R is required to be a
one-one or deterministic function,
WI ~ 'V:t. 3y y'. (:t, y) e R 1\ (z, y') e s » y = y'
When such a representation is chosen, definitional axioms are typically used to
define the desired output of the specification for trivial input sequences; while
inference rules define the equivalence between input sequences. The model
representation is illustrated in Fig.3.2. The most natural way to define the integrity
3.3. A Specification Model 36
Output space Y
Figure 3.2: Specification model
of a specification is to give the necessary and sufficient condition under which it
can be proved correct. This correctness condition is illustrated in the following
sections.
3.3.2 Formula of correctness
Suppose now that Sp = (X, Y, R) is a specification with an input space X, an
output space Y and an input-output relation R. Implementations for this specifi-
cation must have X as their input space, and Y as their output space. In order to
match them against Sp to check for correctness, it is necessary to define a function
that computes between their inputs and outputs.
The functional abstraction F of an implementation I is a function from X to
Y such that,
F = ((x,y) I I(x) = y}
It follows that given a relation R and an implementation I, the function F de-
scribes what I does, while R describes what I must do. It is obvious that the
correctness of I with respect to R must be expressed as a consistency condition
3.3. A Specification Model 37
between F and R, that is
I is correct with respect to R ¢::::} F is more defined than R
In other words, F must carry more input-output information than R, i.e. the im-
plementation I does all that R requires. More formally, the correctness statement
can be formulated as a logical equivalence of the form,
I- Vxy. I(x, y) == F(x, y)
where I is a predicate representing the implementation, and F is a predicate
representing the specification. For a simple system, this is often the appropriate
way to state correctness and some system can only handle such equivalence
[45). However, for complex systems, it is usually wrong to require that the
implementation be logically equivalent to the specification. The specification will
typically be some sort of abstract description of behaviour, opera ting on different
data types and at a different time scale to the implemented systems. Insuch cases,
correctness is more appropriately formulated as an implication of the form,
I-Vxy.I(x,y) :)
let Xl = Absi( x) in
let Yl = Abso(Y) in F(xt, Yl)
where the Absi and Abso respectively maps the input and output of the imple-
mentation I, to those of the specification F.
Inpractice, however, it is a property of the implication that the predicate
I- 'Ix. False :) x
is true for any z, i.e. false implies anything. Thus if the implementation I( x, y) were
equivalent to False then, in a mathematical sense, it would correctly implement
every specification. Hence, care has to be taken when deriving correctness proofs
for a particular implementation to ensure that this problem does not arise. In fact,
3.3. A Specification Model 38
to obviate the problem, the correctness statement can be reformulated in a more
rigorous way, by combining the correctness and consistency condition as follows,
r 'Vxy. (l(x, y) :::> F(Absj(x),Abso(Y)) " lex, y)
The second conjunct of this theorem states that for all possible input values, there
are some output values which are consistent with those. If this is true then the
implementation formula l(x,y) is never equal to False and so the false implies
everything problem can not arise.
3.3.3 Total and partial correctness
The specification model and its correctness statement described so far, is called a
partial correctness specification. These specifications are partial because for the
relation F( x, y) to be true, itdoes not assert anything about the internal behaviour
of the system. Itmerely means that the system described by F delivers an output
y on the reception of an appropriate input x. Let us take the example of the
Driv~by-Wire, presented in Chapter 6 for instance. Generally, the specification
is described as a tuple of 5, = (X, F, Y) where X and Y are sets of legal input
and output sequences, and F is a relational representation of the system which
is modelled as a finit~state machine. The partial correctness statement of the
specification is asserted by a theorem of the form,
r 'Vxy. x EX" F(z, y) :::> yE Y
More specifically, a useful theorem 1 which asserts the system behaviour in a
shutdown condition can be shown in a simplified form as follows,
r 'Vs. SAFE So A Nextstate (so, SI) :::> SAFE 81 (3.1)
where So and 81 are the input and output state vectors and the relation Nextstate is
true if SI is an output of 80. In this case the domain of both input and output space
1Detailed discuuion is presented in section 6.6.3 ILIldshown in Annex C.
3.3. A Specification Model 39
is defined coherently by the predicate SAFE which in tum, defines a set of safe
states of the system. What is illustrated in this example is the fact that the above
theorem guarantees the partial correctness of the specification by asserting that
given any sequences belonging to a suitable input space the system will deliver a
legal output.
Although, theorem (3.1) is useful in determining the behavioural correctness
of a specification, it says nothing about the deterministic property of the system in
question. In fact, determinism is a dual problem with the termination of computer
programs which can be stated formally as follows,
I-Vx.xEX::> 3y.yEY A F(x,y) (3.2)
Notice that this asserts that F terminates under input condition x if there is
some final output state for each initial input state satisfying X. For example,
the terminating condition of a finite state machine model of the Drive-by-Wtre is
described by a theorem of the form,
I-Vm v pt.3s.3m' v' p'.Nextstate (s,m,v,p)t = (m',v',p')
In fact, the correctness of the function Nextstate can be illustrated further by
showing that it is also deterministic, i.e. it satisfies the relation
In this case, the termination condition of (3.2) is sufficient and the total correctness
statement of a specification can be defined by the informal equation,
Total correctness = Termination + Partial correctness
and it can be implemented by asserting, as shown in the case of the specification
of the Drive-by-Wire that,
I- 'tim v p t. 38. 3Vm' v' p'. NextState (s, m, v, p) t = (m', v', p')
3.4. Specification Generation 40
In fact, the total correctness of the specification is expressed by the unique (3'1)
quantifier which states that there is one, and only one, set of output states for
each occurrence of the input state s. Having defined the specification model
and its correctness statements, we will discuss techniques for generating such.
specifications and outlines methods with which they can be validated in the
following sections.
3.4 Specification Generation
Recall from Chapter 2 that the first phase of the specification process consists of
expressing the user requirements in the form of a relation. This process takes place
in a progressive stepwise fashion, by considering one aspect of the target speci-
fication at a time. In this section, we discuss techniques to tackle the complexity
of generating a specification by breaking it down into a set of simpler subsped-
fications. We will discuss in tum, techniques that are applicable to memoryless
systems, and then those that are applicable to memory bearing systems.
3.4.1 Memorylesssystems
Let us assume that the general form of a specification of a memoryless system is a
relation on some set S. Given that S is fixed, the generation of a relation R takes
place ina stepwise fashion. Generally, there are three heuristic approaches which
can be used in developing such specification,
• Separate binary (rom unary properties
It is common for a specifications to be the conjunction of two kinds of
properties,
- binary properties which link input states 8 to output states s', and
- unary properties which describes features of output states s' alone.
It is good practice to distinguish between these two types of properties.
More specifically, it is often more convenient, especially in the verification
3.4. Specification Generation 41
phase, to reduce binary properties to their simplest possible expression,
thereby abstracting away from them any hint of unary properties.
Usually, a binary property has the form of an equivalent relation, and ex-
presses some form of preservation. In contrast, the unary property serves
to reduce the range of the relation, and expresses the property we wish to
produce in the output. A simple example of such a distinction between bi-
nary and unary properties, which are discussed in more details in Chapter
7, can be outlined as follows,
Ra = {(b, b') I transform (b, b') }
RI = {(b, b') I -mull.object (b')}
(3.3)
(3.4)
where band b' are binary tree representations of solid objects, and the
predicate transform holds if b' is actually a Boolean transformation of b, that
is the predicate transform operates on two arguments b and 6'. In contrast, the
predicate nulLobject qualifies its argument b' to be a valid solid primitive if
it is a non-empty object 2. Thus, the property (3.3) is a binary relation which
states that b' preserves the original binary tree h, and (3.4) is a unary relation
which expresses a property of the output object b'.
• Use only binary and unary properties
Some specifications can be formulated in the following terms,
given s, find s' that maximises I(s') under the constraints p(s,s').
The fact that s' which maximises function I,is not a property linking s' to s;
rather it is a property linking s' to other possible occurrences of s' such that
p( s, s') is satisfied. As such, it does not fit well into the relational formalism,
which is best suited to describing binary properties of 8 and s'. The key to
avoiding this difficulty is to reformulate the specification in such a way that
the maximality of 1(8') is expressed as a property of 8' alone, hence fitting it
2Detailed descriptions or these (unctions are discussed in Chapter 7.
3.4. Specification Generation 42
as a unary property, or as a property of s and s', hence fitting it as a binary
property .
• Stressing the right abstractions
A failure to find the proper abstraction in generating a specification is more
often due to the lack of grasp of the requirements, on the part of the specifier
than it is to some intrinsic property of the specification.
Two broad classes of semantic abstraction functions are those that abstract
preserving each system's behaviour and those that abstract preserving the
system's structure,
- Behavioural abstraction, which describes only constraints on the ob-
servable behaviour of the system. The behavioural constraint that
most formal methods address is a system functionality. That is to de-
fine a relation R which maps from input space X to output space Y.
Apart from functionality, other behavioural aspects, such as fault tol-
erance, safety, security, response time, and space efficiency can also be
addressed in the behavioural abstraction.
It is often the case that some of these aspects such as fault tolerance,
are included as part of, rather than separate from, a system's function-
ality. If the overall correctness of the system is defined so that it must
satisfy more than one behavioural constraint, a system that satisfies
one but not another would be incorrect. For instance, if functionality
and response time are the constraints of interest, a system producing
correct outputs past deadlines would be as unacceptable as a system
producing incorrect outputs on time.
- Structural abstraction, which describes constraints on the internal com-
position of systems. In this thesis, we do not consider the structural
abstraction of systems, rather we concentrates on the behavioural spec-
ification of both memoryless and memory bearing systems. For more
detailed discussion on structural specification and other abstraction
3.S. Specification Validation 43
mechanisms see, for example [49,51,79J.
3.4.2 Memory bearing systems
In addition to the generation strategies outlined for memoryless systems, there
are two additional strategies specifically applied for memory bearing systems .
• The use of definitional axioms:
For each element of the output space Y,we generate a definition that defines
for which inputs that element is to be delivered asanoutput. Becauseseveral
inputs may share the same output, the definition will show a trivial input,
and leave it to the rules to show what non-trivial inputs share the same
output as the trivial one .
• The initialisation rule: Each memory bearing system has an operation
that resets it to some predefined state that isusually interpreted as the initial
state. Given such an operation, we must express in a rule, that everything
that occurs before such an operation is to be ignored.
Detailed examples on the use of definitional axioms and rules for generating
and reasoning about a specification are given inChapter 6. The set of strategies
presented here for the generation of the specification of the memoryless and
memory bearing systems are by no means complete, they are merely indicative.
In fact, there is no systematic way to check that aU the requirements have been
formulated completely and correctly. The only way to ensure the consistency
and completeness is to perform a validation, in the form of formal reasoning, on
the specification. Different approaches for system validation are discussed in the
following section.
3.5 SpecificationValidation
Inpractice, when a specification is derived from a user requirement, we can never
be sure that we have captured aU the requirements that the user has inmind (com-
3.5. Specification Validation 44
pleteness), or to have captured them faithfully (consistency). On the other hand,
because the user requirements are expressed in an informal document, it is not
possible to check them formally for completeness against a formal specification.
The purpose of the validation step of the specification process is to check the
completeness of the proposed specification with respect to the user requirements.
In the following sections, we discuss in turn how the specification validation is
performed for memoryless systems, then we consider memory bearing systems.
3.5.1 Memoryless systems
Just as we did in the previous section, we assume, without loss of generality,
that the general fonn of a specification of a memoryless system is a relation with
respect to some set S. The validation step raises two crucial questions that must
be considered, namely,
• What fonn do properties take ?
• How do we check a specification against a property ?
The task of validating a specification requires the generation from the require-
ments of properties that the specification must meet. Properties are relations
which can be stated fonnally as follows,
A specification S expresses that for input states satisfying the predicate
q(s) I output states s' must satisfy the predicate q'( s, s').
Such a definition can in effect be captured in the relation
V = ((s,s') I q(s) " q'(s,s')}
From this definition, it is implied that checking for a specification S to be valid
with respect to a property V means must to validate the following conditions,
• The set of input states associated with property, V say, is included in the set
of input states associated with specification S.
3.5. Specification Validation 45
• Whenever applicable, the set of output states acceptable by V includes the
set of output states acceptable by 8.
In other words, the above validity conditions formally implies that the domain of
V is a subset of the domain of 8, i.e. 8 is more-defined than V. For instance, in
Chapter 7, when solid objects are combined using pre-defined solid primitives, an
important property to preserve the correctness of the operation is that it is required
not only to show that the solid components are in fact satisfied some pre-defined
validity conditions, but also to prove that the combined object is actually a valid
solid, i.e. it also belongs to a set of homogenously three dimensional objects 3.
3.5.2 Memory bearing systems
It is obvious that the problem of validating a memory bearing specification is
Identical to that of validating a memoryless specification, since in both cases
the specifications of memory bearing systems are hardly ever written as explicit
relations, but are rather written using definitions and rules.
If specifications and properties are represented as explicit relations, then the
problem of validation is the same as for memoryless systems, and will not be
considered further here. Thus, suppose that specifications are represented ax-
iomatically using explidt definitions, then in the remainder of this chapter, we
will discuss specification validation for various representational forms of proper-
ties.
• The property is a singleton
Consider a property of singleton that for a given input sequence :lo, the
output is Yo for a specification of the form 8 = (X, Y, R) where X and Yare
input and output space respectively, and R is an input-output relationship.
This can be represented formally by the relation,
3More deta.ils on solid modelling And operations are discussed in Chapter 7.
3.5. Specification Validation 46
Inthis case, it is obvious how to validate the specification for a specific input
xo, and to check whether the specification yields the output Yo. This is ex-
actly similar to program testing. Inorder to prove that a given specification
meets a property of this form, we must prove the following lemmas,
Xo E X
R(xo) = {yo}
These lemmas are, in fact, derived from the definition of total correctness
discussed in section 3.3.3. Because the first lemma is a consequence of
the second, it is convenient to prove the second. However, it should be
emphasized that the second lemma asserts that the application of R on Xo
results on a singleton set with Yo as its only element Therefore, using the
principle of separation of concern, this can in tum be proved by means of
the following lemma,
(:ro, Yo) ER
(:ro, Y) ER:> y = Yo
The first lemma ensures the partial correctness proof and the second asserts
the determinism of the specification. To prove the first lemma, it is required
to show that (:ro, YO) ERisa theorem of the deductive system that represents
the specification. To prove the second lemma, it is necessary to show that
Y = Yo is a logical consequence of (:ro, y) ERin the deductive system that
represents the specification R. The latter proof uses the fact that R is a
possible relation that verifies the definitions of the specification.
• The property is written as a relation
This is the most common form of properties expressed in any formal de-
ductive system. Intuitively, the specification is valid with respect to the
property if and only if it can be proved that the property is indeed a theo-
rem of the formal system itself. Any subsequent rules, axioms, definitions
3.6. Description or Formal Methods 47
and theorems used to derive this property, contributes to a formal proof.
Detailed discussions about proof procedures and tactics are presented in
Chapter4.
3.6 Description of Formal Methods
Inconsidering the characteristics of a formal method, it is important to distinguish
between a formal system and the method of its application. A formal system is
characterised by being logically self-consistent. Each expression can either be
defined in terms of another, simpler expression, or in a set of axioms of the
system. A formal system will also include rules for converting expressions into
other, equivalent ones. In contrast, a formal method provides a framework for
applying such a system to software development.
Many of the formal methods currently in use provide some or all of the
following resources:
• a notation for writing expressions based on an established logical and math-
ematical theory,
• a language structure to allow the notation to be used for generating spec-
ification. This usually incorporates aspects such as data typing, variables
and information hiding. It should be noted that in contrast to the logical
system employed, the language component of a formal method may not be
rigorously defined,
• a methodology for applying the above to software development; this can
include guidance on specification, decomposition and proofs,
• support in the form of textbooks, courses and automated tools such as
editors and theorem provers.
All the formal methods discussed in this chapter describe a system as a series of
state changes. However, there is a distinction to be made between those methods
which describe state change as it affects the internal data structure of the system,
3.6. Description of Formal Methods 48
and those which describe state change as it effects the way the system interacts
with its environment. Of these methods, we will discuss the most relevant ones,
in the considered domain, in terms of their underlying logical principles. These
include,
• First order logic
• Higher order logic.
• Temporal logic, and
3.6.1 First order logic
First order logic is the most traditional form of logic which deals with proposi-
tions and propositional functions, that is, those functions where the domain of
the independent variable ranges over propositions. All usual logical connectives
are defined as well as the existential and universal quantifier. However, inter-
pretations of first order logic require a specified domain and symbols referring to
entities within this domain. Different domains lead to different interpretations.
The language of first order logic consists of terms and formulae. However,
the traditional approach in this formal system is purely logical and does not
provide the common concept of function. Truth values are usually introduced
by assigning them with an interpretation, this means that functions with truth
values as the range, are used instead of predicates. Furthermore, since first order
logic does not support proper quantifiers, formal methods using first order logic
have difficulty in expressing timing in a detailed manner, and also in expressing
abstraction between levels of description. Examples of first order logic systems
include the Boyer-Moore theorem prover [17] which has been used to prove the
correctness of a microprocessor at the register level [61J. A detailed discussion of
the limitations of first order logic in relating different levels of abstraction can be
found in [50,72].
However, first order logic is important both from methodological and practical
point of view. Inparticular, studies with first order logic have revealed limitations
3.6. Description of Formal Methods 49
in its expressive power and that leads to a new formalism which is based on higher
order logic.
3.6.2 Higher order logic
Higher order logic represents an enhancement of the first order logic. It extends
the notation of first order predicates in that the domain of variables also ranges
over functions and predicates, and functions can take another function as argu-
ments and return functions as results. For example, consider a temporal definition
of Next as follows,
r Next p = ~t. P (t + 1)
This asserts that the function Next is always true at the subsequent time point.
Here phas time functions as domain, that is, function from time which is mod-
elled as positive integers to Boolean values, and Next is a higher order function,
accepting p as an argument and returning a Boolean result.
Specifications, written in higher order logic, are partial and hierarchical, and
they can take account of low level timing issues. For instance, in the above
example, the specification is partial since it leaves the value of Next at time
zero unspecified. Furthermore, such simple elements of the specification can be
defined at different levels of abstraction and consistency between levels can then
be proved. A designer's knowledge of systems is structured as a set of theories,
each defined by a theory presentation constsnng of a set of symbol declarations
and a set of axioms. Theorems can be deduced from axioms using inference rules.
Available supported tools for higher order logic include the HOL system
developed by Mike Gordon and his team at the University of Cambridge. HOL as
a formal system is polymorphic, i.e. it allows types containing type variables, and
has Hilbert's operator to build the choice axiom which allows us to introduce new
primitive formulae. Inpure logic, a theory contains all possible theorems, whereas
in HOL it contains only axioms and already proved theorems, and consequently
the soundness and consistency of proofs are always preserved.
3.6. Description of Formal Methods 50
Higher order logic has more expressive power than first order predicates, but
the trade off for this advantage involves more difficulty in performing and mech-
anising proofs procedures. The integration of higher order logic with functional
methods is a trend for future development.
3.6.3 Temporal logic
Inorder to present systems practically, we must cope with a particular aspects of
reality, namely time and its temporal evolution. A formal system that can reason
about past and future events is called temporal logic. Temporal logic includes
all usual connectives and adds some typical operators. Although there are many
variants, the basic operators are,
• henceforth 0
• eventually <>
• next 0
• until u
Ina temporal logic system, specifications are transferred into state diagrams using
temporal logic decision procedures. This state diagram and the implementation
are traversed simultaneously to look for a counter example, where the implemen-
tation does not satisfy the specification. There are two main types of temporal
logic based on the way it consider time, namely linear temporal logic [57] and
interval temporal logic [52].
Ingeneral, temporal logic is appropriate for specifying control systems, since
it can capture time and dynamic behaviour, with clear and concise notation. In
temporal logic, there are no explicit time variables; time is an implicit part of the
temporal operators. As a result, the specifications of behaviour are more succinct.
In addition, there is no need to express such information as an order over time
variables. In higher order logic descriptions, time variables are explicit and Sig-
nals are functions of time to values. Behaviour specifications have consequently
3.7. Discussion 51
become more complex. However, the advantage of embedding time variables
in higher order logic systems such as HOL, is that it is not necessary to have
special proof rules to deal with the temporal operators, so the system may be less
complex [68,69J.
Temporal logic can be embedded in higher order logic. Gordon and Hale
[52J have shown that Interval Temporal Logic can be embedded in HOL. The
work in Chapter S of this thesis, demonstrates that Linear Temporal Logic can
also be embedded inHOL. There are several advantages to doing this, including
the ability to mix a temporal logic description of behaviour with explicit time
representation. Details on embedding temporal logic are discussed further in
ChapterS.
Embedding one logic within another mechanised logic in order to prove
soundness and provide mechanical support, has been proved valuable inmany
cases. For instance, Hoare's logic was embedded inLCF [103J, Dijisktra's weakest
preconditions were embedded in HOL [8], while CSP was embedded in HOL in
[26].
3.7 Discussion
It has been shown so far that formal methods always have a role in system design,
and to make the verification and validation practical they have to be supported by
theorem proving systems. However, to satisfy the mechanical theorem prover and
to achieve the required level of safety, the specifications must be formal. Informal
specifications may be useful in understanding the system and its documentation,
but they cannot serve as a basis for verification. In fact, the process of verification
involves, in part, the correction of the formal specification.
In an attempt to obviate difficulties associated with the development of for-
mal specification, and formal techniques in general, this chapter presents some
heuristic approaches to the generation and validation of formal specifications of
engineering problems. Our approach is to classify practical systems into cate-
3.7. Discussion 52
gories and then present formal treatments which are appropriate to each class
of system. However, it should be noted that these treatments are by no means
exhaustive.
Furthermore, the choice of a logical formalism for system verification has
been shown to have a strong impact on the effectiveness of system development
in terms of cost and efficiency. It involves a compromise between expressive
power and ease of proof. A simple and restricted formalism, such as first order
logic, will make the proofs of simple systems easy but may make it hard to specify
complex systems simply and concisely. At the other end, a powerful formalism,
such as higher order logic, makes available the results of general mathematics,
allowing in principle the construction of whatever mathematical tools are needed
to deal with the verification task at hand.
Higher order logic has been considered to be more rigorous than other meth-
ods, because all but very simple data types can bedefined by the user. This avoids
the need to use pre-defined mathematical models which may have unnecessary
or undesirable properties for a particular specification. Use of a theorem prover,
however, remains an activity requiring specialised knowledge and experience,
and there is little practical experience to date of the application of these methods
to system development. In fact, it is the motivation in this work to concentrate on
the application of this particular technique to engineering problems. In the fol-
lowing chapters, a particular higher order logic system called HOL is described,
and its use in specifying and verifying practical engineering problems will be
discussed.
Chapter 4
HOL Theorem Prover
4.1 Introduction
The HOL system, developed by Michael Gordon and his team at the University
of Cambridge, is a tool intended primarily for hardware specification and verifi-
cation using higher-order logic. It is implemented on top of Cambridge LCF [93]
and supersedes the earlier system LCF-LSM [44].
HOL is the name given to the entire theorem proving system which supports
higher order logic as a fonnalism for writing specifications and conducting formal
proofs. Incases where it is necessary to distinguish between the computer system
and the species of higher order logic embedded within it, the terminology HOL
system and HOL logic are used respectively.
A detailed account of both the HOL system and the HOL logic can be found
in [SO]. In order to make this thesis self-contained, however, a brief introduction
to HOL is given in the following sections. This should enable the reader with
little or no experience with HOL to follow the rest of this thesis. Some familiarity
with predicate logic is assumed.
4.2 Background
The early work of Milner and others on the LCF project [43] inspired much effort in
the area of mechanised theorem proving. A specialised language was developed
53
4.3. The HOL logic 54
for specifying and verifying hardware [44) which led to the development of
the interim LCF-LSM theorem proving system [46). Many examples were done
using this system ir-cludlng the verification of a simple computer [47). Many
improvements to the LCF system have been made over the years, including an
improved rewriting package [91], and a new tactics package [92]. Hanna and
Daeche then independently developed the VERITAS theorem prover based on
higher-order logic [53,54]. With the improved expressive power of higher-order
logic becoming increasingly attractive, and with the experience gained from the
LCF family of theorem provers, Gordon then developed the HOL theorem proving
system [49, SO],which forms the basis of the work done in this thesis. A number
of examples have been successfully completed which demonstrate the use of
higher-order logic as a vehicle for specification and verification. These include
the verification at the detailed timing level of a D-ilipflop implemented in logic
gates [53,56] for proofs done in the VERITASand the HOL systems respectively),
the verification of a ring interface chip [48], re-proof of the computer inHOL [68],
and the first level proof of correctness of VIPER in the Viper research project [31].
4.3 The HOL logic
The type of higher order logic usedwithin the HOL system is a version of Church's
Simple Type Theory [29]. The HOL logic uses standard predicate logic notation in
which one makes use of the propositional logic connectives denoting negation (-'),
conjunction (A), disjunction (v), implication (::» and equivalence (=) to connect
propositions (such as properties and relations) to form more complicated sen-
tences. Variables in such sentences are bound using universal CV> and existential
(3) quantification.
Table 4.1 outlines the syntax and informal semantics of predicate logic, In
the table, t, t1 and t1 stands for arbitrary terms while t[x] stands for some term
containing free occurrences of the variable x.
Higher order logic generalises first order predicate calculus by allowing one to
4.3. The HOL logic 55
Notation Meaning
P(x) x has property P
tu», y) relation R holds between x and y
-iiI not ti
tl V t2 t1 or t2
tl A t2 t1 and t2
tl :::> t2 tl implies t2
tl = t1 tl if and only if t2
"Ix. t[xl t[xl is true for all x
3x. t[xl t[x] is true for some x
(t ::} tl I t2) if t is true then tl else t2
Table 4.1: Predicate logic notation
use higher order variables - i.e, variables ranging over functions and predicates.
For example, the induction axiom for natural numbers can be written as,
VP.(P (0) A ("In. P (n) :::> P (n + 1» :::> "In. P (n))
Here, the variable P is quantified and ranges over predicates; such variables are
said to be higher order.
4.3.1 Terms
The HOL logic uses four kinds of terms: variables, constants, function applications,
and lambda expressions.
Variables and constants are denoted by sequences of letters or digits starting
with a letter. For example, x, Yl, and gnd can be names of variables or constants.
The difference between variables and constants is not apparent at this stage but
will be dealt with in later section on the HOL system when the notion of a theory
is introduced.
Function applications have the form tl (t2), where the subterm t1 is called the
operator and t2 is called the operand (or argument). Due to the higher order nature
of the logic, the results of function applications can themselves be functions, Le.
functions can take functions as arguments or return functions as results.
4.3. The HOL logic 56
Tominimise bracketing, function applications can be written as / x instead of
/(x). Furthermore, application associates to the left and so, t1 t2 ... t« abbreviates
«t 1 t2) ... tn).
Lambda-expressions are the means of denoting functions within higher order
logic. The term >'x.t (where t is any expression) denotes the function I, say,
defined by
/ (x) = t
Ifwe take t in the above >.-expression to be the expression x + 11 such that we have
the term >'x.x + y then x is said to bound variable, y is a free variable and x + y is
called the body of the >.-expression.
4.3.2 Types
The HOL logic is a strong typed logic, i.e. all terms expressed in this version
of higher order logic must have a type. Without types, the HOL logic would be
unsound as the availability of higher order variables can give rise to a version
of Russell's paradox [49]. The type system used in the HOL logic is derived
from that of PPLAMBDA [43] which, in tum, descends from the type system
formulated by Church [29]. It allows types to be either,
• atomic (e.g. bool to denote the sets of booleans or num to denotes natural
numbers), or
• compound (i.e, those types built from atomic (or other compound) types by
using type operators).
Examples of type operators in the HOL logic are list, - and #, where list is a
unary type operator used to denote a list of values (e.g, num list denotes a list
of natural numbers) while - and # are infixed binary type operators used to
denote sets of functions and pairs respectively. For example, (n um #num) - bool
denotes the type of a function with a domain of pairs of natural numbers and a
range of boolean truth values.
4.3. The HOL logic 57
Types in the HOL logic can contain variables. In order to demonstrate this, let
us consider the function compose defined below,
compose = >"1. >..g.>..x.I (g x)
If compose is applied to two functions, I and g say, then the result would be a
function which would apply g to its argument and I to that result.
For example, if not is a the boolean negation function of type bool -+ bool and
even is a function of type num -+ bool which returns true if its arguments are
even natural numbers and false otherwise, then the result of applying compose to
not and even in that order would be >..x.not (even x) which is a function of type
num -- bool,
On the other hand, if rnd is a function of type real -+ num which rounds off
a positive real number 1 to the nearest natural number, and log is the arithmetic
logarithmic function of type real - real, the result of applying compose to rnd
and then log is the function >..x.rnd (log e) of type real -- num. The function
compose, therefore, appears to have two different types,
(6001- bool) -- (num - boo/) - (num - bool)
and,
(real -- num) -- (real- real) - (real- num)
Indeed it appears that it can have many different types, depending on the types
of the functions I and 9 it is applied to. In the HOL logic, type variables are used
to allow functions with more than one possible type to be expressed within the
logic. Without type variables, a different function would have to be defined for
every type because a single function is not allowed to denote several types.
1A real number in HOL can be modeUed as 3-tuple oC<bool#num#num) where the first a.nd
second nurn denotes the integer and decimal part respectively, and the boolean value indicates
the binary sign (positive or negative) of it.
4.3. The HOL logic 58
InHOL, however, it is only necessary to define a single function compose. If
ex, 13 and 'Yare type variables then compose is given the type,
(13 - 1') - (ex - 13) - (ex - 'Y)
These type variables can be instantiated to different types according to the par-
ticular use of the function compose. Types containing type variables are called
polymorphic.
4.3.3 Hilbert's e-operator
Hilbert's choice operator, e, plays a very important part in the HOL logic, It is
most commonly used to denote values one knows to exist but which have no
name.
More precisely, if t[x] is a boolean term containing a free variable x of type ex,
then the term (x. t[x] denotes some value of type a, a say, such that t[a] is true.
For example, e. (7 < x) A (x < 9) denotes 8 while the term (x. x ~ 0 denotes
some unspecified positive number.
In the case where there is no value a such that t[a] is true, then ez, t[x] denotes
a fixed but unspecified value of type a. For example, m : num. -,(n = n) denotes
an unspecified number. The notation term:type is used within the HOL logic to
explicitly specify the type of a term. No further detail regarding (is given here.
For a thorough discussion of Hilbert's e-operator see [73J. A detailed description
of how Hilbert terms are included in HOL to build in the Axiom of Choice [55] is
given in [49].
The features of the HOL logic which are necessary to facilitate the understand-
ing of the rest of this thesis have now been covered and we now go on to show
(very briefly) how the logic is implemented in the HOL system. First, however, a
brief introduction to ML, the meta-language embedded in the HOL system and
with which most of the system is coded, is presented.
4.4. The Meta-Language 59
4.4 The Meta-Language
The aim of this section is to give an introduction to the ML language; mainly
covering those features which are discussed later on in this thesis. The version
of ML described here as part of the HOL system is not Standard ML [115] but
the LCF meta-language version described in the ML Handbook [33], where a
complete description of the ML syntax and semantics is presented.
Recursive functions can be defined in ML in almost the same ways as ordinary
functions. For example, the factorial function, fact, can be defined recursively as,
letrec fac n = if n = 0 then 1 else n * (fact (n + 1»
Of course, fact can be defined iteratively but since we will not be using iterative
loops anywhere in this thesis, the reader is referred to [33] for further details.
One can also represent functions inML as lambda-expressions. The following
two definitions of a function f are equivalent,
(let f z = e) == (let f = ~z.e)
Lists inML are represented by a sequence of objects separated by semi-colon and
enclosed within square brackets. AU objects within a list must be of the same
type. The expressions [J, [1;2;3]and [true;false] are all examples of lists. A list such
as [t;true] will not type check as the objects in the list, 1 and true, are of different
types. The standard list functions are,
• hd - returns the head of a list (e.g. hd[1;2]=1),
• tl- returns the taU of a list (e.g. tl[1;2]=[2]),
• null - boolean function which checks if a list is empty,
• . - infix operator (e.g. 1 . [2] = [1;2]),
• @- infix append operator (e.g. [1) @ [2]=[1;2]).
4.4. The Meta-Language 60
Another data type represented in ML is string. Strings are any sequence of
characters enclosed. within single quotes (e.g. 'This is a string'). There are also
standard functions on strings such as concat, explode and implode.
Variables and functions in ML can be polymorphic. The notion of polymor-
phism has already been explained in section 4.3.2 and so it will suffice here to
give an example of how a polymorphic function is defined in ML. Consider the
function map defined as follows,
letrec map f 1 = (nulll) => 0 If (hd l).(map f(tll»
Since the type s of the two arguments f and I are not specified in the definition of
map, ML assumes the types of f and 1 to be polymorphic and defines map to be a
polymorphic function of the type,
Sequences of asterisks are used to denote type variables InML. The difference
between ML and logic types are briefly explained in the next section.
There are three ways inwhich one can define new types inML. The first is by
using the command new_type_abbrev to define new names to abbreviate previously
defined types. This does not really define a new type but simply binds a name
to a previously defined type. This is useful for shortening long type names or for
renaming types more appropriately. For example,
new_type_abbrev intpair = int#int
defines a type intpair to denote pairs of integers.
The two other ways of defining are used to define altogether new types rather
than just abbreviations. New types can be defined to be concrete or abstract.
Concrete types are used when the objects in the type can be enumerated into
4.4. The Meta-Language 61
subgroups. For example, the declaration,
type signal = hi 110 I float
defines a new type signal which has three possible values hi, 10, or float.
The other way of defining types is by using abstraction. The ML command
abstype allows one to make an abstract type declaration. While defining a type ty,
say, there are two primitive functions, abs_ty and rep.ty, which are usable within
the context of type definition. The function abs.ty maps the representation of ty
to ty while the function rep_tymaps ty to its representation. One can also define,
within the type declaration itself, further primitive functions to manipulate the
new type.
Consider, for example, the type declaration below which introduces a new
type trigger, represented by the type bool:
abstype trigger = bool
with on = abs.trigger true
and off = abs.trigger false
and booLof = rep.trigger
and inv c = abs.trigger (-,( rep_triggerc»
and clock n = ~t. (n = 0) => (abs_triggerfalse) I
«tIn) * n = t) => (abs.trigger true) I (abs.trigger false)
The type declaration makes use of the two locally available functions abs.trigger
and rep.trigger to define the following primitive functions,
• on and off· two constants of type trigger represented by true and false
respectively.
• bccl.of'- a function oftype trigger - bool which maps a valueoftype trigger
to its representative of type bool For example, booLof on = true.
• inv • a function of type trigger - trigger which inverts values of type
4.5. The HOL System 62
trigger, i.e. (inv on = of f) and (inv off = on) •
• clock - a function of type num -+ num -+ trigger. The application (clock n)
returns a function which models a clock with a pulse interval of n. Thus
when n is 0, clock (0) returns a function which models a clock which is
always off (pulse interval is 0, i.e. no pulse). The application clock (1),
on the other hand, returns a clock which is always on (pulse interval is 1,
Le, constant pulse). The application dock (2) models a clock which toggles
on and off alternately, and so on. Hence, in the application (clock n t), n
determines the frequency of the clock and t represents the time at which the
clock value may be evaluated.
4.5 The HOL System
Tenns in HOL logic are represented inML by enclosing them in double quotes,.
The syntax of HOL terms has been described in section 4.3.2 although in practice,
various combinations of ascii characters are used to represent those logic symbols
not supported by the ordinary ascii terminal. For example,
Va b. a ::> b == ~a V b
is represented by
!a b. a··> b • -a \/ b
In the rest of this thesis we shall use the notation of section 4.3.2 (i.e. we will
be using V instead of ! and :::> instead of •• ». For a detailed account of the
representation of the logic in the HOL system see [SO].
When a HOL tenn is entered in ML, it is type-checked (according to the type
rules in logic - not ML) and, if successful it is given the ML type te rm. Care should
be taken here not to confuse the terminology HOL terms and ML expressions and,
moreover, HOL types and ML types. The rule is as follows,
4.5. The HOL System 63
• A HOL term is a special kind of ML expression and is distinguished by a
pair of double quotes enclosing the logical term. HOL terms have an ML
type called term.
• A HOL type is the type of a HOL term and forms an ML type called type.
HOL types are expressions of the form ":...".
For example,
• (t,2) is an ML expression with type (int#int).
• "(1,2)" is an ML expression with type term (since anything enclosed within
double quotes represents a HOL term). The HOL type of this tenn is
(num#num).
• Likewise, ("1","2")is an ML expression with type (term#term) where each
term has HOL type nurn.
• ":num" is an ML expression with ML type type. It represents the HOL type
num.
4.5.1 Theories: definitions, axioms and theorems
In [49], a theorem is defined as a sequence that is either an axiom or follows hom
other theorems by roles of inference, where
• a sequent is a pair (r,t) consisting of a finite set of boolean terms r (called
assumptions) and a boolean term t (called a conclusion),
• an axiom is a sequent postulated to be a theorem, and
• rules of inference are procedures for deducing new theorems from existing
ones (see section 4.5.2).
When a sequent (r,t) is a theorem it is written as r r t or, if r is empty, as
r t. Certain types of axioms are classed as definitions. Definitions are axioms
4.5. The HOL System 64
of the form r c = t where c is a constant not previously defined and t is a term
containing no free variables. Of course, this kind of axiom is always safe as
it merely defines an abbreviation. Ideally, all axioms should be of definitional
form since the freedom to postulate arbitrary axioms allows the introduction of
inconsistencies.
To make a definition, prove a theorem, or declare a new HOL type, one must
first enter a theory. A theory is a collection of types, type operators, constants,
definitions, axioms and theorems.
New constants and types can be declared within theories. The distinction be-
tween variables and constants is, therefore, that variables are those terms (exclud-
ing function applications and A-eXpressions) which are not defined as constants
within a theory.
Theories can have other theories as parents. U one is working within a theory,
th say, and an object from theory th' is required in th, then th' must be declared a
parent of tho If th' is a parent of th then all types, constants, definitions, axioms
and theorems available in th' are available in thoThus, th is said to be a descendant
of th'.
4.5.2 Primitive inference rules
Theorems in HOL are presented by values of type thm and must be distinguished
from values of type (term list)#term. To obtain a new value of type thin,
one must apply a sequence of events (constituting a proof) to either axioms or
previously proved theorems.
Such procedures for deriving new theorems are called rules of inference. The
following is an example of a rule of inference called modus ponens. The example
uses standard natural deduction notation where tl and t'J denote arbitrary terms,
the theorems above the horizontal line are called the hypotheses of the rule and
the theorem below the line is called the consequent.
4.5. The HOL System 65
r1 f- t 1 :) t2 r2 f- t 1
r, U r2 I- t2
Hence, if we have a theorem of the form r1 I- tt :) t2, say
y > 1f- y ~ y :) y2 > y
and we also have the theorem which says that
I-y~y
it means that the antecedent of the implication in the first theorem is true, r2 I- tll
then by the rule of modus ponens the theorem
y> 1f- y2 > y
is derived. It should be noted that in the example above, the assumption r2 is
empty.
Inference rules are represented in the HOL systems as functions in ML. The
core of the HOL system ismade up of a small set of inference rules called primitit!e
inference rules and a small number of definitions and axioms from which all the
standard rules of logic can be derived. Indeed, one can derive further inference
rules (called derived inference rules) which can be justified solely on the basis of
these primitive inference rules and axioms.
The choice of primitive inference rules and primitive axioms in HOL is, to a
certain extent, arbitrary, although it is desirable to keep them as small in number
as possible so that the implementation of the logic can be kept simple and clean.
For the purpose of this thesis, it is not important to list all the inference rules
and axioms. The reader is referred to [49] for further details including a complete
lists of axioms and inference rules in the current version of HOL.
4.5. The HOL System 66
4.5.3 Tactics and tacticals
In the previous section we described rules of inference and how they can be
used to carry out a proof. One starts with a set of definitions and theorems and
manipulates them using the inference rules until the desired theorem to be proved
is achieved. In other words, truth is preserved from truth. This form of proof is
sometimes called forward proof.
The HOL system supports another way of carrying out a proof called goal
directed proof or backward proof. The problem with forward proofs is that it
can often be difficult to foresee which definitions and theorems are required to
prove the end result, especially if the proof is long and complicated. The idea
of goal directed proof is to do the proof backwards, Le, start from the desired
result (called the goal) and manipulate it until it is reduces to a subgoal which is
obviously true.
A tactic is an ML function which reduces goals to subgoals. The concept
of tactics was invented by Robin Milner [43]. They are used for goal directed
proving as described above. Tacticsare written in a similar notation to inference
rules but with a double horizontal line. For example, mathematical induction can
be coded as tactic of the form,
"In.P[n]
prO] "In.P[n] :J P[n + 1]
If the induction tactic is applied to a term of the form "In.P[n], then the two
subgoals prO] and "In.P[n] :J P[n + 1] are generated.
A goal consists of a pair of values and has ML type (term list#term). The
first element of the pair denotes the assumption list and the second element is
the term to be proved. A theorem is proved by applying tactics to every subgoal
generated until all subgoals are shown to be true, without the addition of invalid
assumptions 2.
Tacticscan be combined together byusing certain MLfunctions ealIed tacticals.
:lFor a more detailed discussions on goal directed prooCasee, (or example [50]
4.6. Summary 67
An example of a tactical is THEN where, if tt and t2 are tactics then il THEN t2
evaluates to a tactic which first applies tt to a goal and then applies t2 to the
resulting subgoal or subgoals,
4.6 Summary
The LCF approach to theorem proving used in HOL ensures the soundness of
any proof done in the system. This approach, however, is computationally very
expensive. Completely formal proofs of even simple theorems in higher order
logic can take many primitive inferences, and when these proofs are done in the
HOL system, all the inferences involved must actually be carried out by executing
the corresponding ML procedures.
There are, however, two important features of the HOL system which, to-
gether, allow efficient proof strategies to be programmed. The first of these is a
feature inherited from LCF: theorems proved in HOL can be saved on disk and
therefore do not have to be generated each time they are needed in future proofs.
The second feature is the expressive power of higher order logic itself, which
allows useful and very general lemmas to be stated in the logic. The amount of
inference that a programmed proof rule must do can therefore be reduced by pre-
proving general theorems from which the desired results follow by a relatively
small amount of deduction. These theorems can then be saved and used by the
derived inference rule in future proofs. This strategy of replacing run-time in-
ference by pre-proved theorems is possible inHOL because type polymorphism
and higher-order variables make the logic expressive enough to yield theorems
of sufficient generality.
In the following chapters we move on to show how HOL can be applied
to specifying and verifying the functional behaviour of systems. However, the
appropriate HOL assertions in the subsequent discussions will be presented in
short-hand notations. That is only definitions and derived theorems are included,
fuller inference procedures and proof tactics are included in the appropriate
4.6. Summary 68
annexes. This chapter, although not intended as a HOL manual, has served
as an introduction to the main features of HOL which will facilitate a thorough
understanding of the rest of this thesis. Further information on all aspects of the
HOL theorem proving system can be found in the various references suggested
throughout the text (for example [49,50]).
Chapter 5
Embedded Temporal Logic
5.1 Timing Verification
In a control system, suitable controller characteristics such as latency or task
sched.uling are vital means of satisfying the required. system performance. These
static behavioural relationships can be easily specified by a suitable model using,
for instance, finite-automata theory (77]. However, in order to verify control sys-
tems, such as the Drive-By- Wire system, described in Cha pter 6, which is operated.
in real-time, it is necessary to show that the internal dynamics of the controller
satisfies the required safety and timing characteristics. Therefore, it is necessary
to include a mechanism introducing timing constraints into the specification so
that dynamic behaviour can be reasoned about.
There are a number of formal techniques which support the specification and
verification of the temporal behaviour of systems. The following section outlines
these techniques and discuss their relative merits compared to our approach of
using higher-order logic.
5.1.1 First order logic
Hunt (61] uses the Beyer-Moore theorem prover to prove the correctness of a 16-
bit microprocessor implemented. at the register-transfer level. The behaviour of
combinational circuits is described by recursively defined functions. Sequential
circuits are modelled using functions with explicit clock arguments. These func-
69
5.1. Timing Verification 70
tions call themselves recursively once each clock tick. Thus time is discrete and
behaviour at any given level is related to the representation of a single clock. Since
the logic is first-order and there are no quantifiers, Hunt has difficulty formally
relating clocks at different levels of specification. He overcomes this difficulty
by using oracle functions which guess the exact number of time steps which a
low level representation needs to execute to be equivalent to the next higher level
Specification. If higher order logic is used as the specification language, abstrac-
tion between levels can be expressed directly, and such oracles are not required
[31].
5.1.2 Temporal logic
Another well-known fonnalism for expressing timing behaviour is temporal logic,
An early application of temporal logic to hardware verification is the correctness
proof for the design of an arbiter given by Bochmann [15]. Bochmann uses
temporal operators such as 0 (henceforth) and V (eventually) to capture the time-
dependent properties of hardware components. The arbiter correctness proof in
[15] is done by proving that a collection of 'invariant assertions' hold for all states
that can be reached from the initial state of the device. The correctness of the
design then follows from these invariant assertions.
5.1.3 Interval temporal logic
Moszkowski [88] defines a logical formalism for specifying hardware called ,ITL
(Interval Temporal Logic). The truth of a formula in ITL is defined relative to
a finite interval of discrete time. Modal operators are used to express temporal
concepts in terms of these time intervals. Moszkowski shows how this can be
used to describe formally a wide variety of tirne-dependent aspects of hardware
behaviour. Some extensions to ITL and further applications of ITL to hardware
verification are discussed by Leeser [72] and Hale [52].
5.2. Temporal Operators 71
5.1.4 Other techniques
Other temporal formalisms to express real-time constructs include TImed Petri
nets [74] which are an extension to Petri nets, and Tuned-stability [96], CSP-R
[70]which are extensions of CSP [58].
5.1.5 Higher order logic
It is obvious that temporal logic is useful for specifying and reasoning about rela-
tive order set of events. In temporal logic there are no explicit time variables; time
is an implicit part of the temporal operators. In higher order logic descriptions,
time variables are explicit and signals are functions from time to values, hence
timing behaviour specifications are frequently more complex. However, the ad-
vantage of using higher-order logic is that it is not necessary to have special proof
rules to deal with temporal logic operators, so the proof system is less complex.
Temporal logic can be embedded in higher-order logic; for example Gordon
and Hale (52] have shown how ITLcan be embedded inHOL. Several advantages
result from doing this, including the ability to mix a temporal logic description of
behaviour with explicit time representations.
Our solution to this problem is to embed a form of temporal logic, called
Linear Temporal Logic [39,64] in higher-order logic by regarding a set of temporal
operators as abbreviations for higher-order functions. This approach results in
succinct specifications and simplifies the verification task by hiding some low-
level aspects of proof, in particular, the use of mathematical induction, in derived
inference rules for temporal logic operators.
5.2 Temporal Operators
Temporal logic are often treated as primitive systems based on semantic defini-
tions for temporal logic operators. However, the higher-order logic framework
allows us to regard temporal logic operators as simply abbreviations for higher-
order functions. The following definitions yield temporal logic operators for a
5.2. Temporal Operators 72
form of temporal logic known as Linear Temporal Logic [64].
5.2.1 Basic operations
A number of equivalent functions in predicate calculus can be expressed as tem-
poral constructs using explicit time variables,
I- "Ix y. x And y = At. x t r; Y t
I- "Ix y. x Or y = At. x t V Y t
I- "Ix. Not x = At. -,x t
I- "Ix y. x --. y = At. x t :J y t
For Simplicity, we use two basic operators, Next and Until, from which we can
define many other useful operators including, interrupts and timeouts.
The function Next p is true on an interval if pevaluates to true on the successive
intervals,
I- Vp. Next p = At. p (SUe t)
The function Until is an infix operator which takes two predicates p and q and it
evaluates to true if q holds at some point in time and p holds at least until then,
I- v» q. p Until q = At". 3t. q t A "It'. t' < t :> p t'
The function Sometime p holds if p is eventually true in some state. It should
be noted that the Boolean values True and False are temporal equivalences of the
usual first-order values, ie. it has a HOL type of num -+ bool,
I- Vp. Sometime p = At'. 3t. t > t' " pt
I- True = At. T
I- False = At. F
I- Arb = At.(ARB: *)
5.2. Temporal Operators 73
and, Arb specifies an untyped variable which has an arbitrary value at time t. The
Arb function is useful when defining don't care conditions in digital logic.
The dual construct, Always p, holds if the formula p becomes true on all
subsequent intervals; in other words, there is no such state in which p does not
hold.
f- Vp.Always p = >..t'.Vt.p t
It can easily be proved that,
f- Vp. Sometime p = True Until p
f- Vp. Always p = Not (Sometime Not p)
The function Eq is a temporal infix operator for relating a signal to a particular
value in terms of equality,
f- V/c. / Eq c = >..t./ t = c
5.2.2 Timing conditions
The function First evaluates to true if p holds only at time t and does not become
true at any instance before then,
f- Vp t. First p t = pt" "It'. t' < t J ..,p t'
The formula last p is true if p is true on, and only on, the final state. In other
words, the computation terminates as soon as the formula p becomes true. Related
functions are Fin and Keep. The formula Fin p is true if p is true on the final state,
and Keep p is true if p is true on every state except the last.
f- Vp tt tl.last p (th t2) = (Vt. tt < t "t < t2 J "p t) "p t2
f- Vp tt t2' Fin p (tt. t2) = tl < t2 "p t2
f- Vp t1 t2. Keep p (ttt t2) = t1 < t2 ,,(Vt. tl < t" t < tl :> P t)
5.2. Temporal Operators 74
T ~~= ~~=
F 11~1IlL...- -",~,lIa~1ILoo p n t'
t'-n t' t'+1
o 1 2 3 •.•...•.•..•• n
Figure 5.1: Representation of Len
Thus, it can easily be proved that,
For example, Last (A = 1) asserts that the computation terminates as soon as
A = 1becomes true.
5.2.3 Defining time markers
It is useful to define a marker from which elapsed time can be calculated. The
function Length p n evaluates to true when the event p has occurred for at least n
units of time before the time instant t. It means that the relation p only holds at
time t and does not holds on subsequent intervals. More formally, the function
satisfies the inductive property below,
I-- Length pO = At.p t 1\
Length p (SUe n) = >.t. Length p n t".,p (SUe (n + t))
where sue n is a function which returns the successor of n, and the function
Len p n is then defined as,
I- 't/p n. Len p n = >'t'. Length p n (t' - n)
It means that, Len evaluates to true at a particular instant of time tf if the event p
has occurred at sometime n in the past, and it has not happened since then 1. A
timing diagram of the Len function is illustrated in Fig.S.l.
1Function len is not concerned with value of p just before time t' - n and after time t'.
5.2. Temporal Operators 75
Each operator, described above, is defined in terms of a function of the type
num - bool, which maps discrete points in time, modelled by the natural num-
bers, to Boolean values. These operators can be combined with variables such
as x and y to form assertions in temporal logic. In both first-order logic and
higher-order logic, every assertion, for instance, the relation
Vb. b V ob
is a Boolean expression which is either true or false 2. However, an assertion in
temporal logic such as,
x - Sometime (y Until z)
is only true or false relative to a particular instant in time. When stated as
an assertion, this is informally understood to mean that the assertion is true at
every instant in time. However, to formally represent temporal logic assertions
as assertions in higher-order logic framework, we introduce a notion of validity
where a temporal assertion is valid if and only if it is true infinitely often.
r Vp. Valid p = "It. p e'
Furthermore, if P is a time-dependent relation then it is an increasing function,
that is, it satisfies the predicate,
rVtl t2t3t4' Lastp(t.,t2) 1\ Lastp(t3,t4) 1\ (tt =t3) :::> (t2=t4) 1\
"1nl n2. nt < n2 ::> (p Proj nd < (p Proj n2) 1\
"In. Last p (p Proj n,p Proj (SUe n»
The first theorem asserts that the time interval during which predicate p holds
is unique. The second theorem asserts the well-ordering properties of na tural
numbers, that is, the succesive mapping of p from an abstract time scale to a
2a is true in this case; the law of Excluded Middle
5.2. Temporal Operators 76
concrete time scale is always in increasing order, and the last theorem states that
there is always a successive time interval of n at which p can be projected. The
validity condition can then be specified as follows,
I- 'tip. Valid p = 'tit. p t'
Powerful inference rules for direct manipulation of temporal logic assertions can
be derived in higher-order logic from the above definitions. Many such rules
effectively simplify what would otherwise be tedious and repetitive patterns of
inference. For example, the following theorem provides a particularly useful rule;
this rule achieves, in a single step, an inference which would otherwise involve a
proof by mathematical induction.
I- Vp q r, Valid«Always p And (q Until r» - «q And q) Until (p And r)))
A list of definitions and pre-proved. temporal logic theorems is included. in Annex
B. A recent survey article [27] describes traditional logic (which includes higher-
order logic) and temporal logic as two alternative kinds of pure fonnalisms for
reasoning about time-related. problems. But when temporal logic operators are
simply abbreviations for higher-order functions, anything which can be done
with temporal logic operators can also be done without them using explidt time
variables. In fact, we have taken a mixed.-mode approach of using both temporal
operators and explicit time variables. The right mixture of temporal operators
and explicit time variables yields relatively succinct specifications and much
easier proofs.
Previous work by Hale [52] demonstrated that the idea of embedding tempo-
ral logic in higher-order logic was of practical use. Leeser [72] has also embedded
temporal logic in a theorem proving environment to reason about hardware.
Both Hale and Leeser used another form of temporal logic called Interval Tem-
poral Logic developed by Moszkowski [88,89] to reason about digital systems
in general. However, the more ordinary form of temporal logic captured in our
5.3. Temporal Projection 77
p'
len (Dey X) 10
L- --L L- __ .L OU1pUt(X)
FFT·······TTF····T
pp
Figure 5.2: The projection p When p'
definitions above is adequate for the very specific purpose of reasoning about the
design of control systems.
The following sections discuss some ideas and operations that are particularly
relevant to the description of real-time systems. The first of these new operations
is the temporal projection, which may be used for the interruption and later
resumption of a process. Another important idea in real-time programming is
exception handling, and a general mechanism is defined for this.
5.3 Temporal Projection
Temporal projection is one way to model a system on a number of different
timescales. For example, it may be that one needs to monitor the behaviour of
some device, dev(X) say, but not all the time. Suppose, in fact, that the value
of X is to be output on every tenth state. This is most easily achieved using the
projection operation When,
Always (output (X) When (Len dev (X) 10)) t
TheprojectionofLen deu (X) 10ontooutput (X) repeatedly interrupts the output
process by inserting an interval of length 10 between each pair of states on which
X is output.
The projection p When p' holds if there is a selection of time points on which
p' is true and such that p is true on the subinterval between each pair of adjacent
5.3. Temporal Projection 78
points in the selection. This mapping process is illustrated in Fig.S.2 above.
Suppose that p represents a real-time clock which ticks every second then p is
true at every instant of time. Suppose also that p' is another process which occurs
in parallel, then the problem of mapping between processes, p' onto p, reduces to
the mapping of p' alone from an abstract time scale to a concrete time scale. The
abstract time scale is the state representation on which p' is true infinitely often.
5.3.1 Mapping function
Toderive a definition for When, the first step is to define a general purpose function
Mapped which uses a predicate p to construct a mapping f from an abstract time
scale to a concrete time scale. The following definition of Mapped is similar to
the TimeOf definitions given in previous work by Dhingra (37], Herbert [57) and
Melham [79]. It is defined in terms of the predicates First and last using primitive
recursion,
I- Mapped pO = ,xt. First pt"
Mappedp(SUCn)=,xt.3t'. Mappedpnt'" lastp(t',t)
The first point on the abstract time scale corresponds to the first time that the
predicate p is true with respect to the concrete time scale. Subsequent points
on the abstract time scale are defined recursively. The next point after n on the
abstract time scale, ie. n+1,corresponds to the next time that p holds with respect
to the concrete time scale, as shown in Fig.5.3.
This primitive recursive definition captures the idea that p is true for the nth
time at time t. However, there is no guarantee that such time t exist for aU values
ofpand n.
In order to use this definition, it is necessary to show that if p is true infinitely
often then for all n there is a unique time t at which p is true for the nth time.
The predicate Valid can be used to express the fact that if p is true infinitely
5.3. Temporal Projection 79
p
abstract time
I
I
I
I
: f
I
I
I,
concrete time
to tl tn
Figure 5.3: Mapping from abstract states to time
often then the time at which p is true for the nth time exists for all n, that is,
f- Vp. Valid p :) "In. 3t. Mapped p n t
It is also the case that Mapped defines a unique time t for each value of n. Formally,
f- Vp n t t'. Valid p :) Mapped p n t A Mapped p nt' :) (t = t')
The above theorems can be combined to prove the uniqueness of the time mapping
process as follows,
f- Vp. Valid p :) "In. 3Vt. Mapped p n t
This means that Mapped is a one-one function which corresponds to a unique
mapping between two sets of concrete and abstract time points, i.e, it satisfies the
relation,
Given these theorems, the relation Mapped can now be used to define the function
Proj. Using the Hilbert e-operator, the definition of Proj is given by the following
equation,
f- Vp n. p Proj n = ct. Mapped p n t
5.3. Temporal Projection 80
This means, p Proj n denotes some time t such that Mapped p ntis true or, if
no such time exists, p Projn denotes an arbitrary number. With the use of the e
operator, this definition m.::kes the term p Proj n always denote a total function;
p Proj n is defined for all values of n, even when the predicate p is true at only a
finite number of points of concrete time.
If, however, the signal p is true infinitely often, then for all n there will exist a
time t such that Mapped p ntis true, and this time will be unique. Thus, if Valid p
holds, p Proj n will in fact denote the unique time at which p is true for the nth
time, as desired. More formally,
I- Vp n. Valid p :::> Mapped p n (p Proj n)
which gives the following theorem,
I- \lp n. Valid p :::> P (p Proj n)
This means that if p is true infinitely often; in other words it holds for all t, then
it is also true on its nth projection. That is p Proj n always denotes a point of
concrete time at which p is true, and p Proj projects 0 to the first time at which p
is true. It follows that the two lemmas about the well-ordering properties of the
time sequences can also be proved,
I- Vp n. Valid p :::> p Proj n < p Proj (SUe n)
I- Vp n. Valid p:::> Vt.p Proj n < t 1\ t < p Proj (SUe n):J "p t
The lemmas can be conveniently collected together using the predicate last de-
fined previously, to give the following theorem,
I- Vp r. 3t. pt 1\
\It.p t:::> 3m. last p (t,t + m) 1\ r(t,t + m):::> "In. r(p Proj n,p Proj sue n)
This means that for any predicate p and a next-state relation r, this theorem can
5.3. Temporal Projection 81
be used to reduce the problem of establishing,
'Vn. r (p Proj n,p Proj sue n)
to a pair of simpler problems,
r 3t.p t
r 'Vt.p t:) 3m. last p (t,t +m)" r(t,t + m)
A number of related ideas can be defined in terms of projection operators. For
instance, the relation p When b is true if p holds in the interval made up of just
those states in which the Boolean expression b is true. Thus, the relation
(X Eq 0) When (Len X 7)
means that the variable X is zero at regular intervals of seven units of time.
It should be noted that len (p n) t is true if and only if the predicate p holds at
sometime nth in the past.
The definition of p When b is as follows; successive intervals with b true are
picked out from the projection of p from the abstract time scale to the concrete
time scale,
~ 'Vp b. p When b = 'Vn. b (p Proj n)
The definition of When is particularly useful in describing the simultaneous ac-
tions of parallel processes, such as those in the definition of interrupts and time-
outs which are described in the following sections.
5.3.2 Interrupts
Interrupt handling is a familiar problem in real-time programming when an
interrupt occurs, perhaps because of a device requiring attention, the running
program is suspended and execution begins in the appropriate interrupt service
routine. When the service routine finishes, execution of the interrupted program
5.3. Temporal Projection 82
resumes. This is just the kind of behaviour produced by temporal projection. The
servicing of the interrupt occurs between two consecutive states of the interrupted
program.
Let us write p Upon b to mean that whenever the Boolean expression b is true,
the execution of p is interrupted by ]I. More fonnally,
I- 'rip b. p Upon b = >.p' t.P When b ~ pi tip t
The function p Upon b takes t as its argument, so that it evaluates over the whole
interval of time, and returns true if b is true at t.
An interruption is effected by projecting the corresponding formula onto p.
For example, the relation
pgm Upon Printer [ill.bu] (PrintBuf)
might specify that whenever the signal Printer is set, the running program is
interrupted whilst the PrintBuf is filled.
Interrupts may be nested by simply projecting those of higher-priority onto
those of lower-priority. Ina specification of the fonn
(prog Upon LowPri ... ) Upon HighPri .•.,
the interrupt H ighPri has priority over LowPri, which in tum has priority over
normal processing.
Note tha t the operator Upon isuseful in other situations besides the description
of interrupt behaviour. It is used in the specification of the DBW controller,
described inChapter 6, to add timing details to the specification.
5.3.3 Time limits
Sometimes it is necessary to limit the time spent waiting for a particular condition
to become true. A familiar real-time programming device which does this is the
Timeout. For example, when two processes are exchanging messages, a failure
5.3. Temporal Projection 83
in one process might cause the other to hang waiting for input. In this situation,
the working process can recover by giving up after a pre-arranged time limit has
expired.
The simplest form of Timeout is expressed by the predica te Timeout (t, b)
which waits at most t units of time for the Boolean expression b to become true.
It satisfies the inductive property below,
I- Timeout 0 b = T 1\
Timeout (SUe t) b = b* F ITimeout t b
Another kind of time limit occurs in the specification of real-time systems when
one needs to ensure that a condition does become true within a particular interval
of time. The construct b Within p takes care of this case. The expression b becomes
true within an interval defined by p if there is no such time interval on which p
holds but b is not true at some time.
I- Vb p. b Within p = ~t. ...,(p t 1\ Sometime b t)
The predicate p defines an interval within which p is sometimes true. For instance,
the relation
Always (request - service Within (len request t'» t
indicates that a particular request, which occurs at time t isalways serviced within
t' units of time of being registered.
However, it is often the case that a request is only serviced within a fixed time
provided that no other requests intervene. This can be formulated by combining
the operators Within and When,
I- Always (request - (service Withinlen request t') When Not request') t
The request is serviced within t' time steps on which the alternative request' is
not registered.
5.5. Discussion 84
5.4 Formulation of Temporal Correctness
Having formally defined temporal functions, and shown that they construct a
well defined time mapping for any predicate p that is true at an infinite number
of points of concrete time, it is possible to formulate correctness theorem based
on temporal abstraction by time mapping.
If p is an appropriate predicate that indicates which points of concrete time
correspond to points of abstract time, then a correctness theorem that relates
a design model M[sig}, ... , sign] to an abstract specification S[s}, ... , sn] can be
formulated as follows,
This correctness theorem states that whenever the signals sig1 , ••• , sign satisfy the
model, the abstract states SI, ••• , SrI constructed by projecting on sig1, ... , sign when
the predicate pis true will satisfy the temporally abstract specification. In general,
the predicate p can be defined in terms of the variables sig1, ... , sign to make the
times at which the values in the model are projected depend on the behaviour
of the device itself. This approach is illustrated in a case study described in
Chapter 6. Related work on the verification of temporal correctness using the
time mapping approach can be found in [56,69,79].
5.5 Discussion
The literature contains a number of publications on temporal abstraction and ver-
ification. The work most closely related to the particular formulation of temporal
abstraction by time mapping developed in this chapter is the work on temporal
abstraction reported by Herbert [56] and Melham [79]. Herbert defines a higher
order predicate UP_0F ck n t which is equivalent to the following instance of the
more general Mapped predicate defined in Section 5.3.1. Herbert also defines a
5.5. Discussion 85
mapping function ASS by the equation,
I- ASS select sig n = sig (€;\. select n t)
and uses this function to construct an abstract signal,
ABS(UP_OF ck) sig
by sampling the signal sig on the rising ed.ges of the clock ck, This construction is
equivalent to projecting the signal sig using the When operator defined in Section
5.3.1 as follows,
sig When (Rise ck)
The main difference between these two formulations is that all the constructs
for temporal abstraction by mapping defined in this chapter (e.g, p' When p) are
parameterised by a predicate p that identifies the points of time at which a process
rI lsmapped, while the UP_OFconstruct which forms the basis of Herbert's work
is a specialised predicate for sampling only on the rising edges of a clock.
Melham in [79] also defines a similar function TimeOf and a predicate IsTimeOf
which are adopted from the the work on hard ware verification using higher order
logic discussed by Dhingra [37] and Joyce [69]. Melham uses TimeOf to relate
temporal abstraction of the device at different levels rather than on detailed timing
analysis. Fmally, the two approaches are very similar, but the constructs for
temporal abstraction defined. in the present work (Mapped, When, etc.) are more
general than those defined by Melham in (79]. These temporal constructs are
based on the mapping between processes rather than sampling between different
time scales. Furthermore, temporal abstraction relationships of the kind involving
the time marker function Lenand interrupt operators such as Upon and Timeout
defined in Section 5.3.2 are not considered. in Melham's work. The following
chapter illustrates how these temporal constructs can be embedded into a formal
specification of a real-time control system.
Chapter 6
A Throttle Control System
6.1 Introduction
The value of formal methods for the specification and verification of real-time
systems is well appreciated [95,117]. The purpose of this chapter is to show
how its value to the designer of non-trivial control systems is enhanced when
mathematical logic is used. A particular example, the controller for a car throttle
Drive-By-W11'e[109,110,111] is chosen for illustration. The controller is specified
inHOL, and from that specification isdrawn a prototype which has been imple-
mented in practice. The prototype system has been implemented and tested 1,
and could be formally proved to meet its specification. Most essential aspects of
the system's behaviour are modelled.
The development of a formal specification for the DBW controller is under-
taken in four parts. The first part describes the external interfaces to the controller,
giving first an infonnal description and then a formal representation. The second
part gives a formal specification of the controller in terms of its interface. The third
part discusses some ways of improving the system and the last part concentrates
on verification problems.
lThe system was developed in conjunction with T&N Technology Ltd. a.nd Econocruise Ltd.
in Rugby, England
86
6.1. Introduction 87
6.1.1 System description
The controller is to govern the operation of a throttle in a car's carburettor which
in tum controls the passage of the fuel mixture. It interacts with the environment
through a number of external interfaces,
1. Accelerator pedal: the system interacts with the accelerator via a position
sensor unit, which is basically a linear potentiometer and an idle switch
to calibrate the pedal demand when the system starts up. The idle switch
provides a binary signal, namely idle, which is true when the pedal demand
is zero and false otherwise.
2. Brake: the brake input is also a binary switch, designated brake, which is
true when the brake is applied and false otherwise.
3. Gear: the system senses the gear status by an input signal gear, which is
set to true when the car is in top gear and false otherwise.
4. Control buttons: different functions of the controller can be activated by
buttons on the control panel. There are three control buttons. All controlling
functions are activated by pressing the appropriate buttons, and this will
consequently set the control flags to true if certain pre-defined constraints
are satisfied. For example, the button to request cruising is denoted by the
Boolean signal cruise. The cruise control function is to take over the task
of maintaining a constant speed when commanded to do so by the driver.
When the button is pressed, cruise is set to true only when the engine is
running and the transmission is in top gear. When the cruise control is
activated, the system selects the current speeds, and holds the car at that
speed. Deactivate cruising returns control to the driver regardless of any
other commands.
On the control panel, there is also a resume button which causes the system
to return the car to the speed selected prior to braking or gear shifting.
Function resume is also denoted as a Boolean signal.
6.1. Introduction 88
Interface Unit
Foreground
Control t------+---t
AI orithm
-
Feed back si nals
Figure 6.1: DBW system overview
The traction control is a Boolean signal which activates the traction mode
of the controller when it is pressed and the car is stationary.
5. Actuator: the system controls the car through an actuator attached to a
throttle. This actuator ismechanically in parallel with the accelerator pedal
mechanism, such that whichever one is demanding greater speed controls
the throttle. The system is to drive the actuator by means of an electrical
signal having a linear relationship with throttle deflection, with 0 volts
setting the throttle closed and 16volts setting it fully open.
6. Speed sensor unit: the controller is to measure speed by counting the
pulses it receives from a sensor on the drive shaft. The number of pulses
per second corresponds to vehiclemiles per hour through a proportionality
constant.
6.1.2 System requirements
The system requirements include a number of safety and timing constraints.
These constraints may be specified as follows,
6.1. Introduction 89
Safety
• The most important safety behaviour of the controller is that the system
should never fail with its actuator being stuck opened. The safety property
requires the proof that the system is safe in all modes of operation. More
formally, to prove the safety property of the system, an inductive mechanism
in HOL of the form,
f- 'Vi. SAFEo "
SAFE, :::> SAFE,+!"
FAIL, :::> SAFE,
is required 2. The first part of the theorem asserts that the system always
starts from an initial state 0 which is safe and from its state machine defini-
tion it should show inductively that if its it" state is safe then the next 0+1)th
state should also be safe. The last part of the safety theorem ensures that
the system should never fail with its actuator fully opened.
Timing characteristics
• When the system senses that the speed is above the selected speed, it must
completely release the throttle (this situation would occur when driving
downhill). At any speed below this, itmust drive the throttle to a deflection
proportional to the speed error until it is below the selected speed, the
throttle is fully open (the steep uphill situation). The system thus serves
as the feedback or control part of a servo loop, in which the engine is the
feed-forward part. For smooth and stable servo operation, the system must
update its outputs at least once every second.
• To avoid rapid increases in acceleration, the actuator must never traverse its
full range in less than 10 seconds. This means the system has a maximum
lThe subscript indicates the state i'h or the system.
6.1. Introduction 90
response time of Trea to respond to a pedal demand. It may close at any
rate, however, since the car just coasts when the throttle is closed. The
automotive engineers have detennined that, with these characteristics, the
system will hold the car within ± 1 mph of the selected speed on a normal
gradient, and will give a smooth, and comfortable ride .
• When the car is accelerating, the control system must measure the acceler-
ation and clamp it at 1 mph/sec. Again, the throttle setting will be affected
by the gradient. If the acceleration reaches 1.2 mph/sec, the throttle should
beclosed: at 0.8 mph/sec, it should be fully open. Between these limits, the
opening is to be linearly related to acceleration. More formally, the actuator
characteristics should bedefined such that it should not travel between two
consecutive angular position faster than a pre-defined transit time Ter .
• The movement of the actuator should be modelled in such a way that its
motions are safe. For example, the throttle should not move forward if there
are no requests to go faster, and neither should it close down if there are no
requests to do so.
6.1.3 Design methodology
Fig.6.1. shows the overview of the DBW and its interfaces. The rest of the section
formalises this view. The design methodology follows these steps,
1. Model the control plant using finite-state machine theory. This is not a
formal step in the sense that it relies on the intuition of the designer to
represent the real world by a formal representation.
2. Write HOL formulae specifying the required control behaviour. The spec-
ification may refer to any of the events, data variables and activities of the
plant.
3. The specification is then verified to ensure that it satisfies the required safety
and timing constraints.
6.1. Introduction 91
It is clear from the system description that the controller requires a means to out-
put a pulse-width modulation (pwm) signal to the actuator at a regular interval
such that it would give a smooth and comfortable ride. This can most easily
be achieved by using the temporal interrupt Upon operator described in section
5.3.2. Therefore, the control behaviour of DBW is considered in two different as-
pects, the background behaviour and the foreground behaviour. The background
control task is modelled as a finite-state machine where decision making is es-
sential. Whilst the foreground process, which includes timer interrupts, affects
the dynamic behaviour of the system. The operations of the background and
foreground processes can best be explained from a programming point of view,
where the device cycles indefinitely in a background loops while the foreground
process interferes the operation at pre-defined intervals. Thus, the behavioural
specification for the DBW controller can generally be defined by a relation of the
form,
I- DBW_BEHAV= BACK_BEHAVUpon (timer) FORE_BEHAV
This means that the background process specified by the relation BACK_BEHAV
is regularly interrupted by a foreground process specified by FORE_BEHAVusing
a pre-defined interrupt timer.
The specification of the DBW is defined by predicates which express relations
on time-dependent signals. These predicates are represented, in part, by variables
representing physical input and output Signals. They may also be parameterised
by other signals representing the internal state or external conditions governing
the behaviour of the device. Tune-dependent signals are modelled as functions
from discrete time to signal values. As shown in the following type abbreviation,
discrete time is represented by the natural numbers.
new_type_abbrev ('time', "num")
6.1. Introduction 92
The top level specification for the DBW controller is based on the transformation
of a state vector:
(s, state) = (s, mode, valid.cruise, pwm..act)
where s implies the current status of the input signals. The type of s is represented
as an n-tuple where each element corresponds to one of the primitive operations
on the signal types.
let sig_ty = " : time - bool # % engine running %
time - bool # % top gear signal %
time - bool # % brake input %
time - bool # % watchdog signal %
time -+ bool # % winding opencircuit signal %
time -+ bool # % over temperature signal %
time - bool # % idle signal %
time -+ bool # % traction button %
time -+ bool # % cruis~ button %
time -+ bool # % resume button %
time -+ num # % pedal demand %
time -+ num # % road speed %
time - num" % position feedback %
Selectors for primitive operations in the type sig_ty are defined in the formal
theory by composing various sequences of the two selectors FST and SND to
form projector functions, for instance, the terms GEAR, BRAKEdenote projector
functions for inputting gear and brake signal respectively,
... Vs. GEAR (s : sig_ty) = FST (SND s)
... Vs. BRAKE (s : Asig_ty) = FST (SND (SND s)
6.1. Introduction 93
where the FST and SND are defined as follows,
~ Vx y. FST (x, y) = x
~ Vx y. SND (x, y) = y
The ML variable sig_ty is used throughout the formal specification to denote
the compound type of the representation variable. When it appears inside a
HOL term preceded by a caret ~ (ML anti-quotation), it is expanded to the
type expression shown above. This use of ML anti-quotation is unfortunate, but
proper type abbreviation cannot be introduced here because this type expression
contains polymorphic variables.
The particular ordering of elements in this n-tuple is completely arbitrary.
While a less concrete representation could be used, any extra effort in this regard
is probably not worthwhile. Details of this particular representation are isolated
to a very small part of the formalism and the selector functions for each of the
primitive operations are included inAnnex C.
The set of thirteen individual control signals, represented by the type sig_ty,
run from the interface unit to the controller. It is, however, much more convenient
to view these signals as a single input to the controller, and once it is inside the
system, this bundle of signals is separated into the thirteen individual control
Signals.
In the formal specification, this bundle can be represented as a signal whose
value at any discrete point in time is an n-tuple with thirteen elements. The fol-
lowing definition of the DecodeSig specifies a block of wiring which separates this
bundle of control signals into thirteen individual signals by assigning elements
of n-tuple representation to corresponding control lines.
~ DecodeSig (sig, runningt, geart, braket, uiatchoutt, wfailedt, overtempt,
idlet, tractiont, cruiset, resumet, demandt, speedt, anglet) =
Vt. runningt t, geart t, braket t, watchoutt ',wfailedt t, overtempt t,
idlet t, tractiont t, cruiset t, resumet t, demandt t, speedt t, anglet t = sig t
6.2. Background Behaviour 94
This definition is expressed in terms of an equation where the left and right hand
sides of the equations are n-tuples. Two tuples are equal if and only if they have
exactly the same number of elements and matching elements of each n-tuple are
both equal in type and in value. In effect, we are using properties of n-tuples to
model bit manipulation operations, in particular, the extraction of individual bits
from a group of bits.
The mode variable defines the system operating modes corresponding to the
transition diagram shown in Fig.6.2. There are six discrete states which the FSM
can reach. lU ode is defined as an enumerated variable of the type,
tI» Reset = eo) A Un Idle = et) A
Un Traction = el) A Un Shutdown = e3) A
Un Manual = e.) " Un Cruise = es)
Other state variables, valid..cruise, and pwm..act are the internal variables which
keep tracks of the cruise status flag and the directional directives of the actuator
respectively. The directions of the actuator are specified as an enumera ted variable
of the type Dir,
I- Veo e} e2 ea- 3VIn.
Un Close = eo) A Un Forward = et) A
Un Backward = ell " Un Neutral = e3)
This means that the movement of the actuator is represented by one of these
values, and no other.
6.2 Background Behaviour
Basically, the DBW controller comprises of five functions, namely manual, trac-
tion, cruise, shutdown, and idle control. The background behavioural specifica-
6.2. Background Behaviour 95
idle=oo
ear=offidle=off
brake=on
idlc=oo
run=on
Start
Figure 6.2: DBW State diagram
tion is modelled as a finite-state machine which reads the current status of the
input vector s and then delivers its next state. The decision making algorithm
is based on a set of pre-defined conditions which correspond to different system
operating modes. There are six distinct operating modes which are described as
follows,
6.2.1 Manual control
The manual control is the normal working mode of the controller where the
position demand which is interpreted from the pedal sensor, is directly output to
the actuator. The required input validity conditions are specified by the relation,
f- Vb p.ILLEGAL b p = At . ..,Xor2 (p, b) t
The function ILLEGAL is a temporal construct which takes predicates band p of the
type num -> bool and returns true if band p occurs simultaneously. For instance,
f- stop.ok = (ILLEGAL idle Not(demand Eq 0)) t
6.2. Background Behaviour 96
The predicate stop.ok defines a validity condition which states that the idl e switch
is on iff 3, at the same time, no demand is requested from the pedal sensor.
6.2.2 Cruise/Resume control
The cruise control function is to take over the task of maintaining a constant speed
when commanded to do so by the driver. The cruise control can be operated any
time the engine is running and the transmission is in top gear. When the driver
presses the cruise button to activate cruising, the system selects the current speed,
and holds the car at that speed. The cruise control is activated when the input
vector satisfies the relation,
r CCONDl (cruise, speed,gear, mode,demand,brake) =
~t. (cruise t " -,(speed Eq 0) t " (mode = Manual) V
-,(speed t < demand t) " -,brake t A (mode = Cruise» " gear t
It is clear from the definition that the driver should be able to increase the speed
at any time by depressing the accelerator pedal, or reduce the cruising speed by
depressing the brake pedal, Thus, the driver can go faster than the cruise control
setting simply by depressing the accelerator pedal far enough. When the pedal
is released, the system will regain control. At anytime when the brake pedal is
depressed or the transmission shifts out of top gear, the cruise function must be
inactive. Following this, when the brake is released, the transmission is back in top
gear, and resume is pressed, the system returns the car to the previously selected
speed. However, if the cruise function is deactivated during the intervening
interval, resume has no effect. Therefore, the condition to activate the cruise
control function, by pressing resume, requires that the system is previously in
cruise mode and that the cruise control has not been deactivated. Thus, an
internal flag isneeded to keep track of the cruise status and it can only be modified
if cruise is valid. The resume action can then be captured by the predicate valid_c
3if( stands for if and only if
6.2. Background Behaviour 97
as follows,
f- valid,c = (mode = Cruise) :} -sreset.ok I ualid.cruise
Deactivate cruise returns control to the driver regardless of any other commands.
However, the cruise condition can be re-activated by the resume control. The
resume button causes the system to return the car to the cruising speed selected
prior to braking or gear shifting. Therefore, the resumption of cruising can be
specified as follows,
f- CCOND2 (resume, valid..cruise,gear, mode) =
.\t. (resume t A valid.cruise A (mode = Idle» A gear t
The two validity conditions for cruising mode can be conveniently combined to
give,
I- C_CON 0 (cruise, speed, resume, valid..cruise, gear, mode, demand, brake) =
.\t. «cruise t 1\ -,(speed Eq 0) t 1\ (mode = Manual» V
(-,( speed t < demand t) A -,brake t A (mode = Cruise» V
(resume t A valid..cruise A (mode = Idle») 1\ gear t
6.2.3 Traction control
The traction mode is activated only when the engine power is taken off for traction
or for some other purpose such as running an external pump or air conditioning
device. The DBW controller then monitors the engine speed at pre-defined values
which may be set by the driver or the manufacturer. The main criteria for this
mode to be valid that is the vehicle has to be stationary,
I- T _COND (mode, traction, speed, gear, idle) =
.\t. «mode = Manual) V (mode = Traction» A traction t A
(speed Eq 0) t A ..,gear t 1\ ..,idle t
6.2. Background Behaviour 98
6.2.4 Idle control
The vehicle is in idle mode if there is no pedal demand or if the brake is not
applied. The throttle is then returned to its idle position, i.e. the engine speed
is a minimum. In this case the demand is a pre-defined constant which is set by
the manufacturer. For the purpose of formal proofs, the actual value of the idle
constant is immaterial.
~ LCOND (mode, idle,brake,gear) =
,xt. «mode = Manual) V (mode = Cruise) V (mode = Idle») A
idle t A (brake t V -.gear t)
6.2.5 Shutdown/Reset mode
The system is in the shutdown state when either the external watchdog timer has
timed out or the engine isoverheated or the input state vector is invalid, I.e. the
stop flag is set,
~ S_COND(watchout,overtemp, stop) =
,xt. uiaichout t V overtemp t V stop
The condition in which the system is reset to its initial state is specified by the
relation,
~ R_COND running = ,xt. Not running t
6.2.6 FUnction NextState
The required combination of these state validity conditions can be conveniently
achieved in a function NextState. The function NextState0 gives all possible
transitions for the controller of the form :
NextState (s,state) - (state)
6.2. Background Behaviour 99
f- NextState (s, mode, valid.cruise, pwm_act) = ~t.
(let running = RUNNING sin
(let gear = GEAR s in
(let brake = BRAKE sin
(let watchout = WATCHOUT s in
(let w/ailed = WFAllED s in
(let overtemp = OVERTEMP s in
(let idle = IDLE s in
(let traction = TRACTION s in
(let cruise = CRUISE 8 in
(let resume = RESUME s in
(let demand = DEMAND s in
(let speed = SPEED 8 in
(let angle = ANGLE 8 in
(let stop_ok = (IllEGAL idle (Not (demand Eq 0))) ,
V (wfailedt) V (mode = Shutdown) in
(let reseLok = R_COND (running) t in
(let cruise_ok = ...,reseLok A
CCOND (cruise, speed, resume, valid_cruise, gear, mode, demand, brake)t in
(let traction_ok =..., reset-ok A T_COND (mode,traction,speed,gear, idle) tin
(let shutdown_ok = S_COND (watchout, overtemp, stop_ok) t in
(let idle_ok = -.reseLok A LCOND (mode, idle, brake, gear) t in
(let valid:« = «mode = Cruise) ~ ...,reset-ok I valid_cruise) in
reset-ok ~ (Reset. ualid:», PWM (pwm_act, angle t, zerodemi I
shutdown_ok ~ (Shutdown, volid.c, P WM (pwm_act, angle t, zerodem»
idle_ok ~ (Idle, valid:c, PWM (pwm_act, angle t, idledem» I
cruise_ok ~ (Cruise, ualid:c, PWM (pwm_act, angle t, speed t»
traction.ok ~ (Traction, oalid:«, PWM (pwm_act, angle t, demand t»
(Manual, F, PWM (pwm_act, angle t, demand t))))))))))))))))))))))
6.2. Background Behaviour 100
The function NextState specifies the overall control mechanism for determining
what happens at any instant of time. In the definition of NextState input vec-
tors are used to select the next state and determine the current output of the
machine, hence the function NextState is specified in such a way that the state
vector only includes all internal variables. Thus a sequence of applications of the
function NextState can be represented as a Finite State Machine, where values of
Si represents the input vector at time i,
...NextState (S2' NextState (S1' NextState (so, stateo»)
It should be noted that the function NextState delivers a new machine state which
depends upon the status of the current input vector and internal flags mode,
valid.cruise and pwm..act. The pwm_act £lag indicates the directional directive of
the actuator, and it is defined by the relation PWM. However, a smooth transition
of the actuator movement requires that its direction of travel should be changed
in such a way that it can not be moving forwards one moment and backwards
the next, and vice versa, without ever being neutral, i.e. stand still, for a while.
The function PWM can thus be defined as,
~ PWM (pwm_act,ang,dem) =
(dem = 0) ~ Close I
(dem > ang) ~ (pwm...act = Forward) => Neutral Forward I
(ang > dem) => (pwm...act = Backward) => Neutral I Backward
Neutral
This means that if the previous actuator direction of travel is Forward(or Backward)
then the throttle needs to stop before it can change to the opposite direction,
Backward (or Forward).
Finally, we use the function NextState to define a predicate BACK_BEHAV
which specifies the intended behaviour of the controller relative to tirne-dependent
6.3. Foreground Behaviour 101
Output
Figure 6.3: A Mealy machine
signals sigt, modet, ualid.ci, and puim.actt.
f- BACK_BEHAV (sigt, modet, valid_ct,pwm..actt) =
Xt, NextState (.~igt t, modet t, valid.et t, purm.actt t) t =
(modet (t + 1), valid ..et (t + 1), pwm..nctt (t + l )
It is clear from the definition of NextState that the interpretation algorithm imple-
mented by the control unit is based on conditional instructions, that is, a Mealy
machine approach in contrast to a Moore machine approach which is based on
conditional branches, as shown in Fig.6.3 4.
Possible transitions of the state machine are shown in Fig.6.4. The transition
diagram indicates the possible next state corresponding to a particular set of input
vectors. These vectors are grouped into sets of inputs called validity conditions.
The proof of all fourteen sets of input validity conditions are outlined in Section
6.6.3.
6.3 Foreground Behaviour
The dynamic characteristics of the system is defined such that the system should
respond to the driver demand without taking too long to do so. This section is
concerned with trying to constrain the behaviour of the controller so that it does
a reasonably good job without being too complex. The first few properties are
essential to any reasonable system, and the later properties reflect specific design
4 In the Mealy model, the output function is related to both the current input and the state,
while in the Moore model the output is related only to the state, not to the input.
6.3. Foreground Behaviour 102
TCOND
MCOND
CCONDl
Figure 6.4: DBW state transition diagram
6.3. Foreground Behaviour 103
decisions.
6.3.1 Motion
The movement of an actuator's throttle is controlled by two signals, one to switch
its motor on and off, the other to control the direction of travel. Predicates
act-start and act-stop determine whether the actuator is on or off. They are, of
course mutually exclusive,
I- "It.Always (Xor2 (act-start, act-stop» t
So too are the four temporal directional attributes, forward, backward, neutral
and closewhich determine whether the throttle ison its way forwards, backwards,
stand still, or closing at time t,
I- 'tI t. Always (DecodeCtrl (pwm...act, forward, backward, neutral,
close, act.start, act-stop)
::> Xor2 (close, Xor3 (forward, backward, neutral») t
where the predicate Xor3(x,y,z) denotes the exclusive disjunction of its three
arguments.
I- 'tIx y z. Xor3 (x, y, z) = At. (x t V Y tv z t) "...,(x t r. y tv y t r. z tv z t" x t)
This means that exactly one of x, y, and z is true at any instant in time. The
exclusive disjunction oftwo arguments, Xor2(x, y) is the same as Xor3(x, y, False).
I- "It.Xor2 (x, y) t = Xor3 (x, y, False) t
It should be noted that these four directive signals are decoded from the pwm.act
control flag in the background process using the relation,
I- DecodeCtrl (pwm_act, forward, backward, neutral, close) =
6.3. Foreground Behaviour 104
(At. (JoTu·ard t = (pwm_act = Forward)) 1\
(backtL'ard t = (pwm..act = Backward)) 1\
(neutral t = (pwm_act = Neutral» 1\
(close t = (pwm_act = Close))
That is, the actual movement of the actuator at any time t is controlled indirectly
by an appropriate set of input state vectors and the internal control flags of the
machine via the background process.
Consequently, at any instant in time t, the car is said to be accelerating when
its actuator is on and the throttle is moving forwards, and decelerating when its
actuator is on and the throttle ismoving backwards. It should be noted that the
concept of acceleration and deceleration presented here is purely in terms of the
control system point of view. They only define the behaviour of the actuator at a
particular instant in time. Hence,
I- Accelerate (acL,tart, forward) = act_start And forward
I- Decelerate (act...start, backward) = act-start And backward
It should be noted that the predicate Accelerate and Decelerate are temporal con-
structs of the type nurn - bool.
6.3.2 Real-time characteristics
The most important property of a throttle controller is that it takes the car to a
speed that the driver wants it to go; that is, all demands are eventually achieved.
For example, if a request for full throttle is registered from the accelerator pedal,
then the throttle eventually opens to its full extent. This means that an appropriate
action will be executed at sometime instant in time, i.e.
I- Always (request - Sometime (action»)
6.3. Foreground Behaviour 105
Likewise, a request from the pedal is eventually rewarded with the appropriate
service,
rVt. forward t ~ Sometime (output) t I
backward t ~ Sometime (output) t I
neutral t
The trouble is that for most practical purposes these properties are much too
weak. They allow a throttle to remain idle for a very long time, it could be so long
that it could considerably affect the overall perfonnance of the car 5. Therefore,
the following constraints will ensure that the dynamic behaviour of the controller
is satisfactory.
6.3.3 Maximum response time
To avoid rapid increases in acceleration, the actuator must never traverse its full
range in less than 10 seconds. It may close at any rate, however, since the car just
coasts when the throttle is closed. The automotive engineers have determined
that with these characteristics, the system will hold the car within ±1 mph of the
selected speed on normal gradients, and will give a smooth, comfortable ride.
However, it would be much more useful to put an upper bound Tre• on the
time taken to respond to each throttle demand. A more realistic specification
should take account of this timing requirement, which is most simply done by
counting time when the actuator is on,
... RESPONSE (forward, backward, neutral, output, act...9tart) =
~t. forward t ~ (output Within len act-start Tre.) When act-start
backward t ~ (output Within len act_.,tart Tru) When act-start
neutral t (6.1)
~There is also a technical difficulty with termination because Sometime, as we have it, is a
strong operator which assert. that its argument surely does hold at some time.
6.3. Foreground Behaviour 106
where the operator Within is defined in section 5.3.3. The time limit Trell is the
maximum time for which a throttle can be moving before it reaches the demanded
position. Naturally the constraint only applies when the system is in service.
When it is out of service or shutdown, that is when the stop flag is set, nothing at
all will affect the behaviour of the controller until the stop flag has been reset by
an external agent, probably a service engineer in practice.
The problem has now been transfonned into one of ensuring that the actuator
does not remain stationary forever, ie. it is stuck. This is the purpose of the next
constraint.
6.3.4 Maximum registered time
Consider what happens when the car is stationary with its actuator off. What
makes it ever start moving? Hopefully, when there are demands, and the system
is not out of service, then it will begin to move after waiting a maximum of Treg
time for all other components to be initialised.
~ REGISTER (act-stop, act..start, neutral) =
~t. Always (act-stop And Not neutral
_ act-start Within Len (Not neutral) : Treg) t (6.2)
6.3.5 Maximum transit time
In order to calculate an upper bound for the maximum response time Trw let us
suppose that the controller should take no more than Ttr units of time to travel
between two consecutive demand posttions, that is,
f- TRANSIT (accelerating, decelerating) =
~t. 'r/pos ang.
Always(
(accelerating And Not (pos Belowang)
- (Not (pos Below ang) Within Len accelerating Ttr) And
6.3. Foreground Behaviour 107
(decelerating And Not (pos Above ang)
--+ (Not (pos Above ang) Within Len decelerating Ttr» t (6.3)
The relations Below and Above are temporal infix functions which evaluate to true
if the actuator position pos is equal to ang - 1and ang + 1 respectively 6,
I- Vpos ang.pos Below ang = .xt. ipos Eq (PRE ang)) t
I- Vpos ang.pos Above ang = .xt. (pos Eq (SUe ang» t
In other words, if the throttle is moving forwards and it is at the initial angular
position ang, then within Ttr units of time it will be at least at the next angular
position ang + 1. Similarly, when going backwards, it will reverse to the next
position inTt, time steps.
Suppose that the specification could be ~allsed by having a throttle conti-
nously opening and closing, stopping at every degree, repeatedly making an
entire round trip, then in this case, the maximum time spent in motion is
T,u = 2 x (m - 1) Tt,. where m = 90°
This is an upper bound on the maximum response time for any well designed
system, the average response time ought to be much less than T,e•.
6.3.6 Position and direction
The relationship between the position of a throttle and its direction of travel are
just the obvious ones. That is if its actuator is off then the throttle should recoil to
the close position due to the spring action; if it is going forwards then it should
be seen to go forwards; that is, the width of the fuel flow must not decrease, and
similarly, the width of the passage must not increase when it is going backwards.
I- POS_DIR (act-stop, accelerating, decelerating,
8PRE ang and sue ang are alternati.,e vays of expressing (ang - 1) and (an, + 1)
respecthely.
6.4. Improving the Performance 108
close, forward, backward, neutral) =
At. act-stop t ~ Next (close) t I
accelerating t ~ forward t ~ Next (forward) t I
backward t ~ Next (Not forward) t
Next (neutral) t I
decelerating t ~ forward t ~ Next (Not forward) t
backward t :} Next (backward) t
Next (neutral) t I
Next (neutral) t (6.4)
6.4 Improving the Performance
Conditions (6.1-6.4) do not constrain the controller to be a particularly good one.
They are met, as observed above, by a system in which the throttle repeatedly
opens and closes, stopping at every degree. The next few constraints are aimed
at eliminating some undesirable behaviour by modelling the actuator behaviour
as described in Section 6.1.2
First, suppose that the throttle is stationary. Constraint (6.2) determines the
maximum time for which it can remain stationary if there are outstanding de-
mands. However, it should not begin to move if there are no function requests
or throttle demands; or if it is held at an angle and when it does begin to move
it must decide whether to go forwards or backwards. The only constraint on this
choice is that it should not head off forwards if there are no requests to go faster,
and neither should it close down if there are no requests to do so.
r- PERFORMl (acL,top, act-start, accelerating, decelerating,
forward, backward, neutral, close) =
6.4. Improving the Performance 109
)..t. Always (act-stop -- Next (neutral) t ~ act-stop ,
act..start And (Not decelerating) t ~ forward
act..start And (Not accelerating) t => backward I
close) t
Note that when its actuator is on, the throttle must be moving in some direction,
I- PERFORM2 (act-start, neutral) = )..t. Always (act..start -- Not neutral) t
Next, consider what happens once the throttle has started to move? How does
its position change, and when should it stop? Constraint (6.3) and (6.4) ensure
that within Ttr units of time it arrives at the next position. It must then decide
whether or not to stop. If there is still a demand at that point then the throttle
must stop, but it should not stop if it is not required to do so.
I- PERFORM3 (forward, backward, neutral, act.stop, act..start) =
At. Always (
forward t => Next (Not forward) t ~ act-stop 'forward,
backward t => Next (Not backward) t => act..stop , backward
neutral t => Next (Not neutral) t => act-start , act.stop ,
act..stop) t
This simple method of deciding when to stop, using a finite step size, only works
if,as directed by constraint (6.4), the throttle can not swing past a position without
ever being at it. Otherwise it must have been decided in advance when to stop.
Lastly, in the interest of fairness, the throttle should keep going in the same
direction for as long as possible. If it is idle then it should remain so until there
are demands to respond to.
I- PERFORM4 (forward, backward, neutral, accelerating, decelerating) =
)..t. Always (
6.4. Improving the Performance 110
forward t => Next (accelerating t => forward I neutral) I
backward t => Next (decelerating t => backward I neutral I
Next neutral) t
This decision only comes into effect when the throttle is stopped at a position
because PERFORM3 prevents the throttle from ever changing direction unless it
is stopped.
The above constraints can be combined to specify the foreground process
which is defined by the relation FORE_BEHAV,
I- FORE_BEHAV (pwm_act, output) =
~t. Vact_start act-stop close forward backward neutral.
(let accelerating = Accelerate (act_starl,Jorward) in
(let decelerating = Decelerate (acLstart, backward) in
OecodeCtrl (pwm_act, forward, backward, neutral, close) And
RESPONSE (forward, backward, neutral, output, act..start) And
REGISTER (act_stop, act-start, neutral) And
TRANSIT (accelerating, decelerating) And
POS_OIR (act_stop, accelerating, decelerating, close,
forward, backward, neutral) And
PERFORMl (act-stop, acLstart, accelerating, decelerating,
forward, backward, neutral, close) And
PERFORM2 (act_start, neutral) And
PERFORM3 (forward, backward, neutral, act.stop, act..start) And
PERFORM4 (forward, backward, neutral, accelerating, decelerating)
»t
The FORE_BEHAVrelation is a time-dependent function, therefore at any time
t it receives a flag pwm..act from the background process BACK_BEHAVand de-
livers an output signal to the external actuator whose dynamic characteristics are
specified by the timing constraints described above.
6.6. Verification Plan and Methodology 111
6.5 The Complete Specification
The normal behaviour of the controller, when it is in service, is described by a
combination of the above constraints. But when the shutdown flag is set those
constraints no longer apply and the system goes out of service. However, the
total behaviour can be captured in the predicate OBW_BEHAV,
I- DBW_BEHAV =
Always (BACK_BEHAV (sigt, modet, validct,pwmactt) Upon timer
FORE_BEHAV (pwmodt t, output» t
This means that the controller comprises of two processes 7. The background
process is continually interrupted by the foreground process which controls the
actual movement of the actuator.
The additional condition, which is required to make the system functional,
is that the timer interrupt must be true infinitely often, that is, it satisfies the
predicate,
I- "It. Valid timer
Thus, the complete DBW specification can be defined as follows,
I- DBW_BEHAV =
Always (BACK_BEHAV (sigt, modet, validct, pwmactt) Upon timer
FORE_BEHAV (pwmactt t, output) And Valid timer) t
6.6 Verification Plan and Methodology
This section describes the logical form used to sta te correctness results for the DBW
controller, a plan to achieve these results and some of the basic proof techniques
which are used to carry out this plan in the HOL system.
TIt should be noted that these processes are not in parallel.
6.6. Verification Plan and Methodology 112
6.6.1 Proof plan
Although the terms correctness and verification may be understood in an informal
context to mean different things to different people, these terms have a precise,
technical meaning when formal logic is used to verify a design. The formal
verification (or proof of correctness) for the DBW system refers to the derivation
of a theorem by formal proof in the HOL formulation of higher-order logic. This
theorem relates the specification of the intended behaviour, given by the predicate
DBW_BEHAV, to some safety and timing constraints.
The bulk of the formal proof of the DBW controller is organised into two main
steps:
1. Prove that the design is safe, i.e. it is required to verify that the behaviour
of the system is safe at all times and in all possible states.
2 Prove that each state transition correctly interpretes the specification of the
background process. That is the correctness of the state diagram shown in
Fig.6.2 must be preserved.
The proof is complete ina third (and a relatively short) step by establishing a for-
mally defined theorem which states that the intended behaviour of the controller
satisfies a deterministic finite-state machine relation.
3. Prove that DBW specification is a formally well-defined finite-state machine.
6.6.2 Safety properties
The most important safety rule which applies to the controller design is that, at
any instant in time t, the system should never fail with its throttle fully opened.
Thus, a state is considered to be safe iff it satisfies the predicate,
I- Vs rn v p. State.Safe (s, rn, v,p) = At. -.WFAllED s t V (p = Close)
6.6. Verification Plan and Methodology 113
Following this, the system is safe if it delivers a next set of outputs which belong
to a safe operating mode, i.e.
I- Vs rn v p, SAFE (s, rn, v,p) = At. State.Safe (s, NextState (s, m, v, p) t) t
Thus, theorems which define the safe behaviour of the system can be proved as
follows,
I- Vt. Always (Not (RUNNING s) -+ SAFE (s, rn, v,p» t (6.5)
~ W. Always «WFAllED s And RUNNING s) -+ SAFE (s, m, v,p» t (6.6)
It should be noted that these theorems are effectivelystating the behaviour of the
system in static and dynamic failure conditions. That is, the first theorem ensures
that if the system is not in service then it is apparently safe, and the second asserts
that the system results in a safe state if the actuator failed while the engine is
running.
It is clear from the specification of NextState and SAFEthat if the system
receives an input vector which is safe at time t then it delivers an operating
condition which is also safe at time t + 1. However, it is not obvious how
the controller gets into a safe state at the beginning. Therefore, the following
constraint defines the initial or startup mode of the system,
~ Vs m v p. INIT (s, m, v,p) = ~t. ..,RUNNING s t A (DEMAND s Eq 0) t
The definition asserts that the controller is initialised whenever the engine is not
running and there is no demand from the pedal sensor. It can easily be proved
that the following condition always holds,
I- Vt. Always (INIT [s, rn, v,p) - SAFE (s, rn, v,p» t (6.7)
The problem now is to verify the total safety property of the controller. The proof
procedure is outlined as follows,
6.6. Verification Plan and Methodology 114
1. First prove that the initial state is safe, then
2. Use induction to prove that if the system is safe at any time t then it should
deliver a next state at time t + 1which is also safe.
The safety property is proved to give the following theorem 8,
f- 'It. INIT (s t,m t, v t,p t) t ::> SAFE (s t,m t, v t,p t) t A
BACK_BEHAV (s,m,v,p)t A SAFE (s t,m t,v t,pt) t
:J State.Safe (s t,m (t + 1), v (t + l),p (t + 1» t (6.8)
This asserts that if the system starts up in an initially safe state and, the current
mode at any time t is safe then it delivers a next state which is safe at time t + 1.
In fact, the theorems (6.5-6.8) provide an inductive mechanism for verifying
the total safety behaviour of the system It has been shown in (6.7) that the
controller will startup with a safe state, and then by induction, the theorem (6.8)
asserts that the system will also be safe as long as it is running, and finally,
theorems (6.5-6.6) ensure that the controller will stop in a safe mode when it is
out of service.
6.6.3 State transitions
Verifying the correctness of the DBW at the state level is relatively simple because
each state transition is implemented by a fixed sequence (or finite set of sequences)
of input vectors.
It is relatively straightforward to reason about a fixed sequence (or a finite set
of fixed sequences) of inputs. To derive its cumulative effect, we use inference
rules of higher -order logic to symbolically execute this sequence of inputs. The tenn
symbolic execution is used here in a purely descriptive sense for a proof technique
which is actually nothing more than repeatedly unfolding various parts of the
specification (or consequence of this specification).
'Details of the proof are included in Annex C
6.6. Verification Plan and Methodology 115
Forward proof is used to symbolically execute a sequence of inputs starting
with assumptions about the initial state and applying inference rules to derive
subsequent states in the computation. Similar techniques were also used to
partially verify the VIPER microprocessor [31,32].
The analysis of the way machine states follow each other leads to a represen-
tation of the state transitions as a tree (or more accurately, a graph). Each state
transition is implemented as a sequence of input events which may effect the
internal states or flags of the machine. The sequence is detennined as the inputs
are read, according to the internal state and the current input vector. The possible
sequences define a graph of transition states, each state pointing to one or more
others, and one designated Reset state, as shown in Fig.6.4.
The first step of the proof procedure is to show that the system always delivers
a new state from a current set of internal variables, i.e. the system is functional at
all time, thus,
~ 'v'm v pt. 309. 3'Vm' v' p'. NextState (09, m, v,p) t = (m', v',p')
The theorem asserts that given a set of current states, there is at least one set of
input which delivers a new operating condition which is uniquely defined by the
NextState function.
What has to be proved next is that under certain pre-defined conditions, the
functional Specification agrees with the intended behaviour. The first thing to
establish is what that state is; the second is whether NextState gives that state. All
connections in Fig.6.4 are labelled with the corresponding state transition lemmas
9
Wherever possible, two or more transitions having the same transfonning
effects are grouped together to fonn a single transition. For example, the transition
R_COND represents a set of transitions from all states having running signal
9These proofs are included in Annex C
6.6. Verification Plan and Methodology 116
evaluates to False at time t,
I- Vt. (s = False, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb)
:) (m = Cruise) * NextState (s,m,v,p)t = (Reset,F,Close)
NextState (s, rn, v,p) t = (Reset, v, Close)
The theorem asserts that provided the state vector s satisfies the indicated value
then the controller will be reset, internal flags being modified appropriately. Each
transition in the graph is therefore characterised by saying how NextState changes
a state and selects the next node during that transition 10.
All the state transitions shown above have been proved. The proofs are tedious
and messy since there are many cases to consider, however, they follow the same
pattern of tactics. Therefore proof procedures are not repeated here but included
in Annex C for convenience.
6.6.4 Deterministic state-machine
A state machine is deterministic if the next state is uniquely determined by the
current state and its input. If all states of the machine are labelled then it is called
a labelled-state automata [75].
I- VQ Ne. lSA (Q,N) e =
3s. Q(eO,sO) A Vt. N(et,st)(e(SUCt),s(SUCt)
The definition states that a function N is a Labelled-State Automata (lSA) iff there
exists an initial condition Q which is true at time 0 and N holds for successive
time interval of t. Inother words, LSA divides the operating domain of the state
machine into two subsets; one set comprises of initial conditions and the other is
a set of normal operations which recursively holds for all time t.
Following this, a deterministic machine is safe if it can consequently be clas-
10Note that by using the Arb function the state vector, at time t represents a Id or inputs.
6.7. Discussion 117
sified into three domains; initial, normal and safety subsets 11.
~ "IQ P N e. PlSA (Q, P, N) e =
3s. Q (e 0,30) A "It.P (e t,s t» A "It. N (e t,s t) (e (sue t),s (sue t)
The equivalence proofs of these assertions are shown in [75] and not repeated
here. The main aim is to prove that the state machine behaviour of the DBW
satisfies these characteristics. The following theorem has been proved,
~'Vipop. Init(ip,op):J Safe(ip,op)A
Yipopip'op'. Nextstate(ip,op)(ip',op') A Safe(ip,op):JSafe(ip',op')
:J Ye. LSA(Init, Nextstate) e = PLSA(Init,Safe, Nextstate) e
The theorem asserts that provided the initial and all its subsequent states are safe
then it is deterministic. In fact, this theorem holds for all states since the safety
property of the DBW has been proved insection 6.6.2. The derivation of this proof
is shown in Annex C.
6.7 Discussion
In this case study, the FSM/TL n framework is used for modelling, specifying
and verifying systems composed of real-time discrete event processes. Finite state
machines are used to represent event processes, and temporal logic provides the
assertions for specification and verification.
The connection between FSM and TL is made via a transition system which
consists of a (possibly infinite) state space, a set of transitions defining state trans-
formation, a set of initial states, and a safety family. A computation is expressed
as a sequence of states whose initial state is in the initial state set, whose successor
states are obtained by applying permitted transitions, and where the safety family
llThis is called a Partitioned Label State Automata (PlSA).
12Finite-State Machine/Temporal Logic
6.7. Discussion 118
are used to ensure that certain sets of transitions that are continuously enabled or
infinitely often enabled. in the computation are achieved. The approach used in
this case study can form the basis for subsequent behavioural analysis of real-time
discrete event systems and its charactertstlcs can be summarised as follows,
• State transitions have associated lower and upper time bounds (measured.
with respect to a global clock) so that real-time properties (including delays
and timeouts) can be represented.
• Two different variables are introduced: a time variable t (the current clock
time) and an implicit next-transition variable n (for referring to the events
of complex systems).
• Instead of computations, the state transition generates trajectories or se-
quence of states that take into account the lower and upper time bounds of
transitions.
• The trajectories can be interpreted in temporal logic which uses a mixture of
standard operators together with the time variable to express quantitative
timing properties.
The expressive power of higher-order logic has been an advantage in several
ways for the work described in this case study. One of the most important uses
of higher-order functions and relations has been to parameterise definitions by
a representational variable providing a formal basis for our approach to abstract
specification.
We have found several instances where the ability to use a relation in place of
a function was very desirable. Our model of control signals with relations as an
alternative to using combining functions.
A number of errors in the design and specification of DBW were discovered
in the course of verifying its correctness. A few of these errors were not simple
mistakes and not the kind of error easily revealed. by simulation (they were con-
cerned with subtle aspects of the interrupt specification). However, many simple
6.7. Discussion 119
mistakes were also found by verification but they could have been discovered ear-
lier without incurring the high cost of verification if the specifications had been
executable. Camilleri [25] points out the advantage of executing formal specifi-
cations as a means of supporting a verification methodology. In this respect, the
Boyer-Moore approach [14] offers the advantage of directly executable specifica-
tions. The increased expressiveness of higher-order logic results in terms which
do not always have an obvious executable specification. However, the imple-
mentation of an executable subset of higher-order logic is a foreseeable addition
to the HOL system 13.
It was extremely useful (in fact, much more useful than we initially expected)
to embed some operators from temporal logic in our higher-order framework.
It is likely that work in embedding other calculi in higher-order logic will be a
particular interesting area of future development in HOL. In addition to Hale's
work on Interval Temporal Logic [52], some other examples include work by
Gordon on programming logic [51], by Loewenstein on a theory for determin-
istic and non-deterministic state machines [75], and related work by Joyce on
asynchronous memory [69].
13Camilleri [25] describes simulation tools Coran executable subset oC higher-order logic oriented
towards hardware simulation.
Chapter 7
Mechanical Solid Modelling
7.1 Introduction
This chapter deals with the specification issues encountered when designing me-
chanical components. Most mechanical products are collections of rigid solids
which are manufactured and assembled via processes whose effects are primarily
geometricaL Geometrical information - for specifying parts and products, and
for controlling processes - obviously is of crucial importance in the mechanical
industries, and techniques for modelling and handling such information are re-
quired for automatic or computer-aided design and production. Although there
are a number of geometric modelling systems commercially available [9,16,19],
most of them rely on the user to verify the completeness, validity, and uniqueness
of a model, Such manual verification becomes increasingly more difficult- as the
model becomes more complex, even with sophisticated computer graphic display
techniques. The work presented in this chapter describes an attempt to automate
the verification of such modelling process by introducing a fonnal solid model,
and from which other geometric properties of rigid solid objects can be reasoned
about.
The difficulty in the present application is the verification problem when de-
signing mechanical parts of transformers with complicated shapes to fit into a
certain predefined environmental space. Furthermore, the electrical character-
istics of the transformer itself are heavily dependent upon the relative spatial
120
7.2. Designing Mechanical Parts 121
positions and dimensions of their components such as core, coils and cooling
sections [3,38). This means that a valid geometric model will playa key role in
the verification of the transformer design process 1.
However, the need for a verified modelling theory has to be preceded by a
thorough understanding of what does constitutes a valid, complete and unique
model, and this motivation results in the work described in this chapter. In
the following sections, a formal geometric modelling framework which is based
on Higher-Order Logic and set-theoretic topology is introduced. This chapter
describes the work involving in modelling rigid solid objects as set-theoretic
compositions of primitive solid building blocks. The solid geometry is based
on Euclidean geometry and general point-set topology [102]. The mathematical
foundations and certain elementary, but specialised results, of point-set topology
which are required in the study of geometric modelling are also discussed.
The development of the geometric modelling theory is in three presented
stages. The first part describes the mathematical foundation of point-set topology
which is represented and verified using Higher-Order logic. The second part gives
a formal representation of solid primitives and a Boolean model as its connective
mechanism and, the last part discusses some practical examples of the application
of theory to the specifications of the mechanical parts of a simple transfonner.
7.2 Designing Mechanical Parts
In conventional design and manufacturing, information about dimensional (3-
D) shapes is described using engineering drawings. However, drawing-based
design presents several problems. This section discusses the problems involved in
conventional 3-D design of mechanical parts, particularly to those of transformers,
and then describes how geometric model-based design can solve these problems.
IThia work was ca.rried out in colla.boration of Goodyear Transformers Ltd. in Birmingham.
7.2. Designing Mechanical Parts 122
7.2.1 Communication between the designer and the modeller
Although the designed object is 3-D, the information in the drawing is 2-D,so the
information passed from the designer to the modeller is incomplete. Generally,
the designer is not satisfied with the first model. When the shape includes
many surfaces, the problem is particularly serious. To define these surfaces,
therefore, a designer will draw many cross-sections. However, the designer often
cannot adequately express the shape that he/ she envisages, so the first model (or
drawing) may need many modifications. To satisfy these design requirements,
the modeller will then make a new model and this process will be repeated as
necessary. However, because both the finance and the time available for design
are in general limited, the designer is not always satisfied with the finalmodel.
7.2.2 Time taken and costs incurred in the design process
After the designer has specified the modifications required, obviously he/she
would like the new model to bemade as quickly as possible, and for the modeller
to make as many models as necessary. However, it takes some time to make each
model, and they are generally expensive to produce. Indeveloping a commercial
product, it is desirable to shorten the time taken in designing it and to minimise
expenditure. It is therefore difficult to allow the designer to produce as many
models as he or she might wish.
Tosolve these problems, a system ofdesign based on geometric modelling can
be envisaged. Fig.7.1b shows such a design process. In this method, the designer
does not produce a finished drawing, but works interactively on a computer to
refine the design and produce a geometric model. To ensure the validity and
rigidity of the design, the model is manipulated using a number of correctness-
preserving transformations. That is each geometrical operation applied to the
valid model should produce a new single or compound solid that is also valid.
7.3. Geometric Modelling in Transformer Design 123
Final Model
Drawing-based design
Ca)
Verification
'--- .. Final Model
Geometric-based design
(b)
Figure 7.1: The use of formal geometrical model
7.3 Geometric Modelling in Transformer Design
A geometric modelling theory does not only provide solutions to the commu-
nication problems outlined above but it also supports the following geometric
verifications which are crucial in the development of high-cost products. This
present study will concentrate on one such example which is the design of large
power transformers used in safety-critical applications such as nuclear power
plans, or in a space-limited environment such as the Channel Tunnel.
7.3.1 Spatial arrangement
A typical schematic diagram of a power transformer is shown in Fig.7.2 with its
usual fittings. An important consideration in designing transformers is that the
electrical characteristics are closely related to its mechanical arrangement. For
example, in the design of winding coils and former, the designer has to rnake sure
that the windings will fit into the window space of the laminated core. A small
change in the dimensions of the former or coils will greatly affect the reactance
paths and consequently the eddy losses of the transformer. Moreover, additional
fittings such as bushings, switch gears and tap changers, further complicate the
7.4. Mathematical Foundations 124
mechanical design.
7.3.2 Volumetric verification
When transfonners are designed for indoor applications, the spatial occupancy
becomes more important. Since large power transfonners normally have very
complicated shapes, the task of keeping track ofits spatial occupancy is not trivial,
particularly when the design has a number of modifications, which is the usual
case. Therefore, by presenting the mechanical structure of the design using a
fonnal solid model the overall space of the finished product can then be deduced.
To represent the compositional relationship between the various mechanical
parts, we use a formal model of a binary tree ~to verify geometric operations and
the design's verification is achieved indirectly by ensuring that each operation in
the resultant btree is a formally valid transformation. The approach in this case
study can easily be justified. Let us consider the compositional representation of
the btree of the simplified transformer shown in Fig.7.2. It is obvious that even
with a very simple compound object, the verification of its validity is not a trivial
task, and furthermore the size of the btree grows rapidly as the model becomes
more complex. Thus, if solid primitives and their associated operations can be
formally represented as geometrically valid transformations then the validity of
the final object can be implicitly assured.
The following sections discuss some representational issues and requirements
of a valid solid modelling system, and then from these mathematical foundations
its formal Specification can be defined and then verified using appropriate topolo-
gies.
7.4 Mathematical Foundations
There are many different viewpoints about the notions of representational com-
pleteness and consistency. A definition of the so-called geometrical completeness
lThla is also referred to u a btree.
7.4. Mathematical Foundations 125
bushings
lugs
tank
cool ing tank
radiators
o base o
(a) An oversimplified power transformer diagram
transformer
coil2
bushings coil3 core
Ii\~ Ii\ ...
cable bolt \,\" primitives pnrmuves
base ~ primitives
tank
1\
~rimitives
primitives
lugs
If\
primitives primitives
(b) Structure of the compositional tree
Figure 7.2: The schematic diagram of a simplified transformer
7.4. Mathematical Foundations 126
can be described as follows [10],
A specification is geometrically complete if it contains information suf-
ficient to compute and reason about the geometric properties of the
specified entity.
Fig.7.3 suggests a useful way of looking at the problem. Firstly objects in the
real world must be replaced by a mathematical model, ie. by abstract entities
defined in an appropriate domain of mathematics. This domain includes subsets
of the three-dimensional Euclidean space which possess the properties of com-
pactness and regularity. This class of subsets excludes curves, surfaces, and other
sets which are not solid, le, homogeneously three dimensional or simply regular.
The geometric property can be precisely defined by the mappings or functions
which take regular sets and produce well-defined mathematical formulae. For
instance, volume is a geometrical property of an object because it can be defined
by a function that maps regular sets of points into positive numbers.
The relation labelled representation scheme in Fig.7.3 takes regular sets and
produces mathematically defined symbol structures. Eventually such symbol
structures must be further mapped into storage structures in the computer but
this step is not considered here. The notion of geometrical completeness may
be expressed quite simply in this framework: it requires that the inverse of
the representation scheme relation be a single-valued function, i.e. that each
representation corresponds to a one-one function f which satisfies the relation,
I- Vf. ONE_ONE f = '1Xl X2. (f Xl = f X2) ::> (xl = x2)
Clearly, if the set that corresponds to a given representation is known then we
have all the geometrical information which is required to determine its geometric
properties.
7.5. Point-Set Algebra 127
Mathematics
Physical
Object
Figure 7.3: Representation scheme
7.5 Point-Set Algebra
In solid modelling, when we combine simple shapes, called primitives, to form
more complex shapes, the application of set theory becomes useful. Solid mod-
elling techniques, in particular have drawn considerably from the axioms of set
theory. The term set denotes a well-defined collection of objects. Objects belong-
ing to a set are its elements or members. The basic element in our modelling
approach is the point. The application of set operations to sets of points in Carte-
sian space is therefore referred to as point-set algebra.
It should be noted that definitions and theorems represented in this chapter
are using the general form of set notation, that is, a set S which contains all points
x that satisfies a rela tion P( x) is denoted. as,
S = {x I P(x)}
where the symbol 'I' is called a set-builder notation and it describes the set in
terms of conditions on any arbitrary element of the set. For example,
S = {x 11 < z < ID}
is a set consisting of all natural numbers in the specified interval excluding its
end points. The condition on the right hand side of the vertical line represents
the condition for set membership.
7.5. Point-Set Algebra 128
Any set that contains all the elements of all the sets under consideration is the
universal set UNIV, and conversely, EMPTY is a set which has no elements. More
formally,
I- UNIV = {x I true}
I- EMPTY = {x I false}
There are three basic operations which are frequently used in this modelling
theory. These are intersection, union, and difference between sets. They are
defined in HOL as follows,
I-Vst.sUNIONt={xlx E s v » E t}
I-Vst.sINTERt = {x Ix E s s:» E t}
I- Vs t, 8 DIFF t = {z I x E 81\. -,z E t}
The complement of 5with respect to the universal set UNIV is denoted by COMPs,
I- Vs. CaMP" = UNIV DIFF "
The following theorems about basic properties of set topology (71) can easily be
proved 3,
I- Vs.s UNION (CaMP s) = UNIV
I- Vs. slNTER (COMP 8) = EMPTY
I- Vs t. CaMP (s UNION t) = (CaMP s) INTER (CaMP t)
I- Vs t. CaMP (s INTER t) = (CaMP s) UNION (CaMP t)
I- Vs t.CaMP (s DIFF t) = (CaMP s) UNION t
I- Vs t. (s = t) :J (CaMP s = CaMP t)
I- Vs. COMP(COMP s) = s
3The proofs a.re included in Annex D.
7.5. Point-Set Algebra 129
A comprehensive list of theorems about the basic properties of sets is included
in Annex 0 4. The following sections describe some elementary, but essential
concepts which are used. in the geometric modelling theory.
1.5.1 Metric space
A metric space is a pair (s,d) where s is a set and d: * X • - num is a function
called the distance or the metric function, such that for all z, y and z in s, the
function d asserts the following properties,
r 'Vd.METRIC d =
("Ix y.O 5 d x y) A
(Vxy.dx'l=dyx)A
("Ix y. x = y :::> d x y = 0) A
(Vxyz.dxz ~ dxy+dyz)
We may think of the distance function d as providing a quantitative measure of
the degree of closeness of two points. Inparticular, the triangularity relation
rVx1Jz.dxz ~ dxy+dyz
may be thought of as an assertion of the transitivity of closeness; that is, if z is
close to y and y is close to z, then x is close to z, The existence theorem follows
immediately from the definition of the METRIC definition,
rVx.3Rd.x E sAMETRICd:J (dxx) 5 R
This means that for any point z in a set s, there always exists an appropriate
function to qualify the set s to be a metric space. However, it should be noted that
the metric function d represents an abstract measure of the degree of closeness
of pairs of points and it does not necessarily relate to the concept of the usual
tTheorems about algebraic topology were originally introduced by Artin [6].
7.5. Point-Set Algebra 130
geometrical distance. For instance, suppose that a metric space is the Euclidean
geometry with its concept of distance defined by a metric function as follows,
r "Ix y. DISTANCE (x, y) = (x = y) ~ 0 I 1
then it can easily be proved that the set of all points defined by DISTANCE satisfy
the metric space 5, that is
r METRIC(DISTANCE)
In fact, DISTANCE describes a 2-dimensional grid of points in the first quadrant
of the Cartesian coordinates. In fact, an integer is defined in HOL as a tuple of
pair (b,n), where n is a natural number and b is a boolean value which is true if n
represents a positive integer, and false otherwise. The first quadrant of Cartesian
coordinate is therefore represented as a 2-tuple of pair «true,x),(true,y», where z
and yare coordinates of integer values.
In geometry, we are usually concerned with sets that have no limit points. For
example, the set of all points in the Cartesian space is infinite and one often refers
to this class of sets as open sets [6].
7.5.2 Open sets and neighbourhood
A subset s of a metric space is open if it contains an open ball about each of its
points, that is
r "Is. OPENs = "Ix. 3R. x E OPEN_BAll s x R
where the circle about each point x in s is defined by the relation OPEN_BAll,
where
r "Is x R. OPEN_BAll s x R =
{y 13d.(y e s " METRICd) :J (dxy) S R}
~The proof of this example is given in Annex D
7.5. Point-Set Algebra 131
This means that if the pair (09, d) is a metric space, and z is a point of 09 then the
open ball of radius R about e, is the set of all points y whose distance from :r is
less than R. For instance, suppose 09 is a real line with its usual distance. An open
ball about a real point x is an open interval of length 2R about z,
Open sets in a metric space have the following properties; the empty set
EMPTY and the UNIV are open 6,
I- OPEN (EMPTY: (.)set)
I- OPEN (UNIV : (*)set)
The intersection of a finite number of open sets is an open set,
I- Vs t. OPEN s A OPEN t :::> OPEN (s INTER t)
and, similarly, the union of a finite number of open sets is also an open set,
I- Vs t.OPEN s A OPEN t :::> OPEN (s UNION t)
The neighbourhood of a point x in set s is any subset of s which contains an open
set which contains z, Formally,
I- Vs z: NEIGHBOUR (z,s) = {y I (y E s) A (3y~ y'= xH
A neighbourhood of z in 09 may be thought of as a set which contains all the
points of s that are sufficiently close to z or enclosing z since it contains some
OPEN_BAll about z: In particular, these open balls have the property that they
are neighbourhood of each of their points, that is
I- Vs R y. y E OPEN_BALL (09, x, R) :::>
OPEN_BALL (s,x, R) = NEIGHBOUR (y,OPEN_BAll(s,x, R»
IINotation (.).td represents sets of polymorphic type.
7.5. Point-Set Algebra 132
Figure 7.4: Neighbourhood in an open ball
The proof of this theorem can be illustrated pictorially in Fig.7.4 7.
1.5.3 Closed sets
A subset s of a topological space is dosed iff its complement is open,
I- Vs. CLOSED s = OPEN (COMP s)
It should be noted that closed sets are not the opposite of open sets. In fact, there
are sets which are both open and closed, such as the UNIV and EMPTY set,
I- CLOSED (UNIV: (.)set)
I- CLOSED (EMPTY: (.)set)
(7.1)
(7.2)
The closed sets have the following properties,
I- Vs t. CLOSED s /\ CLOSED t :) CLOSED (s INTER t)
I- Vs t. CLOSED s /\ CLOSED t :) CLOSED (8 UNION t)
(7.3)
(7.4)
It is clear that a set 8 is characterised by two subsets; one includes its interior
members and the other contains those on its edges as illustrated in Fig.7.5 and
Fig.7.6. It should be noted that the abstract concepts of OPEN and CLOSED may
7HOL proof of this theorem is included in Annex D.
7.5. Point-Set Algebra 133
lead to the incorrect conclusion that a set can not both be opened and closed. An
obvious example is that, in any metric space, the two sets EMPTY and UNIV are
open and consequently, their complements UNIV and EMPTY are both closed as
shown in previous sections. There are also other subsets that are simultaneously
open and closed, and they represent an important property of topology which is
described as connectedness, that is
... "Is. CONNECTED s = OPEN s A CLOSED s
The concept of connectedness is useful in the formal definition of rigid solid
objects as was outlined in section 7.6.1.
7.5.4 Closure
A point x isa limit point of a subset 8of a topological space if each neighbourhood
of x contains at least a point of 8 different from x .
...Vs z, LIMIT (x,s) =
VS1.(81 = NEIGHBOUR(x,s» A (3y.y E 81 A .., (y = x»
It can easily be proved that a set is closed iff it contains all its limit points,
I- Vs. CLOSED s = "Ix. LIMIT (x, 8) :::> (z E s)
The closure of a subset 8 is then defined as the union of 8 with the set of all its
limit points,
I- "Is. CLOSURE 8 = s UNION {x I LIMIT (x, s)}
It follows that if z is a point in the closure of s then each neighbourhood of x
intersects s. In other words, the intersection of s with each neighbourhood of z
results in non-empty sets,
I- "Ix s, x E CLOSURE 8 :::> "'(8 INTER NEIGHBOUR (x, s) = EMPTY)
7.5. Point-Set Algebra 134
Furthermore, a set s is closed iff it is identical to its closure, i.e.
~ Vs. (CLOSED s) = (s = CLOSURE s) (7.5)
The following theorems are proved for the properties of closure operations 8,
~ Vs t.set ::)(CLOSURE s) C (CLOSURE t)
~ Vs t. CLOSURE (s UNION t) = (CLOSURE s) UNION (CLOSURE t)
~ Vs t.CLOSURE (s INTER t) c (CLOSURE s) INTER (CLOSURE t) (7.7)
(7.6)
The interesting fact about the last property (7.7) is that the closure of set inter-
section may be strictly smaller than the set intersection itself. For instance, let us
suppose that sand t are the intervals (0,5) and (5,7), then
CLOSURE (8 INTER t) = {}
whilst the intersection of their closures is a singleton set,
(CLOSURE ,,) INTER (CLOSURE t) = {5}
It should be noted from theorem (7.5) that by taking the CLOSURE of a set, we
apparently associate it to a new subset, denoted by CLOSURE s. This correspon-
dence or operation on sets satisfies the following properties whose proofs are
given in Annex D,
I- CLOSURE (EMPTY) = EMPTY
I- Vs. CLOSURE s = s
~ Vs. s C (CLOSURE s)
~ Vs t.CLOSURE (s UNION t) = CLOSURE s UNIONCLOSURE t
~ Vs. CLOSURE (CLOSURE s) = CLOSURE 8
'Derivations of proofs are shown in Annex D.
7.5. Point-Set Algebra 135
These properties (or more precisely, theorems) are considered as a set of axioms
for what we will call a closure space and then from theorems (7.1-7.6) it follows
that there is a one-one correspondence between the topological spaces and the
closure spaces.
So far, it has been shown that the closure of a set s is the smallest closed subset
containing s. Another significant subset associated with s is the interior of s,
which is the largest open set contained in s.
7.5.5 Interior
An interior of a subset s of a topological space is a set which contains all points
x such that there is at least a neighbourhood of x which is an open subset of s.
More fonnally,
r "Is. INTERIOR s = {x 13t.OPEN t " (t C s) A [z E tn
Consequently, a point x is inside a set s iff it belongs to the interior of 8,
r Vs x.INSIDE (x,s) = x E INTERIOR s
It follows immediately that if x is inside 8 then its neighbourhood is equal to 8,
I- "Ix s.INSIDE (x, s) J (s = NEIGHBOUR(x,s»
It is clear that INTERIOR s, being the union of open sets, is itself open 9, and it is
the largest open set contained in s, that is
r Vs. (s = INTERIOR s) = OPEN s
Furthermore, if s contains a family of open sets then the complement of its in terior
is the family of closed sets contains COMP 8,
I- Vs. COMP (INTERIOR s) = CLOSURE(COMP s)
'From section 1.5.2
7.5. Point-Set Algebra 136
Interior of set union Interior of set intersection
Interior of set difference
Figure 7.5: Defining the interior of set operations
and, conversely
f-Vs.INTERIOR s = COMP(CLOSURE(COMP s))
The interior of a set which results from set operations such as intersection, union
and difference is illustrated in Fig.7.5 and the following theorems have been
proved using the HaL system,
f- Vs t.INTERIOR (s UNION t) = (INTERIOR s) UNION (INTERIOR t)
f- Vs t.INTERIOR (s INTER t) = (INTERIOR s) INTER (INTERIOR t)
f- Vs t.INTERIOR (s DIFF t) = (INTERIOR s) DIFF (INTERIOR t)
Further theorems about the interior operation on sets are included in Annex D.
7.5.6 Boundary
A boundary of a subset s is a set which includes all points x such that x belongs
to both s and its complement set, thus
f- Vs. BOUNDARY s =
7.5. Point-Set Algebra 137
{x I (x e CLOSUREs) A (x e CLOSURE (COMP s»)} (7.8)
Consequently, a point x is considered to be on the boundary of a subset s iff it is
a member of the boundary subset,
I- Vs z . ON (x,s) = x e BOUNDARY s
Definition (7.8) asserts informally that the boundary of a set s contains all points
that are arbitrarily close to both s and its complement set, that is
I- Vs. BOUNDARY s = (CLOSURE s) INTER CLOSURE (COMP s)
It follows that sand COMP s have the same boundary, since
I- Vs. BOUNDARY (COMP 8) =
CLOSURE (COMP s) INTER CLOSURE (COMP(COMP 8» (7.9)
and itwas shown earlier that,
I- Vs. COMP(COMP s) = s (7.10)
Hence, by rewriting theorem (7.9) with theorem (7.10) we have,
I- Vs. BOUNDARY (COMP s) = CLOSURE (COMP s) INTER CLOSURE s
It follows immediately from the symmetrical property of the INTER operation
and the definition of BOUNDARY that,
I- Vs. BOUNDARY (COMP s)
= (CLOSURE s) INTER CLOSURE (COMP s)
= BOUNDARY s (7.11)
7.5. Point-Set Algebra 138
Furthermore, for any set s in a topological space, it can easily be proved that,
I- 'Vs. CLOSED(BOUNDARY s)
I- 'Vs. CLOSURE s = (INTERIOR s) UNION (BOUNDARY s)
I- 'Vs. CLOSURE 8 = (s UNION BOUNDARY s)
I- 'Vs. (INTERIOR s) DISJOINT (BOUNDARY s)
Up to this point, we have formally shown that in any topological space, a closed
set can be uniquely defined by its interior subset and a boundary subset. Any
operations on sets should therefore preserve the closed-set property. This means
that they also result in a valid set with a uniquely defined interior and boundary
subsets. It was shown in section 7.5.5 and illustrated in Fig.7.S that the interior of
set operations on any two sets is a proper subset. However, it ismore difficult to
define the boundary of the resultant set.
Let us consider a simple example of defining the boundary of set intersection
as shown in Fig.7.6. The boundary of siNTER t comprises of three subsets,
denoted by A, B, and C. The problem of defining the boundary of siNTER t
reduces to a simpler problem of identifying these three subsets. It can be shown
geometrically from Flg.7.6, and is shown formally in Annex 0, that the subset A
satisfies the relation,
I- A = (BOUNDARY t) INTER (INTERIOR s)
and, similarly
I- B = (INTERIOR t) INTER (BOUNDARY 8)
It is obvious that the subset C includes the isolated points at the boundary junc-
tions, i.e.
...C = (BOUNDARY 8) INTER (BOUNDARY t)
7.5. Point-Set Algebra 139
Set s
~
Figure 7.6: Set compositions of the boundary of 3 INTER t
Furthermore, to account for the gaps around these boundary junctions, we have
to include the intersection of both closures of 3 and t, the relation for defining
subset C then becomes,
f- C = (BOUNDARY s) INTER (BOUNDARY t) INTER CLOSURE (s INTER t)
In fact, the following theorem has been verified in HaL and its proof is given in
AnnexD,
f- Vs t. BOUNDARY (3 INTER t) =
(BOUNDARY t INTER INTERIOR 8) UNION
(INTERIOR t INTER BOUNDARY 8) UNION
(BOUNDARY 8 INTER BOUNDARY tiNTER
CLOSURE (s INTER t» (7.12)
The boundary of set unions and differences can be verified similarly, and theorems
for defining their boundaries are given below,
f- Vs t. BOUNDARY (s UNION t) =
(BOUNDARY 3 INTER INTERIOR (COMP t») UNION
(INTERIOR (COMP s) INTER BOUNDARY t) UNION
(BOUNDARY s INTER BOUNDARY tiNTER
7.5. Point-Set Algebra 140
CLOSURE (COMP 8 INTER COMP t))
I- "'18 t. BOUNDARY (8 DIFF t) =
(BOUNDARY 8 INTER INTERIOR (COMP t» UNION
(INTERIOR 8 INTER BOUNDARY t) UNION
(BOUNDARY 8 INTER BOUNDARY tiNTER
CLOSURE (8 INTER COMP t»
(7.13)
(7.14)
It follows immediately from theorems (7.12-7.14) that,
I-V8t.(8 c n o
t = (INTERIOR 8 UNION BOUNDARY 8 UNION INTERIOR (COMP 8»
...Vs t. BOUNDARY (s UNION t) c (BOUNDARY 8 UNION BOUNDARY t)
I- Vs t.BOUNDARY (8 INTER t) C (BOUNDARY s UNION BOUNDARY t)
I- Vs t.BOUNDARY (8 DIFF t) C (BOUNDARY 8 UNION BOUNDARY t)
...Vs t.INTERIOR (s UNION t) C (INTERIOR s UNION INTERIOR t
UNION (BOUNDARY s INTER BOUNDARY t))
7.5.7 Dimensional property or boundary
Let us consider a set s which includes all the points in the interval (0,1). It can
easily be shown from the definitions described in earlier sections that,
INTERIOR 8 = {}
CLOSURE s = {O,I}
BOUNDARY 8 = {O,I}
What has been illustrated in this example is that, when the interior of a set is
empty, the abstract concept of the boundary of a set 8 is a thin set which separates
8 from its complement counterpart COM P 8 is not adequately represented. Since,
7.5. Point-Set Algebra 141
in this case,
BOUNDARY s = CLOSURE s
from which the BOUNDARY is interpreted as having some degree of thickness.
Therefore in this section, we introduce a class of sets whose boundaries are suit-
ably thin for the intuitive concept of BOUNDARY to be justifiable. A set s is
considered to be thin if it satisfies the relation,
r Vs. THIN s = INTERIOR (CLOSURE s) = {}
It should be noted that THIN sets have empty INTERIOR but the converse is not
true in general. For instance, the set of rationals has empty interior and yet it is
not a THIN set, since the interior of its closure is the whole real1ine.
The following properties ensures that any operation on sets preserves the
dimensionality of the resulting component, that is
I- Vs t, THIN" " THIN t ::> THIN (" UNION t)
I- Vs t.THIN s " THIN t ::> THIN (8 INTER t)
r Vs t.THIN s " THIN t ::> THIN (8 DIFF t)
I- Vs t. (THIN" Ate s) ::> THIN t
It follows that the abstract concept of a thin boundary can be defined formally in
HOL as follows,
I- Vs. THIN BOUND s = THIN (BOUNDARY 8)
and it can easily be verified that the boundary of any closed or open set is a thin
set, that is
I- Vs. CLOSED s ::> THINBOUND s
I- Vs. OPEN s ::> THINBOUND s
(7.15)
(7.16)
7.6. Closed Point-Set Topology 142
The proofs of these theorems are shown in Annex D. The last property (7.16) can
be readily be derived from (7.15) and theorem (7.11), which is shown in section
7.5.6 as follows; if s is open then from theorem (7.15\ we can assert that,
r- Vs. THINBOUND (COMP s)
since CaMP s is dosed. Then from theorem (7.11), which states that a set sand
its complement have the same boundary subset, that is
r- Vs. BOUNDARY (CaMP s) = BOUNDARY s
It follows immediately that,
r- THINBOUND (CaMP s)
= THIN (BOUNDARY (CaMP a»
= THIN (BOUNDARY s)
= THINBOUND s
1.6 Closed Point-Set Topology
So far, we have introduced the operations on open and closed sets which are of
polymorphic types 10. This means that these sets are defined in HOL to have an
arbitrary type of the form (• )set which represents a set taking all elements of the
same (.) type. In this modelling theory, we only deal with spatial properties and
the set theory is therefore instantiated using an appropriate type definition. In
this model the basic element is the point which is represented as a tuple of three
elements,
point : num #num # num
lODefinitioDI and properties of polymorphic types are discussed in Chapter 2.
7.6. Closed Point-Set Topology 143
This definition corresponds to a HOL type of three integers representing X, V, Z
coordinates respectively 11,where
I- Vp. X (p: ·point) = FST p
I- Vp. V (p: ·point) = FST (SND p)
.. Vp. Z (p: ·point) = SND (SND p)
Ifwe denote the three-dimensional Cartesian space as E3 then any region Rwhich
is a subset of E3 is a finite and bounded portion of E3. Points that comprise any
region are individually characterised as either lying entirely within the region or
on its boundary. Thus the set of points denoted by R can be divided conveniently
into two subsets i Rand b R, where iRis the set of points in the interior of a
region and b R is the set of all points which are on its boundary. Hence,
.. YR. R = i RUNION b R
where band iare defined by the function BOUNDARYand INTERIORu, which
maps the set of points R into its boundary and interior subset respectively. It
follows that the BOUNDARYfunction has the following type,
BOUNDARY : (point)set # (point)set - (point)set
and similarly,
INTERIOR : {point)set # (point)set - (point)set
In general, a region can be described as a topological space which is defined by
a tuple (b R, iR) where bRand i R are the boundary and interior subsets of R
respectively.
It follows that the closure of a region R, denoted (lOS URE R, is the union of
l1The use of the caret." symbol to represent polymorphic types is explained in Chapter 4.
12These functions are defined in section 7.5.5 and 7.5.6.
7.6. Closed Point-Set Topology 144
all its interior and boundary points, that is
I- 'VR. CLOSURE R = b RUNION iR
7.6.1 Defining OBJECT
To establish formal modelling criteria, we abstract a set of geometric characteris-
tics from solid physical objects. The most important property is the concept of an
object and it is determined by the total spatial point-set that defines it.
o However, in geometric modelling, we are only interested in those objects that
are bounded and connected. From the set topology discussed earlier in section
7.5.4, it follows that a set is bounded iff it is definable within a finite space that is if
it is a closed set. Also from section 7.5.3 it has been shown that a set is connected
iff it is both open and closed. An object must also satisfy certain conditions,
• It has distinguished member sets, ie. the boundary and interior are disjoint,
• Itmust be closed, ie. the boundary is a finite point-set, and
• Its closure is upper and lower bounded.
Thus, an object can be described formally inHOL as follows,
I- Va.OBJECT a = CONNECTED a"
.,(b a = EMPTY) " (3n. HAS_CARD (CLOSURE a) n)
where EMPTY represents the empty set {} and HAS_CARD is a binary function
which returns a TRUE value if the cardinal of the set CLOSURE a is equal to n,
and FALSE otherwise, that is
I- Vs n. HAS_CARD s n = (CARD s = n)
It should be noted that the definition is a partial specification and it is true under
the intended interpretation. One important feature of the function OBJECT is
7.6. Closed Point-Set Topology 145
Class name InteriorBoundary
No interior point
Set of points on the curve
except the end points
Set of points on surface
except those on bounding curves
Set of points within solid
except those on bounding
surfa.ces
Point
Curve
The point itself
End points
Surface Fini te closed
curves
Finite surfacesSolid
Table 7.1: Definitions of geometric objects
that it specifies an object rather than describes it. This means that it places bounds
on certain aspects of its behaviour and remains silent on other aspects.
For example, if we assert that for an object a, OBJECT (J delivers true, this
asserts that it is an object within the domain of closed-set and remains silent about
its characteristics outside that domain. In this context, it is interesting to note that
a dot which has a single point in its boundary and an empty interior is also a
valid object however, as it will be shown later in section 7.6.2 that it is not a valid
solid primitive.
Other basic geometric objects can be defined similarly in HOL as classified in
Table 7.1, from which, for example, a CURVE is defined as an object having an
finite BOUNDARY set of points and a non-empty INTERIOR set as follows,
I- Vc. CURVE c = OBJECT c /\ -,(i c = EMPTY) /\ FINITE (b c)
The definition can be expanded to include special cases for CLOSED_CURVE and
OPEN_CURVE as follows,
I- Vc. CLOSED_CURVE c = CURVE c /\ (b c = EMPTY)
I- Vc~OPEN_CURVE c = CURVE c /\ tiAS_CARD (b c) 2
A surface is then defined as having a BOUNDARY which contains one or more
7.6. Closed Point-Set Topology 146
CLOSED_CURVE and a finite INTERIOR set,
I- Vs. SURFACE s = OBJECT s "
-,(i s = EMPTY) " (3c. CLOSED_CURVE c " CLOSURE c C (b s»)
1.6.2 Solid primitives
As is shown in Table 7.1, a solid primitive must satisfy the following set of
conditions,
• A finite number of surfaces defines the boundary of a solid
• A face of a solid is a subset of the solid's boundary
• The union of all faces of an object defines its boundary
Therefore, a solid primitive can be defined inHOL as follows,
... 'lip. PRIMITIVE p = OBJECT p"
(3 s, SURFACE /J " (CLOSURE s C bp) " -,(i p = EMPTY))
It can be shown that three basic properties of geometric solids [20], ie. bounded-
ness, connectedness and point inclusion can be derived as shown below.
A primitive comprises of a bounded subset of the Cartesian space if it is
bounded, i.e. it has a finite CLOSU RE subset. Fonnally, it can be proved that,
I- 'lip. PRIMITIVE p ::> FINITE (CLOSURE p)
and a solid primitive is connected if any two points inside its interior can be joined
by a line without exiting the interior.
I- 'lip. PRIMITIVE p ::>
(VXI X2. (Xl e p " X2 e p» ::>
(3c.(CURVE c " c C p " Xl e c " X2 E e»
7.6. Closed Point-Set Topology 147
:::> ('tIx' . x' E C :::> x' E p)
The theorem asserts that if p is a PRIMITIVE then for all points Xl and X2 inside
p, there is always a CURVE c, which is a subset of p, that joins these two points
without leaving the INTERIOR of p.
It follows immediately that, given a primitive solid p, the position of all points
in the Cartesian space can be defined relative to p, that is
r'tlp x. X E (i p) V -.(x E CLOSURE p) V X E (b p)
Up to this point, we have formally defined and consequently verified basic prop-
erties of a rigid solid model, that is of an object which satisfies the relation
PRIMITIVE. The question now is how to define quantitatively how such an
object can be constructed in the real world. There are a number of modelling sys-
tems which use different methods of modelling solid objects. Three basic types
of modelling systems are the wire-frame model, surface model and solid model
[19,78,20,94].
In a wire-frame model, objects are represented by a table defining edges and
points [78]. The start point and the end point of each edge are stored in the
edge table. An edge may be a line or a curve. The coordinates (x,y,z) of each
point are stored in the point table. This representation is simple and natural
for designers who is familiar with mechanical drawings, since it is the lines and
curves in a drawing that define a 3-D shape. However, a wire-frame model is
ambiguous when determining the surface area and volume of an object since
different interpretations can be derived from a particular wire-frame drawing
[99].
A surface model is represented by a set of edges and points, as is a wire-frame
model, plus a set of faces. The surface-model is unambiguous when determining
the volume and other spa tial properties of single object which is defined by unique
surfaces. However, it is more difficult to represent a combination of a number of
objects of different shapes and sizes [28].
1.6. Closed Point-Set Topology 148
A solid model defines an object as a spatial point set which serves conse-
quently as an abstract definition of solids [20,94J. The object's representation is
unambiguous and subsequently, the model can be used to reason about many
basic properties of physical objects such as interference and membership classi-
fication. However, the main problem with solid model representation is that it
lacks quantitative measures for physical characteristics such as the representation
of volume and surface areas, and therefore, the solid model is often referred to as
an unevaluated model [87].
Our approach in this modelling theory is a combination of solid representation
and surface model. That is, a solid primitive is defined as an object which sa tisfies
the PRIMITIVE predicate and its boundary is defined by boolean combinations of
directed hall-surfaces.
Informally, a directed surface is a surface whose normal at any point deter-
mines the inside and outside of the primitive solid. Since an unbounded surface
divides the Cartesian space into two regions, each region is called a half-space,
and the surface is therefore referred to as a half-surface. The region which is near-
est to the origin of the coordinate is called a NEAR.5PACE and the other further
away from the origin is a FAR_SPACE. The boolean intersection of an appropriate
set of half-spaces can form a closed 3-D solid. An object, or primitive, can thus be
defined by the union of the intersection of all its directed surfaces [80], as follows,
where fij are directed surfaces or half-spaces, and the directed surfaces can be
fonnally defined in HOL as follows,
~ "If. FAR_SPACE f(k,l,m,n) = SURFACE f 1\
("Ix. (x e CLOSURE f) :J (k * X(x) + 1* Y(x) + m * Z(x» ~ n)
~ "If. NEAR_SPACE f(k,l, m, n) = SURFACE f 1\
("Ix. (x e CLOSURE f) :J (k * X(x) + 1* Y(x) + m * Z(x)) ~ n)
7.6. Closed Point-Set Topology 149
L7
Figure 7.7: Scaling transformation
It should be noted that points in the boundary subset belong to both the NEA R_5PAC E
and FAR_SPACE surfaces, that is
I-'v'px.x E (bp) ::)
(x E NEAR.5PACE f(k,l,m,n) /\ x E FAR_SPACE f(k,l,m,n))
7.6.3 Generic and parameterised primitives
The approach taken in this modelling system is to generate a finite set of basic
primitives whose size, shape and orientation are determined by a set of user-
defined parameters. The primitives themselves are represented by the intersec-
tion of a set of curved or planar half-spaces. For example, the primitive block is
represented by the intersection of six planar half-spaces and the cylinder by the
intersection of a cylindrical half-space and two planar half-spaces.
A direct way of defining a new solid is to apply a sequence of simple linear
transformations to an existing one. Consider a unit cube. There are several ways
of transforming it into a new shape by using scaling operators. Fig.7.7 is an
example of how an unlimited variety of specific instances of an original solid
is created by simple scaling transformations. Notice that such transformations
T.6. Closed Point-Set Topology 150
affect the geometry but not the topology of a shape, that is, the transformation
preserves the shape of the modified objects [2].
To adequately define the shape of a rela ~ively simple class of objects such as
blocks, and cylinders, a small set of key dimensions is sufficient. Ifeach dimension
is an independent variable, then we can produce a particular solid within a class by
specifying a few key dimensions or parameters. In this modelling theory, many
manufactured parts can be grouped into a class of families of similar shapes,
where individual members of a family are distinguished by a few parameters.
A single family of shapes is a generic primitive, and individual members are
called instances or parameterised primitives. Formal definitions of some basic
parameterised primitives are shown below,
I- BLOCK (dx,dy,dz)(l,w,h)=
{p 13e. PRIMITIVE e ApE eA
(FAR.5PACE (b e)(l,O,O,dx» A (NEAR.SPACE (b e)(l,O,O,1 + dx» 1\
(FAR.5PACE (b e)(O, 1,O,dy» A (NEAR_SPACE (b e)(O, 1,0, w + dy» 1\
(FAR.5PACE (b e)(O,O, l,dz» A (NEAR.5PACE (b e)(O,O, l,h+ dz»}
I- CYLINOER_Z (dx,dy,dz)(r,h) =
{p 13c. PRIMITIVE cAp E cA
(NEAR_SPACE (b c)(O,O, 1,dz» 1\ (FAR..5PACE (b c)(O,O, 1,h + dz» A
(SQR(X(p) + dx) + SQR(Y(p) + dy) ~ SQR r)}
Translational movements of pritimive solids are modelled by the increments dz,
dy, dz to represent displacements along the x, y, and z axis respectively. The
CYU N0 ER_Zdefines a cylindrical object placed along the z-axis, Primitives along
other axes are similarly specified by its diameter, height and appropriate trans-
lational movements. Definitions of other solid primitives are given in Annex
D.
7.7. Combinations of Solid Primitives 151
7.7 Combinations of Solid Primitives
It was noted in section 7.1 that we wish to model interfaces and volumetric
operations on solids, as well as the results of such operations on solids. It is
obvious that if we model solids by closed regular sets 13 then we must model
operations on solids by means of mathematical operations which take regular
sets into closed regular sets. In other words, all set operations have to preserve
the dimensionality of the solids which undergo these operations. This implies
that the usual set operators may not be used because they destroy regularity. A
set s is REGULAR iff it is equal to the CLOSURE of its interior subset, that is
I- Vs. REGULAR s = CLOSURE (INTERIOR s)
where the CLOSURE and INTERIOR functions are defined in section 7.5.4 and
7.5.5 respectively. We can consider intuitively that a closed regular set is an open
set (its interior) covered with a tight skin, each point in the interior is therefore
completely surrounded by other points in the set.
In other words, all geometric objects under consideration are those being
defined as closed sets of points having a boundary subset and a finite interior
subset. Boolean operations, such as set intersection, union and difference, are
used to combine simple objects to form more complex ones. The algorithms that
perform these operations must produce objects that are also closed sets of points
and preserve the dimensionality of the initial objects. The latter requirement
means that in any Boolean operation, such as a INTER b = c, all the objects must
be of the same spatial dimension.
Infact, it is possible that the set operations on well-defined objects can produce
a degenerate result which is not a solid object. The following section illustrates
one such example.
13Regularity means three-dimensionally homogenous [97].
7.7. Combinations of Solid Primitives 152
A INfER B = C where bC is finite and iC = ()
dangling faces C
Figure 7.8: Dangling faces
7.1.1 Modified boolean operations
Let us consider the set operations on well-defined objects shown in Fig.7.8. A
and B are well-defined because each possesses a boundary set b A and b Band
an interior i A and i B. The resulting intersection is mathematically correct but
geometrically improper, because C has no interior. Thus C is not like A and B, it is
not a solid object, and the intersection operation does not preserve dimensionality.
It follows that the concept of modified boolean operators are required to recognise
this condition and produce an EMPTY set.
Let us consider the example shown in Fig.7.8 in more detail. Suppose that A.
and B are both well-defined objects, that is closed and dimensionally homoge-
nous. Thus, A and B can be expressed as
f- A = b A UNION i A
f- B = b BUNION i B
Next, translate A and B into position prior to combining them by Boolean op-
eration to form object C. First, perform the set-theoretic intersection, with the
result shown in Fig.7.S. It should be noted that the dangling edge is obviously
not dimensionally homogenous, yet it is a correct set intersection. To produce
the expected result, which is obviously an EMPTY set in this case, the set inter-
7.7. Combinations of Solid Primitives 153
section operation is modified such that it always gives a resultant set which is
regular. The modified set intersection denoted by REG_lNTER is defined in HOL
as follows,
I- 'Vs t. s REGJNTER t = REGULAR (s INTER t)
To illustrate how the modified operation can achieve regularity, let us consider
another example which is shown in Fig.7.9. From set intersection we have,
C = A INTER B
Rewriting this with the closed-set definitions, we have
C = (b A UNION iA) INTER (b BUNION iB)
which can be expanded to,
C = (b A INTER b B) UNION (i A INTER b B) UNION
(b A INTER i B) UNION (iA INTER i B)
The geometric interpretation of each of the above four terms is illustrated in
Fig.7.9. Since C = b C UNION iC we have to find the subsets of b C and iC that
form a closed, dimensionally homogenous object C. We can easily recognise the
dimensional interior of C from Fig.7.9d that is,
I- iC = iA INTER iB
The problem now is that we have to detennine bC, where be is a valid combi-
nation of b A and b B. Notice that the boundaries of any new object will always
consist of boundary segments of the combining elements. We can generalise this
observation as follows: boundary points can become interior points, whereas
interior points cannot become boundary points. Further more, for regularised
7.7. Combinations of Solid Primitives 154
bAINTER bB
A Section (1)-----j(1,
tit
I I I
I I I
I t I
iA INTER bB
A----I
1__ It__
I
I
I
I
-_-_-_-rJ
(a) "'"
Section (2)
(b)
bAINTER iB iA INTER iB
A----I
~-1
____llfJ
A----ILL
I I I
I I I
t I I
I I I I
__________ L__
(c) (d)
Figure 7.9: Geometric components of A REG_lNTER B
intersections, we have proved that 14,
f- (i A INTER b B) c b C
I- (b A INTER i B) Cbe
So far, we have accounted for Fig.7.9b-Fig.7.9d of the set combination for the
regularised intersection. The problem now is to analyse (b A INTER b B) shown
in Fig.7.9a to determine which of its subsets are a valid set of the boundary of C.
Consider two identical overlapping intersections of A and B. These two sections
both belong to (b A INTER b B), however it can be shown that, section (2) only
includes points that belong to both the INTERIOR of A and the CLOSURE of B,
and it therefore can be identified by the relation,
(b A INTER b B) INTER CLOSURE (i A INTER CLOSURE B)
ItProofs are shown in Annex D
7.7. Combinations of Solid Primitives 155
In fact, the following theorem defining the boundary subset of regularised inter-
section has been proved in Annex D,
r- Vs t.BOUNDARY (s REG_lNTER t) =
(BOUNDARY s INTER INTERIOR t) UNION
(BOUNDARY t INTER INTERIOR s) UNION
(BOUNDARY s INTER BOUNDARY tiNTER
CLOSURE (INTERIOR s INTER CLOSURE t»
By following the same arguments and proof procedures as shown above, defi-
nitions for regularised union, difference and complement of regular sets can be
shown as follows,
r- Vs t.8 REG_UNION t = REGULAR (s UNION t)
r- Vs t. s REG_DIFF t = REGULAR (8 DIFF t)
r- Vs. REG_COMP s = REGULAR (COMP 8)
and consequently, theorems to evaluate their resultant BOUNDARY have been
proved as follows 15,
r- Vs t. BOUNDARY (8 REG_UNION t) =
(BOUNDARY siNTER COMP t) UNION
(COMP t INTER BOUNDARY t) UNION
(BOUNDARY s INTER BOUNDARY tiNTER
CLOSURE (COMP siNTER COMP t»
r- Vs t. BOUNDARY (s REG_DIFF t) =
(CLOSURE siNTER BOUNDARY (COMP t» UNION
(INTERIOR s INTER BOUNDARY t) UNION
UThese theorems are produced by geometrical considerations and then formally verified in
HOL as shown in Annex D.
7.7. Combinations of Solid Primitives 156
(BOUNDARY s INTER BOUNDARY tiNTER
CL05URE(INTERIOR siNTER COMP t))
I- 'Vs t. BOUNDARY (f,.EG_COMP s] = BOUNDARY s
So far, it has been formally shown that by representing physical objects in a closed
point-set topology and applying modified boolean operations to these subsets,
we can ensure that the homogenous dimensionality of the combined object is
preserved. Let us now turn our attention to the problem of specifying complex
solid objects using these boolean operations. The following section discusses a
formal scheme for combining solid primitives based on a representation called a
Boolean model.
1.1.2 Boolean model
A representation is a Boolean model when a solid object is represented by the
modified boolean combination of two or more Simpler objects. U A, Band C
denote solids and ifC = A (OP) B, where (OP) is any modified boolean operator,
then A (OP) B is called a boolean model of C. It is clear from section 7.7 that as
a result of the modified boolean operations, A, Band C are of the same spatial
dimension.
Boolean models are, in fact, a generalisation of cell decomposition [18]. In cell
decomposition models, individual cells are combined using a gluing operation,
which is a limited form of the union operator where components are joined at
only perfectly matched faces. Modified boolean operators are more versatile,
since boundaries of joined components need not match and interiors need not be
disjoint. Furthermore, in this model, all the modified boolean operators union,
difference, and intersection are used, so that material can be added as well as
removed.
Boolean models of objects are represented as ordered binary trees btree whose
leaves or terminal nodes are either primitives or transformational motions. Each
7.8. Solid Modelling in Transformer Designs 157
subtree of a node 16 represent a solid resulting from the combination and trans-
formation operations indicated below it. The root represents the final object.
Boolean trees may be defined by the following recursive definition,
(btree) := (primitive leaf) I
(btree) (set operator node) (btree)
(btree) (motion node)
The semantic of btree representation is clear; each subtree that is not a trans-
formation leaf represents a set resulting from the application of the indicated
motional/ combinational operators to the sets represented by the primitive leaves.
When the primitive solids of a boolean model are bounded, and hence are
closed-sets, the algebraic properties of closed-sets guarantee that any btree is
a valid representation of closed-sets if the primitive leaves are valid. Because
primitive leaf validity may be easily assessed, the validity of a btree based on
bounded primitives may be ensured essentially at the syntactical level.
It should be noted that the basic idea behind the boolean model of btree is not
new. Boolean representations are natural and most suitable for representing and
manipulating binary relations. In fact, a similar definition of btree has been used
to define data type abstraction, for example, by Melham [79].
7.8 Solid Modelling in Transformer Designs
Since there is no ambiguity in using a Boolean model to represent a 3-D shape,
the importance of using solid modelling in mechanical designs is well recognised.
This section discusses the use of such formal models in the design of mechanical
parts of transformers. Itshould be noted that in designing mechanical parts using
the formal model of btree as described in section 7.7.2 the design verification is
implicit. This means that successive operations on solids will result in a valid
object by using correctness-preserving transformations of the regularised boolean
llWhich is not a. transformation leaf
7.8. Solid Modelling in Transformer Designs 158
Figure 7.10: A geometric model of a power transformer
7.8. Solid Modelling in Transformer Designs 159
operations. In other words, by starting with valid objects such as pre-defined
primitives and applying operations such as REG_lNTER, REG_UNION, REG_DIFF
and REG_CO MP successively, it will always ensure a valid resultant object without
the need to verify the rigidity of the final model. Let us consider the schema of the
Simplified transformer shown earlier in Fig.7.2. Its description can be formally
specified inHOL as follows,
I- transformer.Imp =
let core = BLOCK (1375, 1000,750)(1757,750,2000) REG_UNION
BLOCK (1500, 1250,500)(250,250,500) REG_UNION
BLOCK (2750, 1250,500)(250,250,500» REG_DIFF
BLOCK (1625,500,1000)(500,2000,1500» REG_DIFF
BLOCK (2375,500, 1000), (500, 2000, 1500)) in
let coil = (CYLINDER_l (1500, 1375,900)(1500,300) REG_DIFF
CYLlNDER_l (1500, 1375,900)(1400,400» REG_UNION
(CYLINDER_l (2250, 1375,900)(1500,300) REG_DIFF
CYLINDER..l (2250, 1375,900)(1400,400» REG_UNION
(CYLINDER-Z (3000, 1375,900)(1500.300) REG_DIFF
CYLINDER..l (3000, 1375,900)( 1400,400» in
let lugs = (BLOCK (750, 1500,3600)(250,100,400) REG_DIFF
CYLINDER_Y (875,1400,3800)(600,75» REG_UNION
(BLOCK (3500,1500,3600)(250. 100,400) REG_DIFF
CYLINDER_Y (3625, 1400,3800)(600,75» in
let tank = BLOCK (1000,500,500)(2500,2000,3500) in
let cooling = CYLINDER..x (0, 1400,4250)(1500,400) REG_UNION
CYLINDER_l (1250, 1700,3900)(300, 100) in
let cable = BLOCK (1875,2500,2750)(750,500,750) REG_UNION
BLOCK (2000,2625,2500)(500,250,500) REG_UNION
CYLINDER_Y (2000,2750,3000)(350,50) REG_UNION
CYLINDER_Y (2250,2750,3000)(350,50) REG_UNION
7.S. Solid Modelling in Transformer Designs 160
CYLINDER_Y (2500,2750,3000)(350,50) in
let bushing = CYLINDER..1 (3250,1500,4100)(50,150) REG_UNION
CYLINDER.1 (3250,1500,4250)(50,150) REG_UNION
CYLINDER2 (3250,1500,4400)(50,150) REG_UNION
CYLINDER2 (3250,1500,4000)(650,50) REG_UNION
CYLINDER..1 (2850,1500,4100)(50,150) REG_UNION
CYLINDER2 (2850, 1500,4250)(50,150) REG_UNION
CYLINDER2 (2850,1500,4400)(50,150) REG_UNION
CYLINDER2 (2850,1500,4000)(650,50) REG_UNION
CYlINDER2 (2450, 1500,4100)(50,150) REG_UNION
CYLINDER..1 (2450,1500,4250)(50,150) REG_UNION
CYLINDER2 (2450,1500,4400)(50,150) REG_UNION
CYLINDER2 (2450, 1500,4000)(650,50) REG_UNION in
let radiator = BLOCK (850,750,750)(50,1500,2500) REG_UNION
BLOCK (700, 750, 750)(50,1500.2500) REG_UNION
BLOCK (550,750,750)(50,1500,2500) REG_UNION
BLOCK (400,750,750)(50,1500,2500) REG_UNION
BLOCK (250,750,750)(50,1500,2500) REG_UNION
BLOCK (100,750,750)(50,1500,2500) REG_UNION
BLOCK (3650,750,750)(50,1500,2500) REG_UNION
BLOCK (3800,750,750)(50,1500,2500) REG_UNION
BLOCK (3950,750,750)(50,1500,2500) REG_UNION
BLOCK (4100,750,750)(50,1500.2500) REG_UNION
BLOCK (4250,750,750)(50,1500,2500) REG_UNION
BLOCK (4400,750,750)(50,1500,2500) REG_UNION in
let base = (BLOCK (500,500,0),3500,2000,500) REG_DIFF
CYLINDER_Y (750,0,250)(4000,50» REG_DIFF
CYLINDER_Y (3750,0,250)(4000,50) in
BUILD [core, coil, lugs, tank, cooling,
7.8. Solid l\IIodelling in Transformer Designs 161
cable, bushing, radiator, base] REG_UNION
where BUILDis a higher-order recursive function of the form,
I- BUILD[]= st. {} A
BUILD (CONS hd tl) = >tl. hd I BUILD [tI]
The function BUILDtakes a list of closed point-sets as its argument and applies
the infix function I recursively to its components. In this case, I represents the
regularised operators. If the argument list of BUILDis an empty list, it is obvious
that the function will return a null set { }.
The diagram shown in Fig.7.10 is a bit-map image of a power transformer
specified by the above formal specification. The solid modeller is implemented
in Pascal and it operates in batch processing mode. A detailed description of the
system and the actual inputs for the transformer model in Fig.7.10 is induded
in the Annex A. The size of the specification in this example has shown that,
to achieve the desired integrity and validity of the intended model, the formal
descriptions of mechanical components can become very complex, even for a
simplified description of devices. The verification therefore becomes complica ted,
and the solid modeller is built in this case to automatically keep track and verify
the design steps.
However, the above specification is in fact incomplete, since in the design of
transformers, as well as in other solid modelling applications, there is a generic
problem which requires further considerations, namely null object detection.
7.S.1 Null-object detection
The null-object detection problem can be stated as follows: given a representation
R of an object s determine from computations on R whether or not s = { }. As a
matter of fact, null-object detection is important mainly for interference detection,
which can be stated as follows: given two solids A and B, is their common volume
7.8. Solid IvIodelling in Transformer Designs 162
BI
C6r-
V
C4.C5
C2
I-
Cl CS
C7r-
C9.ClO ==::t=t
C3 Cll '-
Cross section of object A Cross section of object B
( }
.......
.
... Cl C2 C3 C4 CS
" ........
Solid B
, \
\\
.
CS C9 CIO Cll
\. ..
......................................
A complex representation of a null set
Figure 7.11: An example of a null object
7.8. Solid Modelling in Transformer Designs 163
empty? 11. The detection of null-objects can be specified using the function BUILD
as follows,
I- 'Tt s. NULLDETECT s = BUILD s REG_lNTER = { }
where s represents a list of valid primitives. In the above example, we have
described the mechanical components of the transformer without making any
assertions about its relative spatial properties, for instance, we need to ensure
that the components of the device should not geometrically interfere with each
other, i.e. they do not have a common volume, that is
I- BUILD [core, coil, lugs, tank, cooling,
cable, bushing, radiator, base] REG_lNTER = {}
The set operators provide a powerful means of defining objects and also for
modelling some important phenomena - intersection for spatial collision or com-
mon volume, as noted earlier, and set difference for material removal, as in
machining. Unfortunately, representation of btree does not always give trivial
null-object detection algorithms because the null set can have arbitrarily complex
btree representations as shown inFig.7.1118• The tree inFig.7.11b isa typical btree
representation of the null set. It corresponds to the volume cornmon to a pair of
solids that fit together as shown in Fig.7.11a.
Null-object detection is therefore a non-trivial problem because the null set
(which is geometrically very simple) can have arbitrarily complex btree structures.
The approach presented here seeks to reduce (or simplify) the btree of the null
set by removing redundant primitives. The following section describes a formal
mechanism from which manufacturing process can be manipulated without loss
of the integrity of the solid objects.
17The common volume is in fact another solid in mathematical terms
18To avoid cluttering the diagram, the symbol +. -, and x are used to denote REG_UNION.
REG_DIFF and REGJNTER respectively.
1.S. Solid Modelling in Transformer Designs 164
7.8.2 Specifying the manufacturing process
One of the most important applications of solid modelling theory, is the simplifi-
cation of manufacturing processes. Solid modelling, as has been shown in earlier
sections, is suitable as a mechanism for describing manufacturing procedures,
since Boolean operations such as intersection, union and difference between solid
primitives are analogous to industrial processes of welding, cutting and drilling
operations. Therefore, most of manufactured assemblies can be easily described
using the boolean model semantic, as described in section 7.7.2, however, the
modelling theory can be used to optimise the manufacturing process. For in-
stance, consider the procedure of manufacturing the object shown in Fig;7.12a, in
which the object is represented by the corresponding btree. The modelling theory
can improve the manufacturing process by rearranging the structure of btree and
grouping together those operations of the same type or of practical preference.
Such rearrangement or Simplification can be formulated in the following two
steps,
1. Tree reconstruction in which all partidpating nodes of the feature are located
and grouped together to form a subtree.
2. Tree transformation in which the subtree resulting from step 1 is replaced
by an equivalent subtree.
Both steps are subject to the condition that the object must remain the same. Their
difference is that each node is relocated in step 1 but is replaced by a different
new node in step 2. To implement the node relocation algorithm, we replace
each algebraic representation of the boolean function associated with btree by its
positive form 19, which uses only regularised intersection and union operators
but represents rigorously the same boolean function and thus the same solid as
the original tree. The regularised operators, union, intersection and complement,
form a boolean algebra over regular sets. Therefore, De Morgan's law can be
invoked to manipulate btree expressions.
111A positive form of a btree is one which does not include REG_DIFF operations.
7.8. Solid Modelling in Transformer Designs 165
C 0 E F
Negative fonn
(a)
-
C
- - -o E F
Positive form
(b)
Figure 7.12: An example of process simplification
A btree can be converted into its positive form by a preorder traversal of the
tree applying, where appropriate, the following transformations to each node 20,
I- 'Ixy. x REG_DIFF y = x REG_lNTER (REG_COMP y)
I- Vxy. REG_CaMP (x REG_UNION y) =
(REG_COMP x) REG_lNTER (REG_COMP y)
I- 'Ixy. REG_CaMP (x REG_lNTER y) =
(REG_COMP x) REG_UNION (REG_CaMP y)
I- V. REG_COMP (REG_CaMP x) = x
This reformulation, which is illustrated in Fig.7.12, exchanges the REG_!NTER and
REG_UNION operators at negative internal nodes, replaces REG_OIFF operator by
REG_!NTER if the corresponding node is positive and by REG_UNION otherwise,
and replaces negative primitives by their regularised components. The resulting
positive form contains only REG_lNTER and REG_UNION operators. In a positive
form, all nodes are positive, but may represent unbounded regular sets. However,
the set represented by the entire positive form is equal to the solid represented by
the original btree, and is hence bounded. The btree in Fig.7.12 is verified by the
20 The proof of these theorems are shown in Annex D
7.S. Solid Modelling in Transformer Designs 166
following theorem, its proof is shown inAnnex 0,
r (a REG_UNION b) REG_DIFF
«c REG_DIFF d) REGJNTER (e REG_UNION f) =
(a REG_UNION b) REGJNTER
«(REG_COMP c) REG_UNION d) REG_UNION
«REG_COMP e) REGJNTER (REG_COMP /»
1.8.3 Computation of overall volume
The volume of a designed solid is conventionally calculated using a mechanical
drawing and 3-D models. Using information derived from solid models, the
overall volume of the resulting transformer can be verified against its original
specification. The overall dimensions of the compound object can be inferred
from the overall dimensions of its components as specified below,
r OVERALLB (dx, dy, dz)(l, w, h» =
{p IX(p) within (dx,l + dx) A
yep) within (dy, w + dy) A
Z(p) within (dz,h + dz)} (7.17)
where within is an infix function which asserts whether the corresponding coor-
dinate is included in the specified interval,
r'v'n.nwithin(k,p)=k<p A k$n" n$p
Overall dimensions of cylindrical parts can be also be deduced from their rectan-
gular bounding box as follows,
I- OVERALLCX (dz, dy, dz)(r, h) =
OVERALLS (dz,dy,dz)(h,2. r,2 * r)
r OVERALLCY (dx,dy,dz)(r,h) =
(7.18)
7.S. Solid Modelling in Transformer Designs 167
OVERALLS (dx,dy,dz)(2. r,h,2. r)
I- OVERAlLCZ (dx,dy,dz)(r,h) =
OVERALLS (dx, dy, dz)(2. r,2. r, h»
(7.19)
(7.20)
The overall volume of the resulting object is derived by replacing the solid prim-
itives by their overall counterparts. Inference rules for manipulating the ranges
of coordinates can easily be derived in HOL using the well-order properties of
integers as follows 21,
I- V nab c d. (n within (a, b) A n within (c, d» :J
(a ~ cAd ~ b) => n within (a,b) I n within (a, d)
I-V nab c d. (n within (a,6) V n within (c,d» :::>
(a ~ cAd ~ 6) => n within (a, b) I n within (a, d)
I-Vna6cd.(nwithin(a,6) A -'(nwithin(c,d»):::>
(e ~ 6 A d < 6) => (n within (a, c) A n within (d, b) I
(c ~ 6 A b ~ d) => (n within (a, c) I n within (a, b»
(7.21)
(7.22)
(7.23)
It should be noted that theorems (7.21-7.23) are used to derive the overall dimen-
sions of objects combined by regularised operators REG_UNION, REG_lNTER and
REG_DIFF respectively.
Fig.7.13 illustrates the overall volume of a simple compound object. Formally,
the volume is specified by the relation,
I- volume = OVERALLS (SLOCK (1,0,1)(4,4,4» REG_UNION
OVERAlLCY (CYlINDER_Y (4,0,4)(2,3» (7.24)
By rewriting (7.24) with (7.17-7.23) consecutively, we have,
21 Proofs of these theorems are included in Annex D
7.9. Discussion 168
y
x
overall volume
Figure 7.13: An example of volume verification
f- volume = {p"ll::; X(p) 1\ X(p) ::; 6 1\
o ::; yep) 1\ Y(p)::; 4 1\
1 ::;Z(p) 1\ Z(p)::; 6}
This means that the space occupied by the resulting object is defined by a closed
point-set which satisfies the volume relation. In fact, the algorithm does not
give an explicit numerical volumetric result for the occupied space, however the
dimensions indicated by the relation volume can be used for verification against
the original specification. In practice, the derivation of the overall volume can
be automated using an ML function which maps the solid components to their
corresponding bounding boxes and subsequently rewrites the resultant set with
theorems (7.17-7.23),
7.9 Discussion
In this chapter, a mechanisation of a solid modelling theory in higher-order logic
was undertaken with the aim of facilitating reasoning about solid properties. The
mechanisation was entirely carried out using the HaL theorem prover so all the
theorems shown in this work were proved mechanically from their definitions
using the HaL system.
This work focuses on the representational issues that arise in the design and
7.9. Discussion 169
analysis of solid models. The distinguishing feature of the present treatment is the
clear distinction between a physical solid and its abstract mathematical model.
The distinction has several advantages. Specifically;
• Mathematical models can be studied and reasoned rigorously and indepen-
dently of computational considerations, and
• Important concepts such as model validity and ambiguity can be defined
mathematically with the assistance of a mechanical theorem prover.
A fundamental requirement for the effective use of model abstraction in reasoning
about its behaviour is, of course, a formal representation of the model itself. This
chapter has shown how solid objects can be characterised formally in higher-
order logic, and has given examples to illustrate how this model can be used to
support reasoning about physical properties.
A common theme of these examples is the importance of an appropriate
choice of abstraction for the polymorphic type of sets. For instance, in section
7.6, a simple tuple of the type point was used to formulate a boolean model for
combining objects.
The formal specification of the solid model addresses several aspects which
hitherto were only informally stated in user manuals for graphic systems. The
model for specifying the object is novel. The construction of the invariant btree
schema brings out the fact that even at an abstract level, solid modelling systems
are inherently complex to specify.
There are a number of related work on formal specification of graphics sys-
tems. The work reported by Mallgren [76] ismost closely related to the particular
formulation of BUILDtransformation described insection 7.B.1. Mallgren defines
four general concepts which he uses as the basis for the specification of graphics
data types, region, picture, graphic transformation and hierarchical picture structure.
Each concept is treated as a collection of objects operated upon by well-defined
operations. For example, the key operation on a hierarchical picture structure is
display, which converts it into the resulting picture.
7.9. Discussion 170
The main difference between these two approaches is the fact that all the geo-
metric abstractions defined in this chapter are concerned with 3-D representations
of solids while the basis of Mallgren's work is specialised for concepts to incor-
porate into 2-D graphical display of objects. The argument against his approach
is that the modeller has to work with abstractions that do not correspond to those
normally used in drawing and in consequence they have to be aware of repre-
sentations at an inappropriate level of detail. Also responsibility for the integrity
of the structures constructed rests with the modeller. The approach used in this
work however, relies on the sequence of correctness-preserving transformations
to maintain the integrity and validity of the resulting solids, and consequently
the verification of the model is implidt.
Finally, we have shown that formal specification help us to reason about the
modelling of rigid solid objects, both formally and informally, but the work is
incomplete. For example, we have dealt with only partial correctness.
An area we have not touched upon is the specification of the modelling sys-
tem at the user dialogue level. Such a specification represents the highest level
abstraction, in that only the behaviour of the interface as it is seen by the user is
determined.
,
Chapter 8
Concluding Remarks
In this chapter we evaluate the research described in this thesis. We present a
summary of the results achieved, discuss the problems arising from the research
and suggest solutions to these problems as well as ideas for future research.
8.1 Summary of Thesis
The goal of the research described in this thesis was to investigate the extent to
which a subset of formal methods, namely Higher Order Logic could be used
to specify safety-related systems. It enables engineers to design systems within
a formal verification environment, with the aim of obtaining correct specifica-
tions earlier in the design process. The research was undertaken using the HOL
theorem proving system and can be summarised as follows.
8.1.1 Methodology
A methodology for using formal techniques of specification and verification in
the design process has been presented. A crucial concern is how the target system
acts on the plant and, in particular, how a failure of the system can bring the plant
into a state where an accident is likely to occur. Not all system failures lead
to accidents. The progression from a system failure to destruction goes via an
intermediate, dangerous state of the plant. This state may lead to an accident, but
in principle, the plant may be returned to a safe state. Indeed, this restoration is
171
8.1. Summary of Thesis 172
the goal of the safety system.
It is important to realise that hazards may continue to exist despite the safety
system. Each hazard has a certain risk associated with it. The purpose of a
safety system is to reduce the risk associated with the hazards to a value below an
acceptable level, according to some appropriate criteria. By definition, a system
will be safe if the level of risk is less than the agreed acceptable value. In fact,
there are five main principles in the design methodology described in this thesis.
They can be summarised as follows,
• Independent analysis of system sarety: In order to establish safety
requirements, one has to identify the possible impact the plant has on its en-
vironment. This hazard analysis step aims to identify and evaluate hazards
and also to identify the general safety criteria to be used in the design.
• Structuring according to criticality: The separation of the system
functions into safety classes is used to guide the design which should aim
to preserve this separation at the modular level. Having preserved this
separation, extra eff~rt can be devoted to increase the quality of the safety-
critical modules without the risks of incurring excessive development costs.
• Achieving high reliability of the safety-critical modules: The pre-
vious principle states that the system structure should support the division
between safety-critical and non safety-critical functions. If such a separa tion
is guaranteed then the primary concern is the correctness and reliability of
the safety critical parts. This concentration on the safety-critical parts of the
target system offers two benefits. The first is that the scale of the problem is
reduced, since the safety critical part is usually only a small proportion of
the complete system. The second is that since timescales and budgets are
usually limited, it delineates those parts of the system which need special
attention from the rest. However, this is not to say that the quality of the
rest of the system is of no importance, but it has to be recognised that it
is neither possible nor cost effective to build the whole system to the same
8.1. Summary of Thesis 173
quality level.
• Design for safe states: To achieve system safety, the possibility of
bringing the system into a safe state, or into a state of reduced risk, should
be investigated. Such safe states are states where other quality factors (eg.
reliability, risk, ...) are considerably reduced.
• Continuous monitoring of safety: Despite the effort to increase reliabil-
ity of the safety critical components, the system itself and the environment
should be continuously monitored to intercept failures before they evolve
into accidents. This principle is based on the recognition of the fact that no
presently available means can guarantee absolute safety.
8.1.2 Specification techniques
A formal specification technique has been presented to show that the formal
design rules, in the form of heuristics, can be efficiently formalised in Higher
Order Logic.
First, an informal description of this design style was given to highlight vari-
ousaspects which need to be formalised. Then a complete list of heuristic rules for
designing practical systems was compiled. Engineering systems are intrinsically
classified into two subsets, namely memory bearing systems and memoryless
systems. Based on this classification, a method was presented to derive the cor-
rectness statements for classes in the system. This method relies on the fact that
the form of the correctness statement developed is uniform across the whole range
of engineering problems.
The use of these formal techniques were then demonstrated through a number
of worked examples, ranging from a simple model of a timing marker to the
complete specification of a CAD package. In each case the form of the derived
correctness statement was identical. This is an important factor in using such
formal design techniques. U the statement of correctness has the same general
form at each level, then the arbitrary mixing of complex and trivial problems can
8.1. Summary of Thesis 174
be done with confidence.
8.1.3 Timing analysis
The process of generating and verifying the timing conditions of a system is
called. timing analysis. Tuning analysis is important at all levels of description.
In performing temporal abstraction we generate a number of timing conditions
which must hold if the system is to achieve the intended performance criteria.
Having formally defined. temporal functions, and shown that they construct a
well defined time mapping for any predicate that is true at an infinite number of
points of concrete time, it is possible to formulate a correctness theorem based on
temporal abstraction by time mapping. For instance, if p is an appropriate predi-
cate that indicates which points of concrete time correspond to points of abstract
time, then a correctness theorem that re1ates a design model M[sigh ..., sign1 to
an abstract specification S[SI' ••., sn] can be formulated as follows,
I- M[sig1, ... , sig,,1 ::> S[8ig1 When p, ... , 8ign When p]
This correctness theorem states that whenever the signals 8ig1, ... , sig" satisfy
the model, the abstract states SI, ... , s" constructed by projecting on Sigl, ... , sign
when the predicate p is true will satisfy the temporally abstract specification.
In general, the predicate p can be defined in terms of the variables 8ig1, ... , 8ig"
to make the times at which the values in the model are projected depend on
the behaviour of the device itself. This approach is illustrated in a case study
described in Chapter 6 using a theory of temporal abstraction. The theory of
temporal abstraction is defined in the general purpose typed lambda calculus
used by the HOL theorem prover. The theory is not only applied using HOL, it is
derived in it as well. This ensures the validity of the theory. Polymorphic typing
in the logic allows the theory to be totally independent of the representation of
the actual implementation.
8.1. Summa.ry of Thesis 175
8.1.4 Specifying behaviour
Two case studies were presented to illustrate how formal techniques can help in
the specification and the design of systems. The first of these is an automotive
device, DSW, which is useful in the design of memory bearing systems, and
closed-loop control systems. Based on a simple top level specification of this
device, a formal proof of correctness was carried out illustrating how such formal
techniques can help to improve and sharpen the final Specification in order to
verify that the design meets its intended safety requirements and integrity level.
The last case study shows a new design for a CAD drawing package. This has
been designed down to the primitive level using the design style described earlier
on, and has been simulated using a simple drawing simulator. A fundamental
requirement for the effective use of model abstraction in reasoning about its
behaviour is, of course, a formal representation of the model itself. In this case
study, it has been shown that solid objects can be characterised formally in higher-
order logic, and we have presented examples to illustrate how this model can be
used to support reasoning about physical properties.
The formal specification of the solid model addresses several aspects which
hitherto were only inlormally stated in user manuals for graphic systems. The
model for specifying the object is novel. The construction of the invariant btree
schema brings out the fact that even at an abstract level, solid modelling systems
are inherently complex to specify. Furthermore, in this case study, although we
have shown that formal specifications aid in reasoning about the modelling of
rigid solid objects, both formally and informally, the work is incomplete. For
example, we have dealt with only partial correctness. An area we have not
touched upon is the specification of the modelling system at the user dialogue
level Such a specification represents the highest level abstraction, in that only
the behaviour of the interface as it is seen by the user is determined.
8.2. Discussion 176
8.2 Discussion
In the following sections, some of the points above are discussed further, along
with suggestions on how future research may proceed to develop and improve
the ideas.
8.2.1 Correctness of a real design
In the case studies we have specified and verified a real system design. By real we
mean that the DBW system was designed and fabricated for a practical purpose,
independent of the case study. The DBW system was first manufactured in 1990
by Econocruise Limited. A commercial version of the system is now available
[t11].
Modelling and verifying a real design brings forwards issues not dealt with
in contrived examples. It is dangerous, however, to claim that a design has real-
world correctness. If the mathematical system is sound then a proof of correctness
is valid. However, the mathematical system employs models of real devices and
their interconnections. The user must accept that the proofs are based on these
models and do not verify the behaviour of real devices outside these models. This
is no different from other CAD tools, which are all based on models which the
user can accept or reject as accurate models.
In the real world the DBW system sometimes malfunctions. The malfunctions
are, for example, due to badly behaved signals from its environment. The partial
specification in HOL demands certain behaviour from the environment to ensure
the desired output behaviour, the behaviour in the presence of badly behaved
environment signals is not described. The malfunctions of the DBW do not
reflect on the validity of the formal proofs of correctness. In the presence of well
behaved signals the system functions correctly. It is important however that the
user appreciates the limitations as well as the power of the formal techniques.
8.2. Discussion 177
8.2.2 Relating different levels of abstraction
A methodology for using formal techniques of specification and verification in
the design process has been presented. We have indicated above some of the dif-
ficulties found in these case studies. Although many problems could be avoided
by a restricted design style, we believe that some basic problems endure. It is
difficult to devise an accurate but abstract formal specification of a complex de-
vice. It is necessary to refine the formal specification at the higher levels as the
specifications at lower levels become fixed.
The end product of formal verification is a theorem stating that a behavioural
specification is a logical consequence of a structural specification and assumptions
about the behaviour of a small set of primitive components which can be imple-
mentedas physical devices. While formal verification offers greater certainty than
simulation, the mere generation of such a theorem is not completely satisfactory
evidence that a design is correct. First, validity of the theorem depends on the
behavioural models used for primitive components and external devices. Second,
the behavioural specification may be misread or its full Implications may not be
fully understood. Complete solutions for this second problem are more difficult
to propose. However, the problem is partially solved by relating behaviour to
increasingly abstract levels such as the semantics of a programming language.
8.2.3 Verification process
A sceptical view of the formal design lifecyc1e suggests that the automation
of the verification process is impractical because the process simply cannot be
completely automated. In our view, complete automation would undermine the
real value of formal verification. As part of a system design methodology, the
actual process of verifying a design may be of more value than the end product.
Constructing a formal proof forces a designer to consider exactly why a design is
correct. As suggested in [27], an untidy step in the proof may indicate the need
for a design modification. Furthermore, the designer is more likely to understand
the full implications of a behavioural specification after the effort of producing
8.3. Future Work 178
the proof. Powerful tools such as the HOL system automate most of the tedious
steps in a large proof. This allows a designer to reason efficiently about a system
specification. The underlying formalism ensures that this reasoning process is
absolutely correct.
8.3 Future Work
In this section, some subtle aspects of the work in this thesis are discussed and
further research in the related areas are proposed.
8.3.1 Executable specifications
A major obstacle in the development of these examples was the ina bility to execute
the formal specification. Several errors in the design and specification of the case
studies were discovered in the course of verifying their correctness, many of these
errors would have been revealed earlier if the specifications were executable.
Verification was an efficient way to find some of the more obvious errors in the
initial specification. Camilleri [25] points out the advantage of executing formal
specifications as a means of supporting a verification methodology. In this respect,
the Boyer-Moore theorem prover [17] offers the advantage of directly executable
specifications. The increased expressiveness of higher order logic results in terms
which do not always have an obvious interpretation asan executable specification.
However, the implementation of an executable subset of higher order logic is a
foreseeable addition to the HOL system.
8.3.2 Computer aided design with formal methods
We have described formally how to build solid components and derive their
functional behaviour from top-level descriptions. This only addresses one aspect
of the design cycle. This approach should be incorporated into a computer aided
design system which encourages designers to apply formal methods from design
conception to final implementation. A proposal for such a system is described
8.4. Final Thoughts 179
below. Subrahmanyam [106] describes an expert system for VlSI design which
incorporates formal methods as well as more conventional tools. This is an
evolutionary approach. The system r=lates different levels of description formally,
but the designer has the feeling of using tools he/ she is familiar with. Milne [84]
describes a more revolutionary approach, which does not attempt to incorporate
existing tools, where a system can be described at various different levels from
specification to layout and the different levels can be formally related.
A computer aided design system should consist of an interactive workstation
which includes graphical tools as well as formal methods for reasoning about
drawings. Such a workstation should provide tools for top-down and bottom-up
design. In addition, such a system should keep the various different levels of
representation of a solid model consistent.
Verification will be done at many different levels, This involves using mathe-
matical theorem proving techniques to determine that the design correctly imple-
ments the specification. Tedious aspects of such techniques should be automated.
When a designer completes the design of a component, he/she can verify that
the implementation of that component meets its specification. When a set of
components are interconnected, their specifications are composed and checked
against the specification of the larger model
An advantage of such a workstation is tha t it keeps all the different representa-
tion of a model consistent. This is accompanied by formally abstracting between
different levels of description. When a level of description changes, the system
should alert the user to the changes that are required at other levels to maintain
consistency.
8.4 Final Thoughts
Finally, from a more general perspective, the work presented in this thesis has
concentrated on the design process. If a fully formal integrated design methodol-
ogy is to be developed - progressing from the early stages of concept development
8.4. Final Thoughts 180
to the final implementation - then what has been presented here should aid the de-
sign, and inparticular the specification and verification process. These phases in
the design process are still some distance from the final manufacturing stage. As
the verification technology matures and permeates both top level specifications
and the lower level descriptions of implementations, formally verified systems in
safety-related engineering applications should become a reality.
References
1. ACARD: Software: A Vital Key to UK Competitiveness, HMSO, 1986.
2. Agin G.J., and Binford T.O., Computer Descriptions of Curved Objects, IEEE
Trans. Comp., Vol C-2S, No.4, pp 439-449, April 1976.
3. Anderson L.R., Electric Machines and Transfonners, Reston Publishing Co.,
1981.
4. AQAP1,NATOQualityControISystemRequirementsforlndustry,Septem-
ber,1985.
5. AQAP 13, NATO Software Quality Control System Requirements, Septem-
ber 1985.
6. Artin E., Introduction to Algebraic Topology, Columbus, Merrill, 1969.
7. Back R.J.R., Mannila H., A Semantic Approach to Program Modularity, Re-
port C-1982-102, Department of Computer Science, University of Helsinki,
1982.
8. Back R.J.R., Wright, J. Von, Refinement Concepts Formalised in Higher
Order Logic, in Proceedings of IFD' Working Conference on Programming
Concepts and Methods, Broy M., Jones C.B. (eds), Amsterdam, Elsevier,
1990.
9. Baer A., Eastman C.M., and Henrion, M., Geometric Modelling: A Survey"
Computer Aided Design, 11, 1980, pp 253-272.
181
References 182
10. Barnhill RE., Riesenfeld RF. (eds), Computer Aided Geometric Design,
New York, Academic Press, 1974.
11. Barker J.W., Mathematical Theory of Program Correctness, Prentice-Hall,
1981.
12. Barrow H.G., Proving the Correctness of Digital Hardware Designs, in VISI
Design, Vo1.7,July 1984, pp M-77.
13. Bergstra J.A. et al, Module Algebra, Report CS-R8617, Centre for Mathemat-
ics and Computer Science, Amsterdam, 1986.
14. Bevier W., et al,An Approach to Systems Verification, Journal of Automated
Reasoning, Vol.S, No.4, November 1989.
15. Bochmann G.v., Hardware Verification with Temporal Logic: An Example.
IEEE Transactions on Computers, C-32, Part 3, March 1982, pp 223-231.
16. Bohn W., Fam G., and Kahmann J., A Survey of Curve and Surface Models
inCAGO" Computer Aided Geometric Design, 1, 1984, pp 1-60.
17. Boyer RS., Moore J.S., A Computational Logic Handbook, Boston, MA:
Academic, 1988.
18. Boyse J.W., Preliminary Design for a Geometric Modeller, Report GMR-
2768,Computer Science Dept., General Motors Research Ltd., July 1978.
19. Braid I.C., Three Systems for Shape Design and Representation - A Review,
in Proc. CAM-I International CAM Seminar, CAM-I, England, April 1975,
pp60-67.
20. Braid I.C., Designing With Volumes, PhD Dissertation, University of Cam-
bridge, Cambridge, 1973.
21. Bryant RE., A Switch Level Simulation Model for Integrated Logic Circuits,
PhD Thesis, Laboratory for Computer Science, MIT, March 1981.
References 183
22. BS5750:1987, Guide to Quality Management and Quality System.
23. BS 5882:1980, Specification for a Total Quality Assurance Programme for
Nuclear Power Plants.
24. Burstall R.M., Goguen J.A., The Semantic of Clear, A Specification Language,
in Lecture Notes in Computer Science 86, Springer-Verlag, 1980, pp 292-332.
25. Camilleri A.J., Executing Behavioural Definitions in Higher-Order Logic,
Report No. 140, Computer Laboratory, Cambridge University, February,
1988.
26. Camilleri A.J., Mechanising CSP Trace Theory in Higher Order Logic, IEEE
Transactions on Software Engineering, Vol.16, No.9, September, 1990, pp
993-1004.
27. Camurati P., Prinetto P., Formal Verification of Hardware Correctness, IEEE
Computer, Vol21, No.7, July 1988, pp 8-19.
28. Chiyokura H., Kimura R, Design of Solids With Free-Form Surfaces, Com-
puter Graphics, Proc, of SIGGRAPH, 1983, 17, pp 289-198.
29. Church A., A Formulation of the Simple Theory of Types, The Journal of
Symbolic Logic, 1940, Vo15, pp 56-58.
30. Cohen B. et al, Specifica tions of Complex Systems, Addison-Wesley, 1986.
31. Cohn A., Correctness Properties of the Viper Block Model: The Second
Level, Technical Report 134, University of Cambridge, May 1988.
32. Cohn A., The Notion of Proof in Hardware Verification, Journal of Auto-
mated Reasoning, Vo1.S,May 1989, pp 127-139.
33. Cousineau G., Huet G., Paulson L., The ML Handbook, INRIA, 1986.
References 184
34. Craigen D., et al, rn-EVES: A tool for Verifying Software, in Proceedings
of 10th International Conference on Software Engineering, Los Alamitos,
California, April, 1988, pp 324-333.
35. Cullyer W.J., Implementing Safety-Critical Systems: The Viper Micropro-
cessor, in VLSI Specification, Verification and Synthesis, Birthwistle G., Sub-
rahrnanyam P.A. (eds.), Kluwer Academic Publishers, 1988, pp 1 -25.
36. Def Stan 00-16: Guide to the Achievement of Quality in Software, MOD.
37. Dhingra 1.5.,Formalising an Integrated Circuit Design Style in Higher-Order
Logic, Ph.D. Thesis, Report No. 1St, Computer Laboratory, Cambridge
University,1989.
38. Feinberg R., Modem Power Transfonner Practice, Macmillan Press, 1979.
39. Fujita M. et al, Verification With Prolog and Temporal Logic, in Computer
Hardware Description Languages and Their Applications, Uehara T. Bar-
bacd M. (eds.), North-Holland, 1983, pp 103-114.
40. Goguen J.A., Tardo, J., An Introduction to OBJ: A language for Writing and
Testing Algebraic Program Specification, in Software Specification Tech-
niques, Gehani N., McGettrick A., (eds), Reading, MA: Addison-Wesley,
1979.
41. Goguen I.A., Burstall RM., A Study in the Foundation of Programming
Methodology: Specifications, Institutions, Charters and Parchments, in Cat-
egory Theory and Computer Programming, Pitt D. et al (eds.), Lectures
Notes in Computer Science, Springer-Verlag, 1986, pp 313-333.
42. Good D.I. et al, Principles of Proving Concurrent Program in Gypsy, Institute
of Computer Science, Univerity of Texas, Austin, Technical Report, ICSCA-
CMP-15,Ianuary,1979.
43. Gordon M.I.C., Milner A.J.,Wadsworth c.P., Edinburgh LCF: AMechanized
Logic of Computation, Springer Lecture Notes in Computer Science 78,
References 186
Springer Verlag, 1979.
44. Gordon M.I.C., LCF-lSM, Technical Report No.41, University of Cam-
bridge, Computer Laboratory, 1981.
45. Gordon M.I.C., A Model of Register Transfer Systems With Application to
Microcode and V1.S1 Correctness, Technical Report CSR-82-8t, Department
of Computer Science, University of Edinburgh, May 1982.
46. Gordon M.I.C., LCF-ISM :A System for Specifying and Verifying Hardware,
Technical Report 41, Computer Laboratory, University of Cambridge, UK,
1983.
47. Gordon M.I.C., Proving a Computer Correct With the LCF-lSM Hardware
Verification System, Technical Report 42, Computer Laboratory, University
of Cambridge, UK, 1983.
48. Gordon M.J.C, and Herbert, J., A Formal Hardware Verification Methodol-
ogy and Its Application to a Network Interface Chip, Technical Report 66,
Computer Laboratory, University of Cambridge, UK, 1985.
49. Gondon M.J.C., HOL : A Machine Oriented Formulation of Higher Order
Logic, Technical Report No.68, Computer Laboratory, University of Cam-
bridge, Cambridge, UK, 1985.
SO. Gordon M.J.C., HOL- A Proof Generating System for Higher-Order Logic, in
VISI Specification, Verification and Synthesis, Birtwistle G., Subrahmanyam
P.A. (eds), Kluwer Academic Publishers, Boston, 1988, pp 73-128, Proceed-
ings of the Hardware Verification Workshop, Calgary, Canada, 12-16, Jan-
uary, 1987.
51. Gordon M., Mechanizing Programming Logics in Higher-Order Logic, in
Current Trends inHardware Verification and Automated Theorem Proving,
Birthwistle G. and Subrahmanyam P. (eds.), Springer-Verlag, New York,
1989, pp 387-439.
References 186
52. Hale R.S., Programming in Temporal Logic, Ph.D. Thesis, Report No. 173,
Computer Laboratory, Cambridge University, July, 1989.
53. Hanna F.K., Daeche N., Specification and Verification Using Higher Order
Logic: A Case Study, In Formal Aspects of VLSI Design: Proc. of the 1985
Edinburgh Conference on VLSI, Milne G.J., Subrahmanyam P.A., (eels), pp
179-213, North Holland, 1986.
54. Hanna F.K.,and Daeche N., Specification and Verification of Digital Systems
Using Higher Order Predicate Logic, IEEE Proceedings, Part E, September
1986, pp 242-254.
55. Hatcher W., The Logical Foundations of Mathematics, Pergamon Press,
1982.
56. Herbert J., Application of Formal Methods to Digital System Design, Ph.D.
Dissertation, University of Cambridge, 1986.
57. Herbert J., Temporal Abstraction of Digital Designs, inThe Fusion of Hard-
ware Design and Verification, Milne G. (ed), Procs. of the IFIP WG 10.2,
International Working Conf., North-Holland, 1988, pp 1-25.
58. Hoare C.A., Communicating Sequential Processes, Prentice-Hall, 1985.
59. Hoare C.A.R. et al., Weakest Prespecifications, Technical Report PRG-44,
Programming Research Group, Oxford University, 1985.
60. HSE PES: Programmable Electronic Systems in Safety-Related Applications,
Vol.l. An introductory Guide, Vo1.2.General Technical Guidelines, HMSO,
1987.
61. Hunt W.A., FM8510: A Verified Microprocessor, Ph.D. Thesis, Institute for
Computer Science, University of Texas at Austin, 1986.
62. IEC 880: Software for Computers in Safety Systems of Nuclear Power Sta-
tions, International Electrotechnical Commission, IEC, 1986.
References 187
63. lEC SC6SA WG9 /10, Software for Computers in the Applications of Indus-
trial Safety-Related Systems, Proposal for a Standard, International Elec-
trot xhnkal Commission, Subcommittee 6SA, Working Group 9, 1989.
64. Inan K, Varaiya P., Finitely Recursive Process Models for Discrete Event
Systems, lEEE Transactions on Automatic Control, Vol. 33, July 1988, pp
626-639.
6S. Interim Defence Standard 00-31: Development of Safety Critical Software
for Aircraft, MOD, 1987.
66. Interim Def Stan OO-SS,Requirements For the Procurement of Safety Critical
Software in Defence Equipment, Draft, Ministry of Defence, 1989.
67. Jones CB., Systematic Development Using VDM, Prentice-Hall, 1986.
68. Joyce J., Fonnal Verification and Implementation of a Microprocessor, in
VLSISpecification, Verification and Synthesis, Birtwistle G., Subrahmanyam
P. (eds.), Kluwer Academic Publisher, 1988. pp 129-1S7.
69. Joyce J., Fonnal Specification and Verification of Asynchronous Processes
inHigher-Order Logic, Report No. 136, Computer Laboratory, Cambridge
University, June 1988.
70. Koymans R. et al, Compositional Semantics for Real-Tune Distributed Com-
puting, LNCS 193, Springer-Verlag, June 1985.
71. Kuratowski K, Mowtowski A., Set Theory, Amsterdam, North Holland
Publishing Co., 1976.
72. Leeser M.E., Reasoning about the Function and Tuning of Integrated Cir-
cuits with Prolog and Temporal Logic, Ph.D. Thesis, Computer Laboratory,
Report No. 132, Computer Laboratory, Cambridge University, April 1988.
73. Leisenring A., Mathematical Logic and Hilbert's e-Symbol, Macdonald &
Co. Ltd., London, 1969.
References 188
74. Leveson N.G., Stolzy J.L, Safety Analysis Using Petri Nets, IEEETransaction
on Software Engineering, SE-13(3), March 1987, pp 386-397.
75. Loewenstein P., Reasoning about State Machines in Higher-Order Logic, in
Specification, Verification and Synthesis: Mathematical Aspects, Goos G. et
al (eds.), Lecture Notes in Computer Science, Vol408, 1990, Springer-Verlag,
pp 67-89.
76. Mallgren W.R., Formal Specification of Graphic Data Types, ACM Trans-'
actions on Programming Languages and Systems, Vol.4, October 1982, pp
687-710.
77. Manna Z., Pnueli A., The Anchored Version of the Temporal Framework.
InModels of Concurrency: Linear, Branching and Partial Orders, Barker J.
W. et al (eds.), LNCS. Springer-Verlag, 1989.
78. Markowski, G., Wesley M.A., Fleshing Out Wll'e Frame, mM Journal of
Research and Development, 1980, 24, pp 582-597.
79. Melham T.,Abstraction Mechanisms for Hardware Verification, Report No.
103, Computer Laboratory, Cambridge University, January 1987.
SO. Middleditch A.E. et al, Blend Surfaces for Set Theoretic Volume Modelling,
Computer Graphics, Proc. ofSIGGRAPH85, 1985, 19, pp 161-170.
81. Milne G.J., Milner R., Concurrent Processes and Their Syntax, Journal of the
ACM, Vo1.26,April 1979.
82. Milne G.J., CIRCAL: A Calculus for Circuit Description, Integration, Vol.1,
Part 2-3, October 1983, pp 121-160.
83. Milne G.J., CIRCAL and the Representation of Communication, Concur-
rency and TIme, Technical Report CSR-151-83,. Department of Computer
Science, University of Edinburgh, Novemebr 1983.
References 189
84. Milne R, Design Transformation and Chip Planning, In Milne G., Subrah-
manyam P.A. (eds.), Formal Aspects ofVLSI Design, North-Holland, 1986,
pp 23-43.
85. Milner R, A Calculus of Communicating Systems, in Lectures Notes in
Computer Science, Vo1.92,Springer Verlag, 1980.
86. Milner R, Calculi for Synchrony and Asynchrony, Technical Report CSR-
104-82, Department of Computer Science, University of Edinburgh, August
1982.
87. Mortenson M.E., Geometric Modelling, New York, John Wlley, 1985.
88. Moszkowski B.C., Reasoning about Digital Circuits, Ph.D. Thesis, Report
CS-83-970, Dept of Computer Science, Stanford University, 1983.
89. Moszkowski B.C., A Temporal Logic for Multilevel Reasoning about Hard-
ware, IEEE Computer Vol 18, No.2, February 1985, pp 10-19.
90. NES 620, Requirements for Software for Use With Digital Computers.
91. Paulson L, A Higher-order Implementation of Rewriting, Science of Com-
puter Programming, Volume 3, Part 2, August 1983, pp 119-149.
92. Paulson L, Tactics and Tacticals in Cambridge LCF, Technical Report 39,
Computer Laboratory, University of Cambridge, UK, 1983.
93. Paulson L., Logic and Computation, Cambridge University Press, 1987.
94. Pickett M.S., Boyse J.W., Solid Modelling by Computers, New York, Plenum
Press, 1984.
95. Quirk W.,Verification and Validation of Real time Software, Springer-Verlag,
•Berlin,1985.
96. Reed G.M., A Tuned Model for Communicating Sequential Processes, in
Proceedings ICALP 86, Springer-Verlag, LNCS 226, 1986.
References 190
97. Requieha A.A., Tilcve R.B., General Topology of Closed Regular Sets, Tech.
Memo. No.27, Production Automation Project, University of Rochester,
June 1978.
98. RTCA/DO-178: Software Considerations in Airborne Systems and Equip-
ment Certification, Published by Radio Technical Commission for Aeronau-
tics, Washington, DC, November, 1985.
99. Sabin M.A., Some Negative Results in N sided Patches, Computer Aided
Design, 18, 1986, pp 38-44.
100. Sanella D.T.,WlrSing M., A Kernel Language for Algebraic Specification and
Implementations, Report CSR-131-83, Department of Computer Science,
University of Edinburgh, 1983.
101. Sheeran M., pFP, An Algebraic VISI Design Language, PhD Thesis, Univer-
sity of Oxford, November 1983.
102 Simmons G.P', Introduction to Topology and Modern Analysis, New York,
Mc GrawHill, 1968.
103. Sokolowski 5., Soundness of Hoare's Logic: An Automatic Proof Using LCF,
ACM Transactions on Programming Languages and Systems, Vo1.9, 1987,
pp 100-120.
104. Spivey J.M., Understanding Z, Cambridge University Press, 1988.
105. STARTS Purchasers Handbook - Procuring Software-Based Systems, NCe
Ltd. Manchester, 1989.
106. Subrahmanyam P.A., Synapse: An Expert System for VLSI Design, Com-
puter, 1986, pp 78-89.
107. Tran 5., Guidelines for Hazard Analysis, Technical Report No. 620/010/90,
T&tNTechnology Ltd., July 1989.:
References 191
108. Tran 5., Standard for the Procurement of Electronic Systems in Vehicle,
Technical Report No. 621/010/90, T&N Technology Ltd, Sept 1989.
109. Tran 5., Cullyer J., Hines E., Marks K, The Development of a High Quality
Software Design Methodology for Automotive Applications, lEE Conf. on
Safety Critical Software in Vehicle and Traffic Control, London, Feb 1990.
110. Tran 5., Cullyer J., Hines E., Marks K, Formal Methods in Automotive
Applications, in the Proc. of the 22nd ISATA International Conference,
Florence, Italy, May 1990.
111. Tran 5., Cullyer J., Hines E., Marks K, On the Development of Formal
Methods Based Software Design Methodology for Automotive Applica-
tions, Microprocessor and Microsystems, 14(5), June 1990, pp 320-323.
112. Traub N., A Lisp Based CIRCAL Environment, Technical Report CSR-152-
83, Department of Computer Science, University of Edinburgh, November
1983.
113. Traub N., A Formal Approach to Hardware Analysis, Technical Report CST-
43-87, Department of Computer Science, University of Edinburgh, March
1987.
114. Van Eijk P.H.J., Visser C.A., Diaz M. (eds.), The Formal Description Tech-
nique LOTOS, Elsevier North-Holland, New York, 1989.
115. Wikstrom A., Functional Programming Using Standard ML, Prentice Hall
International,1987.
116. Wmskel G., A Compositional Model of MOS Circuits, in VIS! Specifica-
tion, Verification and Synthesis, Birthwistle G., Subrahmanyam P.A. (eds.),
Kluwer Academic Publishers, 1988, pp 323-347.
117. Zave P., An Operational Approach to Requirements Specification for Em-
bedded Systems, IEEE Transactions on Software Engineering, Vol. 8, Part 3,
May 1982, pp 250-269.
APPLICATIONS OF FORMAL METHODS
IN ENGINEERING
Volume 2 of 2
Sang Cong Tran
B.Eng (Hons.), M.Phll (Eng.)
A thesis submitted for the degree of
Doctor of Philosophy in the Engineering Department
University of Warwick
December 1991
BEST COpy
.
, .AVAILABLE
. Variable print quality
,
Acknowledgement
During the time of this project, it is pleasing to note the number of people who
have given their help and support. Thanks are due to my supervisor Dr. Evor
Hines. He diligently read through the various drafts of this thesis and made
valuable written comments. His insistence on clear writing has set a standard
which I will always try to aim for.
In addition, I would like to express my sincerest thanks to Professor John
Cullyer. This work could never have taken shape without his continued guidance
and support. His patience during my earlier da ys and his ever optimistic manner
has brought me through some of the most difficult times. He made valuable
suggestions on earlier drafts of this thesis, and was the source of many excellent
discussions.
This work could not have started without the financial support of T&N Tech-
nology Limited, GoodyearTransformers Limited and the Science and Engineering
Research Council. The technical advice and individual guidance received while
working there greatly help in this project. Of the innumerable people who helped,
I must explicitly acknowledge Kevin Marks at T&N Technology Ltd. and Ken
Frewin at Goodyear Transformers Ltd., who were the source of many stimulating
discussions.
Thanks are also due to colleagues who have been around at various times
to ask questions or answer mine. I would particularly like to thank Wai Wong
for help at various times with HOL theorems and tactics and in response to my
persistent questions about L~TEXtypesetting.
This work would not have been completed without the HOL system. Thanks
are due to the hardware verification group at Cambridge University; I am espe-
cially grateful to Dr. Mike Gordon for leading the way in hardware verification
and giving advice when it was most needed.
Abstract
The main idea presented in this thesis is to propose and justify a general frame-
work for the development of safety-related systems based on a selection of crit-
icality and the required level of integrity. We show that formal methods can be
practically and consistently introduced into the system design lifecycle without
incurring excessive development cost.
An insight into the process of generating and validating a formal specification
from an engineering point of view is illustrated, in conjunction with formal defi-
nitions of specification models, safety criteria and risk assessments. Engineering
specifications are classified into two main classes of systems, memory less and
memory b€aring systems. Heuristic approaches for specification generation and
validation of these systems are presented and discussed with a brief summary of
currently available formal systems and their supporting tools.
It is further shown that to efficiently address different aspects of real-world
problems, the concept of embedding one logic within another mechanised logic,
in order to provide mechanical support for proofs and reasoning, is practical, A
temporal logic framework, which is embedded in Higher Order Logic, is used
to verify and validate the design of a real-time system. Formal definitions and
properties of temporal operators are defined in HOL and real-time concepts such
as timing marker, interrupt and timeout are presented. A second major case
study is presented on the specification a solid model for mechanical parts. This .
work discusses the modelling theory with set theoretic topology and Boolean
operations. The theory is used to specify the mechanical properties of large
distribution transformers. Associated mechanical properties such as volumetric
operations are also discussed.
Declaration
tt
This dissertation is the result of my own work and, unless otherwise stated in the
text, includes nothing which is the outcome of work done in collaboration. No
part of this dissertation has already been, or is currently being. submitted for any
degree, diploma or other qualification at any other university.
Contents
Abstract il
Acknowledgement iv
VOLUME 1
1 Introduction 1
1.1 Background and Related Work. . . . . . . . . . . . . . . . . . .. 3
1.1.1 Design methodologies. . . . . . . . . . . . . . . . . . . .. 3
1.1.2 Specification and verification for software. . . . . . . . .. 4
1.1.3 Specification and verification for hardware . . . . . . . .. 4
1.2 Overview of Thesis. . . . . . . . . . . . . . . . . . . . . . . . . .. 7
2 Formal Methods in Safety-Related Systems 10
2.1 The Concept of Safety . . . . . . . . . . . . . . . . . 11
2.1.1 Safety in computer-based systems . . . . . . . . . 11
2.1.2 Applying formal methods. . . . . . . . . . . . . . . . . 12
2.2 Design Methodology. . . . . . . . . . . . . . . . . . . . . . . . 13
2.2.1 Development lifecycle . . . . . . . . . . . . . . . . 14
2.3 Safety Criteria Selection . . . . . . . . . . . . . . . . 16
2.3.1 Measures of risk . . . . . . . . . . . . . . . . . . . . . . 18
2.3.2 Safety integrity levels . . . . . . . . . . . . . 19
202.4 Determination of Assessment Levels .
2.4.1 Level selection . . . . . . . . . . . . . . . . . . . . . . . 22
2.S Selection of Development Techniques . . . . . . . . . . . . . . 22
vi
CONTENTS
2.6 Validation and Verification ....................
2.6.1 Informal techniques
2.6.2 Semi-formal techniques
2.6.3 Formal techniques . . . . . .
2.7 Discussion .
3 Formal Specifications in Engineering
3.1 Introduction .
3.1.1 System Classification .. ..
3.2 Formal Model of Safety . . . . . . .
3.2.1 Risk assessment
3.3 A SpecificationModel . . . . . . . . . . . . . . . . .
3.3.1 Model representation .
3.3.2 Formula of correctness .
3.3.3 Total and partial correctness .
3.4 Specification Generation . . . . . . . . . . . . . . . . . . . . . . . .
3.4.1 Memoryless systems . . . . . . . . . . . . . . . . . . . . . .
3.4.2 Memory bearing systems . . . . . . . . . . . . . . . . . . .
3.5 Specification Validation . . . . . . . . . . . . . . . . . . . . . . . .
3.5.1 Memoryless systems . . . . . . . . . . . . . . . . . . . . . .
3.5.2 Memory bearing systems . . . . . . . . . . . . . . . . . . .
3.6 Description of Formal Methods . . . . . . . . . . . . . . . . . . . .
3.6.1 First order logic .
3.6.2 Higher order logic . . . . . . . . . . . . . . .
3.6.3 Temporallogic.........................
3.7 Discussion .
4 HOL Theorem Prover
4.1 Introduction .....
4.2 Background...............................
4.3 The HOL logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vii
23
24
25
25
26
28
28
29
31
32
34
35
36
38
40
40
43
43
44
45
47
48
49
50
51
53
53
53
54
CONTENTS
4.3.1 Terms
4.3.2 Types . . . . . . . . . . . . . . . . . . . . 56
4.3.3 Hilbert's e-operator 58
4.4 The Meta-Language . . . . . . . . . . . . . . . . . . . . . . . . .. 59
4.5 The HOL System . . . . . . . . . . . . . . . . . . . . . . . . . . .. 62
4.5.1 Theories: definitions, axioms and theorems . . . . . . . .. 63
4.5.2 Primitive inference rules ...................
4.5.3 Tactics and tacticals ...
4.6 Summary.............
5 Embedded Temporal Logic
5.1 TuningVerification. . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.1 First order logic .
5.1.2 Temporallogic .
5.1.3 Interval temporallogic ........•...........
5.1.4 Other techniques .
5.1.5 Higher order logic . . . . . . . . . . . . . . . . . . . . . . .
5.2 TemporalOperators . . . • . . . . . • . . . . . . . . . . . . . . . .
52.1 Basic operations . . . . . • . • . . . . . . . . . . . . . . . .
5.22 Tuningconditions . . . . . . . . . . . . . . . . . . . . . . .
5.23 Defining time markers. . . . . . . . . . . . . . . . . . . . .
5.3 Temporal Projection . • . .. . . . . . . . . . . . . . . . . . . . . .
5.3.1 Mapping function . . . . . . . . . . . . . . . . . . . . . . .
5.3.2 Interrupts............................
5.3.3 Tune limits . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4 Formulation of Temporal Correctness .
5.5 Discussion .
6 A Throttle Control System
6.1 Introduction .
6.1.1 System description .
viii
55
64
66
67
69
69
69
70
70
71
71
71
72
73
74
77
78
81
82
84
84
86
86
87
CONTENTS ix
6.1.2 System requirements
6.1.3 Design methodology
6.2 Background Behaviour .
6.2.1 Manual control . . . . . . . . . . .
6.2.2 Cruise/Resume control . . . . ..
6.2.3 Traction control .
6.2.4 Idle control . . . . . . . .
88
90
94
95
96
97
98
98
98
101
103
6.2.5 Shutdown/Reset mode .
6.2.6 Function NextState . . . .
6.3 Foreground Behaviour .
6.3.1 Motion . . . . .
6.3.2 Real-time characteristics. . . . . . . . . . . . . . . . . . 104
6.3.3 Maximum response time ..... . . . . . . . . . 105
6.3.4 Maximum registered time . . . . . . . . . . . . . . . . . .. 106
6.3.5 Maximum transit time . . . . . . . . . . . . . . . . . . . .. 106
6.3.6 Position and direction . . . . . . . . . . . . . . . . . . . .. 107
6.4 Improving the Performance . . . . . . . . . . . . . . . . . . . . .. 108
6.5 The Complete Specification . . . . . . . . . . . . . . . . . . . . .. 111
6.6 VerificationPlan and Methodology. . . . . . . . . . . . . . . . .. 111
6.6.1 Proof plan 112
6.6.2 Safety properties. . . . . . . . . . . . . . . . . . . . . . .. 112
6.6.3 State transitions 114
6.6.4 Deterministic state-machine 116
6.7 Discussion 117
7 Mechanical Solid Modelling
7.1 Introduction .
120
120
7.2 Designing Mechanical Parts. . . . . . . . . . . . . . . . . . . . .. 121
7.2.1 Communication between the designer and the modeller .. 122
7.2.2 Tune taken and costs incurred in the design process . . .. 122
7.3 Geometric Modelling inTransformer Design ..... . . . . . .. 123
CONTENTS x
7.3.1
7.3.2
Spatial arrangement . . .
7.5.4 Closure
123
124
124
127
129
130
132
133
Volumetric verification .
7.4 Mathematical Foundations . . .
7.5 Point-Set Algebra .
7.5.1 Metric space . . . . . . . . . . . .
7.5.2 Open sets and neighbourhood . . . . . . . . .
7.5.3 Closed sets .
7.5.5 Interior............................. 135
7.5.6 Boundary............................ 136
7.5.7 Dimensional property of boundary 140
7.6 Closed Point-Set Topology 142
7.6.1 Defining OBJECT . . . . . . . . . . . . . . . . . 144
7.6.2 Solid primitives 146
7.6.3 Generic and parameterised primitives. . . . . . . . . . .. 149
7.7 Combinations of Solid Primitives. . . . . . . . . . . . . . . . . .. 151
7.7.1 Modified boolean operations . . . . . . . . . . . . . . . .. 152
7.7.2 Boolean model . . . . . . . . . . . . . . . . . . . . . . . .. 156
7.8 Solid Modelling inTransformer Designs. . . . . . . . . . 157
7.8.1 Null-object detection 161
7.8.2 Specifying the manufacturing process . . . . . . . 164
7.8.3 Computation of overall volume 166
7.9 Discussion . 168
8 Concluding Remarks
8.1 Summary of Thesis . . . . . . . .
8.1.1 Methodology.......
171
8.1.2 Specification techniques .
8.1.3 Timing analysis .....
8.1.4 Specifying behaviour ..
IiI
IiI
li3
1i4
liS
8.2 Discussion . 1i6
CONTENTS
8.2.1 Correctness of a real design . . . . . . .
8.2.2 Relating different levels of abstraction .
8.2.3 Verification process
8.3 Future Work .
8.3.1 Executable specifications
8.3.2 Computer aided design with formal methods.
8.4 Final Thoughts . . . . . . . . . . . . . . . . . . . . . .
References
VOLUME 2
A. A Formal Solid Modelling System
B. Temporal Definitions and Theorems
C. HOL Specification of DBW Controller
D. Formal Specification of Solid Modelling
E. Paper > The Development of a High Quality Software Design
Methodology for Automotive Applications
F. Papee » Formal Methods in Automotive Applications
G. Paper > On the Development of Formal Methods Based Soft-
ware Design Methodology for Automotive Applications
H. Paper « Formal Solid Modelling Using Higher-Order Logic
I. Paper· Applications of Formal Methods in the Transformer
Industry
xi
176
17i
177
178
178
178
179
181
Annex A: A Formal Solid
Modelling System
A.1 Introduction
In order to support the solid modelling theory described in chapter 7, a simple
solid modeller has been implemented. The program was written using a subset
of Pascal into which the HOL source can be translated directly. The system in-
cludes a set of pre-constructed primitives and can support a number of geometric
operations.
Basically, the program is a batch based solid modeller. It reads commands
either from keyboard or file and executes the commands in order to create new
3-dimensional objects. It is based on the HOL theory of solid modelling which
is a formal representation scheme in which complex solid may be defined as
combinations of primitive solid IlIIi/dinu !J/nrh via the regularised set operators.
The architecture of the system is shown in Fig.A.l.
A.2 System Descriptions
The definition of objects in FSMSconsists of two types of statements: definitional
statements and commands in imperative format. For instance,
(1) cl=cylin(vector(1500,1375,900),vector(O,O,1500),300);
(2) c2=cylin(vector(1500,1375,900),vector(O,O,1400),400);
(3) coill=c2-cl;
192
Annex A: A For-mal Solid Modelling System 193
Object
Definitions CRT Displays
Commands
Input Medium Output Medium
Fig. A.I System architecture
In this example, statements (1) and (2) define primitive solids, which are cylindri-
cal objects in this case. Composite solids a re defi ned via regularised set opera tions
in statement (3) 1.
A.3 Data Types
Table A.1 shows data types supported by FSMS. To ensure the consistencies and
validity of the formal theory, the system types are defined in a similar way as
those specified in the HOL theory. There are three main types, From these generic
Type Value
ObjectType Solid.
N IImeric'Ty pe Integer type.
ObjListType list. of (auv of the above type) objects.
Table A.l System data. types
system types, an entity type may be determined by its symbolic name. In the
example presented above, cl is a symbolic name of the cylinder specified by its
appropriate dimensions. However, names in FSMS are not variables, thus only
lIn FS~IS. regularised set operat ious havr- ill the sa me format as Boolean operations.
Annex A: A Formal Solid Modelling System 194
one value may be associated to each name in the definition.
A.4 Prhnitive Solids
The system supports two primitive solids: blocks and three versions of cylinders,
whose axes must be parallel to the (X, Y,Z) master coordinate system. These are
defined as follows,
BOX(Point, Ox, Oy, Oz)
defines a rectangular solid block at a base position of Point and Ox, Oy, Dz as its
dimensions. Note that negative dimensions are not allowed. The basic element
in FSMS is defined as Point which is a 3-tupple of the form (x.y.z) where x, y, z
are its real coordinates.
In a similar manner, a cylinder is presented by a formula
CYLIN (Centra, Direction, Radius)
where the cylinder is a geometrical solid object which has Cantre as its base
centre, and Radius as its radial dimension. Direction is presented as a tupple
of 3-element, ie, a vector of the form (dx,dy,dz) where the magnitude of each
element represents the cylinder height. Therefore, the formula can be used to
present cylindrical objects in all three dimensions.
X direction
Y direction
Z direction
CYLIN (Centre, (10,0,0), Radius)
CYLIN (Centre, (0,10,0), Radius)
CYLIN (Centre, (0,0,10), Radius)
These formulae represents cylinder of the same size in X, Y, Z direction respec-
tively.
A.5 System Operators
Three types of operators are available in FSMS,
Annex A: A Formal Solid Modelling System 195
• Positional operators (rigid motion)
The translational function TRANS (Distance) translates a solid by the spec-
ified Distance argument. Since HOl theory does not support rational
arguments, therefore to preserve the validity, rotational operations are not
implemented in FSMS.
• Combinational operators on solid
The three regularised set-theoretical operators UNION, INTER and DIFF are
included. Combinational operators are written in infix form. Precedence
between operators is defined by bracketing structures. It should be noted
that, regularised set operators are Ufllfl'll/, and may be applied to primitives
as well as any parts defined in FSMS. In this way, complex solid objects can
be hierarchically defined without the risk of introducing inconsistencies at
any stage in the design since each step of the development is verified by the
system.
• Arithmetic operators
The system supports the usual arithmetic operators such as +, -, ...which
operate on integers. Division operation however, is not included.
A.6 Definitional Statements
There are two kinds of definitional statements. These are object definitional
statements, and value assignment statements. Object definitional statements are
of the form
<name> = <obj>
where <obj> is any expression that has a ."olid value. Statements 0) and (2)
in the earlier example are definitional statements. Value assignment statements
associate values with numbers, for example,
x = 5
Annex A: A Formal Solid Modelling System 196
The order of definitional statements in FSMS is important, a name can not be used
before it has been assigned a value.
A.7 Commands
A number of useful commands are included to support the design environment.
Commands may appear any ..vhere in J FSMS definition and are executed imme-
diately if possible. FSMS has three types of commands,
• Utility commands, ego to INCLUDE and LOAD files containing definitions.
• Editing commands: editing can be done interactively at the system prompt
in a line editing format, or in screen editing format of the user's specified
editor. A setup file allows user to specify his/her chosen editor before
starting FSMS.
• Graphic commands: FSMS graphic commands were implemented in a way
to relieve users of the burden of specifying the multitude of parameters
needed to ensure that displays fit on the screen. The basic syntax is
VIEW (ObjectList. ClearWindow)
The VIEW command takes a list of objects and draw on the screen. The
Boolean value ClearWindow specifies whether the graphic screen is blanked
before drawing. In fact, function VIEW is described in exactly the same way
as the HOL function BUILD specified in chapter 7.
A.8 Lim itat ions
There are a number of restrictions on the operations between objects.
• No intersection of co-planar objects is allowed. One can always overcome
its model by moving one of the operands in the boolean operation by a
small amount.
Annex A: A Formal Solid Modelling System 197
• If the intersection of two objects falis exactly on their boundaries, the system
will alarm that the two object do not intersect at all, since their intersection
results in dangling faces .
• Intersection that results with cl point or a line will probably cause wrong
propagation of the inner and outer part of one object relative to the other.
There are bugs in the SOUNDARY evaluation algorithms which remain
intact.
A.9 Comments
This modelling system is far from been practical. The main aim of implementing
FSMS is to give a visual demonstrations of the validity of the modelling theory
which is, due to its generality, of a high level of abstraction. However, it may
serve as a pointer which illustrates the feasibility of combining formal techniques
to real-world problems.
A.I0 Design Example
An FSMS source for modelling a distribution transformer is included as follows,
# Dimension in mm
# CORE = «(BOX(1375,1000,750)(1757,750,2000) REG_UNION
#
#
#
#
BDX(1500,1250,500)(250,250,SOO) REG_UNION
BOX(2750,1250,500)(2S0,2S0,SOO» REG_DIFF
BDX(162S,500,1000)(SOO.2000.1S00» REG_DIFF
BDX(2375,500,1000),(SOO.2000.1500»
core=box(vector(1375,1000.750).1750.750,2000);
bl=box(vector(1500.1250,500).250.250.500);
b2=box(vector(2750,12S0,SOO).2S0.2S0.S00);
core=core+bl ;
core=core+b2;
Annex A: A Formal Solid Modelling System 198
free(bl);
free(b2);
bl=box(vector(1625,500,1000),500,2000,1500);
b2=box(vector(2375,500,1000),500,2000,1500);
core=core-bl;
core=core-b2;
free(bl);
free(b2);
view(list(core),off);
free(core);
# COIL = (CYLINDER_Z(1500,1375,900)(1500,300) REG_DIFF
# CYLINDER_Z(1500,1375,900)(1400,400» REG_UNION
# (CYLINDER_Z(2250,137S,900)(lS00,300) REG_DIFF
# CYLINDER_Z(2250,1375,900)(1400,400» REG_UNION
# (CYLINDER_Z(3000,137S,900)(1500,300) REG_DIFF
# CYLINDER_Z(3000,137S,900)(1400,400»
cl=cylin(vector(lS00, 1375,900) ,vector(O,O,1500) ,300);
c2=cylin(vector(1500,131S,900),vector(O,O,1400),400)j
coil1=c2-cl ;
free(c1) j
free(c2);
view(list(coill) ,off);
free(coil1) j
cl=cylin(vector(2250,1375,900),vector(O,O,1500).300);
c2=cylin(vector(2250,1375,900).vector(O,O.1400),400);
coil2=c2-cl ;
free(e1);
free(e2);
view(list(coi12),off);
free(coil2);
cl=cylin(vector(3000.1375,900).vector(O,O,1500),300);
c2=eylin(veetor(3000,1375,900).veetor(O.O.1400),400);
Annex A: A Formal Solid Modelling System 199
eoil3=e2-el ;
free(el);
free(c2);
view(list(eoi13),off);
free(eoil3) ;
# LUGS = (BOX(750,1500,3600)(250,100,400) REG_DIFF
# CYLINDER_Y(875,1400,3800)(600,75» REG_UNION
# (BOX(3500,1500,3600)(250,100,400) REG_DIFF
# CYLINDER_Y(3625,1400,3800)(600,75»
lug=box(veetor(750,1500,3600),250,100,400);
e=eylin(veetor(875.1400,3800),veetor(O,600,O),75);
lug = lug-e;
view(list(lug),off);
free (lug) ;
free(e);
lug=box(veetor(3500,1500,3600),250,100,400);
e=eylin(veetor(3625,1400,3800),veetor(O,600,O),75):
lug = lug-c;
view(list(lug),off);
free(lug):
free(e);
# TANK = BOX(1000,SOO,500) (2500,2000,3500)
tank = box(vector(1000,500,500).2500,2000.3500);
view(list(tank) ,off):
free(tank);
# COOLING = CYLINDER_X(O,1400,4250)(1500,400) REG_UNION
# CYLINDER_Z(12S0, 1700,3900)(300,100)
eooling=eylin(veetor(O, 1400.4250) ,veetor(1500,O,O) ,400):
Annex A: A For mnl Solid Mo delli ug System 200
c=cylin(vector(12S0,1700,3900),vector(O,O,300),100);
cooling = cooling+c;
view(list(cooling) ,off);
tree(c);
free(cooling);
# CABLE = BOX(1875,2500,2750)(750,500,750) REG_UNION
#
#
#
#
BOX(2000,2625,2500)(500,250,500) REG_UNION
CYLINDER_Y(2000,2750,3000)(350,SO) REG_UNION
CYLINDER_Y(2250,2750,3000)(350,SO) REG_UNION
CYLINDER_Y(2500,2750,3000)(350,50)
b1 = box(vector(187S,2500,2750),750,500,750);
b2 = box(vector(2000.2625,2500),500.250,500);
cable=b1+b2;
fre.Cbi) j
free(b2) j
c1=cylin(vector(2000.2750.3000).vector(0.350.0).50)j
c2=cylin(vector(2250.2750,3000).vector(O.350.0).50);
c3=cylin(vector(2500.27S0.3000).vector(O.350.0).50);
cable = cable+c1;
cable = cable+c2j
cable = cable+c3j
fre.(c1)j
free(c2);
free(c3)j
color(cable,red);
view(list(cable).ott);
tree(cable);
# BUSHING = CYLINDER_Z(3250, 1500,4100)(50.150) REG_UNION
#
#
#
CYLINDER_Z(32S0,1500,4250)(50.150) REG_UNION
CYLINDER_Z(3250.1500.4400)(50.150) REG_UNION
CYLINDER_Z(3250.1500.4000)(650.50) REG_UNION
Annex A: A Formal Solid Modelling System 201
#
# CYLINDER_Z(2850.1500.4100)(50.150) REG_UNION
# CYLINDER_Z(2850.1500.4250)(50.150) REG_UNION
# CYLINDER_Z(2850.1500.4400)(50.150) REG_UNIOH
# CYLINDER_Z(2850.1500.4000)(650,50) REG_UNION
#
# CYLINDER_Z(2450, 1500,4100) (50,150) REG_UNION
# CYLINDER_Z(24S0,lS00,42S0)(SO.lS0) REG_UNION
# CYLINDER_Z(2450.1500.4400)(SO.lS0) REG_UNIOli
# CYLINDER_Z(2450, 1500,4000)(650,50) REG_UNION
bl=cylin(veetor(32S0,1500,4100).veetor(O.O.SO).lS0);
b2=eylin(veetor(32S0,lS00,4250),veetor(O.O,SO),150);
b3=cylin(vector(3250,lS00,4400).veetor(O,O,SO),150);
col=cylin(vector(3250,1500,4000).vector(O,O,6S0) ,50);
bushingl=bl+b2;
bushingl=bushingl+b3;
bushingl=bushingl+eol;
fr.e(eol);
fre.(b1) ;
fre.(b2);
free(b3);
view(list(bushingl) ,off);
free(bushingl);
bl=cylin(vector(2850,1500,4100),veetor(O,O.SO),150);
b2=cylin(veetor(28S0,1500.4250),veetor(O,O.50),150);
b3=cylin(veetor(2850,1500.4400),veetor(O,O,50),150);
col=eylin(vector(2850,1500.4000),veetor(O,O,650),50);
bushing2=bl+b2;
bushing2=bushing2+b3;
bushing2=bushing2+eolj
free(eol);
free(bl);
free(b2)j
Annex A: A Formal Solid Modelling System 202
free(b3);
view(list(bushing2).off);
free(bushing2);
b1=cylin(vector(2450,1500.4100).vector(O,O,50),lS0);
b2=cylin(vector(24S0,1500,42S0),vector(O,O,50),150);
b3=cylin(vector(2450,1500,4400),vector(O,O,50),150);
col=cylin(vector(2450,1500,4000),vector(O,O,650),50);
bushing3=b1+b2;
bushing3=bushing3+b3;
bushing3=bushing3+col;
free(col);
free(bl) ;
free(b2);
free(b3);
view(list(bushing3) ,off);
free(bushing3);
# RADIATOR = 80X(850,750,750)(50,1500,2500) REG_UNION
# 80X(700,750,750)(50,1500,2500) REG_UNIOI
# 80X(550,750,750)(50,1500,2500) REG_UNION
# 80X(400,750,750)(50,1500,2500) REG_UNION
# 80X(250,750,750)(50,1500,2500) REG_UNION
# 80X(100,750,750)(50,1500,2500) REG_UNIOI
# 80X(3650,750,750)(50, 1500,2500) REG_UNION
# 80X(3800,750,750)(50,1500,2500) REG_UNION
# 80X(3950,750,750)(50,1500,2500) REG_UNION
# 80X(4100,750,750)(50,1500,2500) REG_UNION
# 80X(4250,750,750)(50,1500,2500) REG_UNION
# 80X(4400,750,750)(50,1500,2500) REG_UNION
panel1=box(vector(850,750,750),50,1500,2500);
pane12=box(vector(700,750,750),50,1500,2500);
Annex A: A. Formal Solid Moclelling System 203
pane13=box(vector(550.750.750).SO.lS00.2500);
pane14=box(vector(400.750.750).50.1500.2500);
panelS=box(vector(2S0.7S0.7S0).SO.lS00.2S00);
pane16=box(vector(100.7S0.750).SO.1500.2500);
radiatorl=panell+pane12;
radiatorl=radiatorl+pane13;
radiatorl=radiatorl+pane14;
radiatorl=radiatorl+panelS;
radiatorl=radiatorl+pane16;
free(tube2);
free(tube1) ;
free(panel1);
free(pane12);
free(pane13);
free(pane14);
free(panelS);
free(pane16);
view(list(radiatorl).on);
free (radiator1) ;
panell=box(vector(36S0.750.750).50.1500.2500);
pane12=box(vector(3800.750.7S0).SO.1500.2500);
pane13=box(vector(39S0.750.7S0).SO.lS00.2S00);
pane14=box(vector(4100.7S0.7S0).50.1S00.2S00);
panelS=box(vector(42S0.7S0.7S0).SO.lS00.2500);
pane16=box(vector(4400,7S0,750),SO,lS00,2S00);
radiator2=panell+pane12;
radiator2=radiator2+pane13;
radiator2=radiator2+pane14;
radiator2=radiator2+pane15;
radiator2=radiator2+pane16;
free(tube2);
free(tube1) ;
free(panel1) ;
free(pane12);
Annex A: A For m al Solid Modelling System 204
free(panel3) ;
free(panel4);
free(panel5);
free(panel6);
view(list(radiator2),off);
free(radiator2);
# BASE = (BDX(SOO,SOO,O),3500,2000,500) REG_DIFF
#
#
CYLINDER_Y(750,O,250)(4000,50» REG_DIFF
CYLINDER_Y(3750,O,250)(4000,SO)
bottom = box(vector(500,SOO,O),3500,2000,500);
holel = cylin(vector(750,O,250),vector(O,4000,O),50);
hole2 = cylin(vector(3750,O,2S0),vector(O,4000,O),50);
base = bottom _ holel;
base = base _ hole2;
free(bottom);
free(holel);
pfree(hole2);
view(list(base) ,off);
free(base);
Annex B: Temporal
Definitions and Theorems
B.l Definitions
And_DEF I- Vx u. x And u = pI. :1: I /\ Y l)
Or_l)EF I- Vx y . .c Or y = (At . .c t V !1 t)
Not_DEF I- \:Ix. Not .r. = (.\t . ....,r t)
Imp_l)EF I- VJ: y. X ----> Y = (,\t. x I ::) y t)
Xor2_DEF I- \:Ix y. Xor2 (x, y) = (Al. (.r t V Y 1) /\ -'(.1' t /\ Y t))
Xor3_DEF I- \:Ix !I ::. Xor3 (x, y,::) = (At. (x t V Y tV:: t)
/\ ""'(J:t /\ yt V!l1 /\::t V::l /\ xl})
True _l)EF I- True = ('\t. T)
False_l)EF I- False = (At. F)
Next_l)EF I- \:Ip. Next p = (,\1.11 (SUe I))
Until_l)EF I- Vp 'I· P Until fJ = Pt. (.3/1.1::; i, /\ 11/1 /\
("It";!. I ::; /'2 r; I:! < II ::) pi:!)))
Somet ime_l)EF f- Vp. Sometime /1 = i». (3/'. I ::; /' /\ P t'))
Always_l)EF I- Vp. Always JI = (,\f. (VI'. I ::; /' ::) p f'))
Eq_l)EF f- Vf c. f Eq c = ('\/. f / = c-)
Equiv_l)EF I- VJlI[. Ji Equiv 'I = (,\/./' / = 'I t)
First_l)EF I- Vp I. First 1/ I = /' / /\ (V/'.l' < t :J ""'p t')
LastJ)EF I-\:Iptl t:!.lastp(tl./2)=(Vt./1 <1/\ I<t'_! :) ....,pt) /\ pt.
20.5
Annex B: Tem por-al Definitions and T'heoi-erns 206
Fin...DEF f-Vptlt:.!.Finp(II,I:!)=tt<l~ 1\ r t:
1- 'lip It i'.!. Keep JI (lIJ2) = tl < 12 1\ ('It. II < t 1\ t < t2 J pt)Keep...DEF
Length...DEF f- (VI). Length p 0 = (At. pt)) !,
(Vp n. Length p (SUe 1/.) = (/\1. Length P 11 t 1\ =» (SUe (n + t»)
Len...DEF f- Vp 71, Len p n = i Xt", Length p n (t' - 11)
Mapped...DEF 1- (Vp. Mapped pO = (At. First p t)) 1\
(Vp n. Mapped ]J (SUe 11) = (At. (:It'. Mapped p 11 t' 1\ Last p (t', t»)
Proj...DEF f- 'lip n.p Proj n = is:t . Mapped p n t)
ValidJ)EF f- Vp. Valid P = ('if. pI)
When...DEF f- Vp b.p When b ::: (Vn.b (/) Proj 1/))
Upon...DEF f- Vp b.p Upon b:::: (,\p' t. (JJ When b => p' tip I)
Timeout...DEF
1- Cvb. Timeout 0 b = T) 1\ ('It b. Timeout (SUe t) b = (b => F I Timeoutt b))
Within...DEF f- 'Vb p, b Within p = (At. ,(p t 1\ Sometime b t))
B.2 Theorems
LESSEQ f- 'Va b. -.(a < b) J b:5 (J
SUC..LESS_SUC f- 'Vt r, sue t :5 f' J sue t :5 sue l'
NOT..EQ..R.EFL f- Va b. (,(I:::: b):::: (a:::: ,b)
IMP.-AND f- Va b c. (I J (b :) c) = a 1\ b :) C
LESS..EQ_TRANS 1- 'V(I b c. et :5 Ii 1\ b :S r :) fI,:5 c
IMP _CONTRAPOS f- Va h.(/ J b:::: ,b J ,a
IMP _SELF f-Vab.ul/:) (bl/:) on)
lemma1 I-- V.L'. .1' And .f :::: .1,'
lemma2 f- V.v y .. 1: And y ::::.If And .1:
lemma3 f- V:t· II:. (.1' And y) And: = £ And (.11 And :)
lemma4 f- 'V.I~.. I: And True =.1'
Annex B: Temporal Definitions and Theorems 20i
lemmaS
lemma6
lemma7
lemmaS
lemma9
lemmal0
lemmall
lemma12
lemma13
lemma14
lemmalS
lemma16
lemma17
lemma1a
lemma19
lemma20
lemma21
lemma22
lemma23
lemma24
lemma25
lemma26
lemma27
lemma28
lemma29
f- "1.1: . .1.' And False = False
f- "1,1' . .I' Or .c = J'
I- "1.1.: y . .1.' 0 r y = 11 0 r ./
f- Vx !J ::. (x Or .II) Or :: = .I; Or (.II Or z ]
f- "I.e . .1.' Or True = True
f- V.r: . .I' Or False =.r
f- "1'/'. Xor2 (.I: .. J:) = False
I- V.e!/. Xor2 (.I:. y) = Xor2 (.II. x)
I- "Ix. Xor2 (:r, True) = Not z
I- "Ix. Xor2 (.r. y) = Xor3 (x. y. False)
I- (Not True = False) /\ (Not False = True)
I- Vp 'I t~. 'I < t : /\ Last P (tl, t',)) =
Keep (Notp)(tI,12) /\ Finp(tl!l2)
f- Vp. Sometime p = True Until p
f- 'tip. Always p = Not (Sometime (Not p))
l- 'lip. Valid (p - Sometime p)
f- VI'. Valid (Next P - Sometime p)
f- "lp, Sometime (Not [I) = Not (Always p)
f- 'lip 'I. Valid (Always (p - 'I) - (Sometime p - Sometime q))
I- 'lip 'I. Always (I' And 'I) = Always p And Always (I
I- 'lip 'I. Sometime (I' Or 1/) = Sometime P Or Sometime 1/
I- Vp ,/ Valid ((Always II And Always If) - Always (p Or q))
I- VplJ. Valid (Sometime (JI And 'I) - (Sometime P And Sometime 'I))
I- Vp 'I. Next {fl And 'I) = Next P And Next II
f- vv '/. Next (/1 Or 'I) = Next 11Or Next q
I- 'lip 'f. Next lJI - 1/) = Next JI - Next 1/
Annex B: Temporal Definitions and Theorems 208
lenuna30
lenuna31
lenuna32
lenuna33
lenuna34
lenuna35
lenuna36
lenuna37
lenuna38
lenuna39
lenuna40
lemma41
lemma42
lemma43
lemma44
lemma45
lemma46
lemma47
lenuna48
lemma49
lemma50
lemma51
f- Vp 'l Valid ((Always J1 And Sometime (f} - (I' Until 'I))
f- Vp, Valid (Sometime (Next p) - Next (Sometime jI))
f- \:I/i Valid (Always (Sometime (Always I))) - Sometime (Always p))
f- Vll 'l- Valid ((Always p And Sometime 'I) - Sometime (p And 'I))
f- \:lp, Valid (Always (/i - 'I) - (Always p - Always 'I))
f- \:lp, Valid (Always l' - p)
f- \:lp, Next (Not p) = Not (Next p)
f- \:Ip 'l Valid (Next ([' - 'I) - (Next p - Next q))
f- \:lp, Valid (Always p - Next p)
f- \:lp, Valid (Always P - Next (Always 1'))
f- \:lp, Valid '» - Sometime p)
f- \:Ip 'l- Valid (Always (p - q) - (Sometime p ---+ Sometime 'I))
f- \:1)1 1/, Valid (Always (p - '1) - (Next I' - Next q))
f- \:Ip 'l 1', Valid (((Always p _' Always q) And (Always 'I -- Always r»
_ (Always p - Always ,'))
f- \:Ip 'I I', Valid (((Always JI-' Always 'I) And
(Always 'l _' Sometime ,.)) - (Always p --+ Sometime r)
f- \:Ip (II', Valid (((Always p _ Always q) And (Always 'I --+ Next 1')
- (Always p - Next 1'))
f- Vp 't /', Valid (({ji - Sometime 'I) And Always ('I - 1')
- (JI - Sometime I')
f- \:lp, II' 0 /\ Valid (/I' - Next tu) :) Valid (Always w)
f- Vp II, Valid (/1 - 'I) :) Valid (Sometime p - Sometime 'I)
f- \:II-' I[ r, Valid ((U) And III Until r ] - ((p Until r ] And ('1 Until I')))
f- VI' I[ r. Valid ((Always I) And (,/ Untilr))
- ((p And 'I) Until (,/ Until I')))
f- Vp, Valid ((Not /1 Until p) - Sometimep)
Annex B: Tem po ra l Definitions and 'I'heor ems 209
lernma52
lemma53
lemma54
lemma55
lemma56
lemma57
lemma58
lemma59
lemma60
lemma61
lemma62
lemma63
lemma64
lemma65
lemma66
lemma67
lemma68
lemma69
lemma70
lemma71
lemma72
lemma73
lemma74
lemma75
lemma76
r Vp. Valid /) :J (VII. (31 Mapped /) 11 I))
r Vp 11. Valid /) :J Mapped p // (p Proj /I.)
r Vp 11. Valid I) :J /' (p Proj 11.)
r VI). Valid [J :J (Vn. (3VI. Mapped p n t))
r Vp 11 I I'. Valid II :J (Mapped P n t 1\ Mapped p n i' ::> (t = t'))
r Vp. Valid Jl ::> P Proj /1 < p Proj sue n
r Vp. Valid p ::> (V/I t. Jl Proj n < t 1\ I < p Proj sue n ::> =» t)
f- VII II. Valid (p Equiv If) ::> (Valid p = Valid q)
f- Vp 'l- Valid (p - 'I) :J (Valid p ::> Valid q)
1- Vp q. Valid (p And 'I) = Valid I' 1\ Valid q
f- Vp. Valid (p Equiv p)
f- 'tip. Valid (p - p)
f- 'tip q. Valid (p Equiv 1]) = Valid (q Equiv p)
f- Vp q. Not (p And q) = Not p Or Not q
l- VI' q. Not (I' Or 'i) = Not I' And Not 'l
f- 'tip '1. Not P Or 'I = Jl - q
f- 'tip '17". Valid (((p Equiv q) And (q Equiv 1")) -- (p Equiv 1"))
f- Vp q. (p - 'I) And ((/ - p) = p Equiv q
f- Vp '/ I'. Valid (((p - 'I) And (,/ - ")) - (p - I'))
f- Vp'l 1'. Valid ((U, -,d And ((/ Equiv 1')) - (I' - r))
r Vp If I', Valid (((/1 Equiv 1/) And ((1 - 1')) -- (p -. 1'))
f- Vp '/ " Valid (((p - 'I) And (1/ -- /')) - (p - (I] And "»))
r VPI/ /' II'. Valid (((II Equiv q) And (,' Equiv wi)
- ((/1 And /.) Equiv ('I And /1')))
r Vpl/" Valid (((/, - ('1 - 1')) And (p - q)) - (p - 1'))
f- Vp (/ "./) And ('/ And ,.) = (p And 'I) And I'
Annex B: Tempor al Defi uit ions and Theorems 210
lemma77 I- Vp q r, 11Or ('lOr /') = (p Or 'I) Or "
lemma78 I- VI) 'l I'. P And ('lOr ,.) = (p And II) Or (p And 1')
lemma79 I- Vp 'I r. (p Or 'il And I' = (p And I') Or (q And 1')
lemma80 I- Vp '1'" jJ Or (II And r) = (p Or q) And (p Or 1')
lemma81 I- Vp 'I r. (p And q) Or " = (p Or r) And ('lOr r )
lemma82 I- Vi). P And Not P = False
lemma83 I- Vp. False And P = False
lemma84 I- Vp. l' And False = False
lemma85 I- Vp. True And P = p
lemma86 I- Vp. I' And True = i'
lemma87 I- Vp. p Or Not p = True
lemma88 I- Vp. True Or}J = True
lemma89 I- Vp. p Or True = True
lemma90 I- 'Vp. False Or p = p
lemma91 I- Vp. P Or False = p
lemma92 r Vp 1/ " w. (p And q) And (,' And tu) = (p And r) And ('I And w)
lemma93 I- Vp. P ~ False = Not p
lemma94 r Vp 'I Valid (p - 'I) 1\ Valid p :J Valid '/
lemma9S I- Vp. Not (Sometime II) = Always (Not p)
lemma96 I- VII. Not (Always /1) = Sometime (Not p)
lemma97 r VI' 'I· Valid (Always (I' - 'I) - (Always p- Always q))
lemma98 r Vp. Valid (Always I' - /,)
lemma99 I- Vp. Not (Next I') = Next (Not ,,)
lemmal00 r Vp II. Valid (Next (/1 - 'I) - (Next p - Next q))
lemma101 r Vp. Valid (Always I' - Next ]i)
lemmal02 r Vp. Valid (Always l' - Next (Always JI))
Annex B: Tem poi-al Definitions and T'heore ms 211
lemmal03 f- Vp. Valid (Always (/1 - Next p) - l/i - Always p))
lemmal04 f- Vpll." Until II = II Or (p And Next (p Untill/))
lemmal05 r Vpll. Valid ((p Until III - Sometime 1/)
lemmal06 r Vp 1/. P - 1/ = Not 'l - Not]J
lemmal07 r Vp. Not (Not 71)= l'
lemmal08 f- Vp. Valid p :) Valid (Always p)
lemmal09 r Vp. Valid p :J Valid (Next fl)
lemmall0 r Vp. Valid (ji - Sometime /i)
lemmal11 r Vp. Valid p :J Valid (Sometime p)
lemmal12 r Vp. Valid (Next l' - Sometime p)
lemma113 r Vp q . Valid (p - q) :J Valid (Always p - Always q)
lemma114 f- Vp 1/. Valid (p - III :J Valid (Sometime p - ... Sometime q)
lemma115 f- Vp 'l Valid (p - 1/) :J Valid (Next p - Next If)
lemma116 f- Vp. Valid (p - Next p) :J Valid (p - Always p)
lemma1l7 I- Vp. Always 11= Always (Always 11)
lemma118 f- Vp. Sometirne p = Sometime (Sometime p)
lemma119 f- Vp 1/. Valid (Always (p- 1/)) :)
Valid (Sometime p -- Sometime q)
lemma120 r Vp 1/. Always (p And q) = Always l' And Always q
lemma121 f- Vp 1/. Sometime \/1 Or 1/) = Sometime t! Or Sometime q
lemma122 I- Vp 1/. Valid ((Alwaysi' Or Always 'I) - Always (JI Or q))
lemma123 I- V/I II. Valid (Sometime lJl And II) - (Sometime /) And Sometime II))
lemma124 f- Vp (/. Valid ((Always /) And Sometime II) - Sometime (/I And q))
lernrna125 r Vp II. Next (/1 And '/) = Next Jl And Next IJ
lernma126 r Vp 1/. Next (/1 Or 1/) = Next fJ Or Next (I
lernma127 f- Vp 1/. Next (p - 1/) = Next /) - Next (/
Annex B: Te m por al Definitions and Theorems 212
lemma128 f- VII 'I· Next {fl Equiv ,tl = Next II Equiv Next 'I
lemma129 f- 'lip. Valid (p And Sometime (Not jJ)) :J
Valid (Sometime (fl And Next II))
lemma130 f- VPl 1'2 'II £1'2. Valid (Ill _ P'2) /\ Valid (P'2 _ Always (Id /\
Valid ('/1 - 'I:d :J Valid (PI - Always ({2)
lemma131 f- VPi JI~ 'Ii '12. Valid (PI _ P2) /\ Valid (p'2 _. Sometime '11) /\
Valid ('II _ '1'2) :J Valid (PI - Sometime q'2)
lemma132 f- VPl 1''2 'II '/~· Valid lill _ 1''2) /\ Valid (P'2 ~ Next qd /\
Valid ('II - 'I:!l :J Valid (Pi - Next fJ2)
lemma133 f- 'lip '! r, Valid (UI - Always 'I) And (q _ Always ,.)) :::>
Valid (p - Always ).)
lemma134 I- 'lip 'I 1'. Valid ((/) - Sometime ,,) And (q - Sometime ).)) :::>
Valid (p - Sometime .,,)
lemma135 f- 'lip '11'. Valid (UI - Sometime 'I) And
(I' - (q And (p And Next r)))) :::> Valid (I' __.. (1' Until q))
lemma136 I- "JPl P2 'II q2· Valid (fll - (12) /I. Valid ('11 - q2) :::>
Valid ((PI Until '11) - (P2 Until (/2))
lemma137 I- 'lip 'I. Valid ((Always p And Sometime q) ___...(p Until 'I))
lemma138 I- 'lip 'I 1'. Valid ((Always P And (q Until,.))
- ((I' And 'I) Until (I) And ,.)))
lemma139 f- VII 'II'. Valid (UI Until (I And r)) - ((p Untilq) And (p Until r)))
lemma140 f- 'lip 'I r, Valid ((" Until ('I And 1')) - ((p Until q) Until 1'))
B.3 Procedures of Proofs and Tactics
new_ type_abbrev ( "t ime' •" : nura") ; ;
%<------------------------~----------------------------------
General Tactics and Theorems
----------------------------------------------------------->%
Annex B: Temporal Definitions and Theorems 213
let FORALL_EQ_TAC:tactic(asl,w)=
(let tl,t2 = dest_eq w in
let xl,pl = dest_forall tl and x2,p2 dest_forall t2 in
if (type_of xl)=(type_of x2) then
(let x'=genvar(type_of xl) in
[asl,mk_eq (pl,p2)] ,\[th]. FORALL_EQ (x') th)
else fail? failwith 'FORALL_EQ_TAC');;
letrec DEPTH_FIRST_CONV conv tm
FIRST_CONV
[conv;
RATOR_CONV (DEPTH_FIRST_CONV conv);
RAND_CONV
ABS_CONV
(DEPTH_FIRST_CONV conv);
(DEPTH_FIRST_CONV conv)]
tm; ;
let ONCE_LEFT_TO_RIGHT_DEPTH_FIRST_REWRITE_TAC =
GEN_REWRITE_TAC DEPTH_FIRST_CONV basic_rewrites;;
letrec DEPTH_FST_CONV conv tm =
FIRST_CONV
[RATOR_CONV (DEPTH_FST_CONV conv);
RAND_CONV
ABS_CONV
conv]
(DEPTH_FST_CONV conv);
(DEPTH_FST_CONV conv);
tm; ;
let ONCE_DEPTH_FST_REWRITE_TAC =
GEN_REWRITE_TAC DEPTH_FST_CONV basic_rewrites;;
let change_var trm =
let trm_s, trm_t = dest var trm ln
mk_comb (mk_var( ,t -trm_s," :num->bool") ,"(e:num) ");;
Annex B: Tempol'al Defl n itio ns and 'I'heo re.ms 214
let CONVERT thm =
(let (bv,body) = strip_forall (concl thm) in
let vars = map change_var bv in
SPECL vars thm)
? failwith 'CONVERT';;
let LESSEQ = prove_thm ('LESSEQ',
"!a b. -(a<b) ==> (b<=a)",
REPEAT GEN_TAC
THEN REWRITE_TAC[IMP_DISJ_THM;LESS_CASES]);;
let SUe_lESS_SUe = prove_thm ('SUe_LESS_SUe',
"! t t'. (SUC t)<=t' ==> (SUC t)<=(sue t')",
REPEAT STRIP_TAC THEN RE~RITE_TAC[LESS_EQ_MONO]
THEN ASSUME_TAC (SPEC "t:num" LESS_EQ_SUC_REFL)
THEN ASSUME_TAC LESS_EQ_TRANS THEN RES_TAC);
let NOT_EQ_REFL = prove_thm ('NOT_EQ_REFL',
"!a b. (-a = b) = (a = -b)",
REPEAT GEN_TAC THEN BOOL_CASES_TAC "a:bool"
THEN REWRITE_TAC[]);;
let IMP_AND = prove_thm ('IMP_AND',
"{a b c. (a ==> b ==> c) = (a /\ b) ==> c",
REPEAT GEN_TAC THEN BOOL_CASES_TAC "a:bool"
THEN REWRITE_TACO);;
let LESS_EQ_TRANS = prove_thm ('LESS_EQ_TRANS',
"!a b c. (a<=b) /\ (bc=c) ==> (a<=c)",
REPEAT GEN_TAC THEN REWRITE_TAC[LESS_OR_EQ]
THEN STRIP_TAC THEN ASH_REWRITE_TAC[LESS_TRANS]
THENL [MP_TAC (SPECL["a:num";"b:num";"c:num"] LESS_TRANS)
THEN ASM_REWRITE_TACO
THEN STRIP_TAC THEN ASH_REWRITE_TAC[];
Annex B: Temporal Defi nitious and Theorems 215
ASSUM_LIST (\t. (REWRITE_TAG[SYM (ell t)]))
THEN ASM_REWRITE_TAC[]]);;
let IMP_CONTRAPOS = prove_thm ('IMP_GONTRAPOS',
"!ab. (a ==> b) = (-b ==> -a)",
REPEAT GEN_TAC THEN BOOL_GASES_TAG "a:bool"
THEN REWRITE_TACO);;
let IMP_SELF = prove_thm ('IMP_SELF',
"!(a:num->bool) (b:num->bool). a n ==> (b n ==> an)".
REPEAT GEN_TAG THEN BOOL_GASES_TAC "(a:num->bool) n"
THEN REWRITE_TAC[]);;
%<-----------------------------------------------------------
Temporal Definitions
----------------------------------------------------------->%
let And = new_infix_definition ('And_DEF',
..And x y ::\(t:time). x t /\ y t");;
let Or ::new_infix_definition ('Or_DEF',
"Or x y :: \(t: time). x t \/ y t");;
let Not:: new_definition ('Not_DEF',
"Not x:: \(t:time). -(x t)");;
let Imp = new_infix_definition ('Imp_DEF',
"$--> x y = \(t:time) . ex t ) ==> (y t)");;
let Xor2 ::new_definition('Xor2-DEF'.
"Xor2 (x,y) =\(t:time). (x t \/ y t ) /\ -(x t /\ y t)");;
let Xor3 = new_definition('Xor3_DEF'.
"Xor3 (x,y,z) =\(t:time). (x t \I Y t \I z 1:)
/\ -«x t /\ y t ) \/ (y t /\ z t) \/ (z t /\ x t))");;
Annex B: Temporal Definitions and Theorems 216
let True = new def ini tion ('True_DEF'. "True = \t. T");;
let False = new_definition ('False_DEF'. "False = \t. F");;
let Next = new_definition ('Next_DEF'.
"Next p = \t. «p (Sue t»):bool)");;
let Until = new_infix_definition ('Until_DEFt.
"Until p q = \t. (?tl. (t<=t1) /\ (q t t ) /\
(!t2. «t<=t2) /\ (t2<t1)) ==> (p t2»)");;
let Sometime = new_definition ('Sometime_DEFt.
"Sometime (p:time->bool) = \t. ?t·. (t c=t ") /\ pt' "); j
let Always = new_definition ('Always_DEFt.
"Always (p:time->bool) = \t. !t'. (t<=t') ==> pt''');;
let Eq = new_intix_definition ('Eq_DEFt.
"Eq (t:time->*) c = \t. t t = c");;
let Equiv = new_infix_definition (tEquiv_DEF'.
"Equiv (p:time->bool) (q:tlme->bool) =
\t. (p t) = (q t)");;
let First = new_definition ('First_DEFt.
"First p t = P t /\ (!t'. t'<t ==> -Cp t')");;
let Last = new_definition ('Last_DEF'.
"Last p (tl.t2) =
(!t. tl<t /\ t<t2 ==> -(p t» /\ (p t2)");;
let Fin = new_definition ('Fin_DEF'.
"Fin (p:time->bool) (tl:time.t2) = (tl<t2) /\ p t2");;
Annex B: Temporal Definitions and Theorems 217
let Keep = new_definition C'Keep_DEF'.
"Keep p Ctl.t2) =
(tl<t2) /\ (It. tl<t /\ t<t2 ==> (p t))");;
let Length = new_prim_rec_definition ('Length_DEF',
"(Length p 0 = \t. P t) /\
(Length p (SUe n) = \t. Length p n t /\ -p(SUC (n+t»)");;
let Len = new_definition ('Len_DEF' I
"Len p n = \t'. Length p n (t'-n)");;
let Mapped = new_prim_rec_definition ('Mapped_DEFt,
"(Mapped p 0 = \t. First p t) /\
(Mapped p (SUe n) =
\t.?t'. Mappedpnt' /\ Last p (t',t»)");;
let Proj = new_infix_definition ('Proj_DEFt,
"Proj p n = <Qt. Mapped p n tOO);;
let Valid = new_definition ('Valid_DEFt,
"Valid p = !t. pt");;
let When = new_infix_definition ('When_DEF',
"When p b = In. bf p Proj n}");;
let Upon = new_infix_definition ('Upon_DEFt•
"Upon p b = \p'. \t. p When b => p ' tip t");;
let Timeout = new_prim_rec_definition ('Timeout_DEFt,
"(Timeout 0 b = T) /\
(Timeout (sue t) b = b => F I Timeout t b)");;
let Within = new_infix_definition ('Within_DEF',
Annex B: Temporal Defi uitio ns a nd T'heot-ems-------------------------------------------218
"Within b P = \t. -Cp t /\ Sometime b t)");;
%<-----------------------------------------------------------
Temporal Theorems
----------------------------------------------------------->%
let lemma1 = prove_thm ('lemma1',
"!x. x And x = x",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma2 = prove_thm ('lemma2',
"!x y. x And y = y And x",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And] THEN BETA_TAC
THEN ONCE_DEPTH_FST_REWRITE_TAC[CONJ_SYM]
THEN GEN_TAC THEN REFL_TAC);;
let lernma3 = prove_thm ('lemroa3',
"!X y z. (x And y) And z = x And (y And z)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And] THEN BETA_TAC
THEN GEN_TAC THEN BOOL_CASES_TAC "(x:time->bool) nil
THEN REWRITE_TAC[]);;
let lemma4 = prove_thm ('lemma4',
"!x. x And True = x",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And;True]
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lemmaS = prove_thm ('lenma5',
"!x. x And False = False",
REWRITE_TAC[And;False]);;
Annex B: Tel1lpor~l Defl uitio ns a ud Theorems------------------------------------------ 219
let lemma6 = prove_thm ('lemma6',
"!x. x Or x = x",
GEN_TAC THEN REWRITE_TAC[Or]
THEN CONY_TAC FUN_EQ_CONY
THEN BETA_TAC THEN GEN_TAC
THEN REFL_TAC);;
let lemma7 = prove_thm ('lemma7',
"IX y. X Or y = y Or x",
REPEAT GEN_TAC THEN CONY_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Or] THEN BETA_TAC THEN GEN_TAC
THEN BOOL_CASES_TAC "(x:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma8 = prove_thm ('lemma8',
" !x Y z , (x Or y) Or z = x Or (y Or z )?",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Or] THEN BETA_TAC
THEN GEN_TAC
THEN BOOL_CASES_TAC "(x:tiIne->bool) n"
THEN REWRITE_TAC[]);;
let lemma9 = prove_thm ('lemma9'.
"!x. x Or True = True",
REWRITE_TAC[Or;True]); ;
let lemma10 = prove_thrn ('lemmalO',
"!x. x Or False = x",
REWRITE_TAC[Or;False] THEN GEN_TAC
THEN CONV_TAC FUN_EQ_CONV THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma!1 = prove_thIn ('lemma11',
Annex B: Tempo .."l Deft n itio us and Theorems 220
"!x. Xor2(x,x) = False",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Xor2;False]
THEN BETA_TAC THEN GEN_TAC
THEN BOOL_CASES_TAC "(x:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma12 = prov9_thm ('lemma12',
"!x y. Xor2(x,y) = Xor2(y,x)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Xor2] THEN BETA_TAC
THEN GEN_TAC
THEN BooL_CASES_TAC "(x:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma13 = prove_thm ('lemma13',
"!x. Xor2(x,True) = Not x",
GEN_TAC THEN CoNV_TAC FUN_EO_CoNV
THEN REWRITE_TAC[Xor2;True;Not]
THEN BETA_TAC);;
let lemrna14 = prove_thm ('lemrna14',
"!x. Xor2(x,y) = Xor3(x,y,False)",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Xor2;Xor3;False]
THEN BETA_TAC);;
let lemrna15 = prove_thm ('lemma15',
"(Not True = False) /\ (Not False = True)",
REWRITE_TAC[True;False;Not]); ;
let lemma16 = prove_thm ('lemma16',
"!p tl t2. (tl<t2) /\ Last p (t i ,t2) =
Keep (Not p)(tl,t2) /\ Fin p(tl,t2)",
Annex B: Te m pora l Definitions and Theorems 221
REPEAT GEN_TAC THEN REWRITE_TAC[Fin;Last;Keep;Not]
THEN BETA_TAC THEN EO_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN ASH_REWRITE_TAC[]);;
let lemma17 = prove_thm ('lemma17'.
"!p. Sometime p = True Until p",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Sometime;True;Until]);;
let lemma18 = prove_thm ('lemma18'.
"!p. Always p = Not(Sometime (Not p»",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Always;Sometime;Not]
THEN BETA_TAC
THEN CONV_TAC (DEPTH_CONV NOT_EXISTS_CONV)
THEN REWRITE_TAC[OE_MORGAN_THM;IHP_DISJ_THM]);;
let lemma19 = prove_thm ('lemma19',
"!p, Valid ep __> Sometime p)".
GEM_TAC THEN REWRITE_TAC[Valid;Sometime;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t"
THEN ASM_REWRITE_TACCLESS_EQ_REFLJ);;
let lemma20 = prove_thm ('lemma20',
"!p. Valid (Next p -_> Sometime p)",
GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Next;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "SUC tOO
THEN ASM_REWRITE_TACCLESS_EQ_SUC_REFLJ);;
let lemma21 = prove_thrn ('lemma21',
"!p. Sometime (Not p):; Not (Always p)",
Annex B: Te rn pore l Defi nit ious a nd Theorems 222
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TACCSometime;Not;Always]
THEN BETA_TAC
THEN CONV_TAC (DEPTH_CONV NOT_FORALL_CONV)
THEN REWRITE_TACCIMP_DISJ_THM;DE_MORGAN_THMJ);;
let lemma22 = prove_thm ('lemma22',
"!p q. Valid (Always(p-->q) -->
(Sometime p --> Sometime q»",
REPEAT GEN_TAC
THEN REWRITE_TACCValid;Always;Imp;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN EXISTS_TAC "t'"
THEN ASH_REWRITE_TAC[]);;
let lemma23 = prove_thm ('lemma23',
"!p q. Always (p And q) = (Always p) And (Always q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Always;And] THEN BETA_TAC
THEN GEN_TAC THEN EO_TAC
THEN REPEAT STRIP_TAC THEN RES_TAC);;
let lemma24 = prove_thrn ('lemma24',
"!p q. Sometime (p Or q) = (Sometime p) Or (Sometime q)II,
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TACCSometime;Or]
THEN BETA_TAC THEN GEN_TAC THEN EQ_TAC
THENL CREPEAT STRIP_TAC
THEN CoNV_TAC OR_EXISTS_CONV
THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TACC];
CoNV_TAC (DEPTH_CONV OR_EXISTS_CONV)
THEN CONV_TAC LEFT_IMP_EXISTS_CONV
THEN REPEAT STRIP_TAC
Annex B: Temporal Defi uitio us and Theorems 223
THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TAC[J));;
let lemma25 ; prove_thm ('lemma25',
"!p q. Valid «Always p And Always q) --> Alnys(p Or q»".
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Always;And;Or]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN ASM_REWRITE_TAC[]);;
let lemma26 ; prove_thm ('lemma26'.
"!p q. Valid (Sometime (p And q)
--> (Sometime p) And (Sometime q))".
REPEAT GEll_TAG
THEN REWRITE_TAC[Valid;Sometime;And;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_ TAC "t'" THEN ASM_REWRITE_ TAC 0) ; ;
let lemma27 = prove_thm ('lemma27'.
"!p q. Next (p And q) ; (Next p) And (Next q)",
REPEAT GEN_TAG THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Next;And] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemrna28 = prove_thm ('lemma28'.
"!p q. Next (p Or q) = (Next p) Or (Next q)".
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Next;Or]
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lemrna29 = prove_thm ('lemma29'.
"!p q. Next (p-->q) = Next p --> Next q".
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAG[Next;lmp)
Annex B: 'I'ern porn l Definitions and Theorems 224
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lemma30 = prove_thm ('lemma30',
"!p q, Valid «Always p And Sometime q)-->(p Until q)",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Always;Imp;And;Sometime;Until]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t'" THEN ASM_REWRITE_TAC[]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
let lemma31 = prove_thm ('lemma31',
"!p, Valid (Sometime(Next p) --> Next(Sometime p»",
GEN_TAC
THEN REWRITE_TAC[Sometime;Valid;Next;Imp]
THEN BETA_TAC THEN GEN_TAC
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_EXISTS_CONV)
THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "sue t'oo
THEN ASM_REWRITE_TAG[LESS_EQ_MONO]);;
let lemma32 = prove_thm ('lemma32',
"!p, Valid (Always(Sometime (Always p»
--> Sometime(Always p»",
GEN_TAC
THEN REWRITE_TAC [Always;Sometime;Imp;Valid]
THEN BETA_TAC THEN GEN_TAC
THEN CONV_TAG LEFT_IMP_FORALL_CONV
THEN EXISTS_TAG "tOO
THEN REWRITE_TAC[LESS_EQ_REFL]);;
let lemma33 = prove_thm ('lemma33',
"!p q , Valid ((Always p And Sometime q)
--> Sometime (p And q»",
REPEAT GEN_TAC
Annex B: Temporal Defl u it ious and Theorems 225
THEN REWRITE_TAC[Valid;Imp;And;Sometime;Always]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t'" THEN RES_TAC
THEN ASM_REWRITE_TAC[]);;
let lemrna34 = prove_thrn ('lemrna34'.
"!p. Valid (Ahrays(p-->q) --> Always p --> Always q)".
GEN_TAC THEN REWRITE_TAC[Valid;Always;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC);;
let lemrna35 = prove_thrn ('lemrna35'.
"!p. Valid «Always p)-->p)".
GEN_TAC THEN REWRITE_TAC[Valid;Always;Imp]
THEN BETA_TAC
THEN CONV_TAC (OEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN GEN_TAC THEN EXISTS_TAC lit"
THEN REWRITE_TAC(LESS_EQ_REFL]);;
let lemrna36 = prove_thrn ('lemma36'.
"!p. Next (Not p) = Not (Next p)".
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC(Next;Not] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemrna37 = prove_thm ('lemma37'.
"!p q. Valid (Next(p-->q) -_> (Next p __> Next q))".
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Next;Imp]
THEN BETA_TAC THEN GEN_TAG THEN STRIP_TAC);;
let lemrna38 = prove_thm ('lemma38'.
"!p. Valid «Always p)-->Next p)".
GEN_TAC
THEN REWRITE_TAC[Valid;Always;Next;Imp]
Annex B: Temponu Defi nit ious and Theorems------------------------------------------
226
THEN BETA_TAC
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN GEN_TAC THEN EXISTS_TAC "sue tOO
THEN REWRITE_TAC[LESS_EQ_SUC_REFLJ);;
let 1ernrna39= prove_thm ('lernrna39'.
"!p. Valid (Always p --> Next (Always p))".
GEN_TAC
THEN REWRITE_TAC[Va1id;Always;Imp;Next]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUME_TAC (SPEC "t" LESS_EQ_SUC_REFL)
THEN ASSUME_TAC LESS_EO_TRANS
THEN RES_TAC THEN RES_TAC);;
let 1ernrna40= prove_thm ('lemma40'.
" !p. Valid (p __> Sometime p )!",
GEN_TAC
THEN REWRITE_TAC[Va1id;Imp;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t"
THEN ASM_REWRITE_TACCLESS_EQ_REFL]);;
let lemma41 = prove_thm ('lemma41'.
"!p q. Valid (Always(p-->q)
_-> (Sometime p --> Sometime q»)".
REPEAT GEH_TAC
THEN REWRITE_TAC[Va1id;Always;Imp;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t'" THEN ASM_RE\~RITE_TAC[J
THEN RES_TAC) ;;
let lemma42 = prove_thm ('lemma42'.
"!p q. Valid (Allo1ays(p-->q)--> (Next p __> Next q»".
REPEAT GEH_TAC
Annex B: Tem pornl Defi n itio ns and T'heore m s 227
THEN REWRITE_TAC[Valid;Always;Imp;Next]
THEN BETA_TAG
THEN GONV_TAG(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN GEN_TAC THEN EXISTS_TAG "suc t"
THEN REWRITE_TAC[LESS_EQ_SUC_REFL]);;
let 1emma43 = prove_thm ('lernma43',
"!p q r ,
Valid «(Always p __> Always q) And
(Always q __> Always r»
__> (Always p __> Always r»",
REPEAT GEN_TAC
THEN REWRITE_TAC[Va1id;Always;Imp;And]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\tho
ASSUME_TAC(REWRITE_RULE[(e1 2 th)] (el 4 th»)
THEN ASSUM_LIST (\tho
ASSUME_TAC(REWRITE_RULE[(e1 1 th)] (e1 4 th»)
THEN RES_TAC); ;
let lemma44 = prove_thm ('lemma44'.
"!p q r .
Valid «(Always p __> Always q) And
(Always q -_> Sometime r»
_-> (Always p --> Sometime r»",
REPEAT GEN_TAC
THEN REWRITE_TAG[Va1id;Always;Imp;And;Sornetime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\tho
ASSUME_TAC(REI~RITE_RULE[(el 1 th)] (el 3 th»)
THEN ASSUM_LIST (\tho
ASM_REWRITE_TAG[REWRITE_RULE[(e11 th)] (e13 th)]»;;
let lemma45 = prove_thrn ('lemma45',
Annex B: Temporal Defi ui t ious and 'Eheoi-e ms 228
"!p q r. Valid(
«Always p __> Always q) And (Always q __> Next r»
__ > (Always p __ > Next r»".
REPEAT GEN_TAC
THEN REWRITE_TAC[Always;Imp;And;Next;Valid]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\th. ASSUME_TAC(
REWRITE_RULE[(el 1 th)] (el 3 th»)
THEN ASSUM_LIST (\th. ASM_REWRITE_TAC[
REWRITE_RULE[(el 1 th») (el 3 th)]»;;
let lemma46 = prove_thm ('lemma46'.
"!p q r. Valid(
«p-->Sometime q) And Always (q-->r»
__> (p-->Sometime r»",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Sometime;And;Imp;Always)
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\th. ASSUME_TAC(
REWRITE_RULE[(el 1 th)] (el 3 th}»
THEN POP_ASSUM MP_TAC
THEN CONV_TAe LEFT_IMP_EXISTS_CONV
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "t'"
THEN RES_TAC THEN ASM_REWRITE_TACO);;
let lemrna47 = prove_thm ('lemma47'.
"!p. w 0 /\ Valid(w-->Next w) ==> Valid(Always w)",
GEN_TAC
THEN REWRITE_TAC[Imp;Next;Valid;Always]
THEN BETA_TAe THEN REPEAT STRIP_TAC
THEN ASSUME_TAC (SPEC "w:num->bool" HIDUCTION)
THEN RES_TAC THEN ASH_REWRITE_TACO);;
let lemma48 = prove_thm ('lemma48'.
Annex B: Tern po ral Defi nit io us and T'lreo rem s 229
"!p q, Valid(p-->q) ==> Valid(Sornetime p --> Sometime q)".
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Sometime]
THEN BETA_TAC THEN DISCH_TAC
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "t'"
THEN RES_TAC THEN ASM_REWRITE_TAC[]);;
let lemma49 = prove_thm ('lemma49'.
"!p q r , Valid«(p And q) Until r)
--> «p Until r)And(q Until r)))".
REPEAT GEN_TAC
THEN REWRITE_TAe[Valid;And;Until;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAe "ti" THEN ASM_REWRITE_TAC[]
THEN GEN_TAC THEN POP_ASSUM HP_TAC
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV>
THEN EXISTS_TAe "t2" THEN REPEAT STRIP_TAe
THEN RES_TAe);;
let lemma50 = prove_thm ('lemma50'.
"!p q r , Valid«(Always p)And(q Until r)
-->«p And q)Until(q Until r») ".
REPEAT GEN_TAe
THEN REWRITE_TAC[Valid;Always;And;Until;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_ TAC lit1" THEN ASM_REWRITE_ TAC []
THEN REPEAT STRIP_TAC
THENL [EXISTS_TAe "t1"
THEN ASM_REWRITE_TAC[LESS_EO_REFLJ
THEN GEN_TAC THEN POP_ASSUM MP_TAC
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "t2" THEN REPEAT STRIP_TAC
THEN ASSUME_TAC(
SPECL ["t:num";"t1:num";"t2:num"] LESS_EO_TRANS)
Annex B: Temporal Defl ni t ions and Theorems 230
THEN RES_TAC;RES_TAC;RES_TAC]);
let lemmaSl = prove_thm ('lemmaSl',
"!p. Valid «(Not p) Until p) __> Sometime p)",
GEN_TAC
THEN REWRITE_TAC[Valid;Not;Until;Imp;Sometime]
THEN BETA_TAC THEN GEN_TAC
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_EXISTS_CONV)
THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "tl"
THEN ASM_REWRITE_TAC[]);;
let lemmaS2 = prove_thm ('lemmaS2',
"!p. Valid p ==> !n. ?t. Mapped p n t",
REWRITE_TAC [Valid]
THEN GEN_TAC THEN DISCH_TAC THEN INDUCT_TAC
THENL [REWRITE_TAC[Mapped;First]
THEN BETA_TAC THEN EXISTS_TAC "0"
THEN REWRITE_TAC[NOT_LESS_O]
THEN POP_ASSUM MP_TAC
THEN REPEAT STRIP_TAC
THEN ASM_REWRITE_TAC[];
POP_ASSUM MP_TAC
THEN REWRITE_TAC[Mapped]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "0" THEN EXISTS_TAC "t"
THEN ASM_REWRITE_TACO
THEN REWRITE_TAC[Last;NOT_LESS_O]
THEN ASM_REWRITE_TAC(]]);;
let lemmaS3 = prove_thm ('lemmaS3'.
"!p n. Valid p ==> Mapped p n (p Proj n)".
REWRITE_TAC[Valid;Proj]
THEN CONV_TAC (DEPTH_CONV SELECT_CONV)
Annex B: Temporal Definitions and 'T'heo reru s 231
THEN GEN_TAC
THEN INDUGT_TAG
THENL [REWRITE_TAG[Mapped;First]
THEN BETA_TAC
THEN DISGH_TAG
THEN EXISTS_TAC "0"
THEN ASM_REWRITE_TAG[NOT_LESS_O];
STRIP_TAG THEN RES_TAG
THEN EXISTS_TAG "t"
THEN REWRITE_TAC[Mapped]
THEN BETA_TAC
THEN EXISTS_TAG "t"
THEN ASM_REWRITE_TAG[Last;LESS_ANTISYM]]
) ; ;
let lemma54 = prove_thm ('lemma54'.
U!p n. Valid p ==> p (Proj p n)".
GEN_TAG THEN REWRITE_TAG[Valid]
THEN INDUCT_TAC
THENL [REWRITE_TAC[Proj;Mapped]
THEN BETA_TAe THEN DISCH_TAC
THEN ASM_REWRITE_TAC[First];
REPEAT STRIP_TAC
THEN REWRITE_TAC[Proj;Mapped]
THEN BETA_TAC THEN ASM_REWRITE_TAC[]]);;
let lemma55 = prove_thm ('lemma55'.
"!p. Validp =;:> In. ?It.l~appedpnt".
REWRITE_TAC[Valid] THEN GEN_TAC THEN DISCH_TAC
THEN INDUCT_TAC
THENL [CONV_TAC EXISTS_UNIQUE_CONV
THEN REWRITE_TAC[Mapped;First]
THEN BETA_TAG THEN STRIP_TAC
THENL [EXISTS_TAC "0"
Annex B: Tem poral Den uit ions and Theorems 232
THEN ASM_REWRITE_TAC[NOT_LESS_O];
ASM_REWRITE_TACO
THEN REPEAT STRIP_TAC
THEN POP_ASSUM MP_TAC
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "t"
THEN POP_ASSUM MP_TAC
THEN CONV_TAC LEFT_IHP_FORALL_CONV
THEN EXISTS_TAC "t'"
THEN REPEAT STRIP_TAC
THEN ASSUME_TAC LESSEQ
THEN RES_TAC
THEN ASSUME_TAC LESS_EQUAL_ANTISYM
THEN RES_TAC];
POP_ASSUM MP_TAC
THEN CONV_TAC (DEPTH_CONV EXISTS_UNIQUE_CONV)
THEN REPEAT STRIP_TAC
THENL [EXISTS_TAC "0"
THEN REWRITE_TAC(Mapped]
THEN BETA_TAC THEN EXISTS_TAC "t"
THEN ASM_REWRITE_TAC[Last;NOT_LESS_O];
POP_ASSUM MP_TAC THEN POP_ASSUM MP_TAC
THEN REWRITE_TAC[Mapped]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC]]);;
let lemma56 = prove_thm ('lemma56'.
"!p n t t'. Valid p ==>
«Mapped p n t /\ Mapped p n t') ==> (t=t'»",
GEN_TAC THEN REWRITE_TAC[Valid]
THEN INDUCT_TAC
THENL [REWRITE_TAC(Happed;First]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN POP_ASSUM MP_TAC
Annex B: Tempol'al Definitions and Theorems 233
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "t" THEN ASH_REWRITE_TACE]
THEN POP_ASSUM(\~hl.POP_ASSUM(\th2.
(ASSUME_TAC thl THEN (ASSUME_TAC th2»»
THEN POP_ASSUM MP_TAC
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "t'" THEN ASH_REWRITE_TACE]
THEN REPEAT STRIP_TAG THEN ASSUME_TAC LESSEQ
THEN RES_TAC THEN ASSUME_TAC LESS_EQUAL_ANTISYH
THEN RES_TAC;
POP_ASSUM MP_TAC THEN REWRITE_TAC[Mapped]
THEN BETA_TAG THEN REPEAT STRIP_TAC
THEN RES_TAG THEN RES_TAC]);;
let lemma57 = prove_thm ('lemrna57'.
"!p. Valid p ==> (p Proj n) < (p Proj (SUC n»".
GEN_TAC THEN REWRITE_TAC[Valid]
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN STRIP_TAG THEN POP_ASSUM (\th. ALL_TAC)
THEN POP_ASSUM MP_TAC
THEN COnV_TAC (DEPTH_CONV LEFT_IMP_FORALL_GONV)
THEN EXISTS_TAG "n"
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAG "suc n"
THEN ASM_REWRITE_TAC[LESS_SUC_REFL]);;
let lemma58 = prove_thm ('lemma58'.
"!p. Valid p ==>
!n t. CCp Proj n)<t /\ t ct p Proj (SUG n») ==> -p
GEN_TAC THEN REWRITE_TAG[Valid]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
t" .
%< - - __ - - __ - - -_- __ - _
More Temporal Theorems
Annex B: Temporal Definitions and TheOl'ems 234
_______________ - >%
let lemma59 = prove_thm ('lemma59',
"Ip q. Valid (p Equiv q) ==> (Valid p = Valid q)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Equiv]
THEN BETA_TAC THEN STRIP_TAC
THEN ASM_REWRITE_TAC[]);;
let lemma60 = prove_thm ('lemma60',
"!p q. Valid (p-->q) ==> Valid p ==> Valid q",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\t. MATCH_MP_TAC (el 2 t»
THEN ASM_REWRITE_TAC[]);;
let lemma61 = prove_thm ('lemma61',
"!p q. Valid (p And q) = Valid p /\ Valid q",
REPEAT GEN_TAC THEN REWRITE_TAC(Valid;And]
THEN BETA_TAC THEN CONV_TAC (DEPTH_CONV AND_FORALL_CONV)
THEN REFL_ TAC) ;;
let lemma62 = prove_thm ('lemma62',
"!p. Valid (p Equiv p)",
GEN_TAC THEN REWRITE_TAC[Valid;Equiv]
THEN BETA_TAC);;
let lemrna63 = prove_thm ('lemma63',
"!p. Valid (p _-> p)",
GEN_TAC THEN REWRITE_TAC[Valid;Imp]
THEN BETA_TAC);;
let lernrna64= prove_thm ('lemma64',
"!p q. Valid (p Equiv q) = Valid (q Equiv p)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Equiv]
THEN BETA_TAC THEN EO_TAC THEN STRIP_TAC
Annex B: Tem pOI'al Deft uit io us and T'heore ms.----------------------------------
235
THEN ASH_REWRITE_TACO);;
let lemrn~65 ~ prove_thrn ('lemrna65',
"!p q. Not(p And q) = (Not p) Or (No t q)",
REPEAT GEN_TAC THEN CONY_TAC FUN_EO_CONY
THEN REWRITE_TAC[Not;And;Or] THEN BETA_TAC
THEN REWRITE_TAC[DE_MORGAN_THM]
THEN REFL_TAC);;
let lemrna66 = prove_thrn ('lemrna66',
"!p q. Not (p Or q) = (Not p) And (Not q)",
REPEAT GEN_TAC THEN CONY_TAC FUN_EO_CONY
THEN REWRITE_TAC[Not;Or;And]
THEN BETA_TAC THEN REWRITE_TAC[DE_HORGAN_THM]
THEN REFL_ TAC) ;;
let lemrna67 = prov6_thrn ('lemrna67',
"!p q. (Not p) Or q = (p__>q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Not;Or;Imp) THEN BETA_TAC
THEN REWRITE_TAC[IMP_DISJ_THM]);;
let lemrna68 = prove_thrn ('lemma68',
"!p q r. Valid «(p Equiv q) And (q Equiv r»
__ > (p Equiv r»",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Equiv;And;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC[]);;
let lernma69 = prove_thm ('lemma69',
"!p q. (Cp-->q) And Cq-->p» = (p Equiv q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Imp;And;Equiv]
Annex B: Te m po i-al Defi u it io us and T'heo re m s 236
THEN BETA_TAC THEN GEN_TAC THEN EQ_TAC
THENL [STRIP_TAC THEN Eq_TAC
THEN ASH_REWRITE_TAC[];
STRIP_TAC THEN ASM_REWRITE_TACO]);;
let lemma70 = prove_thm ('lemma70',
"!p q r. Valid «Cp-->q) And Cq-->r» --> Cp-->r»",
REPEAT GEN_TAC THEN REWRITE_TAC[Imp;And;Valid]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN REPEAT RES_TAC);;
let lemma71 = prove_thm ('lemma71',
"!p q r. Valid «(p-->q) And (q Equiv r» --> (p-->r»",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;And;Equiv]
THEN BETA_TAC THEN REPEAT STRIP_TAC THEN RES_TAC
THEN ASSUM_LIST (\th. ASM_REWRITE_TAC[SYM (el 3 th)]»;;
let lemma72 = prove_thm ('lemma72',
"!p q r. Valid «(p Equiv q) And (q-->r» --> (p-->r»",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;And;Equiv]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN REPEAT RES_TAC);;
let lemma73 = prove_thm ('lemma73',
"!p q r. Valid «Cp-->q) And (q-->r»
--> (p-->(q And r»)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;And;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAC);;
let lemma74 = prove_thm ('lemma74',
"!p q r w. Valid «(p Equiv q) And (r Equiv w» -->
«p And r) Equiv (q And w»)",
Annex B: Temporal Definitions and T'heo re m s 237
REPEAT GEN_TAC
THEN REWRITE_TAC(Valid;Equiv;And;Irnp]
THEN BETA_TAC THEN REPEAT STRIP_TAG
THEN ASM_REWRITE_TAC(]);;
let lemma75 = prove_thm ('lemma75',
"!p q r. Valid «(p-->(q-->r» And (p-->q» --> (p-->r»",
REPEAT GEN_TAC THEN REWRITE_TAC(Valid;Imp;And]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC);;
let lemma76 = prove_thm ('lemma76',
"!p q r. p And (q And r) = (p And q) And r",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And] THEN BETA_TAC
THEN GEN_TAC THEN BOOL_CASES_TAC "(q:time->bool) nil
THEN REWRITE_TAC[]);;
let lemma77 = prove_thm ('lemma77'.
"!p q r. p Or (q Or r) = (p Or q) Or r",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Or] THEN BETA_TAC
THEN GEN_TAC THEN BOOL_CASES_TAC "(q:time->bool) nil
THEN REWRITE_TAC[]);;
let lemma78 = prove_thm ('lemma78',
"!p q r. p And (q Or r) = (p And q) Or (p And r)".
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And;Or] THEN BETA_TAC
THEN GEN_TAC THEN BOOL_CASES_TAC "(p:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma79 = prove_thm ('lemma79'.
"!p q r. CCp Or q) And r) = «p And r) Or (q And r»",
Annex B: TemporRI Definitions and T'h eo re m s~~--~~----~-----~~~~~~~--~--- 238
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And;OrJ THEN BETA_TAC
THEN GEN_TAC
THEN BOOL_CASES_TAC "(r:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma80 = prove_thm ('lemma80',
"!p q r. (p Or Cq And r ) = CCp Or q) And (p Or r»",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And;Or] THEN BETA_TAC
THEN GEN_TAC
THEN BOOL_CASES_TAC "Cp:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma81 = prove_thm ('lemma81',
"!p q r , CCp And q) Or r) = «p Or r) And (q Or r»)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[And;OrJ THEN BETA_TAC
THEN GEN_TAC THEN BOOL_CASES_TAC "Cr:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma82 = prove_thm ('lemma82',
"!po p And Not p = False",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[And;Not;False]
THEN BETA_TAC THEN GEN_TAC
THEN BOOL_CASES_TAC "(p:time->bool) n"
THEN REWRITE_TAC[]);;
let lemma83 = prove_thm ('lemma83',
"!po False And p = False",
GEN_TAC THEN CONV_TAC FUN_EQ_CoNV
THEN REWRITE_TAC[And;false]
THEN BETA_TAC);;
Annex B: Tempol'al Definitions and T'heor ems 239
let lemma84 = prove_thm ('lemma84',
"!p. p And False = False",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[And;False] THEN BETA_TAC);;
let lemma85 = prove_thm ('lemma85',
"!p. True And p = p",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[And;True]
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lernma86 = prove_thm ('lemma86'.
"!p. p And True = p",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[And;True]
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lemma87 = prove_thm ('lemrna87',
"!p. p Or Not p = True",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Or;Not;True]
THEN BETA_TAC THEN REWRITE_TAC[EXCLUDED_MIDDLE]);;
let lemma88 = prove_thm ('lemma88',
"!p. True Or p = True",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Or;True] THEN BETA_TAC);;
let lernma89 = prove_thrn ('lernrna89',
"!p. p Or True = True",
GEN_TAC THEN CONV_TAe FUN_EQ_CONV
THEN REWRITE_TAC[Or;True] THEN BETA_TAC);;
Annex B: Tem pot-al Definitions and Theorems 240
let lernma90 = prove_thm ('lemma90'.
"!p. False Or p = p",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Or;False] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma91 = prove_thm ('lemma91',
"!p. p Or False = p",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Or;False] THEN BETA TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma92 = prove_thm ('lernma92',
"!p q r Y. (p And q) And (r And w) =
(p And r) And (q And W)",
REPEAT GEH_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And) THEN BETA_TAC
THEN GEN_TAC
THEN BOOL_CASES_TAC "Cr:time->bool) nil
THEN REWRITE_TAC[]
THEN BOOL_CASES_TAC "(q:time->bool) n"
THEN REWRITE_TAC[);;
let lemma93 = prove_thm C'lemma93',
"!p. (p-->False) = Not p",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[And;Not;Imp;False) THEN BETA_TAC);;
let lemma94 = prove_thm C'lemma94',
"!p q. ValidCp-->q) /\ Valid p ==> Valid q",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp)
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\t. MATCH_MP_TAC (el 2 t»
THEN ASH_REWRITE_TACO);;
Annex B: Temporal Definitions and Theorems 241
let lemrna95 = prove_thm ('lemma95'.
"!p. Not(Sometime p) = Always(Not p)".
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC(Sometime;Always;Not] THEN BETA_TAC
THEN CONV_TAC (DEPTH_CONV NOT_EXISTS_CONV)
THEN GEN_TAC THEN EQ_TAe THEN REPEAT STRIP_TAC
THEN RES_TAC);;
let lemrna96 = prove_thm ('lemma96'.
"!p. Not(Always p) = Sometime(Not p)".
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Sometime;Always;Not]
THEN BETA_TAC THEN ONCE_REWRITE_TAC[NOT_EQ_REFLJ
THEN CONV_TAe (DEPTH_CONY NOT_EXISTS_CONY)
THEN GEN_TAC THEN EQ_TAC
THENt [REPEAT STRIP_TAC THEN RES_TAC THEN RES_TAC;
REPEAT STRIP_TAe THEN RES_TAe
THEN POP_ASSUM (ASSUME_TAe o(\th.
REWRITE_RULE[IMP_DISJ_THM] th»
THEN ASM_RE\O/RITE_TAC 0] ) ; ;
let lemma97 = prove_thm ('lemma97'.
"!p q. Valid (Always(p-->q) _-> (Always p _-> Always q»".
REPEAT GEN_TAC THEN REWRITE_TAC[Imp;Always;Valid]
THEN BETA_TAC THEN REWRITE_TAC[IMP_AND]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
let lemma98 = prove_thm ('lemma98',
"!p. Valid (Always p --> p)".
GEN_TAC THEN REWRITE_TAC[Imp;Always;Valid]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN POP_ASSUM MATCH_MP_TAC
THEN REWRITE_TAC[LESS_EQ_REFL]);;
Annex B: Tem po ral Defi uit ions and Theorems 242
let lemma99 = prove_thm ('lemma99',
"!p. Not(Next p) = Next(Not p )?",
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Not;Next]
THEN BETA_TAC THEN GEN_TAC THEN REFL_TAC);;
let lemmal00 = prove_thm ('lemmal00',
"!p qo Valid (Next(p-->q) --> (Next p --> Next q»",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Next;Imp]
THEN BETA_TAe THEN REPEAT STRIP_TAe
THEN ASH_REWRITE_TACO);;
let lemmal0! = prove_thm ('lemmatOt',
"!p. Valid (Always p --> Next p)",
GEN_TAC THEN REWRITE_TAC[Valid;Alllays;Next;Imp]
THEN REPEAT STRIP_TAe THEN BETA_TAe
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAe "suc tOO
THEN REWRITE_TAC[LESS_EQ_SUC_REFLJ);;
let lemma!02 = prove_thm ('lemmal02',
"!p. Valid (Al'iJaysp --> Next(Alliays p»",
GEN_TAC THEN REWRITE_TAC[Valid;Next;Imp;Always]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\to MATCH_MP_TAC Cel 2 t»
THEN MATCH_MP_TAC (
SPECL ["t:num";"SUC t";"tt:num"] LESS_EO_TRANS)
THEN ASM_REWRITE_TAC[LESS_EO_SUC_REFL]);;
let lemmal03 = prove_thm ('lemmal03'.
"!po Valid (Always(p-->Next p) __> (p-->Alliays p»",
GEN_TAC THEN REWRITE_TAC[Valid;Alllays;Next;Imp)
THEN BETA_TAC THEN INDUCT_TAC
Annex B: Temporal Deft nit ions and Theorems 243
THENL [REWRITE_TAC[ZERO_LESS_EO;IMP_AND]
THEN ASSUME_TAC(
ONCE_REWRITE_RULE[CONJ_SYM] INDUCTION)
THEN ASM_REWRITE_TAC[];
STRIP_TAC THEN STRIP_TAC THEN INDUCT_TAC
THENL [REWRITE_TAC[LESS_OR_EO;NOT_LESS_O;NDT_SUC];
REWRITE_TAC[LESS_OR_EQ;LESS_MONO_EQ;INV_SUC_EQ]
THEN ASM_CASES_TAC "(SUC t)<=tl"
THEN RES_TAC THEN ASM_REWRITE_TAC[]
THEN ASSUME_TAC LESS_EO THEN RES_TAC
THEN ASM_REWRITE_TAC[] THEN STRIP_TAC
THENL [ASSUM_LIST (\th. ASSUME_TAC
(REWRITE_RULE[(e19 th)] (el 6 th»)
THEN RES_TAC;
POP_ASSUM MP_TAC
THEN CONY_TAC CONCE_DEPTH_CONY SYH_CONY)
THEN STRIP_TAC THEN ASH_REWRITE_TAC[];
ASSUM_LIST C\th. ASSUME_TAC
(REWRITE_RULE[(el 7 th)] (el 4 th»)
THEN RES_TAC;
POP_ASSUM MP_TAC
THEN CONV_TAC (ONCE_DEPTH_CONY SYM_CONV)
THEN STRIP_TAC
THEN ASM_REWRITE_ TAC 0] J] ) ; ;
let lemmal04 = prove_thm ('lemmal04'.
"!p q. P Until q = q Or (p And Next Ip Until q»".
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Until;Or;And;Next]
THEN BETA_TAC THEN GEM_TAC THEN EO_TAC
THEN STRIP_TAC
THENL [ASM_CASES_TAC "n<tl"
THENL [MATCH_MP_TAC OR_INTRO_THM2
THEN ASSur~_LIST
Annex B: Tem poral Definitions and Theorems 244
(\th,ASH_REWRITE_TAC[REWRITE_RULE
[LESS_EQ_REFL;(e11 th)]
(SPEC "n:num" (e12 th»])
THEU EXISTS_TAC "tl:num"
THEN ASSUME_TAC LESS_EO
THEN RES_TAC THEN ASM_REWRITE_TAC[]
THEN REPEAT STRIP_TAC
THEN ASSUM_LIST (\th, ASSUME_TAC (REWRITE_RULE
[LESS_OR_EQ;(el 10 th);(e1 7 th)]
(SPEC "t2:num" (el 8 th))))
THEN RES_TAC THEN RES_TAC;
ASSUH_LIST (\th. ASM_REWRITE_TAC[REWRITE_RULE
[LESS_OR_EO;(ell th)] (el 4 th)])];
EXISTS_TAe "n:num"
THEN ASM_REWRITE_TAC[LESS_EQ_REFL]
THEN ONCE_REWRITE_TAC[CONJ_SYM]
THEN REWRITE_TAC[LESS_EO_ANTISYM];
EXISTS_TAC "tl:num" THEN IMP_RES_TAC LESS_EO
THEN ASM_REWRITE_TAC[LESS_OR_EQ]
THEN REPEAT STRIP_TAC
THENL [ASSUME_TAC LESS_EO THEN RES_TAC;
POP_ASSUM (\t. ALL_TAC) THEN POP_ASSUM MP_TAC
THEN CONV_TAC (ONCE_DEPTH_CONV SYM_CONV)
THEN STRIP_TAC THEN ASM_REWRITE_TAC[]]]);;
let lemmal0S = prove_thm ('lemmalOS' I
"!p q. Valid «p Until q) --> Sometime q)" I
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Until;Sometime;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "tl :num" THEN ASM_REWRITE_TAC[]);;
let lemmal06 = prove_thm ('lemmal06' I
"!p q. p-->q = «Not q) --> (Uot p»".
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
Annex B: Tem po rn l Definitions and Theorems 245
THEN REWRITE_TAG[Imp;Not] THEN BETA_TAG
THEN REWRITE_TAC[IMP_DISJ_THM]
THEN GEN_TAC THEN EO_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC[]);;
let lemmal07 = prove_thrn ('lernrnal07',
"Ip. Not(Not p) = p",
GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Not] THEN BETA_TAC
THEN REWRITE_TAG(]);;
let lemmalOa = prove_thm ('lemmal0a',
"!p. Valid p ==> Valid(Always p)",
GEN_TAG THEN REWRITE_TAC[Valid;Always]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAG(]);;
let lemmal09 = prove_thm ('lemmal09',
"!p. Valid p ==> Valid(Next p)",
GEH_TAC THEN REWRITE_TAC(Valid;Next]
THEN BETA_TAC THEN STRIP_TAC THEN INDUCT_TAC
THEN ASH_REWRITE_TAC(]);;
let lemmallO = prove_thm ('lemma!!O',
"!p. Valid (p-->Sometime p)",
GEN_TAC THEN REWRITE_TAG[Valid;Sometime;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC THEN EXISTS_TAG "t"
THEN ASH_REWRITE_TAG[LESS_EQ_REFLJ);;
let lemmal!! = prove_thm ('lemmall1'.
"Ip. Valid p ==> Valid(Sometime p)",
GEN_TAC THEN REWRITE_TAC(Valid;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "t"
Annex B: Temporal Defi uit ions and Theorems 246
THEN ASM_REWRITE_TAC[LESS_EQ_REFLJ);;
let lemmal12 = prove_thm ('lernrna112',
"!p. Valid «Next p) --> Sometime p)",
GEN_TAC THEN REWRITE_TAC[Valid;Next;Sometime;ImpJ
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "SUC tOO
THEN ASM_REWRITE_TAC[LESS_EQ_SUC_REFL]);;
let lemmal13 = prove_thm ('lernrnal13',
"!p q. Valid (p-->q) ==> Valid(Always p --> Always q)",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Always]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAC);;
let lernma114 = prove_thm ('lemma114',
"!p q. Valid (p-->q) ==> Valid(Sometime p --> Sometime q)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Sometime;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TAC[]);;
let lemma115 = prove_thm ('lemma115',
"!p q. Valid (p-->q) ==> Valid(Next p -->Next q)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;Next]
THEN BETA_TAC THEN STRIP_TAC
THEN ASM_REWRITE_TAC[]);;
let lemma116 = prove_thm ('lemma116'.
"!p. Valid (p-->Next p) ==> Valid(p-->Always p)",
GEN_TAC THEN REWRITE_TAC[Valid;Always;Next;Imp]
THEN BETA_TAC THEN STRIP_TAC THEN INDUCT_TAC
THENL [REWRITE_TAC[ZERO_LESS_EQ]
Annex B: Te m poral Defi u itio us and Theorems 247
THEN POP_ASSUM MP_TAC
THEN REWRITE_TAC[IMP_AND]
THEN ASSUHE_TACC
ONCE_REWRITE_RULE[CONJ_SYM] INDUCTION)
THEN ASM_REWRITE_TAC[];
STRIP_TAC THEN INDUCT_TAC
THENL [REWRITE_TAC [LESS_OR_EQ; NOT_LESS_O; NOT_SUC] ;
REWRITE_TAC[LESS_OR_EQ;
LESS_MONO_EQ;INV_SUC_EQ]
THEN ASM_CASES_TAC "(SUC t)<=tl" THEN RES_TAC
THEN ASSUME_TAC LESS_EQ THEN RES_TAC
THEN ASM_REWRITE_TAC[] THEN STRIP_TAC
THENL [ASSUME_TAC SUC_LESS_SUC
THEN RES_TAC THEN RES_TAC;
ASSUM_LIST (\th. ASM_REWRITE_TAC[
REWRITE_RULE [(ell th)] (e1 8 th»));
RES_TAC THEN RES_TAe;
ASSUM_LIST (\th. ASM_REWRITE_TAC[
REWRITE_RULE [(ell th») (e17 th»)))));;
let lemma117 = prove_thm {'lemmal17',
"!p. Always p = Always (Always p)II,
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Always] THEN BETA TAC
THEN GEN_TAC THEN EQ_TAC
TRENt [REPEAT STRIP_TAC THEN ASSUME_TAC LESS_EQ_TRANS
THEN RES_TAC THEN RES_TAC;
REPEAT STRIP_TAC
THEN ASSUME_TAC (SPEC "n:num" LESS_EQ_REFL)
THEN RES_TAC] );;
let lemma118 = prove_thm C'lemma118',
"!p. Sometime p = Sometime (Sometime p)II,
GEN_TAC THEN CONV_TAC FUN_EQ_CONV
Annex B: Temporal Defi n it io us and Theorems 248
THEN REWRITE_TACCSometime] THEN BETA_TAC
THEN GEN_TAC THEN EO_TAC
THENL [REPEAT STRIP_TAC THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TAC[] THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TACCLESS_EO_REFL];
STRIP_TAC THEN EXISTS_TAC "t" :num"
THEN ASSUME_TAC LESS_EO_TRANS
THEN RES_TAC THEN ASM_REWRITE_TAC[]]);;
let 1emmal19 = prove_thm ('lemma119',
"!p q. Valid(Always(p-->q»
==> Valid(Sometime p -_> Sometime q)",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Always;Imp;Sometime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN EXISTS_TAC "t'"
THEN ASH_REWRITE_TAC[]);;
let lemma120 = prove_thm ('lemma120',
"!p q. Always(p And q) = (Always p) And (Always q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Always;And] THEN BETA_TAC
THEN GEH_TAC THEN EO_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC);;
let lemma121 = prove_thm ('lemma121',
"!p q. Sometime(p Or q) = (Sometime p) Or (Sometime q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EO_CONV
THEN REWRITE_TAC[Sometime;Or] THEN BETA_TAC
THEN GEN_TAC THEN EO_TAC
THENL (REPEAT STRIP_TAC THEN CONV_TAC OR_EXISTS_CONV
THEN EXISTS_ TAC lOt'" THEN ASM_RE!~RITE_TAC C] ;
STRIP_TAC THEN EXISTS_TAC "t'"
THEN ASM_REWRITE_TAC[]]);;
Annex B: Te m poi-al Defi ui t io ns a ud T'heo rerns-------------------------------------------- 249
let lemrna122 ::prove_thm ('lemma122',
"!p q. Valid «Always p Or Always q) --> Always(p Or q»",
REPEAT GEN TAC THEN REWRITE_TAC(Valid;Always;Or;Irnp]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN ASM_REWRITE_TACO);;
let lemrna123 = prove_thrn ('lemrna123',
"!p q. Valid (Sornetime(p And q)
--> (Sometime p And Sometime q)",
REPEAT GEN_TAC
THEN REWRITE_TAC(Valid;Sometime;Imp;And]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC"t'" THEN ASH_REWRITE_TAC[]);;
let lernma124 = prove_thm ('lemrna124',
"!P q. Valid «(Always p) And (Sometime q))
--> Sometime(p And q»)II,
REPEAT GEH_TAC
THEN REWRITE_TAC[Valid;Always;And;Imp;Sornetime]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN EXISTS_TAC lit"'
THEN ASH_REWRITE_TAC(]);;
let lernma125 ::prove_thm ('lemma125',
"!p q. Next(p And q) ::«Next p) And (Next q)",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Next;And] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemrna126 = prove_thm ('lemma126',
"!p q. Next(p Or q) :: «Ne:n: p) Or (Next q»",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Next;Or] THEN BETA_TAC
Annex B: Tem pora l Defi n it.ions a ud T'heorerns 250
THEN GEN_TAC THEN REFL_TAC);;
let lemma127 = prove_thm ('lemma127',
"!p q. Next(p-->q) = «Next p)-->(Next q»",
REPEAT GEN_TAC THEN CONV_TAC FUN_EC_CONV
THEN REWRITE_TACClmp;Next] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma128 = prove_thm ('lemma128',
"!p q. Next(p Equiv q) = «Next p) Equiv (Next q»",
REPEAT GEN_TAC THEN CONV_TAC FUN_EQ_CONV
THEN REWRITE_TAC[Next;Equiv] THEN BETA_TAC
THEN GEN_TAC THEN REFL_TAC);;
let lemma129 = prove_thm ('lemma129',
"!p. Valid(p And (Sometime(Not p»)
==> Valid(Sometime(p And (Next p»)",
GEN_TAC
THEN REWRITE_TAC[Valid;And;Sometime;Not;Imp;Next]
THEN BETA_TAe THEN REPEAT STRIP_TAe
THEN EXISTS_TAC "t" THEN ASM_REWRITE_TACCLESS_EQ_REFL]);;
let lemma130 = prove_thm ('lemma130',
"!pi p2 ql q2.
(Valid (pl-->p2» /\ (Valid(p2-->(Always ql»)
/\ (Valid(ql-->q2» ==> (Valid(pl-->(Always q2»)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;Always]
THEN BETA_TAe THEN REPEAT STRIP_TAC THEN RES_TAe
THEN RES_TAC THEN RES_TAC);;
let lemma131 = prove_thm ('lemma131',
"!p1 p2 ql q2.
(Valid (pl-->p2» /\ (Valid(p2-->(Sometime ql»)
/\ (Valid(ql-->q2» ==> (Valid(pl-->(Sometime q2»)",
Annex B: Temporal Defi nitio ns a nd Theorems 251
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;Sometime]
THEN BETA_TAG THEN REPEAT STRIP_TAG THEN RES_TAC
THEN RES_TAC THEN EXISTS_TAG "t'"
THEN ASM_REWRITE_TAC[] THEN RES_TAC);;
let lemma132 = prove_thm ('lemma132'.
"'pi p2 qi q2.
(Valid (pl-->p2» /\ (Valid(p2-->(Next ql»)
/\ (Valid(ql-->q2» ==> (Valid(pl-->(Next q2»)",
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;Next]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAG THEN RES_TAC);;
let lemma133 = prove_thm ('lemma133'.
OI!pq r. Valid( (p-->Always q) And (q-->Always r)
==> Valid(p-->(Always r»".
REPEAT GEN_TAC
THEN REWRITE_TAG[Valid;Always;Imp;And]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAC THEN POP_ASSUM HP_TAC
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC lit'"
THEN REWRITE_TACCLESS_EQ_REFLJ);;
let lemma134 = prove_thm ('lemm~134'.
"!p q r. Valid «p-->Sometime q) And (q-->Sometime r»
==> Valid(p-->Sometime r)",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Sometime;And]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAG
THEN ASSUME_ TAC (SPEGL ["t :num" ;lOt):num" ;"t )I ) : num"]
LESS_EQ_TRANS)
THEN RES_TAC THEN EXISTS_TAC "t' II :num"
Annex B: Temporal Defi n itio us and Theorems 252
THEN ASM_REwRIrE_rAc[]);;
let lemma135 = prove_thm ('lemma135',
"!p q r. Valid(
Cp-->Sometime q) And (r-->(q And (p And (Next r»»)
==> Valid(r-->(p Until q»",
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Imp;Sometime;Or;And;Next;Until]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "tilTHEN REWR.ITE_TAC(LESS_EQ_REFL]
THEN RES_TAC THEN ASM_REWRITE_TAC[]
THEN REPEAT STRIP_TAC
THEN ASSUME_TAC(
SPECL[lt2:numl;"t:num"]LESS_IMP_LESS_OR._EQ)
THEN ASSUH_LIST(\th. ASSUME_TAC(
REWRITE_RULE [eel 2 th)](el 1 th))
THEN ASSUM_LIST (\th. ASSUME_TAC (REWR.ITE_RULE
[(e14 th);(el 1 th)] (SPECL["t:numl;lt2:num"]
LESS_EQUAL_ANTISYM)))
THEN ASSUM_LIST (\th. ASM_REWRITE_TAC [
REWRITE_RULE [(ell th)] Cel 7 th)]»;;
let lemma136 = prove_thm ('lemma136',
"!pl p2 ql q2. (Valid(pl-->p2» /\ (Valid(ql-->q2)) ==>
(Valid «p1 Until qi ) --> (p2 Until q2»)II,
REPEAT GEN_TAC THEN REWRITE_TAC[Valid;Imp;Until]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "tl" THEN RES_TAC
THEN ASH_REWRITE_TAC[] THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAC);;
let lemma137 = prove_thm ('lemma137'.
"!p q.
Valid «(Always p) And (Sometime q) --> (p Until q»",
Annex B: Tem po rn l Defi u it ions and Theorems 253
REPEAT GEN_TAG
THEN REWRITE_TAC[Valid;Always;And;Sometime;Until;Imp]
THEN BETA_TAC THEN REPEAT STRIP_TAG THEN EXISTS_TAG Ut'"
THEN ASM_REWRITE_TAG[] THEN REPEAT STRIP_TAG
THEN RES_TAG);;
let lemma138 = prove_thm ('lemma138'.
U!p q r. Valid «(Always p) And (q Until r» -->
Up And q) Until (p And r»)".
REPEAT GEN_TAG
THEN REWRITE_TAG[Until;Valid;Imp;Always;And]
THEN BETA_TAG THEN REPEAT STRIP_TAG
THEN EXISTS_TAC "ti" THEN RES_TAC
THEN ASM_REWRITE_TACC] THEN REPEAT STRIP_TAG
THEN RES_TAC);;
let lemma139 = prov9_thm ('lemma139'.
"!p q r. Valid (p Until (q And r»
--> «p Until q) And (p Until r»)".
REPEAT GEN_TAC
THEN REWRITE_TAC[Valid;Until;And;Imp]
THEN BETA_TAG THEN REPEAT STRIP_TAG
THEN EXISTS_TAC "tl:num" THEN ASM_REWRITE_TAC[]);;
let lemma140 = prove_thm ('lemma140'.
"!p q r.
Valid (Lp Until (q And r) -->«p Until q) Until r»".
REPEAT GEN_TAG THEN REWRITE_TAC[Valid;Until;And;ImpJ
THEN BETA_TAC THEN REPEAT STRIP_TAe
THEN EXISTS_TAC"t1" THEN REPEAT STRIP TAC
THENL [ASM_REWRITE_TACO;
ASM_REWRITE_TAC[];
EXISTS_TAC "t1"
THEN ASSUM_LIST(\th.
Annex B: Tern por al Defi n it ions and Theorems 254
ASSUME_TAC(REWRITE_RULE[(el 1 th)]
(SPEGL ["t2:num";"tl:num"]LESS_IMP_LESS_OR_EQ)))
THEtI ASM_RE\~RITE_TAG [] THEN REPEAT STRIP _TAC
THEN ASSUM_LIST(\th.ASSUME_TAG(
REWRITE_RULE[(e15 th);(el 2 th)]
(SPEGL ["t: num" ;"t2:num" ;"t2' :num"] LESS_EQ_ TRANS)))
THEN RES_TAC]); ;
%<---------------------------------------------------------->
Annex C: HOL Specification of
DBW Controller
C.l Definitions
Mode_TY_j)EF
f- 3,·ep. TYPE_DEFINITION (TRP (Av u. (v = 1NL one) /I. (LENGTH tl = 0) V
(v = INR (1NL one» /I. (LENGTH II = 0) V (v = INR (INR (1NL one)) /I.
(LENGTH 11=0) V (1' = INR (INR (INR (1NL one)))) /I. (LENGTH t/ = 0) V
(v = INR (INR (INR (INR (1NL one»») /I. (LENGTH t l = 0) V
(v = INR (INR (INR (INR (INRone»)) /I. (LENGTH tl = 0») rep
Mode..ISO_j)EF f- ('tIa. A BS_I'vlode (REP_Mode fI) = Cl) /I. ('til'. TRP ('\u tI. (v = 1NL one) /I.
(LENGTH it = 0) V (v = INR (1NL one) /I. (LENGTH tI = 0) V
(v = INR (INR (1NL cnejj) /I. (LENGTH tl = 0) V
(v = INR (INR (INR (1NL one l l l] 1\ (LENGTH il = 0) V
(v = INR (INR (INR (INR (1NL one))) /I. (LENGTH 11=0) V
(u = INR (INR (INR (INR (INR one))))) /I.
(LENGTH II = 0)) I = (REP_Mode (ABS_Mode 1') = 1'»
Reset..DEF f- Reset = ABS_rvlode (Node (1NL one) [j)
Idle..DEF f- Idle = f.\BS_Mode (Node (INR (1NL one» (ll
Traction..DEF f- Traction = ABS_lVlode (Node (INR (INR (1NL one j I) (ll
Shutdown...DEF f-- Shutdown = ABS_Mode (Node (INR (INR (INR (1NL one»)) (ll
Manual..DEF f-- Manual = ABS_Mode (Node (INR (INR (INR (INR (1NL one»») [J)
Cruise...DEF f- Cruise = ABSJvlode (Node (INR (INR (INR (INR (INR one»»)) [j)
RUNNING...DEF f-- 'tis. RUNNING ...= FST .'
Annex C: HOL Specificat.ion of DBvV Co ntro ller 256
GEAR-.DEF I-V.'i.GEAR.,:o:: FST (SND.s)
BRAKE-.DEF I- V ....BRAKE., :0:: FST (SND (SND .,))
WATCHOUT-.DEF I- Vs. WATCHOUT, = FST (SND (SND (SND 8)))
WFAILED-.DEF I- V.,. WFAILED., = FST (SND (SND (SND (SND si)))
OVERTEMP-.DEF I- V;;. OVERTEMP s = FST (SND (SND (SND (SND (SND si))))
IDLE_l)EF I- "Is. IDLE .'; = FST (SND (SND (SND (SND (SND (SND sill)))
TRACTION-.DEF I- VS. TRACTION .' =
FST (SND (SND (SND (SND (SND (SND (SND -nm»
CRUISE-.DEF I- "18. CRUISE,.; =
FST (SND (SND (SND (SND (SND (SND (SND (SND »mn»
RESUME-.DEF I- Vs. RESUME ...= FST (SND (SND (SND (SND
(SND (SND (SND (SND (SND 8)))))))))
DEMAND.DEF I- Vs. DEMAND s = FST (SND (SND (SND (SND (SND
(SND (SND (SND (SND (SND -nnnn»
SPEED-.DEF I- VS. SPEED s = FST (SND (SND (SND (SND (SND
(SND (SND (SND (SND (SND (SND s)))))))))))
FBANG-.DEF I- Vs. FBANG s = SND (SND (SND (SND (SND (SND
(SND (SND (SND (SND (SND (SND 05)))))))))))
R_COND..DEF I- V/'t/llII i ui], R_COND ruun iuq = (Al. Not rUI/Hill!) I)
lLCOND-.DEF I- Vmo!lf idlr /)1'01..'( !lr(II·.
LCOND i n u»!«, i.l]. ./JI'Id·f.fj'·III') =
(,\l.((lIlOdf=Manual) V (IIIn,11 =Cruise) V (1II1J(Ip=ldle)) /\ id/el /\
(In'oh 1 V ~!I,al'/)1
S_COND-.DEF I- V//'ale/IIIIII o t, I'i, "'1' .'10/'.
S_COND (/('(11"/10111. orc rt i III/). _,/0/') =
(At. u-at cliout 1 If o t:« rl r '"/) 1 V :'/0/')
C_COND-.DEF I- VCI'IIi8r spr rs! rcs u t u« fa/iil_Cl'uist flUII' iuodr demand brake,
C_COND t cru isr. "/'" d. I'f'.' u u u . 1'1I/irl_(.'l'lIi.,p, !INn', mode, derruuul, b'l'a/a) =
Pt. (cl'lIi." I. /\ ~'I" {(I Eq 01 /\ (1lIOrip = Manual) V
Annex C: HOL Specification of DBvY Controller 257
-'(sperd 1< ,/('II/(/IIt! /) /\ -,!J/'ah I /\ i niodr = Cruise) V I'eool/Ill/, t /\
volid.rrui.« /\ (/110'/(' = Idle)) /\ !!fllr I.)
T_COND..DEF I- Ifmode Irae! iOIl "I" ed [leCLI' ull«.
T _CON D i inode . I rod io n, "lleed, !leal', idle) =
(At. ((IlIodr = Manual) V (II/odl' = Traction)) /\ traction I /\
speed Eq 0 I /\ -'~/NII' t /\ <idl e I)
Dir_TY..DEF I- 31'1',]1. TYPE_DEFINITION (TRP PlI u. (v = 1NL one) /\ (LENGTH tl = 0) V
(v = INR (1NL one)) /\ (LENGTH /I = 0) V (v = INR (INR (1NL one))) /\
(LENGTH 11= 0) V ((I = INR (INR (INR one))) ./\ (LENGTH 1I = 0))) rep
Dir_ISO..DEF I- (Va. ASS_Dir (REP_Dir (I) = 0) /\ (ifI'. TRP (,\1' fl. (II = 1NL one) /\
(LENGTH 11=0) V (Il = INR (1NL one)) /\ (LENGTH tI = 0) V
(v = INR (INR (1NL one))) /\ (LENGTH u = 0) V
{u = INR (INR (INR one))) /\
(LENGTH tl = 0)) I' = (REP_Dir (ABS_Djr I') = 1'))
CloseJ)EF f- Close = ABS_Djr (Node (IN Lone) [])
ForYardJ)EF f- Forward = ABS_Dir (Node {INR (1NL one)) [])
Backilard..DEF f- Backward = ASS_Djr (Node (INR (INR (1NL one))) [J)
NeutralJ)EF I- Neutral = ABS_Dir (Node (INR {INR (INR one))) [j)
PWMJ)EF f- VPWnlJlcI. ans; driu .
PWM (plI·/I1_acl.oll!l.de1l1) =
ILLEGAL
((dem. = 0) ::;. Close I
((clem> allY) => ({JilI'IIIJI('/ = Forward) => Neutral I Forward) I
({an!! > ,Ifill)::;' ((JIII'IIU/CI = Backward) => Neutral I Backward) I
Neutral)) )
I-Ifb p.ILLEGAL h II = i», -,Xor2 (/1. b) I)
DecodeSig...DEF f-If ..,i!l 1'IIIIIIillfil fIWI'IIJ/·,11.:t1 u-ul ch oull 1L'.f([iledt ore rl cm pt
idlct /.1'([diOIlI cru ts» I 1'( .'"11/11 drnnt n d! sJicult III(llIyl.
DecodeSig ( ...i'l. ru nntntt! , !Ie II I'! .In-ukcl, 1I.'oLchollll. wJ([ilcdl,
01'(' /'If Ill/II. idlF! .11'''1'1 iO/lI. ('I'I/ i.~r/ . 1'('1> II IlH?I. rle I/I!ll/dl., 8Jifedl, jlmn fit) =
(Vt. rUllllill!!1 !. !!wd /..111'(1"':1 I. Il'ILlc/wult I. wf(liledl t. oL'erlempl t.
idlet t.lme/inn! I. ('l'lIi •.;cl 1.,·('oolIl1Id t.demandl f.speedll.jbangt I = si!l t)
Annex C: HOL Specification of DBW Controller 258
NextState.DEF I- \:j.<; 1//1)(11' 1·"lit/Jrlli.," IJI/"IIUlti.
NextState (", iu ot], . "di,I_''I'lIi,w, 111I'III_ad) =
(,\t.iet ru n u i u q = RUNNING s ill
(let yew' = GEAR ..; ill
(let brakr = BRAKE, in
(let lL'al"'/I)1I1 = WATCHOUT " ill
(letlcJllilrd = WFAILED sill
(let oncrt cm p = OVERTEMP" ill
(let id!« = IDLE ..; ill
(let /,'({('I ion = TRACTION "ill
(let crnl-:« = CRUISE" ill
(let "'C.'illlllt' = RESUME ., ill
(let de IIIU lid = DEMAND s ill
(let s peed. = SPEED" ill
(let J/IIlI/!! = FBANG ,'i ill
(let st ou.oi: = ILLEGAL idle (Not t demand Eq 0)) t V IVJailed t V
(mode = Shutdown)) in
(let re set sok: = R_COND ruun inu L ill
(let cruise.ol: = ("'f sei.ol: 1\
C_CON D icruise , spc etl, reSllllle, cal id.cruise, !lear, mode, demand. b,'ake) t) in
(let tract ion.ok = (,/,c8eLok 1\
T_(OND (1110(/",/""('/;011,,'/' r.l, !/t:(I1', idle) I) ill
(let "!I,,f,/OIl'ILOA' = S_COND (lI'alc/wltt, ore rt emp, Mop_ok) t ill
(let idle_Ill.: = ('1'181'/_111.' 1\
L(OND (111011(. idlr-.llI'(l~·I·, !I(t/I') t) ill
(let r({litl_(, = ((lIIutl, = Cruise) => -'/,1':,e1_01.·, (,I/Iicl_c"llisf) ill
i reset sol: = (Reset.l,fli.J_("PWM (J11I'III_ad.Jhal/(lI,O)'
(s"ttfr!UII'II_OA' = (Shutdown, rul i.l,r. PWM (j/1l'lIulrl. [luuu; z.o) I
(idle_ok = (Idle, I .ilid:«, PWI\'1 (/1I1'lIulc·l. lliulIg 1.1) I
i cr u! ..;,,_ok "'" (Cruise, rul nl;«, PWM (/fICIIUlri. //)011(/1, speed t) I
(il'uelioll_iIl' => (Traction, ootid:«. PWM (tJII'IIUICf, Ibany t . demand t),
(Manual, F, PWM (/IIIIII_{J('/,J'/'rlll!l ti de ma nr; f))))))))))))))))))))))))))
BACK-BEHAV..DEF I- '</"Ifft uiodr t rul itl :«! lill'IIUlctt.
BACICBE HAV (.,1,/1, /I/O", I, 1'01 id .ct . ]11l'IIUICIl) =
Annex C: HOL Specification of DBW Co nt ro ller 259
(.At. NextState (.,i!ll I. II/()(/< t I.!"o/id_et l.jlll'lIulcl/ /) 1=
modr! (I + 1), ral id :«! (f + 1),/J{{,IIUICIl (I + 1))
DecodeCrtl r 'r//i/('IIIJld Inl'lI'ril'd fmd'u'!lnllli 1111'1// cl ose .
DecodeCtri (/'II'III_od, /IJI'{("I//"(/, hor-!.'{!"o/'d, 111'1"1'(11, cl o...e) =
(>'1, (fo/'II'(/'I'I/1 = (f,{('III_tl('/ = Forward)) 1\
(back ll'(/ I'd l = (JIII'I/UlcI = Backward)) 1\
i ne ul r al t = (plI'l/uld = Neutral)) 1\
i cloee I. = (JJII'III_od = Close)))
Accelerate....DEF I- 'r/«(:/_, ...tar/ [oruard,
Accelerate (01'1_,;101'1, JOl"ll'llrd) = «ct ist ar! And [oru.ord
Decelerate....DEF r 'r/ftcL,;tar/ "((('/.;teare/.
Decelerate (ueL.;lurl, bad:wal'd) = oct.start And backward
RESPONSE....DEF f- V [oru-n rrl bad:u'ard ne ut ral oul.p ul. act.start.
RESPONSE (j'orll'rtl'ri.lwckn·(ll'(i, neutral, output, act.siartv =
p.t, (fOI'/((/.I·(/ I ~ (Oil! put Within Len act.start 10) When oct.start I
(barktl'(Lrd t ~ (olll/Illt Within Len act.start 10) When oct.start I
!letttraft))
REGISTER....DEF f- VClcL~I()Jl £I,d_,.;ll/rl. ne ul rul .
REGISTER (lIcL,lo/l, arl sst ar]: IIcllil'a/) =
(M,Always (((u'Lslop And Not neutNtl)
_. (acl_,,'ur! Within Len (Not lIeu.tntl) 5)) t)
Below....DEF f- 'r/pO.'i II"!!. po, .. Below (I/tll = (,\t. p08 Eq (PRE any) t}
Above....DEF r 'r/J1V$ III1Y,tl!)"; Above a"1{ = (,\t,/,ns Eq (SUC al/y) t)
TRANSIT....DEF r 'r/accdu'u/ill'l ri, (', lr rat im],
TRANSIT i arri l, rultus}, ,1,,'( /"I'l/liIlY) =
(,\t, (Vpo., (lilY, Always (((f/('u-/rrf//ifl!l And Not (pas Below an.y))
_ (Not (jJ(),' Below nl'!f) Within Len IIccc/rl'ntillf/2))
And ((dFf'r/uoliIlY And Not (/,0,' Above (l1I!/))
_ (Not (/IU.' Above I/I/Ill Within Len dtCelf.l'alill(12))) I))
POS...DIR....DEF r 'r/acL,/o/J </i,!,< II r,lIill!1 d(('r/FI'Olill,il c/o"" fOI'1I'ClI'(/ /)nd:lL'(LI'(/
n.eutl'al POS_DIR (nl'! _,,1011,<I('('r/(/'ol illfl, (/tee/untillfl.
Annex C: HOL Specification of DB\V Co ut roller 260
close: fOI·t('ol'd./JUd·I('(II'I!. /1(11/1'''/) =
{,.\1.(act_.'i/oJi/ =:;- Next close /1
(aeee/fl'(J/iIlY / :::::;.(jol'll'<ll'(i/ :0;' Next [orirurd / I
(bacf..:tl'lll'd I =:;- Next (Not j'ol'II(lI'If) / I Next I1CU/I'(t/ I)) I
(deep/n'{(/iIlY / ~ (fuI'IUII'd/ :::::;.Next (Not fOl'lI'w'rl) /1
(bad:/I'(lI'd I:::::;. Next /JflCI.-IL·C/I'c/ / I Next I/(u/I'(/I i)) I Next /ll?uil'a/I))))
PERFORM1..DEF I- Vac/_s/op a('L.,/ol'/ arcrlr ral ins] dC(,c/fl'rllillfJ [oruard
back u-ar d ne ul ral cl as«,
PER FOR M 1 ((lc/ _.,/ UI). (J ct :«! (/1'1. a ccr.l e rat hu], (ifcp le j'n / ill!t.
[oru-a nlLacku.anl, nrut ral , closr ;=
(At. Always ({(cl_:,/o/I - Next (II( 11/1'01 t ~ acl sstop I
i act sst cr! And (Not "('('(fun/illY) I ~ [oruiartl I
iuct.stovt And (Not accelr rat in q ; I ::::-buckua rd I clo.~e)))) t)
PERFORM2..DEF I- Vacf_:;lad tieul rnl, PERFORM2 (acLstal'l,neull'al) =
(At. Always ((jcl_.~lrtl'1 - Not nellll'a/) I)
PERFORM3..DEF f- V[oruard I)(Jc/.:II'(t.l'dne ut ral act sslop act.sstart,
PERFORM3 (jo/'lcol'd, bacf..:!{·(I,/'(i, neutral, act.stop, acLslad) =
(.~t.Always i jor uard t =:> Next (Not JIJI'wan[ t =:> act.stop I jO/'l(lal'd) I
ibock u-ard I => Next (Not back u-a n! t => act.stop I back/vani) I
ineutro! t => Next (Not IIFu/1'1I11 :::::;.act ist art I (lcLstop) I acLstop))) I)
PERFORM4..DEF I- V [oruard IIt/('~'tl'at'(llir II/ ral occel eru! illY r/f'cf'iel'alin!7.
PERFORM4 (jo/'{I'((l'rl, lnu-kuard, neutral, acccleratinq, dece/eI'ating) =
(At, Always (jOI'II'al'r! 1::::- Next ((I(w/Pl'a/itl!! t => fOI'II'(I1'd I neuiral) I
(bacl.:u·orr/ / => Next ((ho I('ro/ill!! I :::::;.I)(Id:!1'f/1'I11 Tlellll'a/) I Next nellt/'al)) t)
FORE...BEHAV..DEF I- V/JlI'liu/d oll//'ul. FORE_BEHAV (JU/'tll_oCt,Oltt/Jllt) =
(At. (Vocl_.'/ur/ ol'/_,,/nl) clll,'''' fO/'(/','I',1 I)ocl.:'(,(/.I'r/lleu/I'ol.
let (lc('d ( 1'0 I iI/!I = Acceler a te ((/ cl _.'il a ri, fur //10 I'd )iu(lctde et lual in!J =
Decelerate (acl_.,lol'/, /',,('1.-11(11'11) ill
(DecodeCtri (jJlt'III_IId, fUI'II""'I/, /)IIr-i.'II'(II'ci, 111'1111'01,c/o ..;e)) And
(RESPONSE (Inl'II'II I'll, Iilld·1I'o I'd. 1/ r II/ I'a/. 011/ pili, aet _.;1 0rI) And
(REGISTER (oc!_.,lu/l.ud_.'/II1'/. n(lIlntl) And
(TRANSIT (Ol.'('f/; 1'(1/illY, ",('t/'I'Ofi/I!/) And
(POS_DI R (ot/_"I (l/,. IIudr 1'0/ ill fl. "rcr/r 1'01 i II!/,clo,~e,
Annex C: HOL Sp ecific atio u of D8\tV Co nt rol ler 261
[ovuard. iJ(lekicll/'i/. 1/( 1111'(1/) And
(PERFORl'vll (lId_.,II/II. nclssl url ,accele rotnu], decelerat iiut,
fOI'II'oNt, back ua nl, 1/(1111'(1/, c/o ..;e) And
(PERFORM2 (II('/_.'/III'I, 1If.II./ra/) And
(PERFORM3 (j'ul'lI'lIrrl,IJllcinl'fll'lt, nru] rol .rcct.st op, (teLsial'l) And
(PERFORM4 (jul'lI'ul'ri,I){lchcard.nrllll'o/, «cccl r rat inq, dl"ce/eJ'aling)))))))) t)l)
DBIoI_.BEHAV...DEF r DBVV_BEHAV = (V/si'lt IIIO"r/' I'a/ir/,.l pWII/flrll oul p ul Lh ner.
Always ((BACK_BEHAV (8i!li, modet . l'fI/id"/,pwm,,ctl) Upon limel')
(FORE_BEHAV (I"/'I/I"clf t.Ol/tpl/t))) I 1\ Valid lillJu)
State_$afe_DEF r "18 II/ /' II. Stare.Safe (.~,111. (!, p) =
(At. -,WFAILED., I V (p = Close))
SAFE_DEF r V.S III /' I). SAFE (s, Ill. 1'./1) =
(.At. State.Safe (s, NextState ( ..., III, 1', JI) I) I,)
r Vs III l' jJ.INIT ("./11.1'.[» =
(At, ......RUNNING s I 1\ (DEMAND s) Eq 0 i)
ArbNotO_DEF r ArbNotO = (,\1. (~II. --( Il = 0)))
INIT...DEF
Arb...DEF
Zero_DEF
Init_DEF
Safe_DEF
r Arb = (,\1. ARB)
f- Zero = (,\1.0)
f- Vip op, In it (ip, (J/I) := (VI, IN IT (i I), (Jp) I)
r Vip 0/1. Safe (ill,nl') = (VI. SAFE (irl,I)!)) I)
Nextstate_DEF r v.-; II/ /' Ii .,' /II' /,1 1/.
Nextsta te (". 11/, ('. I' ) (,", /II'. 1", 1/) = (VI. Nex tSta te (oS. 111. 1'. Jl) I = /II'. (I' •p' )
C.2 Theorems
Mode...Axiom r Veo "I ,~ ':1 'I '-,. {3Vfll (/1/ Reset = 1'0) 1\ Un Idle = "1) 1\
(/11 Traction = ,~) 1\ (/1/ Shutdown = r::J! 1\ Un Manual = e.d 1\
Un Cruise = {~,)I
Mode_Dist inct r --(Reset = Idle) 1\ --( Reset = Traction) 1\ -,( Reset = Shutdown) 1\
-,(Reset = Manual) 1\ --(Reset = Cruise) 1\ -,(Idle = Traction) 1\
-,(Idle = Shutdown) t, --(Idle = Manual) A -,(Idle = Cruise) 1\
Annex C: HOL Specification of DBW Controller 262
.(Traction = Shutdown) /\ .( Traction = Manual) /\ ...,(Traction = Cruise) /\
.(Shutdown = Manu31) 1\ .(Shutdown = Cruise) 1\ ...,(Manual = Cruise)
Mode_Induct f- VP. PReset /\ I' Idle /\ P Traction /\ P Shutdown /\ P Manual /\
P Cruise J (V.\I. P ,\f)
Mode_Cases f- V,\{. (M = Reset) V (,\f = Idle) V (.\f = Traction) V (!If = Shutdown) V
(I'll = Manual) V (M=Cruise)
Dir..Axiom f- Veo 1'1 f'"! C3· (3Vln. (fit Close = eo) /\ (fll Forward = et) 1\
Un Backward = 1':) /\ i]» Neutral = I';d)
Dir...Distinct f- ...,(Close = Forward) /\ .(Close = Backward) /\ -;(Close = Neutral) 1\
.(Forward = Backward) /\ .(Forward = Neutral) /\ .(Backward = Neutral)
Dir_Induct f- "iP. P Close /\ P Forward /\ P Backward /\ P Neutral J (VD. P D)
Dir_Cases f- VD.(D = Close) V (f) = Forward) V (D = Backward) V (D = Neutral)
Zero...Eq_O f- Vt. Zero Eq 0 I
ArbNotO_Not..2ero f- .(ArbNotO t. = 0)
Arb_True f- Va b. (I V (t V ""'a V b
Mode_distl I-VM.(Jf = Reset) V (ill = Idle) V (M = Shutdown) V (M = Traction) V
(M = Manual)::> ....,(.\f = Cruise)
Mode_dist2 f- ....,(Cruise = Shutdown)
Hode_dist3 f- ....,(Manual = Shutdown)
Dir _.lemma f- Vi. Always
(DecodeCtri (/11/'"1_(/1'1. /()I'INI.I'II./wd'I/·(lI·d. neul ral . clo..;;;)
- Xor2 (c/o .«r . Xor3 (fnl·II'(//'{I./)(/ck!NII'd.Ilr'III/'rt/))) I
STATE...EQl f- V.~ ../ I. (." = .,') /\ ...,RUNNING.~ I J .RUNNING~' I
STATE2..EQ t- V., ,;' I. (., = .,,') /\ ...,WFAILED s I J ...,WFAILED.s' I
STOP....sAFE f- V..; III 1'1' I.Always (Not (RUNNING .,) - SAFE (8. III. t'. p)) f
FAIL....sAFE f- VS III I JI I.
Always ((WFAILED., And RUNNING 'i) - SAFE (.<;, 111.1',/1)) I
INIT....sAFE f- Vs /I) I P I. Always (INIT (.~, Ill. "./1) - SAFE (s. 111., t', p)) t
Annex C: HOL Specification of' DB\V Controller 263
STATES_UNIQUE f-- 'Vm I' /1/, (3,-; (:I'VIII' I.' //, NextState (s, rn, II,]» t = III', (".p'))
SAFETY f-- 'VI. (INIT (,' /.1111.1' /./) /) / => SAFE (., t . iu L, IIl.JI t) l) /\
(SACK_BEHAV ('" III. U. fi) f /\ SAFE (.-; i. lilt, V i. l' f) l
=> State.Safe l·' f. III (l + 1). l' (I + 1), /) (t + 1)) I)
RCOND~emma f-- 'Vl S III t· l'
(8 = False, Arb, Arb, Arb, Arb, Arb. Arb. Arb, Arb, Arb, Arb, Arb, Arb)
=> ((m = Cruise) ~ (NextState (_,. III .• P. Ji) l = Reset. F. Close) I
(NextState (s. III. "./1) t = Reset. 1'. Close))
SCOND1~emma f-- 'Vf .'i III I' fl. (III = Shutdown) /\
(s = True. Arb. Arb. Arb, Arb, Arb, Arb. Arb, Arb. Arb, Arb. Arb, Arb)
=> (NextState ('" III. I', /1) I = Shutdown, I', Close)
SCOND2~emma f-- 'VI S III I' Ji.
(8 = True. Arb, Arb, True, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb, Arb) V
(8 = True. Arb. Arb, Arb. Arb, True. Arb, Arb. Arb, Arb, Arb. Arb, Arb) V
(8 = True, Arb, Arb. Arb, True, Arb, Arb. Arb. Arb. Arb. ArbNotO, Arb. Arb)
=> «(m = Cruise) ~ (Next State (s. III. '1'./1) t = Shutdown, T, Close} I
(NextState (8.111,1'. ji) t = Shutdown, II. Close))
SCOND3~emma f-- 'VI 8 III, II p,
(8 = True. Arb. Arb, Arb. False, Arb. Arb. Arb. Arb, Arb. Zero, Arb, Arb)
=> (('m = Cruise) ~ (NextState (s. Ill. v, /I) t = Shutdown. T, Close) I
(NextState (". 111,1'./,) t = Shutdown.!', Close))
SCOND4~emma f-- VI., III I' P.
(8 = True. Arb, Arb. Arb, Arb. Arb, True, Arb. Arb, Arb, ArbNotO. Arb. Arb) V
(s = True. Arb. Arb. Arb. Arb. Arb, False, Arb. Arb, Arb. Zero, Arb. Arb)
::> (( m = Cruise) ~ (NextState (s. III, /1, p) t, = Shutdown, T, Close) I
(NextState (". III. r. I') t = Shutdown, I:, Close))
ICOND1~emma f-- 'VI S III [1 II. (III = Cruise) /\
(8 = True. False. Arb. False, False. False. True. Arb, Arb. Arb, Zero. Arb. Arb)
::> (NextState (.,. til. I, ,,) / = Idle. T. PWM (/1. FBANG ., f. 1))
ICOND2~emma f-- 'VI S III I' I'. (III = Cruise) /\
(8 = True. Arb, True. False. False. False, True. Arb, Arb, Arb, Zero, Arb, Arb)
::> (NextState (,'.111.1./,) I = Idle, T, PWM (JI, FBANG" t . 1))
Annex C: HOL Specification of DBW Cout ro ller 264
ICOND3~emma f- VI 8 11/ I' /,. (1/1 = Manual) 1\
((8 = True. False. False. False. False. False, True, Arb. Arb. Arb. Zero, Arb. Arb) V
(8 = True. False. True. False. False. False. True. Arb. Arb. Arb, Zero. Arb. Arb) V
(8 = True. True. True. False, False. False, True, Arb, Arb, Arb, Zero, Arb, Arb))
~ (NextState ( .... 11/. 1./1) I = Idle. (I. PWM (/', FBANG s I, 1))
CCOND1~emma f- VI oS 111 l' JJ. (III = Manual) 1\
(8 = True, True. False. False, False, False, False. Arb, True,
Arb, ArbNotO. ArbNotO, Arb)
~ (N ex t S tat e ( s . III. r, II) I = Cru ise, r, PW M (}J. FBAN G 8 I,SPEE D s t))
CCOND2~emma f- VI S III II I). (11/ = Idle) 1\
(8 = True, True, False. False. False, False. True, Arb. Arb. True, Zero, Arb, Arb)
~ (NextState ( .... 111. T. JI) t = Cruise. T. PWM (II, FBANG 8 t, SPEED 8 i))
TCOND..lemma f- Vt s 1l/. up. (111 = Manual) 1\
(s = True, False. Arb. False. False. False, False. True, Arb. Arb, ArbNotO, Zero, Arb)
~ (NextState (.'i, 1/1. 1'. p) I. = Traction. (I, PWM t». FBANG 8 i. DEMAND s Il)
HCOND..lemma f- Vi s m (I p, -,( III = Shutdown 1 1\
(s = True, Arb, Arb. False. False. False, False, False. False. False, ArbNotO, Arb, Arb)
~ (NextState (.s. III. 1'.]1) t = Manual, F. PWM (p, FBANG s i, DEMAND s t))
FSM f- (Vip op.lnit (ip. opl :J Safe (ip. op)) 1\
(Vip 0/1 ip' op". Nextstate (iii. op) (ip'. op') 1\ Safe (jp, (Jp) ~ Safe (ip', op'))
~ ("Ie. LSA (Init. Nextstate) r = PLSA (Init. Safe. Nextstate) e)
C.3 Procedures of Proofs and Tactics
let Mode_Axiom = define_type 'Mode_Axiom'
'Mode=ResetIIdleITractionIShutdownIManualICruise'; ;
let Mode_Distinct = save_thm ('Mode_Distinct',
prove_constructors_distinct Mode_Axiom);;
let Mode_Induct = save_thm ('Mode_Induct',
prove_induction_thrn Mode_Axiom);;
Annex C: HOL Sp ecifi cnt.io n of DBvV Co nt ro ller 265
let Mode_Cases = save_thm ('Mode_Cases',
prove_cases_thm Mode_Induct);;
let sig_ty = ":(num->bool)#(num->bool)#(num->bool)#
(num->bool)#(num->bool)#(num->bool)#
(nurn->bool)#(num->bool)#(num->bool)#
(num->bool)#(num->num)#(num->num)#
(num-onum):"; ;
nell_type_abbrev ('Cntrl_ty', ":bool#bool#bool#bool#bool#
bool#bool#bool#bool#bool#
num#nurn#nurn");;
let RUNNING = nell_definition ('RUNNING_DEF',
"RUNNING (s:-sig_ty) = FST s
") ; ;
let GEAR = nell_definition ('GEAR_DEF',
"GEAR (s:-sig_ty)=FST(SND s)
") ; ;
let BRAKE = nell_definition ('BRAKE_DEF',
"BRAKE (s:-sig_ty)=FST(SND(SND s)
)") ; ;
let WATCHOUT = nell_definition ('WATCHOUT_DEF',
"WATCHOUT (s:-sig_ty)=FST(SND(SND(SND s)
»") ; ;
let WFAILED = new_definition ('WFAILED_DEF',
"WFAILED (s:-sig_ty)=FST(SND(SND(SND(SND s)
»)") ; ;
let OVERTEMP = new_definition ('OVERTEMP_DEF',
"OVERTEMP (s:-sig_ty)=FST(SND(SND(SND(SND(SND s)
»»-i..
let IDLE = nell_definition ('IDLE_DEF',
"IDLE (s:-sig_ty)=FST(SND(SND(SND(SND(SND(SND s)
»»)");;
Annex C: HOL Specification of DB\V Coutroller 266
let TRACTION = new_definition ('TRACTION_DEF',
"TRACTION (s:-sig_ty)=FST(SND(SND(SND(SND(SND(SND(SND s)
»»»");;
let CRUISE = new_definition ('CRUISE_DEF'.
"CRUISE (s:-sig_ty)=FST(SND(SND(SND(SND(SND(SND(SND(SND s)
»m»-».
let RESUME = new_definition ('RESUME_DEF',
"RESUME (s:-sig_ty)=FST(SND(SND(SND(SND(
SND(SND(SND(SND(SND s»»»»)");;
let DEMAND = new_defini~ion ('DEMAND_DEF'.
"DEMAND (s:-sig_ty)= FST(SND(SND(SND(SND(SND(SND
(SND(SND(SrW(SND s»»»»»");;
let SPEED = new_definition ('SPEED_DEF',
"SPEED (s:-sig_ty)= FST(SND(SND(SND(SND(SND(SND(SND
(SND(SND(SND(SND s»»»»»)");;
let ANGLE = new_definition ('ANGLE_DEFf,
"ANGLE (s:-sig_ty)= SND(SNO(SND(SND(SND(SND(SND(SND
(SND(SND(SND(SND s»»»»»)");;
%------------------------------------------------------------
% Reset state %
%------------------------------------------------------------
let R_CONO = new_definition ('R_CONO_DEF',
"R_CONO (running)=
\(t:time). Not running t");;
%------------------------------------------------------------
% Idle state %
'l.------------------------------------------------------------
let I_CONO = new_definition ('I_COND_DEF',
"I_eONO (mode,idle,brake,gear)=
\(t:time).
«mode=Manual) \/ (mode=Cruise) \/ (rnode=Idle» /\
idle t /\ (brake t \/ -gear ~)");;
Annex C: HOL Sp ecificntiou of DB \V Co nt rol ler------------------------------267
%------------------------------------------------------------
% Shutdown state %
%------------------------------------------------------------
let S_COND = new_definition ('S_COND_DEF',
"S_COND (watchout,overtemp,stop)=
\(t:time).
watchout t \/ overtemp t \/ stop");;
%------------------------------------------------------------
% Cruise state %
%------------------------------------------------------------
let C_COND = new_detinition ('C_COND_DEF',
"C_CONO (cruise,speed,resume,valid_cruise,
gear,mode,demand,brake) = \(t:time).
«cruise t /\ ~(speed Eq O)t /\ (mode=Manual» \/
(-(speed t < demand t) /\ -brake t /\ (mode=Cruise»
\/ (resume t /\ valid_cruise /\ (mode=Idle»)
/\ gear too);;
%------------------------------------------------------------
% Traction state %
%------------------------------------------------------------
let T_COND = new_detinition ('T_CONO_DEF',
"T_CONO (mode,traction,speed,gear,idle)= \(t:time).
«mode=Manual) \/ (mode=Traction» /\
traction t /\ (speed Eq O)t /\ ~(gear t)
/\ ~(idle t)");;
%------------------------------------------------------------
% Movement of actuator's throttle
%------------------------------------------------------------
let Dir_Axiom = define_type 'Oir_Axiom'
'Dir = Close I Forward I Backward I Neutral';;
Annex C: HOL Specification of DB\V Co nt rol ler------------------------------------------ 268
let Dir_Distinct = save_thm ('Dir_Distinct',
prove_constructors_distinct Dir_Axiom);;
let Dir_Induct = save_thm ('Dir_Induct',
prove_induction_thm Dir_Axiom);;
let Dir_Cases = save_thm C'Dir_Cases',
prove_cases_thm Dir_Induct);;
%------------------------------------------------------------
% Actuator behavioural spec.
%------------------------------------------------------------
let PWM = ney_definition ('PWM_DEF',
"PWM (pwm_act,ang,dem) =
(dem=O) => Close I
(dem>ang) => «pwm_act = Forcard ) =>
NeutrallForward) I
(ang>dem) => «pwm_act = Backward) =>
Neutral IBackward) I Neutral");;
%------------------------------------------------------------
% Validity conditions of interface signals
%------------------------------------------------------------
let ILLEGAL = new_definitionC'ILLEGAL-DEF',
"ILLEGAL b P = \(t:time). "Xor2(p,b)t");;
let DecodeSig = new_definitlon ('DecodeSig_DEF',
"DecodeSig «sig:time->Cntrl_ty),
(runningt:time->bool),(geart:time->bool),
(braket:time->bool),(watchoutt:time->bool),
(wfailedt:time->bool),(overtempt:time->bool),
(idlet:time->bool),(tractiont:tlme->bool),
(cruiset:time->bool),(resumet:time->bool),
Annex C: HOL Specification of DB\V Contl'ollel' 269
(demandt:time->num).(speedt:time->num).
(anglet:tirne->num» =
!(t:time),«runningt t) .(geart t) .(br~ket t),
(watchoutt t).(wfailedt t),(overtempt t),
(idlet t) .(tractiont t).(cruiset t).
(resumet t).(demandt t).(speedt t).
(anglet t ) = (sig t)");;
%------------------------------------------------------------
% Main loop %
%------------------------------------------------------------
let NextState = new_definition ('NextState_DEf',
"NextState(s,mode,valid_cruise.pwm_<l.ct)
\(t:time).
(let running = RUNNING 5 in
(let gear = GEAR s in
(let brake = BRAKE s in
(let watchout = WATCHOUT s in
(let wtailed = WFAILED s in
(let overtemp = OVERTEMP s in
(let idle = IDLE s in
(let traction = TRACTION s in
(let cruise = CRUISE 5 in
(let resume = RESUME s in
(let demand = DEMAND 5 in
(let speed = SPEED s in
(let angle ANGLE s in
(let stop_ok = (ILLEGAL ldle (Not(demand Eq O»)t
\/ (wfailed t) \/ (mode=Shutdown) in
(let reset_ok = R_COND(running)t in
(let cruise_ok = "reset_ok /\
C_COND(cruise.speed.resume.valid-cruise.
gear.mode.demand.brake)t in
(let traction_ok = "reset_ok /\
Annex C: HOL Specification of DB\V Co nt.roller 270
T_COND(mode,traction,speed,gear,idle)t in
(let shutdown_ok = S_COND(watchout,overtemp,stop_ok)t in
(let idle_ok = -reset_ok /\
I_COND(mode,idle,brake,gear)t in
(let valid_c = «mode=Cruise) => -reset_ok
valid_cruise) in
reset_ok=>
(Reset,valid_c,PWM(pwm_act,angle t,~zerodem))1
shutdown_ok=>
(Shutdown,valid_c,PWM(pwm_act,angle t,-zerodem»1
idle_ok=>
(Idle,valid_c,PWM(pwm_act,angle t,-idledem)I
cruise_ok=>
(Cruise,valid_c,PWI~(pwm_act,angle t,speed e) I
traction_ok=>
(Traction, valid_c, PI.JM(pwm_act,angle t ,demand t») I
(Manual,F,PWM(p~m_act,angle t,demand t))
»»»»»»»»»»");;
let BACK_BEHAV = new_definition ('BACK_BEHAV_DEF',
"BACK_BEHAV «sigt:time->~sig_ty),(modet:time->Mode),
(valid_ct:time->bool),(pwm_actt:time->Dir» =
\(t:time).
NextState «sigt t), modet t, valid_ct t, pwm_actt t)t
= (mode t f t+f ) . valid_ct(t+1), pwm_actt(t+l»");;
let DecodeCtrl = new_definition ('DecodeCrtlt,
"DecodeCtrl (pwm_act,forward,backward,neutral,close) =
\(t:time). (forward t = (pwm_.:lct= Forward») /\
(backward t = (p~m_act = Back~ard) /\
(neutral t = (pwm_act = Neutral) /\
(close t = (pwm_act = Close))");;
let Accelerate = ne~_definition ('Accelerate_DEFt•
Annex C: HOL Speclficat iou of DB\V Co nt i-ol ler 271
"Accelerate (act_start.forlolard) act start And forward");;
let Decelerate = new_deflnition ('Decelerate_DEF'.
"Decelerate (act_start. backward) "
act_start And back"ard");;
let RESPONSE = new_definition ('RESPONSE_DEF',
"RESPONSE (forward,backward.neutral.output,act_start) =
\(t:time).
forward t =>
«output Within (Len Cact_start) -Tres»
When act_start) I
backward t =>
«output Within (Len (act_start) -Tres»
When ac t i s t ar t ) I
neutral til); ;
let REGISTER = new_definition ('REGISTER_DEF',
"REGISTER (act_stop.act_start,neutral) =
\(t:time).
Always «act_stop And (Not neutral» -->
(act_start Within (Len (Not neutral) -Treg»)t")j j
let Below = new_infix_definition ('Below_DEF',
"Below pos ang = \t. (pos Eq (PRE ang)}t,,); ;
let Above = new_infix_definition ('Above_DEF'.
"Above pos ang = \t. (pos Eq (SUe ang»t");;
let TRANSIT = new_definition ('TRANSIT_DEF',
"TRANSIT (accelerating.decelerating)
\(t:time). !pos ang.
Always (
«accelerating And Not(pos Below ang» -->
Annex C: HOL Sp ecifica tio u of DB\V Co nt ro ller------------------------------------------272
(Not(pos Below ang) Within
(Len accelerating -Ttr»)) And
«decelerating And Not(pos Above ang)) -->
(Not(pos Above ang) Within
(Len de ceLer atmg -Ttr»»t");;
let POS_OIR = new_definition ('POS_OIR_DEF',
"POS_DIR (act_stop,accelerating,decelerating,
close,forward,backward,neutral) =
\(t:time).
act_stop t => Next(close)t
accelerating t => (forward t => Next(forward)t
backward t => Next(Not forward)t
Next(neutral)t) I
decelerating t => (forward t => Next(Not forward)t
backward t => Next(backward)t
Next(neutral)t) I
Next(neutral)t"); ;
let PERFORM! = new_definition ('PERFORM1_DEF',
"PERFORM1 (act_stop,act_start.accelerating.decelerating,
forward,backward.neutral.close) =
\(t:time).
Always (act_stop -->
Next (neutral t => act_stop I
(act_start And Not decelerating)t => forward I
(act_start And Not accelerating)t => backward I
close) )t");;
let PERFORM2 = new_definition ('PERFORM2_DEF',
"PERFORM2 (act_start,neutral) =
\(t:time). Always (act_start --> Not neutral)t");;
let PERFORM3 = new_definition «PERFORM3_0EF',
Annex C: HOL Sp ecificat ion of DB\V Co ut ro lle r 273
"PERFORM3 (forward, backvard ,neutral, act_stop, act_start) =
\(t:time).
Always (
forward t => Next(Not(forward)t =>
act_stop I forward) I
backward t=> Next(Not(backward)t =>
act_stop I backward) I
neutral t => Next(Not(neutral)t =>
act_start I act_stop) I
act_stoph") ;;
let PERFORM4 = new_definition ('PERFORM4_DEF',
"PERFORM4 (forward,backward,neutral,
accelerating,decelerating) =
\(t:time).
Always (
torward t => Next(accelerating t =>
forward I neutral) I
backward t => Next(decelerating t =>
backward I neutral) I
Next(neutral) )too);;
let FORE_BEHAV = new_definition ('FORE_BEHAV_DEF'.
"FORE_BEHAV (pwm_act.output) =
\(t:time). lact_start act_stop close forward
backward neutral.
(let accelerating = Accelerate(act_start,forward) in
(let decelerating = Decelerate(act_start,backward) in
(DecodeCtrl (pwm_act.forward,backw~d,neutral,close)
And
RESPONSE (forward,backward.neutral,output,act_start)
And
REGISTER (act_stop,act_start.neutral) And
TRANSIT (accelerating,decelerating) And
Annex C: HOL Sp ec ific at.io n of DB\,y Cout ro ller 274
POS_DIR (act_stop.accelerating.decelerating.
close,forward,backward,neutral) And
PERFORMl (act_scop.act_start,accelerating,
decelerating,forward,backward,neutral,close) And
PERFORM2 (act_start.neutral) And
PERFORM3 (forward.backward.neutral,
act_stop,act_start) And
PERFORM4 (forward,backward,neutral,
accelerat ing,decelerat ing»)t» ..);;
let DBW_BEHAV = new_definition ('DBW_BEHAV_DEF',
"DBW_BEHAV =
!(t:time) sigt modet valid_ct pwm_actt output timer.
Always «BACK_BEHAV(sigt,modet,valid_ct,pwm_actt)
Upon timer) (FORE_BEHAV(pwm_actt t,output»)t
/\ Valid timer"); ;
let State_Sate = new_definition ('State_Sate_DEFt,
"State_Safe (s,(m:Mode),(v:bool),p) =
\t. -(WFAILED s)t \/ (p=Close)");;
let SAFE = new_definition ('SAFE_DEF',
"SAFE (s,m,v,p) =
\t. State_Sate(s, (NextState (s,m,v ,p)t))t");;
let INIT = new_definition ('INIT_DEF',
"INIT (s,(m:Mode),(v:bool),(p:Dir» =
\t. -(RUNNING s)t /\ (ODlAND s Eq O)t");;
let ArbNotO = new_definition ('ArbNotO_DEF',
"ArbNotO = \(t:time). <On. -(n=O)");;
let Arb = new_definition ('Arb_DEF',
"Arb = \(t:time). (ARB:*)");;
Annex C: HOL Specifi catio u of DBW Co nt ro lle r
let Zero = new_definition ('Zero_DEF'.
"Zero = \(t:tirne). 0");;
let Zero_Eq_O = prove_thm ('Zero_Eq_O'.
"!t. (ZeroEqO)t".
GEN_TAC THEN REWRITE_TAC[Zero;Eq_DEF]);;
let ArbNotO_Not_Zero = prove_thm('ArbNotO_Not_Zero',
"-(ArbNotO t=O)".
REWRITE_TAC[ArbNotO] THEN CONV_TAC SELECT_CONY
THEN EXISTS_TAC "SUC 0"
THEN MATCH_ACCEPT_TAC SUC_ID);;
let Arb_True = prove_thm ('Arb_True'.
"!a b. a \/ a \! -a \! b",
REPEAT GBN_TAC THElf BOOL_CASES_TAC "a"
THEN REWRITE_TAC[]);;
let Mode_distl = prove_thm('Mode_distl'.
"!M. (M=Reset)\/(M=Idle)\/(M=Shutdown)\/
(M=Traction)\!(M=Manual) ==> -(M=Cruise)",
GEH_TAC THEN STRIP_TAC THEN ASH_REWRITE_TAC[]
THEN REWRITE_TAC[Mode_Distinct]);;
let Mode_dist2 = prove_thm('Mode_dist2',
"-(Cruise=Shutdown)".
MP_TAC Mode_Distinct THEN STRIP_TAC
THEN POP_ASSUM (\thl. POP_ASSUM (\th2. (ASSUME_TAC th2)))
THEN CONV_TAC (ONCE_DEPTH_CONV SYM_CONV)
THEN ASM_REWRITE_TAC[]);;
let Mode_dist3 = prove_thm('Mode_dist3'.
"-(Manual=Shutdown)",
275
Annex C: HOL Specifi ca rio n of DB\V Contl'Ollel' 276
MP_TAC Mode_Distinct THEN STRIP_TAC
THEN POP_ASSUM (\th!. POP_ASSUM (\th2. (ASSUME_TAG th2»)
THEN CONY_TAC (ONCE_DEPTH_CONV SYM_CONY)
THEN ASM_REWRITE_TAC[]);;
let Dir_lernma = prove_thrn ('Dir_lernma',
"!(t:time). Always (
DecodeCtrl (p~m_act,forward,backward,neutral.close)
--> Xor2(close,Xor3(forward,backward,neutral»)t",
GEN_TAC
THEN REWRITE_TAC[Xor2_DEF;Xor3_DEF;Always_DEF;
DecodeCtrl;Imp_DEF)
THEN BETA_TAC THEN REPEAT STRIP_TAC
THENL [%1%
ASH_REWRITE_TAC[] THEN ASSUME_TAC (Dir_Cases)
THEN POP_ASSUM MP_TAC
THEN CONV_TAC LEFT_IMP_FORALL_CONY
THEN EXISTS_TAC "pwm_act" THEN REPEAT STRIP_TAC
THENL [ASM_REWRITE_TAC(];
ASM_REWRITE_TAC[Dir_Distinct];
ASK_REWRITE_TAC[)
THEN CONY_TAC(ONCE_OEPTH_CONV SYM_CONV)
THEN REWRITE_TAC(Oir_Distinct]
THEN CONV_TAC(ONCE_DEPTH_CONV SYM_CONY)
THEN REWRITE_TAC[Dir_Distinct];
ASM_R~WRITE_TAC[]
THEN CONV_TAC(ONCE_DEPTH_CONV SYM_CONV)
THEN REWRITE_TAC[Dir_Distinct]];
POP_ASSUM (\th. ALL_TAC) THEN RES_TAC
THEN POP_ASSUM HP_TAC THEN ASM_REWRITE_TACO
THEN REWRITE_TAC[Dir_Dlstlnct);
POP_ASSUM (\th. ALL_TAC) THEN RES_TAC
THEN POP_ASSUK MP_TAC THEN ASM_REWRITE_TAC[]
THEN REWRITE_TAC[Dir_Distinct];
Annex C: HOL Sp eciflcn t io n of DB\V Controller 277
POP_ASSUM (\th. ALL_TAC) THEN RES_TAC
THEN POP_ASSUM MP_TAC THEN ASM_REWRITE_TAC[]
THEN REWRITE_TAC[Dir_Distinct]]);;
let STATE_EQl = prove_thm ('STATE_E01',
"!s s' t. (a=s ") /\ -(RUNNIlIG s)t ==> -(RUNNING s')t",
REPEAT GEN_TAC THEN STRIP_TAC
THEN POP_ASSUM MP_TAC THEN ASM_REWRITE_TAC[]);;
let STATE_EQ2 = prove_thm ('STATE2_EQ',
"!s s' t. (a=s ") /\ -(WFAILED s)t ==> -(WFAILED s')t",
REPEAT GEH_TAC THEN STRIP_TAC
THEN POP_ASSUM MP_TAC THEN ASM_REWRITE_TAC[]);;
%------------------------------------------------------------
Proving Safety Properties
%------------------------------------------------------------
let STOP_SAFE = prove_thm ('STOP_SAFE',
"!s m v p t. Always (Not(RUNNING s) --) SAFE(s,m,v,p»t",
REPEAT GEN_TAC
THEN REWRITE_TAC[SAFE;Always_DEF;Imp_DEF]
THEN REWRITE_TAC[NextState;S_GOND;R_COND;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN CONV_TAC(DEPTH_CONV let_CONV)
THEN ASM_REWRITE_TAC[]
THEN REWRITE_TAC[State_Safe]
THEN BETA_TAG THEN REWRITE_TAG[PWM]);;
let FAIL_SAFE = prove_thm ('FAIL_SAFE',
"!s m v p t.
Always«WFAILED 5 And RUNNING s)-->SAFE(s,m,v,p)t",
REPEAT GEN_TAC
THEN REWRITE_TACCSAFE;Always_DEF;Imp_DEF]
THEN REWRITE_TAC[NextState;S-GOND;
Annex C: HOL Specific.:1t io u of 0 B \V Co ut roller 278
R_COND;And_DEF;Not_DEFJ
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN CONV_TAC(DEPTH_CONV let_CONY)
THEN ASM_REWRITE_TAC[IMP_CLAUSES]
THEN REWRITE_TAC[State_Safe]
THEN BETA_TAC THEN REWRITE_TAC[PWM]);;
let INIT_SAFE = prove_thm ('INIT_SAFE'.
"!s m v p t. Always(IIlIT(s.m.v.p) --> SAFE(s.m.v.p»)t".
REWRITE_TAC[Always_DEF;Imp_DEF;INIT;SAFE]
THEN REWRITE_TACCNextState;R_COND;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN CONV_TAC(DEPTH_CONV let_CONY)
THEN ASH_REWRITE_TAC[IHP_CLAUSES]
THEN REWRITE_TAC[PWM;State_Safe));;
let STATES_UNIQUE = prove_thm ('STATES_UNIQUE'.
"!mvpt. ?s. ?!m' v ' p ".
NextState(s.m.v.p)t = (m'.v'.p·)".
REPEAT GEN_TAC
THEN EXISTS_TAC "False.(Arb:num->bool).(Arb:num->bool).
(Arb:num->bool) ,(Arb:num->bool).
(Arb:num->bool).(Arb:num->bool).
(Arb:num->bool) ,(Arb:num->bool),
(Arb:num->bool).(Arb:num->num).
(Arb:num->num).(Arb:nurn->num)"
THEN PURE_REWRITE_TAC[False_DEF;NextState;RUNNING;FST]
THEN CONV_TAC(DEPTH_CONV let_CONY)
THEN PURE_REWRITE_TACCR_COND;Not_DEF] THEN BETA_TAC
THEN REWRITE_TACCNOT_CLAUSES;ANGLE;SND;PWM]
THEN CONV_TAC EXISTS_UNIQUE_CONV THEN STRIP TAC
THENL [EXISTS_TAC "Reset"
THEN CONV_TAC EXISTS_UNIQUE_CONV THEN STRIP_TAC
THENL [EXISTS_TAC "(m=Cruise)=>Flv"
Annex C: HOL Specifi cnt.iou of 0 BvV Controller 279
THEN CONV_TAC EXISTS_UNIQUE_CONV THEN STRIP_TAC
THENL [EXISTS_TAC "Close" THEN REFL_TAC;
REPEAT STRIP_TAC THEN POP_ASSUM MP_TAC
THEN PURE_ASM_REWRITE_TAC[]
THEN PURE_REWRITE_TAC[PAIR_EQ]
THEN REPEAT STRIP_TAC);
REPEAT GEN_TAC
THEN CONV_TAC(DEPTH_CONV EXISTS_UNIQUE_CONV)
THEN STRIP_TAC THEN POP_ASSUM (\t. ALL_TAC)
THEN POP_ASSUM MP_TAC THEN PURE_ASM_REWRITE_TACO
THEN PURE_REWRITE_TACCPAIR_EQJ
THEN REPEAT STRIP_TAC];
REPEAT GEN_TAC
THEN CONV_TAC(DEPTH_CONV EXISTS_UNIQUE_CONV)
THEN STRIP_TAC THEN POP_ASSUM (\th. ALL_TAC)
THEN POP_ASSUM (\th. ALL_TAC) THEN POP_ASSUM MP_TAC
THEN PURE_ASM_REWRITE_TAC(]
THEN PURE_REWRITE_TAC(PAIR_EQJ
THEN REPEAT STRIP_TAC]);;
let SAFETY = prove_thm ('SAFETY',
"!t. (INIT(s t,m t,v t,p t)t ==> SAFE(s t,m t,v t,p t)t) /\
«BACK_BEHAV(s,m,v.p)t /\ SAFE(s t.m t,v t.p t)t)
==> State_Safe(s t,m(t+l),v(t+l),p(t+l»t)",
GEN_TAC THEN STRIP_TAC
THENt [PURE_REWRITE_TAC[INIT;SAFE]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN PURE_RE\·/RITE_TAC [NextState ;R_COND; Not_DEFJ
THEN BETA_TAC THEN CONV_TAC(DEPTH_CONV let_CONY)
THEN ASM_REWRITE_TAC[PWM)
THEN PURE_REWRITE_TAC[State_Safe]
THEN BETA_TAC THEN REWRITE_TAC[];
PURE_REWRITE_TAC[BACK_BEHAV;SAFE] THEN BETA_TAC
THEN REPEAT STRIP_TAC THEN POP_AS SUM MP_TAC
Annex C: HOL Specific:ltion of OBvV Controller 280
THEN ASH_REWRITE_TAe[]]);;
%------------------------------------------------------------
Proving state transition diagrams
%------------------------------------------------------------
% Reset transition condition %
let RCOND_le~~a = prove_thm('RCOND_lemma',
"!(t:time) s m v p.
(s=False,Arb,Arb,Arb,Arb,Arb,Arb,
Arb,Arb,Arb,Arb,Arb,Arb)
==> (m=Cruise)=>(NextState(s,m,v,p)t=(Reset,F,Close»1
(NextState(s,m,v,p)t=(Reset,v,Closa»",
REPEAT GEN_TAC THEN PURE_REWRITE_TAC[NextStata]
THEN DISCH_THEN (\th. PURE_REWRITE_TAC(th])
THEN PURE_REWRITE_TACCRUNNING;R_COND]
THEN CONV_TAC (DEPTH_CONV let_CONV)
THEN PURE_REWRITE_TACCFalse_DEF;Not_DEFJ
THEN BETA_TAC THEN CONO_CASES_TAC
THEN REWRITE_TAC[PWH]);;
% Shutdown transition condition 1 %
let SCON01_lemma = prove_thm('SCOND1_lemma',
"!(t:time) s m v p. (m=Shutdown) /\
(s=True,Arb,Arb,Arb.Arb,Arb,Arb,
Arb,Arb,Arb.Arb.Arb.Arb)
==> (HextState(s,m,v,p)t=(Shutdown,v.Close»",
REPEAT GEH_TAC
THEN PURE_REWRITE_TACCNextState;R_COND;RUNNIHG;S_COND;
WATCHOUT;OVERTEMP;WFAILED;DEMAND;IDLE;ILLEGAL;
Xor2_DEF;False_DEF;True_DEF;Not_DEFJ
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC[]
THEN CONV_TAC (DEPTH_CONV let_CONV)
THEN REWRITE_TAC[PWM;Hode_Distinct]);;
Annex C: HOL Specification of DB\V Co nt ro ller 281
% Shutdown transition conditlon 2 f.
let SCOND2_lemma = prove_thm('SCOND2_lernma',
"!(t:time) 5 m v p.
(s=True,Arb,Arb,True,Arb,Arb,Arb,
Arb,Arb,Arb,Arb,Arb,Arb) \/
(s=True,Arb,Arb,Arb,Arb,True,Arb,
Arb,Arb,Arb,Arb,Arb,Arb) \/
(s=True,Arb,Arb,Arb,True,Arb,Arb,
Arb,Arb,Arb,ArbNotO,Arb,Arb) ==>
(m=Cruise)=>(NextState(s,m,v,p)t=(Shutdown,T,Close)I
(NextState(s,m,v,p)t=(Shutdown,v,Close»",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[NextState;R_COND;RUNNING;S_COND;
WATCHOUT;OVERTEMP;WFAILED;DEHAND; IDL£;ILLEGAL;
Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC[]
THEN CONV_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC[] THEN COND_CASES_TAC
THEN REWRITE_TAC[PWM);;
Yo Shutdown transition condition 3 f.
let SCOND3_lemma = prove_thm('SCOND3_lemma',
"!(t:time) s m v p.
(s=True,Arb,Arb,Arb,False,Arb,
Arb,Arb,Arb,Arb,Zero,Arb,Arb) ==>
(m=Cruise)=>(NextState(s,m,v.p)t=(Shutdown,T,Close»I
(NextState(s,m,v,p)t=(Shutdown,v,Close»",
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[NextState;R_COND;RUNNING;S_COND;
WATCHOUT;OVERTEMP;WFAILED;DEMAND;IDLE;ILLEGAL;
Xor2_DEF;True_DEF;False_DEF;Wot_DEF)
THEN BETA_TAC THEN REPEAT STRIP_TAC
Annex C: HOL Specificat.ion of DB \V Controller 282
THEN ASM_REWRITE_TAC[]
THEN CONV_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC[] THEN CORD_CASES_TAC
THEN REWRITE_TAC[Zero_Eq_O;Arb_True;PWM]);;
% Shutdown transition condition 4 %
let SCOND4_1emma = prove_thm('SCOND4_1emrna',
"!(t:time) s m v p.
(s=True,Arb,Arb,Arb,Arb,Arb,True,
Arb,Arb,Arb,ArbNotO,Arb,Arb)\/
(s=True,Arb,Arb,Arb,Arb,Arb,False,
Arb,Arb,Arb,Zero,Arb,Arb) ==>
(m=Cruise)=>(NextState(s,rn,v,p)t=(Shutdown,T,Close»I
(NextState(s ,m,v ,p)t=(Shutdown, v ,Close»",
REPEAT GEN_TAC
THEH PURE_REWRITE_TAC[NextState;R_COND;RUNNING;S_COND;
WATCHOUTjOVERTEMP;WFAILED;DEMAND; IDLE; ILLEGAL;
Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC(]
THEN CONV_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC(] THEN CONO_CASES_TAC
THEN REWRITE_TAC(PWH;Eq_DEF;Zero] THEN BETA_TAC
THEN REWRITE_TAC[ArbNotO_Not_Zero]);;
% Idle transition condition 1 %
let ICON01_lemma = prove_thm(' ICorml_lemrna' •
"!(t:time) s m v p.
«m=Cruise) /\ (s=True,False,Arb,False,False,False,
True.Arb.Arb.Arb.Zero.Arb.Arb»
==> (NextState(s.m,v.p)t=
(Idle,T,PWH(p,ANGLE s t,-idledern))",
PURE_REWRITE_TAC[NextState;R_COND;S_CONDiI_COND;RUNNING;
WATCHOUT;OVERTEMP;WFAILEO;DEMAND; IDLE; ILLEGAL;BRAKE;
Annex C: HOL Specification of DB\V Controller 283
GEAR;CRUISE;Xor2_DEF;True_DEF;False_DEFJ
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TACC]
THEN CONY_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC[Not_DEF] THEN BETA TAC
THEN REWRITE_TAC[Zero_Eq_O]
THEN REWRITE_TAC[Mode_dist2]);;
% Idle transition condition 2 %
let ICOND2_lemma prove_thm('ICOND2_1emma',
H!(t:time) s m v p.
«m=Cruise) 1\ (s=True,Arb.True.False.False.False.
True.Arb.Arb.Arb.Zero.Arb.Arb»
==> (NextState(s.m.v.p)t=
(Idle.T.PWM(p,ANGLE s t.-idledem»)",
PURE_REWRITE_TAC[NextState;R_CO~fD;S_COND;I_COND;RUNNING;
WATCHOUT;OVERTEMP;WFAILED;DEMAND;IDLE; ILLEGAL;BRAKE;
GEAR;CRUISE;Xor2_DEF;True_DEF;False_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC(]
THEN CONY_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC[Not_DEF] THEN BETA_TAC
THEN REWRITE_TAC(Zero_Eq_O;Mode_dist2]);;
% Idle transition condition 3 %
let ICOND3_1emma = prove_thm('ICOND3_1emma'.
H!(t:time) s m v p.
(m=Hanual) /\
«s=True,False,False,False,False,False.
r"
True,Arb,Arb,Arb,Zero,Arb,Arb)\/
(s=True,False,True.False,False,False,
True.Arb.Arb.Arb.Zero.Arb.Arb) \/
(s=True.True.True.False.False,False.
True.Arb.Arb.Arb.Zero.Arb,Arb»
Annex C: HOL Specification of DB\V Co nt ro ller 284
==> (NextState(s,m,v,p)t=
(Idle,v,PWM(p,ANGLE s t,-idledem»)",
PURE_REWRITE_TAC[NextState;R_COND;S_COND;I_COND;RUNNING]
THEN PURE_REWRITE_TAC[WATCHOUT;OVERTEMP;WFAILED;DEMAND]
THEN PURE_REWRITE_TAC[IDLE;ILLEGAL;BRAKE;GEAR;CRUISE]
THEN PURE_REWRITE_TAC[Xor2_DEF;True_DEF;False_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAC
THEN ASH_REWRITE_TAC[]
THEN CONV_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TAC[Not_DEF] THEN BETA_TAC
THEN REWRITE_TAC[Zero_Eq_O;Mode_Distinct;Mode_dist3]);;
Yo Cruise transition condition 1 %
let CCOND1_lemma = prove_thm('CCOND1_lemma',
II !(t :time) s m v p.
«m=Hanual) /\
(s=True,True,False,False,False,False,False.
Arb,True,Arb,ArbNotO,ArbNotO,Arb))
==>(NextState(s,m,v,p)t=
(Cruise,v,PWM(p,ANGLE s t,SPEED s t)))".
REPEAT GEN_TAC
THEN PURE_REWRITE_TAC[NextState;R_COND;S_COND;I_COND;
C_COND;RUNNING;WATCHOUT;OVERTEMP;WFAILED;DEMAND;
SPEED;RESUME;IDLE;ILLEGAL;BRAKE;GEAR;CRUISE;
Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAe
THEN ASM_REWRITE_TACC)
THEN CONV_TAC (DEPTH_CONV let_CONY)
THEN REWRITE_TACCEq_DEFJ THEN BETA_TAC
THEN REWRITE_TAC[Mode_Distlnct;Mode_dist3;
ArbNotO_Not_Zero); ;
% Cruise transition condition 2 %
let CCOND2_lemma = prove_ thm( (CCmID2_lemma (,
Annex C: HOL Spe cificnf.io u of DBW Co nt roller 285
"!(t:time) s m v p.
«m=Idle) /\
(s=True,True,False,False,False,False.
True,Arb,Arb,True,Zero,Arb,Arb»
==>(NextState(s,m,T,p)t=
(Cruise,T,PWM(p,ANGLE s t,SPEED s t)))",
PURE_REWRITE_TAG[NextState;R_GOND;S_COND;
I_GOND;G_GONO;RUNNING;WATGHOUT;OVERTEMP;WFAILED;
DEMANO;SPEED;RESUME;IDLE;ILLEGAL;BRAKE;GEAR;CRUISE;
Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_TAC THEN REPEAT STRIP_TAe
THEN ASK_REWRITE_TAC[]
THEN CONV_TAG (DEPTH_CONV let_CONV)
THEN REWRITE_TAG[Zero_Eq_O;Mode_Distinct);;
X Traction transition condition %
let TCONO_lemma = prove_thm('TCOND_lemma',
"!(t:time) s m v p.
«m=Kanual) /\
(s=True,False,Arb.False,False,False,False.
Tru6,Arb,Arb.ArbNotO.Zero.Arb» ==>
(NextState(s.m.v.p)t=
(Traction,v,PWK(p,ANGLE s t,DEMAND s t»)II.
REPEAT GEN_TAG
THEN PURE_REWRITE_TAGCNextState;R_COND;S_COND;I_COND;
G_COND;T_COND;WATCHOUT;OVERTEMP;WFAILED;DEMAND;SPEED;
RESUME;IDLE;ILLEGAL;BRAKE;GEAR;CRUISE;TRACTION;
RUNNING;Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_TAG THEN REPEAT STRIP_TAG
THEN ASH_REWRITE_TAC[]
THEN CONV_TAG (DEPTH_CONV let_CONY)
THEN REWRITE_TAG[Mode_Distinct;ArbNotO_Not_Zero]
THEN REWRITE_TAC[Hode_dist3;Eq_DEF]
THEN BETA_TAG THEN REWRITE_TAC[ArbNotO_Not_Zero;Zero]
•
Annex C: HOL Sp ec ific at io u of DB\V Cout ro ller 286
THEN BETA_TAC);;
% Manual transition condition %
let MCOND_lemma = prove_thm('MCOND_lemma',
"!(t:time) s m v p.
(-(m=Shutdown) /\
(s=True,Arb,Arb,False,False,False,False,False,
False,False,ArbNotO,Arb,Arb)) ==>
(NextState(s,m,v,p)t=
(Hanual,F,P\o1M(p,ANGLEs t,(DEHAND s)t)))",
REPEAT STRIP_TAC
THEN PURE_REWRITE_TAC[NextState;R_COND;S_COND;I_COND;
C_COND;T_COND;WATCHOUT;OVERTEMP;WFAILED;DEMAND;SPEED;
RESUME;IDLE;ILLEGAL;BRAKE;GEAR;CRUISE;TRACTION;
RUNNING;Xor2_DEF;True_DEF;False_DEF;Not_DEF]
THEN BETA_ TAC THEU ASM_REl.O/RITE_TAC C]
THEN CONV_TAC(DEPTH_CONV let_CONV)
THEN REWRITE_TACCTrue_DEF;False_DEF;Eq_DEF;
ArbNotO_Not_Zero]
THEN BETA_TAC THEN BOOL_CASES_TAC "Arb t:bool"
THEN REWRITE_TAC[]);;
%------------------------------------------------------------
% Deterministic properties of the Finite State Machine
%------------------------------------------------------------
new_type_abbrev ('OpSig' ,":Mode#bool#Dir");;
let Init = new_definition ('Init_DEF',
"Init (ip,op) = It. INIT(ip.op)t");;
let Sate = new_definition ('Safe_DEF',
"Safe (ip,op) = !t. SAFE(ip.op)t");;
Annex C: HOL Spec ifi catio u of DBvV Cant rolie l' 287
let Nextstate = new_definition ('Nextstate_DEF',
"Nextstate (s ,rn,v ,p) «(s': -sig_ty) ,m' .v ' ,p')
!t. NextState(s,m,v,p)t = (m',v',p')");;
let FSM = prove_thm ('FSM',
"(!ip op. Init(ip,op) ==> Saf eIi.pj op) /\
( ! ip op ip' op'.
Nextstate (ip,op)(ip',op') /\ Safe(ip,op) ==>
Sate(ip' ,op'» ==>('(e:time->-sig_ty).
LSA (Init ,Next state) e=PLSA (Init ,Sate ,Nexts tat e)e)" ,
STRIP_TAC
THEN POP_ASSUH (MP_TAC 0 GEN_ALL 0 (SPECL[
"(ip: t i.me->" sig_ty)t" ;..(op:time->OpSig) t" i
"(ip:time->-sig_ty)(SUC t)";"(op:time->OpSig)
(SUC t)"]»
THEN POP_ASSUM (MP_TAe 0 GEN_ALL 0 (SPECL[
,,(ip:time->- sig_ty)t"; "{cp :time->OpSig)t"]»
THEN REWRITE_TAC [LSA;PLSA] THEN REPEAT STRIP_TAC
THEN EQ_TAC THENL [STRIP_TAC
THEN EXISTS_TAe "s:time->OpSig"
THEN ASM_REWRITE_TAC[] THEN INDUCT_TAC
THENL [RES_TAC;
RES_TAC THEN POP_ASSUH(\th.ALL_TAC)
THEN POP_ASSUH HP_TAC
THEN ASH_REWRITE_TACO];
STRIP_TAC THEN EXISTS_TAe "s:time->OpSig"
THEN ASH_REWRITE_TAC()]);;
Annex D: Formal Specification
of Solid Modelling
D.l Definitions
V" COMP...DEF f- 'Vs. COMP 8 = UNIV DIFF 8
VMETRIC..DEF I- 'VI'. METRIC r = (V.I' y. 0::; " ,r!l) 1\ (V.r y. r;; ,II = r !I.I;) 1\
("1:1: y. (.1: = y) :J (,..1' y = 0)) /\ (V,I' .II':. I' ,I' ::::; I' .1:.11 + /'!J';)
x
DISTANCE_DEF I- v.-c y. DISTANCE ,1'.11 = ((.!: = .II) => 0 11)
.,I.
OPEN-BALL...DEF I- Vs .r R. OPEN_BALL"s ,I:R =
r>
{y 1/3d .II IN s /\ METRIC s : d .1' .11 ::; n}
,; OPEN...DEF I- Vs. OPEN s = (V,/:, (3R . .l: IN OPEN_BALL .5 .c U))
x_ NEIGHBOUR..DEF I- VJ: :;. NEIGHBOUR (.r ...;) = {.II I !/IN :; /\ (3.1/'. y' = .d}
./ CLOSEDJ)EF I- 'Vs, CLOSED,.; = OPEN (COMP ,~)
x LIMIT...DEF I- V,I: s . LIMIT [r. .,):::(Vs' (.s' = NEIGHBOUR (x. s')) /\ (3!J. ylN s' r; ~
~ "'"
_., (!J = ,r))) \\JVv.-.-:-I OAI w<.(" ....\ ~p
/ CLOSURE_DEF I- Vs, CLOSURE" =,~ UNION {.L·I LIMIT (,r.s)}
y' ,/ INTERIOR_DEF I- Vs, INTERIOR" = {,I' I 31, OPEN 1 /\ 1 SUBSET.~ /\ .1' IN l}
Y / INSIDE..DEF I- V.V -'.INSIDE (,r.") = .r IN INTERIOR ,;
X / BOUNDARY..DEF I- V", BOUNDARY, =
{x 1;1: IN CLOSURE" /\ s: IN CLOSURE (COMP sl}
/ ON...DEF I- V,I' s . ON (.I' ..~) = ,f' IN BOUNDARY"
/ THIN...DEF I- V.s, THIN:,; = (INTERIOR (CLOSURE s) = { })
Annex D: Formal Specification of Solid Modelling---------------------------------------289
THINBOUND_j)EF f-- V..,.THINBOUND, = THIN (BOUNDARY,;)
REGULAR_j)EF r V.~.REGULAR .; = CLOSURE (INTERIOR 8)
REGULARISED_j)EF f-- VS. REGULARISED -' = (.;= REGULAR ,,)
REG_UNION_j)EF r V ..; t ,» REG_UNION t = REGULAR (s UNION t)
REG_INTER_j)EF r V.~ t. 8 REG_lNTER t = REGULAR (s INTER t)
REG_j)IFF_j)EF f- V., to" REG_DIFF t = REGULAR (s DIFF t)
REG_COMP_j)EF f- V .s. REG_COMP., = REGULAR (COMP 05)
in..DEF r Vt s. t in s = t REG_lNTER INTERIOR s
on..DEF f- Vt s . t. on oS = I REG _INTER BOUNDARY.,
r Vt s.L outs = t REG_lNTER COMP ...out..DEF
point_TY..DEF f-- 3l'ep. TYPE_DEFINITION (TRP (Av tI. (3110 111 n~. " = Ho, III. ,,~) 1\
(LENGTH /I = 0))) i'(P
point_ISO..DEF f-- (Va. ABS_point ( REP_point Cl) = (I.) 1\
(VI'. TRP (Au tl. (31/{) III ",!. I' = nn. "'1. /1.2) 1\
(LENGTH tl = 0)) ,. = (REP_point (ABS_point ,.) = 1'))
POINT.DEF r 'Vno lit /1.2, POINT i/Q III /I.,! = ABS_point (Node (110, 1I1,Il:.!) [J)
X_j)EF r VJ: !I z . X (POINT.I' .'I:) = J'
Y..DEF f-- 'V£ !J r ,Y (POINT J'.lI :) = .II
Z.DEF r 'Vx ,I}':. Z (POINT .1' !I :) = .:
object_TY..DEF f-- 3,'ep. TYPE_DEFINITION (TRP (,\[1 II. (3so SI· l' = So, sd 1\
(LENGTH tl = 0))) 1'( i'
object...ISO_j)EF r ('Va.ABS_object I REP_object (1\ = (I) 1\
('V,.. TRP PI If. (3"",!, ( = .'ft·'1 i 1\
(LENGTH 11= 0)) i' = IREP_object (ABS_object r ) = I'))
OBject.DEF f- 'Vsn'l. OBject "11 ·'1 = f\BS_object (Node (,;(). "1) [j)
b_j)EF r Villff.rio,· bou ud, b iOBject i ut r rt o r !'ollnd) = bound
LDEF f-- 'Vil1/Fl'iol' bOlil/ri. i I OBject ililuiol' hOllllrl) = inferior
Closure_j)EF r V.·\. Closure ,., = b . \ UNION i ..\
Annex D: For-mal Sp ecificat ion of Solid Modelling 290
HAS_CARD..DEF f-- V.\ II. HAS_CARD.\ II = (C.<\RD.I = 1/)
OBJECT..DEF I- V.\. OBJECT.\ = CLOSED (Closure .\) /\ .(b .-1= {}) 1\
(3n. HAS_CARD (Closure .-\l 1/)
OBJ..DEF f-- V.-\. OBJ .-1= (OBject (i .\) (b .-1))
DOT..DEF ~- VD. DOT D = OBJECT U 1\ (CARD (b J)) = I) 1\ (i D = {})
CURVE..DEF I- Vc. CURVE (' = OBJECT C 1\ .(i (' = {}) 1\ (FINITE (b C))
OPEN_CURVE..DEF I- VC. OPEN_CURVE (' = CURVE C 1\ (HAS_CARD (b C) 1)
SURFACE..DEF I- Vs. SURFACE., = OBJECT 8 1\ .(i.'i = { }) 1\
(3 C. CLOSED_CURVE C 1\ (Closure C SUBSET (b »»
PRIMITIVE..DEF I- Vp. PRIMITIVE p = OBJECT p 1\ (Vs! S2. SURFACE St 1\
SURFACE S2 :J (DISJOINT (Closure si ) (Closure S2)))
HOLLOWED..DEF I- Vk. HOLLOWED I.: = PRIMITIVE I.: 1\ (V"I s'!. SURFACE St 1\
SURFACE s~ :J (DISJOINT (Closure ~I) (Closure s2)))
PLANE-DEF I- Vp. PLANE p = SURFACE p 1\ (VIt. (h IN (Closure JI)) :J (31.: I ni n.]: *
X (h) + I * Y (h) + II/ * Z (h) = n)}
FAR...5PACE-DEF I- Vf I.: I rH II. FAR_SPACE f(I.:.I. m. n ) = SURFACE f 1\
('r/x. (.I: IN Closure f)) :J (/.: * X (,I:) + I * Y (x) + III. Z (.r) ~ n)
NEAR_SPACE..DEF I- Vf I.: / III II NEAR_SPACE f(I.:.I. Ill. II) = SURFACE f 1\
(V.I:. (x IN Closure f)l :J (1..;< X (.1') + I * Y (.I') + III. Z (x) :5 11)
BLOCK...DEF I- VdJ.' rly d z: l irli . BLOCK (d.l'.dy.d;) (1.11'. h) =
{p 13(. PRIMITIVE t 1\ (fliN t) 1\
(FAR_SPACE(b.)(I O.O.d.l') 1\ (NEAR_SPACE(bt') (I.O.O.I+rI.r) 1\
(FAR_SPACE(bc) (O.l.O.tI.II) 1\ (NEAR_SPACE(bel (O.l.O,w+riy) 1\
(FAR_SPACE(b t') ((J.U.l.d:) 1\ (NEAR_SPACE(b F) (O.O.l,h+d::)))))))}
SQR...DEF f-- VJ'. SQ R .t = .1' * .1'
CYLINDER.J{-DEF I- Vd.1' d.ll d : ,./1. CYLINDER_X \'/1'.1/.1/ . .1:) (I'. II} =
{p I 3e. PRIMITIVE r 1\ (jl IN cj 1\
(NEAR_SPACE(bc) (l,il.U.Jrj 1\ (FAR_SPACE(b r) (t.O,O,h+rI.l') 1\
(SQR (Y (/1) + ".1/) + SQR (Z (/1) + d::) ::; SQR (/'))))}
Annex D: Formal Specification of Solid Mo delli ng 291
CYLINDER_Y_DEF I-- Vd.: dy cl: I It. CYLINDER_Y (Jr. dfl. <I::) (I'. h) =
{p I 3c. PRIMITIVE (" 1\ (p IN c) 1\
(NEAR_SPACE tb c) (\i. l. u. ",Ii) 1\ (FAR_SPACE (b c) lOo I, O. II + ely) 1\
(SQR (X (p) + Jr) + SQR (Z (fl) + cl::) :::; SQR (r))))}
CYLINDER.2_DEF I-- Vd.!: dy"~ I It. CYLINDER-Z (b. d.ll. r/::) (I', h) =
{p I 3c. PRIMITIVE c 1\ (piN c) 1\
(NEAR_SPACElbr·)(O.U.l,rI::) 1\ (FAR_SPACE(bc)(O.O.I,h+d:) 1\
(SQR (X (p) + ,IJ') + SQR (Y (p) + rI.II) :::; SQR (,'))))}
BUILD...DEF I-- (Vf. BUILD 0 = ,\/. { }) 1\ (V/. BUILD (CONS hd II) = ).,f.lul f BUILD [II])
NULL...DETECT...DEF I-- Vs. = ((BUILD.) REGJNTER) = {I)
lo7ithin...DEF I-- Vn k p. within 1/ (A-. p) = ((k :::; I') 1\ (I.-:::; II.) 1\ (11 S p»)
OVERALL..B...DEF I-- Vr/;- dy tl : I II' h. OVERALL_B i dr. dy. d::) (I. ur, II) =
{p I (X (/1) within (d.l'.1 + ri.r)) 1\ (Y (d within (fly. (II + dy)) 1\
(Z (p) within t d z . h + d:))}
OVERALL_CX_DEF I-- Vd.l: dy d : I' h.
OVERALL-CX (dr.. dy. if:) (I'. h) = OVERALL_B id», dy. d::) (h, 2 * 1',2 * r )
OVERALLCY...DEF I-- Vdx ely d : I' h.
OVERALL_CV (dr, d.'/. d:) (I', Ir) = OVERALLB t d», uy, cl:) (2 * 1', h. 2 * r ]
OVERALL_CZ_DEF f-- Vd.L· dy cl: I' I,.
OVERALL_CZ (b. Ii!!. d::) (". II) = OVERALLB ((/.1;, d u, Ii::) (2 * 1', '2 * 1', h)
D.2 T'heor ems
DIFLUNION I-- Va c rI. (J DIFF ((' UNION di = 1/. DIFF (cl UNION c)
AND...DISTR I-- V.I' ,II:. (.r V .tI) 1\ : =1' 1\ :: V .'/ 1\ ::
UNION__.5UBSET I-- Va (' d. (a UNION ,.) SUBSET cl =:ll{ SUBSET r/ 1\ (. SUBSET cl
SUBSET...ABSORP I-- Va I'. (J SUBSET, =:l (II UNION (' = (.)
COMP_UNIV I-- V8 .. - UNION COMP .- = UNIV
COMP...DISJOINT f-- V.~.. ~ INTER (orvIP.', = { }
COMP_UNION f-- VS I. COMP (, UNION t) = COMP., INTER COMP I
Annex D: Formal Specificat.ion of Solid Modelling--------------------------292
COMP_INTER i-- V" /. COMP (s INTER l) = COMP.'i UNION COMP t
COMP...DIFF I-- Vs t. COMP (., DIFF /) = COMP s UNION I
COMP-EQ i-- V...t. (" = t) => (COMP.'i = COMP /)
CaMP_IDEM I-- VS. COMP (COMP ,) = .')
METRIC...DISTANCE I-- METRIC DISTANCE
OPEN...EMPTY I-- OPEN { }
OIST..REFL I-- Vr d. METRIC d => (d :1: .1: = 0)
METRIC~enuna f- Vs .r'. (3R d. J,I IN ,..;/\ METRIC cl => d J.I x' '5 m
OPEN_UNIV f- OPEN UNIV
OPEN_INTER f- Vs t. OPEN Ii ;\ OPEN t J OPEN (., INTER /)
OPElLUNION f- Vs /. OPEN s /\ OPEN t J OPEN (,' UNION t)
CLOSED-EMPTY f- CLOSED { }
CLOSEO_UNIV f- CLOSED UNIV
CLOSED_INTER f- Vs t. CLOSED s /\ CLOSED I. J CLOSED (s INTER t)
CLOSED_UNION f- Vs t. CLOSED s r; CLOSED I J CLOSED (s UNION t.)
IN..LIHIT f- "1$. CLOSED 8 = (V.I'. LIMIT (.1.: . .5) J .1: IN ,,)
IN_CLOSURE f- Vx 8 . .r IN CLOSURE s J -,(-'INTER NEIGHBOUR (.1:. s) = {})
CLOSURE_CLOSED i-- 1:/ ..... CLOSED ., = (., = CLOSURE ..;)
LIMIT..REFL I-- Vs. s UNION {.r I LIMIT (.1' .. 'i)} = .'i
CLOSURE_5UBSET i-- 1:/ .• t .. 'i SUBSET t J CLOSURE.'i SUBSET CLOSURE I
CLOSURE_UNION i-- 'V'~ t. CLOSURE ( ....UNION /) = CLOSURE .'i UNION CLOSURE t
CLOSURE~emma I-- V... I. CLOSURE (-' INTER /) SUBSET (CLOSURE.s INTER CLOSURE t)
BOUNDED f- v.!: x , INSIDE (.T' •.... ) J I' = NEIGHBOUR (.,. ....))
INTERIOR...DISJOINT i- Vs ,r. -'(./'IN INTERIOR., 1\ .r IN COMP (INTERIOR .5))
INTERIOR_IOEM f- Vs. INTERIOR .'i =.,
INTERIOR-EMPTY f- 'V.,.(INTERIOR.'i = {}) J (s = {})
Annex D: Formal Specification of Solid Modelling 293
INTERIOR....DPEN r vs . (s :::: INTERIOR .-;) :::: OPEN .,
INTERIOR...sUBSET r V.-; t. s SUBSET I =:l INTERIOR s SUBSET INTERIOR t
EXISTS....DPEN r 'i8 I. (:3i'. OPEN /' 1\ (V.r'. x' IN /' =:l .r' IN s V x' IN i))
INTERIOR..INTER r V.., i.INTERIOR ( ., INTER /) :::: INTERIOR s INTER INTERIOR t
INTERIOR_UNION r Vs t. (INTERIOR s UNION INTERIOR I) SUBSET
INTERIOR (s UNION t)
INTERIOR_CLOSURE r "Is. INTERIOR s SUBSET INTERIOR (CLOSURE s)
INTERIOR_DIFF r VoSI. INTERIOR (8 DIFF I) :::: INTERIOR.-; DIFF INTERIOR t
BOUNDARY..l.emma r "18. BOUNDARY.j ::::CLOSURE.) INTER CLOSURE (COMP ,~)
BOUNDARY-CLOSED r Vs. CLOSED (BOUNDARY s )
BOUNDARY-COMP r 'is. BOUNDARY.s :::: BOUNDARY (COMP..;)
CLOSURE...BOUNDED r Vs. CLOSURE.~ :::: s UNION BOUNDARY s
CLOSURE..IDEM r VS. CLOSURE ., ::::S
CLOSURE..INTER f- Vs I. CLOSURE (8 INTER I) :::: CLOSURE s INTER CLOSURE t
CLOSURE..l.emrnal r "18. CLOSURE 8:::: INTERIOR.> UNION BOUNDARY s
INTERIOR_COMP f- Vs. INTERIOR.~ :::: COMP (CLOSURE (COMP si)
COMP_rNTERIOR I- Vs. COMP (INTERIOR s ] = CLOSURE (COMP s ]
COMP_CLOSURE r "1$. COMP (CLOSURE ...) :::: INTERIOR (COMP s)
CLDSURE_DISJOINT r VS. DISJOINT (INTERIOR .,) (BOUNDARY 8)
UNIV_COMPOSIT r Vs I. INTERIOR .- UNION (BOUNDARY .; UNION
INTERIOR (COIV1P .,)) :::: UNIV
BOUNDARY-UNION...sUBSET r V, I. BOUNDARY l·'; UNION I) SUBSET
(BOUNDARY., UNION BOUNDARY I)
BOUNDARY..INTER...sUBSET r V, I. BOUNDARY (s INTER I) SUBSET
(BOUNDARY., UNION BOUNDARY I)
BOUNDARY_DIFF...sUBSET r V., I. BOUNDARY (., DIFF I) SUBSET
(BOUNDARY ...UNION BOUNDARY / j
Annex D: Formal Specification of Solid Modelling 294
INTERIOR_UNIOLSUBSET r V..;I INTERIOR (s UNION I) SUBSET
(INTERIOR ., UNION (INTERIOR I UNION
(BOUNDARY.~ INTER BOUNDARY I)))
BOUNDARY_UNION r "18 I. BOUNDARY (.-; UNION l) =
(BOUNDARY,~ INTER INTERIOR (COMP I)) UNION
((INTERIOR (COMP ,,) INTER BOUNDARY l) UNION
(BOUNDARY 8 INTER (BOUNDARY tiNTER
CLOSURE (COMP 8 INTER COMP I))))
BOUNDARY..INTER I- Vs t. BOUNDARY (., INTER I) =
(BOUNDARY.~ INTER INTERIOR I) UNION
((INTERIOR ..;INTER BOUNDARY /) UNION
(BOUNDARY s INTER (BOUNDARY I INTER
CLOSURE (8 INTER f))))
BOUNDARYJHFF f- Vs f. BOUNDARY (..;DIFF f) =
(BOUNDARY.'i INTER INTERIOR (COMP I)) UNION
((INTERIOR s INTER BOUNDARY t) UNION
(BOUNDARY 8 INTER (BOUNDARY liNTER
CLOSURE (s INTER COMP I))))
CLOSED...BOUNDARY..INTERl r V..;;/. CLOSED.~ /\ CLOSED f :)
(BOUNDARY (8 INTER t) =
(BOUNDARY s INTER INTERIOR t) UNION
((INTERIOR oS INTER BOUNDARY t) UNION
(BOUNDARY.s INTER BOUNDARY f)))
CLOSED..BOUNDARY..INTER2 f- V., /. CLOSED., /\ CLOSED / :J
(BOUNDARY (8 INTER /) = (., INTER BOUNDARY /) UNION
(BOUNDARY siNTER Il)
THIN...sUBSET f- '<:I ...; I. THIN.- /\ I SUBSET -':J THIN 1
THINBOUND_CLOSED I- V..;.CLOSED, :J THINBOUND ..;
THINBOUND_OPEN r Vs. OPEN .' :J THINBOUND,
THIN_UNION I- 'lis I.THIN 8 r. THIN I :J THIN (.- UNION I)
THIN_INTER r 'rf.~ /. THIN.~ II THIN / :J THIN (., INTER /)
Annex D: Formal Specification of Solid Modelling 295
THIN...DIFF r "Is /. THIN :i A THIN I :J THIN (., DIFF t)
THINBOUND_UNIOLSUBSETl rV, f. THINBOUND.s A THINBOUND I :J
INTERIOR (05 UNION /) SUBSET CLOSURE (INTERIOR s UNION INTERIOR I)
THINBOUND_UNION_5UBSET2 r V., /. THINBOUND s A THINBOUND t :J
(CLOSURE (INTERIOR (.~ UNION I)) =
CLOSURE (INTERIOR., UNION INTERIOR /))
THINBOUND-INTER_5UBSETl r '1.-; f. THIN BOUND.., A THINBOUND I :J
INTERIOR (CLOSURE" INTER CLOSURE t) SUBSET CLOSURE (8 INTER /)
THINBOUND-INTER_5UBSET2 r Vs / THIN BOUND .., 1\ THINBOUND I :J
(INTERIOR (CLOSURE (., INTER I)) =
INTERIOR (CLOSURE., INTER CLOSURE t)l
REGULAR_CLOSED r "1.'<. CLOSED (REGULAR s )
THIN...REGULAR I- V,.,. THINBOUND (REGULAR "l
REGULAR...EMPTY r Vs. REGULARISED.~ A (INTERIOR 8 = { }) :::> ($ = { })
REGULAR-IDEM r Vs. REGULAR 8 = 8
REGULAR...REFL f- VS. REGULARISED (REGULAR.'i)
IMP-LEFT f- Va b c. (a:::> b A c) :J (1/ :J Ii)
IN_IMP! r "Is I i'. (V,t'. x IN t' :J ,I' IN ..; A ,I: IN l) :::> (V.r. x IN l' :::> x IN s)
IN_IMP2 f- "Is I t'. (V.r . .r IN /' :J.I: IN sA." IN /) :::> (V,e. J: IN I' :::> J: IN t)
REGULAR-INTER f- Vs /. REGULAR (., INTER /) = REGULAR 8 INTER REGULAR t
INTERIOR...REG_INTER f- Vs/.INTERIOR ( .; REGJNTER I) =
INTERIOR (REGULAR ., INTER REGULAR f)
REGULAR...REG_INTER r Vs t» REG_lNTER / = REGULAR.~ REGJNTER REGULAR /
REGULAR_UNION f- Vs /. REGULAR (0; UNION /) = REGULAR.., UNION REGULAR t
REGULARISED...REG_INTER r V..; /. REGULARISED., A REGULARISED t :J
(INTERIOR (" REGJNTER /) = INTERIOR., INTER INTERIOR I)
REGULARISED...REG_UNION I- V., /. REGULARISED., A
REGULARISED / :J (.0; REG_UNION t = ..;UNION l)
Annex D: For-mal Specification of Solid Mocle lli ng 296
REGULARISED..R.EG...DIFF f- V .., I. REGULARISED., 1\
REGULARISED / :J (., REG_DIFF / =.' REG_lNTER REG_COMP I)
REG_COMP_lemma f- Vs. CLOSED., :J (REG_COMP 0; = CLOSURE (COMP si)
REG...DIFF_lemma f- V" I. s REG_DIFF / =, REG_lNTER COMP 1
COMP.JI.EG_UNION f- Vs /. COMP (., REG_UNION I) = COMP.,; INTER COMP t
INTERIOR.JI.EG_COMP f- Vs i.INTERIOR (REG_COMP .,) = COMP s
BOUNDARY.JI.EG_COMP f- Vs t. BOUNDARY (REG_COMP 8) = BOUNDARY s
COMP.JI.EG_COMP f- V., /. COMP (REG_COMP.,) = INTERIOR oS
INTERIOR..R.EG...DIFF f- Vs t. INTERIOR (., REG_DIFF I) = INTERIOR slNTER COMP t
BOUNDARY.JI.EG_UNION f- Vii I. BOUNDARY (., REG_UNION I) =
(BOUNDARY.s INTER COIVIP I) UNION
((COMP / INTER BOUNDARY /) UNION
(BOUNDARY.5 INTER (BOUNDARY 1 INTER
CLOSURE (COMP.5 INTER COMP til))
BOUNDARY.JI.EG_INTER f- VS I. BOUNDARY (,,; REG_lNTER I) =
(BOUNDARY s INTER INTERIOR /) UNION
((BOUNDARY t INTER INTERIOR s ) UNION
(BOUNDARY 8 INTER (BOUNDARY I INTER
CLOSURE (INTERIOR s INTER CLOSURE I))))
BOUNDARY.JI.EG...DIFF f- Vs/. BOUNDARY (.~ REG_DIFF l) =
(CLOSURE 8 INTER BOUNDARY (COMP I)) UNION
((INTERIOR oS INTER BOUNDARY I) UNION
(BOUNDARY siNTER (BOUNDARY / INTER
CLOSURE (INTERIOR.-; INTER COMP I))))
MEMBER-1emma f- V.'i /.1 = (/ in .,) UNION ((Ion') UNION (i out .,))
MEMBER...DISJOINT /- Vs I. ((/ in .,) REG_lrHER (/ on .,) = { }) 1\
((Ion x ] REG_lNTER (/ out .,) = { I) 1\ ((/ in 8) REG_lNTER (/ out 8) = {})
IN...sUBSET f- VS I. (I in "') SUBSET REGULAR (INTERIOR s)
ON...sUBSET f- V81.(1 on 8) SUBSET REGULAR (BOUNDARY,;)
OUT..sUBSET f- Vs t. (t out 8) SUBSET REGULAR (COMP .,)
Annex D: Formal Specification of Solid Modelling 297
MEMBER..INTER I- V8 St "'"2 I. (.- =-'i REG_lNTER '';'!) :)
(t in -' = (I in SI) REGJNTER (t in s:.»)
Point_Axiom I- vi.(?N!II. (VII\j lit "> III (POINT 110 "I II~):= f 110 IItIl2))
Obj ec ti.Ax i om I- Vf. (?NJII. (V"I) "1, I" (OBject "11 "I) = f So St))
EXISTS_OBJECT I- ::lA. OBJECT ..\
FINITE..oBJECT I- VA. OBJ ECT . \ J (-,(Closure :1 = { }))
UNIqUE_OBJECT I- V ;\1 N. OBJECT H 1\ OBJECT jV :) (((b (.\f) = b (;V)) /\
(i (.\1) = i (;\'))) J (OBJ .If = OBJ.v))
DISJOINT ..MEMBER I- V:\ B.
(DISJOINT (Closure .·1) (Closure U)):) ((i"-\ INTER i B = {}) /\
(b ,.\ INTER i B = ( }) 1\ (i.1 INTER b B = { }) /\ (b;\ INTER b 8 = { }))
NON_OVERLAP...ELEMI- V.l.OBJECT.1 J (i.1 (·'O;VSTINTf:;R b A = {})
DOTJWT_CURVE I- VD DOT n J ..,(CURVE ())
DOT...NOT..sURFACE I- VD. DOT J) J -,(SURFACE D)
NON-EMPTY I- Vp. PRIMITIVE i' J (3a. et IN (Closure p))
ENCLOSED I- 'tip I'. (l/IN (Closure ,')) = ((piN (b 1')) V (p IN (i I')))
BOUNDED I- V P. PRIM ITIVE IJ J -,(Closure l' = { })
CONNECTED I- 'tIP::lC. PRIMITIVE P 1\ CURVE C' /\
((Closure C) SUBSET (Closure 1')) J (V.', IJ. ((,., IN (Closure Cl) /\
(8 IN (Closure C))):> ((." IN (Closure fJ)) 1\ (8 IN (Closure P))))
DOT...NOT_PRIMITIVE I- VD. DOT f) J -,(PRIMITIVE D)
POINT_INCLUSION I- Va p. -'((1 IN (Closure I')) V (a IN (b /1)) V (a IN (i p))
welLorderl I- VII n h (' d. ((1/ within ((I. b)) /\ (II within (c. d))) J (((a::; c) /\
(el::; h)) => (II within (0. I,)) I (/I within (c. d)))
welLorder2 I- Vn a II r d. ((/I within If! /,)) V (II within (I', d))) J ((((I ::; r) 1\
(cl::; b)) => (/I within (11./,)) I (/I within (c. d)))
welLorder3 I- '<i11 a h c d. ((II within (a./,)) /\ -'(1/ within (c, rI))) :) ((e::; b) /\
(d::; h)) => ((II within (OJ)) 1\ (II within (d./J))) I ((c S b) /\
(b Sri)) => (II within ((1,(.)) I (II within (n. I,))
Annex D: Formal Sp ecificntio u of Solid f-..lodellillg 298
D.3 Procedures of Proofs and Tactics
%<----------------------------------------------------------
General theorems and tactics
---------------------------------------------------------->%
let DIFF_UNION = prove_thm ('DIFF_UNION'.
"! (a:C*)set) c d. a DIFF (c UNI01~ d) = a DIFF (d UNION c)",
REPEAT GEN_TAC
THEN ONCE_DEPTH_FST_REWRITE_TAC[UNION_COMM]
THEN REFL_TAC);;
let AND_DISTR = prove_thm ('AND_DISTR',
"!x y z , (x \/ y) /\ z = (x /\ z ) \I (y /\ z ) '",
REPEAT GEN_TAC THEN BOOL_CASES_ TAC "x: bool"
THENL [REWRITE_ TAC [] THEN BOOL_CASES_ TAC "y: bool"
THEN REWRITE_TAC[);REWRITE_TAC[)));;
let UNION_SUBSET = prove_thm ('UNION_SUBSET',
"! (a:C*)set) c d. (a UNION c) SUBSET d
==> Ca SUBSET d) /\ (c SUBSET d)".
REWRITE_TAC[SUBSET_DEF;IN_UNION]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
let SUBSET_ABSORP = prove_thm ('SUBSET_ABSORP',
"! (a:C*)set) c. a SUBSET c ==> (a UNION c = c)".
REWRITE_TAC[EXTENSION;SUBSET_DEF;IN_UNION]
THEN REPEAT STRIP_TAC THEN EO_TAC
THEN STRIP_TAC THENL[RES_TAC;ASM_REWRITE_TAC[]]);;
%<----------------------------------------------------------
Extension definitions and theorems for set algebra
---------------------------------------------------------->%
let COMP = new_definition ('COMP_DEF',
"COMP (s:(.)set) = UNIV DIrr s");;
Annex D: Formal Specificntion of Solid Mo dell ing
------------------------------
299
let COMP_UNIV = prove_thm ('COMP_UNIV',
"!(s:(*)set). s UNION (COHP s) = UNIV",
GEN_TAC
THEN REWRITE_TAC[COMP;EXTENSION;IN_UNION;IN_DIFF]
THEN STRIP_TAC THEN EO_TAC
THENL [STRIP_TAC THEN REWRITE_TAC[IN_UNIV];
REWRITE_TAC[IN_UNIV;EXCLUDED_MIDDLE]]);;
let COMP_DISJOINT = prove_thm ('COMP_DISJOINT',
"!(s:(*)set). sINTER (COliPs) = n".
GEN_TAC
THEN REWRITE_TAC[COHP;EXTENSION;IN_INTER;IN_DIFF]
THEN STRIP_TAC THEN EO_TAC
THENL [REWRITE_TAC[IN_UNIV]
THEN STRIP_TAC THEN RES_TAC;
STRIP_TAC THEN REWRITE_TAC[IN_UNIV)
THEN BOOL_CASES_TAC "Cx IN s):bool"
THEN ASSUME_TAC NOT_IN_EMPTY THEN RES_TAC]);;
let COMP_UNION = prove_thm ('COMP_UNION'.
"!(s:(*)set) (t:(*)set).
COMP(s UNION t) = COMP(s) INTER COMP(t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[COMP;EXTENSION;IN_DIFF;IN_UNION;
IN_INTER; IN_DIFF; IN_UN IV]
THEN GEN_TAC THEN REWRITE_TAC[DE_MORGAN_THM]);;
let COMP_INTER = prove_thm ('COMP_INTER',
"!(s:(*)set) (t:(*)set).
COMP(s INTER t) = COMP(s) UNION COMP(t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[COMP;EXTENSION;IN_DIFF;IN_UNION)
THEN REWRITE_TAC[IN_INTER;IN_DIFF;IN_UNIV]
Annex D: Fonnal Specification of Solid l\lodelling 300
THEN REWRITE_TACCDE_HORGAN_THM]);;
let COMP_DIFF = prove_thm ('COMP_DIFF',
"! (s:(*)set) (t : (*)set).
CaMP(s DIFF t) = COHP(s) UNION t",
REPEAT GEN_TAC
THEN REWRITE_TACCCOMP;EXTENSION;IN_DIFF;IN_UNION]
THEN REWRITE_TACCIN_DIFF;IN_UNIV;DE_MORGAN_THM]);;
let COMP_EQ = prove_thm ('COMP_EQ',
"!(s:(*)set) (t:(*)set). Cs=t ) ==> «COMP s)=(COMP t»",
REPEAT STRIP_TAC THEN ONCE_ASM_REWRITE_TACO
THEN REFL_TAC);;
let COMP_IDEM = prove_thm ('CaMP_IDEM',
"!(s:(*)set). CaMP(COHP s)= S",
REWRITE_TACCCOMP;EXTENSION;IN-DIFF;IN-UNIV]); ;
%<----------------------------------------------------------
Topological space definitions and theorems
---------------------------------------------------------->%
let METRIC = new_definition ('METRIC_DEF',
"METRIC (r:*->*->num) =
(!x y. O<=(r x y» /\
(!x y. (r x y)=(r y x» /\
(!x y. (x=y) ==> «r x y) =0» /\
(!x Y z. er x z) <= er x y) + (r y z»");;
%<----------------------------------------------------------
A METRIC example : 2-D grid in first quadrant
---------------------------------------------------------->%
let DISTANCE = new_definition ('DISTANCE_DEF',
"DISTANCE x Y = (x=y ) => 0 I 1");;
Annex D: Formal Specification of Solid Modelling 301
let METRIC_DISTANCE ~ prove_thm ('METRIC_DISTANCE',
"METRIC(DISTANCE:*->*->num)",
REWRITE_TAC[DISTANCE;METRIC]
THEN REPEAT STRIP_TAC
THENL [COHD_CASES_TAC
THENL [RE~RITE_TAC[LESS_EQ_REFL];
REWRITE_TAC[ZERO_LESS_EQ]];COND_CASES_TAC
THENL [ONCE_ASM_REWRITE_TAC[] THEN REWRITE_TAC[];
COND_CASES_TAC
THENL [POP_ASSUM (\thl. POP_ASSUM(\th2.
ASSUME_TAC thl THEN ASSUME_TAC th2»
THEN POP_ASSUM MP_TAC THEN ONCE_ASM_REWRITE_TAC[]
THEN REWRITE_TAC[IMP_DISJ_THM) ;REFL_TAC]];
ONeE_ASM_REWRITE_TAC[]
THEN REWRITE_TAC[IMP_CLAUSES];
COND_CASES_TAC
THENL [RE~RITE_TAC[ZERO_LESS_EQJ;
COND_eASES_TAC
THENL [COND_CASES_TAC
TRENL [ASSUM_LIST(\t.ASSUME_TAC(
ONCE_RE~RITE_RULE[(el 1 t)] (el 2 t»)
THEN RES_TAC;
REWRITE_TAC[ADD_CLAUSES;LESS_EQ_REFL]];
COND_eASES_TAC
TRENL[REWRITE_TAC[ADD_CLAUSES;LESS_EQ_REFL] ;
REWRITE_ TAC [LESS_EO_ADD]]]]]) ;;
let OPEN_BALL ~ new_definition ('OPEN_BALL_DEF',
"OPEN_BALL 5 x R ~
{y I ?d. «y IN 5) /\ HETRIC(d»)==> (d x y)<=R}");;
let OPEN ~ new_definition C'OPEN_DEF'.
"OPEN 5 = !x.?K. x IN OPEt~_BALL s x R");;
Annex D: Formal Specification of Solid Modelling 302
let OPEN_EMPTY = prove_thm ('OPEN_EMPTY',
"OPEN (EMPTY:(*)set)",
REWRITE_TACCOPEN;OPEN_BALL;NOT_IN_EMPTYJ
THEN GEN_TAC THEN CONV_TAC SET_SPEC_CONV);;
let DIST_REFL = prove_thm ('DIST_REFL',
"!x d, METRICCd) ==> (Cd x x)=O)",
REPEAT GEN_TAC THEN REWRITE_TAC[METRICJ
THEN REPEAT STRIP_TAC THEN POP_ASSUM (\th, ALL_TAC)
THEN POP_ASSUM MP_TAC
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "x"
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "x" THEU ASSUNE_TAC EQ_REFL
THEN ONCE_ASM_REWRITE_TACC] THEN REWRITE_TAC[]);;
let METRIC_lemma = prove_thm ('METRIC_lemma'.
"! (s:(*)set) x ", ?R d. x ' IU s /\ METRIC d
==> (d x' x') <= RIO,
REPEAT GEH_TAe THEN EXISTS_TAC "RIO
THEN EXISTS_TAC "d" THEN REPEAT STRIP_TAC
THEN ASSUME_TAC DIST_REFL THEN RES_TAC
THEN ASM_REWRITE_TACCZERO_LESS_EQ]);;
let OPEN_UN IV = prove_thm ('OPEN_UNIV',
"OPEN (UNIV:(*)set)",
REWRITE_TAC[OPEN;OPEN_BALL;IN_UNIV]
THEN GEN_TAC THEN EXISTS_TAC "R"
THEN CONV_TAC SET_SPEC_CONV THEN EXISTS_TAC "d"
THEN STRIP_TAC THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_REWRITE_TACCZERO_LESS_EQ]);;
let OPEN_INTER = prove_thm ('OPEN_INTER',
"!(s:(*)set) (t:(*)set).
Annex D: Formal Specification of Solid Mocle lliug 303
(OPEN s) /\ (OPEN t) ==> (OPEN (s INTER t))",
REPEAT GEN_TAC THEN REWRITE_TAC[OPEN;OPEN_BALL]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[IN_INTER] THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "R" THEN EXISTS_TAC "d"
THEN REPEAT STRIP_TAC THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_REWRITE_TAC[ZERO_LESS_EQ]);;
let OPEN_UNION = prove_thm (rOPEN_UNION',
"!(s:(*)set) (t:(*)set).
(OPEN s) /\ (OPEN t) ==> (OPEN (s UNION t))",
REPEAT GEN_TAC THEN REWRITE_TAC[OPEN;OPEN_BALL]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[IN_UNION] THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "R" THEN EXISTS_TAC "d"
THEN REPEAT STRIP_TAC THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_REWRITE_TAC[ZERO_LESS_EQ]);;
%< - --------------_-----_-
Closed-set detinitions and theorems_________ - - -__- -__-_---_- __-_--_------------>%
let NEIGHBOUR = new_definition ('NEIGHBOUR_DEF',
"NEIGHBOUR (x,(s:(*)set» = {y I (y IN s) /\ (7y. y=x)}");;
let CLOSED = new_definition ('CLOSED_DEF',
"CLOSED (s:(*)set) = OPEI~ (COI1P5)");;
let CLOSED_EMPTY = prove_thm ('CLOSED_EMPTY',
"CLOSED (EMPTY:(*)set)",
REWRITE_TAC[CLOSED;OPEN;COMP;OPEN_BALL;IN_DIFF]
THEN GEN_TAC THEN EXISTS_TAC "R"
THEN CONV_TAC SET_SPEC_CONV THEN EXISTS_TAC "d"
THEN REWRITE_TAC[IN_UNIV;NOT_IN_EMPTY]
THEN STRIP_TAC THEN ASSUME_TAC DIST_REFL
Annex D: Formal Specification of Solid Modelling 304
THEN RES_TAC THEN ASM_REWRITE_TAC[ZERO_LESS_EQ);;
let CLOSED_UNIV = prove_thm ('CLOSED_UNIV',
"CLOSED (UNIV:(*)set)",
REWRITE_TAC[CLOSED;OPEN;COMP;OPEN_BALL;IN_DIFF)
THEN GEN_TAC THEN EXISTS_TAC "R"
THEN CONV_TAC SET_SPEC_CONV THEN REWRITE_TAC[IN_UNIV]);;
let CLOSED_INTER = prove_thm ('CLOSED_INTER',
"!(s:(*)set) (t:(*)set).
(CLOSED s) /\ (CLOSED t) ==> CLOSED (s INTER t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[CLOSED;OPEN;OPEN_BALL;
COMP;IN_DIFF;IN_UNIV]
THEN REPEAT GEN_TAC
THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[IN_INTER] THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "R" THEN EXISTS_TAC "d"
THEN REPEAT STRIP_TAC THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_REWRITE_TAC[ZERO_LESS_EQ));;
let CLOSED_UNION = prove_thm ('CLOSED_UNION',
"!(s:(*)set) (t:(*)set).
(CLOSED s) /\ (CLOSED e) ==> CLOSED (s UNION t)".
REPEAT GEN_TAC
THEN REWRITE_TAC[CLOSED;OPEN;OPEN_BALL;
COMP;IN_DIFF;IN_UNIV)
THEN REPEAT GEN_TAC
THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[IN_UNION] THEN REPEAT STRIP_TAC
THEN EXISTS_TAC "R" THEN EXISTS_TAC "d"
THEN REPEAT STRIP_TAC THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_RE~RITE_TAC[ZERO_LESS_EQ);;
Annex D: For-mal Specification of Solid Mo del liug 305
let LIMIT = new_definition ('LIMIT_DEF',
"LIMIT (x,(s:(*)set» =
!(s:(*)set). (s=NEIGHBOUR(x,s» /\
Oy. y IN s /\ (y=x»");;
let IN_LIMIT = prove_thm ('IN_LIMIT',
"!(s:(*)set). CLOSED(s) = (!x. LIIHT(x,s) ==> (x IN s»",
GEN_TAC
THEN REWRITE_TAC[CLOSED;LIMIT;OPEN;COMP;NEIGHBOUR]
THEN REWRITE_TAC[OPEN_BALL;IN_DIFF;IN_UNIV;EXTENSIONJ
THEN CONV_TAC(DEPTH_CDNV SET_SPEC_CDNV)
THEN EQ_TAC
THENL [CONV_TAC(DEPTH_CGNV LEFT_IMP_FORALL_CONVl
THEN EXISTS_TAC "x"
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_EXISTS_CONV)
THEN CONV_TAC(DEPTH_GONV LEFT_IMP_EXISTS_CONV)
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "s"
THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(\th. ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN PDP_ASSUM MATCH_ACCEPT_TAC;
CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "x"
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_EXISTS_CONV)
THEN REPEAT STRIP_TAC THEN EXISTS_TAG "R"
THEN EXISTS_TAC "d" THEN REPEAT STRIP_TAC
THEN ASSUME_TAC DIST_REFL
THEN RES_TAC THEN ASM_REWRITE_TAG[ZERO_LESS_EQ]]);;
%<------------------------------------------------------
Closure definitions and theorems
------------------------------------------------------>1.
let CLOSURE = new_definition ('CLOSURE_DEF'.
"CLOSURE (s:(*)set) = s UNION {x l LIMIT(x,s)}");;
Annex D: Formal Specification of Solid Modelling 306
let IN_CLOSURE = prove_thm ('IN_CLOSURE'.
"!x (s:(*)set). (x IN CLOSURE 5) ==>
-(5 INTER NEIGHBOUR(x.s)={})".
REPEAT GEN_TAC
THEN REWRITE_TAC[CLOSURE;NEIGHBOUR;EXTENSION;IN_UNION]
THEN REWRITE_TAC[IN_INTER;NOT_IN_EMPTY]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[DE_MORGAN_THHJ
THEN STRIP_TAC
THENL [CONY_TAC NOT_FORALL_CONY
THEN EXISTS_ TAC "x" THEN ASI1_REWRITE_TAC [DE_MORGAN_ THM]
THEN EXISTS_TAC "x" THEN REFL_TAC;
POP_ASSUH MP_TAC THEN REWRITE_TAC[LIMIT]
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "s" THEN STRIP_TAC
THEN CONY_TAC NOT_FORALL_CONY
THEN EXISTS_TAC "x" THEN REWRITE_TAC[DE_MORGAN_THM]
THEN ASSUM_LIST(
\th.ASSUME_TAC(REWRITE_RULE[(ell th)](el 2 th»)
THEN ASH_REWRITE_TAC[] THEN EXISTS_TAC "x"
THEN REFL_TAC]);;
let CLOSURE_CLOSED = prove_thm ('CLOSURE_CLOSED'.
"! (s :(*)set). (CLOSED s) = (s=CLOSURE s)".
GEN_TAC
THEN REWRITE_TAC[EXTENSION;CLOSURE;CLOSED;OPEN;
COMP;OPEN_BALL;IN_DIFF;IN_UNION;IN_UNIV;LIMITJ
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV) THEN EQ_TAC
THENL [REPEAT STRIP_TAC THEN EQ_TAC
THENL [REPEAT STRIP_TAC THEl~ ASH_REWRITE_TACO;
REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONY)
THEN REPEAT STRIP_TAC THEN POP_ASSUM HP_TAC
Annex D: For m al Specification of Solid Mo del ling 307
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "5" THEN REPEAT STRIP TAC
THEN ASSUM_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(el 1 th)](el 2 th»)
THEN ASM_REWRITE_TAC[]];
REWRITE_TAC[NEIGHBOUR]
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "x" THEN REPEAT STRIP_TAG
THEN EXISTS_TAC "R" THEN EXISTS_TAC "d"
THEN ASSUME_TAC DIST_REFL THEN REPEAT STRIP_TAC
THEN RES_TAC THEN ASM_REWRITE_TAC[ZERO_LESS_EQ]]);;
let LIMIT_REFL = prove_thm ('LIMIT_REFL',
"!(s:(*)set). s UNION {x l LIMIT(x,s)} = s",
GEN_TAC
THEN REWRITE_TAC[LIMIT;EXTENSION;IN_UNION;NEIGHBOUR]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN GEH_TAC THEN EQ_TAC
THENL [REPEAT STRIP_TAC THEN POP_ASSUM MP_TAG
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "s" THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(
\th.ASSUME_TAC(REWRITE_RULE[(el th)](e12 th»)
THEN POP_ASSUM MATCH_ACCEPT_TAC;
REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[]]);;
let CLOSURE_SUBSET = prove_thm ('CLOSURE_SUBSET',
"!(s:(*)set) (t:(*)set).
(5 SUBSET t) ==> «CLOSURE 5) SUBSET (CLOSURE t»",
REPEAT GEN_TAC
THEN REWRITE_TAC[CLOSURE;SUBSET_DEF;IN_UNION;LIMIT]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REPEAT STRIP_TAC
THENL [RES_TAC THEN ASM_REWRITE_TAC[];
Annex D: Formal Spec ifi ca tio n of Solid Mo d ell iug
POP_ASSUM MP_TAC THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "5" THEN REPEAT STRIP_TAC
THEN ASSUM_LISTC
\th.ASSUME_TAC(REWRITE_RULE[(ell th)]eel 2 th»)
THEN RES_TAC THEN ASM_REWRITE_TAC[]]);;
let CLOSURE_UNION = prove_thm ('CLOSURE_UNION',
"! (s:(*)5et) et:C*)set).
CLOSURE (s UNION t) = «CLOSURE 5) UNION (CLOSURE t»",
REPEAT GEN_TAC
THEN REWRITE_TAC[CLOSURE;EXTENSION;IN_UNION;LIMIT]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN GEN_TAe THEN EQ_TAC
THENL [REPEAT STRIP_TAC
THENL [ASH_REWRITE_TAC[]; ASM_REWRITE_TAC[];
POP_ASSUM MP_TAC
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN CONV_TAC(DEPTH_CONV LEFT_IHP_FORALL_CONV)
THEN REWRITE_TAC[IN_UNION]
THEN EXISTS_TAC "s" THEN REPEAT STRIP_TAC
THEN ASSUH_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN ASM_REWRITE_TAC []];REI~RITE_TAC [NEIGHBOUR]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[IN_UNION] THEN REPEAT STRIP_TAC
THENL [ASH_REWRITE_TAC[];
POP_ASSUH MP_TAC THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "5" THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN ASH_REWRITE_TAC[];
ASH_REWRITE_ TAC 0 ;POP_ASSUM HP_TAC
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "5" THEN REPEAT STRIP TAC
308
Annex D: Fm'mal Specification of Solid Mod e lling 309
THEN ASSUM_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN ASM_REWRITE_TAC[]]]);;
let CLOSURE_lemma = prove_thm ('CLOSURE_lemma'.
"!(s:(*)set) (t:(*)set).
CLOSURE (s INTER t) SUBSET
«CLOSURE s) INTER (CLOSURE t»".
REPEAT GEN_TAC
THEN REWRITE_TACCCLOSURE;SUBSET_DEF;IN_UNION]
THEN REWRITE_TACCIN_INTER;IN_UNION;LIMIT]
THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV)
THEN REPEAT STRIP_TAC
THENL [ASH_REWRITE_TAC[];ASM_REWRITE_TAC[];
POP_ASSUM MP_TAC THEN REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEH CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TACCIN_INTER]
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "s" THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN ASM_REWRITE_TAC[];
POP_AS SUM MP_TAC THEN REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TACCIN_INTERJ
THEN CONV_TAC (DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAG "t" THEN REPEAT STRIP_TAG
THEN ASSUM_LIST(\th.ASSUME_TAC(
REWRITE_RULE[(ell th)](el 2 th»)
THEN ASH_REWRITE_TAC[]]);;
%<-- -- ---_-_--- __--------------_-- ---__
Interior definitions and theorems
_--_--_--_-_---- __-__--------------------------------->/,
Annex D: Formal Sp ec iflcat io n of Solid Modelling
-------------------------------------310
let INTERIOR: new_definition ('INTERIOR_DEF',
"INTERIOR (s:(*)set) =
{x ] ?(t: (*)set). OPEN t /\ (t SUBSET s) /\ (x IN t)}");;
let INSIDE: new_definition ('INSIDE_DEF',
"INSIDE (x,(s:(*)set) = x IN INTERIOR s");;
let BOUNDED = prove_thm ('BOUNDED',
"!x (s:(*)set). INSIDE(x,s) ==> (s=NEIGHBOURCx,s»",
REPEAT GEN_TAC
THEN REWRITE_TAC[INSIDE;NEIGHBOUR;INTERIOR;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN CONV_TAC LEFT_IMP_EXISTS_CONV
THEN REWRITE_TAC[SUBSET_DEF]
THEN REPEAT STRIP_TAC THEN EQ_TAC
THENL [REPEAT STRIP_TAe THEN ASM_REWRITE_TAC[]
THEN EXISTS_TAC "x" THEN REFL_TAC;
REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[]]);;
let INTERIOR_DISJOINT = prove_thm ('INTERIOR_DISJOINT'.
"!(s:C*)set) Cx:*).
-«x IN INTERIOR s) /\ ex IN COMP(INTERIOR s»)".
REPEAT GEN_TAC
THEN REWRITE_TAC[COMP;IN_DIFF;DE_MORGAN_THM;IN_UNIV]
THEN REWRITE_TAC[ONCE_REWRITE_RULE[DISJ_SYM]
(SPEC "(x IN (nITERIOR s»:bool" EXCLUDED_MIDDLE)]);;
let INTERIOR_IDEM = prove_thm ('INTERIOR_IDEM',
"!(s:(*)set). INTERIOR s = s",
GEN_TAC THEN REWRITE_TAC[EXTENSION;INTERIOR]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[OPEN;OPEN_BALL;SUBSET_DEF]
THEN GEN_TAC THEN EQ_TAC
THENL [REPEAT STRIP_TAC THEN RES_TAC;
Annex D: Formal Specification of Solid Mo de lling 311
REPEAT STRIP_TAC THEN EXISTS_TAC "s"
THEN ASM_REWRITE_TACe]
THE~ CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[METRIC_lemma]]);;
let INTERIOR_EMPTY = prove_thm ('INTERIOR_EMPTY',
"!(s:(.)set). (INTERIOR s = {}) ==> (s={})",
CONV_TAC(ONCE_DEPTH_CONV SYM_CONV)
THEN REPEAT STRIP_TAC
THEN ASM_REWRITE_TAC[]
THEN MATCH_ACCEPT_TAC INTERIOR_IDEM);;
let INTERIOR_OPEN = prove_thm ('INTERIOR_OPEN',
"!(s:(*)set). (s=INTERIOR s) = OPEN s",
GEN_TAC
THEN REWRITE_TAC(EXTENSIONjINTERIORjOPEN;
SUBSET_DEFjOPEN_BALL]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV) THEN EQ_TAC
THENL (CONV_TAC(LEFT_IMP_FORALL_CONV) THEN EXISTS_TAC "x"
THEN BOOL_CASES_TAC "(x IN s):bool"
THENL [REWRITE_TACCJ
THEN CONV_TAC LEFT_IMP_EXISTS_CONV
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "R"
THEN EXISTS_TAC "d" THEN REPEAT STRIP_TAC
THEN ASSUME_TAC DIST_REFL THEN RES_TAC
THEN ASM_REWRITE_TAC[ZERO_LESS_EQ];
REWRITE_TAC[]
THEN CONV_TAC (DEPTH_CONV NOT_EXISTS_CONV)
THEN REWRITE_TAC[DE_MORGAN_THM]
THEN CONV_TAC(DEPTH_CONV LEFT_IMP_FORALL_CONV)
THEN EXISTS_TAC "s" THEN STRIP_TAC
THEN GEN_TAC THEN EXISTS_TAC "R"
THEN EXISTS_TAC "dOl THEN REPEAT STRIP_TAC
THEN ASSUME_TAC DIST_REFL THEN RES_TAC
Annex D: Formal Specification of Solid Modelling 312
THEN ASK_REWRITE_TAC[ZERO_LESS_EO]];
DISCH_TAC THEN GEN_TAC THEN EO_TAC
THENL [STRIP_TAC THEN EXISTS_TAC "5"
THEN ASK_REWRITE_TAC[] ;
CONV_TAC LEFT_IMP_EXISTS_CONV
THEN REPEAT STRIP_TAC THEN RES_TAC]]);;
let INTERIOR_SUBSET = prove_thm ('INTERIOR_SUBSET'.
"!(s:(*)set) (t:(*)set).
(s SUBSET t ) ==> «(INTERIOR 5) SUBSET (INTERIOR t»".
REPEAT GEN_TAC
THEN REWRITE_TAC[INTERIORjSUBSET_DEF]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "t' :(*)set"
THEN ASM_REWRITE_TAC[] THEN REPEAT STRIP_TAC
THEN RES_TAC THEN RES_TAC);;
let EXISTS_OPEN = prove_thm ('EXISTS_OPEN'.
"! (s : (*)set)(t: (*)set).
(?(t':(*)set). OPEN t' /\ (!x'. X' IN t '
==> X, IN s \/ X' IN t»".
REPEAT GEN_TAC THEN EXISTS_TAC "t"
THEN REWRITE_TAC[OPEN;OPEN_BALL]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[METRIC_lemma]
THEN REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[]);;
let INTERIOR_INTER = prove_thm ('INTERIOR_INTER'.
"!(s:(*)set) (t:(*)set).
INTERIOR(s INTER t) =
«(INTERIOR s) INTER (INTERIOR t»",
REWRITE_TAC[INTERIOR_IDEM]);;
let INTERIOR_UNION = prove_thm ('INTERIOR_UNION'.
Annex D: Formal Specification of Solid Mo de lli ng 313
"!(s:(*)set) (t:(*)set).
«INTERIOR s) UNION (INTERIOR t»
SUBSET INTERIOR(s UNION t)",
REPEAT GEN_TAC
THEN REWRITE_TAC[INTERIOR;SUBSET-DEF;IN_UNION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CO~V)
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "t' :(*)set"
THEN ASM_REWRITE_TAC[] THEN REPEAT STRIP_TAC
THEN RES_TAC THEN ASM_REWRITE_TACO);;
let INTERIOR_CLOSURE::; prove_thm ('INTERIOR_CLOSURE'.
"!(s:(*)set). (INTERIOR s) SUBSET (INTERIOR(CLOSURE s»",
GEN_TAC
THEN REWRITE_TAC[INTERIOR;SUBSET_DEF;CLOSURE;IN-UNION]
THEN REWRITE_TAC[LIMIT;NEIGHBOUR;EXTSNSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_COUV)
THEN REPEAT STRIP_TAG THEN EXISTS_TAe "t"
THEN ASM_REWRITE_TACC] THEN REPEAT STRIP_TAe
THEN RES_TAC THEN ASH_REWRITE_TAC[]);;
let INTERIOR_DIFF::; prove_thm ('INTERIOR_DIFF',
"!(s:(*)set) (t:(*)set).
INTERIoR(s DIFF t ) ::;«(INTERIOR s) DIFF (INTERIOR t»",
REWRITE_TAC[INTERIOR-IDEM);;
%<------------------------------------------------------
Boundary definitions and theorems
------------------------------------------------------>%
let BOUNDARY::; new_definition ('BOUNDARY_DEF',
"BOUNDARY (s:(*)set) ::;
{x l (x IN CLOSURE s) /\ (x Il~CLOSURE(COMP s»}");;
let ON = new_definition ('oN_DEF',
"ON (x,(s: (*)set» = x IN BOUrWARY sit);;
Annex D: Fat'mal Specitlcation of Solid :\Iodellillg
let BOUNDARY_lemma = prove_thm ('BOUNDARY_lerr~a',
"!(s :(*)set).
BOUNDARY s = «CLOSURE s) INTER (CLOSURE(COMP s»)",
GEN_TAC THEN REWRITE_TAC[EXTENSION;IN_INTER;BOUNDARY]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REPEAT GEN_TAC THEN REFL_TAC);;
let BOUNDARY_CLOSED = prove_thm ('BOUNDARY_CLOSED',
"!(s:(*)set). CLOSED(BOUNDARY s)",
REWRITE_TAC[CLOSED;BOUNDARY;COMP;OPEN;OPEN_BALL;CLOSURE]
THEN REWRITE_TAC[IN_DIFF;IN_UNION;IN_UNIVJ
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[LIKIT;NEIGHBOUR;IN_DIFF;
IN_UNIV;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REPEAT STRIP_TAC THEN EXISTS_TAC "R"
THEN EXISTS_TAC "d" THEN REPEAT STRIP_TAC
THEN ASSUME_TAC DIST_REFL THEN RES_TAC
THEN ASM_REWRITE_TAC[ZERO_LESS_EQJ);;
let BOUNDARY_CaMP = prove_thm ('BOUNDARY_COMP',
"!(s:(*)set). BOUNDARY s ::BOUNDARY(COMP s)",
GEM_TAC THEN REWRITE_TAC[EXTENSION;BOUNDARY;COMP_IDEM]
THEN ONCE_LEFT_TO_RIGHT_DEPTH_FIRST_REWRITE_TAC[CONJ_SYMJ
THEN GEN_TAC THEN REFL_TAC);;
let CLOSURE_BOUNDED = prove_thm ('CLOSURE_BOUNDED',
U!(s:(*)set). CLOSURE s = (s UNION BOUNDARY s)",
GEN_TAC
THEN REWRITE_TAC[EXTENSIDN;CLOSURE;IN_UNION;BOUNDARY]
THEN REWRITE_TAC[LIMIT;COMP;IN_DIFF;IN_UNIV]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN GEN_TAe THEN EO_TAC
314
Annex D: For-mal Specification of Solid Modelling 315
THENL [% Subgoal 1.0 %REPEAT STRIP_TAC
THENL [% 1.1 % ASH_REWRITE_TAC[];
'le 1.2 % ONCE_ASH_REWRITE_TAC[]
THEN REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN BOoL_CASES_TAC "(x IN s) :bool"
THENL ['le 1.2.1 % REWRITE_TAC[]
THEN CONV_TAC LEFT_OR_EXISTS_CoNV
THEN EXISTS_ TAC "x" THEN ONCE_REl.'IRITE_TAC [EQ_SYM]
THEN REWRITE_TAC[];
Yo 1.2.2 % REWRITE_TAC[] THEN REPEAT GEN_TAC
THEN EQ_TAC THEN REPEAT STRIP_TAC
THENL [% 1.2.2.1 'le ASH_REWRITE_TAC[];
% 1.2.2.2 % EXISTS_TAC "y':(*)"
THEN ASH_REWRITE_TAC[];
'le 1.2.2.3 % EXISTS_TAC "y':(*)"
THEN ASM_REWRITE_TAC[];
% 1.2.2.4 % ASM_REWRITE_TAC[];
% 1.2.2.5 % EXISTS_TAC "y':(*)"
THEN ASM_REWRITE_TAC[]]]];
% Subgoal 2.0 % REPEAT STRIP_TAC
THENL [I. 2.1 I. ASM_REWRITE_TAC[];
% 2.2 % POP_ASSUH (\th. ALL_TAe)
THEN ASM_REWRITE_TAC[];
'le 2.3 % oNCE_ASM_REWRITE_TACO THEN REWRITE_TAC[];
% 2.4 % ONCE_ASM_REWRITE_TAC[]
THEN REWRITE_TAC[NEIGHBOUR;EXTENSIoN]
THEN CONV_rAC(DEPTH_CONV SET_SPEC_CoNV)
THEN REPEAT GEN_TAC THEN EQ_TAC
THENL [% 2.4.1 'le REPEAT STRIP_TAC
THENL [ASM_REWRITE_rAC[];
EXISTS_TAC "y': (*)" THEN ASM_REWRITE_TAC[J;
EXISTS_TAC "r': (*)" THEN ASM_RE\~RITE_TAC[JJ;
% 2.4.2 % REPEAT STRIP_TAC
Annex D: Formal Specific<ltioll of Solid Modelling 316
THENL [ASM_REWRITE_TAC[];
EXISTS_TAC "y': (*)"
THEN ASH_REWRITE_ TAC C] ] ] ;
% 2.5 % ONCE_ASM_REWRITE_TAC[]
THEN REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN BOOL_CASES_TAC "ex IN s):bool"
THENL [% 2.5.1 % REWRITE_TAC[]
THEN CONV_TAC LEFT_OR_EXISTS_CONV
THEN EXISTS_TAC "x"
THEN ONCE_REWRITE_TAC[EQ_SYM] THEN REWRITE_TAC[];
% 2.5.2 % REWRITE_TACO
THEN REPEAT GEN_TAC THEN EO_TAC
THENL [% 2.5.2.1 % REPEAT STRIP_TAC
THENL [ASK_REWRITE_TAC[];
EXISTS_TAC "y': (*)" THEN ASM_REWRITE_TACO;
EXISTS_TAC "y': (*)" THEN ASM_RE\~RITE_TAC[]];
% 2.5.2.2 % REPEAT STRIP_TAC
THENL [ASM_REWRITE_TAC(] ;EXISTS_TAC lOy' :(*)"
THEN ASM_REWRITE_TACO]]]]]);;
let CLOSURE_IDEM = prove_thm ('CLOSURE_IDEM'.
"!(s:(*)set). (CLOSURE s) = S",
GEN_TAC
THEN REWRITE_TAC[EXTENSION;CLOSURE;LIMIT;IN_UNION]
THEN REWRITE_TAC[NEIGHBOUR;EXTENSION]
THEN CONV_TAC(DEPTH_COUV SET_SPEC_CONV)
THEN GEN_TAC THEN EO_TAC
THENL [STRIP_TAC THEN POP_ASSUM HP_TAC
THEN CONV_TAC LEFT_IMP_FORALL_CONV
THEN EXISTS_TAC "s" THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(
\t.ASSUME_TAC(REWRITE_RULE[(ell t)]eel 2 t)))
THEN POP_ASSUN MATCH_ACCEPT_TAC;
Annex D: Formal Sp eciflcat iou of So lid Mo de lli ug 317
REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[JJ);;
let CLOSURE_INTER = prove_thm ('CLOSURE_INTER',
"!(s:(.)set)( t :(•)set) .
CLOSURE(s INTER t) = «CLOSURE s) UTER (CLOSURE t»",
REWRITE_TAC[CLOSURE_IDEM]); ;
let CLOSURE_lemmal = prove_thm ('CLOSURE_lemmal',
"! (s:(.)set).
CLOSURE s = «INTERIOR s) UNION (BOUNDARY s»",
REWRITE_TAC[BOUNDARY_lemma;INTERIOR_IDEM;
CLOSURE_IDEM;COMP_DISJOINT;UNION_EMPTY]);;
let INTERIOR_COMP = prove_thm ('INTERIOR_COMP',
"!(s:(*)set). INTERIOR s = COMP(CLOSURE(COMP s»",
GEN_TAC THEN ASSUME_TAC INTERIOR_IDEM
THEN POP_ASSUM MP_TAC
THEN CONV_TAC(ONCE_DEPTH_CONV SYM_CONV)
THEN DISCH_TAC
THEN POP_ASSUM(\th.ONCE_ASM_REWRITE_TAC[th)
THEN ONCE_REWRITE_TACe
(SPEC "(COMP s):(.)set" CLOSURE_IDEM)]
THEN REWRITE_TAC[COMP_IDEM;INTERIOR_IDEM);;
let CaMP_INTERIOR = prove_thm ('COMP_INTERIOR',
"!(s:(*)set). COMP(INTERIOR s) = CLOSURE(COMP s)",
GEN_TAC THEN ASSUME_TAC(SPEC "s:(.)set" INTERIOR_COMP)
THEN ASSUME_TAC
(SPEC "(CLOSURE(COHP s»:(*)set" COI1P_IDEM)
THEN ASSUME_TAC(SPECL ["«INTERIOR s):(*)set)";
,,«COMP (CLOSURE (CaMP s»): (*)set) "J CDl1P_EO)
THEN RES_TAC THEN ASSUM_LIST(\th. ASSUME_TACe
ONCE_REWRITE_RULE[(e13 th)J(el 1 th»)
THEN POP_ASSUM MATCH_ACCEPT_TAC);;
Annex D: Fonnal Specification of Solid Mocle lliu g 318
let COMP_CLOSURE : prove_thm ('COMP_CLOSURE',
"!(s:(*)set). COMP(CLOSUR.E s) = INTERIOR(COI~P s)",
GEN_TAC THEN ASSUME_TAC(REWRITE_RULE[(COMP_IDEM)]
(SPEC"(COM? s):(*)set" COHP_INTERIOR»
THEN ASSUME_TAC
(SPECL ["«COMP(INTERIOR(COt4P s»):(*)set)";
"«CLOSURE s): (*)set)"] COMP_EQ)
THEN RES_TAC THEN ASSUM_LIST(\th.ASM_REWRITE_TAC[
REWRITE_RULE[(COMP_IDEM») (ell th»));;
let CLOSURE_DISJOINT = prove_thm ('CLOSURE_DISJOINT',
"!(s:(*)set). DISJOINT (INTERIOR s) (BOUNDARY s):";
REWRITE_ TAC [INTERIOR_IDEM; BOUNDARY _lemma; CLOSURE_IDEM]
THEN REWRITE_TAC(COMP_DISJOINT;
DlSJOINT_DEF;lNTER_EMPTY);;
let UNlV_COMPOSlT = prove_thm ('UNIV_COMPOSIT',
"!(s:(*)set) (t:(*)set).
(INTERIOR s) UNION (BOUNDARY 5) UNION
(INTERIOR(COMP s» = UNIV",
REWRITE_ TAC [INTERIOR_IDEM; BOUNDARY _lenuna;CLOSURE_IDEM]
THEN REWRITE_TAC[COMP_DISJOINT;UNION_EMPTY;COMP_UNIV]
THEN REWRITE_TAC[EXTENSION;IN_UNIV]);;
let BOUNDARY_UN ION_SUBSET = prove_thm
('BOUNDARY_UNION_SUBSET' ,
"!(s:(*)set) (t:(*)set).
BOUNDARY(s UNION t) SUBSET «BOUNDARY s)
UNION (BOUNDARY t»",
REWRITE_TAC[BOUNDARY_lemma;CLOSURE_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[UNION_EMPTY;SUBSET_DEF);;
let BOUNDARY_INTER_SUBSET = prove_thm
Annex D: FOl"lllai Sp ecifi cutio n of Solid Mo delli ng.--------------------------------------
319
('BOUNDARY_INTER_SUBSET',
"!(s:(*)set) (t:(*)set).
BOUNDARY(s INTER t) SUBSET «BOUNDARY s)
UNION (BOUNDARY t))",
REWRITE_TAC[BOUNDARY_lemma;CLOSURE_IDEM;COH?_DISJOINT]
THEN REWRITE_TAC[UNION_EMPTY;SUBSET_DEF]);;
let BOUNDARY_DIFF_SUBSET = prove_thm ('BOUNDARY_DIFF_SUBSET',
"!(s:(*)set) (t:(*)set).
BOUNDARY(s DIFF t) SUBSET «BOUNDARY 5)
UNION (BOUNDARY t))".
RE~RITE_TAC[BOUNDARY_lemma;CLOSURE_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[UNION_EMPTY;SUBSET_DEF]);;
let INTERIOR_UNION_SUBSET = prove_thm
('INTERIOR_UNION_SUBSET' ,
"!(s:(*)set) (t:(*)set).
INTERIOR(s UNION t) SUBSET
«INTERIOR s) UNIO~ (INTERIOR t) UNION
«BOUNDARY s) INTER (BOUNDARY t»)",
REWRITE_TAC[INTERIOR_IDEM;BOUNDARY_lemma;CLOSURE_IDEM]
THEN REWRITE_TAC[COMP_DISJOINT;INTER_EMPTY;
UNION_EMPTY;SUBSET_DEF]);;
let BOUNDARY_UNION = prove_thm ('BOUNDARY_UNIoN',
"! (s:(*)set) (t:(*)set).
BOUNDARY(s UNION t) =
(BOUNDARY sINTER (INTERIOR(COMP t)) UNION
(INTERIOR(COMP 5) INTER BOUNDARY t) UNION
«BOUNDARY s) INTER (BOUNDARY t) INTER
CLOSURE(COMP 5 INTER COH? t»",
REWRITE_TAC [BOUNDARY_lemma;CLOSURE_IbEM; INTERIOR_IDEM]
THEN REWRITE_TAC[COM?_DISJOINT;
INTER_EMPTY;UNION_EHPTY]); ;
Annex D: FOl'mal Sp ecific atlo u of Solid iVlodellillg 320
let BOUNDARY_INTER = prove_thm ('BOUNDARY_INTER',
"I(s:(*)set) (t:(*)set).
BOUNDARY(s INTER t) =
«BOUNDARY s) INTER (INTERIOR t» UNION
«INTERIOR s) INTER (BOUNDARY t) UNION
«BOUNDARY s) INTER (BOUNDARY t) INTER
CLOSURE(s INTER t»",
REWRITE_TAC[INTERIOR_IDEM;BOUNDARY_lemma;
CLOSURE_IDEH;COMP_DISJOINT)
THEN REWRITE_TAC(UNION_EMPTY;INTER_EMPTY);;
let BOUNDARY_DIFF = prove_thm ('80UNDARY_DIFF',
"!(s:(*)set) (t:(*)set).
BOUNDARY(s DIFF t) =
«BOUNDARY s) INTER (INTERIOR(COMP t») UNION
«INTERIOR s) INTER (BOUNDARY t» UNION
«BOUNDARY s) INTER (BOUNDARY t) INTER
CLOSURE(s INTER (COMP t»)",
REWRITE_ TAC [INTERIOR_IDEM; BOUNDARY _1emma;
CLOSURE_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[UNION_EMPTY;INTER_EMPTY]);;
let CLOSED_BOUNDARY_INTERl = prove_thm
('CLOSED_BOUNDARY_INTERl' .
"!(s:(*)set) (t:(*)set).
(CLOSED s) /\ (CLOSED t) ==>
(BOUNDARY(s INTER t) =
«(BOUNDARY s) INTER (INTERIOR t» UNION
«INTERIOR s) INTER (BOUNDARY t» UNION
«BOUNDARY s) IIITER (BOUt/DARY t»»".
REWRITE_ TAC [INTERIOR_IDEi'[;BCUIIDARY_lemma; CLOSURE_IDEM]
THEN REWRITE_TAC[COMP_DISJOINT;
INTER_EMPTY;UNION_EHPTY]); ;
Annex D: FOl'll1al Sp ecifi cntio n of Solid Mo del iiug 321
let CLOSED_BOUNDARY_INTER2 = prova_thm
('CLOSED_BOUNDARY_INTER2' .
"!(5:(*)set) (t:(*)5et).
(CLOSED s) /\ (CLOSED t) ==>
(BOUNDARY(s INTER t) =
(s INTER BOUNDARY t ) UIHON «BOUHDARY 5) INTER o i-:
REWRITE_TAC[BOUNDARY_lemma;CLOSURE_IDEM]
THEN REWRITE_TAC[COMP_DISJOINT;
INTER_EMPTY;UNION_EMPTY]);;
%<------------------------------------------------------
Dimensional property of boundary definitions and theorems
------------------------------------------------------>1.
let THIN = new_definition ('THIN_DEF',
"THIN (s:(*)set) = (INTERIOR(CLOSURE s)={})");;
let THIN_SUBSET = prove_thm ('THIN_SUBSET',
"!(s:(*)set) (t:(*)5et).
(THIN s /\ (t SUBSET s» ==> THIN t",
REWRITE_TAC[THIN;INTERIOR_IDEM;CLOSURE_IDEM]
THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(
\th. ASSUME_TAC(REWRITE_RULE[(el 2 th)](el 1 th»)
THEN ASSUM_LIST(\th. ONCE_ASM_REWRITE_TAC[
REWRITE_RULE[SUBSET_EMPTY](ell th)])
THEN REFL_TAC);;
let THINBOUND = new_definition ('THINBOUND_DEF',
"THINBOUND (s:(*)set) = THIN(BOUNDARY s)");;
let THINBOUND_CLOSED = prove_thm ('THINBOUND_CLOSEO'.
"!(s:(*)set). CLOSED s ==> THINBOU!m s",
GEN_TAC
Annex D: Fm'mal Sp ec ifi cn t io n of Solid l\lodelling 322
THEN REWRITE_ TAC [THINBOUIW; BOUIWARY _lem.'l1a;
THIN;CLOSURE_IDEM]
THEN REWRITE_TAC[COMP_DISJOINT] THEN STRIP_TAC
THEN REWRITE_TAC[INTERIOR;EXTENSION;NOT_IN_EMPTY]
THEN CONV_TAC(DEPTH_CONV SET_SPEC_CONV)
THEN REWRITE_TAC[SUBSET_EMPTY]
THEN CONV_TAC(DEPTH_CONV NOT_EXISTS_CONV)
THEN REPEAT STRIP_TAC
THEN ASSUM_LIST(
\th.ASSUME_TAC(REWRITE_RULE[(e12 th)](el 1 th»)
THEN ASSUME_TAC NOT_IN_EMPTY THEN RES_TAC);;
let THINBOUND_OPEN = prove_thm ('THINBOUND_OPEN',
"l(s:(*)set). OPEN s ==> THINBOUND S",
REWRITE_TAC[THINBOUND;THIN;CLOSURE_IDEM;INTERIOR_IDEM]
THEN REWRITE_TAC[BOUNDARY_lemma;
CLOSURE_IDEM;COMP_DISJOINT);;
let THIN_UNION = prove_thm ('THIN_UNION'.
"l(s:(*)set) (t:(*)set). THIN s /\ THIN t
==> THIN(s UNION t)",
REPEAT GEN_TAC THEN REWRITE_TAC[THIN;INTERIOR_IDEM]
THEN REWRITE_TAC[CLOSURE_IDEM)
THEN REPEAT STRIP_TAC
THEN ASM_REWRITE_TAC[UNION_EMPTY);;
let THIN_INTER = prove_thm ('THIN_INTER',
"l(s:(*)set) (t:(*)set).
THIN s /\ THIN t ==> THINes INTER t)",
REWRITE_TAC[THIN;CLOSURE_IDEM;INTERIOR_IDEM)
THEN REPEAT STRIP_TAC
THEN ASM_REWRITE_TAC[INTER_EMPTY);;
let THIN_DIFF = prove_thm ('THIN_DIFF'.
Annex D: Formal Specification of Solid Modelling 323
"!(s:(*)set) (t:(*)set).
THIN s /\ THIN t ==> THINes DIFF t)",
REWRITE_TAC[THIN;CLOSURE_IDEM;INTERIOR_IDEM]
THEN REPEAT STRIP_TAC
THEN ASM_REWRITE_TAC[DIFF_EMPTY]);;
let THINBOUND_UNION_SUBSETl = prove_thm
('THINBOUND_UNION_SUBSET1' ,
"!(s:(*)set) (t:(*)set). THINBOUND s /\ THINBOUND t ==>
«INTERIOR(s UNION t» SUBSET
CLOSURE(eINTERIOR s) UNION (INTERIOR t»)",
REWRITE_ TAC [THINBOU1JD;THIN; BOUNDARY _lemma;
CLOSURE_IDEM;INTERIOR_IDEMJ
THEN REWRITE_TAC[COMP_DISJOINT;SUBSET_DEF]);;
let THINBOUND_UNION_SUBSET2 ; prove_thm
('THINBOUND_UNION_SUBSET2',
"!(s:(*)set) (t:(*)set). THINBOUND s /\ THINBOUND t ==>
(CLOSURE(INTERIOR(s UNION t» =
CLOSURE«IHTERIOR s) UtHON (INTERIOR t»)",
REWRITE_TAC[THINBOUND;THIN;BOUNDARY_lemrna;
CLOSURE_IDEM;INTERIOR_IDEM);;
let THINBOUND_INTER_SUBSETl = prove_thm
('THINBOUND_INTER_SUBSET1' ,
"!(s:(*)set) (t:(*)set). THINBOUND $ /\ THINBOUND t ==>
(INTERIOR«CLOSURE s) INTER (CLOSURE t» SUBSET
CLOSURE(s INTER t»",
REWRITE_TAC[THINBOUND;THIN;BOUNDARY_lemma;
CLOSURE_IDEM;INTERIOR_IDEH]
THEN REWRITE_TAC[COMP_DISJOINT;SUBSET_DEF);;
let THINBOUND_INTER_SUBSET2 : prove_~hm
('THINBOUND_INTER_SUBSET2',
Annex D: Formal Specification of Solid Mo delli ng 324
"l(s:(*)set) (t:(*)set). THINBOUND s /\ THINBoUND t ==>
(INTERIoR(CLOSURE(s INTER t» =
INTERIOR « CLOSURE s) INTER (CLOSURE t»)",
REWRITE_TAC[THINBoUND;THIN;BOUNDARY-lemma;
CLOSURE_IDEM; INTERIOR_IDEM]
THEN REWRITE_TAC[COMP-DISJoINT;SUBSET-DEF]);;
%<------------------------------------------------------
Regularity definitions and theorems
------------------------------------------------------>%
let REGULAR = ne~_definition ('REGULAR_DEF'.
"REGULAR (s:(*)set) = CLOSURE (INTERIOR s)");;
let REGULARISED = new_definition ('REGULARISED_DEF'.
"REGULARISED (s:(*)set) = (s = REGULAR s)");;
let REGULAR_CLOSED = prove_thm ('REGULAR_CLOSED'.
"l(s:(*)set). CLOSED(REGULAR s)" J
GEN_TAC
THEN REWRITE_TAC[REGULAR;CLOSURE_CLOSED]
THEN REWRITE_TAC[SPEC "(CLOSURE s):(*)set"
CLOSURE_IDEM] );;
let THIN_REGULAR = prove_thm ('THIN_REGULAR'.
"l(s:(*)set). THINBOUND(REGULAR s)",
REWRITE_ TAC [THINBOUND; THI~I;REGULAR ;BOUNDARY_lemma]
THEN REWRITE_TAC[CLOSURE_IDEM;INTERIOR_IDEM;
COMP_DISJOINT]); ;
let REGULAR_EMPTY = prove_thm ('RSGULAR_EMPTY',
"!(s:(*)set).
REGULARISED s /\ (INTERIOR s ={}) ==> (s={})".
REPEAT STRIP_TAC THEN ASSUME_TAG INTERIOR_EMPTY
THEN RES_TAC);;
Annex D: For-mal Sp ec ifi cn tiou of Solid Modelling 325
let REGULAR_IDEM = prove_thm ('REGULAR_IDEl-!'.
"!(s:(*)set). REGULAR s = 5",
GEN_TAC
THEN REWRITE_TAC[REGULAR;CLOSURE_IDEM;INTERIOR_IDEM]);;
let REGULAR_REFL = prove_thm ('REGULAR_REFL',
"!(s:(*)set). REGULARISED(REGULAR s)",
GEN_TAC THEN REWRITE_TAC[REGULARISED;REGULAR_IDEM]);;
let IMP_LEFT = prove_thm ('IMP_LEFT',
II !a b c. (a ==> b /\ c) ==> (a ==> b)",
REPEAT GEN_TAG THEN BOOL_CASES_TAG "a:bool"
THEN REWRITE_TAC[AND1_THM);;
let IN_IMP1 = prove_thm ('IN_IMP1',
" !(s : (*)set)( t :(*) set) (t':(.)set) .
(!x. X IN t' ==> X IN s /\ x IN t)
==> (!x. X IN t' ==> X IN s)",
REPEAT GEN_TAC THEN DISCH_TAG THEN REPEAT STRIP_TAC
THEN RES_TAC); ;
let IN_IMP2 = prove_thm (CIN_IMP2',
"! (s : (*)set)(t:(*)set)(t': (*)set).
(!x. x IN t' ==> x IN s /\ x IN t)
==> (!x. X IN t' ==> x IN t)",
REPEAT GEN_TAC THEN DISGH_TAG THEN REPEAT STRIP_TAG
THEN RES_TAC);;
let REGULAR_INTER = prove_thm ('REGULAR_INTER',
"!(s:(*)set)(t:(*)set).
REGULAR(s INTER t) = «REGULAR s) INTER (REGULAR t»",
REWRITE_TAC[REGULAR; GLOSURE_IDEM; INTERIOR_IDEM]
THEN REFL_TAC);;
Annex D: Fo rmn l Sp ec ificn tio n of Solid Mo de lli ug 326
%<------------------------------------------------------
Regularised-operator defluitions and theorems
------------------------------------------------------>'l.
let REG_UNION = new_infix_definition ('REG_URION_DEF',
"$REG_UNION (s:(*)set) (t:(*)set) = REGULAR(s UNION t)");;
let REG_INTER = new_infix_definition ('REG_INTER_DEF',
"$REG_INTER (s:(*)set) (t:(*)set) = REGULAR(s INTER t)");;
let REG_DIFF = new_infix_deiinition ('REG_DIFF_DEF',
"$REG_DIFF (s:(*)set) (t:(I<)set) = REGULAR(s DIFF t)");;
let REG_COMP = new_definition ('REG_COMP_DEF',
"$REG_COMP (s:(*)set) = REGULAR(COMP s)");;
let INTERIOR_REG_INTER = prove_thm ('INTERIOR_REG_INTER',
"!(s:(*)set) (t:(*)set).
INTERIOR(s REG_INTER t) =
INTERIOR«REGULAR 5) INTER (REGULAR t»",
REWRITE_TAC[REGULAR;REG_INTER;
CLOSURE_IDEM;INTERIOR_IDEM);;
let REGULAR_REG_INTER = prove_thm ('REGULAR_REG_INTERt,
"!(s:(*)set) (t:(*)set).
s REG_INTER t = «REGULAR s) REG_INTER (REGULAR t»",
REWRITE_TAC[REGULAR;REG_INTER;
CLOSURE_IDEM;INTERIOR_IDEM); ;
let REGULAR_UNION = prove_thm ('REGULAR_UNION',
"!(s:(*)set) (t:(*)set).
REGULAR(s UNION t) = «REGULAR 5) UNION (REGULAR t»",
REWRITE_TAC[REGULAR;INTERIOR_IDEM;CLOSURE_IDEM]); ;
Annex D: For-mal Specification of Solid Modelling 327
let REGULARISED_REG_INTER = prove_thm
('REGULARISED_REG_INTER' ,
"I(s:(*)set) (t:(*)set).
«REGULARISED s) /\ (REGULARISED t)) ==>
(INTERIOR(s REG_INTER t) =
«(INTERIOR s) INTER (INTERIOR t»))",
REWRITE_TAC[REG_INTER;REGULAR;
INTERIOR_IDEM;CLOSURE_IDEM]);;
let REGULARISED_REG_UNION = prove_thm
('REGULARISED_REG_UNION' ,
"!(s:(*)set) (t:(*)set).
«REGULARISED s) /\ (REGULARISED t» ==>
«s REG_UNION t) = (s UNION t»",
REWRITE_TAC [REGULARISED; REG_UNION; REGULAR;
INTERIOR_IDEM;CLOSURE_IDEM]); ;
let REGULARISED_REG_DIFF = prove_thm ('REGULARISED_REG_DIFF'•
"!(s:(*)set) (t:(*)set).
«REGULARISED s) /\ (REGULARISED t» ==>
«s REG_DIFF t) = (s REG_INTER (REG_COMP t»)",
REWRITE_TAC[REGULARISED;REG_INTER;
REGULAR;REG_COMP;REG_OIFF]
THEN REWRITE_TAC[INTERIOR_IDEM;CLOSURE_IDEM;EXTENSION]
THEN REWRITE_TAC[IN_DIFF;IN_INTER;COMP;
IN_DIFF;IN_UNIV]); ;
let REG_COMP _lemma = prove_ thm ('REG_COI1P_lemma' ,
"!(s:(*)set). CLOSED s ==>
«REG_COMP s) = CLOSURE(CDt1P s»",
REWRITE_TAC[REG_COMP;REG_DIFF;CLOSURE_IDEM;COMP;REGULARJ
THEN REWRITE_TAC[CLOSURE_IDEM;INTERIOR_IDEM]);;
let REG_DIFF_lemma = prove_thm ('REG_DIFF_lemma'.
Annex D: Formal Sp ecificnt io u of Solid Modelling 328
"!(s:(.)set) (t: (.)set).
(s REG_DIFF t ) = (s REG_INTER (CO~lP t»",
REWRITE_ TAC CREG_DIFF; REG_IifTER;COl'I?;REGULAR; EXTEI~SION]
THEN REWRITE_TAC[CLOSURE_IDEM;INTERIOR_IDEM;
IN_INTER;IN_DIFF;IN_UNIV]); ;
'l.<------------------------------------------------------
Recursion formulae for interior, boundary, complement
---------------------_------- __------- __-------------->%
let COMP_REG_UNION = prove_thm ('COMP_REG_UNION',
"!(s :(.)set) (t: (.)set) .
COMP(s REG_UlnON t ) = (CONP s) INTER (COHP t»",
REWRITE_TAC[REG_UNION;COMP;REGULAR]
THEN REWRITE_TAC[CLOSURE_IDEM;INTERIOR_IDEM;EXTENSION]
THEN REWRITE_TAC[IN_DIFF:IN_INTER;IN_UNION;IN_UNIV]
THEN REWRITE_TAC[DE_MORGAN_THM]);;
let INTERIOR_REG_COMP = prove_thm ('INTERIOR_REG_COMP',
"!(s:(*)set) (t:(.)set). INTERIOR,(REG_COI1P s)=COMP s",
REWRITE_TAC[REG_COMP;INTERIOR_IDEM;CLOSURE_IDEM]
THEN REWRITE_TAC[REGULAR;INTERIOR_IDEM;
CLOSURE_IDEM;COMP]);;
let BOUNDARY_REG_COMP = prove_thm ('BOUNDARY_REG_COMP',
"!(s :(*)set) (t: (.)set).
BOUNDARY(REG_COMP s) = BOUNDARY s",
REIoIRITE_TAC[REGULARISED;REG_COHP;REGULAR;BOUNDARY_lemrna]
THEN REWRITE_TAC[CLOSURE_IDEM;INTERIOR_IDEM;COMP_IDEM]
THEN ONCE_LEFT_TO_RIGHT_DEPTH_FIRST_REWRITE_TAC
[INTER_COMM] THEI~ GE:l_TAC THEN REFL_TAC);;
let COMP_REG_COMP = prove_thm ('COMP_REG_COMP',
"!(s:(*)set) (t: (.)set). COHP(REG_COI1P s) = INTERIOR 5",
REWRITE_TAC [REG_COMP; REGULAR]
Annex D: FOl'lnal Spec ificat io u of Solid Modelling-------------------------------------329
THEN REWRITE_ TAC [INTERIOR_IDEl~;CLOSURE_IDEM; COMP _IDEM] );;
let INTERIOR_REG_DIFF = prove_thm ('INTERIOR_REG_DIFF',
"!(s:(*)set) (t:(*)set).
INTERIOR(s REG_DIFF t) =
«INTERIOR s) INTER (CONP t»",
REWRITE_TAC[REG_DIFF; REGULAR; INTERIOR_IDEM]
THEN REWRITE_TAC[CLOSURE_IDEM;COMP;EXTENSION]
THEN REWRITE_TAC[IN_INTER;IN_DIFF;IN_UNIV]);;
let BOUNDARY_REG_UNION = prove_thm ('BOUNDARY_REG_UNION',
"! (s: (*)set) (t: (*)set).
BOUNDARY(s REG_UNION t) =
«(BOUNDARY 5) INTER (COM? t» UNION
«COMP t) INTER (BOUNDARY t» UNION
«BOUNDARY s) INTER (BOUNDARY t) INTER
(CLOSURE«COMP s) INTER (cot,,? t»»)",
REWRITE_TAC[REG_UNION;REGULAR]
THEN REWRITE_TAC[BOUNDARY_lemma;CLOSURE_IDEM;
INTERIOR_IDEM;COMP_DISJOINT;
INTER_EMPTY;UNION_EMPTY]);;
let BOUNDARY_REG_INTER = prove_thm ('BOUNDARY_REG_INTER',
"!(s:(*)set) (t:(*)set).
BOUNDARY(s REG_INTER t) =
«(BOUNDARY 5) INTER (INTERIOR t» UNION
«BOUNDARY t) INTER (INTERIOR s» UNION
«BOUNDARY 5) INTER (BOUNDARY t) INTER
(CLOSURE«INTERIOR 5) INTER (CLOSURE t»»)",
REWRITE_TAC[REG_INTER;REGULAR;BOUNDARY_lemma]
THEN REWRITE_TAC[CLOSURE_IDEM;
INTERIOR_IDEM;COHP_DISJOINT]
THEN REWRITE_TAC[INTER_EM?TY;UNION_EHPTY]);;
Annex D: FOl"mal Spec ificat iou of Solid Modelling 330
let BOUNDARY_REG_DIFF = prove_thm ('BOUNDARY_REG_DIFF',
"!(s:(*)set) (t:(*)set).
BOUNDARY(s REG_DIFF t) =
«(CLOSURE s) INTER (BOUNDARY(COHP t») UNION
«INTERIOR s) INTER (BOUNDARY t» UNION
«BOUNDARY 5) INTER (BOUNDARY t) INTER
(CLOSURE«INTERIOR s) INTER (CmIP t»»)",
REWRITE_TAC[REG_DIFF; REGULAR; BOUNDARY_lemma)
THEN REWRITE_TAC[CLOSURE_IDEM;
INTERIOR_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[INTER_EMPTY;UNION_EMPTY);;
%< - -- __ - __ - - __ - __ -_- _
Menbership classifications
__________________ -_- -_-__- -_- -_>%
let in = new_infix_definition ('in_DEF' I
"in (t:(*)set) (s:(*)set) = t REG_INTER (INTERIOR s)");;
let on = new_infix_definition ('on_DEF',
"on (t:(*)set) (s:(*)set) = t REG_INTER (BOUNDARY s)");;
let out = new_infix_definition ('out_DEFt,
"out (t:(*)set) (s:(*)set) = t REG_INTER (COMP s)");;
let MEMBER_lemma = prove_ thm (t MEHBER_lemma t ,
"!(s:(*)set) (t:(*)5et).
t = (t in s) UNION (t on s) UNION et out s)",
REWRITE_TAC[in;on;out;REG_INTER;REGULAR;
CLOSURE_IDEM;INTERIOR_IDEMJ
THEN REWRITE_TAC[BOUNDARY_lemma;
CLOSURE_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[INTER_EMPTY;UNION_EMPTY;EXTENSION)
THEN REWRITE_TAC[IN_UNION;IN_INTER]
THEN REPEAT GEN_TAC THEN EQ_TAC
Annex D: Formal Specification of' Solid Mo del liug 331
THENL [STRIP_TAC THEN ASM_RE\.JRITE_TAC [COMP]
THEN REWRITE_TACCIN_DIFF;IN_UNIV;EXCLUDED_MIDDLE];
REPEAT STRIP_TAC]);;
let MEMBER_DISJOINT = prove_thm ('KEMBER_DISJOINT'.
"!(s: (*)set) et:e*)set).
«t in s) REG INTER (t on s) = {}) /\
«t on s) REG INTER (t out s) = {}) /\
«t in s) REG INTER et out s) = {})".
RE~RITE_TAC[in;on;out;REG_INTER;REGULAR;
CLOSURE_IDEM;INTERIOR_IDEM]
THEN REWRITE_TAC[BOUNDARY_lemma;
CLOSURE_IDEM;COMP_DISJOINT]
THEN REWRITE_TAC[INTER_EMPTY;EXTENSION;
IN_INTER;COMP;IN_DIFF]
THEN REWRITE_TAC[IN_UNIV;NOT_IN_EMPTY]
THEN REPEAT GEN_TAC THEN REWRITE_TAC[DE_MORGAN_THM]
THEN BOOL_CASES_TAC "«x:*) IN (t:(*)set»:bool"
THENL [ONCE_REWRITE_TAC[DISJ_SYMJ
THEN REWRITE_TAC[SPEC "(x IN s):bool" EXCLUDED_MIDDLE);
REWRITE_TAC[]]);;
let IN_SUBSET = prove_thm ('IN_SUBSET'.
"!(s:(*)set) (t:(*)set).
(t in s) SUBSET REGULAR (INTERIOR s)".
REWRITE_TAC[in;REG_INTER;REGULAR;
INTERIOR_IDEM;CLOSURE_IDEM]
THEN REWRITE_TAC[SUBSET_DEF;IN_INTERJ
THEN REPEAT STRIP_TAC);;
let ON_SUBSET = prove_thm ('ON_SUSSET'.
"!(s:(*)set) (t:(*)set).
(t on s) SUBSET REGULAR(BOUNDARY s)".
REWRITE_TAC[on;REG_INTER;REGULAR;
Annex D: FOl'lnul Specification of Solid Modelling 332
BOUNDARY_lemrna;CLOSURE_IDEI1]
THEN REWRITE_TAC[INTERIOR_IDEM;SUBSET_DEF;IN_INTER]
THEN REPEAT STRIP_TAC THEN ASH_REWRITE_TAC[]);;
let OUT_SUBSET = prove_thm ('OUT_SUBSET',
"!(s:(*)set) (t:(*)set). Ct out s) SUBSET REGULAR(COMP s)?",
REWRITE_TAC[out;REG_INTER;REGULAR;
CLOSURE_IDEM;INTERIOR_IDEM]
THEN REWRITE_TAC[SUBSET_DEF;IN_INTERJ
THEN REPEAT STRIP_TAC);;
let MEMBER_INTER = prove_thm ('MEMBER_INTER'.
"!(s:(*)5et) (sl:(*)set) (s2:(*)set) (t:(*)set).
(s = sl REG_INTER 52) ==>
«t in 5) = (t in s i ) REG_INTER (t in 52»",
REWRITE_TAC[in; REG_INTER; REGULAR;
CLOSURE_IDEM;INTERIOR_IDEMJ
THEN REWRITE_TAC[EXTENSION;IN_INTER]
THEN REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[]
THEN EQ_TAC THEN REPEAT STRIP_TAC
THEN PURE_ASM_REWRITE_TAC[]);;
%<-------------_- __----- -_-_------------_------_--------
Description of points in 3-D coordinates
----------_----------------------------------------------->%
let Point_Axiom = define_type 'Point_Axiom'
'point = POINT num num num';;
let X = new_recursive_definltion
false Point_Axiom 'X_DEF'
"X (POINT x y z) = x";;
let Y = new_recursive_definition
Annex D: Formal Specificnt io u of Solid :\ lodelling------------------------------------
333
false Point_Axiom 'Y_DEF'
lOy (POINT x y z) = y";;
let Z = new_recursive_definition
false Point_Axiom 'Z_DEF'
"Z (POINT x y z) = z";;
%<----------------------------------------------------------
A type object contains two subsets of points
One is set ot points on the interior and the other
is set of points on the boundary
The constraints on an object type is that the baoundary
is finite and the interior and boundary are disjoint.
---------------------------------------------------------->%
let Object_Axiom = define_type 'Object_Axiom'
'object = OBject (point)set (point)set';;
let b = new_recursive_detinition
false Object_Axiom 'b_DEF'
"b(OBject interior bound) = bound";;
let i = new_recursive_definition
false Object_Axiom 'i_DEF'
"iCOBject interior bound) = interior";;
let Closure = new_definition ('Closure_DEF'.
"Closure A = b(A) UNIOl'li(A)");;
let HAS_CARD = new_definition C'HAS_CARD_DEF'.
"HAS_CARD (A: (*)set) n = CARD A = n");;
%< closure of an object is both upper and lower bounded >Y.
let OBJECT = new_definition ('OBJECT_DEF'.
"OBJECT A = CLOSED(Closure A) /\ -Cb A = ENPTY) /\
Annex D: Formal Sp ecificnt iou of Solid Mo de lli ug
-----------------------------------
334
(?n. HAS_CARD (Closure A) n)");;
let OBJ = new_definition ('OBJ_DEF',
"OBJ A = OBject (i A) (b A)");;
let obj_constructor_ll = prove_constructors_one_one
Object_Axiom; ;
%<-----------------------------------------------------------
Some tacts about objects
---------------------- --__- -- --__- >%
%< existency theorem >%
let EXISTS_OBJECT = prove_thm ('EXISTS_OBJECT',
""?A.OBJECT A",
REWRITE_TAC[OBJECT;Closure]
THEN EXISTS_TAC "OBJECT
(EMPTY: (point)set) «x:point) INSERT EMPTY)"
THEN REWRITE_TAC[b;i;IN_UNION]
THEN STRIP_TAC
THENL [REWRITE_TAC[CLOSEO);
CONV_TAC NOT_EXISTS_CONV
THEN REWRITE_TAC[NOT_IN_EMPTY]]);;
%< Physically exists>%
let FINITE_OBJECT = prove_thm ('FINITE_OBJECT',
"!A. OBJECT A ==> -(Closure A = {})",
GEN_TAC THEN REWRITE_TAC[OBJECT;Closure;DISJOINT_DEF]
THEN STRIP_TAC THEN REWRITE_TAC[EMPTY_UNION]
THEN ASM_REWRITE_TACO);;
%< uniqueness theorem >%
let UNIQUE_OBJECT = prove_thm ('UNIQUE_OBJECT',
" !M N. OBJECT 11/\ OBJECT N
==> (b(M) = beN»~ /\ (i(N) = i(N» ==> (OBJ M = OBJ N)",
Annex D: Formal Specific:ltioll of Solid I\Jodellillg 335
REPEAT GEN_TAC
THEN REWRITE_TAC[OBJECT;OBJ;obj_constructor_ll]
THEN REPEAT STRIP_TAC THEN ASH_REWRITE_TAC[]);;
%< two disjoint primitives have no common member >%
let DISJOINT_MEMBER = prove_thm ('DISJOINT_MEMBER',
"!A B. DISJOINT (Closure A) (Closure B) ==>
(i A INTER i B = EMPTY) /\ (b A INTER i B = EMPTY) /\
(i A INTER b B = EMPTY) /\ (b A INTER b B = EMPTY)",
REPEAT GEN_TAC
THEN REWRITE_TAC[Closure;DISJOINT_DEF;
UNION_OVER_INTER;EMPTY_UNION]
THEN ONCE_REWRITE_TAC[INTER_CDMM]
THEN REWRITE_TAC[UUION_OVER_INTER;EMPTY_UNIDN]
THEN DISCH_TAC THEN ASH_REWRITE_TACO);;
1.<----------------------------------------------------------
Some basic definitions about objects in 3-D Euclidean
space
--------------------------------------------------------->1.
%< A dot by definition is an object with no interior
and a boundary of one member >%
let DOT = neq_definition ('DOT_DEF',
"DOT 0 = (OBJECT D) /\
(CARD(b 0)=1) /\ (i 0 = EHPTY)");;
1.< A curve by definition is an object with finite
interior and finite boundary >'l.
let CURVE = new_definition ('CURVE_DEF',
"CURVE C = (OBJECT C) /\
-(i C = EMPTY) /\ FINITE(b C)");;
1.< A curve is open if there exists exactly two
boundary points >1.
Annex D: FonDal Specificatioll of Solid l'vIodelliug----------------------------------- 336
let OPEN_CURVE = new_definition ('OPEN_CURVE',
"OPEN_CURVE C = CURVE C /\ CHAS_CARD(b crn- i..
%< A closed curve has finite interior with no boundary >%
let CLOSED_CURVE = new_definition ('CLOSED_CURVE_DEF',
"CLOSED_CURVE C = CURVE C /\ (b C=EMPTY)"); ;
%< A surface by definition is an object which has
finite interior and a boundary of at least one
closed curve >%
let SURFACE = new_definition ('SURFACE_DEF'.
"SURFACE s = (OBJECT s) /\ -(i s = EMPTY) /\
(?C. CLOSED_CURVE C /\ Closure C SUBSET (b s»");;
%< A primitive is an simplest constructionall object
This is an abstract definition: a primitive has
finite interior and its boundary has at least one
closed surface>%
let PRIMITIVE = new_definition ('PRIMITIVE_DEF',
"PRIMITIVE P = (OBJECT p) /\
(?s. SURFACE s /\ Closure s SUBSET
(b p) /\ -Cl p = EMPTY»");;
let HOLLOWED = new_definition ('HOLLOWED_DEF',
"HOLLOWED k = (PRIMITIVE k) /\
(!sl s2. SURFACE si /\ SURFACE s2
==> DISJOINT (Closure si) (Closure s2»");;
%<---------------------------------------------------------
Some basic geometrical facts
--------------------------------------------------------->%
%< boundary and interior points are distinct >%
let NON_OVERLAP_ELEM = prove_thm ('NoN_oVERLAP_ELEM',
"!A. OBJECT A ==> (i A IlHER b A = EHPTY)".
Annex D: Formal Specification of Solid Mo de lling 337
RE~RITE_TAC[OBJECT;DrSJOINT_DEF]
THEN REPEAT STRIP_TAC);;
%< dot and a curve is also distinct >Y,
let DOT_NOT_CURVE = prove_thm ('DOT_NOT_CURVE'.
"ID. DOT D ==> -(CURVE D)".
REWRITE_TAC[DOT;CURVE] THEN REPEAT STRIP_TAC
THEN RES_TAC);;
%< dot and surface is also distinct >%
let DOT_NOT_SURFACE = prove_thm ('DOT_NOT_SURFACE'.
"!O. DOT D ==> -(SURFACE 0)00.
REWRITE_TAC[DOT;SURFACE] THEN REPEAT STRIP_TAC
THEN RES_TAC); ;
%<-------------------------------------------------------
Some basic properties of a primitive
------------------------------------------------------->Y,
%< a primitive has at least one point i.a a dot >%
let NON_EMPTY = prova_thm ('NON_EMPTY',
"!p. PRIMITIVE P ==> ?a. a IN (Closure p)",
GEN_TAC THEN REWRITE_TAC[PRIMITIVE;OBJECT]
THEN DISCH_TAC
THEN REPEAT(POP_ASSUH(ASSUME_TAC o(\th. CONJUNCTt th)))
THEN ASSUME_ TACONST _TYPE [00: point", 00: *"]
MEMBER_NOT_EMPTY) THEN RES_TAC
THEN REWRITE_TAC[Closure;IN_UNION]
THEN EXISTS_TAC "x:point" THEIlASH_RE!~RITE_TAC[]);;
%< an element of an object 1S enclosed >%
let ENCLOSED = prove_thm ('ENCLOSED',
"Ip r. (p IN Closure r ) = (p IN Cb r) \I (p IN (i r»",
REPEAT STRIP_TAC THEN REWRITE_TAC[Closure]
THEN EQ_TAC
Annex D: FOl'll1al Sp ec ificu t.io n of Solid Mo de lli ug---------------------------------338
THENL[STRIP_TAC THEN POP_ASSUH(ASSUME_TAC o(\th.
REWRITE_RULE[Closure;IN_UNION] th))
THEN POP_ASSUM MATCH_ACCEPT_TAC;
DISCH_TAC THEN REWRITE_TAC[IN_UNION]
THEN ASH_REWRITE_TAC[]]);;
Xc primitive is definable in a finite space >X
let BOUNDED = prove_thm ('BOUNDED'.
"!P. PRIMITIVE P ==> -(Closure P={})".
GEN_TAC
THEN REWRITE_TAC[PRIMITIVE;OBJECT;Closure;EMPTY_UNION]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
X< a primitive is connected if any two points on its
boundary can be joined by a curve
let CONNECTED = prove_thm ('CONNECTED'.
"! P.?C. PRIMITIVE P /\
CURVE C /\ (Closure C SUBSET Closure P) ==>
(!A B. (A IN Closure C) /\ (B IN Closure C) ==>
(A IN Closure P) /\ (B IN Closure P))II.
REPEAT STRIP_TAC THEN EXISTS_TAC "C:object"
THEN DISCH_TAC
THEN POP_ASSUM (ASSUME_TAC o(\th. CDNJUNCT2 th))
THEN POP_ASSUM (ASSUME_TAC o(\th. CDNJUNCT2 th))
THEN ASSUHE_TAC(INST_TYPEC":point".":*"] SUBSET_DEF)
THEN REPEAT STRIP_TAC THEN RES_TAC);;
>X
Xc dot is not a primitive >%
let DOT_NOT_PRIM = prove_thm ('DOT_NOT_PRIM'.
"!D. DOT 0 ==> -(PRIMITIVE D)".
REWRITE_TAC[PRIMITIVE;DOT]
THEN REPEAT STRIP_TAC THEN RES_TAC);;
X< inclusion property - a point is either inside an object
Annex D: Formal Specification of Solid Modelling 339
or on its boundary or in its inter~or>%
let POINT_INCLUSION = prove_thm ('POINT_INCLUSION',
"!a p. -(a IN Closure p) \/ a IN (b p) \I a IN (i p)",
REPEAT GEN_TAC THEN REWRITE_TAC[Closure;IN_UNION]
THEN MATCH_ACCEPT_TAC (ONCE_REWRITE_RULE[DISJ_SYM]
EXCLUDED_MIDDLE));;
%<----------------------------------------------------------
Analytical descriptions of object
---------------------------------------------------------->%
%< A plane in 3-D representation >%
let PLANE = new_definition ('PLANE_DEF',
"PLANE P = (SURFACE p) /\
(!h. (h IN Closure(p)) ==>
?k 1 m n. k*X(h)+l*Y(h)+m*Z(h) = n)");;
%< Boundary of a region in space. Any plane divides the space
into 2 half-spaces: one further from the origin
called FAR_SPACE and one nearer, called NEAR_SPACE
which both includes the surface itself>%
let FAR_SPACE = new_definition ('FAR_SPACE_DEF',
"FAR_SPACE f(k,l,m,n) = (SURFACE f) /\
(!x. (x IN Closure(f)) ==>
(k*X(x)+l*Y(x)+m*Z(x)) >= n)");;
let NEAR_SPACE = new_definition ('NEAR_SPACE_DEF',
"NEAR_SPACE f(k,l,m,n) = (SURFACE f) /\
(!x. (x IN Closure(f)) ==>
(k*X(x)+l*Y(x)+m*Z(x)) <= n)");;
%< A solid block is defined by its 6 surfaces. These are
left,right,back, front, bottom and top respectively
Parameters are : c is centre of block
Annex D: Formal Specificat iOIl of Solid Mo delli ug 340
1 is half length (along x-axis)
w is half width (along y-axis)
h is half height (along z-axis»%
let BLOCK = new_definition ('BLOCK_DEF',
"BLOCK (dx,dy,dz)(l,w,h) =
{p I ?e. PRIMITIVE e /\ p IN e /\
(FAR_SPACE (b e)(l,O,O,dx) /\
(NEAR_SPACE Cb e)(l,O,O,l+dx» /\
(FAR_SPACE (b e)(O,l,O,dy» /\
(NEAR_SPACE (b e)(O,l,O,w+dy» /\
(FAR_SPACE (b e)(O,O,l,dz) /\
(NEAR_SPACE (b e)(O,O,l,h+dz)))))");;
%< Square of a number >%
let SOR = new_definition ('SQR_DEF',
"SQR(x) = x*x");;
%< A solid cylindrical object is defined by
m(x,y,z)
r
centre of cylinder
radius
half height (along axis)h
The cylinder is an open region which is
defined as an infinite tube >'l.
let CYLINDER_X = new_definition C'CYLINDER_X_DEF',
"CYLINDER_X (dx,dy,dz)(r,h) =
{p I ?c. PRIMITIVE c /\ P IN c /\
(NEAR_SPACE (b c)(l.O,O,dx) /\
(FAR_SPACE Cb c)Cl,O,O,h+dx) /\
(SQR(Y(p)+dy)+SQR(Z(p)+dz)<=SQR(r»» "); ;
let CYLINDER_Y = new_definition ('CYLINDER_Y_DEF',
"CYLINDER_Y (dx,dy,dz)(r,h) =
Annex D: FOl'lnul Sp ecificatio n of Solid Modelling 341
{p I ?c. PRIMITIVE c /\ P IN c /\
(NEAR_SPACE (b c)(O,l,O,dy) /\
(FAR_SPACE (b c)(O,l,O,h+dy) /\
(SQR(X(p)+dx)+SQR(Z(p)+dz)<=SQRCr»»"); ;
let CYLINDER_Z = new_definition C'CYLINDER_Z_DEF',
"CYLINDER_Z (dx,dy,dz)(r.h) =
{p I ?c. PRIMITIVE c /\ P IN c /\
(NEAR_SPACE (b c)(O.O.l.dz) /\
(FAR_SPACE (b c)(O,O,l,h+dz) /\
(SQR(X(p)+dx)+SQR(Y(p)+dy)<=SQR(r»»"); ;
%<----------------------------------------------------------
Build function to combined list of objects
---------------------------------------------------------->%
let BUILD = new_list_recursive_definition ('BUILD_DEF',
"BUILD [] = \!. EMPTY /\
BUILD (CONS hd tl) = \t. hd t BUILD [tl]");;
let NULL_DETECT = new_definition ('NULL_DETECT_DEF'.
"NULL_DETECT s = BUILD s REG_INTER = U");;
%<----------------------------------------------------------
Computation of overall volume
---------------------------------------------------------->%
let within = new_infix_definition ('within_DEF',
"within n (k,p) = k<=p /\ k<=n /\ n<=p");;
% Overall volume of rectangular block %
let OVERALL_B = new_definition ('OVERALL_B_DEF'.
"OVERALL_B (dx,dy,dz)(l,w.h)
{p I X(p) within (dx,l+dx) /\
yep) within (dy,w+dy) /\
Z(p) within (dz,h+dz)");;
Annex D: Formal Sp ec ifl ca t io u of Solid l\1odelling
----------------------------------342
% Overall volume of an X-cylinder %
let OVERALL_CX = new_definition ('OVERALL_CX_DEF',
"OVERALL_CX (dx,dy,dz)(r,h) =
OVERALL_B (dx,dy,dz)(h,2*r,2*r)");;
% Overall volume of an V-cylinder %
let OVERALL_CY = new_definition ('OVERALL_CY_DEF',
"OVERALL_CY (dx,dy,dz)(r,h) =
OVERALL_B (dx,dy,dz)(2.r,h,2*r)");;
% Overall volume of an Z-cylinder %
let OVERALL_CZ = new_definition ('OVERALL_CZ_DEFt,
"OVERALL_CZ (dx,dy,dz)(r,h) =
OVERALL_B (dx,dy,dz)(2*r, 2*r,h)") ;;
let well_orderl = prove_thm ('well_orderl',
"!n abc d. (n within (a,b) /\ n within (c.d)
==> (a<=c /\ d<=b) => n within (a,b) I n within (c,d)",
REPEAT GEN_TAC THEN REwRITE_TAC[within]
THEN CONO_CASES_TAC
THENL [REPEAT STRIP_TAC THEN ASM~REWRITE_TACO;
REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[]]);;
let well_order2 = prove_thm ('well_order2',
"!n abc d. (n lJithin (a,b) \/ n lJithin (c,d»
==> (a<=c /\ d<=b) => n lJithin (a,b) I n within (a,d)",
REPEAT GEN_TAC THEN RE~RITE_TACCwithin]
THEN CONO_CASES_TAC
THENL [REPEAT STRIP_TAC
THENL [ASM_REWRITE_TAC[] ;ASM_REWRITE_TACD;
ASM_REWRITE_TAC[] ;
ASSUME_TAC(
SPECL C"a:num";"c:num";"d:num"] LESS_EO_TRANS)
Annex D: Formal Sp ecifi cn t io n of Solid Mo cle lli ng 343
THEN RES_TAC
THEN ASSUM_LIST (\th. ASSUME_TAC(
REWRITE_RULE[(e16 th)] (ell th»)
THEN ASSUME_TACe
SPECL ["a:num";"d:num";"b:num"] LESS_EO_TRANS)
THEN RES_TAC
THEN ASSUM_LIST (\th.
ACCEPT_TAC(REWRITE_RULE[(e19 th)] (ell th»);
ASSUME_TAC(
SPECL ["a:num";"e:num";"n:num"] LESS_EO_TRANS)
THEN RES_TAC
THEN ASSUM_LIST (\th.
ACCEPT_TAC(RE'NRITE_RULE[(e16 th)] (ell th»);
ASSUME_TAC(
SPECL ["n:num";"d:nurn";"b:nurn"]LESS_EO_TRANS)
THEN RES_TAC
THEN ASSUM_LIST (\th.
ACCEPT_TAC(REWRITE_RULE[(el 6 th)] (ell th»)];
POP_ASSUM MATCH_ACCEPT_TAC];;
let well_order3 = prove_thm e'well_order3',
"!n abc d. (n within (a,b) /\ -en within (e,d») ==>
(e<=b /\ d<=b) => (n within (a,e) /\ n within Cd,b»
(e<=b /\ b<=d) => n within (a,e) I n within (a,b)",
REPEAT GEN_TAC THEN REWRITE_TAC[within]
THEN REPEAT STRIP_TAG THEN COND_CASES_TAC
THENL [ASM_REWRITE_TACO THEN REPEAT STRIP_TAC
THEN ASSUME_TACe
SPECL ["a:num";"d:num";"b:num"] LESS_EO_TRANS)
THEN RES_TAC
THEN ASSUM_LIST (\th.
ACCEPT_TACeRE~RITE_RULE[eel 9 th)] (ell th»);
ASSUME_TAC(
SPECL ["a:num";"e:nurn";"n:num"] LESS_EO_TRANS)
Annex D: Formal Specification of Solid Modelling 344
THEN RES_TAC;
POP_ASSUM MATCH_ACCEPT_TAC]);;
close_theoryO; ;
345350358 362 375
