Modelling Architecture Styles by Mavridou, Anastasia
POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES
acceptée sur proposition du jury:
Prof. B. Faltings, président du jury
Prof. J. Sifakis, Dr S. Bliudze, directeurs de thèse
Prof. J. Sztipanovits, rapporteur
Prof. B. Rumpe, rapporteur
Prof. R. Guerraoui, rapporteur
Modelling Architecture Styles
THÈSE NO 7324 (2016)
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
PRÉSENTÉE LE 21 DÉCEMBRE 2016
À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS
LABORATOIRE POUR LA CONCEPTION RIGOUREUSE DES SYSTÈMES
PROGRAMME DOCTORAL EN INFORMATIQUE ET COMMUNICATIONS 
Suisse
2016
PAR
Anastasia MAVRIDOU

Σα βγεις στον πηγαιμό για την Ιθάκη,
να εύχεσαι νάναι μακρύς ο δρόμος,
γεμάτος περιπέτειες, γεμάτος γνώσεις.
Κ. Π. Καβάφης
Στους παππούδες μου Αναστασία & Ιωάννη,
στους γονείς μου Ισαβέλλα & Ιωάννη,
& σε όλους τους δασκάλους μου.
To my grandparents Anastasia & Ioanni,
to my parents Isavella & Ioanni,
& to all my teachers.

Acknowledgements
I had the fortune, the honour and the absolute privilege to be advised by Prof. Joseph
Sifakis and Dr. Simon Bliudze. Prof. Sifakis gave me the opportunity to explore very
interesting research problems, while teaching me the beauty of theoretical rigour. Working
with Prof. Sifakis has been a unique experience; I truly admire his passion and energy, as
well as the enthusiasm with which he disseminates his knowledge. Dr. Bliudze always kept
an open door, was happy to help with any kind of issue and patiently answer my numerous
questions. I thank him for the insightful scientiﬁc discussions, which I greatly enjoyed.
Ultimately, a few sentences would show nothing about how indebted I feel towards both
Prof. Sifakis and Dr. Bliudze. The support and guidance I received was unbounded and
highly motivational. I sincerely hope that my future work would partly meet their eﬀorts.
I am grateful to Prof. Boi Faltings, Prof. Rachid Guerraoui, Prof. Bernhard Rumpe and
Prof. Janos Sztipanovits for honouring me by accepting to serve on my thesis committee.
I thank them for taking the time to read my thesis and for their invaluable comments on
my work and its perspectives. I would like to additionally thank Prof. Sztipanovits for
being my mentor during a summer internship at Vanderbilt University, which helped me to
signiﬁcantly increase my knowledge on model-based software engineering.
Special thanks go to Stefanos Skalistis, Goran Radanovic, Manos Karpathiotakis and Aron
Laszka for proofreading my thesis. They helped me improve the ﬂow and presentation of
the thesis by ﬁnding several places in which further clariﬁcations were needed.
I want to thank all my colleagues with whom I co-authored a paper: Emmanouela Stachtiari,
Prof. Panagiotis Katsaros, Dr. Anton Ivanov and Alina Zolotukhina. Special thanks go
to Dr. Radoslaw Szymanek for his invaluable guidance on the implementation parts of
this thesis. Special thanks also go to Eduard Baranov with whom I had the pleasure to
extensively interact, constructively argue and co-author several papers. I also thank my
colleagues Alena Simalatsar, Wang Qiang, Wajeb Saab, Alexandre Sikiaridis and Vladimir
Ilievski for creating a pleasant and motivating working environment. I thank Mrs. Arianne
Staudenmann for her continuous help on administrative tasks while always having a smile
on her face.
I would also like to express my gratitude to my dear friends for their continuous support and
for making my life happier. Thank you Alex, Christos, Eleni, Eralia, Evi, Giannis, Iliana,
Katerina, Kiki, Loukia, Manos, Matt, Pavlos, Stefanos, Theano and Zoi.
i
Acknowledgements
Last but not least, I thank my parents, Isavella and Ioannis, and my sister, Iﬁgeneia for
their unconditional love throughout the years. They were there for me, even when we were
physically apart.
Lausanne, 14 December 2016 A. M.
ii
Abstract
Software systems tend to increase over time in size and complexity. Their development
usually spans a long period of time and may result in systems that are hard to understand,
debug and maintain. Architectures are common means for organising coordination between
components in order to build complex systems and make them manageable. They allow
thinking on a higher plane and avoiding low-level mistakes. Grouping architectures that
share common characteristics into architecture styles assists component re-use and thus,
the cost-eﬀective development of systems. Architecture styles provide means for ensuring
correctness-by-construction by enforcing global properties. The main goal of this thesis is to
propose and study formalisms for modelling architectures and architecture styles.
For the speciﬁcation of architectures, we study interaction logics, which are Boolean algebras
on a set of component actions. We study a modelling methodology based on ﬁrst-order
interaction logic for writing architecture constraints. To validate the applicability of the
approach, we developed the JavaBIP framework that integrates architectures into mainstream
software development. JavaBIP receives as input architecture speciﬁcations, which it then
uses to coordinate software components without requiring access to their source code.
JavaBIP implements the principles of the BIP component framework.
For the speciﬁcation of architecture styles, we propose conﬁguration logics, which are powerset
extensions of interaction logic. Propositional conﬁguration logic formulas are generated from
formulas of interaction logic by using the operators union, intersection and complementation,
as well as a coalescing operator. We provide a complete axiomatisation of the propositional
conﬁguration logic and a decision procedure for checking that an architecture satisﬁes given
logical speciﬁcations. To allow genericity of speciﬁcations, we study higher-order extensions of
the propositional conﬁguration logic. We provide several examples illustrating the application
of conﬁguration logics to the characterisation of architecture styles.
For the speciﬁcation of architecture styles, we also propose architecture diagrams, which is
a graphical language rooted in rigorous semantics. We provide methods to assist software
developers to specify consistent architecture diagrams, generate the conforming architectures
of a style and check whether an architecture model meets given style requirements. We
present a full encoding of architecture diagrams into conﬁguration logics. Finally, we report
on applications of architecture diagrams to modelling architecture styles identiﬁed in realistic
case studies of on-board satellite software.
iii
Acknowledgements
Keywords: architecture styles, architectures, interaction logics, conﬁguration logics, archi-
tecture diagrams, architecture-based design, BIP, JavaBIP, component coordination.
iv
Résumé
Les logiciels informatiques ont tendance à augmenter au ﬁl du temps en taille et en complexité.
Leur développement couvre généralement une longue période de temps et se traduit souvent
par des systèmes qui sont diﬃciles à comprendre, réparer et maintenir. Les architectures
sont un moyen répandu pour organiser la coordination de composants aﬁn de construire
des systèmes complexes et simpliﬁer leur gestion. Ils permettent de penser à un niveau
d’abstraction supérieur et éviter les erreurs de bas niveau. Regrouper des architectures
partageant des caractéristiques communes en des styles d’architecture aide à la réutilisation
des composants et ainsi, au développement rentable de systèmes. En outre, les styles
d’architecture oﬀrent des moyens pour assurer l’exactitude par construction de systèmes,
par l’application de propriétés globales. Le principal objectif de cette thèse est de proposer
et étudier des formalismes pour modéliser des architectures et des styles d’architecture.
Pour la spéciﬁcation d’architectures, nous étudions des logiques d’interaction, c’est-à-dire
l’application d’algèbre booléenne sur des ensembles d’actions de composants. Nous étudions
une méthodologie de modélisation basée sur la logique d’interaction de premier ordre pour
l’écriture des contraintes d’architecture. Pour valider cette approche, nous avons développé le
cadre JavaBIP, qui intègre les architectures dans le développement de logiciels grand public.
JavaBIP reçoit comme entrée les spéciﬁcations d’architectures, qui sont ensuite utilisées pour
coordonner les composants logiciels sans nécessiter l’accès à leur code source. JavaBIP met
ainsi en œuvre les principes du cadre de programmation de composants BIP.
Pour la spéciﬁcation des styles d’architecture, nous proposons des logiques de conﬁguration,
qui sont des extensions en ensemble des parties d’un ensemble (powerset en anglais) de la
logique d’interaction. Les formules logiques de conﬁguration propositionnelles sont générées
à partir des formules logiques d’interaction à l’aide des opérateurs d’union, d’intersection et
de complémentation, ainsi qu’un opérateur coalescent. Nous fournissons une axiomatisation
complète de la logique de conﬁguration propositionnelle et une procédure de décision pour
vériﬁer qu’une architecture satisfait les spéciﬁcations logiques données. Pour permettre la
généricité des spéciﬁcations, nous étudions les extensions d’ordre supérieur de la logique de
conﬁguration propositionnelle. Nous proposons plusieurs exemples illustrant l’application de
la logique de conﬁguration à la caractérisation des styles d’architecture.
Pour la spéciﬁcation des styles d’architecture, nous proposons également des diagrammes
d’architecture, c’est-à-dire un langage graphique basé sur une sémantique rigoureuse. Nous
fournissons des méthodes pour aider les développeurs de logiciels à spéciﬁer des diagrammes
v
Résumé
d’architecture cohérents, à générer des architectures conformes à un style, et à vériﬁer
qu’un modèle d’architecture réponde aux exigences d’un style donné. Nous présentons un
encodage complet des diagrammes d’architecture dans les logiques de conﬁguration. Enﬁn,
nous présentons des applications de diagrammes d’architecture à des styles d’architecture
de modélisation, identiﬁées dans des études de cas réalistes de logiciel embarqué pour un
satellite.
Mots clefs : styles d’architecture, architectures, logiques d’interaction, logiques de conﬁgura-
tion, diagrammes d’architecture, design basé sur une architecture, BIP, JavaBIP, coordination
de composants.
vi
Contents
Acknowledgements i
Abstract (English/Français) iii
List of ﬁgures xi
List of tables xv
1 Introduction 1
1.1 Architectures in BIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Architecture styles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Our contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3.1 Modelling and implementation of architectures . . . . . . . . . . . . . 5
1.3.2 Modelling architecture styles . . . . . . . . . . . . . . . . . . . . . . . 7
1.4 Thesis outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2 Preliminaries 11
2.1 BIP component framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Basic semantic model of BIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3 Representations of the BIP interaction model . . . . . . . . . . . . . . . . . . 15
2.3.1 Algebra of interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.2 Algebra of connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.3.3 Propositional interaction logic . . . . . . . . . . . . . . . . . . . . . . . 17
2.4 Architectures in BIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3 Interaction logic and JavaBIP 21
3.1 JavaBIP design workﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2 JavaBIP by example: Camel routes . . . . . . . . . . . . . . . . . . . . . . . . 23
3.3 Theoretical foundations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.3.1 Component model without data . . . . . . . . . . . . . . . . . . . . . 27
3.3.2 Extension of the model with data . . . . . . . . . . . . . . . . . . . . . 29
3.3.3 First-order interaction logic . . . . . . . . . . . . . . . . . . . . . . . . 32
3.3.4 Macro notation based on component types . . . . . . . . . . . . . . . 33
3.4 System speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.4.1 Behaviour speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . 38
vii
Contents
3.4.2 Architecture speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.4.3 Data-wire speciﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.5 Implementation of the JavaBIP engine . . . . . . . . . . . . . . . . . . . . . . 43
3.5.1 Engine kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.5.2 Coordinators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.5.3 Experimental evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.6 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
4 Conﬁguration logics 51
4.1 Propositional conﬁguration logic (PCL) . . . . . . . . . . . . . . . . . . . . . 52
4.1.1 Properties of PCL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.1.2 Normal form and axiomatisation of PCL formulas . . . . . . . . . . . 66
4.1.3 Soundness and completeness . . . . . . . . . . . . . . . . . . . . . . . 71
4.1.4 Checking satisfaction of PCL formulas . . . . . . . . . . . . . . . . . . 72
4.2 First and second order extensions of PCL . . . . . . . . . . . . . . . . . . . . 73
4.2.1 First-order conﬁguration logic . . . . . . . . . . . . . . . . . . . . . . . 74
4.2.2 First-order conﬁguration logic with ordered components . . . . . . . . 80
4.2.3 Second-order conﬁguration logic . . . . . . . . . . . . . . . . . . . . . 83
4.3 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
5 Architecture diagrams 89
5.1 Simple architecture diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.1.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.1.2 Consistency conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.1.3 Synthesis of conﬁgurations . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.1.4 Architecture style speciﬁcation examples . . . . . . . . . . . . . . . . . 98
5.2 Interval architecture diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.2.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.2.2 Consistency conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.2.3 Synthesis of conﬁgurations . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.2.4 Architecture style speciﬁcation examples . . . . . . . . . . . . . . . . . 105
5.3 Index architecture diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.3.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.3.2 Architecture style speciﬁcation examples . . . . . . . . . . . . . . . . . 109
5.4 General architecture diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.4.1 Syntax and Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.4.2 Architecture style speciﬁcation examples . . . . . . . . . . . . . . . . . 112
5.5 Checking conformance of diagrams . . . . . . . . . . . . . . . . . . . . . . . . 115
5.6 Encoding of architecture diagrams into conﬁguration logics . . . . . . . . . . 116
5.7 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
5.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
viii
Contents
6 Case studies 133
6.1 The CubETH case study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.1.1 A taxonomy of architecture styles for on-board software . . . . . . . . 134
6.1.2 Architecture application and composition examples . . . . . . . . . . . 145
6.1.3 Model veriﬁcation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.1.4 Validation of the approach . . . . . . . . . . . . . . . . . . . . . . . . 149
6.2 The Sentinel 3 case study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7 Conclusion and future work 153
7.1 Modelling and implementation of architectures . . . . . . . . . . . . . . . . . 153
7.2 Modelling architecture styles . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
A Appendix 157
A.1 JavaBIP use case: Publish-Subscribe server . . . . . . . . . . . . . . . . . . . 157
A.2 List of requirements of CubETH case study . . . . . . . . . . . . . . . . . . . 160
A.3 BIP model of CubETH case study . . . . . . . . . . . . . . . . . . . . . . . . 161
Bibliography 179
ix

List of Figures
1.1 Mutual exclusion model in BIP . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Mutual exclusion architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Architecture diagram of the Mutual exclusion style . . . . . . . . . . . . . . . 8
2.1 A BIP system with three atomic components . . . . . . . . . . . . . . . . . . 14
2.2 BIP connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 Components (a) and coordinator (b) for Example 2.4.3 . . . . . . . . . . . . . 20
3.1 JavaBIP design workﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2 JavaBIP models of three routes and a monitor . . . . . . . . . . . . . . . . . 24
3.3 Annotations for the Route component type . . . . . . . . . . . . . . . . . . . 25
3.4 Annotations for the Monitor component type . . . . . . . . . . . . . . . . . . 26
3.5 JavaBIP models of one tracker and two peers . . . . . . . . . . . . . . . . . . 37
3.6 Architecture speciﬁcation for the Trackers and Peers example . . . . . . . . . 41
3.7 Data-wire speciﬁcation for Trackers and Peers . . . . . . . . . . . . . . . . . . 41
3.8 JavaBIP software architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.9 Performance diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
4.1 Lattices of interactions, conﬁgurations and conﬁguration sets . . . . . . . . . 51
4.2 Master/Slave architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.3 Correspondence between the lattices of PIL and PCL . . . . . . . . . . . . . . 59
4.4 Correspondence between negation and complementation of interaction formulas 62
4.5 PCL lattice. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
4.6 Rewriting system for computing the normal form . . . . . . . . . . . . . . . . 67
4.7 Procedure for computing the normal form . . . . . . . . . . . . . . . . . . . . 68
4.8 A Star architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.9 A Pipes and Filters architecture . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.10 A Blackboard architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.11 A Request/Response architecture . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.12 A Ring architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.13 A Linear architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.14 A Square Grid architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.1 An architecture diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.2 Conforming architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
xi
List of Figures
5.3 Composition for the diagram in Figure 5.1 . . . . . . . . . . . . . . . . . . . . 90
5.4 The four classes of architecture diagrams . . . . . . . . . . . . . . . . . . . . . 90
5.5 A simple architecture diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.6 Quaternary synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.7 Binary synchronisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.8 An inconsistent diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.9 Regular conﬁgurations of p with np = 4, mp = 2 . . . . . . . . . . . . . . . . . 94
5.10 Architecture diagram of Example 5.1.5 . . . . . . . . . . . . . . . . . . . . . . 96
5.11 Star architecture style with architecture diagrams . . . . . . . . . . . . . . . . 98
5.12 Multi-star architecture style with architecture diagrams . . . . . . . . . . . . 98
5.13 Master/Slave architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.14 Architecture diagram that deﬁnes the set of architectures in Figure 5.13 . . . 100
5.15 Master/Slave architecture style with architecture diagrams . . . . . . . . . . 105
5.16 A Master/Slave architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.17 Repository architecture style with architecture diagrams . . . . . . . . . . . . 106
5.18 Pipes and Filters architecture style with architecture diagrams . . . . . . . . 106
5.19 Map-Reduce architecture style with architecture diagrams . . . . . . . . . . . 107
5.20 A Map-Reduce architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.21 An index architecture diagram . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.22 Request/Response style with architecture diagrams . . . . . . . . . . . . . . . 110
5.23 Ring style with architecture diagrams . . . . . . . . . . . . . . . . . . . . . . 110
5.24 Peer-to-Peer style with architecture diagrams . . . . . . . . . . . . . . . . . . 113
5.25 Square Grid style with architecture diagrams . . . . . . . . . . . . . . . . . . 113
5.26 Triple Modular Redundancy architectures . . . . . . . . . . . . . . . . . . . . 114
5.27 Triple Modular Redundancy style with architecture diagrams . . . . . . . . . 115
5.28 The simple architecture diagram encoded in Example 5.6.1 . . . . . . . . . . 121
6.1 Architecture-based design ﬂow . . . . . . . . . . . . . . . . . . . . . . . . . . 134
6.2 The high-level interaction model . . . . . . . . . . . . . . . . . . . . . . . . . 135
6.3 Mutual Exclusion style with architecture diagrams . . . . . . . . . . . . . . . 136
6.4 Client-Server style with architecture diagrams . . . . . . . . . . . . . . . . . . 137
6.5 Action ﬂow style with architecture diagrams . . . . . . . . . . . . . . . . . . . 138
6.6 Action ﬂow with abort style with architecture diagrams . . . . . . . . . . . . 139
6.7 Failure monitoring style with architecture diagrams . . . . . . . . . . . . . . . 140
6.8 Mode management style with architecture diagrams . . . . . . . . . . . . . . 141
6.9 Buﬀer management style with architecture diagrams . . . . . . . . . . . . . . 142
6.10 Event monitoring style with architecture diagrams . . . . . . . . . . . . . . . 143
6.11 Priority management style with architecture diagrams . . . . . . . . . . . . . 144
6.12 Application of Action ﬂow architecture . . . . . . . . . . . . . . . . . . . . . . 146
6.13 Application of Client-Server architecture . . . . . . . . . . . . . . . . . . . . . 146
6.14 Application of Failure monitoring architecture . . . . . . . . . . . . . . . . . . 147
6.15 Application of Mode management architecture . . . . . . . . . . . . . . . . . 147
6.16 Composition of Client-Server and Mode management architectures . . . . . . 149
xii
List of Figures
6.17 Software architecture of Sentinel 3 . . . . . . . . . . . . . . . . . . . . . . . . 151
A.1 JavaBIP models of a Publish-Subscribe server . . . . . . . . . . . . . . . . . . 157
A.2 Annotations for the CommandBuﬀer component type . . . . . . . . . . . . . 158
A.3 Annotations for the TopicManager component type . . . . . . . . . . . . . . . 159
A.4 Meaning of connections between hexagons in Figure 6.2 . . . . . . . . . . . . 162
A.5 Library components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
A.6 Housekeeping report enable and disable . . . . . . . . . . . . . . . . . . . . . 163
A.7 Packet storage enable and disable . . . . . . . . . . . . . . . . . . . . . . . . . 163
A.8 The error logging compound . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
A.9 The Payload compound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
A.10 The Housekeeping Payload compound . . . . . . . . . . . . . . . . . . . . . . 167
A.11 The Housekeeping EPS compound . . . . . . . . . . . . . . . . . . . . . . . . 167
A.12 The Housekeeping COM compound . . . . . . . . . . . . . . . . . . . . . . . . 168
A.13 The Internal Housekeeping compound . . . . . . . . . . . . . . . . . . . . . . 168
A.14 The I2C_sat compound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
A.15 The ﬂash memory compound . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
xiii

List of Tables
1.1 Architecture-based design in BIP: the global picture and our contributions . . 6
2.1 AI(P ), AC(P ) and PIL(P ) representations of four basic coordination mechanisms 18
3.1 Engine times and BDD Manager peak memory usages. . . . . . . . . . . . . . 46
3.2 Number of Boolean variables for states, ports and data. . . . . . . . . . . . . 46
3.3 Total number of Boolean variables and number of possible interactions. . . . 47
5.1 Vector representation of regular conﬁgurations . . . . . . . . . . . . . . . . . 95
6.1 CubETH: Representative requirements for CDMS status and HK_PL . . . . 145
6.2 CubETH: Statistics of models and veriﬁcation . . . . . . . . . . . . . . . . . . 150
A.1 CubETH: Complete list of requirements . . . . . . . . . . . . . . . . . . . . . 161
xv

1 Introduction
Component-based engineering is essential for modern systems because it enhances correctness
and productivity [33, 9]. It has been successfully used in many engineering disciplines such
as civil, mechanical and electrical engineering. Based on the principles of component-based
engineering, hardware systems can be constructed using a limited and well-deﬁned number
of components, such as registers, memories, buses, ALUs, etc., for which there exist speciﬁc
composition rules [92]. Since hardware components have reached an adequate level of
reliability [48, 59], the focus of system designers has shifted from the hardware counterparts
of the systems to the software ones [89, 83].
Modern software systems are highly concurrent. They consist of multiple components that
run simultaneously and share access to resources provided by the execution platform. To deal
with this high level of concurrency, software architects use a vast variety of heterogeneous
components with diﬀerent behaviour and coordination mechanisms: synchronous or asyn-
chronous, object-based or actor-based, event-based or data-based. Nevertheless, according
to Sifakis [90], software lacks a well-deﬁned component taxonomy and theory for component
composition.
Two approaches exist for designing and developing component-based software systems. The
ﬁrst approach, namely the architecture-agnostic approach [23], considers the distinction
between components and their associated coordination mechanisms to be irrelevant. It uses
coordination primitives, which are spread across component behaviour. For instance, in
Java, C, C++ and other programming languages the operations of concurrent programs
are implemented as built-in features of the language [65, 103]. Synchronization primitives
such as locks, semaphores and monitors are used to express coordination constraints. These
low-level primitives are mixed up with the functional code, forcing developers to keep in mind
both aspects simultaneously at design time, which often results in synchronization errors
that introduce race conditions and deadlocks. In order to analyse the behaviour of such a
software system, one has to consider all possible interleavings of the operations executed by
its components. Thus, the complexity is exponential in the number of components, making
a posteriori veriﬁcation of their correctness practically infeasible. In fact, software architects
1
Chapter 1. Introduction
and researchers at Microsoft underline the need for higher-level parallel constructs that more
clearly express a programmer’s intent, so that the parallel architecture of a program is more
visible, easily understood and veriﬁable [95].
The second approach, namely the architecture-based approach [23], allows software architects
to think on a higher abstraction level, separating functional and coordination aspects of the
system behaviour. This approach uses architectures [84, 88, 96] to shift the focus of architects
from low-level code to high-level structures ensuring coordination. Informally, architectures
are characterized by the structure of the interactions between a set of component types.
The structure is usually speciﬁed as a relation, e.g. connectors between component ports.
Architectures can be understood as constraints that adequately restrict the behaviour of
the coordinated components so as to achieve a desired coordination property. Software
developers extensively use libraries of reference architectures ensuring both functional and non-
functional properties; examples include fault-tolerant architectures, architectures for resource
management and QoS control, time-triggered architectures and security architectures. When
architectures are described in formal languages, they provide means for ensuring correctness-
by-construction, shifting the burden of veriﬁcation from a full model to architectures, which
are considerably smaller in size and can be reused.
The importance of software architecture has been greatly acknowledged by the industry
and academia. Standards have been produced by various organisations, the latest one
being ISO/IEC/IEEE 42010 [53], which aims at standardising conventions on architectural
descriptions. Additionally, there has been an increasing interest in deﬁning languages
that support the architecture-based approach, e.g. UML [78] and architecture description
languages (ADLs) [75, 104, 80]. All these works rely on the distinction between behaviour of
individual components and their coordination in the overall system organization. Nevertheless,
they have a number of shortcomings. For instance, the connectivity primitives of some
ADLs [45, 68, 61] allow only binary interactions. To specify n-ary interactions, these ADLs
require an additional entity connected by n binary links with the interacting components.
Additionally, these languages often lack formal semantics [87, 99, 79, 78]. As a result, analysis
is carried out on models that cannot be rigorously related to system development formalisms.
This introduces gaps in the design process which reduce productivity and limit the ability
for ensuring correctness. In fact, in a survey conducted in the industrial sector regarding
architecture description languages, it is stated that practising architects nowadays emphasize
the need to reconcile informal notations with more formal and analysable ones [69].
Over the past two decades, there has been considerable progress in developing architecture-
based design. Nevertheless, according to Garlan [42] “the ﬁeld of software architecture
remains relatively immature”. A lot of foundational issues remain open. We consider that a
theory of architectures must address, among others, the following fundamental questions:
1. How does one model and implement architectures? A rigorous theory requires formal
deﬁnition of semantics. Characteristic properties of architectures must be under-
standable and veriﬁable by architects. Architecture speciﬁcations must be suﬃciently
2
1.1. Architectures in BIP
Figure 1.1 – Mutual exclusion model in BIP
versatile to be applicable to a variety of components and must not rely on the charac-
teristics of any speciﬁc execution platform. Tools must provide support for integrating
architectures into mainstream software development by raising the abstraction level and
supporting separation of concerns, e.g. decoupling between behaviour and interaction.
2. How to guide software developers in their choice of architectures? Several architectures
might enforce the same characteristic property, involve the same component types and
coordination structure. In this case, we can group architectures in architecture styles
to create a taxonomy of them and assist component-reuse.
3. How does one specify architecture styles? To be applicable to a variety of architecture
styles, a rigorous theory requires formal semantics and versatile speciﬁcations. The
speciﬁcation language must be expressive and usable by architects. Additionally,
mechanisms must exist to assist architects to correctly specify architecture styles,
generate architectures from a style and check the conformance of an architecture to a
speciﬁc style.
1.1 Architectures in BIP
A formal notion of architectures was proposed by Attie et al. [6], based on the Behaviour-
Interaction-Priority (BIP) framework [9]. BIP is a component-based framework that provides
an expressive formal language for the design of correct-by-construction systems. BIP
superposes three layers. In the ﬁrst layer, component behaviour is described by Finite State
Machines having transitions labelled with ports. Ports form the interface of a component and
are used to deﬁne its interactions with other components. The second layer deﬁnes component
coordination by means of sets of interactions, i.e. sets of ports. A set of interactions is
deﬁned in a structured manner by using connectors [20]. In the third layer, priorities are
used to impose scheduling constraints and to resolve conﬂicts when multiple interactions are
enabled simultaneously.
Figure 1.1 shows a simple BIP model for mutual exclusion between two tasks. B1, B2 model
the tasks and Mutex Manager coordinates their actions. Initial states of the components are
3
Chapter 1. Introduction
Figure 1.2 – Mutual exclusion architecture
shown with double lines. The four binary connectors synchronise each of the begin actions
(resp. finish) of the tasks with the action take (resp. release) of the coordinator.
An architecture can be viewed as a BIP model, in which some of the atomic components
are considered as coordinators, while the rest are parameters. When an architecture is
applied to a set of components, these components are used as operands to replace the
parameters of the architecture. Figure 1.2 shows an architecture that enforces the mutual
exclusion characteristic property on two components B1 and B2 with interfaces begin,
finish. The characteristic property of the architecture can be expressed in Computation
Tree Logic (CTL) as AG¬(cs[1] ∧ cs[2]), where cs[i] is an atomic predicate that evaluates to
true when the component B[i] is in its critical section (e.g. in the state work, for B1, B2 of
Figure 1.1). The architecture can be successfully applied if B1 and B2 satisfy the formula
AG
(
finish[i] → A [¬cs[i] W begin[i]]), where begin[i] and finish[i] are atomic predicates that
evaluate to true in the states right after the execution of actions begin, finish, respectively.
1.2 Architecture styles
The deﬁnition of an architecture implicitly deﬁnes the number of components it is applied to.
Architecture styles can be used to generalize this for any number of components. Architecture
styles characterize not a single architecture but a family of architectures sharing common
characteristics, such as the type of the involved components and the characteristic properties
they impose [73]. Examples of architecture styles are Pipeline, Mutual Exclusion, Triple
Modular Redundancy, Ring, Master/Slave, Pipe and Filter.
For instance, let us consider the Mutual exclusion architecture in Figure 1.2, which is applied
on a set of precisely two operand components. The Mutual exclusion architecture style
characterizes all the architectures that satisfy mutual exclusion for any number of operand
components. The characteristic property of the Mutual exclusion architecture style is the
following: ‘no two components can be in their critical section simultaneously’. This property is
expressed by the CTL formula: AG¬(∨i=j∈[1,n] cs[i]∧cs[j]), where cs[i] is an atomic predicate
that evaluates to true when the component Bi is in its critical section.
4
1.3. Our contributions
The beneﬁts of using architecture styles are numerous [96]. In particular, styles:
1. provide a disciplined and coherent way to specify and group coordination mechanisms
as a means to master complexity in system design;
2. are means for ensuring correctness-by-construction since they enforce global properties
characterizing the coordination among components;
3. provide a common vocabulary that promotes understanding of design decisions and
makes communication between architects more eﬃcient;
4. allow component re-use, enable the use of code generation and the development of
systems in a cost-eﬀective manner.
1.3 Our contributions
This thesis proposes a framework for the speciﬁcation of architectures and architectures
styles. The framework includes three speciﬁcation languages: 1) interaction logics for
the speciﬁcation of architectures; 2) conﬁguration logics and 3) architecture diagrams for
the speciﬁcation of architecture styles. The presented results build on previous work on
architecture modelling in BIP [9]. In particular, they are based on propositional interaction
logic and connectors studied in [20, 21, 22, 91].
Table 1.1 presents the global picture of formalisms for architecture-based design in BIP.
For modelling architectures and architecture styles, we distinguish between: 1) logic-based
formalisms, i.e. interaction logics and conﬁguration logics and 2) graphical formalisms, i.e.
connectors and architecture diagrams. Depending on the features of the formalisms we
can achieve diﬀerent levels of expressiveness. Component variables are needed to describe
generic models and properties, while variables over sets of components are needed to describe
dynamic creation/deletion and dynamic conﬁgurations. The darker grey colour elements of
the table indicate languages that are proposed in this thesis. The next subsections present
in more detail our contributions.
1.3.1 Modelling and implementation of architectures
To answer the ﬁrst fundamental question of “how does one model and implement archi-
tectures?”, we studied ﬁrst-order interaction logic (FOIL) for modelling architectures and
developed the JavaBIP tool that supports architecture-based software development. FOIL
encompasses quantiﬁcation over instances of component types and FOIL formulas charac-
terise sets of interactions. The semantics of FOIL is deﬁned via a satisfaction relation |=i
between interactions and formulas. Given a FOIL formula, a feasible interaction is any set
of ports characterised by a valuation which satisﬁes the formula.
JavaBIP—a Java adaptation of BIP [9]—allows coordination of existing concurrent software
5

1.3. Our contributions
1.3.2 Modelling architecture styles
To answer the second and third fundamental questions of “how to guide software developers
in their choice of architectures?” and “how does one specify architecture styles?”, we
studied conﬁguration logics and architecture diagrams for the speciﬁcation of architecture
styles. Conﬁguration logic is a powerful and expressive declarative formalism. Architecture
diagrams is an imperative, graphical formalism. Using architecture diagrams instead of
purely logic-based speciﬁcations confers the usability advantages of graphical formalisms.
Conﬁguration logics
Conﬁguration logic formulas characterize interaction conﬁgurations between instances of
component types. Conﬁguration logic formulas are generated from formulas of the propo-
sitional interaction logic by using the operators union, intersection and complementation,
as well as a coalescing operator +. To avoid ambiguity, we refer to the formulas of the
conﬁguration logic that syntactically are also formulas of the interaction logics as interaction
formulas.
The semantics of the conﬁguration logic is deﬁned via a satisfaction relation |= between
conﬁgurations γ = {a1, ..., an} and formulas. An interaction formula f represents any
conﬁguration consisting of interactions satisfying it; that is γ |= f if, for all a ∈ γ, a |=i f .
For set-theoretic operators, we take the standard meaning. The meaning of formulas of the
form f1 + f2 is all conﬁgurations γ that can be decomposed into γ1 and γ2 (γ = γ1 ∪ γ2)
satisfying, respectively, f1 and f2. The formula f1 + f2 represents conﬁgurations obtained as
the union of conﬁgurations of f1 with conﬁgurations of f2.
The following conﬁguration logic formula characterizes the Mutual exclusion architecture
style:
∃m :MutexManager . Σb :B.
(
(b.begin m.take) + (b.ﬁnish m.release)
)
∧
∀m :MutexManager . ∀m′ :MutexManager . (m = m′) ∧
∀m :MutexManager . ∀b :B. ∀b′ :B (b′ = b).(
(b.begin b′.begin ) ∧ (b.ﬁnish b′.ﬁnish ) ∧ (b.begin b′.ﬁnish ) ∧ (m.take m.release )
)
.
Architecture diagrams
Architecture diagrams allow the speciﬁcation of generic coordination mechanisms based on
the concept of connector. An architecture diagram consists of a set of component types, a
cardinality function and a set of connector motifs. Component types are characterised by sets
of port types. The cardinality function associates each component type with its cardinality,
i.e. number of instances. Cardinality can be a ﬁxed value or an interval. The architecture
diagram of Figure 1.3 deﬁnes the Mutual exclusion architecture style. The cardinality of the
7
Chapter 1. Introduction
Figure 1.3 – Architecture diagram of the Mutual exclusion style
Mutex Manager component type is 1, while the cardinality of the B component is n.
Connector motifs are non-empty sets of port types. Each port type p in a connector motif
has associated multiplicity and degree constraints, represented as a pair m : d. Multiplicity
m speciﬁes the number of port instances pi of type p that are involved in each connector
deﬁned by the motif. Degree d speciﬁes the number of connectors that each port instance pi
of type p is attached to. Multiplicities and degrees can be either ﬁxed values or intervals.
In Figure 1.3, the multiplicities of all port types are equal to 1, meaning that exactly one
instance of each port type must be involved in each connector and thus, all connectors
must be binary. The degrees require that each port instance of type begin and finish be
attached to a single connector and each port instance of type take and release be attached
to n connectors.
List of contributions
• We provide a full axiomatisation of the propositional conﬁguration logic and a normal
form similar to the disjunctive normal form in Boolean algebras. The existence of such
a normal form implies the decidability of formula equality and satisfaction of a formula
by an architecture model.
• To allow genericity of speciﬁcations, we studied higher-order extensions of the proposi-
tional conﬁguration logic. Higher-order conﬁguration logics allow to specify architecture
styles for any number of components. First-order logic formulas involve quantiﬁcation
over component variables, while second-order logic formulas involve quantiﬁcation over
variables representing sets of components. Second-order logic is needed to express some
interesting properties, e.g. the existence of cycles of interactions.
• We studied a hierarchy consisting of four classes of architecture diagrams: 1)simple
architecture diagrams, where the cardinality, multiplicity and degree constraints are
positive integers; 2) index architecture diagrams, where we introduce index variables and
arithmetic predicates on index variables; 3) interval architecture diagrams, where the
cardinality, multiplicity and degree constraints are intervals and 4) general architecture
diagrams, which we obtained by merging 2) and 3) and additional arithmetic predicates
on multiplicities and degrees.
• We present methods to assist software architects and developers to correctly specify
8
1.4. Thesis outline
architecture styles. In particular, we present a polynomial-time algorithm to check
if an architecture model conforms to the architecture style speciﬁed by an architec-
ture diagram. We also present a set of consistency conditions and a method that
compositionally characterises all the architectures of an architecture diagram.
• We use conﬁguration logics as a uniﬁed semantic framework. To this end, we studied
a full encoding of architecture diagrams into conﬁguration logics, thus, proving that
conﬁguration logics are at least as expressive as architecture diagrams.
• We illustrate the application of architecture diagrams in non-trivial case studies. We
identiﬁed recurring patterns in on-board satellite software which we formalised with
architecture diagrams to create a taxonomy of architecture styles. From the identiﬁed
styles we generated architectures, which were used to develop satellite software that is
correct-by-construction.
1.4 Thesis outline
The rest of the thesis is structured as follows:
Chapter 2 provides background information on the BIP framework, the propositional
interaction logic, the notion of architectures in BIP and the architecture composition
operator.
Chapter 3 presents the ﬁrst-order interaction logic and its application in the JavaBIP
framework. It describes the JavaBIP design work-ﬂow, the formal component and coordina-
tion model underlying JavaBIP, the implementation details of the extensible symbolic engine
and performance evaluation results. Related work on on-the-ﬂy coordination mechanisms for
software components is discussed. The obtained results is presented in [17, 18].
Chapter 4 presents the propositional conﬁguration logic, its properties and the deﬁnition
of a normal form which allows the decidability of equality of formulas and the satisfaction of
a formula by an architecture. Additionally, Chapter 4 presents ﬁrst-order and second-order
extensions of the propositional logic. The use of conﬁguration logics is illustrated through
the speciﬁcation of several architecture styles. Related work on declarative architecture
languages is discussed. The obtained results is presented in [70, 73].
Chapter 5 presents the four classes architecture diagrams. It proposes a set of necessary and
suﬃcient consistency conditions and a method that allows characterising compositionally the
speciﬁed architectures. The chapter also presents a polynomial-time algorithm for checking
that a given architecture conforms to an architecture diagram. We additionally present a
full encoding of architecture diagrams into conﬁguration logics and discuss related work on
graphical architecture languages. The obtained results is presented in [71, 72].
Chapter 6 describes applications of architecture diagrams on specifying architecture styles
9
Chapter 1. Introduction
identiﬁed in non-trivial case-studies of on-board satellite software. The obtained results is
presented in [74].
Chapter 7 summarises the contributions of the thesis to the speciﬁcation of architectures
and architecture styles. The chapter also discusses directions for future work.
List of papers
The main results of this thesis were presented in the following papers (reference numbers
coincide with the ones in the Bibliography section):
[17] Bliudze, S., Mavridou, A., Szymanek, R., & Zolotukhina, A. (2014). Coordination
of software components with BIP: application to OSGi. 6th International Workshop on
Modeling in Software Engineering (pp. 25-30). ACM.
[18] Bliudze, S., Mavridou, A., Szymanek, R., & Zolotukhina, A. (2016). Exogenous
Coordination of Concurrent Software Components with JavaBIP. Submitted to: Software:
Practice and Experience. Under review.
[70] Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2015). Conﬁguration Logics: Mod-
elling Architectures Styles. 12th International Conference on Formal Aspects of Component
Software. Lecture Notes in Computer Science 9539.
[71] Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Architecture Diagrams: A
Graphical Language for Architecture Style Speciﬁcation. 9th Interaction and Concurrency
Experience. Electronic Proceedings in Theoretical Computer Science.
[72] Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Conﬁguration Logics and
Architecture Diagrams for Modelling Architecture Styles. Submitted to: Science of Computer
Programming. Under review.
[73] Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2017). Conﬁguration Logics:
Modelling Architectures Styles. Journal of Logical and Algebraic methods in Programming.
86(1):2 - 29.
[74] Mavridou, A., Stachtiari, E., Bliudze, S., Ivanov, A., Katsaros, P., & Sifakis, J. (2016).
Architecture-based Design: A Satellite On-board Software Case Study. Accepted to the 13th
International Conference on Formal Aspects of Component Software.
10
2 Preliminaries
In this chapter, we provide the formal component and coordination model underlying BIP.
We present two diﬀerent representations of the BIP interaction model by using 1) algebra
of connectors and 2) propositional interaction logic. Connectors are most appropriate
for graphical design and representation of interactions, whereas interaction logic formulas
are most appropriate for manipulation and eﬃcient encoding in the BIP Engine. We
additionally present the notion of architectures in BIP and theoretical results on architecture
composability.
The formal model of BIP has been used as the basis for the deﬁnition of the formal model
of JavaBIP presented in Chapter 3. Algebra of connectors is necessary for the deﬁnition of
architecture diagrams in Chapter 5. Propositional interaction logic serves as a basis for the
deﬁnition of ﬁrst-order interaction logic in Chapter 3 and propositional conﬁguration logic
in Chapter 4. Finally, the architecture composability results are used in the case-studies
presented in Chapter 6.
2.1 BIP component framework
BIP [12] is a framework for component-based design of correct-by-construction applications.
It provides a simple but powerful mechanism for coordination of concurrent components
by superposing three layers: Behaviour, Interaction, and Priority. The ﬁrst layer describes
the behaviour of components as Finite State Machines (FSM) having transitions labelled
with ports and extended with data stored in local variables. Ports form the interface of a
component and are used to deﬁne its interactions with other components. They can also
export part of the local variables, allowing access to the component’s data.
The second layer deﬁnes component coordination by means of interaction models, i.e. sets
of interactions. Interactions are sets of ports that deﬁne allowed synchronizations between
components. An interaction model is deﬁned in a structured manner by using connectors [20]
or by using interaction logic [20, 21, 22], which is a Boolean algebra on the set of ports
11
Chapter 2. Preliminaries
of the composed system. For each interaction, a connector also speciﬁes how the data is
retrieved, ﬁltered and updated in each of the participating components. In particular, a
Boolean guard can be associated to an interaction. The interaction is only enabled if the
data provided by the components satisﬁes the guard [23]. In the third layer, priorities are
used to impose scheduling constraints and to resolve conﬂicts when multiple interactions are
enabled simultaneously.
The BIP component framework encompasses an expressive language and a dedicated tool-set.
The BIP language oﬀers primitives and constructs for modelling and composing layered
components. The BIP tool-set comprises translators from various programming models into
BIP, source-to-source transformers as well as compilers for generating code executable by
dedicated engines. The tool-set also provides tools for deadlock detection, state reachability
analysis and an interface with the nuXmv model checker.
The execution of a BIP system is driven by the BIP engine applying the following protocol
in a cyclic manner:
1. upon reaching a state, each component notiﬁes the engine about the possible outgoing
transitions;
2. the engine chooses an interaction satisfying the input speciﬁcations, performs the data
transfer and notiﬁes all the involved components;
3. the notiﬁed components execute the functions associated with the transitions that were
chosen by the engine at step 2.
2.2 Basic semantic model of BIP
We present the formal component model underlying the BIP framework focusing on the
operational semantics of component interaction and priorities as deﬁned in [46, 19].
Deﬁnition 2.2.1. For a set of ports P , an interaction is a non-empty subset a ⊆ P of ports.
To simplify notation we represent an interaction {p1, p2, . . . pn} as p1p2 . . . pn.
Behaviour
Deﬁnition 2.2.2. A Finite State Machine (FSM) given by a triple (Q,P,−→), where Q is a
set of states, P is a set of communication ports, and −→ ⊆ Q × 2P × Q is a set of transitions
labelled by sets of ports. For any pair of states q, q′ ∈ Q and an interaction a ∈ 2P , we write
q
a−→ q′ iﬀ (q, a, q′) ∈−→.
An interaction a is enabled in state q, denoted q a−→, iﬀ there exists q′ ∈ Q such that q a−→ q′.
We abbreviate q  a−→ def= ¬(q a−→). A port p is active iﬀ it belongs to an enabled interaction.
12
2.2. Basic semantic model of BIP
To model unobservable transitions, one can use a reserved label, e.g. τ or ε, and restrict the
ways it can be synchronised with other transitions [76, 50].
In BIP, a system can be obtained as the composition of n components, each modelled by
FSMs Bi = (Qi, Pi,−→i), for i ∈ [1, n], such that their sets of ports are pairwise disjoint,
i.e. i = j implies Pi ∩ Pj = Qi ∩ Qj = ∅. We take P def= ⋃ni=1 Pi, the set of all ports in the
system.
In the rest of the thesis, we will drop the indices on transition relations and denote them by
−→, whenever the indices are clear from the context.
To deﬁne operational semantics, we use Structural Operational Semantics (SOS) [85] rules.
An SOS rule has the following form: premises
conclusion
, where premises is a set of state predicates
on the components composing the system, while conclusion is a state predicate on its global
state. A rule is interpreted as follows: if all premises are satisﬁed, then the conclusion is
satisﬁed.
Interaction
Deﬁnition 2.2.3. An interaction model is a set of interactions γ ⊆ 2P . The component
γ(B1, . . . , Bn) is deﬁned by the behaviour (Q,P,−→γ), with Q = ∏ni=1 Qi and the transition
relation −→γ inductively deﬁned by the rule
a ∈ γ
{
qi
a∩Pi−−−→ q′i
∣∣∣ i ∈ I} {qi = q′i ∣∣∣ i ∈ I}
q1 . . . qn
a−→γ q′1 . . . q′n
, (2.1)
where I = {i ∈ [1, n] | a ∩ Pi = ∅}.
Notice that an interaction a ∈ γ is enabled in γ(B1, . . . , Bn), only if, for each i ∈ [1, n], the
interaction a ∩ Pi is enabled in Bi; the states of components that do not participate in the
interaction remain unchanged.
Priority
Several distinct interactions can be enabled at the same time, thus introducing non-
determinism in the product behaviour. This can be restricted by means of priorities.
Deﬁnition 2.2.4. Given a system B = γ(B1, . . . , Bn), a priority model π is a strict partial
order on γ. We write a ≺ b as a shorthand for (a, b) ∈ π, which means that interaction a
has a lower priority than interaction b.
For B = (Q,P,−→) and a priority model π, the transition system π(B) = (Q,P,−→π) is
13
Chapter 2. Preliminaries
Figure 2.1 – A BIP system with three atomic components
deﬁned by the rule
q
a−→ q′
{
q  b−→
∣∣∣ a ≺ b}
q
a−→π q′
. (2.2)
An interaction is enabled in π(B) only if it is enabled in B and is maximal according to π.
Example 2.2.5. Consider the component πγ(S,R1, R2) shown in Figure 2.1 which is the
composition of three atomic components: a sender S and two receivers R1, R2. The sender
has a port s for sending messages and each receiver has a port ri (i = 1, 2) for receiving
them. We consider the following four coordination schemes:
• Rendezvous ensures strong synchronization between S and all Ri. Rendezvous is
speciﬁed by a single interaction involving all ports: γ = {sr1r2}. This interaction
can occur only if all of the components are in states enabling transitions labelled,
respectively, by s, r1 and r2.
• Broadcast allows all interactions involving S and any (possible empty) subset of Ri.
Broadcast is speciﬁed by the set of all interactions containing s: γ = {s, sr1, sr2, sr1r2}.
These interactions can only occur if S is in a state enabling s. Each Ri participates in
an interaction only if it is in a state enabling ri.
• Atomic broadcast ensures that either all or none of the receivers are involved in
the interaction: γ = {s, sr1r2}. the s interaction can occur only if at least one of
the receiving ports is not enabled. The sr1r2 interaction corresponds to a strong
synchronization among the sender and all receivers.
• Causal chain ensures that for a message to be received by Ri, it has to be received at
the same time by all Rj , for i < i. This coordination scheme is common in reactive
systems.
14
2.3. Representations of the BIP interaction model
For strong synchronization, the priority model is empty. For all other coordination schemes,
whenever several interactions are possible, the interaction involving the maximal number of
ports has the highest priority, i.e. π = {(a, a′)|a ⊂ a′}. In BIP, this is known as the maximal
progress rule.
2.3 Representations of the BIP interaction model
In this section, we recall the syntax and semantics of the diﬀerent representations of BIP
interaction models. Consider a family of components, indexed by I and equipped with sets
of ports Pi, for i ∈ I, through which they can interact. Let P = ∪i∈IPi be a set of ports of
the system and assume that 0, 1 ∈ P .
2.3.1 Algebra of interactions
The algebra of interactions AI(P ) was introduced in [20] as an auxiliary algebra to deﬁne the
interaction semantics of the algebra of connectors presented in the Subsection 2.3.2. Each
element in AI(P ) should be considered as a set of possible interactions. The elements of this
algebra can be bijectively mapped to interaction models, i.e. subsets of 2P .
Syntax. The syntax of the AI(P ) is deﬁned by the following grammar
x ::= 0 | 1 | p | x · x | x + x , (2.3)
with p ∈ P as an arbitrary port and +’ and ‘·’ as the binary operators, respectively called
union and synchronisation. Synchronisation binds stronger than union.
Semantics. The semantics of AI(P ) is given by the function ‖ · ‖ : AI(P ) → 22P , deﬁned by
‖0‖ = ∅, ‖1‖ = {∅}, ‖p‖ =
{
{p}
}
,
‖x1 + x2‖ = ‖x1‖ ∪ ‖x2‖,
‖x1 · x2‖ =
{
a1 ∪ a2
∣∣∣ a1 ∈ ‖x1‖, a2 ∈ ‖x2‖},
(2.4)
for p ∈ P and x1, x2 ∈ AI(P ). Terms of AI(P ) represent sets of interactions.
The corresponding equivalence relation on AI(P ) is deﬁned as follows: two terms x, y ∈ AI(P )
are equivalent, denoted by x  y iﬀ ‖x‖ = ‖y‖. A sound and complete axiomatisation of
AI(P ) with respect to the semantic equivalence is provided in [19].
Example 2.3.1. In AI(P ), the interaction sets of the four coordination schemes of Exam-
ple 2.2.5 are as follows (also presented in the second column of Table 2.1):
• Rendezvous is represented by sr1r2;
15
Chapter 2. Preliminaries
• Broadcast is represented by s(1 + r1)(1 + r2);
• Atomic Broadcast is represented by s(1 + r1r2);
• Causal Chain is represented by s(1 + r1(1 + r2)).
This representation is more compact and exhibits more information: e.g. the expression
(1 + r1) suggests that the port ri is optional.
2.3.2 Algebra of connectors
The algebra of connectors AC(P ) was introduced in [20], which formalises the concept of
connector supported by the BIP language. Connectors can express complex coordination
schemes combining synchronisation by rendezvous and broadcast.
Syntax. The syntax of AC(P ) is deﬁned by the following grammar
s ::= [0] | [1] | [p] | [x] (synchrons)
t ::= [0]′ | [1]′ | [p]′ | [x]′ (triggers)
x ::= s | t | x · x | x + x ,
(2.5)
for p ∈ P , and where ‘+’ is a binary operator called union, ‘·’ is a binary operator called
fusion, and brackets ‘[·]’ and ‘[·]′’ are unary typing operators. Fusion binds stronger than
union.
Union has the same meaning as union in AI(P ). Fusion is a generalisation of the synchroni-
sation in AI(P ). Typing is used to form typed connectors: ‘[·]’ deﬁnes synchrons (Figure
2.2a) which require synchronisation with other ports in order to interact and ‘[·]′’ deﬁnes
triggers (Figure 2.2a) which can initiate an interaction.
In order to simplify notation, we will omit brackets on 0, 1, and ports p ∈ P , as well as ‘·’
for the fusion operation.
Semantics. The semantics of AC(P ) is given by the function | · | : AC(P ) → AI(P ) (we use
the ∑ and ∏ notation for the union and fusion of multiple terms of AC(P )):
|[p]| = p , |x1 + x2| = |x1| + |x2| ,
∣∣∣∣∣
n∏
i=1
[xi]
∣∣∣∣∣ =
n∏
i=1
|xk| , (2.6)∣∣∣∣∣∣
n∏
i=1
[xi]′
m∏
j=1
[yj ]
∣∣∣∣∣∣ =
n∑
i=1
|xi|
⎛⎝∏
k =i
(
1 + |xk|
) m∏
j=1
(
1 + |yj |
)⎞⎠ (2.7)
for n > 0, m ≥ 0, x1, . . . , xn, y1, . . . , ym ∈ AC(P ) and p ∈ P ∪ {0, 1}.
16
2.3. Representations of the BIP interaction model
synchron trigger
(a) Port attributes
s r1 r2
{sr1r2}
(b) Rendezvous
s r1 r2
{s, sr1, sr2, sr1r2}
(c) Broadcast
r1 r2s
Rendezvous
{sr1r2}
r1 r2s
Atomic broadcast
{s, sr1r2}
r1 r2s
Causal chain
{s, sr1, sr1r2}
(d) Hierarchical connectors
Figure 2.2 – BIP connectors: below each connector, we show the set of interactions it deﬁnes
A complete axiomatisation of AC(P ) with respect to the semantic equivalence is provided in
[20].
Example 2.3.2. The interaction sets of the four coordination schemes of Example 2.2.5 are
represented in AC(P ) as follows (also presented in the third column of Table 2.1):
• Rendezvous is represented by sr1r2, where all connected ports are synchrons (Figure
2.2b);
• Broadcast is represented by s′r1r2, where there is at least one trigger (Figure 2.2c);
• Atomic Broadcast is represented by s′[r1r2] which corresponds to a hierarchical con-
nector (Figure 2.2d);
• Causal Chain is represented by s′[r′1r2] which corresponds to a hierarchical connector
(Figure 2.2d).
AC(P ) allows compact representation of interactions and, moreover, explicitly captures the
diﬀerence between broadcast and rendezvous.
2.3.3 Propositional interaction logic
The propositional interaction logic (PIL), studied in [20, 21], is a Boolean logic used to
characterize the interactions between components.
Syntax. The propositional interaction logic is deﬁned by the grammar:
φ ::= true | p | φ | φ ∨ φ , with any p ∈ P . (2.8)
17
Chapter 2. Preliminaries
Conjunction is deﬁned as follows: φ1 ∧ φ2 def= (φ1 ∨ φ2 ) . Implication is deﬁned as follows:
φ1 ⇒ φ2 def= φ1 ∨ φ2. To simplify the notation, we omit conjunction in monomials, e.g.
writing sr1r2 instead of s ∧ r1 ∧ r2.
Semantics. The meaning of a PIL formula φ is deﬁned by the following satisfaction relation.
For an interaction a ⊆ P we deﬁne a |=i φ iﬀ φ evaluates to true for the valuation p = true,
for all p ∈ a and p = false, for all p ∈ a. We denote by |φ| def= ∑a|=iφ a the union (from
AI(P )) of the interactions satisfying φ. Thus we have | · | : PIL(P ) → AI(P ), where PIL(P )
is the Boolean algebra over the set of port variables P .
The operators meet the usual Boolean axioms.
An interaction a can be associated to a characteristic monomial ma =
∧
p∈a p ∧
∧
p∈a p such
that a′ |=i ma iﬀ a′ = a.
Table 2.1 – AI(P ), AC(P ) and PIL(P ) representations of four basic coordination mechanisms
Coordination
mechanism AI(P ) AC(P ) PIL(P )
Rendezvous sr1r2 sr1r2 sr1r2
Broadcast s(1 + r1)(1 + r2) s′r1r2 s
Atomic broadcast s(1 + r1r2) s′[r1r2] sr1 r2 ∨ sr1r2
Causal chain s(1 + r1(1 + r2)) s′[r′1r2]
sr1 r2 ∨ sr1r2 ∨
sr1r2
Example 2.3.3. The coordination schemes of Example 2.2.5 can be expressed in PIL as
follows (also presented in the fourth column of Table 2.1) :
• Rendezvous is represented by the monomial sr1r2;
• Broadcast is represented by the formula s, which can be expanded to sr1 r2 ∨ sr1r2 ∨
sr1r2 ∨ sr1r2;
• Atomic broadcast can be characterised by the formula sr1 r2 ∨ sr1r2;
• Causal chain can be characterised by the formula (r1 ⇒ r2) ∧ (r1 ⇒ s), which can be
expanded to sr1 r2 ∨ sr1r2 ∨ sr1r2.
Deﬁnition 2.3.4. For an interaction model γ ⊆ 2P over a set of ports P , its characteristic
predicate is a disjunction of characteristic monomials for all interactions in γ:
φγ =
∨
a∈γ
( ∧
p∈a
p ∧
∧
p∈a
p
)
.
A predicate φ uniquely deﬁnes an interaction model γφ such that ‖φ‖ = γφ.
18
2.4. Architectures in BIP
2.4 Architectures in BIP
A formal notion of architectures was proposed in [6], based on BIP [9]. An architecture can be
viewed as a BIP model, where some of the atomic components are considered as coordinators,
while the rest are parameters. When an architecture is applied to a set of components, these
components are used as operands to replace the parameters of the architecture. Architectures
generalise the BIP interaction model by introducing stateful coordinator components. The
interface of an architecture is a set of ports that comprises both the ports of the coordinating
components and additional dangling ports that belong to operand components.
Deﬁnition 2.4.1. An architecture is a tuple A = (C, PA, γ), where C is a ﬁnite set of
coordinating components with pairwise disjoint sets of ports, PA is a set of ports, such that⋃
C∈C PC ⊆ PA, and γ ⊆ 2PA is an interaction model over PA.
An architecture A can be applied to any set of components B that contains all the dangling
ports of A. Intuitively, an architecture enforces coordination constraints on the components
in B. The interface PA of an architecture A contains all ports of the coordinating components
C and some additional ports, which must belong to the components in B. In the application
A(B), the ports belonging to PA can only participate in the interactions deﬁned by the
interaction model γ of A. Ports that do not belong to PA are not restricted and can
participate in any interaction.
Deﬁnition 2.4.2. Let A = (C, PA, γ) be an architecture and let B be a set of components,
such that ⋃B∈B PB ∩ ⋃C∈C PC = ∅ and PA ⊆ P def= ⋃B∈B∪C PB. The application of an
architecture A to the components B is the component
A(B) def=
(
γ  2P\PA
)
(C ∪ B) , (2.9)
where, for interaction models γ′ and γ′′ over disjoint domains P ′ and P ′′ respectively,
γ′  γ′′ def= {a′ ∪ a′′ | a′ ∈ γ′, a′′ ∈ γ′′}
is an interaction model over P ′ ∪ P ′′.
Notice that, when the interface of the architecture covers all ports of the system, i.e. P = PA,
we have 2P\PA = {∅} and the only interactions allowed in A(B) are those belonging to γ.
Example 2.4.3. Consider the components B1 and B2 in Figure 2.3(a). In order to ensure
mutual exclusion of their work states, we apply the architecture A12 = ({C12}, P12, γ12), where
C12 is shown in Figure 2.3(b), P12 = {b1, b2, b12, f1, f2, f12}, γ12 =
{∅, b1b12, b2b12, f1f12, f2f12}.
The interface P12 of A12 covers all ports of B1, B2 and C12. Hence, the only possible
interactions are those explicitly belonging to γ12. Assuming that the initial states of B1
and B2 are sleep, and that of C12 is free, neither of the two states (free, work, work) and
19
Chapter 2. Preliminaries
(a) (b)
Figure 2.3 – Components (a) and coordinator (b) for Example 2.4.3
(taken, work, work) is reachable, i.e. the mutual exclusion property (q1 = work) ∨ (q2 =
work)—where q1 and q2 are state variables of B1 and B2 respectively—holds in A12(B1, B2).
Let B3 be a third component, similar to B1 and B2, with the interface {b3, f3}. Since
b3, f3 ∈ P12, the interaction model of the application A12(B1, B2, B3) is γ12 
{∅, b3, f3}.
(We omit the interaction b3f3, since b3 and f3 are never enabled in the same state and,
therefore, cannot be ﬁred simultaneously.) Thus, the component A12(B1, B2, B3) is the
unrestricted product of the components A12(B1, B2) and B3. The application of A12 enforces
mutual exclusion between the work states of B1 and B2, but does not aﬀect the behaviour
of B3.
Architectures can be intuitively understood as enforcing constraints on the global state
space of the system [22, 101]. More precisely, component coordination is realized by limiting
the allowed interactions, thus enforcing constraints on the transitions components can take.
From this perspective, architecture composition can be understood as the conjunction of
their respective constraints. This intuitive notion is formalized by the following deﬁnition.
Deﬁnition 2.4.4. Let Ai = (Ci, PAi , γi), for i = 1, 2 be two architectures and let ϕγ1 , ϕγ2 be
characteristic predicates (Deﬁnition 2.3.4) of γ1, γ2, respectively. The composition of A1 and
A2 is an architecture A1 ⊕A2 = (C1 ∪ C2, PA1 ∪PA2 , γϕ), where ϕ = ϕγ1 ∧ϕγ2 and γϕ = ‖ϕ‖
is an interaction model deﬁned by the predicate ϕ.
The architecture composition operator is commutative, associative and idempotent if all
coordinating components are deterministic [6]. Architecture composition preserves the safety
properties enforced by the individual architectures, while liveness properties are preserved
under an additional non-interference assumption [6].
20
3 Interaction logic and JavaBIP
In most mainstream programming languages, including Java and C++, basic coordination
primitives are implemented as built-in features of the language [103, 65]. Diﬀerent variations
of locks, semaphores and monitors are used to express coordination constraints. However,
these low-level primitives are mixed up with the functional code, forcing developers to keep
both aspects simultaneously in mind—not only at design time, but also during debugging
and maintenance. Since in concurrent environments it is practically infeasible to envision
all possible execution scenarios, synchronization errors can result in race conditions and
deadlocks.
Furthermore, an observable trend in software engineering is the increasing utilisation of
declarative design techniques. Developers provide speciﬁcations of what must be achieved,
rather than how this must be achieved. These speciﬁcations are then interpreted by engines,
which generate—often on the ﬂy—the corresponding software entities. It is not always
possible to instrument or even access the actual source code. Even if the code is generated
explicitly, it is usually not desirable to modify it, since this can lead to a considerable increase
of maintenance costs. This precludes the use of low-level primitives for the coordination of
concurrent components that have to be reusable in diﬀerent conﬁgurations and assemblies.
Therefore, the problem of coordinating concurrent components calls for an exogenous solution
that would allow software developers to think on a higher level of abstraction, separating
functional and coordination aspects.
In this chapter, we present the JavaBIP framework, which provides strong separation of
concerns and raises the abstraction level by integrating architectures into mainstream software
development. For component coordination, JavaBIP provides two primitive mechanisms:
1) multi-party synchronization of component transitions and 2) asynchronous event notiﬁca-
tions. JavaBIP follows an exogenous approach without requiring access to the source code
of the coordinated components; instead, it relies exclusively on existing APIs and external
speciﬁcations ﬁles. The latter include architecture constraints, written in a macro-notation
based on ﬁrst-order interaction logic, that deﬁne the possible synchronizations among actions
of diﬀerent components. Such a separation, between functionality and coordination, results
21
Chapter 3. Interaction logic and JavaBIP
Figure 3.1 – JavaBIP design workﬂow
in modular code, which allows developers to reason compositionally and reuse code. Further-
more, JavaBIP components do not carry coordination logic that relies on the characteristics
of any speciﬁc execution environment.
3.1 JavaBIP design workﬂow
JavaBIP—a Java adaptation of BIP [12]—relies on the following observations. Domain
speciﬁc components have states (e.g. idle, working, suspended) that are known to component
users with domain expertise. Furthermore, components always provide APIs that allow
programs to invoke operations (e.g. suspend or resume) in order to change their state, or
to be notiﬁed when the component changes the state spontaneously. Thus, component
behaviour can be represented by FSM (Deﬁnition 2.2.2). An FSM has a ﬁnite set of states
and a ﬁnite set of transitions between these states. Transitions are associated with calls to
API functions, which force a component to take an action, or with event notiﬁcations that
allow reacting to external events coming from the environment.
Figure 3.1 shows the steps of the JavaBIP design ﬂow. In the step , the system speciﬁcation
is designed, consisting of the following annotated Java classes and XML conﬁguration ﬁles:
• A behaviour speciﬁcation for each component, given by an FSM extended with ports
and data. This is provided as an annotated Java class, whereof the methods can call
APIs provided by the coordinated components.
• The architecture speciﬁcation, which is the interaction model of the system that speciﬁes
how the transitions of diﬀerent components must be synchronized. This is speciﬁed in
22
3.2. JavaBIP by example: Camel routes
a macro-notation that allows compact and high-level expression and is provided as an
XML conﬁguration ﬁle. The semantics of the macro-notation is expressed in ﬁrst-order
interaction logic.
• Optionally, data transfer can be deﬁned, by providing the data-wire speciﬁcation for
each data variable of every component. Data wires specify which data are exchanged
between components and are provided as an XML conﬁguration ﬁle.
The optional analysis loop starts in step , where the system speciﬁcation is automatically
translated into an equivalent model of the system expressed in the BIP language. This model
can then be veriﬁed for deadlock freedom or other safety properties, using DFinder [10],
ESST or nuXmv [16] (step ). Other analyses can be performed using any tool for which a
model transformation from BIP is available. If the required safety properties are not satisﬁed
by the model, the speciﬁcation can be reﬁned by the developers (step ) and analysed
anew. Finally, when developers are satisﬁed with the design, the reﬁned speciﬁcation can be
executed (step ). Steps , , and  are optional and can be repeated several times.
As shown in Figure 3.1, the runnable system consists of two major parts: the engine and
several modules, one for each component to be coordinated. Each module is composed
of a dedicated executor, a behaviour speciﬁcation and the corresponding functional code
of the component (Figure 3.8). The executor has access to the behaviour speciﬁcation of
the component and uses it to drive the module execution. The behaviour speciﬁcation of
each component along with the architecture and data-wire speciﬁcations are provided to
the engine. The engine orchestrates the overall execution of the system by deciding which
component transitions must be executed at each cycle. It then notiﬁes the executors of
the selected transitions and they make the corresponding calls to the functional code. The
execution protocol of the JavaBIP engine is the same as the one described in Section 2.1.
3.2 JavaBIP by example: Camel routes
We present a motivating example illustrating the modelling concepts of JavaBIP. FSM tran-
sitions can be of three types: enforceable, spontaneous and internal. Enforceable transitions
are controlled by the engine. At each execution cycle, executors inform the engine about
enforceable transitions oﬀered by the components in their current state. The engine decides
which of these should be executed and notiﬁes the executors of its decision. Spontaneous
transitions are used to take into account changes in the environment. Therefore, they are not
announced to the engine but rather executed after detection of events in the environment of
the component. Finally, internal transitions allow behaviour speciﬁcations to update its state
based on internal information—when enabled, they are executed immediately. Spontaneous
and internal transitions cannot be used for synchronization with other components. In
Figure 3.2, the initial states of all FSMs are denoted by a double circle; Boolean guards on
transitions are shown in square brackets; enforceable transitions are shown with solid arrows
and spontaneous transitions with dashed arrows.
23
Chapter 3. Interaction logic and JavaBIP
Figure 3.2 – JavaBIP models of three routes and a monitor
A Camel route [98] transfers data among a number of data sources. The data can be
fairly large and may require additional processing. Hence, Camel routes share and compete
for memory. Without additional coordination, simultaneous execution of several Camel
routes can lead to OutOfMemory exceptions, even when each route has been tested and
sized appropriately on its own. The Camel API provides the methods resumeRoute and
suspendRoute to control the activation of a route. For simplicity, we assume here that the
memory used by an active route is known, whereas the memory used by a suspended route
is negligible.
Consider the Route and Monitor models, shown in Figure 3.2. Our goal is to limit the
number of routes running simultaneously to ensure that the available memory is suﬃcient
for the safe functioning of the system. To achieve this, we introduce an additional monitor
component. The behaviour speciﬁcations of the Route and Monitor component types are
shown in Figures 3.3 and 3.4, respectively. The precise syntax is explained in Section 3.4.1.
The Route model, shown in the left-hand side of Figure 3.2, has four states: off, on, wait
and done. Its initial state is off. When the route is at state off, it can start working
by executing the on transition. Similarly, when the route is at state on, it can suspend
its work by executing the off transition. The on and off transitions are both enforceable
(Figure 3.3: lines 3–4) and are associated with the resumeRoute and suspendRoute methods
of the Camel API (Figure 3.3: lines 19–27).
Following the call to suspendRoute associated with the transition off, the route moves to
the state wait. At this point, if the route has ﬁnished processing the previous data batch,
it can be suspended immediately—represented by the internal transition to the done state
(Figure 3.3: lines 32–33). Otherwise, the internal transition is disabled. Instead, to move to
state done, the route has to wait for the processing termination event, associated with the
spontaneous transition end (Figure 3.3: lines 29–30). The guard g (Figure 3.3: lines 38–42)
is used to check whether the route has ﬁnished processing.
24
3.2. JavaBIP by example: Camel routes
1 @Ports ({
2 @Port(name = "end", type = PortType.spontaneous),
3 @Port(name = "on", type = PortType.enforceable),
4 @Port(name = "off", type = PortType.enforceable),
5 @Port(name = "finished", type = PortType.enforceable)
6 })
7 @ComponentType(initial = "off", name = "Route")
8 public class Route implements CamelContextAware {
9
10 private CamelContext camelContext;
11 private String routeId;
12 private int deltaMemory = 100; // Dummy value , for the sake of simplicity
13
14 public Route(String routeId , CamelContext camelContext) {
15 this.routeId = routeId;
16 this.camelContext = camelContext;
17 }
18
19 @Transition(name = "on", source = "off", target = "on")
20 public void startRoute () throws Exception {
21 camelContext.resumeRoute(routeId);
22 }
23
24 @Transition(name = "off", source = "on", target = "wait")
25 public void stopRoute () throws Exception {
26 camelContext.suspendRoute(routeId);
27 }
28
29 @Transition(name = "end", source = "wait", target = "done", guard = "!g")
30 public void spontaneousEnd () {} // "!g" in the guard above means "not g"
31
32 @Transition(name = "", source = "wait", target = "done", guard = "g")
33 public void internalEnd () {}
34
35 @Transition(name = "finished", source = "done", target = "off")
36 public void finishedTransition () {}
37
38 @Guard(name = "g")
39 public boolean isFinished () {
40 return camelContext.getInflightRepository ().
41 size(camelContext.getRoute(routeId).getEndpoint ()) == 0;
42 }
43
44 @Data(name = " deltaMemoryOnTransition",
45 accessTypePort = AccessType.allowed , ports = { "on", "finished" })
46 public int deltaMemoryOnTransition () {
47 return deltaMemory;
48 }
49 }
Figure 3.3 – Annotations for the Route component type
25
Chapter 3. Interaction logic and JavaBIP
1 @Ports ({
2 @Port(name = "add", type = PortType.enforceable),
3 @Port(name = "rm", type = PortType.enforceable)
4 })
5
6 @ComponentType(initial = "on", name = "MemoryMonitor")
7 public class MemoryMonitor {
8
9 final private int memoryLimit;
10 private int currentCapacity = 0;
11
12 public MemoryMonitor(int memoryLimit) {
13 this.memoryLimit = memoryLimit;
14 }
15
16 @Transition(name = "add", source = "on", target = "on",
17 guard = "hasCapacity")
18 public void addRoute(@Data("memoryUsage") Integer deltaMemory) {
19 currentCapacity += deltaMemory;
20 }
21
22 @Transition(name = "rm", source = "on", target = "on")
23 public void removeRoute(@Data(name="memoryUsage") Integer deltaMemory) {
24 currentCapacity -= deltaMemory;
25 }
26
27 @Guard(name = "hasCapacity")
28 public boolean hasCapacity(@Data("memoryUsage") Integer memoryUsage) {
29 return currentCapacity + memoryUsage < memoryLimit;
30 }
31 }
Figure 3.4 – Annotations for the Monitor component type
The Monitor model, shown in the right-hand side of Figure 3.2, has only one state and
two enforceable transitions: add (Figure 3.4: lines 16–20) for adding running routes and rm
(Figure 3.4: lines 22–25) for removing them. The add transition has the guard hasCapacity
(Figure 3.4: lines 27–30) that checks whether the available memory limit of the system,
deﬁned through the constructor of the MemoryMonitor class (Figure 3.4: lines 12–14), is
suﬃcient for adding more running routes.
The complete system consists of several routes and one monitor. The Route model is the
same for all routes and the monitor is connected to all of them in the same manner. The
port on of each route component must synchronize with the port add of the monitor. This
means that when a route component is executing the on transition, the monitor component
must execute the add transition simultaneously. Thus, if the available memory capacity is
not suﬃcient, the on transition is blocked. Since the add port of the monitor is connected to
the on ports of several diﬀerent routes by binary connectors, it must only synchronise with
one of them at a time. Similarly, transition finished of each route must be synchronized
with the transition rm of the monitor.
At each execution cycle, the monitor decides whether there is suﬃcient amount of memory
in the system to add another route. To do so, data is exchanged between the non-running
routes and the monitor. Every route has a value of how much memory it consumes if it
26
3.3. Theoretical foundations
resumes working (Figure 3.3: lines 44–48) and sends this to the monitor. The monitor
then decides by computing the hasCapacity guard value and informs the JavaBIP engine
of its decision. Data exchange between the routes and the monitor happens if the on-add
synchronization can be executed, i.e. some of the routes are at state off. Additionally, data
exchange occurs before the finished-rm synchronization is executed: the corresponding
route tells the monitor how much memory it will release upon suspending its execution.
3.3 Theoretical foundations
The formal model underlying the JavaBIP framework extends the BIP formal model (Section
2.2) by considering three types of transitions:
• enforceable transitions represent the controllable behaviour of the component;
• spontaneous transitions represent changes in the environment that aﬀect the component
behaviour, but cannot be controlled;
• internal transitions represent computations independent of the component environment.
We consider a system of components, each represented by a Finite State Machine (FSM)
extended with ports and data. An FSM is speciﬁed by its states and the guarded transitions
between them. Each transition has a function and a port associated to it. In general, one
port can be associated to several transitions. However, the FSM is deterministic in the
following sense: there cannot be two simultaneously enabled transitions leaving the same
state that are both internal or both labelled by the same port.
For the sake of clarity, we will ﬁrst present the model without data and then extend it by
introducing data variables and data-wires used to transfer data among the components.
3.3.1 Component model without data
Deﬁnition 3.3.1. A component is a Finite State Machine (FSM) given by a quadruple
B = (Q,P e, P s,−→ ), where:
• Q is a ﬁnite set of states,
• P e and P s are disjoint ﬁnite sets of, respectively, enforceable and spontaneous ports,
• −→ ⊆ Q × P × Q, with P = P e ∪ P s ∪ {τ} and τ ∈ P e ∪ P s, is a transition relation,
where the special symbol τ labels internal transitions.
Below, we will use the common notation, writing q p−→ q′ as a shorthand for (q, p, q′) ∈−→ .
27
Chapter 3. Interaction logic and JavaBIP
Remark 3.3.2. For the practical implementation, we require that all the components
be deterministic, i.e. such that, for any q ∈ Q and any p ∈ P , there is at most one
outgoing transition from q labelled by p or, formally, |{q′ ∈ Q | (q, p, q′) ∈−→ }| ≤ 1. While
this additional assumption does not have any impact on the theoretical foundations of the
JavaBIP framework, as presented in this section, it noticeably simpliﬁes the implementation.
Let Bi = (Qi, P ei , P si ,−→ ), for i ∈ [1, n], be a set of components with pairwise disjoint sets
Pi = P ei ∪ P si , i.e. Pi ∩ Pj = ∅, for all i = j. We denote P e =
⋃n
i=1 P
e
i and P s =
⋃n
i=1 P
s
i ,
respectively, the sets of all enforceable and spontaneous ports in the system.
A JavaBIP interaction contains only enforceable ports.
Deﬁnition 3.3.3. An interaction is a non-empty subset of enforceable ports a ⊆ P e, such
that |a ∩ P ei | ≤ 1, for all i ∈ [1, n], labelling the transitions to be synchronised.
We require that any interaction contain at most one port from any given component, reﬂecting
the fact that a component can only execute one transition at a time. An interaction model
is the set of interactions that are allowed in the system. Let γ ⊆ 2P e \ {∅} be such a set of
interactions.
Deﬁnition 3.3.4. The composed component is deﬁned as the tuple γ(B1, . . . , Bn) =
(Q, γ, P s,−→ ), where Q = ∏ni=1 Qi is the Cartesian product of the sets of states of the
individual components and −→ is the set of transitions deﬁned as follows:
• spontaneous port
p ∈ P s qi p−→ q′i
q1 . . . qi . . . qn
p−→ q1 . . . q′i . . . qn
, for any i ∈ [1, n]; (3.1)
• internal transition
qi
τ−→ q′i
q1 . . . qi . . . qn
τ−→ q1 . . . q′i . . . qn
, for any i ∈ [1, n]; (3.2)
• interaction
a ∈ γ
{
qi
a∩P ei−−−→ q′i
∣∣∣ i ∈ I} {qi = q′i ∣∣∣ i ∈ I}
q1 . . . qn
a−→γ q′1 . . . q′n
, (3.3)
where I = {i ∈ [1, n] | a ∩ P ei = ∅}.
An interaction a ∈ γ is enabled in γ(B1, . . . , Bn), only if, for each component Ci participating
in a—that is, such that a∩P ei = {pi}, for some pi ∈ P ei —the port pi is enabled in Ci. Notice
that the states of components that do not participate in the interaction remain unchanged.
28
3.3. Theoretical foundations
3.3.2 Extension of the model with data
Data transfer is essential for allowing information ﬂow between components. For each
component, we consider two types of data:
• input data that the component receives from its environment (including other compo-
nents),
• output data that the component provides to other components.
To each type of data, we associate the corresponding set of variables. For simplicity, we
assume in this section that all variables have the same domain D. In our implementation,
variables can have any type that can be deﬁned in a Java program.
In the presence of data, the state of a component is deﬁned by the combination of the control
location and the valuation of its output variables. Since the input data is provided by the
environment, it does not contribute to the state of the component. This is analogous to
the combination of the program counter and the valuation of variables in the semantics of
programming languages. In the absence of data (Section 3.3.1), the state and the control
location coincide. Therefore, for the sake of presentation uniformity, we will continue referring
as “state” to the control location of the FSM underlying the component; we will refer as
“complete state” to the combination of the control location and the valuation of output
variables.
Let us ﬁrst introduce some additional notation. Assume that X in and Xout are two given
sets of, respectively, input and output variables of a component. We denote
B[X in , Xout ] , the set of Boolean predicates on input and output variables,
E[X in , Xout ] , the set of assignment expressions of the form Y := e(X), with
X ⊆ X in ∪ Xout and Y ⊆ Xout .
For a guard g ∈ B[X in , Xout ] or an expression f ∈ E[X in , Xout ], we denote in(g), in(f) ⊆ X in
and out(g), out(f) ⊆ Xout the corresponding sets of input and output variables used in g
and f .
Deﬁnition 3.3.5. A component with data is a tuple B = (Q,P e, P s, X in , Xout , d,−→ ),
where:
• Q is the ﬁnite set of states,
• P e and P s are disjoint ﬁnite sets of, respectively, enforceable and spontaneous ports,
• X in and Xout are disjoint ﬁnite sets of, respectively, input and output variables,
• d : P e → Xout is a data access mapping, associating to each enforceable port p ∈ P e
the list of output variables that are accessible through p;
29
Chapter 3. Interaction logic and JavaBIP
• −→ ⊆ Q × P × G × F × Q is a set of transitions (as above, we write q p,g,f−−−→ q′ as a
shorthand for (q, p, g, f, q′) ∈−→ ), where
– G = B[X in , Xout ] is the set of guards,
– F = E[X in , Xout ] is the set of update expressions
– P = P e ∪ P s ∪ {τ} with τ ∈ P e ∪ P s;
such that in(f) = in(g) = ∅, for any internal transition q −→ τ, g, fq′.
Remark 3.3.6. Similarly to Remark 3.3.2, in the practical implementation, we require
that all the components be deterministic. Formally, for components with data, we require
that for any q ∈ Q, p ∈ P and any valuation of variables v : X in ∪ Xout → D, we have∣∣{(g, f, q′) ∈ G × F × Q | q −→ p, g, fq′, g(v) = true}∣∣ ≤ 1.
Notice that in a component with data, there can be several outgoing transitions in the
same state, labelled with the same port. However, we require that at most one of them be
enabled—meaning that its guard evaluates to true—with any valuation of the component
variables.
The input variables do not have persistent values—they represent the arguments of transition
guards and update expressions, and have to be assigned a value provided by the environment
every time when the corresponding guard or update expression must be evaluated. Hence,
indeed, the sets X in and Xout are disjoint.
As mentioned above, at any given execution cycle, the complete state of the component is
formed by the combination of its current control location and the valuation of its output
variables. The component can change its complete state by executing a transition only if its
environment provides all the necessary inputs—i.e. the input data required by the guard
and the update expression of the transition—and the guard is satisﬁed. Upon executing
the transition, the values of the output variables are modiﬁed using the update expression.
Notice that the values of the output variables that a component provides are those before
the execution of the transition. Furthermore, these need not be the same as the output
variables updated by the transition. In other words, for a transition q p,g,f−−−→ q′, with p ∈ P e,
there is no a priori relation between d(p) and out(f).
We denote B˜ = (Q,P e, P s, da−→ ), with q da−→ pq′ iﬀ q p,g,f−−−→ q′, for some g ∈ G and
f ∈ F , the component obtained by abstracting the data from the component with data
B = (Q,P e, P s, X in , Xout , d,−→ ).
Let Bi = (Qi, P ei , P si , X ini , xouti , di −→ ), for i ∈ [1, n], be a set of components with data
with pairwise disjoint sets of ports Pi = P ei ∪ P si and variables Xi = ∪X ini ∪ Xouti , i.e.
Pi ∩ Pj = Xi ∩ Xj = ∅, for all i = j. We denote P e = ⋃ni=1 P ei and P s = ⋃ni=1 P si ,
respectively, the sets of all enforceable and spontaneous ports in the system; X in = ⋃ni=1 X ini
and Xout = ⋃ni=1 Xouti , respectively, the sets of all input and output variables.
30
3.3. Theoretical foundations
The composition of components with data comprises, in addition to a set of interactions
γ ⊆ 2P e , the data wire relation δ ⊆ X in × Xout , associating input and output variables in
the system.
Deﬁnition 3.3.7. A system is closed if, for each interaction allowed by γ, all input variables
have corresponding output variables. Denoting, for an interaction a = {pi | i ∈ I} ∈ γ,
in(a) = ⋃i∈I(in(gi)∪ in(fi)) and out(a) = ⋃i∈I d(pi), this can be formally deﬁned as follows:
for any set of component transitions {qi pi,gi,fi−−−−→ q′i | i ∈ I}, the following property holds:
∀x ∈ in(a), (∃x′ ∈ out(a) : (x, x′) ∈ δ).
A given interaction is possible in the composed system δγ(B1, . . . , Bn) if and only if the same
interaction would be possible in the data-abstract system γ(B˜1, . . . , B˜n) and, for each of the
involved components, all the necessary inputs—i.e. the input data required by the guard
and the update expression of the corresponding transition—are available and the guard is
satisﬁed.
Deﬁnition 3.3.8. The composed component is deﬁned as the tuple δγ(B1, . . . , Bn) =
(Q, γ, P s, X in , Xout , d −→ ), where Q = ∏ni=1 Qi is the Cartesian product of the sets of
states of the individual components, the data access mapping is deﬁned, for any interaction
a = {pi | i ∈ I}, by letting
d(a) =
⋃
i∈I
di(pi),
and −→ is the set of transitions deﬁned as follows:
• spontaneous port
p ∈ P s qi p,g,f−−−→ q′i
q1 . . . qi . . . qn
p,g,f−−−→ q1 . . . q′i . . . qn
, for any i ∈ [1, n]; (3.4)
• internal transition
qi
τ,g,f−−−→ q′i
q1 . . . qi . . . qn
τ,g,f−−−→ q1 . . . q′i . . . qn
, for any i ∈ [1, n]; (3.5)
• interaction
a ∈ γ
{
qi
a∩P ei ,gi,fi−−−−−−→ q′i
∣∣∣ i ∈ I} {qi = q′i ∣∣∣ i ∈ I} g = ∧i∈I g˜i f = (f˜i)i∈I
q1 . . . qn
a,g,f−−−→ q′1 . . . q′n
,
(3.6)
where I = {i ∈ [1, n] | a ∩ P ei = ∅}. g˜i and f˜i denote the expressions obtained, respec-
tively, from gi and fi, by substituting each input variable x by the corresponding
31
Chapter 3. Interaction logic and JavaBIP
output variable δ′(x); for any mapping δ′ : in(a) → out(a), such that (x, δ′(x)) ∈ δ, for
any x ∈ in(a). (f˜i)i∈I denotes the combined execution of the update expressions f˜i.
Notice that, in the deﬁnition of f , all the assignments are executed in parallel using the
previous values provided as inputs to the component update expressions. Hence, the order
of updates is irrelevant.
3.3.3 First-order interaction logic
We extend the propositional interaction logic presented in Section 2.3.3 with quantiﬁcation
over components to deﬁne interactions independently from the number of component instances.
This extension is particularly useful because, in practice, systems are built from multiple
component instances of the same component type. A ﬁrst-order interaction logic was also
presented in [25] for modelling dynamic architectures with additional history variables.
We make the following assumptions:
• A ﬁnite set of component types T = {T1, . . . , Tn} is given. Instances of a component
type have the same interface and behaviour. We write B :T to denote that a component
B is of type T .
• The interface of each component type has a distinct set of ports. We denote by T.p
the port type p, i.e. a port belonging to the interface of the type T . We write B.p, for
a component B :T , to denote the port instance of the type T.p and B.P e to denote the
set of all enforceable ports of the component B.
Let φ denote any formula in propositional interaction logic.
Syntax. The ﬁrst order interaction logic (FOIL) is deﬁned by the grammar:
Φ ::= true | φ | ¬ Φ | Φ ∨ Φ| ∃c : T (Pr(c)).Φ , (3.7)
where T is a component type, which represents a set of component instances with identical
interfaces and behaviour. Variable c ranges over component instances and must occur in the
scope of a quantiﬁer. Pr(c) is some set-theoretic predicate on c (omitted when Pr = true).
Additionally, we deﬁne the usual notation for universal quantiﬁer:
∀c :T (Pr(c)).Φ def= ¬ ∃c :T (Pr(c)).¬ Φ.
Semantics. The semantics is deﬁned for closed formulas, where, for each variable in the
formula, there is a quantiﬁer over this variable in a higher nesting level. We assume that the
ﬁnite set of component types T = {T1, . . . , Tn} is given. Models are pairs 〈B, a〉, where B
32
3.3. Theoretical foundations
is a set of component instances of types from T and a is an interaction on the set of ports
P of these components. For quantiﬁer-free formulas, the semantics is the same as for PIL
formulas. For formulas with quantiﬁers, the satisfaction relation is deﬁned as follows:
〈B, a〉 |=i ∃c : T
(
Pr(c)
)
.Φ , iﬀ a |=i
∨
c′:T∈B∧Pr(c′)
Φ[c′/c],
where c′ : T ranges over all component instances of type T ∈ T and Φ[c′/c] is obtained by
replacing all occurrences of c in Φ by c′.
Example 3.3.9. Coordination schemes of Example 2.2.5 can be expressed in FOIL, as
follows:
• Rendezvous: ∃s :S. ∀r :R. (s.s r.r) ∧ ∀s′ :S (s = s′). (s.s s′.s );
• Broadcast: ∃s :S. (s.s) ∧ ∀s′ :S (s = s′). (s.s s′.s );
• Atomic broadcast: ∃s :S. ∀r :R. ((s.s r.r) ∨ (s.s r.r¯)) ∧ ∀s′ :S (s = s′). (s.s s′.s ).
Example 3.3.10. In a Star architecture, a single component of type S acts as the center,
and all other components of type C communicate only with the center through binary
rendezvous. The components communicate via rendezvous. This architecture is used in
client-server applications. The Star architecture can be expressed in FOIL, as follows:
∃s :S. ∀c :C. (s.p c.q) ∧ ∀c′ :C (c = c′). (c.q c′.q ) ∧ ∀s′ : S(s = s′).
3.3.4 Macro notation based on component types
JavaBIP relies on component types, rather than on component instances for the deﬁnition of
architecture constraints. The same approach was also taken in [25]. We use two macros to
deﬁne architecture constraints: 1) the Require macro and 2) the Accept macro.
The Require macro
Let us ﬁrst illustrate the use of the Require macro without component types, i.e. for a
system consisting of a given set of components. We want to deﬁne constraints of the form:
p ⇒ a1 ∨ · · · ∨ an , (3.8)
with p being a port and each ai being a conjunction of several ports. We call p the eﬀect
and a1 . . . an the causes. For p to participate in an interaction, all the ports belonging to
at least one of a1 . . . an must participate. Thus, we can say that the participation of ai for
some i ∈ [1, n], in an interaction is the reason why p can participate.
To specify the constraint (3.8), we can use the macro:
33
Chapter 3. Interaction logic and JavaBIP
p Require a1; . . . ; an .
We now extend the Require macro notation for component types, such that all instances of
a given component type are restricted with the same set of synchronisation constraints. Let
T 1, T 2 ∈ T be component types and let B1i :T 1 and B2j :T 2 (with i ∈ [1, n], j ∈ [1,m]) be
the corresponding component instances. We deﬁne
T 1.p Require T 2.q ≡
n∧
i=1
⎛⎝B1i .p ⇒ m∨
j=1
(
B2j .q ∧
∧
k =j
B2k.q
)⎞⎠ ,
which means that, to participate in an interaction, each of the ports B1i .p (with i ∈ [1, n])
requires the participation of precisely one of the ports B2j .q (with j ∈ [1,m]). This is in
contrast with the meaning used in [25], where a separate macro is used to enforce uniqueness
of the cause port. Thus, we have opted for a macro notation where the cardinality of the
causes is explicit: should two instances of the same port type be required, this is speciﬁed
by explicitly putting the cause port type twice:
T 1.p Require T 2.q T 2.q ≡
n∧
i=1
⎛⎝B1i .p ⇒ m∨
j=1
∨
k =j
(
B2j .q B
2
k.q ∧
∧
l =j,k
B2l .q
)⎞⎠
and so on for higher cardinalities. This choice of notation is motivated by our observation
that cardinalities higher than one are very rare in practical examples.
The general form of the Require macro, for any number of component types and corresponding
component instances, can be expressed in FOIL as follows:
T 1.p Require
(
T 1.q1
)m1
. . .
(
T k.qk
)mk ≡
∀B1 :T 1. ∃B11 :T 1, . . . , B1m1 :T 1, . . . , Bk1 :T k, . . . , Bkmk :T k.
∀Bl :T l (B1 = B11 = · · · = Bkmk = Bl).(
B1.p ⇒ B11 .q1 . . . B1m1 .q1 . . . Bk1 .qk . . . Bkmk .qkBl.ql
)
,
where T l ∈ {T 1, . . . , T k}. The cardinality of a cause containing component type Ti is denoted
by mi.
The Accept macro
Accept macros deﬁne optional ports for participation, i.e. they deﬁne the boundary of
interactions. They are expressed by explicitly excluding from interactions all the ports that
are not optional. At propositional level, they are of the form p → false, where port p is
excluded from the interaction. However, adding such conjuncts explicitly for all ports that
34
3.3. Theoretical foundations
do not participate in a connector is rather tedious. Furthermore, it is often convenient to
deﬁne the constraints for a subsystem independently of the way it will be used. In such case,
some ports of the system, which will not participate in the deﬁned interactions, are not yet
known. Hence, one needs a notation to specify that only a certain set of ports are accepted
for interaction, others being implicitly excluded. This is achieved by the macro
p Accept a , which formally means p ⇒
∧
q∈P e\a
q =p
q .
We now extend the Accept macro notation for component types. Let T 1, T 2 ∈ T be
component types and let B1i :T 1 and B2j :T 2 (with i ∈ [1, n], j ∈ [1,m]) be the corresponding
component instances. We deﬁne:
T 1.p Accept T 2.q ≡
n∧
i=1
⎛⎜⎜⎜⎜⎝B1i .p ⇒
∧
r∈P e\{B2j .q | j∈[1,m]}
r =B1i .p
r
⎞⎟⎟⎟⎟⎠ ,
where P e =
⋃
T∈T
⋃
B:T
B.P e .
The general form of the Accept macro, for any number of component types and corresponding
component instances, can be expressed in FOIL as follows:
T 1.p Accept T 1.q1 . . . T k.qk ≡
∀B1 :T 1.
( ∧
T i∈T \{T 1,...,Tk}
∧
ri∈T i.P e
∀Bi :T i. (B1.p ⇒ Bi.ri) ∧
∧
T j∈{T 1,...,Tk}
∧
rk∈T j .P e\T j .qj
∀Bj :T j . (B1.p ⇒ Bj .rk)
)
.
Example 3.3.11. To illustrate the use of the above macro notation, let us consider the
Star architecture example 3.3.10. The architecture constraints are speciﬁed by the following
combination of macros:
C.q Require S.p C.q Accept S.p
S.p Require − S.p Accept C.q ,
where the dash ‘−’ in the last line indicates that the port S.p does not require synchronisation
with any other port.
Example 3.3.12. The architecture constraints of the Camel routes example (Section 3.2)
35
Chapter 3. Interaction logic and JavaBIP
are speciﬁed by the following combination of macros:
Monitor.add Require Route.on Monitor.add Accept Route.on
Monitor.rm Require Route.finished Monitor.rm Accept Route.finished
Route.on Require Monitor.add Route.on Accept Monitor.add
Route.finished Require Monitor.rm Route.finished Accept Monitor.rm
Route.off Require − Route.off Accept − ,
where the dashes ‘−’ in the last line indicate that the port Route.off neither requires, nor
accepts synchronisation with any other port. Recall that the port Route.end is spontaneous.
Hence, it does not have any associated architecture constraints. Finally, notice that this set
of macros is independent of the number of Camel routes in the system.
Example 3.3.13. Now, let us consider an alteration of the previous example, where we
require that the Monitor component removes two routes simultaneously at the execution of
the port rm. Thus, in the require macro for the rm port type, the cardinality of the causes
must be equal to two. This is speciﬁed by putting the cause port type finished twice as
shown below. Notice that the accept macro for the finished port type has also changed, by
accepting not only rm but also finished.
Monitor.add Require Route.on Monitor.add Accept Route.on
Monitor.rm Require Route.finished Monitor.rm Accept Route.finished
Route.finished
Route.on Require Monitor.add Route.on Accept Monitor.add
Route.finished Require Monitor.rm Route.finished Accept Monitor.rm
Route.finished
Route.off Require − Route.off Accept −
Example 3.3.14. Let us now consider a more general example to illustrate the expressiveness
of the JavaBIP glue. Assume that there are three component types A, B, C with port
types a, b, c, respectively. Through the require macros, we enforce the following three
constraints: 1) A.a requires synchronization with two instances of B.b; 2) B.b requires
synchronization either with a) a single instance of A.a and a single instance of C.c or b) just
two instances of C.c; 3) C.c does not require synchronizations with other ports, however
it accepts synchronizations with any possible combination of ports A.a, B.b, C.c. Notice
that by the combination of the ﬁrst two require macros, a synchronization involving exactly
an instance of A.a and two instances of B.b is not allowed, since B.b requires at least one
instance of C.c to also participate in the synchronization.
36
3.3. Theoretical foundations
Figure 3.5 – JavaBIP models of one tracker and two peers
A.a Require B.b B.b A.a Accept A.a B.b C.c
B.b Require A.a C.c ; C.c C.c B.b Accept A.a B.b C.c
C.c Require − C.c Accept A.a B.b C.c
Example 3.3.15. We show the Trackers and Peers example, which has a more complex
architecture speciﬁcation. This example, which was initially presented in [25], considers
a simpliﬁed wireless audio protocol for reliable multicast communication. There are two
component types: Tracker and Peer. The protocol allows an arbitrary number of peers to
communicate along an arbitrary number of wireless communication channels. Each channel
is managed by a unique tracker.
The model for two peers and one tracker is shown in Figure 3.5. Peers are allowed to use
at most one channel at a time. Access to channels is subject to the following registration
mechanism. Every peer selects the channel it wants to use and registers through the
register transition that is synchronized with the log transition of the tracker. During
this synchronization, components are exchanging data. In particular, the tracker sends
its identity to the peer and the peer stores it. Once registered, peers can either speak to
the channel or listen to other registered peers in the channel. To ensure atomicity of each
communication, every tracker enforces that 1) at most one registered component is speaking
and 2) all other registered components are listening.
In the connectors enforcing the above constraints, the broadcast port of a tracker is a trigger.
This allows the broadcast transition to happen on its own, without requiring synchronization
with transitions of other components. However, broadcast accepts synchronization with
the speak and listen transitions. The listen and speak ports are synchrons, i.e. their
corresponding transitions require synchronization with broadcast. Peers can register (resp.
37
Chapter 3. Interaction logic and JavaBIP
unregister) through the register-log (resp. unregister-log) synchronization. The set of
interactions allowed by these connectors can be speciﬁed as follows (notice the semicolon in
the require constraint for Tracker.log):
Peer.speak Require Tracker.broadcast
Peer.speak Accept Tracker.broadcast Peer.listen
Peer.listen Require Tracker.broadcast
Peer.listen Accept Tracker.broadcast Peer.speak Peer.listen
Peer.register Require Tracker.log
Peer.register Accept Tracker.log
Peer.unregister Require Tracker.log
Peer.unregister Accept Tracker.log
Tracker.broadcast Require −
Tracker.broadcast Accept Peer.speak Peer.listen
Tracker.log Require Peer.register ; Peer.unregister
Tracker.log Accept Peer.register Peer.unregister
Notice that the interaction structure of the example is exponentially complex. In particular,
the number of all possible interactions is (2T − 1) · (2P + P · 2P−1 + 2 · P ), where P is the
total number of peers and T is the total number of trackers.
Data transfer is used to ensure that peers can interact only with the tracker they had
previously been registered with: for each interaction, trackers propose their identity as data
and peers use the idOK guard to decide with which trackers they can synchronize. Thus,
all transitions of the system are enforceable and in all possible interactions (except when a
tracker is broadcasting without any registered peers) data is exchanged between components.
3.4 System speciﬁcation
The following subsections present the constructs used to provide behaviour, architecture and
data-wire speciﬁcations (Figure 3.1 step ). We refer to the Camel routes (Section 3.2) and
Trackers and Peers (Example 3.3.15) examples to illustrate these constructs.
3.4.1 Behaviour speciﬁcation
Developers must specify component behaviour through FSMs extended with ports and data.
An FSM has states and guarded transitions between them. Each transition has a method
and a port associated with it. Although, in general, one port can be associated with several
38
3.4. System speciﬁcation
transitions, such transitions must have diﬀerent origin state. In other words, FSM are
deterministic: there cannot be two transitions leaving the same state and labelled by the
same port.
The Behaviour speciﬁcation can be provided via annotations, associated with class, method
and parameter declarations. To write a Behaviour speciﬁcation, developers must use the
following annotations:
• @ComponentType: Annotates a Java class. Declares a component type by specifying
its name and the initial state of the underlying FSM (Figure 3.3: line 7).
• @Port: Annotates a Java class. Declares a port by specifying its name and type—
“spontaneous” or “enforceable” (Figure 3.3: line 2).
• @Ports: Annotates a Java class. Groups all @Port annotations associated to a given
component type (Figure 3.3: line 1).
• @Guard: Annotates a method returning a Boolean value. Declares that the method
can be used as part of a transition guard, by specifying the guard name (Figure 3.3:
line 38).
• @Transition: Annotates a method returning void. Declares an FSM transition, by
specifying the name of the corresponding port, the source and the target states and the
guard, which is a Boolean expression on the guard names declared with the @Guard
annotation (Figure 3.3: line 29). Guard expressions can be deﬁned using parenthesis
and three logical operators: negation ‘!’, conjunction ‘&’ and disjunction ‘|’.
The type of the transition is deﬁned by the type of the port it is labelled with (Figure 3.3:
lines 2–35). Internal transitions are speciﬁed by leaving the transition name empty
(Figure 3.3: line 32).
• @Data: Annotates a non-void method or a method parameter. Deﬁnes the data required
(input) or provided (output) by the component:
– input data, when associated with a parameter of a guard or transition method
(Figure 3.4: line 23);
– output data, when associated with a method returning a value (Figure 3.3: line
44).
@Data annotations always have the ﬁeld name. Data names are used to establish
connections (called data-wires—see Section 3.4.3) between inputs and outputs provided
by the application components. When the @Data annotation is used to deﬁne an output
data, it has two additional ﬁelds: accessTypePort (allowed, disallowed or any) and
ports. The latter is a list of ports of the component in question, which is used to
specify how this data can be accessed, based on the value of the accessTypePort ﬁeld:
– allowed means that the data can be accessed only through the ports in ports;
39
Chapter 3. Interaction logic and JavaBIP
– disallowed means that the data can be accessed only through the ports not in
ports;
– any means that the data can be accessed at any execution point—the list of ports
must be empty.
Notice that the output values are provided by the @Data-annotated methods. The methods
associated to transitions do not return any values—they must be declared as public void.
The usage of data as parameters in guards allows components to disable interactions based
on the data values proposed by other components. For example, in Figure 3.4, transition
add (lines 16–20) depends on the guard hasCapacity, which requires the data memoryUsage
(lines 27–30). This data is received from another component potentially participating in an
interaction. If the proposed data does not satisfy the guard, the interaction among these
particular components is disabled.
3.4.2 Architecture speciﬁcation
To deﬁne the interaction model, a developer must specify the architecture constraints of the
system; i.e. which ports of diﬀerent components must synchronize. Architecture constraints
must be speciﬁed once for each component type of the system.
Architecture constraints are speciﬁed using the macro-notation presented in Section 3.3.4:
• Causal constraints (Require) specify ports of other components, necessary for any
interaction involving the port with which the constraint is associated.
• Acceptance constraints (Accept) deﬁne optional ports of other components, accepted
in the interactions involving the port with which the constraint is associated.
The Architecture speciﬁcation must be provided in an XML ﬁle (Figure 3.6). Each constraint
has two parts: effect and causes. The former deﬁnes the port to which the constraint is
associated—intuitively, the eﬀect is the ﬁring of a transition labelled by this port. The latter
lists the ports that are necessary to “cause” the “eﬀect”. For the require constraints, all
causes must be present; for the accept constraints, any (possibly empty) combination of the
causes is accepted.
The Architecture speciﬁcation for the broadcast and log ports of the Tracker component
type of Example 3.3.15 is shown in Figure 3.6. The causal constraint (Figure 3.6: lines
1–5) means that the broadcast ports of trackers do not require any synchronization with
ports of other components. However, they accept synchronization with the speak and
listen ports of the peers (Figure 3.6: lines 6–12). Notice that the require constraint for the
port log has two causes sections, corresponding to the two independently suﬃcient causes
(Peer.register and Peer.unregister).
40
3.4. System speciﬁcation
1 <require >
2 <effect id="broadcast" specType="Tracker"/>
3 <causes >
4 </causes >
5 </require >
6 <accept >
7 <effect id="broadcast" specType="Tracker"/>
8 <causes >
9 <port id="speak" specType="Peer"/>
10 <port id="listen" specType="Peer"/>
11 </causes >
12 </accept >
13 <require >
14 <effect id="log" specType="Tracker"/>
15 <causes >
16 <port id="register" specType="Peer"/>
17 </causes >
18 <causes >
19 <port id="unregister" specType="Peer"/>
20 </causes >
21 </require >
22 <accept >
23 <effect id="log" specType="Tracker"/>
24 <causes >
25 <port id="register" specType="Peer"/>
26 <port id="unregister" specType="Peer"/>
27 </causes >
28 </accept >
Figure 3.6 – Architecture speciﬁcation for the Trackers and Peers example (Example 3.3.15)
1 <wire>
2 <from specType="Tracker" id="trackerId"/>
3 <to specType="Peer" id="inputID"/>
4 </wire>
Figure 3.7 – Data-wire speciﬁcation for the Trackers and Peers example (Example 3.3.15)
3.4.3 Data-wire speciﬁcation
JavaBIP components exchange data and make decisions concerning the components they
want to interact with based on the data they receive. Data wires specify data that can be
exchanged between components, by connecting the input data with the output data provided
by other components.
The data-wire speciﬁcations must be provided in an XML ﬁle, as shown in Figure 3.7. For
Trackers and Peers (Example 3.3.15), once a peer registers to a tracker, it collects the
tracker’s ID. The data wire of Figure 3.7 connects the input data of the peer (inputID)
with the output data of the Tracker (trackerID). The data transfer is ﬁnalized only if the
associated transitions that require data can be executed, i.e. the corresponding guards
evaluate to true.
41
Chapter 3. Interaction logic and JavaBIP
Fi
gu
re
3.
8
–
Ja
va
BI
P
so
ftw
ar
e
ar
ch
ite
ct
ur
e
42
3.5. Implementation of the JavaBIP engine
3.5 Implementation of the JavaBIP engine
The software architecture of the JavaBIP runnable system is shown in Figure 3.8. It consists
of two main parts: the modules and the engine, as shown, respectively, in the top and
bottom parts of the ﬁgure. The exchange of information between the engine and the modules
is illustrated in Figure 3.8 with arrows. Information is either exchanged only once at
initialization of the engine (illustrated in Figure 3.8 with continuous arrows) or at each
execution cycle (illustrated in Figure 3.8 with dashed arrows).
A module comprises the functional code and the behaviour speciﬁcation of the corresponding
component (Section 3.4.1), as well as a dedicated executor. The behaviour speciﬁcation
contains the FSM with calls to the API methods provided by the component. It is used by
the executor to drive the interaction with the engine and the environment. The JavaBIP
engine creates a new executor instance upon registration of each module. Thus, executors
are almost entirely transparent for developers. Indeed, the Executor class implements several
interfaces, among which the only one that is visible to developers is the interface that provides
only one method for sending spontaneous events to the executor.
The engine takes as input behaviour, architecture and data-wire speciﬁcations. The speci-
ﬁcations are categorized either as permanent or temporary, illustrated in Figure 3.8 with
arrows labelled permanent and temporary, respectively. Permanent speciﬁcations are sent
only at initialization of the engine, while temporary speciﬁcations are sent at each execution
cycle. The implementation of the engine is modular. It consists of a stack of coordinators
and the kernel. The coordinators manage the ﬂow of information between the modules and
the kernel. Coordinators use dedicated encoders to transform the speciﬁcations acquired
from the modules into permanent and temporary constraints that are sent to the kernel.
The kernel solves the combined constraints imposed by the behaviour, architecture and
data-wire speciﬁcations and passes the solution back to the coordinators. Each coordinator
interprets the relevant part of the solution and triggers the corresponding action in the
executors, where the actual API function calls to the controlled source code are made. How
the solution is forwarded from the kernel to the functional code is illustrated in Figure 3.8
with dashed arrows labelled execute. If the kernel cannot ﬁnd a solution because the
combined constraints are contradictory, a deadlock occurs.
3.5.1 Engine kernel
The kernel combines and solves the various constraints of the system. Its implementation is
based on Binary Decision Diagrams (BDDs)1 [2], which are eﬃcient data structures to store
and manipulate Boolean formulas. The kernel applies the three-step protocol presented in
Section 2.1 in a cyclic manner. In particular, it receives from the coordinators constraints
in the form of Boolean formulas and assembles them by taking their conjunction to ﬁnd a
1We have used the JavaBDD package, available at http://javabdd.sourceforge.net
43
Chapter 3. Interaction logic and JavaBIP
solution. The solution is sent back to the coordinators which interpret it and notify the
components accordingly. The imposed constraints can be of two types:
• Permanent constraints that are received only once at initialization. They include
information about the Behaviour, Architecture and Data-wires of the components. In
Figure 3.8, permanent constraints are shown with arrows labelled permanent.
• Temporary constraints that are received at each execution cycle. They include informa-
tion about the enabled transitions of components. In Figure 3.8, temporary constraints
are shown with arrows labelled temporary.
3.5.2 Coordinators
Coordinators manage the ﬂow of information between components and the engine kernel.
They receive diﬀerent types of information and encode them as Boolean constraints using
dedicated encoders. We have developed two coordinators that produce diﬀerent types of
constraints: the Architecture coordinator and the Data coordinator.
The Architecture coordinator manages the information about the behaviour, architecture and
current state of the components. It encompasses three dedicated encoders (Figure 3.8): the
Behaviour encoder, the Architecture encoder and the Current State encoder. The Boolean
constraints encoding component behaviour and architecture are permanent, hence only
computed—by the Behaviour and Architecture encoders, respectively—once at initialization.
The Boolean constraints encoding the current states of components are temporary, hence
recomputed at each execution cycle.
The Data coordinator, relying on one encoder (Data encoder), is used on top of the Archi-
tecture coordinator. It encodes as permanent constraints the information about data-wires,
which connect input and output data provided by the components. At each execution cycle,
the Data coordinator produces temporary constraints imposed on component interaction
by the guards associated to component inputs. These temporary constraints disable the
interactions involving data transfer, where the proposed output data values do not satisfy
the guards associated to the corresponding input data. To this end, each guard that requires
input data is evaluated on all data values, proposed along the data-wires attached to the
corresponding port.
As shown in Figure 3.8, the coordinators form a chain. Depending on the needs of the
application, diﬀerent coordinators can be used. For instance, if there is data transfer, the
Data coordinator must be used on top of the Architecture coordinator. Otherwise, the use
of solely the Architecture coordinator is suﬃcient. Other coordinators can be easily added
to manage other types of constraints—the implementation of the coordinator stack renders
the architecture extensible.
44
3.5. Implementation of the JavaBIP engine
(a) Average engine execution time. (b) BDD Manager peak memory usage.
Figure 3.9 – Performance diagrams
3.5.3 Experimental evaluation
Experimental setup
We show experimental results for three case-studies: 1) two implementations of the Camel
routes example (Section 3.2), i.e. one with and one without data transfer; 2) the Trackers-
and-Peers example (Example 3.3.15) and 3) the Publish-Subscribe example that we have
added in the appendix (Appendix A.1) of the thesis. The experiments were run on Intel
Core i7-2640M CPU at 2.80GHz x 4 with 8GB RAM. The JavaBIP models of these systems
are available at the JavaBIP website2.
In the Camel routes examples (with and without data), we consider C − 1 routes and 1
monitor, where C is the total number of components. In the Trackers-and-Peers example,
there are always four times more peers than trackers. In the Publish-Subscribe example
there is always one buﬀer, one topic-manager, and varying numbers of TCPReaders, handlers
and topics. The number of client-proxies is the same as the number of TCPReaders.
Figure 3.9a shows the average execution time of the ﬁrst 1000 engine cycles for all four
examples, with the number of components ranging from 5 to 75. Figure 3.9b shows the peak
memory usage of the BDD Manager for each of the three examples. Table 3.1 summarizes
all results shown in Figures 3.9a and 3.9b. The Camel routes implementations illustrate the
impact of data transfer on the performance of the engine. The behavior and interaction
models of the two Camel route implementations are equivalent; in the latter, components also
exchange data. Although data transfer causes an increase in the execution time and memory
usage of JavaBIP, the overall coordination overhead remains low. The Publish-Subscribe
example uses both enforceable and spontaneous transitions. Spontaneous transitions are not
controlled by the JavaBIP engine which leads to low coordination overhead as illustrated in
Figure 3.9a.
2http://risd.epﬂ.ch/javabip
45
Chapter 3. Interaction logic and JavaBIP
Table 3.1 – Engine times and BDD Manager peak memory usages. Time is in milliseconds
and memory is in Megabytes.
Nb of Routes no data Routes with data Trackers & Peers Publish-Subscribe
comps Time Memory Time Memory Time Memory Time Memory
5 < 1 0.010 < 1 0.015 < 1 0.640 < 1 0.026
10 < 1 0.029 < 1 0.075 2.103 2.278 < 1 0.048
15 < 1 0.047 1.147 0.099 4.264 7.584 < 1 0.084
20 < 1 0.079 1.254 0.180 6.002 10.338 < 1 0.108
25 < 1 0.099 1.585 0.220 8.980 15.932 < 1 0.130
30 1.254 0.120 1.614 0.324 12.329 23.670 < 1 0.161
35 1.328 0.169 1.895 0.456 18.643 31.896 < 1 0.184
40 1.459 0.200 2.393 0.560 24.727 43.045 < 1 0.233
45 1.874 0.238 2.731 0.700 31.187 51.598 < 1 0.251
50 2.167 0.280 3.568 0.780 38.943 69.984 < 1 0.295
55 2.346 0.340 3.796 0.840 49.766 87.097 < 1 0.315
60 2.786 0.387 5.093 0.920 63.766 99.983 < 1 0.338
65 3.286 0. 410 5.345 1.028 85.327 113.983 < 1 0.366
70 3.749 0.450 5.548 1.105 99.876 131.237 1.001 0.394
75 4.133 0.488 6.970 1.170 113.657 146.476 1.125 0.437
Table 3.2 – Number of Boolean variables used for States (S), Ports (P) and Data Variables
(DV).
Nb of Routes no data Routes with data Trackers & Peers Publish-Subscribe
comps S P DV S P DV S P DV S P DV
5 17 14 - 17 14 8 9 18 16 5 6 5
50 197 149 - 197 149 98 90 180 160 50 51 50
75 297 224 - 297 224 148 135 270 240 75 76 75
It should be noted that the complexity and the overhead induced by the JavaBIP engine
depends on the size of the kernel BDD. This is characterised by the number of Boolean
variables used in the encoding and their ordering in relation with the encoded constraints.
Table 3.2 summarizes the number of Boolean variables used by the engine for each of the four
case-studies for 5, 50 and 75 components. Notice that we take into account only enforceable
ports, which correspond to transitions that are controlled by the JavaBIP engine. Table 3.3
presents the total number of variables (which is the sum of states, ports and data variables
shown in Table 3.2) and the number of possible interactions computed by the engine for
each of the four case-studies for 5, 50 and 75 components. For 75 components, the total
number of variables is: 1) 521 for Camel Routes without data; 2) 669 for Camel Routes with
data; 3) 645 for Trackers & Peers and 4) 226 for Publish-Subscribe.
Although the increase of the number of variables results in increasing the overhead of the
engine, what really aﬀects the performance of the engine is the complexity of the glue
speciﬁcation. We have used the Trackers & Peers case-study as a stress test for the JavaBIP
engine. In particular, in the Trackers & Peers case-study, the number of possible interactions
increases exponentially with the number of components, e.g., for 75 components, there exist
1.17 · 1024 possible interactions (Table 3.3). Coordinating a system of such complexity with
46
3.6. Related work
Table 3.3 – Total number of Boolean Variables (V). Number of possible Interactions (I).
Nb of Routes no data Routes with data Trackers & Peers Publish-Subscribe
comps V I V I V I V I
5 31 8 39 8 43 46 16 5
50 346 98 444 98 430 2.36 · 1016 151 50
75 521 148 669 148 645 1.17 · 1024 226 75
traditional techniques would be very diﬃcult and error-prone. In JavaBIP, the full glue
speciﬁcation does not exceed 20 lines of code and is speciﬁed externally for the global system.
To compare the engine’s execution time, we have used Camel Routes to transfer ﬁles of
diﬀerent size on an Intel Core i7-2640M CPU at 2.80GHz x 4 with 8GB RAM. We measured
that a Camel Route needs 113ms to transfer a 3KB ﬁle, while for a 75MB ﬁle a Camel Route
needs 890ms. Notice that this is “an ideal scenario” since only one Camel route is running
at each time. In the case where 4 Camel Routes are running simultaneously, to transfer the
75MB ﬁle we need more than 900ms. We argue that the engine’s overhead which is < 1ms
for 4 Camel Routes and 1 Monitor is negligible when compared to 900ms or even to 113ms.
Additionally, the memory usage of the BDD Manager remains very low, less than 2MB for
75 components, for the Camel Routes with data case-study.
3.6 Related work
Locking [103, 65] provides very eﬃcient means for coordinating concurrent access to shared
resources. However, it leads to code that is hard to understand, debug and modify. Several
solutions have been proposed for dealing with these diﬃculties [1, 30]. However, they focus
primarily on scalability at the expense of the expressiveness of coordination primitives. They
do not impose the separation of computation from coordination, thus only partially alleviating
the above diﬃculties and reducing modularity, since the component code substantially
depends on its environment. Xcd [81] and SIP [52], impose the separation of concerns
principles while dealing with coordination of concurrent software components. Xcd makes the
choice of emphasizing speciﬁcally the realizability of distributed architectures, thus excluding
up-front the possibility of centralized synchronization. SIP represents the functional logic
of an application as a state machine and manages synchronization contracts that specify
application needs in resources. Even though this work bears similarity to our approach, it
cannot be used to enforce complex synchronization scenarios as in JavaBIP.
A number of other approaches further explore the issue of coordination in concurrent
environments. An aspect-oriented approach is taken in [105], where the authors focus on
separating the design and the choice of a speciﬁc synchronization mechanism and present a
library allowing declarative speciﬁcation of synchronization using tagging. In [38], discrete-
event systems theory is used to generate concurrency control code. Using control-ﬂow graphs
of threads coupled with predeﬁned relevant control events, the authors build simpliﬁed FSMs
47
Chapter 3. Interaction logic and JavaBIP
for each thread. Based on these FSMs, a general supervisor is constructed, from which the
concurrent code is generated using semaphores. In both of these approaches, tags or events
are embedded in the code, resulting in poor separation of concerns.
In [82], a component model with explicit symbolic protocols based on Symbolic Transition
Systems is presented. The authors deﬁne a component language to describe the interfaces
and the protocol of a component. Connection mechanisms are represented by channels.
However, only one-to-one connections are allowed. Furthermore, even though a controller is
implemented whose role bears similarity to the JavaBIP executor, controller classes have to
be manually created for each component in the architecture.
Using FSMs to model program behaviour constitutes a common practice. In [102], the
authors propose a methodology to automatically extract the ﬁnite-state models of object-
oriented class interfaces. In the extracted FSMs, the states correspond to methods, while the
transitions represent acceptable sequencing of method calls. The extracted models may serve
as documentation, can be used to check whether the program exhibits expected behaviour or
as complementary material in a test suite. In our approach, FSMs deﬁne a relevant abstract
view of the behaviour of the software, which is more complex and complete than just method
call sequencing and therefore can be eﬀectively used for more complex system analysis. For
instance, a state is the combination of the control location (between method calls) and data
valuations, which allows, among others, to consider guards.
Similarly, in [15, 14, 13] behavioural types, i.e. FSMs, are used to describe the behaviour of
component types and their interaction protocols. Behavioural types are used for compatibility
checks between component types and to facilitate correctness through runtime monitors
and discovery of components at runtime. They strictly describe method calls between
components, while data transfer and memory usage are not included. Behavioural types are
also used in the Ptolemy framework with a focus on real-time systems [66].
In [3], the authors argue for the extension of objects with state information through Typestate-
Oriented Programming. A number of works [37, 57] support the importance of this approach,
which allows for the speciﬁcation of classes of temporal safety properties in the form of FSMs.
This extension of types serves in checking whether an operation is allowed in a speciﬁc
context. These works address the problems of retrieving or verifying method call sequences,
whereas JavaBIP focuses on enforcing coordination.
The Behaviour Driven Development [93] software approach puts a strong focus on explicitly
stating the behaviour of system components. In particular, Behaviour Driven Development
focuses on understanding the behaviour of the components deﬁned as simple given-when-
then scenarios. Such a scenario can be simply explained as follows: given the state of the
component, when an action is executed the component reaches the corresponding then state.
The JBehave tool [77] that supports Behaviour Driven Development also requires a user to
create an object model (an instance of a Java class) that directly maps scenarios to functions
within this object model. Similarly to Behaviour Driven Development, our approach puts a
48
3.7. Summary
strong focus on explicitly stating the behaviour of the system components. The JavaBIP
mechanism for behaviour speciﬁcation could be used to deﬁne given-when-then scenarios for
all transitions within a Behaviour speciﬁcation.
3.7 Summary
The main goal of our work was to integrate architectures into mainstream software devel-
opment with Java, in order to raise the abstraction level and separate functionality from
coordination. JavaBIP follows an exogenous approach to the coordination of software com-
ponents relying, for the interaction with the controlled components, on existing APIs. To
this end, JavaBIP speciﬁcations are deﬁned as separate Java classes that, on one hand, allow
the interaction with other components through the mediation of the JavaBIP engine and, on
the other hand, interact with the controlled components through the provided APIs and
notiﬁcations of spontaneous events. All JavaBIP speciﬁcations can be deﬁned and modiﬁed
without altering the functional code, which is impossible with traditional approaches. We
have presented experimental results that validate the eﬀectiveness of JavaBIP for the coordi-
nation of software components. Veriﬁcation tools, e.g., DFinder and nuXmv, can be used
to validate JavaBIP speciﬁcations, ensuring correctness of the designed systems. JavaBIP
coordination has been tested and validated in Connectivity FactoryTM by Crossing-Tech
S.A.
49

4 Conﬁguration logics
Conﬁguration logic is a powerset extension of interaction logic. Conﬁguration logic formulas
are generated from the formulas of propositional interaction logic by using the operators
union, intersection and complementation, as well as a coalescing operator +. The meaning
of a conﬁguration logic formula is a conﬁguration set. A conﬁguration on a set of com-
ponents represents a particular architecture. Thus, conﬁguration logic formulas describe
architecture sets. The deﬁnition of conﬁguration logics requires considering the following
three hierarchically structured semantic domains (Figure 4.1):
1. The lattice of interactions. An interaction a is a non-empty subset of P , the set of
ports of the integrated components. Its execution implies the atomic synchronization
of component actions (at most one action per component) associated with the ports of
a.
2. The lattice of conﬁgurations. Conﬁgurations are non-empty sets of interactions
characterizing architectures.
3. The lattice of conﬁguration sets. Sets of conﬁgurations are properties described
by the conﬁguration logic.
(a) I(P ) = 2P (b) C(P ) = 2I(P )\{∅} (c) CS(P ) = 2C(P )\{∅}
Figure 4.1 – Lattices of interactions (a), conﬁgurations (b) and conﬁguration sets (c) for
P = {p, q}
51
Chapter 4. Conﬁguration logics
We provide a full axiomatisation of the propositional conﬁguration logic and a normal
form similar to the disjunctive normal form in Boolean algebras. The existence of such a
normal form implies the decidability of formula equality and satisfaction of a formula by an
architecture model. To allow genericity of speciﬁcations, we study higher-order extensions of
the propositional conﬁguration logic.
4.1 Propositional conﬁguration logic (PCL)
Syntax. The propositional conﬁguration logic is an extension of propositional interaction
logic (PIL) (Section 2.3.3) deﬁned by the grammar:
f ::= true | φ | ¬ f | f + f | f unionsq f , (4.1)
where φ is a PIL formula; ¬ , + and unionsq are, respectively, the complementation, coalescing
and union operators.
Additionally, we deﬁne the usual notation for intersection and implication:
f1  f2 def= ¬ (¬ f1 unionsq ¬ f2) ,
f1 ⇒ f2 def= ¬ f1 unionsq f2 .
The language of PCL formulas is generated from PIL formulas by using union, coalescing and
complementation operators. The binding strength of the operators is as follows (in decreasing
order): PIL negation, complementation, PIL conjunction, PIL disjunction, coalescing, union.
Henceforth, to avoid confusion, we refer as interaction formulas to the subset of PCL formulas
that syntactically are also PIL formulas. We will use Latin letters f, g, h for general PCL
formulas and Greek letters φ, ψ, ξ for interaction formulas. Interaction formulas inherit all
axioms of PIL.
Semantics. Let P be a set of ports. The semantic domain of PCL is the lattice of
conﬁguration sets CS(P ) = 2C(P )\{∅} (Figure 4.1c). The meaning of a PCL formula f is
deﬁned by the following satisfaction relation. Let γ ∈ C(P ) be a non-empty conﬁguration.
We deﬁne:
γ |= true , always, (4.2)
γ |= φ , if ∀a ∈ γ, a |=i φ, where φ is an interaction formula and
|=i is the satisfaction relation of PIL,
(4.3)
γ |= f1 + f2 , if there exist γ1, γ2 ∈ C(P ) \ {∅}, such that γ = γ1 ∪ γ2,
γ1 |= f1 and γ2 |= f2,
(4.4)
γ |= f1 unionsq f2 , if γ |= f1 or γ |= f2, (4.5)
γ |= ¬ f , if γ |= f (i.e. γ |= f does not hold). (4.6)
52
4.1. Propositional conﬁguration logic (PCL)
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1q1 + p2q2 p1q2 + p2q1 p1q1 + p1q2 p2q1 + p2q2
Figure 4.2 – Master/Slave architectures
In particular, the meaning of an interaction formula φ in PCL is the set 2Ia \ {∅}, with
Ia = {a ∈ I(P ) | a |=i φ}, of all conﬁgurations involving any number of interactions satisfying
φ in PIL.
The semantics of intersection and implication can also be stated directly as follows:
γ |= f1  f2 , if γ |= f1 and γ |= f2, (4.7)
γ |= f1 ⇒ f2 , if γ |= f1 or γ |= f2. (4.8)
We say that two formulas are equivalent f1 ≡ f2 iﬀ, for all γ ∈ C(P ) such that γ = ∅,
γ |= f1 ⇔ γ |= f2.
We denote by |f | def= {γ ∈ C(P ) \ {∅} | γ |= f} the characteristic conﬁguration set of the
formula f . Clearly f1 ≡ f2 iﬀ |f1| = |f2|.
Proposition 4.1.1. Equivalence ≡ is a congruence w.r.t. all PCL operations.
Proof. In order to prove the proposition, it is suﬃcient to show that for each binary operator
op from the PCL grammar (4.1), the characteristic conﬁguration set of the formula f1 op f2
can be expressed as a function of characteristic conﬁguration sets of f1 and f2. In other words,
we have to exhibit a binary operator op′ on sets, such that |f1 op f2| = op′(|f1|, |f2|). Similarly,
we have to exhibit a unary operator on sets, expressing the characteristic conﬁguration set
of the formula ¬ f in terms of the characteristic conﬁguration set of f .
Clearly, the set operators corresponding to ¬ and unionsq are, respectively, complementation
with respect to C(P ) \ {∅} and set union. For the coalescing operator +, it is easy to see
that, deﬁning
op′+(X,Y )
def= {γ1 ∪ γ2 | γ1 ∈ X, γ2 ∈ Y } ,
we have |f1 + f2| = op′+
(|f1|, |f2|).
Example 4.1.2. The Master/Slave architecture style for two masters M1,M2 and two
slaves S1, S2 with ports m1, m2, s1, s2, respectively, characterizes the four conﬁgurations
53
Chapter 4. Conﬁguration logics
of Figure 4.2 as the union: ⊔
i,j∈{1,2}
(φ1,i + φ2,j),
where φi,j = si ∧mj ∧ si′ ∧mj′ for i = i′, j = j′ are monomials deﬁning a binary interaction
between ports si and mj , respectively.
This formula can be alternatively written as a coalescing of interactions for each slave:
(φ1,1 unionsq φ1,2) + (φ2,1 unionsq φ2,2).
Any conﬁguration satisfying this formula consists of two parts, which satisfy, respectively,
the left and the right terms of the coalescing operator. The left term requires either an
interaction {s1,m1} or an interaction {s1,m2}. Similarly, the right term requires exactly
one interaction among {s2,m1} and {s2,m2}. Therefore, there are four possible pairs of
interactions corresponding to the four conﬁgurations of Figure 4.2.
4.1.1 Properties of PCL
In this section, we show that PCL is a conservative extension of PIL. We also present the
key properties of PCL operators, which allow us to deﬁne a normal form (Section 4.1.2), a
sound and complete axiomatisation of PCL (Section 4.1.3) and decision procedures for the
equality and satisfaction of PCL formulas (Subsection 4.1.4).
Conservative extension
Notice that from the PCL semantics of interaction formulas, it follows immediately that PCL
is a conservative extension of PIL. Below we extend the PIL conjunction and disjunction
operators to PCL.
PCL intersection is a conservative extension of PIL conjunction.
Proposition 4.1.3. φ1 ∧ φ2 ≡ φ1  φ2, for any interaction formulas φ1, φ2.
Proof. For any two interaction formulas φ1 and φ2, φ1 ∧ φ2 is also an interaction formula.
Hence, by (4.3), γ |= φ1 ∧ φ2 iﬀ γ ⊆ {a | a |=i φ1 ∧ φ2} = {a | a |=i φ1 ∧ a |=i φ2}. By
(4.7), γ |= φ1  φ2 iﬀ γ |= φ1 and γ |= φ2, that is γ ⊆ {a | a |=i φ1} ∩ {a | a |=i φ2} =
{a | a |=i φ1 ∧ a |=i φ2}. Since characteristic conﬁguration sets of formulas coincide, φ1∧φ2 ≡
φ1  φ2.
Thus, conjunction and intersection coincide on interaction formulas. In the rest of the thesis,
we use the same symbol ∧ to denote both operators.
54
4.1. Propositional conﬁguration logic (PCL)
Disjunction can be conservatively extended to PCL with the following semantics: for any
PCL formulas f1 and f2,
γ |= f1 ∨ f2 , if γ |= f1 unionsq f2 unionsq f1 + f2. (4.9)
Proposition 4.1.4. For any interaction formulas φ1 and φ2 and any γ ∈ C(P ) such that
γ = ∅, we have γ |= φ1 ∨ φ2 iﬀ ∀a ∈ γ, a |=i φ1 ∨ φ2.
Proof. The PCL semantics deﬁnes γ |= φ1 ∨ φ2 if γ |= φ1 or γ |= φ2 or there exist γ1 and
γ2, such that γ = γ1 ∪ γ2, γ1 |= φ1 and γ2 |= φ2, where γ |= φ if for all a ∈ γ, a |=i φ.
Thus, in all three cases all interactions in γ either satisfy φ1 or φ2 and consequently, for all
a ∈ γ, a |=i φ1 ∨ φ2. Conversely, if γ consists of interactions a, such that a |=i φ1 ∨ φ2, these
interactions can be split into two possibly empty sets γ1 and γ2 such that for all a ∈ γj ,
where j ∈ [1, 2], a |=i φj . If one of these groups is empty then the second one contains all
interactions and γ |= φj . Otherwise, γ1 |= φ1 and γ2 |= φ2, where γ1 ∪ γ2 = γ. In all cases
γ |= φ1 ∨ φ2.
Union, complementation and conjunction have the standard set-theoretic meaning.
Proposition 4.1.5. The operators unionsq , ¬ , ∧ satisfy the usual axioms of propositional logic.
Proof. The proof is immediate from the semantics (4.5), (4.6) and (4.7).
The coalescing operator
Notice that coalescing + combines conﬁgurations, as opposed to union unionsq , which combines
conﬁguration sets. Coalescing has the following properties:
Proposition 4.1.6. + is associative, commutative and has an absorbing element false def=
¬true.
Proof. The proof is immediate from the semantics (4.4).
Coalescing distributes over union, as shown in the following proposition:
Proposition 4.1.7. For any formulas f, f1, f2, the following distributivity result holds:
f + (f1 unionsq f2) ≡ f + f1 unionsq f + f2 .
Proof. If γ |= f + (f1 unionsq f2) then there exist γ1 and γ2, such that γ1 ∪ γ2 = γ, γ1 |= f and
γ2 |= f1 unionsq f2. If γ2 |= f1 then γ |= f + f1. Otherwise, γ2 |= f2 and γ |= f + f2. Combining
these two cases we obtain γ |= f + f1 unionsq f + f2.
55
Chapter 4. Conﬁguration logics
If γ |= f + f1 unionsq f + f2 then either γ |= f + f1 or γ |= f + f2. In the ﬁrst case there exist
γ1 and γ2, such that γ1 ∪ γ2 = γ, γ1 |= f and γ2 |= f1. Since γ2 |= f1 implies γ2 |= f1 unionsq f2,
γ |= f + (f1 unionsq f2). The second case is similar.
Associativity of coalescing and union, together with the distributivity of coalescing over union,
immediately imply the following generalisation of the extended semantics of disjunction
(4.9).
Corollary 4.1.8. For any set of formulas {fi}i∈I , we have∨
i∈I
fi ≡
⊔
∅=J⊆I
∑
j∈J
fj ,
where ∑j∈J fj denotes the coalescing of formulas fj, for all j ∈ J .
Example 4.1.9. A conﬁguration γ satisfying the formula f = f1 ∨f2 ∨f3 can be partitioned
into γ = γ1 ∪ γ2 ∪ γ3, such that γi |= fi. However, by the semantics of disjunction, some
γi can be empty. On the contrary, the semantics of coalescing requires all elements of
such partition to be non-empty. Hence, in order to rewrite f without the disjunction
operator, we take the union of all possible coalescings of f1, f2 and f3. Thus, we have
f ≡ f1 unionsq f2 unionsq f3 unionsq (f1 + f2) unionsq (f1 + f3) unionsq (f2 + f3) unionsq (f1 + f2 + f3).
The following proposition shows distributivity results involving disjunction. In particular, it
shows that disjunction distributes over union and coalescing distributes over disjunction.
Proposition 4.1.10. For any formulas f, f1, f2, the following distributivity results hold:
1. f ∨ (f1 unionsq f2) ≡ (f ∨ f1) unionsq (f ∨ f2),
2. f + (f1 ∨ f2) ≡ (f + f1) ∨ (f + f2).
Proof. We have
f ∨ (f1 unionsq f2) ≡ f unionsq (f1 unionsq f2) unionsq f + (f1 unionsq f2)
≡ f unionsq f1 unionsq f + f1 unionsq f unionsq f2 unionsq f + f2 ≡ (f ∨ f1) unionsq (f ∨ f2)
and
f + (f1 ∨ f2) ≡ f + (f1 unionsq f2 unionsq f1 + f2)
≡ f + f1 unionsq f + f2 unionsq f + f1 + f2 ≡ (f + f1) ∨ (f + f2) .
The following example shows that coalescing does not distribute over conjunction.
56
4.1. Propositional conﬁguration logic (PCL)
Example 4.1.11. Let P = {p, q} and consider f = p unionsq q, f1 = p and f2 = q. We then have
(f + f1) ∧ (f + f2) =
(
(p unionsq q) + p) ∧ ((p unionsq q) + q) and f + (f1 ∧ f2) = (p unionsq q) + (p ∧ q).
The conﬁguration
{{p}, {q}} satisﬁes the former, but not the latter.
Proposition 4.1.12. For any formulas f, f1, f2, the following implication is true:
f + (f1 ∧ f2) ⇒ (f + f1) ∧ (f + f2) .
Proof. If γ |= f +(f1 ∧ f2) then there exist γ1 and γ2, such that γ = γ1 ∪γ2, γ1 |= f , γ2 |= f1
and γ2 |= f2. Hence, we have both γ |= f + f1 and γ |= f + f2.
In general, neither conjunction distributes over coalescing nor coalescing over conjunction.
To provide more distributivity results, we introduce the following classes of PCL formulas.
Deﬁnition 4.1.13.
• A formula f is downward-closed iﬀ γ |= f implies ∀γ1 ⊆ γ, γ1 |= f .
• A formula f is upward-closed iﬀ γ |= f implies ∀γ1 ⊇ γ, γ1 |= f .
• A formula f is ∪-closed iﬀ γ1 |= f and γ2 |= f implies γ1 ∪ γ2 |= f .
Example 4.1.14.
• p unionsq q is downward-closed,
• ¬ (p unionsq q) is upward-closed,
• p ∨ q is ∪-closed.
The following propositions show properties of these classes and their relations.
Proposition 4.1.15. If f and g are downward- (resp. upward-) closed then f unionsq g and
f ∧ g are also downward- (resp. upward-) closed.
Proof. If γ |= f unionsq g then γ |= f or γ |= g. If γ |= f then ∀γ1 ⊆ γ γ1 |= f . Thus, γ1 |= f unionsq g.
The case γ |= g is similar.
If γ |= f ∧ g then γ |= f and γ |= g. If γ |= f then ∀γ1 ⊆ γ γ1 |= f and similarly for g.
Thus, γ1 |= f ∧ g.
If γ |= f unionsq g then γ |= f or γ |= g. If γ |= f then ∀γ1 ⊇ γ γ1 |= f . Thus, γ1 |= f unionsq g. The
case γ |= g is similar.
If γ |= f ∧ g then γ |= f and γ |= g. If γ |= f then ∀γ1 ⊇ γ γ1 |= f and similarly for g.
Thus, γ1 |= f ∧ g.
57
Chapter 4. Conﬁguration logics
Proposition 4.1.16. For any formula f , the formula f + true is upward-closed.
Proof. Let γ |= f + true. There exists γ1 ⊆ γ such that γ1 |= f . For any γ2 ⊇ γ holds
γ2 ⊇ γ1 and γ2 |= f + true, since true is satisﬁed by any conﬁguration.
Proposition 4.1.17. If f is upward-closed then f ≡ f + true.
Proof. If γ |= f then γ ∪ γ = γ |= f + true.
If γ |= f + true then there exists γ1 ⊆ γ such that γ1 |= f . Since f is upward-closed, for any
γ ⊇ γ1, holds γ |= f .
Proposition 4.1.18. If f and g are ∪-closed then f + g is also ∪-closed.
Proof. If γ1 |= f + g and γ2 |= f + g then there exist γ1,1, γ1,2, γ2,1 and γ2,2, such that
γi = γi,1 ∪γi,2, γi,1 |= f and γi,2 |= g for i ∈ {1, 2}. Since f and g are ∪-closed, γ1,1 ∪γ2,1 |= f
and γ1,2 ∪ γ2,2 |= g and consequently, γ1 ∪ γ2 |= f + g.
The following proposition shows that the complement of a downward-closed formula is an
upward-closed formula.
Proposition 4.1.19. A formula f is downward-closed iﬀ the formula ¬ f is upward-closed.
Proof. Assume that f is downward-closed and ¬ f is not upward-closed. The latter means
that there exist γ1 and γ2 ⊇ γ1 such that γ1 |= ¬ f and γ2 |= ¬ f . This is equivalent to
γ1 |= f and γ2 |= f , which contradicts the fact that f is downward-closed.
Conversely, assume that ¬ f is upward-closed and f is not downward-closed. The latter
means that there exist γ1 and γ2 ⊆ γ1 such that γ1 |= f and γ2 |= f . This is equivalent to
γ1 |= ¬ f and γ2 |= ¬ f , which contradicts the fact that ¬ f is upward-closed.
Proposition 4.1.20. A formula is ∪-closed and downward-closed iﬀ it is an interaction
formula.
Proof. Let φ be an interaction formula. Consider two conﬁgurations γ1 |= φ and γ2 |= φ.
Any γ′ ⊆ γ1 contains only interactions from γ1, thus, γ′ |= φ. For all a ∈ γ1 ∪ γ2 holds
a |=i φ, consequently γ1 ∪ γ2 |= φ. This shows that φ is ∪-closed and downward-closed.
Conversely, suppose that f is a ∪-closed and downward-closed formula and consider its
characteristic conﬁguration set |f | = {γ ∈ C(P ) \ {∅} | γ |= f}. Let I = ⋃γ∈|f | γ be the set of
all interactions belonging to conﬁgurations satisfying f . Since f is downward-closed, {a} |= f
for any a ∈ I. By the deﬁnition of ∪-closed formulas, the union of models is also a model.
Thus, γ |= f , for any ∅ = γ ⊆ I. Consequently, |f | = {γ ⊆ I | γ = ∅} and f = ∨a∈I ma,
where ma denotes the characteristic monomial of the interaction a.
58
4.1. Propositional conﬁguration logic (PCL)
∨
p∈P p
∨
p∈P p
φ∨φ′
φ
φ∧φ′
φ′
∧
p∈P p¯
∧
p∈P p¯
φ∧φ′
φ φ+φ′
φ′
φ∨φ′
φunionsq φ′
Figure 4.3 – Correspondence between the lattices of PIL and PCL
Thus, interaction formulas are represented by formulas that are both downward-closed and
∪-closed. Figure 4.3 shows the correspondence between the PIL lattice and the PCL lattice.
Notice that, in general, φ unionsq φ′ is not ∪-closed and φ + φ′ is not downward-closed. For
example, for P = {p, q}, f1 = pq unionsq p q is not ∪-closed, since {{p}} and {{q}} are models
of f1 but {{p}, {q}} is not a model of f1. Similarly, f2 = pq + p q is not downward-closed,
since {{p}, {q}} is a model of f2 but neither {{p}} nor {{q}} is.
As shown before, conjunction does not distribute over coalescing. Nevertheless, it distributes
for interaction formulas as shown in the following proposition.
Proposition 4.1.21. For any formulas f1, f2 and interaction formula φ, we have:
φ ∧ (f1 + f2) ≡ (φ ∧ f1) + (φ ∧ f2) .
Proof. If γ is a conﬁguration satisfying φ ∧ (f1 + f2) then γ |= φ and there exist γ1, γ2,
such that γ = γ1 ∪ γ2, γ1 |= f1 and γ2 |= f2. Since φ is an interaction formula, it is
also downward-closed (Proposition 4.1.20). Thus, γ |= φ implies γ1 |= φ and γ2 |= φ.
Consequently, γ1 |= φ ∧ f1 and γ2 |= φ ∧ f2.
Conversely, if γ is a conﬁguration satisfying (φ ∧ f1) + (φ ∧ f2) then γ = γ1 ∪ γ2 such
that γ1 |= f1, γ1 |= φ, γ2 |= f2 and γ2 |= φ. Since φ is ∪-closed, γ |= φ and consequently,
γ |= φ ∧ (f1 + f2).
Notice that coalescing is not idempotent in general, as it is shown in the following example.
Example 4.1.22. (p unionsq q) + (p unionsq q) ≡ p unionsq q. The conﬁguration {{p}, {q}} satisﬁes
(p unionsq q) + (p unionsq q), but it does not satisfy p unionsq q .
Nevertheless, coalescing is idempotent on ∪-closed formulas.
59
Chapter 4. Conﬁguration logics
Proposition 4.1.23. f + f ≡ f for any ∪-closed formula f .
Proof. The implication γ |= f ⇒ γ |= f + f for any γ is trivial.
Conversely, consider a conﬁguration γ |= f + f . By the semantics of coalescing, there
exist γ1, γ2, such that γ = γ1 ∪ γ2, γ1 |= f and γ2 |= f . Since f is ∪-closed, γ1 ∪ γ2 |= f .
Consequently, γ |= f .
The closure operator
Coalescing with true presents a particular interest for writing speciﬁcations, since they allow
adding any set of interactions to the conﬁgurations satisfying f . Notice that true is not a
neutral element of coalescing: only the implication f ⇒ f + true holds in general.
Deﬁnition 4.1.24. For any formula f , the closure operator ∼ is deﬁned by putting ∼f def=
f + true. We give ∼ the same binding power as ¬ .
Although closure is not a primitive operator of PCL, it is easy to see that the semantics of
closure can be directly deﬁned by putting γ |= ∼f iﬀ exists γ1 ⊆ γ such that γ1 |= f .
Example 4.1.25. For P = {p, q, r} the formula f characterizing all the conﬁgurations such
that p must interact with both q and r, is f = pq + pr + true = ∼(pq + qr). Notice that the
only constraint imposed by the formula f is that conﬁgurations that satisfy it must contain
an interaction pqr or both interactions pq and qr. Conﬁgurations satisfying f can contain
any additional interactions.
Proposition 4.1.26. ∼∼f ≡ ∼f for any formula f .
Proof. ∼∼f ≡ ∼f + true ≡ f + true + true ≡ f + true ≡ ∼f .
Notice that, as an immediate corollary of Proposition 4.1.17, the closure of any formula
is upward-closed. The following proposition shows that ∼f is the smallest upward-closed
formula greater than f in the lattice of PCL formulas ordered by implication.
Proposition 4.1.27. For any formula f , holds f ⇒∼ f . Furthermore, for any upward-
closed formula f ′, such that f ⇒ f ′, holds ∼f ⇒ f ′.
Proof. f ⇒ ∼f follows directly from the semantics of the ∼ operator. Assume that there
exists an upward-closed f ′, such that f ⇒ f ′, and a conﬁguration γ, such that γ |=∼f and
γ |= f ′. Since γ |=∼f there exists γ1 ⊆ γ such that γ1 |= f . Since f ⇒ f ′, we have γ1 |= f ′.
The formula f ′ is upward-closed, therefore γ1 |= f ′ implies γ |= f ′, which contradicts our
assumption.
60
4.1. Propositional conﬁguration logic (PCL)
The closure operator can be interpreted as a modal operator with existential quantiﬁcation.
The formula ∼f characterizes conﬁgurations γ, such that there exists a sub-conﬁguration
of γ satisfying f . Thus, ∼f means “possible f”. Dually ¬ ∼¬ f means “always f” in the
following sense: if a conﬁguration γ satisﬁes ¬ ∼¬ f , all sub-conﬁgurations of γ satisfy f .
Corollary 4.1.28. For any formula f , holds ¬ ∼¬f ⇒ f . Furthermore, for any downward-
closed formula f ′, such that f ′ ⇒ f , holds f ′ ⇒ ¬ ∼¬ f .
Proof. By 4.1.27, for any formula f , we have ¬ f ⇒ ∼ ¬ f , which immediately implies
¬ ∼ ¬ f ⇒ f . For any downward-closed f ′, such that f ′ ⇒ f , we observe that, by
Proposition 4.1.19, ¬ f ′ is upward-closed. Hence, by Proposition 4.1.27, ∼¬ f ⇒ ¬ f ′ and,
consequently, f ′ ⇒ ¬ ∼¬ f .
Clearly, if f is downward-closed then ¬ ∼¬ f ≡ f . However, this is not true in general.
Consider f = ma +mb, where ma and mb are characteristic monomials of interactions a and
b, respectively. The only conﬁguration satisfying f is γ = {a, b}. In particular, none of the
sub-conﬁgurations {a}, {b} ⊂ γ satisﬁes f . Thus, ¬ ∼¬ (ma + mb) ≡ false.
Proposition 4.1.29. For any formulas f1, f2, the following distributivity results hold:
1. ∼(f1 unionsq f2) ≡ ∼f1 unionsq ∼f2 ≡ ∼(f1 ∨ f2),
2. ∼f1 + ∼f2 ≡ ∼(f1 + f2) ≡ ∼f1 ∧ ∼f2.
Proof. We have the following equalities:
∼(f1 unionsq f2) ≡ (f1 unionsq f2) + true ≡ f1 + true unionsq f2 + true ≡ ∼f1 unionsq ∼f2 ,
∼(f1 ∨ f2) ≡ f1 + true unionsq f2 + true unionsq f1 + f2 + true
≡ f1 + true unionsq f2 + true ≡ ∼f1 unionsq ∼f2 ,
∼f1+ ∼f2 ≡ f1 + true + f2 + true ≡ f1 + f2 + true ≡ ∼(f1 + f2) ,
∼f1 ∧ ∼f2 ≡ (f1 + true) ∧ (f2 + true) ≡ f1 + f2 + true ≡ ∼(f1 + f2) .
The complementation operator
The following results allow us to address the relation between complementation and negation.
Lemma 4.1.30. For any interaction formula φ, the following two formulas are equivalent:
φ unionsq φ unionsq (φ + φ) ≡ true . (4.10)
61
Chapter 4. Conﬁguration logics
φ
¬ φ ≡ ∼φ
∼φ ≡ ¬ φ
φ ≡ ¬ ∼φ
∼
¬
∼
¬
Figure 4.4 – Correspondence between negation and complementation of interaction formulas
Proof. The proof is immediate from Corollary 4.1.8 and the fact that φ ∨ φ ≡ true, for any
interaction formula φ.
Notice that the three terms in the left-hand side of (4.10) are mutually disjoint.
Proposition 4.1.31. For any interaction formula φ, holds ¬ φ ≡ ∼φ .
Proof. By Lemma 4.1.30, we have ¬ φ ≡ φ unionsq (φ + φ ) ≡ φ + true ≡ ∼φ .
In particular, this means that complementation can also be interpreted as a modality.
Proposition 4.1.31 shows that the complementation of f represents all conﬁgurations that
contain φ . Equivalences ¬φ ≡ ∼φ, ¬ ∼φ ≡ φ , ¬ ∼φ ≡ φ and ∼¬φ ≡ ¬φ, for interaction
formulas φ, are direct corollaries of Proposition 4.1.31 and, for the latter, Proposition 4.1.26.
Figure 4.4 depicts the relations between complementation and negation of the interaction
formulas.
Complementation of coalescings of interaction formulas
The following lemma expresses coalescing through extended disjunction. Coalescing is more
restrictive than extended disjunction requiring the existence of sub-conﬁgurations that satisfy
all operands.
Proposition 4.1.32. For any formulas f , g, we have:
f + g ≡ ∼f ∧ ∼g ∧ (f ∨ g) .
Proof. By (4.9) and Proposition 4.1.29, we have
∼f ∧ ∼g ∧ (f ∨ g) ≡ ∼(f + g) ∧ (f unionsq g unionsq f + g) .
62
4.1. Propositional conﬁguration logic (PCL)
Notice that γ |= ∼ (f + g) ∧ f iﬀ γ |= f and there exists γ1 ⊆ γ such that γ1 |= g. Thus,
∼(f + g) ∧ f ≡ f + (f ∧ g). By applying a similar transformation to g, we obtain
∼(f + g) ∧ (f unionsq g unionsq f + g) ≡ (f + (f ∧ g)) unionsq (g + (f ∧ g)) unionsq (f + g) ≡ f + g ,
where the last equality is an immediate consequence of the fact that f ∧ g ⇒ f and
f ∧ g ⇒ g.
Proposition 4.1.33. For any interaction formulas φ, ψ, the following two formulas are
equivalent:
¬ (φ + ψ) ≡ φ unionsq ψ unionsq ∼(φ ∧ ψ ) .
Proof. By Proposition 4.1.32 φ + ψ ≡∼φ∧ ∼ψ ∧ (φ ∨ ψ). Thus, ¬ (φ + ψ) ≡ ¬ (∼φ∧ ∼
ψ ∧ (φ ∨ ψ)) ≡ ¬ ∼φ unionsq ¬ ∼ψ unionsq ¬ (φ ∨ ψ). Since φ, ψ and φ ∨ ψ are interaction formulas,
the application of Proposition 4.1.31 gives ¬ (φ + ψ) ≡ φ unionsq ψ unionsq ∼(φ ∧ ψ )
Proposition 4.1.33 allows the elimination of complementation as shown in the following
example.
Example 4.1.34. Consider a formula f = ¬ (pq + pr) and a conﬁguration γ |= f . The PCL
semantics requires that γ cannot be split into two non-empty parts γ1 |= pq and γ2 |= pr.
This can happen in two cases: 1) there exists a ∈ γ such that a does not satisfy neither pq
nor pr; 2) one of the monomials is not satisﬁed by any interaction in γ. The former case can
be expressed as ∼(pq pr ) and the latter as pq unionsq pr . The union of these formulas gives the
equivalence ¬ (pq + pr) ≡ pq unionsq pr unionsq ∼(pq pr ).
Lemma 4.1.32 and Proposition 4.1.33 can be generalized as follows:
Proposition 4.1.35. For any set of formulas F , we have:∑
f∈F
f ≡
∧
f∈F
∼f ∧
∨
f∈F
f .
Proposition 4.1.36. For any set of interaction formulas Φ, the following two formulas are
equivalent:
¬
∑
φ∈Φ
φ ≡
⊔
φ∈Φ
φ unionsq ∼
∧
φ∈Φ
φ .
Proofs of Propositions 4.1.35 and 4.1.36 are similar to the proofs of Propositions 4.1.32 and
4.1.33, respectively.
Conjunction of coalescings of interaction formulas
Conjunction of coalescings of interaction formulas can be eliminated by using the following
distributivity result to push it down within the formula tree.
63
Chapter 4. Conﬁguration logics
Proposition 4.1.37. If Φ and Ψ are sets of interaction formulas, then∑
φ∈Φ
φ ∧
∑
ψ∈Ψ
ψ ≡
∑
ξ∈Φ∪Ψ
(
ξ ∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ)
)
.
Proof. Notice that∑
φ∈Φ
φ ∧
∑
ψ∈Ψ
ψ ≡ ¬ ¬
(∑
φ∈Φ
φ ∧
∑
ψ∈Ψ
ψ
)
≡ ¬
(
¬
∑
φ∈Φ
φ unionsq ¬
∑
ψ∈Ψ
ψ
)
.
By Proposition 4.1.36, this can be further transformed into
¬
⎛⎝⊔
φ∈Φ
φ unionsq ∼
∧
φ∈Φ
φ unionsq
⊔
ψ∈Ψ
ψ unionsq ∼
∧
ψ∈Ψ
ψ
⎞⎠
≡ ¬
⎛⎝ ⊔
ξ∈Φ∪Ψ
ξ unionsq ∼
∧
φ∈Φ
φ unionsq ∼
∧
ψ∈Ψ
ψ
⎞⎠ ,
which we further transform by applying twice the De Morgan’s law (once for complementation
and union and once for negation and disjunction) and Proposition 4.1.31:
∧
ξ∈Φ∪Ψ
¬ ξ ∧ ¬
(
∼
∧
φ∈Φ
φ
)
∧ ¬
(
∼
∧
ψ∈Ψ
ψ
)
≡
∧
ξ∈Φ∪Ψ
∼ξ ∧
∧
φ∈Φ
φ ∧
∧
ψ∈Ψ
ψ .
By Proposition 4.1.29 and another application of De Morgan’s law, we obtain
∼
∑
ξ∈Φ∪Ψ
ξ ∧
∨
φ∈Φ
φ ∧
∨
ψ∈Ψ
ψ ≡ ∼
∑
ξ∈Φ∪Ψ
ξ ∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ) .
Let γ be a conﬁguration satisfying the formula in the right-hand side of this equation. By
(4.7), any interaction a ∈ γ satisﬁes the second conjunct in this formula. Hence, there exists
a pair (φ, ψ) ∈ Φ×Ψ, such that a |=i φ ∧ ψ and, a fortiori, there exists ξ ∈ Φ∪Ψ, such that
a |=i ξ. Thus, the closure operator in the ﬁrst conjunct of this formula can be discarded.
Finally, by Proposition 4.1.21, we have( ∑
ξ∈Φ∪Ψ
ξ
)
∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ) ≡
∑
ξ∈Φ∪Ψ
(
ξ ∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ)
)
.
Example 4.1.38. Consider a formula f = (φ1 + φ2) ∧ (φ3 + φ4), where φ1, φ2, φ3 and
φ4 are interaction formulas, and a conﬁguration γ |= f . The semantics requires that there
exists two partitions of γ: γ = γ1 ∪ γ2 and γ = γ3 ∪ γ4, such that γi |= φi for i ∈ [1, 4].
Considering an intersection γi,j = γi ∩ γj we have γi,j |= φi ∧ φj . Thus, γ = ⋃ γi,j satisﬁes
φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4 even if some γi,j are empty. Nevertheless, disjunction allows
conﬁgurations such that no interaction satisfy one of the disjunction terms and consequently
some φi. A coalescing of φi allows only conﬁgurations such that each φi is satisﬁed by at least
64
4.1. Propositional conﬁguration logic (PCL)
implication PIL negation complementation
interaction formulas non−interaction formulas
∼ φ∧ ∼ ψ ≡ ¬ (φ unionsq ψ )
φ ∨ ψ
∼ (φ ∧ ψ) ≡ ¬ (φ ∨ ψ )
∼ ψ ≡ ¬ ψ
φ + ψ
¬ (φ + ψ)¬ φ ≡∼ φ ¬ ψ ≡∼ ψ
ψφ
¬ (φ unionsq ψ) ≡∼ φ ∧ ∼ ψ
¬ (φ ∨ ψ) ≡∼ (φ ∧ ψ )
¬ (φ ∧ ψ) ≡ ∼ φ unionsq ∼ ψ
ψφ
φ unionsq ψ
φ ∧ ψ
∼ φunionsq ∼ ψ ≡ ¬ (φ ∧ ψ )
φ ∨ ψ
φ unionsq ψ
∼ φ ≡ ¬ φ
φ ∧ ψ
Figure 4.5 – PCL lattice.
one interaction. Thus, the conjunction of these formulas gives the equivalent representation:
f ≡ (φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4) ∧ (φ1 + φ2 + φ3 + φ4)
= φ1 ∧ (φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4) + φ2 ∧ (φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4)
+ φ3 ∧ (φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4) + φ4 ∧ (φ1φ3 ∨ φ1φ4 ∨ φ2φ3 ∨ φ2φ4) .
The PCL lattice
The PCL lattice is illustrated in Figure 4.5. The circle nodes represent interaction formulas,
whereas the red dot nodes represent all other formulas. Notice that the PCL lattice has two
sub-lattices generated by monomials:
• through disjunction and negation (isomorphic to the PIL lattice);
• through union and complementation (disjunction is not expressible).
Notice that coalescing cannot be expressed in any of these two sub-lattices. Although some
formulas involving the closure operator can be expressed in the second sub-lattice, e.g.
∼ φ ≡ ¬ φ, in general this is not the case, e.g. the formulas ∼ (φ ∧ ψ ) and ∼ φ unionsq ∼ψ
are not part of either sub-lattice. However, the closure operator is expressible by taking as
generators the interaction formulas:
65
Chapter 4. Conﬁguration logics
Proposition 4.1.39. The lattice generated by interaction formulas through union and
complementation is closed under the closure operator ∼.
Proof. We must prove that, for any formula f in this lattice, the formula ∼f is also in the
lattice.
Since union and complementation satisfy the usual axioms of propositional logic, f can be
represented in the equivalent of the disjunction normal form:
f ≡
⊔
i∈I
( ∧
k∈Ki
φk ∧
∧
j∈Ji
¬ φj
)
,
where all φj and φk are interaction formulas. Furthermore, since the conjunction of interaction
formulas ∧k∈Ki φk is also an interaction formula, we can assume, without loss of generality,
that all Ki are singleton sets and
f ≡
⊔
i∈I
(
φi ∧
∧
j∈Ji
¬ φj
)
.
Applying the closure operator, we then have
∼f ≡ ∼
⊔
i∈I
(
φi ∧
∧
j∈Ji
¬ φj
)
≡
⊔
i∈I
∼
(
φi ∧
∧
j∈Ji
¬ φj
)
// by Proposition 4.1.29
≡
⊔
i∈I
∼
(
φi ∧ ∼
( ∑
j∈Ji
φj
))
// by Propositions 4.1.31 and 4.1.29
≡
⊔
i∈I
∼
(
φi +
∑
j∈Ji
(
φi ∧ φj
))
// by Proposition 4.1.21
≡
⊔
i∈I
(
∼φi ∧
∧
j∈Ji
∼(φi ∧ φj )) // by Proposition 4.1.29
≡
⊔
i∈I
(
¬ φi ∧
∧
j∈Ji
¬ φi ∧ φj
)
// by Proposition 4.1.31
≡
⊔
i∈I
¬
(
φi unionsq
⊔
j∈Ji
φi ∧ φj
)
.
Since, for all i and j, both φi and φi ∧ φj are interaction formulas, we conclude that ∼f
belongs to the lattice generated by interaction formulas through union and complementation.
4.1.2 Normal form and axiomatisation of PCL formulas
To simplify the presentation, we assume in this subsection that disjunction can appear only
within interaction formulas, i.e. we do not consider the extension (4.9) of the disjunction
66
4.1. Propositional conﬁguration logic (PCL)
1.
g ∧
⊔
i∈I
fi⊔
i∈I
g ∧ fi
(Proposition 4.1.5)
2.
g +
⊔
i∈I
fi⊔
i∈I
fi + g
(Proposition 4.1.7)
3.
¬
⊔
i∈I
fi∧
i∈I
¬ fi
(Proposition 4.1.5)
4.
¬
∑
φ∈Φ
φ , all φ are interaction formulas
⊔
φ∈Φ
φ unionsq ∼
( ∧
φ∈Φ
φ
) (Proposition 4.1.36)
5.
∑
φ∈Φ
φ ∧
∑
ψ∈Ψ
ψ , all φ ∈ Φ and ψ ∈ Ψ are
interaction formulas∑
ξ∈Φ∪Ψ
(
ξ ∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ)
) (Proposition 4.1.37)
Figure 4.6 – Rewriting system for computing the normal form by the procedure in Figure 4.7
operator to general PCL formulas. We prove that any PCL formula can be expressed in
the following normal form: ⊔i∈I ∑j∈Ji ∨k∈Ki,j mi,j,k, where all mi,j,k are monomials. This
normal form can be obtained using the rewriting system given in Figure 4.6 and usual Boolean
transformations for interaction formulas. Notice that no two rules can be simultaneously
applicable to the same node. Normal form of a formula is computed by applying the
procedure in Figure 4.7 to the root of its Abstract Syntax Tree (AST).
An application of a rule to a node of an AST modiﬁes only the subtree rooted at this node.
In order to simplify the reasoning, we impose the following additional constraint on the order
of application of the rules from the rewriting system in Figure 4.6.
Constraint 4.1.40. We require that any rule be applied to a node n only if no rule can be
applied to any other node in the subtree of n.
Remark 4.1.41. We extend Constraint 4.1.40 to include usual Boolean transformations.
Hence, at every step of the process, all interaction sub-formulas are maintained in Disjunctive
Normal Form.
67
Chapter 4. Conﬁguration logics
procedure normalise (node)
if (node is an interaction formula)
transform node into DNF;
return;
endif
foreach child of node do
normalise(child);
od
if (no rule applicable to node)
return;
else
apply rule to node;
normalise(node);
endif
end
Figure 4.7 – Procedure for computing the normal form using the rewriting system of Figure 4.6
Example 4.1.42. The following example illustrates the normalization process:
(pq unionsq r) ∧ (pr + ¬ q) ≡ (pq unionsq r)
∧ (pr + (q unionsq q + true)) // rule 4 with Φ = {q}
≡ (pq unionsq r) ∧ (pr + q + true) // absorption laws
≡ (pq ∧ (pr + q + true))
unionsq (r ∧ (pr + q + true)) // rule 1
≡ ((pq ∧ pr) + (pq ∧ q ) + (pq ∧ true))
unionsq ((r ∧ pr) + (r ∧ q ) + (r ∧ true)) // rule 5
≡ (pqr + false + pq) unionsq (pr + rq + r) // Boolean laws
≡ pr + rq + r . // absorption and identity laws
The ﬁrst step removes the complementation. Then the application of distributivity rules
pushes conjunction down in the expression tree of the formula, to the level of monomials.
Finally, the formula is simpliﬁed, by observing that false is the absorbing element of
coalescing and the identity of union.
Theorem 4.1.43. Under Constraint 4.1.40, the rewriting system in Figure 4.6 has the
following properties:
1. The rewriting system is terminating and conﬂuent.
2. For any formula f ′ derived from a formula f by the application of rewriting rules, we
have f ′ ≡ f .
68
4.1. Propositional conﬁguration logic (PCL)
3. Any irreducible formula is in the normal form ⊔i∈I ∑j∈Ji ∨k∈Ki,j mi,j,k.
Proof. 1. In order to prove that the rewriting system is terminating, we deﬁne a ranking
function on the AST of a formula, with leaves representing interaction sub-formulas. First,
we introduce the following notations:
• Denote p(n) the number of nodes in the subtree with the root n.
• Denote d(n) the depth of the node n in the AST of the formula.
• Let N =∑n p(n)p(n), where the sum is taken over all ¬ -nodes.
• Let C =∑n p(n)p(n), where the sum is taken over all ∧ -nodes.
• Let U =∑n d(n), where the sum is taken over all unionsq -nodes.
• Denote A the number of +-nodes in the AST of the formula.
The ranking function associates a tuple to a tree 〈N,C,U,A〉. We use lexicographical order
to compare the values of the function, i.e. 〈a1, a2, a3, a4〉 < 〈b1, b2, b3, b4〉 iﬀ there exists i ≤ 4
such that aj = bj , for all j < i, and ai < bi. We show that application of each rewriting rule
strictly reduces the value of the ranking function.
• Rule 1 does not change N and reduces C. Let n be the ∧ -node, to which we
apply the Rule 1. For each ∧ -node n′, generated by the application of the rule, we
have p(n′) < p(n). The number of generated ∧ -nodes n′ is less than p(n). Hence,
p(n)p(n) > p(n) ∗ p(n′)p(n′), which implies that the value of C decreases after the
application of the rule. Although, application of Rule 1 increases the value of U , the
ranking function decreases by the deﬁnition of the lexicographical order.
• Application of Rule 2 increases A, but decreases U as it transforms a non-empty set of
unionsq -nodes into one with smaller depth. This rule does not change the values of N or C.
• Application of Rule 3 decreases N . A ¬ -node with value p(n)p(n) is transformed into
less than p(n) nodes of value less than p(n′)p(n′) with p(n′) < p(n).
• Application of Rule 4 decreases N . It transforms a ¬ -node into a union of conjunctions
and coalescing.
• Application of Rule 5 decreases C and does not change N . It transforms a ∧ -node
into a coalescing of interaction formulas.
• Application of usual Boolean transformations makes modiﬁcations only inside leaves,
thus this rule does not aﬀect the function value.
69
Chapter 4. Conﬁguration logics
Since all rewriting rules decrease the rank of the tree and each value is a tuple of ﬁnite
natural numbers, any sequence of applications of rewriting rules is ﬁnite.
Notice that applications of rules in diﬀerent subtrees do not interfere and the order of
rule applications between subtrees does not aﬀect the resulting formula. This observation,
together with Constraint 4.1.40, guarantees the conﬂuence of the rewriting system.
2. Since all rewriting rules in Figure 4.6 preserve equality, the formula obtained by application
of these rules is necessarily equal to the initial one.
3. Let f be an irreducible formula and let T be an AST of f . Any node of T can be
represented by the expression x → (n1, . . . , nk), where x ∈ {unionsq ,+,¬ ,∧} is an operator and
(n1, . . . , nk) is the list of child nodes. We call such a node x → (n1, . . . , nk) an x-node. Notice
that, since all operators of the Conﬁguration Logic are associative, an x-node can always be
merged with its immediate child x-nodes: let n1 = x → (m1, . . . ,ml), then x → (n1, . . . , nk)
can be substituted by x → (m1, . . . ,ml, n2, . . . , nk) without changing the meaning of the
formula (similarly for all ni). Henceforth, we assume that no child node of an x-node is an
x-node.
Let n be a ¬ -node in T , such that none of the nodes in the sub-tree rooted in n is a ¬ -node.
Let n′ be a child node of n. Since Rules 3 and 4 cannot be applied to n, the node n′ is
neither a unionsq -node, nor a node representing an interaction formula. Hence, n′ corresponds to
a conjunction or a coalescing of PCL formulas, among which at least one is not an interaction
formula. Notice that in the subtree rooted at n′ there are neither ¬ -nodes by the assumption
that n is the deepest one nor unionsq -nodes since Rules 1, 2 and 3 cannot be applied. Let n′′
be the deepest coalescing node in the subtree rooted at n′. Children of n′′ are interaction
formulas as subtrees rooted at n′′ cannot contain ¬ -, unionsq - or +-nodes. The parent node of
n′′ cannot be a negation or a union since they cannot appear in the subtree rooted at n′, it
is not a coalescing due to the form of AST and it is not a conjunction since Rule 5 is not
applicable. This contradicts to the assumption that there are ¬ -nodes in the AST.
Since none of the Rules 1, 2 and 3 are applicable, a unionsq -node can only be the root of the AST
of f . Hence, since Rule 5 is not applicable and there are no ¬ -nodes in the AST of f , a
+-node can only be the root or a child of the unionsq -node. Furthermore, for the same reason, the
children of a +-node can only be interaction formulas.
Since all interaction sub-formulas are in their DNF forms (see Remark 4.1.41), we conclude
that f is in normal form.
A full monomial is a monomial, which involves all ports, i.e. m = ∧p∈P+ p ∧∧p∈P− p such
that P = P+ ∪P− and P+ ∩P− = ∅. We deﬁne a full normal form as ⊔i∈I ∑j∈J mi,j,k, where
mi,j,k are full monomials. We show that any formula has an equivalent full normal form.
Lemma 4.1.44. A formula f = ∑i∈I mi, where mi are full monomials, is satisﬁed by
70
4.1. Propositional conﬁguration logic (PCL)
exactly one conﬁguration γ = {ai}i∈I , where ai is an interaction corresponding to the full
monomial mi: mi =
∧
p∈ai p ∧
∧
p∈ai p .
Proof. Since mi is a full monomial, there exists exactly one valuation of ports such that the
monomial evaluates to true, i.e. there exists exactly one interaction ai such that ai |=i mi.
γ |= ∑i∈I mi iﬀ there exists {γi}i∈I such that γ = ⋃i∈I γi and, for all i ∈ I, γi |= mi. For
each mi there exists only one interaction and consequently only one conﬁguration γi |= mi.
Thus, there exists exactly one γ, such that γ |= f .
Theorem 4.1.45. Any formula f has a unique full normal form.
Proof. By Theorem 4.1.43 any formula f can be rewritten as a formula f ′ ≡ f in normal
form. In f ′, any non-full monomial can be transformed into a disjunction of full monomials,
which, by Corollary 4.1.8, can be further transformed into a union of coalesced full monomials.
The application of Proposition 4.1.7 leads to the full normal form. Uniqueness is a corollary
of Lemma 4.1.44.
Example 4.1.46. Let P = {p, q, r} and consider the normal form formula pr + rq . It can
be transformed into full normal form as follows:
pr + rq ≡ (pqr unionsq pq r unionsq pqr + pq r) + (pq r unionsq p q r unionsq pq r + p q r)
≡ (pqr + pq r) unionsq (pqr + p q r) unionsq (pqr + pq r + p q r) unionsq pq r unionsq (pq r + p q r) unionsq (pq r + p q r)
unionsq (pqr + pq r) unionsq (pqr + pq r + p q r) unionsq (pqr + pq r + p q r).
4.1.3 Soundness and completeness
Axioms. PCL operators satisfy the following axioms:
1. The PIL axioms for interaction formulas.
2. The usual axioms of propositional logic for unionsq , ∧ , ¬ .
3. + is associative, commutative and has an absorbing element false.
4. For any formulas f , f1 and f2, holds f + (f1 unionsq f2) ≡ f + f1 unionsq f + f2.
5. For any sets of interaction formulas Φ and Ψ, holds∑
φ∈Φ
φ ∧
∑
ψ∈Ψ
ψ ≡
∑
ξ∈Φ∪Ψ
(
ξ ∧
∨
(φ,ψ)∈Φ×Ψ
(φ ∧ ψ)
)
.
6. For any set of interaction formulas Φ, holds
¬
(∑
φ∈Φ
φ
)
≡
⊔
φ∈Φ
φ unionsq ∼
( ∧
φ∈Φ
φ
)
.
71
Chapter 4. Conﬁguration logics
Theorem 4.1.47. The above axiomatization is sound and complete for the equality in PCL.
Proof. Soundness of all the above axioms has been proved in previous sections. Completeness
is an immediate consequence of the existence of a unique full normal form.
4.1.4 Checking satisfaction of PCL formulas
We provide a method for checking that a conﬁguration of the form γ = {a1, . . . , an} satisﬁes
a formula f . Without loss of generality, we assume that the formula is in normal form
f = ⊔i∈I ∑j∈Ji ∨k∈Ki,j mi,j,k. We have to check that γ satisﬁes at least one of the terms∑
j∈Ji
∨
k∈Ki,j mi,j,k, for some i ∈ I. Algorithm 1 performs this veriﬁcation for one term
(index i is omitted).
Algorithm 1: Algorithm for checking satisfaction of formulas
Data: A sub-formula f =
∑
j∈J
∨
k∈Kj mj,k and a conﬁguration γ = {a1, . . . , an}.
Result: Returns true if γ |= f , otherwise it returns false.
begin
J ′ = ∅;
l = 1;
b = true;
while (l ≤ n and b) do
X = {j ∈ J | al |=i
∨
k∈Kj mj,k};
if X = ∅ then
J ′ = J ′ ∪ X;
else
b = false;
l = l + 1;
return J ′ = J ;
We have to check the validity of the following two statements: 1) each interaction satisﬁes
at least one interaction formula and 2) each interaction formula is satisﬁed by at least one
interaction. The algorithm iterates through the interactions, checking the ﬁrst part and
memorising the satisﬁed interaction formulas. After the iteration stops, it checks whether
all interaction formulas were satisﬁed by at least one interaction. Conﬁguration γ satisﬁes
the formula f iﬀ the disjunction of the results of Algorithm 1, for all terms of the union,
evaluates to true.
An alternative method for checking satisfaction of a formula f by a conﬁguration γ is based
on the existence of a normal form and the completeness theorem.
Consider a formula f and a conﬁguration γ = {a1, ..., an}. In order to decide whether γ |= f ,
we associate with γ a characteristic formula ϕγ = m1+· · ·+mn, where mi = ∧p∈ai p∧∧p∈ai p
are characteristic monomials of the respective interactions ai. Notice that ϕγ has exactly one
model γ (Lemma 4.1.44). If formulas ϕγ and ¬ f have no common models then γ is a model
72
4.2. First and second order extensions of PCL
of f . Thus, γ |= f iﬀ ϕγ ∧ ¬ f ≡ false. This latter equality can be decided by verifying
whether all terms of the normal form of ϕγ ∧ ¬ f are equal to false. Recall that the terms
of a formula in normal form are coalescings of interaction formulas. Therefore, for a term to
be equal to false, it is suﬃcient that one of its participating interaction formulas be equal
to false. Finally, as in Boolean logics, a disjunction of monomials is equal to false iﬀ all
monomials contain one of the variables at least twice in opposite (positive and negative)
forms.
Example 4.1.48. Let P = {p, q, r} and consider f = p q+r p and γ = {{p, q, r}, {q, r}}. In
order to decide whether γ |= f , we ﬁrst apply Algorithm 1. This algorithm iterates through
the interactions of γ and monomials of f : {p, q, r} satisﬁes p q, whereas {q, r} satisﬁes r p .
For both interactions the sets of monomials are not empty and all monomials were visited.
Hence, γ |= f .
Alternatively, we consider the characteristic formula ϕγ = p q r + q r p and check whether
ϕγ ∧ ¬ f = (p q r + q r p ) ∧ ¬ (p q + r p ) ≡ false. We have:
(pqr + qrp ) ∧ ¬ (pq + rp )
≡ (pqr + qrp ) ∧
(
(p ∨ q ) unionsq (r ∨ p)unionsq ∼((p ∨ q ) ∧ (r ∨ p)))
≡
((
pqr ∧ (p ∨ q ))+ (qrp ∧ (p ∨ q ))) unionsq ((pqr ∧ (r ∨ p))+ (qrp ∧ (r ∨ p)))
unionsq
(
(pqr + qrp ) ∧ ((p ∨ q ) ∧ (r ∨ p) + true))
≡ (false + p qr) unionsq (pqr + false) unionsq
(
(pqr + qrp ) ∧ ((p r ∨ q r ∨ p q ) + true))
≡ false unionsq false unionsq
(
(pqr + qrp ) ∧ ((p r ∨ q r ∨ p q ) + true))
≡ (pqr ∨ qrp ) ∧ pqr + (pqr ∨ qrp ) ∧ qrp
+ (pqr ∨ qrp ) ∧ (p r ∨ q r ∨ p q ) + (pqr ∨ qrp ) ∧ true
≡ pqr + qrp + false + (pqr ∨ qrp ) ≡ false .
4.2 First and second order extensions of PCL
PCL is deﬁned for a given set of components and a given set of ports. On the contrary,
architecture styles are deﬁned for arbitrary number of components. In order to specify
architecture styles, we introduce types of components and quantiﬁcation over component
variables. We make the following assumptions:
• A ﬁnite set of component types T = {T1, . . . , Tn} is given. Instances of a component
type have the same interface and behaviour. We write c : T to denote a component c
of type T . Additionally, we denote CT the set of all the components of type T . Finally,
we assume the existence of the universal component type U , such that any component
or component set is of this type. Thus, CU represents all the components of a model.
73
Chapter 4. Conﬁguration logics
• The interface of each component type has a distinct set of ports. We write c.p to
denote the port p of component c and c.P to denote the set of ports of component c.
4.2.1 First-order conﬁguration logic
Syntax. The language of the formulas of the ﬁrst-order conﬁguration logic is an extension
of the PCL language by allowing Boolean expressions on component variables, existential
quantiﬁcation and a speciﬁc coalescing quantiﬁer Σc :T .
F ::= true | φ | ∃c :T (Φ(c)).F | Σc :T (Φ(c)).F | F unionsq F | ¬ F | F + F ,
where φ is an interaction formula, c is a component variable and Φ(c) is some set-theoretic
predicate on c (omitted when Φ = true).
Additionally, we deﬁne the usual notation for universal quantiﬁer:
∀c :T (Φ(c)).F def= ¬ ∃c :T (Φ(c)).¬ F.
Semantics. The semantics is deﬁned for closed formulas, where, for each variable in the
formula, there is a quantiﬁer over this variable in an upper nesting level. We assume that a
ﬁnite set of component types T = {T1, . . . , Tn} is given. Models are pairs 〈B, γ〉, where B is
a set of component instances of types from T and γ is a conﬁguration on the set of ports P
of these components. For quantiﬁer-free closed formulas the semantics is the same as for
PCL formulas. For closed formulas with quantiﬁers the satisfaction relation is deﬁned by
the following rules:
〈B, γ〉 |= ∃c :T (Φ(c)) . F , iﬀ γ |= ⊔
c′:T∈B ∧ Φ(c′)
F [c′/c] ,
〈B, γ〉 |= Σc :T (Φ(c)) . F ,
iﬀ {c′ : T ∈ B |Φ(c′)} = ∅ ∧ γ |=
∑
c′:T∈B ∧ Φ(c′)
F [c′/c] ,
where c′ : T ranges over all component instances of type T ∈ T satisfying Φ and F [c′/c] is
obtained by replacing all occurrences of c in F by c′.
For a more concise representation of formulas, we introduce the following additional notation:
(c1.p1, . . . , cn.pn)
def=
n∧
i=1
ci.pi ∧
n∧
i=1
∧
p∈ci.P\{pi}
ci.p
∧
∧
T∈T
⎛⎝∀c :T (c ∈ {c1, . . . , cn}). ∧
p∈c.P
c.p
⎞⎠ .
74
4.2. First and second order extensions of PCL
The (c1.p1, . . . , cn.pn) notation expresses an exact interaction, i.e. all ports in the arguments
must participate in the interaction and all other ports of the system cannot participate in
the interaction. If 〈B, γ〉 is a model, it can be shown that:
〈B, γ〉 |= (c1.p1, c2.p2, . . . , cn.pn)
iﬀ c1, c2, . . . , cn ∈ B and γ =
{{c1.p1, c2.p2, . . . , cn.pn}} .
The following three examples illustrate the speciﬁcation of simple interactions.
Example 4.2.1 (Single interaction). Assume that there is only one type of components T
with a single port p. We characterize models with a single interaction {c1.p, c2.p}.
The formulas c1.p c2.p and ∼(c1.p c2.p) do not ensure the presence of interaction {c1.p, c2.p},
since the model with γ =
{{c1.p, c2.p, c3.p}} satisﬁes these formulas. The correct speciﬁcation
can be expressed by a monomial, which contains all the negated ports that are not included
in the interaction:
c1.p ∧ c2.p ∧ ∀c :T
(
c ∈ {c1, c2}
)
. c.p . (4.11)
This formula is can be equivalently rewritten using the  notation introduced above:
(c1.p, c2.p).
Example 4.2.2 (No interaction of arity greater than two). Assume again that all components
are of type T with a single port p. We want to express the property that all interactions
involve at most two ports.
If we have three components c1, c2, c3 the formula c1.p c2.p c3.p forbids interactions involving
all of the components. The desired speciﬁcation is obtained by requiring that this formula
holds for any triple of components:
∀c1 : T. ∀c2 : T (c1 = c2). ∀c3 :T
(
c3 ∈ {c1, c2}
)
.(c1.p c2.p c3.p ).
Example 4.2.3 (Binary interactions). Let us further restrict the speciﬁcation of Exam-
ple 4.2.2, so that all binary interactions among components are included. The monomial
c1.p c2.p represents all interactions involving ports c1.p and c2.p. In order to allow other
interactions, we take the closure of this formula, i.e. ∼(c1.p c2.p). To obtain the required
speciﬁcation, we conjunct that of Example 4.2.2 with ∼(c1.p c2.p) for each pair of components
as follows:
∀c1 : T. ∀c2 : T (c1 = c2). ∼(c1.p c2.p)
∧ ∀c1 : T. ∀c2 : T (c1 = c2). ∀c3 :T
(
c3 ∈ {c1, c2}
)
.(c1.p c2.p c3.p ) .
The following examples illustrate the speciﬁcation of architecture styles and patterns.
Example 4.2.4. The Star architecture style, illustrated in Figure 4.8, is deﬁned for a set
of components of the same type. One central component s is connected to every other
75
Chapter 4. Conﬁguration logics
p1T
p2 T
p3 T
p4 T
p5 T
Figure 4.8 – A Star architecture
component through a binary interaction and there are no other interactions. It can be
speciﬁed as follows:
∃s :T. ∀c :T (c = s).
(
∼(c.p s.p) ∧ ∀c′ :T (c′ ∈ {c, s}). (c′.p c.p ))
∧ ¬(∃c :T. ∼(c.p)) . (4.12)
The three conjuncts of this formula express, respectively, the properties: 1) any component
is connected to the center; 2) components other than the center are not connected among
themselves; and 3) unary interactions are forbidden.
Notice that the semantics of the ﬁrst conjunct in (4.12), ∀c : T (c = s). ∼ (c.p s.p), is a
conjunction of closure formulas. In this conjunct, the closure operator also allows interactions
in addition to the ones explicitly deﬁned. Therefore, to correctly specify this style, we forbid
all other interactions by using the second and third conjuncts of the speciﬁcation. A simpler
alternative speciﬁcation uses the Σ quantiﬁer:
∃s :T. Σc :T (c = s). (c.p, s.p) . (4.13)
The  notation requires interactions to be binary and the Σ quantiﬁer allows conﬁgurations
that contain only interactions satisfying (c.p, s.p), for some c. Thus, contrary to (4.12),
we do not need to explicitly forbid unary interactions and connections between non-center
components.
Example 4.2.5. The Pipes and Filters architecture style [44] involves two types of com-
ponents, P and F , each having two ports in and out. Each input (resp. output) of a ﬁlter
is connected to an output (resp. input) of a single pipe. The output of any pipe can be
connected to at most one ﬁlter. One possible conﬁguration is shown in Figure 4.9.
76
4.2. First and second order extensions of PCL
out1P
out2in2 P
out1in1 F
out2in2 F
out3in3 P out3in3 F out4in4 P
in1
Figure 4.9 – A Pipes and Filters architecture
This style can be speciﬁed as follows:
∀f :F. ∃p :P. ∼(f.in p.out) ∧ ∀p′ :P (p = p′). ( f.in p′.out ) (4.14)
∧ ∀f :F. ∃p :P. ∼(f.out p.in) ∧ ∀p′ :P (p = p′). ( f.out p′.in ) (4.15)
∧ ∀p :P. ∃f :F. ∀f ′ :F (f = f ′). ( p.out f ′.in ) (4.16)
∧ ∀p :P.
(
p.in p.out ∧ ∀p′ :P (p = p′). (p.in p′.in ∧ p.in p′.out )) (4.17)
∧ ∀f :F.
(
f.in f.out ∧ ∀f ′ :F (f = f ′). (f.in f ′.in ∧ f.in f ′.out )) . (4.18)
The ﬁrst conjunct (4.14) requires that the input of each ﬁlter be connected to the output of
a single pipe. The second conjunct (4.15) requires that the output of each ﬁlter be connected
to the input of a single pipe. The third conjunct (4.16) requires that the output of a pipe
be connected to at most one ﬁlter. Finally, the fourth and ﬁfth conjuncts (4.17) and (4.18)
require that pipes only be connected to ﬁlters and vice-versa.
Notice that (4.14) and (4.15) in Example 4.2.5 can be simpliﬁed by introducing the additional
notation for “exists unique”:
∃!c :T (Φ(c)). F (c) def= ∃c :T (Φ(c)). F (c) ∧ ∀c′ :T (c = c′ ∧ Φ(c′)). ¬F (c′) . (4.19)
Using this notation, (4.14) and (4.15) can be rewritten, respectively, as
∀f :F. ∃!p :P. ∼(f.in p.out) and ∀f :F. ∃!p :P. ∼(f.out p.in) .
Example 4.2.6. In the Blackboard architecture style [32], a blackboard component of type
B holds data1 that may be updated by a group of knowledge sources of type S. A controller
of type C enforces mutual exclusion of write access. Figure 4.10 depicts a model with three
knowledge sources. We provide speciﬁcations of models composed of: 1) a single blackboard
b with two ports sh (share) and ctrl (control); 2) a single controller c with a port ctrl; and
3) a set of knowledge sources with a port acc (access). No knowledge can be shared without
taking control of the blackboard through the ctrl port.
1We omit the data representation in this example, since only the fact that the data is updated is relevant
and not the data itself.
77
Chapter 4. Conﬁguration logics
ctrl1B
sh1
ctrl1 C
S
acc1
S
acc2
S
acc3
Figure 4.10 – A Blackboard architecture
The Blackboard architecture style can be speciﬁed as follows:
b.ctrl ∧ c.ctrl∧ ∼
(
Σs :S. (s.acc b.sh)
)
∧
(
∀s1 : S. ∀s2 : S(s1 = s2). (s1.acc s2.acc )
)
.
The ﬁrst two conjuncts require that the control ports of blackboard and controller components
participate in all interactions. The third conjunct requires that all knowledge sources be
connected to the blackboard. The last conjunct requires that there be no interactions
involving two or more knowledge sources.
Example 4.2.7. The Request/Response pattern involves Clients and Services. It is deﬁned
as follows [35]:
“Request/Response begins when the client establishes a connection to the service. Once a
connection has been established, the client sends its request and waits for a response. The
service processes the request as soon as it is received and returns a response over the same
connection. This sequence of client-service activities is considered to be synchronous because
the activities occur in a coordinated and strictly ordered sequence. Once the client submits
a request, it cannot continue until the service provides a response."
From this informal description we can infer the following. There are two types of components:
a client Cl and a service S. Clients have three ports: Cl.con, Cl.req and Cl.rec that
correspond to the connect, request and receive actions deﬁned in the pattern, respectively.
Service components have two ports S.get for receiving a request and S.send for sending a
reply to the client that raised a request.
We use a coordinator of type C to enforce the properties: 1) only one client can be
connected at a time to a service; and 2) a client has to connect to the service before
sending a request. A unique coordinator is needed per service and therefore, the number of
coordinators must match the numbers of services. There can be arbitrarily many clients.
Each coordinator has three ports con, get and dsc that correspond to connect, get a request
and disconnect actions. Notice that the behaviour of a coordinator is cyclic involving the
78
4.2. First and second order extensions of PCL
con1
Cl
get1 rec1 con2
Cl
get2 rec2
snd1
S get1
snd1
Creq1
con1
Figure 4.11 – A Request/Response architecture
sequence con → get → dsc → con. The Request/Reply pattern is illustrated in Figure 4.11.
This pattern can be speciﬁed as follows:
Σcl :Cl. Σs :S. ∃c :C.
(
(cl.con, c.con) + (cl.req, s.get, c.get)
+ (cl.rec, s.send, c.dsc)
)
∧ Σcl :Cl. Σc :C. ∃s :S.
(
(cl.con, c.con) + (cl.req, s.get, c.get)
+ (cl.rec, s.send, c.dsc)
)
.
Notice that the ∃ quantiﬁer has the semantics of union. Coalescing distributes over union.
Therefore, the meaning of the nested existential quantiﬁer in the ﬁrst conjunct is several
conﬁgurations, where in each conﬁguration a service is connected to a single coordinator.
The property “a unique coordinator is needed per service” is enforced by the formula as
follows: 1) the ﬁrst conjunct requires that each service be connected to a single coordinator;
and 2) the second conjunct requires that each coordinator be connected to a single service.
Example 4.2.8. The Repository architecture style [31] consists of a repository component
r with a port p and a set of data-accessor components of type A with ports q. We provide
below a list of increasingly strong properties that may be used to characterize this style:
1. The basic property “there exists a single repository and all interactions involve it” is
speciﬁed as follows:
SingleRepo def= ∃r :R. (r.p) ∧ ∀r :R. ∀r′ :R. (r = r′) ,
where the subterm ∀r :R. ∀r′ :R. (r = r′) can be expressed in the logic as ∀r :R. ∀r′ :
79
Chapter 4. Conﬁguration logics
R(r′ = r). false.
2. The additional property “there are some data-accessors and any data-accessor must be
connected to the repository” is enforced by extending the formula as follows:
DataAccessors def= SingleRepo ∧ ∃a :A. true ∧ ∀a :A. ∃r :R. ∼(r.p a.q) .
4.2.2 First-order conﬁguration logic with ordered components
We present an extension of the ﬁrst-order logic in which components are ordered and thus,
we can deﬁne constraints based on component order. As a result, several architecture styles,
for instance the Ring and Linear architecture styles, that are not expressible in the ﬁrst-order
logic can now be expressed [67]. Another diﬀerence with the ﬁrst-order logic presented in
Section 4.2.1 is that we quantify over port variables instead of component variables. This
modiﬁcation allows us to shorten formulas. It does not have any impact on the expressiveness
of the logic since the order of ports and the order of components coincide. We write T.p to
denote the port p of the component type T and T.P to denote the interface of T .
Syntax. The syntax of the ﬁrst-order logic with ordered components is deﬁned by:
F ::= true | φ | F unionsq F | ¬ F | F + F | Qx[i] :T.p (Φ(x[i], i)).F ,
where φ is an interaction formula; x[i], called port variable, refers to the ith instance of the
generic port T.p; Φ(x[i], i) is a predicate based on set-theoretic operations on ports and
arithmetic operations on indices (omitted when Φ = true) and Q∈ {∃,Σ, D} is a quantiﬁer,
corresponding, respectively, to union, coalescing and disjunction operators.
Semantics. The semantics is deﬁned for closed formulas. Models are architectures 〈B, γ〉,
where B is a set of component instances of types from T and γ is a conﬁguration on the set
of ports P of these components.
We denote nT the number of components of type T . Within each component type, components
are ordered linearly, i.e. they can be represented by an array with the index ranging from 1
to nT . Port instances inherit the same ordering: if a component type T has a generic port
T.p, then its ith instance, denoted pi,2 belongs to the ith component instance of type T .
For quantiﬁer-free closed formulas, the semantics is the same as for PCL formulas. For
2To keep full information, the ith instance of a generic port T.p should be denoted (T.p)i. However, since
the type T will always be clear from the context, we omit it to simplify the notation.
80
4.2. First and second order extensions of PCL
quantiﬁers, the satisfaction relation is deﬁned as follows:
〈B, γ〉 |= ∃x[i] :T.p (Φ(x[i], i)) . F , iﬀ γ |= ⊔
j∈[1,nT ]
s.t. Φ(pj ,j)
F
[
pj/x[i]
]
,
〈B, γ〉 |= Σx[i] :T.p (Φ(x[i], i)) . F ,
iﬀ
{
j ∈ [1, nT ]
∣∣Φ(pj , j)} = ∅ ∧ γ |= ∑
j∈[1,nT ]
s.t. Φ(pj ,j)
F
[
pj/x[i]
]
,
〈B, γ〉 |= Dx[i] :T.p (Φ(x[i], i)) . F , iﬀ γ |= ∨
j∈[1,nT ]
s.t. Φ(pj ,j)
F
[
pj/x[i]
]
,
where j ranges over all indices of component instances of type T ∈ T , such that pj and j
satisfy Φ; and F
[
pj/x[i]
]
is the formula obtained by replacing all occurrences of the port
variable x[i] in F by the port instance pj .
For the sake of clarity, we introduce the following additional notations:
• The universal quantiﬁer:
∀x[i] :T.p (Φ(x[i], i)) . F def= ¬ (∃x[i] :T.p (Φ(x[i], i)) . ¬ F) .
• Quantiﬁcation over components:
Qx[i] :T
(
Φ(i)
)
. F
def= Qx[i] :T.p
(
Φ(i)
)
. F ,
for an arbitrary p ∈ T.P and Q∈ {∃,Σ, D,∀}. Here, the predicate Φ does not depend
on x[i], since this variable refers to a component and not to a port.
• For an arbitrary set of port instances S ⊆ U.P (not necessarily instances of the same
generic port):
S
def=
∧
s∈S
s ∧ ∀x[i] :U.P (x[i] ∈ S) . x[i] .
The following examples illustrate the speciﬁcation of architecture styles.
Example 4.2.9. The Repository architecture style, also presented in Example 4.2.8, consists
of one repository component of type R with a port p and a set of data-accessor components
of type A with ports q. We require that any data-accessor component must be connected to
81
Chapter 4. Conﬁguration logics
out1T
in4out4 T
out2in2 T
in3out3 T
in1
Figure 4.12 – A Ring architecture
out1T out2in2 Tin1 out3T out4in4 Tin3
Figure 4.13 – A Linear architecture
the repository. The style can be speciﬁed as follows:
∀r[i] :R . ∀r′[j] :R (i = j) . false ∧ ∃a[i] :A . true
∧ ∃x[i] :R.p .
(
x[i] ∧ ∀y[j] :A.q . ∼(x[i] y[j])
)
.
This formula additionally enforces the existence of a single repository and at least one
data-accessor.
Example 4.2.10. Consider the Request/Response pattern described in Example 4.2.7. The
speciﬁcation of this pattern can be simpliﬁed by requiring connections between pairs of
services and coordinators with equal indices. The Request/Response pattern can be speciﬁed
in the ﬁrst-order conﬁguration logic with ordered components as follows:
Σcl[i] :Cl. Σs[j] :S. ∃c[k] :C(k = j).
(
{cl[i].con, c[k].con}
+ {cl[i].req, s[j].get, c[k].get} + {cl[i].rec, s[j].send, c[k].dsc}
)
.
In the following two examples of this section, we consider systems consisting of components
of a single type T with two generic ports in and out. We assume that every interaction
has at least one in port and at least one out port. Alternatively, this assumption can be
enforced by the constraint
¬
(
∀x[i] :T.out . x[i]
)
∧ ¬
(
∀x[i] :T.in . x[i]
)
.
Example 4.2.11. The Ring architecture style (Example 4.2.15), can be speciﬁed as follows:
Σx[i] :T.out . Σy[j] :T.in (j = i + 1 mod nT ) . {x[i], y[j]}.
The constraint allows only interactions between neighbouring components.
82
4.2. First and second order extensions of PCL
Example 4.2.12. The Linear architecture style, shown in Figure 4.13, involves serially
connected components. It is similar to the Ring architecture style: the diﬀerence being that
in the Linear architecture style, there are two distinguished components that are the ends of
the line such that the input of the ﬁrst component and the output of the last component are
not connected.
Σx[i] :T.out . Σy[j] :T.in (j = i + 1) . {x[i], y[j]} .
The formula is similar to the speciﬁcation of the Ring architecture style. Taking equality
instead of the modular one in the constraint forbids the interaction between the ﬁrst and
the last component.
M p1
q1
s1
r1 M p2
q2
s2
r2
M p3
q3
s3
r3 M p4
q4
s4
r4
Figure 4.14 – A Square Grid architecture
Example 4.2.13. The Square Grid architecture style, shown in Figure 4.14, involves n2
components of type T , each with four ports p, q, r and s. Adjacent components are connected
through ports p and r in each row of the grid and through ports q and s in each column. It
can be speciﬁed as follows:
Σc[i] :T . Σc[j] :T (j = i + 1 ∧ i = 0 mod n) . (c[i].p, c[j].q)
+ Σc[i] :T . Σc[j] :T (j = i + n) . (c[i].r, c[j].t) ,
The formula is based on the speciﬁcation of the Linear architecture style. It requires
components be arranged in n horizontal and n vertical lines of length n.
4.2.3 Second-order conﬁguration logic
Properties stating that two components are connected through a chain of interactions, are
essential for architecture style speciﬁcation. In [60, 67], it is shown that transitive closure,
necessary to specify such reachability properties, cannot be expressed in ﬁrst-order logic
(without or with ordered components). This motivates the introduction of the second-order
conﬁguration logic with quantiﬁcation over sets of components.
This logic extends the ﬁrst-order logic with variables ranging over component sets. We write
C :T to express the fact that all components belonging to C are of type T .
83
Chapter 4. Conﬁguration logics
Syntax. The syntax of the second-order conﬁguration logic is deﬁned by:
S ::= true | φ | ∃c :T (Φ(c)).S | Σc :T (Φ(c)).S | S unionsq S | ¬ S | S + S
| ∃C : T (Ψ(C)).S | ΣC : T (Ψ(C)).S ,
where φ is an interaction formula, c is a component variable, C is a component set variable
and Φ(c), Ψ(C) are some set-theoretic predicates (omitted when true). Additionally, we
deﬁne the usual notation for universal quantiﬁer:
∀C :T (Ψ(C)).S def= ¬ ∃C :T (Ψ(C)).¬ S.
Semantics. The semantics is deﬁned for closed formulas, where, for each variable in the
formula, there is a quantiﬁer over this variable in an upper nesting level. Models are pairs
〈B, γ〉, where B is a set of component instances of types from T and γ is a conﬁguration on
the set of ports P of these components. The meaning of quantiﬁer-free formulas or formulas
with quantiﬁcation only over component variables is as for ﬁrst-order logic. We deﬁne the
meaning of quantiﬁers over component set variables as follows:
〈B, γ〉 |= ∃C :T (Ψ(C)) . S , iﬀ γ |= ⊔
C′:T∈B ∧ Ψ(C′)
S[C ′/C] ,
〈B, γ〉 |= ΣC :T (Ψ(C)) . S ,
iﬀ {C ′ : T ∈ B |Ψ(C ′)} = ∅ ∧ γ |=
∑
C′:T∈B ∧ Ψ(C′)
S[C ′/C] ,
where C ′ :T ranges over all sets of components of type T that satisfy Ψ.
In the examples of this subsection, we consider systems consisting of components of a single
type T with two ports in and out. We assume that every interaction has at least one in port
and at least one out port. Alternatively, this assumption can be enforced by the constraint
¬ (∀c :T. c.out ) ∧ ¬ (∀c :T. c.in ).
Example 4.2.14. The property that the graph, formed by components belonging to a set
C and interactions among their ports, is connected can be expressed as follows:
Connected(C) def= ∀C ′ :T (C ′  C).(
∃c′ :T (c′ ∈ C ′). ∃c :T (c ∈ C \ C ′). ∼(c.in c′.out)unionsq ∼(c′.in c.out)
)
.
In particular, the formula requires that for any subset C ′ of C there exist an interaction
that involves a component that belongs to C ′ and a component that belongs to C \C ′. This
property cannot be expressed in the ﬁrst-order logic and in the ﬁrst-order logic with ordered
components.
84
4.2. First and second order extensions of PCL
We show how the Ring, Linear and Square Grid architecture styles, previously shown in
Examples 4.2.11, 4.2.12, 4.2.13, respectively, are speciﬁed with the Connected predicate.
Example 4.2.15. The component connection graph respects the Ring architecture style
(Figure 4.12) if the following predicate is satisﬁed:
Connected(U) ∧ Σc :T. ∃c′ :T (c = c′). (c.in, c′.out)
∧ Σc :T. ∃c′ :T (c = c′). (c.out, c′.in) ,
The constraint Connected(U) is used to ensure that all components form a single ring, rather
than several disconnected ones. The second and third conjuncts require that each input port
be connected to a unique output port.
Example 4.2.16. Linear architectures (Figure 4.13) involve serially connected components.
The following formula requires that the components in C form a linear architecture:
Linear(C, out, in) def= Connected(U) ∧ ∃c1 :T. ∃c2 :T (c2 = c1).(
Σc :T (c = c1). ∃c′ :T (c′ ∈ {c, c2}). (c.in, c′.out)
∧ Σc :T (c = c2). ∃c′ :T (c′ ∈ {c, c1}). (c.out, c′.in)
)
.
Example 4.2.17. The Square Grid architecture style, shown in Figure 4.14, can be expressed
as follows:(
∀c :T.
(
c.p unionsq ∃c′ :T (c = c′). (c.p, c′.r) + c.p
)
∧
(
c.q unionsq ∃c′ :T (c = c′). (c.q, c′.s) + c.q
)
∧
(
c.r unionsq ∃c′ :T (c = c′). (c.r, c′.p) + c.r
)
∧
(
c.s unionsq ∃c′ :T (c = c′). (c.s, c′.q) + c.s
))
∧ (
∀c :T. ∃C :T (c ∈ C).MaxLinear(C, p, r)
∧∃C ′ :T (C ′ ∩ C = {c} ∧ |C ′| = |C|).MaxLinear(C ′, q, s)
)
∧ (
∀c1 : T. ∀c2 : T (c1 = c2).∀c3 :T
(
c3 ∈ {c1, c2}
)
.
∼(c1.p c2.r + c1.q c3.s) ⇒ ∃c4 :T
(
c4 ∈ {c1, c2, c3}
)
. ∼(c2.q c4.s + c3.p c4.r)
∧ ∼(c1.q c2.s + c1.r c3.p) ⇒ ∃c4 :T
(
c4 ∈ {c1, c2, c3}
)
. ∼(c2.r c4.p + c3.q c4.s)
∧ ∼(c1.r c2.p + c1.s c3.q) ⇒ ∃c4 :T
(
c4 ∈ {c1, c2, c3}
)
. ∼(c2.s c4.q + c3.r c4.p)
∧ ∼(c1.s c2.q + c1.p c3.r) ⇒ ∃c4 :T
(
c4 ∈ {c1, c2, c3}
)
. ∼(c2.p c4.r + c3.s c4.q)
)
∧
Connected(T ),
85
Chapter 4. Conﬁguration logics
where
MaxLinear(C, p1, p2)
def= Linear(C, p1, p2) ∧ ∀C ′ : T (C ⊂ C ′).¬ Linear(C ′, p1, p2).
The four big conjuncts represent, respectively, the following constraints:
1. Each port participates in at most one interaction.
2. Each component belongs in one row and one column of equal sizes. The conjunction
with the ﬁrst constraint ensures that, for any two components, the rows (columns) in
which they belong either coincide or do not intersect.
3. If two components are connected to a third one and all three components do not belong
in the same row or column then there exists a fourth component that is connected
to the ﬁrst two. The conjunction with the second constraint ensures that given two
adjacent components that belong in the same row (column), all other components that
belong in the columns (rows) of the ﬁrst two components are pairwise connected.
4. Components form a single grid instead of several ones. Notice that it is not possible to
distinguish a single grid from several small ones in the ﬁrst-order logic and thus, this
architecture style cannot be expressed in ﬁrst-order logic.
4.3 Related work
An architecture style typically speciﬁes a design vocabulary, constraints on how that vocab-
ulary is used and semantic assumptions about that vocabulary [42]. Constraints may be
about the allowed interactions between components, e.g. strong synchronization between
components. Semantic assumptions concern the behaviour of the involved components, e.g.
loss-less channel, server etc.
A plethora of approaches exist for characterizing architecture styles. For instance, patterns are
very commonly used for this purpose. Patterns in [35, 51] incorporate explicit constructs for
architecture modelling. Nonetheless, they lack formal semantics and they are not amenable
to analysis.
Among the formal approaches for representing and analysing architecture descriptions, we
distinguish two main categories:
• Extensional approaches, where one explicitly deﬁnes every object that is needed for the
speciﬁcation, i.e. the connections inducing interactions among the components (see the
speciﬁcation (4.13) of the Star pattern). All connections, other than the ones speciﬁed,
are excluded. Most ADLs, for instance SOFA [58], Wright [4], XCD [81], adopt this
approach.
86
4.4. Summary
• Intentional approaches, where one does not explicitly specify all the connections among
the components, but these are derived from a set of logical constraints, formulating
the intentions of the designer (see the speciﬁcation (4.12) of the Star pattern). In this
case speciﬁcations are conjunctions of logical formulas.
The proposed framework encompasses both approaches. It allows the description of individual
interactions, e.g. by using interaction formulas. It also allows speciﬁcation of conﬁguration
sets, e.g. by using formulas of the form ∼f .
A large body of literature, originating in [49, 64], studies the use of graph grammars and
transformations [86] to deﬁne software architectures. Although this work focuses mainly on
dynamic reconﬁguration of architectures, e.g. [28, 62, 63], graph grammars can be used to
extensionally deﬁne architecture styles: a style admits all the conﬁgurations that can be
derived by its deﬁning grammar. The main limitations, outlined already in [64], are the
following: 1) the diﬃculty of understanding the architecture style deﬁned by a grammar;
2) the fact that the restriction to context-free grammars precludes the speciﬁcation of
certain styles (e.g. trees with unbounded number of components or interactions, square
grids); 3) the impossibility of combining several styles in a homogeneous manner. To some
extent, the latter two are addressed, respectively, by considering synchronised hyperedge
replacement [41], context-sensitive grammars [39, 106] and architecture views [84]. Our
approach avoids these problems. Combining the extensional and intentional approaches
allows intuitive speciﬁcation of architecture styles. The higher-order extensions of PCL allow
imposing global constraints necessary to specify styles that are not expressible by context-free
graph grammars. Finally, the combination of several architecture styles is deﬁned by the
conjunction of the corresponding PCL formulas.
The proposed framework has similarities, but also signiﬁcant diﬀerences, with the use of
Alloy [55] and OCL [100] for intentional speciﬁcation of architecture styles, respectively, in
ACME and Darwin [43, 45] and in UML [24]. Our approach achieves a strong semantic
integration between architectures and architecture styles. Moreover, conﬁguration logic
allows a ﬁne characterization of the coordination structure by using n-ary connectivity
predicates. On the contrary, the connectivity primitives in [43, 45] are binary predicates
and cannot tightly characterize coordination structures involving multiparty interaction. To
specify an n-ary interaction, these approaches require an additional entity connected by n
binary links with the interacting ports. Since the behaviour of such entities is not part of
the architecture style, it is impossible to distinguish, e.g., between an n-ary synchronisation
and a sequence of n binary ones.
4.4 Summary
We presented conﬁguration logics for the speciﬁcation of architecture styles. Conﬁguration
logic formulas characterize interaction conﬁgurations between instances of typed components.
Conﬁguration logic is a powerset extension of interaction logic used to describe architectures.
87
Chapter 4. Conﬁguration logics
It is integrated in a uniﬁed semantic framework which is equipped with a decision procedure
for checking that a given architecture model meets given style requirements. Quantiﬁcation
over components and sets of components allows the genericity needed for architecture styles.
We have illustrated through multiple examples that conﬁguration logics are a powerful tool
for modelling architecture styles.
88
5 Architecture diagrams
We propose a diﬀerent avenue to architecture style speciﬁcation based on architecture
diagrams, which is a graphical language rooted on rigorous semantics. We focus on the
speciﬁcation of generic coordination mechanisms based on the concept of connector. Notice
that in conﬁguration logics, we use interactions to specify component coordination, whereas
in architecture diagrams we use connectors. In this chapter, we use connectors that are not
hierarchical and do not contain any triggers (Section 2.3.2). As a result, each connector
deﬁnes exactly one interaction and thus, we can use the words connector and interaction
interchangeably.
T1
n1
T2
n2
mp:dp mq:dq
qp
T3
n3
mr:dr
r
Figure 5.1 – An architecture diagram
An architecture diagram consists of a set of component types, a cardinality function and
a set of connector motifs. Instances of a component type have the same interface and
behaviour. The interface of a component type is characterised by a set of port types. The
cardinality function associates each component type with its cardinality, i.e. number of
instances. Figure 5.1 shows an architecture diagram consisting of three component types T1,
T2 and T3 with n1, n2 and n3 instances and port types p, q and r, respectively. Instantiated
components have port instances pi, qj , rk for i, j, k belonging to the intervals [1, n1], [1, n2],
[1, n3], respectively.
Connector motifs are non-empty sets of port types that must interact. Each port type p
in the connector motif has two constraints represented as a pair m : d. Multiplicity m is
the number of port instances pi that are involved in the connectors. Degree d speciﬁes the
89
Chapter 5. Architecture diagrams
number of connectors in which each port instance is involved. A connector motif deﬁnes a
set of conﬁgurations, where a conﬁguration is a set of connectors. The architecture diagram
in Figure 5.1 has a single connector motif involving port types p, q and r.
p1
p2
T3
T1
p3T1
T1
r1
T2q1
q2 T2
Figure 5.2 – Architecture conforming to the
diagram in Figure 5.1
X
p1
p2
T3
T1
p3T1
T1
r1
T2q1
q2 T2
Figure 5.3 – Composition for the diagram in
Figure 5.1
Figure 5.2 shows the unique architecture obtained from the diagram in Figure 5.1 by taking
n1 = 3, mp = 1, dp = 1; n2 = 2, mq = 2, dq = 3; n3 = 1, mr = 1, dr = 3. This is the result
of composition of constraints for port types p, q and r as depicted in Figure 5.3. For port p,
we have three instances and as both the multiplicity and the degree are equal to 1, each port
pi has a single connector lead. For port q, we have two instances and as the multiplicity is
2, we have connectors involving q1 and q2 and their total number is equal to 3 to meet the
degree constraint. Finally, for port r, we have a single instance r1 that has three connector
leads to satisfy the degree constraint.
The semantics of an architecture diagram consisting of a set of connector motifs {Γi}i∈[1..k] is
deﬁned as follows. The meaning of each connector motif Γi is a set of conﬁgurations {γi,j}j∈Ji .
The architecture diagram speciﬁes all the architectures characterised by conﬁgurations of
connectors of the form: γ1,j1 ∪ · · · ∪ γn,jn , where the indices ji ∈ Ji. In other words, the
conﬁguration of an architecture conforming to the diagram is obtained by taking the union
of all sub-conﬁgurations corresponding to each connector motif.
simple
index interval
general
Figure 5.4 – The four classes of architecture diagrams
We propose four classes of architecture diagrams, namely simple, interval, index and general
architecture diagrams. Figure 5.4 shows the expressiveness hierarchy of the four classes.
90
5.1. Simple architecture diagrams
5.1 Simple architecture diagrams
We consider that a component interface is deﬁned by its set of ports, which are used for
interaction with other components. Thus, a component type T has a set of port types T.P .
5.1.1 Syntax and semantics
A simple architecture diagram 〈T , n, C〉 consists of:
• a set of component types T = {T1, . . . , Tk};
• an associated cardinality function n : T → N, where N is the set of natural numbers
(to simplify the notation, we will abbreviate n(Ti) to ni);
• a set of connector motifs C = {Γ1, . . . ,Γl} of the form Γ = (a, {mp : dp}p∈a), where
∅ = a ⊂ ⋃ki=1 Ti.P is a generic connector and mp, dp ∈ N (with mp > 0) are the
multiplicity and degree associated to port type p ∈ a.
Figure 5.5 shows the graphical representation of an architecture diagram with a single
connector motif. It deﬁnes diﬀerent architecture styles, for diﬀerent values of the multiplicity,
degree and cardinality parameters.
T1
n1
T2
n2
mp:dp mq:dq
qp
Figure 5.5 – A simple architecture diagram
An architecture is a pair 〈B, γ〉, where B is an ordered set of components and γ is a
conﬁguration, i.e. a set of connectors among the ports of components in B. We deﬁne a
connector as a set of ports that must interact. For a component B ∈ B and a component
type T , we say that B is of type T if the ports of B are in a bijective correspondence with
the port types in T . Let B1, . . . , Bn be all the components of type T in B. For a port
type p ∈ T.P , we denote the corresponding port instances by p1, . . . , pn and its associated
cardinality by np = n(T ).
Semantics. An architecture 〈B, γ〉 conforms to a diagram 〈T , n, C〉 if, for each i ∈ [1, k], the
number of components of type Ti in B is equal to ni and γ can be partitioned into disjoint
sets γ1, . . . , γl, such that, for each connector motif Γi = (a, {mp : dp}p∈a) ∈ C and each p ∈ a,
1. there are exactly mp instances of p in each connector in γi and
2. each instance of p is involved in exactly dp connectors in γi.
91
Chapter 5. Architecture diagrams
We assume that, for any two connector motifs Γi = (a, {mip : dip}p∈a) (for i = 1, 2) with the
same set of port types a, there exists p ∈ a, such that m1p = m2p. Two connector motifs with
the same set of port types and multiplicities Γi = (a, {mp : dip}p∈a) (for i = 1, 2) can be
replaced by a single connector motif Γ = (a, {mp : d1p + d2p}p∈a), which imposes a weaker
constraint. We consider that the aforementioned assumption does not have signiﬁcant impact
on the expressiveness of the formalism. On the contrary, it greatly simpliﬁes semantics
and analysis. In particular, it ensures that for any conﬁguration γ there exists at most one
partition into disjoint sets γ1, . . . , γl, which correspond to diﬀerent connector motifs. In
other words, a connector cannot correspond to two diﬀerent connector motifs. This greatly
simpliﬁes function VerifyMultiplicity in Subsection 5.5. Furthermore, it also simpliﬁes
the consistency conditions presented in Subsection 5.1.2. Notice that this assumption allows
connector motifs with the same set of port types but diﬀerent multiplicities.
Multiplicity constrains the number of instances of the port type that must participate in a
connector, whereas degree constrains the number of connectors attached to any instance
of the port type. Consider the two diagrams shown in Figures 5.6 and 5.7. They have the
same set of component types and cardinalities. Nevertheless, their multiplicities and degrees
diﬀer, resulting in diﬀerent architectures. Architectures conforming to the two diagrams are
also shown in Figures 5.6 and 5.7.
In Figure 5.6, the multiplicity of the port type p is 1 and the multiplicity of the port type
q is 3, thus, any connector must involve one instance of p and three instances of q. Since
there are only three instances of q, any connector must involve all of them. The degrees of
both port types are 1, so each port is involved in exactly one connector. Thus, the diagram
deﬁnes a single architecture with one quaternary connector.
In Figure 5.7, the multiplicities of both port types p and q is 1. Thus, all connectors are
binary and involve one instance of p and one instance of q. The degree of p is 3, thus three
connectors are attached to each instance of p. Thus, the architecture diagram deﬁnes a
single architecture with three binary connectors.
T1
1
T2
1:1 3:1
qp defines
3
p1
q1
q2
q3
Figure 5.6 – Quaternary synchronisation
T1
1
T2
1:3 1:1
qp defines
3
p1
q1
q2
q3
Figure 5.7 – Binary synchronisation
Notice that component instances of an architecture that conforms to a simple architecture
diagram are not ordered and thus, the following property follows directly from the semantics.
Property 1. Consider an architecture A = 〈B, γ〉, containing two component instances
B1, B2 of type T , that conforms to a simple architecture diagram AD. Then, an architecture
A′ obtained by renaming B1 to B2 and B2 to B1 also conforms to AD.
92
5.1. Simple architecture diagrams
5.1.2 Consistency conditions
Notice that there exist diagrams that do not deﬁne any architecture such as the diagram
shown in Figure 5.8. Since the multiplicity is 1 for both port types p and q, a conforming
architecture must include only binary connectors involving one instance of p and one instance
of q. Additionally, since the degree of both p and q is 1, each port instance must be involved
in exactly one connector. However, the cardinalities impose that there be three connectors
attached to the instances of p, but only two connectors attached to the instances of q. Both
requirements cannot be satisﬁed simultaneously and therefore, no architecture conforms to
this diagram.
T1
3
T2
2
1:1 1:1
qp
Figure 5.8 – An inconsistent diagram
Consider a connector motif Γ = (a, {mp : dp}p∈a) in a diagram 〈T , n, C〉 and a port type
p ∈ a, such that p ∈ T.P , for some T ∈ T . We denote sp = np · dp/mp the matching factor
of p.
A regular conﬁguration of p is a multiset of connectors, such that 1) each connector involves
mp instances of p and no other ports and 2) each instance of the port p is involved in exactly
dp connectors. Notice the diﬀerence between a conﬁguration and a regular conﬁguration of p:
the former deﬁnes a set of connectors, while the latter deﬁnes a multiset of sub-connectors
involving only instances of the port type p. Considering the diagram in Figure 5.1 and the
architecture in Figure 5.2 the only regular conﬁguration of r is the multiset {r1, r1, r1}.
The three copies of the singleton sub-connector r1 are then fused with sub-connectors piq1q2
(i = 1, 2, 3), resulting in a conﬁguration with three distinct connectors.
Lemma 5.1.1. Each regular conﬁguration of a port p has exactly sp connectors.
Proof. 1) We have sp connectors and each connector is a set of mp port instances. Thus,
the sum of connectors’ sizes is sp · mp; 2) Connectors consist of ports and each port instance
is involved in dp connectors. The total number of ports in connectors is np · dp where np is
the number of port instances. Thus sp · mp = np · dp or sp = np · dp/mp.
Notice that, for the diagram of Figure 5.8, we have sp = 3, while sq = 2. To form connectors,
each sub-connector from a regular conﬁguration of p must be fused with exactly one sub-
connector from a regular conﬁguration of q, and vice-versa. Since the sizes of such regular
conﬁgurations are diﬀerent by the above lemma, there is no architecture conforming to this
diagram.
Proposition 5.1.2 provides the necessary and suﬃcient conditions for a simple architecture
93
Chapter 5. Architecture diagrams
diagram to be consistent, i.e. to have at least one conforming architecture. The multiplicity
of a port type must not exceed the number of component instances that contain this port.
The matching factors of all ports participating in the same connector motif must be equal
integers. Finally, since the number of distinct connectors of a connector motif is bounded and
equal to ∏q∈a (nqmq), there must be enough connectors to build a conﬁguration. Notice that
because of the assumption that we made in Subsection 5.1.1 this condition can be applied
independently to each connector motif. Since, by the semantics of diagrams, connector
motifs correspond to disjoint sets of connectors, these conditions are applied separately to
each connector motif.
Proposition 5.1.2. A simple architecture diagram has a conforming architecture iﬀ, for
each connector motif Γ = (a, {mp : dp}p∈a) and each p ∈ a, we have
1. mp ≤ np,
2. ∀q ∈ a, sp = sq ∈ N,
3. sp ≤ ∏q∈a (nqmq).
Proof. This proposition is a special case of Proposition 5.2.5.
5.1.3 Synthesis of conﬁgurations
The synthesis procedure for each connector motif consists of the following two steps: 1)
we ﬁnd regular conﬁgurations for each port type; 2) we fuse these regular conﬁgurations
generating global conﬁgurations speciﬁed by the connector motif.
Regular conﬁgurations of a port type We start with an example illustrating the steps
of the synthesis procedure for a port p.
Example 5.1.3. Consider a port p with np = 4 and mp = 2. There are 6 connectors of
multiplicity 2: p1p2, p1p3, p1p4, p2p3, p2p4, p3p4. They correspond to the set of edges of a
complete graph with vertices p1, p2, p3, p4. The regular conﬁgurations of p for dp = 1, 2, 3,
where each edge appears at most once (i.e. sets of connectors) are shown in Figure 5.9.
p1 p2
p3p4
p1 p2
p3p4
p1 p2
p3p4
p1 p2
p3p4
p1 p2
p3p4
p1 p2
p3p4
Configuration set for 
d=1 (s=2)
Configuration set for 
d=2 (s=4)
p1 p2
p3p4
Configuration set for 
d=3 (s=6)
Figure 5.9 – Regular conﬁgurations of p with np = 4, mp = 2
We provide below an equational characterisation of all the regular conﬁgurations (multisets)
of a given port type p with given np, mp, and dp. For the np port instances, p1, . . . , pn,
94
5.1. Simple architecture diagrams
Table 5.1 – Vector representation of regular conﬁgurations
dp = 1 [100001], [010010], [001100].
dp = 2 [110011], [101101], [011110],
[200002], [020020], [002200].
dp = 3 [111111], [210012], [201102], [120021], [021120],
[012210], [102201], [300003], [030030], [003300].
we have a set {ai}i∈[1,w] of diﬀerent connectors, where w =
(np
mp
)
, to which we associate a
column vector of non-negative integer variables X = [x1, . . . , xw]T .
Consider the Example 5.1.3 and variables x1, . . . , x6 representing the number of occurrences
in a regular conﬁguration of the connectors p1p2, p1p3, p1p4, p2p3, p2p4, p3p4, respectively.
All the regular conﬁgurations (i.e. multisets of connectors), for dp = 1, 2, 3, represented as
vectors of the form [x1, . . . , x6] are listed in Table 5.1. Notice that vectors for dp > 1 can be
obtained as linear combinations of the vectors describing conﬁguration sets for dp = 1.
Then, for the port p we deﬁne an np×w incidence matrix G = [gi,j ]np×w with gi,j = 1 if pi ∈ aj
and gi,j = 0 otherwise. The following equation holds: GX = D, where D = [dp, . . . , dp] (dp
repeated np times). Any non-negative integer solution of this equation deﬁnes a regular
conﬁguration of p. For Example 5.1.3, the equations are:⎧⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎩
x1 + x2 + x3 = d,
x1 + x4 + x5 = d,
x2 + x4 + x6 = d,
x3 + x5 + x6 = d ,
which is equivalent to
⎧⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎩
x1 + x2 + x3 = d,
x3 = x4,
x2 = x5,
x1 = x6 .
(5.1)
Notice that the vectors of Table 5.1 are solutions of (5.1).
Conﬁgurations of a connector motif Let Γ = (a, {mp : dp}p∈a) be a connector motif
such that all port types of a = {p1, . . . , pv} have the same integer matching factor s. For
each pj ∈ a, let γj = {aji}i∈[1,s] be a regular conﬁguration of pj . For arbitrary permutations
πj of [1, s], a set {a1i ∪
⋃v
j=2 a
j
πj(i)}i∈[1,s] is a conﬁguration speciﬁed by the connector motif.
In order to provide an equational characterisation of the connector motif, we consider, for
each j ∈ [1, v], a corresponding solution vector Xj of equations GjXj = Dj characterising
the regular conﬁgurations of pj . We denote by wj the dimension of the vector Xj .
In order to characterise the conﬁgurations of connectors conforming to Γ, we consider, for
each conﬁguration, the v-dimensional matrix E = [ei1,...,iv ]w1×···×wv of 0-1 variables, such
95
Chapter 5. Architecture diagrams
that ei1,...,iv = 1 if the connector a1i1 ∪ · · · ∪ aviv belongs to the conﬁguration and 0 otherwise.
By deﬁnition, the sum of all elements in E is equal to s. Moreover, the following equations
hold: ⎧⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎩
x1i = Σi2,i3...,iv ei,i2,...,iv , for i ∈ [1, w1],
x2i = Σi1,i3,...,iv ei1,i,...,iv , for i ∈ [1, w2],
...
xvi = Σi1,i2,...,iv−1 ei1,...,iv−1,i , for i ∈ [1, wv].
(5.2)
For instance, for a ﬁxed i ∈ [1, w1], all ei,i2,...,iv describe all connectors that contain a1i . The
regular conﬁguration γ1 is characterised by X1, enforcing that a1i belongs to x1i connectors.
The system of linear equations (5.2), combined with the systems of linear equations GjXj =
Dj , for j ∈ [1, v], fully characterises the conﬁgurations of Γ. They can be used to synthesise
architectures from architecture diagrams.
Example 5.1.4. Consider a diagram
({T1, T2}, n, {Γ}), where T1 = {p}, T2 = {q}, n(T1) =
n(T2) = 4 and Γ = (pq, {(mp : dp,mq : dq)}) with mp = 2, mq = 3. The corresponding
equations GpX = Dp, GqY = Dq can be rewritten as⎧⎨⎩x1 + x2 + x3 = dp,x3 = x4, x2 = x5, x1 = x6, and
⎧⎨⎩3y1 = dq,y1 = y2 = y3 = y4. (5.3)
Together with the constraints xi = Σjei,j and yj = Σiei,j , for E = [ei,j ]6×4, equations (5.3)
completely characterise all the conﬁgurations conforming to Γ.
The same methodology can be used to synthesise conﬁgurations with additional constraints.
To impose that some speciﬁc connectors must be included, whereas other speciﬁc connectors
must be excluded from the conﬁgurations, the corresponding variables in the matrix E are
given ﬁxed values: 1 (resp. 0) if the connector must be included (resp. excluded) from the
conﬁgurations. The rest of the synthesis procedure remains the same.
Example 5.1.5. Figure 5.10 shows the architecture diagram from Example 5.1.4, with
dp = 2 and dq = 3. We want to synthesise the conﬁgurations of this diagram with the
following additional constraints: connectors p1p2q1q2q3 and p1p3q2q3q4 must be included,
whereas connector p2p4q1q2q4 must be excluded from the synthesised conﬁgurations.
T1
4
T2
4
2:2 3:3
qp
Figure 5.10 – Architecture diagram of Example 5.1.5
First, we compute the vectors X and Y that represent the regular conﬁgurations of port
types p and q, respectively. Variables x1, . . . , x6 represent the number of occurrences in a
conﬁguration of the connectors p1p2, p1p3, p1p4, p2p3, p2p4, p3p4, respectively. Variables
96
5.1. Simple architecture diagrams
y1, . . . , y4 represent the number of occurrences in a conﬁguration of the connectors q1q2q3,
q1q2q4, q1q3q4, q2q3q4, respectively. Vector X can take one of the following values for
dp = 2: [110011], [101101], [011110], [200002], [020020] or [002200] (Example 5.1.3). Regular
conﬁgurations of q are characterised by the equations 3y1 = d and y1 = y2 = y3 = y4
(Example 5.1.4). For d = 3 there is a single solution Y = [1111].
We now consider the matrix E, where we ﬁx e1,1 = e2,4 = 1 and e5,2 = 0 to impose the
additional synthesis constraints:
E =
⎛⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
y1 y2 y3 y4
x1 1 e1,2 e1,3 e1,4
x2 e2,1 e2,2 e2,3 1
x3 e3,1 e3,2 e3,3 e3,4
x4 e4,1 e4,2 e4,3 e4,4
x5 e5,1 0 e5,3 e5,4
x6 e6,1 e6,2 e6,3 e6,4
⎞⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
Since, for all i ∈ [1, 6], we have xi = Σj ei,j , we observe that x1, x2 ≥ 1. The only valuation
of X that satisﬁes this constraint is [110011]; as mentioned above, the only possible valuation
of Y is [1111]. The sum of rows 3 and 4 of E is 0, so all their elements must be 0s. The sum
of rows 1 and 2 as well as the sum of columns 1 and 4 is 1. Since there exists already an
element with value 1, all other elements in these rows and columns must be 0s. This gives
us the following multidimensional matrix:
E =
⎛⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
y1 y2 y3 y4
x1 1 0 0 0
x2 0 0 0 1
x3 0 0 0 0
x4 0 0 0 0
x5 0 0 e5,3 0
x6 0 e6,2 e6,3 0
⎞⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
The sums of the remaining rows and columns give us the correct values of the other three
elements. The complete solution is the following:
E =
⎛⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝
y1 y2 y3 y4
x1 1 0 0 0
x2 0 0 0 1
x3 0 0 0 0
x4 0 0 0 0
x5 0 0 1 0
x6 0 1 0 0
⎞⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠
,
97
Chapter 5. Architecture diagrams
which corresponds to the conﬁguration {p1p2q1q2q3, p1p3q2q3q4, p2p4q1q3q4, p3p4q1q2q4}.
5.1.4 Architecture style speciﬁcation examples
Example 5.1.6. The Star architecture style consists of a single center component of type
T1 = {p} and n2 components of type T2 = {q}. The central component is connected to every
other component by a binary connector and there are no other connectors. The diagram in
Figure 5.11 graphically describes the Star architecture style. The speciﬁcation of the Star
style with conﬁguration logics was presented in Example 4.2.4.
defines p1
q1
q2T2
1:n2 1:1
qT1 p
center
n2
qn2
n2
…
1
Figure 5.11 – Star architecture style with architecture diagrams
Example 5.1.7. We now consider the multi-star extension of the Star architecture style,
with n center components of type T1, each connected to d components of type T2 by binary
connectors. As in Example 5.1.6, there are no other connectors. The diagram of Figure 5.12
graphically describes this architecture style.
definesT2
1:d 1:1
qT1
n
p
center
n d.
d d…
n
p1 q2
…
q1
qd
pn
…
q(n-1)d+1
q
q(n-1)d+2
n d.
Figure 5.12 – Multi-star architecture style with architecture diagrams
5.2 Interval architecture diagrams
To further enhance the expressiveness of diagrams we introduce interval architecture diagrams
where the cardinality, multiplicity and degree parameters can be intervals. With simple
architecture diagrams, we cannot express properties such as “component instances of type
T are optional”. For instance, let us consider the example in Figure 5.131, that shows four
Master/Slave architectures involving two masters and two slaves. In this example, one of
the masters might be optional, i.e. it might not interact with any slaves. As illustrated in
1This example was previously shown in Chapter 4, Figure 4.2.
98
5.2. Interval architecture diagrams
Figure 5.13, in the ﬁrst two architectures, each master interacts with one slave, however, in
the last two architectures, a single master interacts with both slaves while the other master
does not interact with any slaves. In other words, the degree of the port type m varies from
0 to 2 and cannot be represented by an integer.
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1 p2
q1 q2
M1 M2
S1 S2
p1q1 + p2q2 p1q2 + p2q1 p1q1 + p1q2 p2q1 + p2q2
Figure 5.13 – Master/Slave architectures
5.2.1 Syntax and semantics
An interval architecture diagram 〈T , n, C〉 consists of:
• a set of component types T = {T1, . . . , Tk};
• a cardinality function n : T → N2, associating, to each Ti ∈ T , an interval n(Ti) =
[nli, nui ] ⊂ N (thus, nli ≤ nui );
• a set of connector motifs C = {Γ1, . . . ,Γl} of the form Γ =
(
a, {ty[mlp,mup ] : ty[dlp, dup ]}p∈a
)
,
where ∅ = a ⊂ ⋃ki=1 Ti.P is a generic connector and ty[mlp,mup ], ty[dlp, dup ], with [mlp,mup ],
[dlp, dup ] ⊂ N non-empty intervals and ty ∈ {mc, sc} (mc means “multiple choice”,
whereas sc means “single choice”), are, respectively, multiplicity and degree constraints
associated to p ∈ a.
Semantics. An architecture 〈B, γ〉 conforms to an interval architecture diagram 〈T , n, C〉
if, for each i ∈ [1, k], the number of components of type Ti in B lies in [nli, nui ] and γ
can be partitioned into disjoint sets γ1, . . . , γl, such that for each connector motif Γi =(
a, {ty[mlp,mup ] : ty[dlp, dup ]}p∈a
) ∈ C and each p ∈ a:
1. there are mp ∈ [mlp,mup ] instances of p in each connector in γi; in case of a single choice
interval, the number of instances of p is equal in all connectors in γi;
2. each instance of p is involved in dp ∈ [dlp, dup ] connectors in γi; in case of a single
choice interval, the number of connectors involving an instance of p is the same for all
instances of p.
In other words, each port type p has an associated pair of intervals deﬁning its multiplicity
and degree. The interval attributes specify whether these constraints are uniformly applied
99
Chapter 5. Architecture diagrams
M
2
S1:mc[0,2] 1:1 qp
2
Figure 5.14 – Architecture diagram that deﬁnes the set of architectures in Figure 5.13
or not. We write sc[x, y] (single choice) to mean that the same multiplicity or degree is
applied to each port instance of p. We write mc[x, y] (multiple choice) to mean that diﬀerent
multiplicities or degrees can be applied to diﬀerent port instances of p, provided that they
lie in the interval.
We assume that, for any two connector motifs Γi = (a, {ty[mlp,mup ]i : ty[dlp, dup ]i}p∈a) (for i =
1, 2) with the same set of port types a, there exists p ∈ a such that [mlp,mup ]1 ∩ [mlp,mup ]2 = ∅.
Similarly to simple architecture diagrams, without signiﬁcant impact on the expressiveness
of the formalism, this assumption greatly simpliﬁes semantics and analysis. In particular,
it ensures that for any conﬁguration γ there exists at most one partition into disjoint
sets γ1, . . . , γl, which correspond to diﬀerent connector motifs, which simpliﬁes function
VerifyMultiplicity in Section 5.5. Furthermore, it simpliﬁes the consistency conditions
in Proposition 5.2.5 that can now be applied independently to each connector motif.
Notice that component instances of an architecture that conforms to an interval architecture
diagram are not ordered and thus, the following property follows directly from the semantics.
Property 2. Consider an architecture A, containing two component instances B1, B2 of
type T , that conforms to an interval architecture diagram AD. Then, an architecture A′ is
obtained by renaming B1 to B2 and B2 to B1 also conforms to AD.
Example 5.2.1. The diagram in Figure 5.14 deﬁnes the set of architectures shown in
Figure 5.13. Notice that the degree of port type p is the multiple choice interval mc[0, 2],
since one master component may be connected to two slaves, while the other master may not
be connected to any slaves. For the sake of simplicity, we represent intervals [x, x], mc[x, x]
and sc[x, x] as x.
Proposition 5.2.2. Interval architecture diagrams are strictly more expressive than simple
architecture diagrams.
Proof. Any cardinality n of a simple architecture diagram can be represented as [n, n]. Any
multiplicity m (resp. degree d) can be represented as sc[m,m] (resp. sc[d, d]). Thus, any
simple architecture diagram can be represented as an interval architecture diagram proving
that interval architecture diagrams are at least as expressive as simple architecture diagrams.
To show that they are strictly more expressive than simple diagrams, let us consider the
diagram in Figure 5.14 and its conforming architectures shown in Figure 5.13. Suppose
that it is possible to express the set of architectures shown in Figure 5.13 with a simple
architecture diagram. The ﬁrst two architectures imply that the degree of port type p would
100
5.2. Interval architecture diagrams
be equal to 1, whereas the port instance p1 of the third architecture implies that the degree
of port type p would be equal to 2. Since the degree of a port type in simple diagrams cannot
have multiple values, this results in a contradiction.
5.2.2 Consistency conditions
Similarly to simple architecture diagrams, there are interval diagrams that do not deﬁne
any architectures. Proposition 5.2.5 provides the necessary and suﬃcient conditions for
the consistency of interval architecture diagrams. A connector cannot contain more port
instances than there exist in the system. Thus, the lower bound of multiplicity should not
exceed the maximal number of instances of the associated component type. For all port
types of a connector motif, there should exist a common matching factor that does not
exceed the maximum number of diﬀerent connectors between these ports. These conditions
are a generalisation of Proposition 5.1.2. Auxiliary Lemmas 5.2.3 and 5.2.4 are necessary for
proving Proposition 5.2.5.
Lemma 5.2.3. Consider a set of port types P and a set of s connectors over these ports.
Assume that connector k ∈ [1, s] contains mk,p port instances of p ∈ P and a port instance pj ∈
p is an element of exactly dp,j connectors. The following equality holds ∀p ∈ P, ∑sk=1 mk,p =∑
pj∈p dp,j.
Proof. Consider a port type p ∈ P . Consider a bipartite graph G = (U, V,E) deﬁned by two
disjoint sets of vertices: set of vertices U where each vertex corresponds to one port instance,
and a set of vertices V where each vertex corresponds to one connector. The graph G has
an edge between vertices u ∈ U and v ∈ V if the port associated to u is an element of the
connector associated to v. A vertex vk ∈ V associated with connector k is adjacent to exactly
mk,p vertices associated with ports p of the connector k. Therefore, the number of edges
between U and V is equal to ∑sk=1 mk,p. Furthermore, the degree of a vertex uj ∈ U is equal
to dp,j because pj is an element of dp,j connectors. Therefore, the number of edges between
U and V must also be equal to ∑pj∈p dp,j . Combining this with our previous observation,
we obtain that ∑sk=1 mk,p =∑pj∈p dp,j . The same reasoning can be applied to any port type
p ∈ P giving the same equality.
Lemma 5.2.4. Let P be a set of port types with two associated parameters: np representing
a number of port instances p ∈ P and [dlp, dup ] for dlp ∈ N, dup ∈ N„ dlp ≤ dup representing
the desired degree interval. Consider a set of s distinct connectors A over P , such that
for a port p ∈ P , a connector a ∈ A contains ma,p instances of p, where ma,p ≤ np, and
np · dlp ≤
∑
a∈A ma,p ≤ np · dup . Then it is possible to construct a set of s distinct connectors
A′ such that a connector a contains ma,p instances of p with the degree of an instance pj
being equal to dp,j ∈ [dlp, dup ].
Proof. Let dp,i be a degree of the port pi in A, i.e. dp,i = |{a ∈ A|pi ∈ a}|. Let us deﬁne
a function f : 2A → N such that f(A) = Σp∈PΣpi∈p mindp∈[dlp,dup ] |dp,i − dp|. Function f(A)
101
Chapter 5. Architecture diagrams
achieves its minimal value f(A) = 0 if and only if the degree dp,i ∈ [dlp, dup ] for all ports.
That is, if f(A) = 0, we construct A′ by the assignment A′ = A.
Suppose now that we have A for which f(A) = 0. Since f(A) = 0, this means that there
is at least one port pi such that dp,i < dlp or dp,i > dup . Without loss of generality we can
assume the ﬁrst case (the other case is symmetric). From Lemma 5.2.3, we know that∑s
k=1 mk,p =
∑
pj∈p dp,j . Thus, for at least one port pj ∈ p holds dp,j > dlp.
Now, observe that for the two ports pi and pj , dp,j > dp,i. This means that we can redeﬁne at
least one connector by replacing port pi with port pj without having duplicated connectors
(otherwise, by the pigeonhole principle port pj would already be an element of two identical
connectors). Consider a new set of s connectors Anew obtained by applying the port
replacement procedure. Its value function is at most f(Anew) ≤ f(A) − 1 < f(A). Since
initial value f(A) is bounded, the consecutive application of the port replacement procedure
eventually leads to set Anew for which f(Anew) = 0. Therefore, it is possible to construct set
A′.
To simplify the presentation of Proposition 5.2.5 we use the following notion of choice
function. Let IT and I be the sets of, respectively, typed intervals and intervals, as in the
deﬁnition of interval diagrams above. A function g : IT → I is a choice function if it satisﬁes
the following constraints:
g(ty[x, y]) =
⎧⎨⎩[x, y], if ty = mc,[z, z], for some z ∈ [x, y], if ty = sc.
Proposition 5.2.5. An interval architecture diagram 〈T , n, C〉 is consistent iﬀ, for each T ∈
T , there exists a cardinality ni ∈ [nli, nui ] and, for each connector motif (a, {Mp : Dp}p∈a) ∈ C
and each p ∈ a, there exist choice functions gmp , gdp, such that, for [mlp,mup ] = gmp (Mp) and
[dlp, dup ] = gdp(Dp) hold:
1. mlp ≤ np, for all p ∈ a, (where np = ni for p ∈ T.P ),
2. (S ∩ U ∩ N) = ∅, where
(a) S = ⋂p∈a sp with sp =
⎧⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎩
[
np · dlp
mup
,
np · dup
mlp
], if mlp > 0,
[
np · dlp
mup
,∞), if mlp = 0,
(b) U = [1,∏p∈a∑m∈[mlp,mup ] (npm)].
Proof. Necessity →: Consider an architecture conforming to the diagram. Consider values
nT ∈ [nlT , nuT ] for each T ∈ T equal to the number of components of the corresponding
type in the architecture. Consider a connector motif Γ = (a, {Mp : Dp}p∈a) ∈ C and
102
5.2. Interval architecture diagrams
consider functions gmp , gdp for each port type p ∈ a consistent with the architecture, i.e. if the
multiplicity (degree) of p in the sub-conﬁguration corresponding to the connector motif Γ
in the architecture is equal to v and the multiplicity (degree) interval has type sc then the
corresponding gmp (gdp) returns [v, v].
Condition 1 is trivially obtained - np < mlp cannot occur as the multiplicity of ports cannot
be greater than the number of component instances. In order to show condition 2 we apply
Lemma 5.2.3, ∀p ∈ a, ∑sk=1 mk,p =∑pj∈p dp,j , where s is the number of connectors in the
architecture corresponding to Γ. The lower bound on the left hand side is s · mlp, while
the upper bound on the right hand side is np · dup : these two bounds give us s ≤ np·d
u
p
mlp
(if mlp = 0, s → ∞). By inspecting the upper bound of the left hand side and the lower
bound of the right hand side, we obtain s ≥ np·dlpmup . Thus, s ∈ S. For the set U , notice
that ∏p∈a∑m∈[mlp,mup ] (npm) is equal to the number of diﬀerent ways one could connect ports
in a, so that port p ∈ a has np instances and connector k contains mk,p ∈ [mlp,mup ] ports
pi ∈ p. Therefore, s ∈ U , otherwise, by the pigeonhole principle there would exist duplicated
connectors. Thus, s ∈ S and s ∈ U and s ∈ N so their intersection is not empty. This
reasoning can be applied to any connector motif, proving the necessity of the consistency
conditions.
Suﬃciency ←: We prove this part by construction. Consider values nT and functions g for
which all conditions are satisﬁed. Consider a set of behaviours, such that each type T ∈ T
has nT instances. In order to construct an architecture we need only a set of connectors.
We construct sets for each connector motif independently, taking their union in the ﬁnal
step. Consider a connector motif Γ = (a, {Mp : Dp}p∈a) ∈ C. Suppose that there are no
degree constraints. As in the ﬁrst part of the proof, we know that condition 2 implies that
the number of connectors is bounded by ∏p∈a∑m∈[mlp,mup ] (npm), where mlp ≤ np, which is
satisﬁed by condition 1. Since ∏p∈a∑m∈[mlp,mup ] (npm) is the number of diﬀerent ways one
could connect ports in a, so that port type p ∈ a has np instances and connector k contains
mk,p ∈ [mlp,mup ] port instances of port type p, it follows that it is always possible to select
s distinct connectors (distinct by the set of port instances they contain), where a port
instance pi ∈ p is allowed to have a degree dp,i ∈ [dlp, dup ]. Now, consider one such set A of s
connectors. Since condition 2 is satisﬁed, we know that np · dlp ≤
∑
k∈A mk,p ≤ np · dup for
all p ∈ a, so we can apply the result of Lemma 5.2.4. More precisely, we can iterate over
ports in a (in arbitrary order), and balance the degrees of port instances pi ∈ p, achieving
the degree dp,i ∈ [dlp, dup ]. Since by Lemma 5.2.4 each iteration preserves the distinctness
of connections, once the entire iterative procedure ﬁnishes, we obtain a set of s distinct
connectors for which each port instance has the degree that takes values in [dlp, dup ], and this
holds for all p ∈ a. Considering such sets for each connector motif and taking their union,
we obtain an architecture that conforms to the diagram.
103
Chapter 5. Architecture diagrams
5.2.3 Synthesis of conﬁgurations
The equational characterisation in Section 5.1.3 can be generalised, using systems of inequal-
ities with some additional variables, to interval architecture diagrams. Below, we show how
to characterise the conﬁgurations induced by n instances of a port type p with the associated
degree interval ty[dlp, dup ].
For a given multiplicity m, let X = [x1, . . . , xw]T be the column vector of integer variables,
corresponding to the set {ai}i∈[1,w] (with w =
(n
m
)
) of connectors of multiplicity m, involving
port instances p1, . . . , pn. Let G be the incidence matrix G = [gi,j ]n×w with gi,j = 1 if pi ∈ aj
and gi,j = 0 otherwise. The conﬁgurations induced by the n instances of p are characterised
by the equation GX = D, where D = [d1, . . . , dn]T and the additional (in)equalities:
d1 = · · · = dn = d and dlp ≤ d ≤ dup , for ty = sc,
dlp ≤ d1 ≤ dup , . . . , dlp ≤ dn ≤ dup , for ty = mc.
(5.4)
Example 5.2.6. As in Example 5.1.3, consider a port type p and n = 4, m = 2. For the
degree interval sc[1, 3], the corresponding constraints are 1 ≤ d ≤ 3, x1 + x2 + x3 = d,
x4 = x3, x5 = x2, x6 = x1.
For the degree interval mc[1, 3] the corresponding constraints are 1 ≤ di ≤ 3, for i ∈ [1, 4],
x1 + x2 + x3 = d1, x1 + x4 + x5 = d2, x2 + x4 + x6 = d3, x3 + x5 + x6 = d4. By solving this
system we get: ⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩
0 ≤ xi for i ∈ [1..6],
x6 ≤ 3,
x5 ≤ 3 − x6,
x4 ≤ 3 − x6,
x4 ≤ 3 − x5,
1 − x5 − x6 ≤ x3 ≤ 3 − x5 − x6,
1 − x4 − x6 ≤ x2 ≤ 3 − x4 − x6,
x2 ≤ 3 − x3,
1 − x4 − x5 ≤ x1 ≤ 3 − x4 − x5,
1 − x2 − x3 ≤ x1 ≤ 3 − x2 − x3.
Suppose that the multiplicity of p in the motif is given by an interval ty[mlp,mup ]. Contrary
to the degree, multiplicity does not appear explicitly as a variable in the constraints. Instead,
it inﬂuences the number and nature of elements in both the matrix G and vector X.
Therefore, for single choice (i.e. ty = sc), the conﬁgurations induced by n instances of p are
characterised by the disjunction of the instantiations of the system of equalities combining
GmXm = D with (5.4), for m ∈ [mlp,mup ].
104
5.2. Interval architecture diagrams
M
n1
S
1:sc[1,n2] 1:mc[0,1]
qp
n2
Figure 5.15 – Master/Slave architecture style with architecture diagrams
p1
q2
p2
q3
S S S S S
M M
q1 q4 q5
Figure 5.16 – A Master/Slave architecture
For multiple choice (i.e. ty = mc), all the conﬁgurations are characterised by the system
combining (5.4) with ∑
m∈[mlp,mup ]
(GmXm) = D .
Notice that the above modiﬁcations to accommodate for interval-deﬁned multiplicity are
orthogonal to those in (5.4), accommodating for interval-deﬁned degree. Similarly to the
single-choice case for multiplicity, for interval-deﬁned cardinality, the conﬁgurations are
characterised by taking the disjunction of the characterisations for all values n ∈ [nlp, nup ].
Based on the above characterisation for the conﬁgurations of one port type, global conﬁgura-
tions can be characterised by systems of linear constraints in the same manner as for simple
architecture diagrams.
5.2.4 Architecture style speciﬁcation examples
Example 5.2.7. The diagram in Figure 5.15 describes a Master/Slave architecture style. We
require that each slave interact with at most one master and that each master be connected
to the same number of slaves.
Multiplicities of both port types p and q are equal to 1, allowing only binary connectors
between a master and a slave. The single choice degree of port type p ensures that all port
instances are connected to the same number of connectors which is a number in [1, n2]. The
multiple choice degree of port type q ensures that all port instances are connected to at most
one master. A conforming architecture for n1 = 2 and n2 = 5 is shown in Figure 5.16.
Example 5.2.8. The diagram in Figure 5.17 describes the Repository architecture style
involving a single instance of a component of type R and an arbitrary number of data-accessor
components of type A. We require that any data-accessor component be connected to the
repository. In Figure 5.17, we also show conforming architectures for 3 data-accessors. The
105
Chapter 5. Architecture diagrams
R
1
A
1:mc[1,n2] mc[1,n2]:1
qp
n2
defines orp1
q1
q2
q3
R
A
A
A
p1
q1
q2
q3
or …R
A
A
A
Figure 5.17 – Repository architecture style with architecture diagrams
Repository style was speciﬁed with conﬁguration logics in Example 4.2.8.
Example 5.2.9. The Pipes and Filters architecture style [44] involves two types of com-
ponents, P and F , each having two ports in and out. Each input (resp. output) of a ﬁlter
is connected to an output (resp. input) of a single pipe. The output of any pipe can be
connected to at most one ﬁlter. Figure 5.18 graphically describes the Pipes and Filters
architecture style. The Pipes and Filters style was speciﬁed with conﬁguration logics in
Example 4.2.5.
F
n1
P1:1 1:mc[0,n1] inout
n2
in out
1:1 1:mc[0,1]
Figure 5.18 – Pipes and Filters architecture style with architecture diagrams
Example 5.2.10. The Map-Reduce architecture style [36] allows processing large datasets,
such as those found in search engines and social networking sites. Figure 5.19 graphically
describes the Map-Reduce architecture style. A conforming architecture for n1 = 3 and
n2 = 2 is shown in Figure 5.20.
A large dataset is split into smaller datasets and stored in the global ﬁlesystem (GFS). The
Master is responsible for coordinating and distributing the smaller datasets from the GFS
to each of the map worker components (MW ). The port in of each MW is connected to the
Mcontrol and read ports of the Master and the GFS, respectively. Each MW processes
the datasets and writes the result to its dedicated local ﬁlesystem (LFS) through a binary
connector between their out and write ports. The connector is binary since no MW is
allowed to read the output of another MW . Each reduce worker (RW ) reads the results
from multiple LFS as instructed by the Master component. To this end, the in port of each
RW is connected to the Rcontrol and read ports of the Master and some LFS, respectively.
Then, each RW combines the results to produce a ﬁnal result written back to the GFS
through a binary connector between their out and write ports. No RW is allowed to read
the output of another RW .
106
5.2. Interval architecture diagrams
MasterMcontrol
1
Rcontrol
GFS
write
write
1
in out in out
read
readMW RWLFS
n1 n1 n2
1:mc[0,n1]
1:mc[0,1]
1:mc[0,n1]
1:1 1:1
1:mc[n1,n1*n2]
1:mc[0,n1] 
1:mc[1,n2] 
1:1
1:n2
Figure 5.19 – Map-Reduce architecture style with architecture diagrams
MasterMcontrol1 Rcontrol1
GFS
write2
write1
in2 in2 out2
read1
read2MW RWLFS
in1
out2
MW
in3 MW
write1 read1LFS
write3 read3LFS
in1 out1RWout1
out3
Figure 5.20 – A Map-Reduce architecture
107
Chapter 5. Architecture diagrams
5.3 Index architecture diagrams
We extend simple architecture diagrams with index variables on ports. Arithmetic predi-
cates over the set of index variables are associated with connector motifs and restrict the
involvement of port instances in the same connector.
5.3.1 Syntax and semantics
An index architecture diagram 〈T , n, C〉 consists of:
• a set of component types T = {T1, . . . , Tk};
• an associated cardinality function n : T → N, where N is the set of natural numbers
(again, we abbreviate n(Ti) to ni);
• a set of connector motifs C = {Γ1, . . . ,Γl} of the form Γ = (a, {mp : dp}p∈a, {Ip}p∈a,Φ(I)),
where
– ∅ = a ⊂ ⋃ki=1 Ti.P is a generic connector,
– mp, dp ∈ N (with mp > 0) are the multiplicity and degree associated to port type
p ∈ a,
– Ip (with |Ip| = mp) is the set of index variables associated to p,
– Φ(I) is a predicate based on arithmetic operations over the set of index variables
I = ⋃p∈a Ip.
To maintain consistency with the notations used in conﬁguration logics and simple architecture
diagrams, we use the notation p[I] to associate the set of index variables I with a port type
p in the graphical representation of index architecture diagrams.
Semantics. An architecture 〈B, γ〉 conforms to a diagram 〈T , n, C〉 if, for each i ∈ [1, k], the
number of components of type Ti in B is equal to ni and γ can be partitioned into disjoint
sets γ1, . . . , γl, such that, for each connector motif Γi = (a, {mp : dp}p∈a, {Ip}p∈a,Φ(I)) ∈ C
and each p ∈ a,
1. there are exactly mp instances of p in each connector in γi;
2. each instance of p is involved in exactly dp connectors in γi.
3. each connector imposes a valuation of index variables I that satisﬁes the associated
predicate Φ(I).
Similarly to simple diagrams we assume that, for any two connector motifs Γi = (a, {mip :
dip}p∈a,Φ(I)) (for i = 1, 2) with the same set of port types a, there exists p ∈ a, such that
m1p = m2p.
108
5.3. Index architecture diagrams
T1
3
T2
1:1 1:1
q[J]p[I] defines
3
q2
q3
(i=j)
p1 q1
p2
p3
Figure 5.21 – An index architecture diagram
Consider the diagram shown in Figure 5.21. Notice that, since the multiplicities of both
port types in the connector motif are equal to 1, the associated sets of index variables can
be unambiguously assumed to be I = {i} and J = {j}. The predicate (i = j) imposes the
restriction that components can be connected only if their indices are equal. For instance,
the conﬁguration {p1q2, p2q3, p3q1} does not conform to the diagram shown in Figure 5.21.
Since simple architecture diagrams do not have mechanisms to restrict possible conﬁgurations
based on the order of components, we obtain the following result.
Proposition 5.3.1. Index architecture diagrams are strictly more expressive than simple
architecture diagrams.
Proof. Any simple architecture diagram can be represented as an index architecture diagram
if the associated predicate Φ(I) of each connector is equal to true. Thus, index architecture
diagrams are at least as expressive as simple architecture diagrams. To show that they are
strictly more expressive than simple diagrams, let us consider the diagram in Figure 5.21.
Suppose there exists a simple diagram, whereof the only conforming architecture is that in
the right-hand side of Figure 5.21. By Property 1, it has to be that the set of conforming
architectures of this diagram also contains another architecture that diﬀers from the one in
Figure 5.21 by having connectors between p1 − q2 and p2 − q1 instead of connectors between
p1 − q1 and p2 − q2. Thus, the cardinality of the set of conforming architectures of this
diagram is strictly greater than 1, which proves that no simple architecture diagram can
deﬁne exactly the architecture shown in Figure 5.21.
5.3.2 Architecture style speciﬁcation examples
For the sake of simplicity, in the following examples we omit the set of indices of port types
if there is no associated predicate.
Example 5.3.2. The Request/Response pattern is graphically speciﬁed in Figure 5.22.
There are two types of components: a client Cl and a service S. A coordinator of type C
enforces the properties: 1) only one client can be connected at a time to a service; and 2)
a client has to connect to the service before sending a request. A unique coordinator is
needed per service and therefore, the number of coordinators must match the numbers of
109
Chapter 5. Architecture diagrams
S
n2
C 1:n1
1:n2
n2
Cl
con
r
con
q[J]p[I]
n1
1:n1 1:n1
1:n2
(i=j)
Figure 5.22 – Request/Response style with architecture diagrams
T
1:1
p[I]
n
q[J]
1:1
(j=i+1 modn)
Figure 5.23 – Ring style with architecture diagrams
services. There can be arbitrarily many clients. The Request/Reply pattern is illustrated
in Figure 4.11. The property “a unique coordinator is needed per service” is enforced by
choosing pairs of services and coordinators with equal indices. The equivalent speciﬁcation
with conﬁguration logics was presented in Example 4.2.7.
Example 5.3.3. The Ring architecture style is graphically speciﬁed in Figure 5.23. The
predicate (j = i + 1 mod n) ensures that all components are connected in a single ring.
Equivalent speciﬁcations with conﬁguration logics were presented in Example 4.2.15 and
Example 4.2.11.
5.4 General architecture diagrams
General architecture diagrams combine both extensions of simple architecture diagrams, i.e.
indices and intervals and additionally, introduce arithmetic predicates on multiplicities and
degrees. The former are associated with connector motifs, while the latter are associated
with component types.
5.4.1 Syntax and Semantics
A general architecture diagram 〈T , n, C,D〉 consists of:
110
5.4. General architecture diagrams
• a set of component types T = {T1, . . . , Tk};
• a cardinality function n : T → N2, associating, to each Ti ∈ T , an interval n(Ti) =
[nli, nui ] ⊂ N (thus, nli ≤ nui );
• a set of connector motifs C = {Γ1, . . . ,Γl} of the form
Γ =
(
a, {ty[mlp,mup ] : ty[dlp, dup ]}p∈a, {Ip}p∈a,Φ(I), {mp}p∈a, {dp}p∈a,M
)
,
where
– ∅ = a ⊂ ⋃ki=1 Ti.P is a generic connector,
– ty[mlp,mup ], ty[dlp, dup ], with [mlp,mup ], [dlp, dup ] ⊂ N non-empty intervals and ty ∈
{mc, sc} (mc means “multiple choice”, whereas sc means “single choice”), are,
respectively, multiplicity and degree constraints associated to p ∈ a,
– Ip (with |Ip| = mp) is the set of index variables associated to p,
– Φ(I) is a predicate based on arithmetic operations over the set of index variables
I = ⋃p∈a Ip.
– {mp}p∈a and {dp}p∈a are the sets of, respectively, multiplicity and degree variables
associated to p;
– M is a predicate over {mp}p∈a, which constrains the valuation of multiplicities;
• a set of constraints D = {D1, . . . , Dk}, where, for each i ∈ [1, k], Di is a predicate over
the set of degree variables {Γ.dp |Γ ∈ C, p ∈ Γ.a ∩ Ti.P} associated to the port types
in Ti.P .
Semantics. An architecture 〈B, γ〉 conforms to a general architecture diagram 〈T , n, C,D〉
if, for each i ∈ [1, k], the number of components of type Ti in B lies in [nli, nui ], the
degrees of ports of each component of type Ti satisfy the predicate Di and γ can be parti-
tioned into disjoint sets γ1, . . . , γl, such that for each connector motif Γi =
(
a, {ty[mlp,mup ] :
ty[dlp, dup ]}p∈a, {mp}p∈a, {dp}p∈a,M
) ∈ C and each p ∈ a:
1. there are mp ∈ [mlp,mup ] instances of p in each connector in γi; in case of a single choice
interval the number of instances of p is equal in all connectors in γi;
2. each instance of p is involved in dp ∈ [dlp, dup ] connectors in γi; in case of a single
choice interval, the number of connectors involving an instance of p is the same for all
instances of p;
3. each connector imposes a valuation of index variables I that satisﬁes the associated
predicate Φ(I);
4. in each connector, the involved port multiplicities satisfy the corresponding M predi-
cate;
5. in each component of type Ti, the ports degrees satisfy the predicate Di.
111
Chapter 5. Architecture diagrams
Lemma 5.4.1. The expressiveness of index and interval architecture diagrams is incompa-
rable.
Proof. To show that the expressiveness of index and interval architecture diagrams is
incomparable, let us consider the diagrams of Figures 5.21 and 5.13. Suppose there exists an
interval diagram, whereof the only conforming architecture is that in the right-hand side
of Figure 5.21. By Property 2, it has to be that the set of conforming architectures of this
diagram also contains another architecture that diﬀers from the one in Figure 5.21 by having
connectors between p1 − q2 and p2 − q1 instead of connectors between p1 − q1 and p2 − q2.
Thus, the cardinality of the set of conforming architectures of this diagram is strictly greater
than 1, which proves that no interval architecture diagram can deﬁne exactly the architecture
shown in Figure 5.21. Now, suppose that it is possible to express the set of architectures
shown in Figure 5.13 with an index architecture diagram. The ﬁrst two architectures imply
that the degree of port type p would be equal to 1, whereas the port instance p1 of the third
architecture implies that the degree of port type p would be equal to 2. Since the degree of
a port type in index diagrams has a single value this results in a contradiction.
Proposition 5.4.2. General architecture diagrams are strictly more expressive than simple,
interval and index architecture diagrams.
Proof. Any interval architecture diagram can be represented by a general diagram with the
associated predicate Φ(I) of each connector equal to true and predicates D, M equal to
true. Thus, general architecture diagrams are at least as expressive as interval architecture
diagrams. Any cardinality n of an index architecture diagram can be represented as [n, n].
Any multiplicity m (resp. degree d) can be represented as sc[m,m] (resp. sc[d, d]). Thus,
any index architecture diagram can be represented as a general architecture diagram with
predicates D, M equal to true. Thus, general architecture diagrams are at least as expressive
as index architecture diagrams. By Lemma 5.4.1, the expressiveness of index and interval
diagrams is incomparable, which further implies that general diagrams are strictly more
expressive than index and interval diagrams.
5.4.2 Architecture style speciﬁcation examples
Example 5.4.3. The Peer-to-Peer architecture style [44] involves one component type P
with port types r (request) and p (provide). Figure 5.24 graphically describes the style.
Peers request and provide services through binary connectors between their r and p ports.
Since the multiplicities of both ports are 1, the corresponding sets of index variables are
I = {i} and J = {j}. The predicate (i = j) is satisﬁed if there is no connector between two
ports that belong to the same peer.
Example 5.4.4. The Square Grid architecture style involves one component type M with
four port types p, q, r and s. Figure 5.25 graphically describes the style. There are n2
112
5.4. General architecture diagrams
P
1:mc[0,n]
r[I]
n
p[J]
1:mc[0,n]
(i≠j)
Figure 5.24 – Peer-to-Peer style with architecture diagrams
M p[I]
nn.
q[K]
r[J]
s[L]
1:mc[0,1]
1:mc[0,1]
1:mc[0,1]
1:mc[0,1]
(j=i+1) Λ (j/n = i/n)
(l= k+n)
M p1
q1
s1
r1 M p2
q2
s2
r2
M p3
q3
s3
r3 M p4
q4
s4
r4
defines
Figure 5.25 – Square Grid style with architecture diagrams
components that form a square. Multiplicities of all port types are equal to 1, allowing only
binary connectors and, as in the previous example, uniquely deﬁning the index variables.
The multiple choice degrees require that all ports be connected to at most one connector.
Predicates (j = i+1)∧ (j/n = i/n) and l = k+n ensure that components are connected only
to their neighbours in the grid. A conforming architecture for a 2 × 2 grid of components is
also shown in Figure 5.25. Equivalent speciﬁcations with conﬁguration logics were presented
in Example 4.2.17 and Example 4.2.13.
Example 5.4.5. The Triple Modular Redundancy (TMR) [26, 97, 27] architecture style
is graphically described in Figure 5.27. A TMR architecture consists of three modules M ,
three input modules IM , three output modules OM and some voters V . The number of
voters spans from 1 to 3. Notice the predicate din1 + din2 = 1 on the degrees of connector
motifs connected to the port type in of component type OM . This predicate ensures that
the number of connectors connected to each OM component instance is exactly one. In
other words, the output must be taken either directly from a module or from a voter, but
not from both sources simultaneously. A representative set of architectures described by the
diagram in Figure 5.27 is shown in Figure 5.26.
113
Chapter 5. Architecture diagrams
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t2
in
2
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t1
in
1
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t1
in
1
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t1
in
1
V
ou
t2
in
2
M
ou
t1
IM
ou
t1
in
1
V
ou
t1
in
1
O
M
in
2
IM
ou
t2
IM
ou
t3
M
ou
t2
in
2
M
ou
t3
in
3
O
M
in
1
O
M
in
3
V
ou
t2
in
2
V
ou
t3
in
3
Fi
gu
re
5.
26
–
Tr
ip
le
M
od
ul
ar
R
ed
un
da
nc
y
ar
ch
ite
ct
ur
es
114
5.5. Checking conformance of diagrams
M
3
out[I]IM
3
out in
1:1 1:1
V
[1,3]
outin
1:31:sc[1,3]
OM
3
in[J]
1:1 mc[1,3]:mc[0,1]
1:mc[0,1] 1:mc[0,1]
din1+din2=1
(i=j)
Figure 5.27 – Triple Modular Redundancy style with architecture diagrams
5.5 Checking conformance of diagrams
Algorithm 2 with polynomial-time complexity checks whether an architecture 〈B, γ〉 conforms
to a general architecture diagram 〈T , n, C,D〉. In particular, Algorithm 2 checks the validity
of the following ﬁve statements: 1) the number of components of each type T lies in the
corresponding cardinality interval; 2) there exists a partition of γ into γ1, . . . , γl such that
each γi corresponds to a diﬀerent connector-motif Γi ∈ C of the diagram; 3) for each
connector motif Γi and its corresponding γi, the associated index predicates Φ are satisﬁed;
4) for each connector motif Γi and its corresponding γi, the number of times each port
instance participates in γi satisﬁes the degree constraints and 5) for each component type
the associated degree predicate D are satisﬁed. The ﬁve statements correspond to functions
VerifyCardinality, VerifyMultiplicity, VerifyIndex, VerifyDegree and VerifyDegreePredicates,
respectively. If all statements are valid the algorithm returns true, i.e. the architecture
conforms to the diagram.
Function VerifyCardinality takes as input the architecture diagram 〈T , n, C〉 and the set
of components B of the architecture 〈B, γ〉. It counts the number of components for each
component type in B and it returns true if for each component type T of the diagram its
cardinality matches the corresponding number of components in B. Otherwise it returns
false and algorithm 2 terminates.
Function VerifyMultiplicity takes as input the conﬁguration γ of the architecture 〈B, γ〉 and
the set of connector motifs C of the architecture diagram 〈B, γ〉. The function checks whether
there exists a partition of γ such that each sub-conﬁguration γi of γ corresponds to a distinct
connector motif Ci of C, i.e. each connector k in γi conforms to the multiplicity constraints
of Ci, for which the associated multiplicity predicates M evaluate to true. If such a partition
exists the function returns it. Otherwise, it returns ∅ and algorithm 2 terminates.
Function VerifyIndex takes as input a connector motif Γi of C and its corresponding sub-
conﬁguration γi assigned by VerifyMultiplicity. For each connector in γi, it iterates through
its port instances and checks whether the associated arithmetic predicates on port indices Φ
evaluate to true. If the check fails, algorithm 2 terminates.
Function VerifyDegree takes as input a connector motif Γi of C and its corresponding
sub-conﬁguration γi assigned by VerifyMultiplicity. For each port instance in the sub-
conﬁguration, it checks whether the number of times the port participates in diﬀerent
115
Chapter 5. Architecture diagrams
connectors lies in the corresponding degree interval of the connector motif. If the check fails,
algorithm 2 terminates.
Function VerifyDegreePredicates takes as input the architecture diagram 〈T , n, C〉, the set of
components B of the architecture and the partition Sγ of γ returned by VerifyMultiplicity.
For each component instance T it checks whether the associated degree predicates D evaluate
to true. To do that, for each connector motif and its associated degree predicate, it iterates
through all corresponding connectors in γ and computes the degree of each port instance of
T . If the check fails, algorithm 2 terminates.
Algorithm 2 uses a number of auxiliary functions. Function generic(p) takes a port instance
and returns the corresponding port type. Function typeof(B) returns the component type
of component B. Operation map[key]++ increases the value associated with the key by one
if the key is in the map, otherwise it adds a new key with value 1.
Algorithm 2: VerifyArchitecture
Data: Architecture 〈B, γ〉, diagram 〈T , n, C,D〉
Result: Returns true if the architecture satisﬁes the diagram 〈T , n, C,D〉. Otherwise, it returns
false.
begin
if not VerifyCardinality(B, 〈T , n, C,D〉) then
return false;
/* Splits connectors between connector motifs according to multiplicities constraints.*/
Sγ ←− VerifyMultiplicity(γ, C);
if Sγ = ∅ then
return false;
/* Veriﬁes degree and index constraints for all port types of all connector motifs. */
for Γ ∈ C do
if VerifyIndex(Sγ [Γ],Γ) = true then
return false;
if VerifyDegree(Sγ [Γ],Γ) = true then
return false;
/* Veriﬁes degree predicates D. */
if VerifyDegreePredicates(B, Sγ , 〈T , n, C,D〉)= true then
return false;
return true;
5.6 Encoding of architecture diagrams into conﬁguration log-
ics
To encode architecture diagrams we use the ﬁrst-order conﬁguration logic with ordered
components, which was presented in Section 4.2.2. We start with the encoding of simple
diagrams. Then we discuss the modiﬁcations necessary for obtaining the encodings of the
other three classes of architecture diagrams. Since an empty conﬁguration cannot be part
of the model of a conﬁguration logic formula, in the encoding we consider only non-empty
116
5.6. Encoding of architecture diagrams into conﬁguration logics
Function VerifyCardinality(B, 〈T , n, C,D〉)
Data: Set of components B, diagram 〈T , n, C,D〉
Result: Returns true if the number of components of each type in B lies in the corresponding
cardinality interval speciﬁed in the diagram. Otherwise, it returns false.
begin
/* Creates a map with key: component type, value: number of instances */
countTypes ←− {};
for Bi ∈ B do
countTypes[typeof(Bi)] + +;
for Ti ∈ T do
if countTypes[Ti] ∈ n(Ti) then
return false;
return true;
conﬁgurations deﬁned by connector motifs.
For notational convenience, we introduce the following additional notations for a set of port
variables X[I] =
{
xl[il]
∣∣ l ∈ [1, c]}. Qrepresents any of the following quantiﬁers ∃,Σ, D,∀.
• For a parameter c ∈ N, we deﬁne:
QX[I] :T.p (|X[I]| = c) . F def=
Qx1[i1] :T.p . Qx2[i2] :T.p (i1 = i2) . . . . Qxc[ic] :T.p
(
c−1∧
k=1
ic = ik
)
.
F
[{
x1[i1], . . . , xc[ic]
}
/X[I],
{
i1, . . . , ic
}
/I
]
.
• For n sets of port variables X1[I1], . . . , Xn[In], we deﬁne
(X1[I1], . . . , Xn[In])
def= 
(
n⋃
k=1
Xk[Ik]
)
.
For the sake of simplicity, in the following subsections we omit the set of indices I if there is
no associated predicate.
Encoding of simple architecture diagrams
Consider a simple architecture diagram AD = 〈T , n, C〉. In the encoding we consider T as
a given set of component types. Constraints are imposed by the cardinality n(T ) of each
component type and the connector motifs in C. Cardinalities are independent and thus, we
can deﬁne a constraint per cardinality. Their combined constraint is obtained by conjuncting
all cardinality constraints. The constraints imposed by connector motifs are also independent
and their semantics is deﬁned as a disjoint partition of a conﬁguration such that each part
corresponds to a diﬀerent connector motif. Thus, their combined constraint is obtained by
117
Chapter 5. Architecture diagrams
Function VerifyMultiplicity(γ, C)
Data: Conﬁguration γ, Set of connector motifs C
Result: Returns a partition Pγ of γ such that each part corresponds to one Γ ∈ C. Connectors in
each part satisfy multiplicity constraint of the corresponding connector motif. If no
partition exists, returns ∅.
begin
/* Creates a map for the partition with key: connector motif and value: sub-conﬁguration.*/
partition ←− {};
for Γ ∈ C do
partition[Γ] ←− ∅;
/* Creates a map for the single choice intervals with key: port type of a connector motif and
value: chosen value.*/
scV alues ←− {};
for k ∈ γ do
/* Creates a map with key: port type and value: number of instances of the port type in the
connector. */
portsCount ←− {};
for pi ∈ k do
portsCount[generic(pi)] + +;
x ←− false;
/* Tries to ﬁnd a connector motif such that connector satisﬁes its constraints.*/
for Γ ∈ C do
if a = keys(portsCount) then
y ←− true;
/* Checks the multiplicity intervals.*/
for p ∈ a do
if portsCount[p] ∈ [mlp,mup ] then
y ←− false;
break;
/* Additional check in case of the single choice interval.*/
if ty[mlp,mup ] = sc[mlp,mup ] then
if hasKey(scV alues, 〈Γ, p〉) && scV alues[〈Γ, p〉] = portsCount[p] then
y ←− false;
break;
else
scV alues[〈Γ, p〉] ←− portsCount[p];
/* Checks if the multiplicity predicate M is satisﬁed.*/
if MultiplicityPredicate(portsCount,M) = false then
y ←− false;
if y then
partition[Γ] ←− partition[Γ] ∪ k;
x ←− true;
break;
/* A connector does not satisfy constraints of any connector motif. */
if x = false then
return ∅;
return partition;
118
5.6. Encoding of architecture diagrams into conﬁguration logics
Function VerifyIndex(γi, Γ)
Data: Conﬁguration γi, Connector motif Γ
Result: Returns true if the index requirements are satisﬁed. Otherwise returns false.
begin
for k ∈ γi do
/* Creates a two dimensional array: [port type] [port indices participating in the connector
k] */
ParticipatingPorts ←− {};
/* Iterates through port types. */
for p ∈ a do
ParticipatingPorts[p] ←− {};
/* Iterates through possible indices and denotes which index participates in the
connector k. */
for i ∈ Ip do
if pi ∈ k then
ParticipatingPorts[p][i] = 1;
else
ParticipatingPorts[p][i] = 0;
/* Checks arithmetic predicates Φ. */
if IndexPredicate(ParticipatingPorts,Φ) = false then
return false;
return true;
Function VerifyDegree(γi, Γ)
Data: Conﬁguration γi, Connector motif Γ
Result: Returns true if the degree requirements are satisﬁed. Otherwise returns false.
begin
/* Creates a map with key: port and value: number of connectors it appears in.*/
degrees ←− {};
for k ∈ γi do
for pi ∈ k do
degrees[pi] + +;
/* Creates a map for the single choice intervals with key: port type and value: chosen value.*/
scV alues ←− {};
for pi ∈ keys(degrees) do
p ←− generic(pi);
if degrees[pi] ∈ [dlp, dup ] then
return false;
/* Additional check in case of the single choice interval.*/
if ty[dlp, dup ] = sc[dlp, dup ] then
if hasKey(scV alues, p) && scV alues[p] = degrees[pi] then
return false;
else
scV alues[p] ←− degrees[pi];
return true;
119
Chapter 5. Architecture diagrams
Function VerifyDegreePredicates(B, partition, 〈T , n, C,D〉)
Data: Set of components B, Partition partition, Diagram 〈T , n, C,D〉)
Result: Returns true if the degree requirements D are satisﬁed. Otherwise returns false.
begin
/* Iterates through all component instances. */
for B ∈ B do
i = 0;
Degrees ←− {};
/* Iterates through all γi in the partition. */
/* Finds degree of each port instance for each γi. */
for γi ∈ partition do
Degrees[i] =←− {};
for p ∈ typeof(B).P do
Degrees[i][p] = 0;
for k ∈ γi do
if pt ∈ k then
Degrees[i][p] = Degrees[i][p] + 1;
i = i + 1;
/* Checks degree predicates D. */
if DegreePredicate(Degrees,D) = false then
return false;
return true;
coalescing all connector motif constraints. An encoding of simple architecture diagrams can
be deﬁned as follows:
Encoding(AD) def=
∧
T∈T
CardinalityConstraint(T )
∧
∑
Γ∈C
ConnectorMotifConstraint(Γ) . (5.5)
Cardinality constrains the number of component instances per component type. It can be
encoded as follows:
CardinalityConstraint(T ) def= ∃c[i] :T (i = n(T )) . true ∧ ∀c[i] :T (i > n(T )) . false . (5.6)
Each connector motif Γ =
({T1.p1, . . . , Tn.pn}, {mp, dp}) imposes two types of constraints:
1) a multiplicity constraint; 2) a set of degree constraints, one constraint per port type.
Thus, we have
ConnectorMotifConstraint(Γ) def=
MultiplicityConstraint(Γ) ∧
n∧
i=1
DegreeConstraint(Γ, Ti.pi) . (5.7)
120
5.6. Encoding of architecture diagrams into conﬁguration logics
T1
n
T2
n
2:2
qp
2:2
Figure 5.28 – The simple architecture diagram encoded in Example 5.6.1
Multiplicity constrains the number of involved port instances in each connector. It can be
encoded as follows:
MultiplicityConstraint(Γ) = DX1 :T1.p1 (|X1| = mp1) . . . .
DXn :Tn.pn (|Xn| = mpn) . (X1, . . . , Xn) , (5.8)
(X1, . . . , Xn) allows only connectors that consist of mp1 , . . . ,mpn instances of generic ports
p1, . . . , pn, respectively. The Dquantiﬁer allows to take any number of such connectors.
Degree constrains the number of connectors attached to any instance of a port type. For a
generic port p, it can be encoded as follows:
∀x[k] :T.p .∃X1 :U.P . . . . ∃Xdp :U.P
⎛⎝ dp∧
i=1
x[k] ∈ Xi ∧
∧
i=j
Xi = Xj
⎞⎠ .
dp∑
i=1
(Xi) unionsq
dp∑
i=1
(Xi) + x[k] , (5.9)
For each port instance of the port type p, the formula (5.9) deﬁnes dp sets of ports, one set
per connector that involves the port instance. The union operator allows us to specify all
possible conﬁgurations. ∑dpi=1 (Xi) speciﬁes the case that all connectors are attached to the
port instance of p. ∑dpi=1 (Xi) + x[k] speciﬁes the case that there is at least one connector
that is not attached to the port instance of p.
Example 5.6.1. Consider the diagram shown in Figure 5.28 with two component types
with cardinalities n(T1) = n(T2) = n and a connector motif between port types p and q with
mp = dp = mq = dq = 2. The corresponding encoding is the conjunction of the following
three constraints:
• Cardinality constraints (5.6):
∃c[i] :T1
(
i = n
)
. true ∧ ∀c[i] :T1
(
i > n
)
. false
∧ ∃c[j] :T2
(
j = n
)
. true ∧ ∀c[j] :T2
(
j > n
)
. false .
121
Chapter 5. Architecture diagrams
• Multiplicity constraint (5.8):
DX :T1.p (|X| = 2) . DY :T2.q (|Y | = 2) . (X,Y ).
• Degree constraints (5.9):
∀x[i] :T1.p .∃X1 :U.P
(
x[i] ∈ X1
)
.
∃X2 :U.P
(
X1 = X2 ∧ x[i] ∈ X2
)
.

(
X1, {x[i]}
)
+ 
(
X2, {x[i]}
) unionsq (X1, {x[i]})+ (X2, {x[i]})+ x[i]
∧
∀x[i] :T2.q .∃X1 :U.P
(
x[i] ∈ X1
)
.
∃X2 :U.P
(
X1 = X2 ∧ x[i] ∈ X2
)
.

(
X1, {x[i]}
)
+ 
(
X2, {x[i]}
) unionsq (X1, {x[i]})+ (X2, {x[i]})+ x[i] .
Notice that the two conjuncts of the formula diﬀer only in the type of the variable in
the ﬁrst quantiﬁcation—thus, the formula can be simpliﬁed by quantifying instead
over x[i] :U.P . We keep this presentation for the sake of consistency with the encoding
in (5.7).
Example 5.6.2. Consider the architecture diagram of Example 5.1.7 that describes the
Multi-star architecture style. The encoding of this style is the conjunction of the following
three constraints:
• Cardinality constraints:
∃c[i] :T1
(
i = n
)
. true ∧ ∀c[i] :T1
(
i > n
)
. false
∧ ∃c[j] :T2
(
j = n · d) . true ∧ ∀c[j] :T2 (j > n · d) . false .
• Multiplicity constraint:
Dx[i] :T1.p . Dy[j] :T2.q . {x[i], y[j]} .
• Degree constraints:
∀y[j] :T2.q .∃x[i] :T1.p . {x[i], y[j]} unionsq {x[i], y[j]} + y[j]
∧
∀x[i] :T1.p .∃y[j1] :T2.q .∃y[j2] :T2.q(j1 = j2) . . . .
∃y[jd] :T2.q . (
d∧
k=1
jd = jk) .
d∑
k=1
{x[i], y[jk]} unionsq
d∑
k=1
{x[i], y[jk]} + x[i] .
122
5.6. Encoding of architecture diagrams into conﬁguration logics
Encoding of interval architecture diagrams
Consider an interval architecture diagram AD = 〈T , n, C〉. Similarly to simple architecture
diagrams, there are constraints imposed by cardinalities and connector motifs.
Encoding(AD) =∧
T∈T
CardinalityConstraints(T ) ∧
∑
Γ∈C
ConnectorMotifConstraint(Γ). (5.10)
The cardinality function is now interval-valued. The constraint that the number of compo-
nents of type T must be within the interval [nl, nu] can be represented as follows:
∃c[i] :T (i = nl) . true ∧ ∀c[i] :T (i > nu) . false. (5.11)
As in simple architecture diagrams, the constraint imposed by a connector motif Γ =(
{T1.p1, . . . , Tn.pn}, {ty[mlp,mup ] : ty[dlp, dup ]}
)
can be encoded as follows:
ConnectorMotifConstraint(Γ) def=
MultiplicityConstraint(Γ) ∧
n∧
i=1
DegreeConstraint(Γ, Ti.pi) . (5.12)
Multiplicity requires that the number of involved port instances in each connector be within
the given interval. By choosing a speciﬁc value from each multiplicity interval, we specify a
set of connectors that involve the chosen number of port instances of each port type. This
set of values can be encoded with (5.8). All connectors that are deﬁned by the connector
motif can be obtained by taking all values from all multiplicity intervals. The types of the
intervals deﬁne what subsets of these connectors can form conﬁgurations. The mc type does
not forbid connectors with diﬀerent multiplicities, thus we take a disjunction over all values
in the mc-intervals. On the other hand, the sc type allows only connectors with the same
multiplicity, so we take a union between values of sc-intervals.
Assume that multiplicities of ports T1.p1, . . . , Tk.pk have type sc and multiplicities of ports
Tk+1.pk+1, . . . , Tn.pn have type mc. Since ports in the connector motif are not ordered, this
assumption does not restrict the encoding and is only used to simplify the formula. The
123
Chapter 5. Architecture diagrams
multiplicity constraint can be encoded as follows:
MultiplicityConstraint(Γ) =
mup1⊔
mp1=mlp1
. . .
mupk⊔
mpk=mlpk
mupk+1∨
mpk+1=mlpk+1
. . .
mupn∨
mpn=mlpn
MConstraint(mp1 , . . . ,mpn) , (5.13)
where MConstraint is deﬁned similarly to (5.8):
MConstraint(mp1 , . . . ,mpn) = DX1 :T1.p1 (|X1| = mp1) . . . .
DXn :Tn.pn (|Xn| = mpn) . (X1, . . . , Xn) . (5.14)
The degree associated to a port type p within a connector motif requires all port instances to
be involved in at least dlp and at most dup connectors. This is encoded as a union of formulas
similar to (5.9) for each value in [dlp, dup ]. The type of the interval controls the order of
operators in the encoding. For sc-intervals, degrees have to be equal for all port instances,
while for all ports with mc-interval degrees, we can take any value within the interval. The
degree constraint can be encoded as follows:
DegreeConstraint(Γ, T.p) =⎧⎨⎩
⊔
d∈[dlp,dup ] ∀x[k] :T.p .DConstraint(Γ, x[k], d) , if ty = sc ,
∀x[k] :T.p . ⊔d∈[dlp,dup ] DConstraint(Γ, x[k], d) , if ty = mc , (5.15)
where DConstraint(Γ, x[k], 0) = x[k] and
DConstraint(Γ, x[k], d = 0) =
∃X1 :U.P . . . . ∃Xd :U.P
( dp∧
i=1
x[k] ∈ Xi ∧
∧
i=j
Xi = Xj
)
.
d∑
i=1
(Xi, {x[k]}) unionsq
d∑
i=1
(Xi, {x[k]}) + x[k] . (5.16)
Since the chosen value can be 0, we distinguish this special case.
Example 5.6.3. Consider the architecture diagram of Example 5.2.8 that describes the
Repository architecture style. The diagram is encoded as the conjunction of the following
constraints:
124
5.6. Encoding of architecture diagrams into conﬁguration logics
• Cardinality constraints of R and A (5.12):
∃c[i] :R (i = 1) . true ∧ ∀c[i] :R (i > 1) . false
∧ ∃c[i] :A (i = n2) . true ∧ ∀c[i] :A (i > n2) . false .
• Multiplicity constraint (5.13):
n2∨
mq=1
Dp[i] :R.p . DQ :A.q (|Q| = mq) . (Q, {p[i]}) .
• Degree constraint of R.p (5.15):
∀x[k] :R.p .
⊔
d∈[1,n2]
∃X1 :U.P . . . .
∃Xd :U.P
( dp∧
i=1
x[k] ∈ Xi ∧
∧
i=j
Xi = Xj
)
.
d∑
i=1
(Xi, {x[k]}) unionsq
d∑
i=1
(Xi, {x[k]}) + x[k] .
• Degree constraint of A.q (5.15):
∀x[k] :A.q .∃X :U.P . (X, {x[k}]) unionsq (X, {x[k}]) + x[k] .
Notice that the degree constraint of R.p is implied by the other constraints and it can be
excluded from the formula.
Encoding of index architecture diagrams
Index architecture diagrams introduce arithmetic predicates over the set of index variables on
ports. Arithmetic predicates are associated with connector motifs. They are encoded as part
of the MultiplicityConstraint of the corresponding connector motif. For a connector motif
Γ = ({T1.p1, . . . , Tn.pn}, {mp : dp},Φ(I)) with an associated predicate Φ(I), multiplicity can
be encoded as follows:
MultiplicityConstraint(cm) = DX1[I1] :T1.p1 (|X1[I1]| = mp1) . . . .
DXn[In] :Tn.pn (|Xn[In]| = mpn ∧ Φ(I1 ∪ · · · ∪ In)) .
(X1[I1], . . . , Xn[In]) . (5.17)
(5.17) diﬀers from (5.8) in that in the last quantiﬁcation the extra condition Φ(I1 ∪ · · · ∪ In))
is introduced that ensures the satisfaction of the predicate.
Example 5.6.4. Consider the architecture diagram of Example 5.3.3 that describes the Ring
125
Chapter 5. Architecture diagrams
architecture style. The encoding of this style is a conjunction of the cardinality, multiplicity
and degree constraints:
∃c[i] :T (i = n) . true ∧ ∀c[i] :T (i > n) . false
∧
Dout[i] :T.out . Din[j] :T.in (j = i + 1 mod n) . {out[i], in[j]}
∧
∀r[i] :T.P .∃r[j] :T.P (r[i] = r[j]) . {r[i], r[j]} unionsq {r[i], r[j]} + r[i] .
Notice the quantiﬁcation over r[i] :T.P in the degree constraint instead of the two conjuncts
for each port type.
Encoding of general architecture diagrams
General architecture diagrams combine both extensions of simple architecture diagrams
and additionally have a set of predicates D and M over the set of degree and multiplicity
variables. Consider a general architecture diagram 〈T , n, C,D〉. An encoding of general
diagrams can be deﬁned as follows:
Encoding(AD) =∧
T∈T
CardinalityConstraints(T ) ∧
∑
Γ∈C
ConnectorMotifConstraint(Γ)
∧
∧
DT ∈D
PredicateOnDegrees(DT ), (5.18)
where the cardinality constraint is deﬁned as in interval diagrams 5.11.
The constraint imposed by a connector motif
Γ =
(
{T1.p1, . . . , Tn.pn}, {ty[mlp,mup ] : ty[dlp, dup ]}, {mp}, {dp},M
)
can be encoded as follows:
ConnectorMotifConstraint(Γ) def=
MultiplicityConstraint(Γ) ∧
n∧
i=1
DegreeConstraint(Γ, Ti.pi) , (5.19)
where the degree constraint is deﬁned as in interval diagrams 5.15.
Assume that multiplicities of ports T1.p1, . . . , Tk.pk have type sc and multiplicities of ports
Tk+1.pk+1, . . . , Tn.pn have type mc. Since ports in the connector motif are not ordered, this
assumption does not restrict the encoding and is only used to simplify the formula. The
multiplicity constraint with the predicate M can be deﬁned as follows:
126
5.6. Encoding of architecture diagrams into conﬁguration logics
MultiplicityConstraint(Γ) =
mup1⊔
mp1=mlp1
. . .
mupk⊔
mpk=mlpk
mupk+1∨
mpk+1=mlpk+1
. . .
mupn∨
mpn=mlpn
M(mp1 ,...,mpn )
MConstraint(mp1 , . . . ,mpn) , (5.20)
where MConstraint is deﬁned as in interval diagrams (5.14):
MConstraint(mp1 , . . . ,mpn) = DX1[I1] :T1.p1 (|X1[I1]| = mp1) . . . .
DXn[In] :Tn.pn (|Xn[In]| = mpn ∧ Φ(I1 ∪ · · · ∪ In)) .
(X1[I1], . . . , Xn[In]) , (5.21)
where Φ is a predicate over the set of index variables.
Let us now encode the degree predicates of general diagrams. Each degree predicate DT ∈ D
deﬁnes a constraint over a set of degree variables {Γp.dp |Γ ∈ C, p ∈ Γ.a ∩ T.P} associated
with the port types in T.P . Based on the degree intervals associated with each port type,
the predicate DT has a set of possible solutions {〈dip, diq, . . . , dir〉}i∈I . The degrees of ports of
each component must satisfy one of the solutions. Thus, the predicate can be encoded as
follows:
PredicateOnDegrees(DT ) = ∀c[j] : T .
⊔
i∈I
∑
p∈T.P
DConstraint(Γp, c[j].p, dip) , (5.22)
where DConstraint is deﬁned by the formula (5.16).
Example 5.6.5. Consider the architecture diagram of Example 5.4.3 that describes the
Peer-to-Peer architecture style. The constraints deﬁned by this diagram are encoded as
follows:
∃c[i] :P (i = n) . true ∧ ∀c[i] :P (i > n) . false
∧ Dx[j] :P.p . Dy[i] :P.r (i = j) . {x[j], y[i]}
∧ ∀x[k] :U.P .⊔
d∈[1,n]
(
∃x[i1] :U.P . . . . ∃x[id] :U.P (
d∧
j=1
x[ij ] = x[k] ∧
∧
j =j′
x[ij ] = x[ij′ ]) .
d∑
j=1
{x[k], x[ij ]} unionsq
d∑
j=1
{x[k], x[ij ]} + x[k]
)
unionsq x[k] .
Example 5.6.6. Consider the architecture diagram of Example 5.4.5 describing the TMR
architecture style. The encoding of the diagram is a conjunction of the following constraints:
127
Chapter 5. Architecture diagrams
• Cardinality constraints for all component types:
∃c[i] :IM (i = 3) . true ∧ ∀c[i] :IM (i > 3) . false
∧ ∃c[i] :M (i = 3) . true ∧ ∀c[i] :M (i > 3) . false
∧ ∃c[i] :V (i = 1) . true ∧ ∀c[i] :V (i > 3) . false
∧ ∃c[i] :OM (i = 3) . true ∧ ∀c[i] :OM (i > 3) . false.
• Coalescing of constraints for all connector motifs (all represented as the conjunction of
multiplicity constraint and two degree constraints):
– Connector motif between IM and M : both multiplicities and both degrees are
equal to 1.
Dx[i] :IM.out . Dy[j] :M.in . {x[i], y[j]}
∧ ∀x[i] :IM.out .∃y[j] :M.in . {x[i], y[j]} unionsq {x[i], y[j]} + x[i]
∧ ∀y[j] :M.in .∃x[i] :IM.out . {x[i], y[j]} unionsq {x[i], y[j]} + y[j] .
– Connector motif between M and V : both multiplicities are equal to 1; degree of
M.out is sc[1, 3], thus we take a union of three cases; degree of V.in is 3.
Dx[i] :M.out . Dy[j] :V.in . {x[i], y[j]}
∧
( (
∀x[i] :M.out .∃y[j] :V.in . {x[i], y[j]} unionsq {x[i], y[j]} + x[i]
)
unionsq
(
∀x[i] :M.out . ∃y[j1] :V.in .∃y[j2] :V.in (j1 = j2) .
2∑
k=1
{x[i], y[jk]} unionsq
2∑
k=1
{x[i], y[jk]} + x[i]
)
unionsq
(
∀x[i] :M.out . ∃y[j1] :V.in .∃y[j2] :V.in (j1 = j2) .
∃y[j3] :V.in(j1 = j3 = j2) .
3∑
k=1
{x[i], y[jk]} unionsq
3∑
k=1
{x[i], y[jk]} + x[i]
))
∧ ∀y[i] :V.in .∃x[j1] :M.out . ∃x[j2] :M.out (j1 = j2) .
∃x[j3] :M.out(j1 = j3 = j2) .
3∑
k=1
{y[i], x[jk]} unionsq
3∑
k=1
{y[i], x[jk]} + y[i]
)
.
Since there is a binary connector between every pair of M and V , the encoding
can be simpliﬁed:
Σx[i] :M.out .Σy[j] :V.out . {x[i], y[j]} .
– Connector motif between V and OM : multiplicity of V.out is 1 and of OM.in is
128
5.7. Related work
mc[1, 3], thus it is encoded as a disjunction of three cases; degree of V.out is 1;
degree of OM.in is mc[0, 1] represented as a union of two cases for values 0 and 1.
Dx[i] :V.out .
(
Dy[j] :OM.in . {x[i], y[j]}
∨ DP :OM.in (|P | = 2) . (P, {x[i]})
∨ DP :OM.in (|P | = 3) . (P, {x[i]})
)
∧ ∀x[i] :V.out . ∃P :OM.in .
(P, {x[i]}) unionsq (P, {x[i]}) + x[i]
∧ ∀y[i] :OM.in .
(
y[i] unionsq ∃P :U.P .
({P, y[i]}) unionsq ({P, y[i]}) + y[i]
)
.
– Connector motif between M and OM : both multiplicities are equal to 1; both
degrees are mc[0, 1] represented as unions of two cases.
Dx[i] :M.out . Dy[j] :OM.in . {x[i], y[j]}
∧ ∀x[i] :M.out .
(
x[i] unionsq ∃y[j] :OM.in .
{x[i], y[j]} unionsq {x[i], y[j]} + x[i]
)
∧ ∀y[i] :OM.in .
(
y[i] unionsq ∃x[j] :M.out .
{y[i], x[j]} unionsq {y[i], x[j]} + y[i]
)
.
• Predicate over the set of degree variables of port OM.in that requires the sum of two
degrees be equal to 1. There exist two solutions: 〈0, 1〉 and 〈1, 0〉.
∀x[j] :OM.in .(
x[j] +
(
∃y[i] :V.out . {x[j], y[i]} unionsq {x[j], y[i]} + x[j]
))
unionsq
(
x[j] +
(
∃y[i] :M.out . {x[j], y[i]} unionsq {x[j], y[i]} + in[j]
))
.
5.7 Related work
A plethora of approaches exist for architecture speciﬁcation. Patterns [35, 51] are commonly
used for specifying architectures in practical applications. The speciﬁcation of architectures
is usually done in a graphical way using general purpose graphical tools. Such speciﬁcations
are easy to produce but the meaning of the design may not be clear since the graphical
conventions lack formal semantics and thus, are not amenable to formal analysis.
A number of Architecture Description Languages (ADLs) have been developed for architecture
129
Chapter 5. Architecture diagrams
speciﬁcation [75, 104, 80]. Nevertheless, according to [69], architectural languages used
in practice mostly originate from industrial development instead of academic research.
Practitioners extensively use UML although many scientiﬁc questions remain about its
formal properties [47]. On the contrary, some ADLs have formal semantics [4, 68, 34],
however, they require the use of formal languages which are considered as diﬃcult for
practitioners to master [69]. To address this issue, we propose architecture diagrams that
combine the beneﬁts of graphical languages and rigorous formal semantics. By relying on a
small set of notions, we emphasize the conceptual clarity of our approach.
A number of paradigms for unifying interactions in heterogeneous systems have been stud-
ied [40, 8, 56]. In these works, uniﬁcation is achieved by reduction to a common low-level
semantic model. Coordination mechanisms and their properties are not studied indepen-
dently of behaviour. Architecture diagrams were developed to accommodate architecture
speciﬁcation in BIP [7], wherein connectors are relations among ports and do not carry any
additional behaviour. This strict separation of computation from coordination allows reason-
ing about the coordination constraints structurally and independently from the behaviour of
coordinating components. However, our approach can be extended to describe architecture
styles in other languages by explicitly associating the required behaviour to connector motifs.
For example, this can be applied to specify connector patterns in Reo [5], by associating
multiplicity and degree to source and sink nodes of connectors. The main diﬃculty is to
correctly instantiate the behaviour depending on the number of ends in the connector.
Architecture diagrams consist of component types and connector motifs, respectively com-
parable to UML components and associations [54, 78]. One important diﬀerence between
connector motifs and UML associations is that the latter cannot specify interactions that
involve two or more instances of the same component type [78]. In UML, the term “multi-
plicity” is used to deﬁne both 1) the number of instances of a UML component and 2) the
number of UML links connected to a UML component. In architecture diagrams, we call
these, respectively, “cardinality” and “degree”. We use the term “multiplicity” to denote the
number of components of the same class that can be connected by the same connector. The
distinction between multiplicity and degree is key for allowing n-ary connectors involving
several instances of the same component type.
The use of context-free grammars [49, 64, 28, 62, 63] allows inductive deﬁnitions and reasoning
about architectures and dynamic reconﬁgurations. Graph grammars can be used to deﬁne
architecture styles: a style admits all the conﬁgurations that can be derived by its deﬁning
grammar. The downside is that such deﬁnitions require additional non-terminal symbols
to represent variable size structures, e.g. list of all slaves in a Master/Slave architecture.
We take a diﬀerent approach, whereby all constraints appear directly in the architecture
diagram for which we provide denotational semantics. The rationale is the following: we
assume that the reasoning is carried out by an “expert”, who deﬁnes the architectural style,
whereas the “user” only needs the minimal information in order to select and instantiate
it. Thus, structural information, e.g. necessary information for an inductive proof that the
style imposes a certain property, does not appear in the diagram, but only the entities that
130
5.8. Summary
form the target system.
5.8 Summary
We presented architecture diagrams, a graphical language rooted in well-deﬁned semantics
for the description of architecture styles. Using architecture diagrams instead of purely
logic-based speciﬁcations confers the advantages of graphical formalisms. We proposed four
classes of architecture diagrams. Simple architecture diagrams express uniform degree and
multiplicity constraints. Index architecture diagrams have in addition index variables on
ports and arithmetic predicates which introduce constraints over the set of index variables.
Interval architecture diagrams use intervals for deﬁning cardinality, multiplicity and degree
constraints. General architecture diagrams combine the constraints of index and interval
diagrams and have in addition arithmetic predicates on multiplicities and degrees. We showed
that the four classes of diagrams form a hierarchy. In particular, index and interval diagrams
are strictly more expressive than simple architecture diagrams and general diagrams are
strictly more expressive than all other classes of diagrams. We studied a full encoding of
architecture diagrams into conﬁguration logics and a polynomial-time algorithm for checking
whether an architecture conforms to the architecture style speciﬁed by a general architecture
diagram.
Additionally, we proposed a set of necessary and suﬃcient consistency conditions and a
synthesis procedure for generating compositionally the set of conforming architectures for
simple and interval diagrams. We are currently working on extending the synthesis procedure
for index and general diagrams. Nevertheless, the set of consistency conditions cannot
be generalised to index and general architecture diagrams, since these contain predicates
involving port instances and thus, must be checked at the level of architecture and not at
the level of architecture style. To check the consistency of index and general architecture
diagrams, we can encode the diagrams into conﬁguration logic formulas and check for
non-satisﬁability.
131

6 Case studies
In this chapter, we present two satellite on-board software case studies, CubETH and Sentinel
3, in which we applied the architecture-based approach to achieve correctness by construction.
The CubETH case study is presented in detail, whereas for Sentinel 3 we give only a very
high level presentation of the case-study due to conﬁdentiality restrictions.
The architecture-based design approach consists of the following three stages (Figure 6.1):
1. Pre-design: architecture styles, which represent recurring patterns that are relevant
for the application domain, are identiﬁed and formally deﬁned. The taxonomy of
architecture styles identiﬁed in the CubETH case study was reused in the Sentinel
3 case study, and it can be further reused in the design of other satellite on-board
software. Ideally, this stage is realised only once for each application domain.
2. Design: requirements to be satisﬁed by the system are analysed and formalised. Next,
atomic components realising the basic functionality of the system are designed and used
as operands for the application of architectures instantiated from the styles deﬁned in
the ﬁrst stage. The choice of which architectures to apply is driven by the requirements.
3. Veriﬁcation: the resulting system is checked for deadlock-freedom. Properties which
are not enforced by construction through architecture application must be veriﬁed a
posteriori. In the CubETH case study, we illustrate all steps of this process, except
the requirement formalisation.
6.1 The CubETH case study
CubETH is a nanosatellite based on the CubeSat standard [29]. It contains the following
subsystems: EPS (electrical power subsystem), CDMS (command and data management
subsystem), COM (telecommunication subsystem), ADCS (attitude determination and control
subsystem), PL (payload) and the mechanical structure including the antenna deployment
subsystem.
133
Chapter 6. Case studies
Modelling 
architecture 
styles
Requirements 
formulation & 
formalisation
Pre-design Design
Architecture 
application
Model 
verification
Verification
Figure 6.1 – Architecture-based design ﬂow
This case study focuses on the software running on the CDMS subsystem and in particular
on the following subcomponents of CDMS: 1) CDMS status that is in charge of resetting
internal and external watchdogs; 2) Payload that is in charge of payload operations; 3)
three Housekeeping components that are used to recover engineering data from the EPS, PL
and COM subsystems; 4) CDMS Housekeeping which is internal to the CDMS; 5) I2C_sat that
implements the I2C protocol; 6) Flash memory management that implements a non-volatile
ﬂash memory and its write-read protocol; 7) the s3_5, s3_6, s15_1 and s15_2 services that
are in charge of the activation or deactivation of the housekeeping component actions; 8)
Error Logging that implements a RAM region that is accessible by many users and 9)
the MESSAGE_LIBRARY, MEMORY_LIBRARY and I2C_sat_LIBRARY components, which contain
auxiliary C/C++ functions.
A high-level BIP model of the case-study is shown in Figure 6.2. For the sake of simplicity,
we omit some of the connectors. In particular, we show the connectors involving the
HK_to_MEM, HK_to_I2C and HK_to_I2C_NOFAIL interfaces of the HK_COM subsystem, but
we omit the respective connectors involving the other three Housekeeping subsystems.
The MESSAGE_LIBRARY, MEMORY_LIBRARY, I2C_sat_LIBRARY, s3_5, s3_6, s15_1 and s15_2
components are atomic. The rest are composite components, i.e. compounds.
The full BIP model of the case study comprises 22 operands and 27 coordinators that were
generated from the architecture styles presented in the next subsection.
6.1.1 A taxonomy of architecture styles for on-board software
Since the identiﬁed architecture styles represent recurring patterns of satellite on-board
software, the usage of the presented taxonomy is not limited to this case study. The identiﬁed
styles can also be used for the design and development of other satellite on-board systems.
For each architecture style, we have studied two groups of properties: 1) assumed properties
that the operand components must satisfy so that the architecture can be successfully applied
on them and 2) characteristic properties that are properties the architecture imposes on the
system. All characteristic properties are safety properties.
134
6.1. The CubETH case study
Fi
gu
re
6.
2
–
T
he
hi
gh
-le
ve
li
nt
er
ac
tio
n
m
od
el
135
Chapter 6. Case studies
We have identiﬁed 9 recurring patterns, which we deﬁned formally as architecture styles
by using simple and interval architecture diagrams. For the sake of simplicity of the
presentation, in the next subsections, we omit the cardinality of a port type if it is equal to
1. The cardinality of a component type is indicated right next to its name.
Mutual Exclusion style
The Mutual Exclusion architecture style enforces mutual exclusion on a shared resource. The
unique —due to the cardinality being 1 —coordinator component, Mutex manager, manages
the shared resource, while n parameter components of type B can access it. The multiplicities
of all port types are 1 and therefore, all connectors are binary. The degree constraints require
that each port instance of a component of type B be attached to a single connector and each
port instance of the coordinator be attached to n connectors. The behaviours of the two
component types enforce that once the resource is acquired by a component of type B, it can
only be released by the same component.
Figure 6.3 – Mutual Exclusion style with architecture diagrams
• Assumed property of operands: ‘a component exits its critical section after finish
and cannot enter it again until begin ’
∀ i  n, AG(finish[i] → A[¬cs[i] W begin[i]]),
where cs[i] is an atomic predicate that evaluates to true when the B[i] component is
in the critical section (e.g. in state work for the behaviour shown in Figure 6.3).
• Characteristic property of architecture: ‘no two components are in their critical
section simultaneously’
AG¬(∨i=j∈[1,n] cs[i] ∧ cs[j])
Client-Server style
The Client-Server architecture style ensures that only one client can use a service oﬀered by
the server at any time. It consists of two parameter component types Server and Client
136
6.1. The CubETH case study
with l and n instances, respectively. In the diagram of Figure 6.4, the Server provides two
services through port types offer, offer2. Client has two corresponding port types use,
use2. Since the cardinalities of offer and offer2 are k and k′, respectively, each component
instance of type Server has k port instances of type offer and k′ port instances of type
offer2. Similarly, each component instance of type Client has m port instances of type
use and m′ port instances of type use2.
Two connector motifs connect use (resp. use2) with offer (resp. offer2). The multi-
plicity/degree constraint of offer is 1 : nm. The multiplicity/degree constraint of use is
1 : l k. Since both multiplicities are 1, all connectors are again binary. Because of the degree
constraints, each port instance of use must be attached to l k connectors, while each port
instance of offer must be attached to nm connectors, i.e. all port instances of use are
connected to all port instances of offer.
Figure 6.4 – Client-Server style with architecture diagrams
• Assumed property of operands: ‘the services are provided synchronously, i.e. as
atomic actions’. This is not a temporal property. The duration that a client uses a
service is abstracted to be equal to 0.
• Characteristic property of architecture: ‘only one client can use a provided
service at each time’
∀ i, j  n, ∀ p  k, AG(¬Client[i].use[p] ∧ Client[j].use[p]) ,
∀ i, j  n, ∀ p  k, AG(¬Client[i].use2 [p] ∧ Client[j].use2 [p]) .
Action ﬂow style
The Action ﬂow style enforces a sequence of actions. It has one coordinator component
of type Action Flow Manager and n parameter components of type B. Each component
type has four port types: start, actBegin, actEnd, finish. The cyclic behaviour of the
coordinator enforces an order on the actions of the operands. In the behaviour of the
manager, abi and aei (instances of actBegin and actEnd, resp.) stand for “action i begin”
and “action i end”.
Each operand component c of type B provides nca port instances of type actBegin and
of type actEnd. Notice that nca might be diﬀerent for diﬀerent operands of type B. The
137
Chapter 6. Case studies
cardinalities of port types ab and ae are both equal to N =∑c:B nca, where the sum is over
all operands of type B. The multiplicity and degree constraints require that there be only
binary connectors.
Figure 6.5 – Action ﬂow style with architecture diagrams
• Assumed property of operands: ‘each action is explicitly terminated by actEnd
and no other action can be started until then’
∀i, j  nca, AG
(
B[c].actBegin[i] → AX A[B[c].executing[i] ∧ ¬B[c].executing[j]
W B[c].actEnd[i]]
)
,
∀i  nca, AG
(
B[c].actEnd[i] → AX A[¬B[c].executing[i] W B[c].actBegin[i]])) ,
where B[c].executing[i] is an atomic predicate that evaluates to true when the B[c]
component is executing action i.
• Characteristic property of architecture is the conjunction of: a) ‘on each action
ﬂow’s execution, every action begins only after its previous action has ended’ b) ‘on
each ﬂow execution, every action occurs at most once’ c) ‘the ﬂow ﬁnishes only after
the last action has ended’, d) ‘if an action ends, it can end only after it begins again’
formalised by the following CTL formulas, in which the index i denotes the position of
an action in the action ﬂow.
We consider the following mappings:
– from indices to components seqc : [1, N ] → C, where C is a set containing all
operands that execute an action;
– from indices to actions seqa : [1, N ] → A, where A is a set containing all actions
of the operands,
such that the action seqa(i) belongs to the component seqc(i).
138
6.1. The CubETH case study
Figure 6.6 – Action ﬂow with abort style with architecture diagrams
∀1 < i  N, AG(start → AX A[¬B[seqc(i)].actBegin[seqa(i)]
W B[seqc(i)].actEnd[seqa(i − 1)]
])
,
∀1  i  N, AG(B[seqc(i)].actBegin[seqa(i)] → AX A[¬B[seqc(i)].actBegin[seqa(i)]
W start
])
,
AG
(
start → AX A[¬ﬁnish W B[seqc(i)].actEnd[N ]
])
,
∀1  i  N, AG(B[seqc(i)].actEnd[seqa(i)] → AX A[¬B[seqc(i)].actEnd[seqa(i)]
W B[seqc(i)].actBegin[seqa(i)]
])
.
Action ﬂow with abort style
The Action ﬂow with abort architecture style is very similar to the Action ﬂow style. It
enforces a sequence of N actions. However, each operand has the ability to abort an action.
If a component aborts, the behaviour of the manager is reset back to its initial state. In
this style, both component types have an additional port type actAbort. In the coordinator
behaviour, aai stands for “action i abort”.
• Assumed property of operands: ‘each action is explicitly terminated by actEnd
or actAbort and no other action can be started until then’
∀i, j  nca, AG
(
B[c].actBegin[i] → AX A[B[c].executing[i] ∧ ¬B[c].executing[j]
W B[c].actEnd[i] ∨ actAbort[i]]) ,
∀i  nca, AG
(
B[c].actEnd[i] ∨ actAbort[i] → AX A[¬B[c].executing[i]
W B[c].actBegin[i]]
)
,
where B[c].executing[i] is an atomic predicate that evaluates to true when the B[c]
component is executing action i.
• Characteristic property of architecture is the conjunction of ﬁrst three character-
istic properties of Action ﬂow with the properties: e) ‘if an action is ended or aborted,
139
Chapter 6. Case studies
it can end or abort only after it begins again’ and f) ‘when an action is aborted, an
action can be executed only after the ﬂow is reset’.
We consider the following mappings:
– from indices to components seqc : [1, N ] → C, where C is a set containing all
operands that execute an action;
– from indices to actions seqa : [1, N ] → A, where A is a set containing all actions
of the operands,
such that the action seqa(i) belongs to the component seqc(i).
∀1  i  N, AG(B[seqc(i)].actEnd[seqa(i)] ∨ B[seqc(i)].actAbort[seqa(i)] →
AX A
[¬B[seqc(i)].actAbort[seqa(i)] ∧ ¬B[seqc(i)].actEnd[seqa(i)]
W B[seqc(i)].actBegin[seqa(i)]
])
,
∀1  i, j N, AG(B[seqc(i)].actAbort[seqa(i)] →
AX A
[¬B[seqc(j)].actBegin[seqa(j)] W start]) .
Failure monitoring style
The Failure monitoring (Figure 6.7) provides monitor components that observe the state of
other components. It consists of n coordinator components of type Failure Monitor and
n parameter components of type B1. The cardinality of all port types is 1. Multiplicities
and degrees require that each B1 component instance be connected to its dedicated Failure
monitor instance.
A B1 component may enter the following three states: NOMINAL, ANOMALY, CRITICAL_FAILURE.
When in NOMINAL state, the component is performing correctly. If the component cannot be
reached, or if the engineering data is not correct, the component enters the ANOMALY state.
If a ﬁxed time has passed in which the component has remained in ANOMALY, the component
enters the CRITICAL_FAILURE state.
Figure 6.7 – Failure monitoring style with architecture diagrams
• Assumed property of operands: is ‘B1 will not execute any actions between fail
and resume ’.
140
6.1. The CubETH case study
∀c  n, AG(B1 [c].fail → AX A[(B1 [c].pause W B1 [c].resume)] ,
where B1 [c].pause is an atomic predicate that evaluates to false when the component
B1[c] executes any action other than resume.
• Characteristic property of architecture: ‘if a failure occurs, a ﬁnish happens only
after a resume or reset’
∀c  n, AG(B1 [c].fail → AX A[¬B1 [c].ﬁnish W (B1 [c].resume ∨ reset)]) .
Mode management style
The Mode management style restricts the set of enabled actions, i.e. the actions that can
be executed, according to a set of predeﬁned modes. It consists of one coordinator of type
Mode Manager, n parameter components of type B1 and k parameter components of type B2.
Each B2 component triggers the transition of the Mode Manager to a speciﬁc mode. The
coordinator manages which actions of the B1 components can be executed in each mode.
The behaviour of the Mode Manager has k states, one state per mode. Mode Manager has a
port type toMode with cardinality k and k port types inMode with cardinality 1. Each port
instance of type toMode must be connected through a binary connector with the changeMode
port of a dedicated B2 component.
B1 has k port types modeBegin with cardinality mc[0, 1]. In other words, a component
instance of B1 might have any number of port instances of types modeBegin from 0 until
k. B1 also has a modeEnd port type with cardinality k. mib stands for “mode i begin” and
indicates that an action that is enabled in mode i has begun its execution. mie stands for
“mode i end” and indicates that an action that is enabled in mode i has ﬁnished its execution.
Each inMode port instance of the Mode Manager must be connected with the corresponding
modeBegin port instances of all B2 components through an n-ary connector.
Figure 6.8 – Mode management style with architecture diagrams (component behaviour is
shown for k=3)
141
Chapter 6. Case studies
• Assumed property of operands: ‘a component of type B1 executes actions allowed
in mode i only after it enters mode i’
∀ i  k, AG(m[i]e → A[¬mode[i] W m[i]b]) ,
where mode[i] is an atomic predicate that evaluates to true when a B1 component is
performing an action allowed in mode i.
• Characteristic property of architecture: ‘an action is only performed in a mode
where it is allowed’
∀i  k, AG(B1.m[i]b → ModeManager .inMode[i]) .
Buﬀer management style
The Buﬀer management style controls the access of a set of producers and consumers to a
buﬀer. It consists of a single coordinator component of type Buffer Manager, n parameter
components of type Producer and m parameter components of type Consumer. The Buffer
Manager restricts the behaviour of producers by allowing them to write data to the buﬀer
only if the buﬀer is not full. Similarly, the Buffer Manager restricts the behaviour of
consumers by allowing them to retrieve data from the buﬀer only if the buﬀer is not empty.
The cardinalities of all port types are 1. The multiplicity and degree constraints require that
each Producer component instance and Consumer component instance be connected to the
Buffer manager component instance through binary connectors.
Figure 6.9 – Buﬀer management style with architecture diagrams
• Assumed property of operands: no assumptions
• Characteristic property of architecture is the conjunction of the following prop-
erties: 1)‘data can be stored to the buﬀer only if the buﬀer is not full’; 2)‘data can be
retrieved from the buﬀer only if the buﬀer is not full’
AG
(
BuﬀerManager .enabled(full) → AX A[¬BuﬀerManager .put W BuﬀerManager .get])
AG
(
BuﬀerManager .enabled(empty) → AX A[¬BuﬀerManager .get W BuﬀerManager .put]) ,
142
6.1. The CubETH case study
where enabled(empty) and enabled(full) are atomic predicates that evaluate to true when
the empty and full actions of the Buﬀer manager are enabled.
Event monitoring style
The Event monitoring style is a special case of the Buﬀer management architecture style for
a buﬀer of size 1 and consumer cardinality equal to 1. The Event monitoring style provides
a monitor component that tracks events of other components. For each event, the monitor
generates a report and sends it to a dedicated service component. The style consists of a
single coordinator component of type Event Monitor and n parameter components of type
B. The cardinalities of all port types are 1. The multiplicity and degree constraints require
that each B component instance be connected to the Event monitor component instance.
All connectors must be binary.
Figure 6.10 – Event monitoring style with architecture diagrams
• Assumed property of operands: no assumptions
• Characteristic property of architecture: ‘if an event is sent to the monitor,
another event can be sent to the monitor only after a report is generated’
∀c, c′  n, AG(B[c].sndEvent → AX A[¬B[c′].sndEvent W EventMonitor .report]) .
Priority management style
The Priority management style enforces a priority protocol on the set of actions of n
components. It consists of a single coordinator component of type Priority Manager and
n parameter components of type B. The Priority Manager checks ﬁrst whether the action
with the highest priority can be executed. If this action is enabled, the Priority Manager
executes this action and returns to its initial state. If this action is not enabled, the Priority
Manager checks whether the action with the second highest priority can be executed. If this
action is enabled, the Priority Manager executes this action and returns to its initial state.
If this action is not enabled, it checks whether the action with the third highest priority
can be executed, etc. The cardinalities of the action and noAction port types are n. The
cardinalities of all other port types are 1. The multiplicity and degree constraints require
that each B component instance be connected to the Priority manager component instance
through binary connectors.
143
Chapter 6. Case studies
Figure 6.11 – Priority management style with architecture diagrams
• Assumed property of operands: ‘action and noaction are mutually exclusive
actions’
∀c  n, AG(enabled(B[c].action) XOR enabled(B[c].noaction)) ,
where enabled(B[i].action) (resp. B[i].action) is an atomic predicate that evaluates
to true when the B[i].action (resp. B[i].action) action is enabled.
• Characteristic property of architecture is the conjunction of the following prop-
erties: 1)‘a component cannot execute action i+1 unless noaction i (previous action
with higher priority) has been ﬁred’; 2)‘a component cannot execute noaction i + 1
unless noaction i (previous action with higher priority) has been ﬁred’; 3) ‘a new cycle
can start only after there is a success or fail ’; 4) ‘once a cycle starts, success can
be executed only after an action is executed’; 5) ‘once an action is executed, fail
cannot be executed unless there is an init.
∀i < n, AG(PriorityManager .init → A[¬B[i + 1 ].action W B[i].noaction]) ,
∀i < n, AG(PriorityManager .init → A[¬B[i + 1 ].noaction W B[i].noaction]) ,
AG
(
PriorityManager .init → AX A[¬PriorityManager .init W
(PriorityManager .success ∨ PriorityManager .fail)]) ,
AG
(
PriorityManager .init → A[¬PriorityManager .success W ( n∨
i=1
B[i].action
])
,
∀i < n, AG(B[i].action → A[¬PriorityManager .fail W PriorityManager .init]) .
144
6.1. The CubETH case study
Table 6.1 – CubETH: Representative requirements for CDMS status and HK_PL
ID Description
CDMS-007 The CDMS shall periodically reset both the internal and external watch-
dogs and contact the EPS subsystem with a “heartbeat".
HK-001 The CDMS shall have a Housekeeping activity dedicated to each subsys-
tem.
HK-003 When line-of-sight communication is possible, housekeeping information
shall be transmitted through the COM subsystem.
HK-004 When line-of-sight communication is not possible, housekeeping informa-
tion shall be written to the non-volatile ﬂash memory.
HK-005 A Housekeeping subsystem shall have the following states: NOMINAL,
ANOMALY and CRITICAL_FAILURE.
6.1.2 Architecture application and composition examples
We illustrate the architecture-based approach on the CDMS status, MESSAGE_LIBRARY and
HK PL components. In particular, we present the application of Action ﬂow, Mode man-
agement, Client-Server and Failure monitoring architectures to discharge a subset of the
CubETH functional requirements presented in Table 6.1. The set of requirements of the
CubETH case-study is presented in Table A.1 We additionally present the result of the
composition of Client-Server and Mode management architectures.
Application of Action ﬂow architecture
Requirement CDMS-007, presented in Table 6.1, describes the functionality of CDMS status.
The corresponding BIP model is shown in Figure 6.12. Watchdog reset is an operand
component, which is responsible for resetting the internal and external watchdogs. CDMS
status ACTION FLOW is the coordinator of the architecture applied on Watchdog reset
that imposes the following order of actions: 1) reset internal watchdog; 2) reset external
watchdog; 3) send heartbeat and 4) receive result.
Application of Client-Server architecture
Requirements HK-001 and HK-003, presented in Table 6.1, suggest the application of
the Client-Server architecture on the HK PL, HK CDMS, HK EPS and HK COM housekeeping
compounds (Figure 6.2). The four housekeeping compounds are the clients of the architecture.
In Figure 6.13a, we show how Client-Server is applied on the HK PL process component,
which is a subcomponent of HK PL. The HK PL process component uses the composeMessage
and decodeMessage C/C++ functions of the MESSAGE_LIBRARY component to encode and
decode information transmitted to and from the COM subsystem. Thus, the MESSAGE_LIBRARY
145
Chapter 6. Case studies
Figure 6.12 – Application of Action ﬂow architecture
(a) Architecture application (b) Hexagons of Figure 6.13a
Figure 6.13 – Application of Client-Server architecture
is a server used by the HK PL process client. To enhance readability of ﬁgures in Figure 6.13a,
we use hexagons to group interaction patterns of components. The meaning of these hexagons
is explained in Figure 6.13b.
Application of Failure monitoring architecture
Requirement HK-005, presented in Table 6.1, suggests the application of the Failure
monitoring architecture as shown in Figure 6.14. The BIP model comprises the HK PL
process operand and the HK PL FAILURE MONITORING coordinator. The success port
of HK PL FAILURE MONITORING is connected with the mem_res and I2C_res_TTC ports of
HK PL process. The failure port of HK PL FAILURE MONITORING is connected with the
I2C_fail_PL port of HK PL process. The HK PL process component executes 6 actions
in the following order: 1) start procedure; 2) ask Payload for engineering data; 3) receive
result from Payload or (in case of fail) abort; 4) if line of sight communication is possible
send data to COM, otherwise make a write request to the memory; 5) depending on action 4
either receive COM result or memory result and 6) ﬁnish procedure.
146
6.1. The CubETH case study
Figure 6.14 – Application of Failure monitoring architecture
Figure 6.15 – Application of Mode management architecture
147
Chapter 6. Case studies
Application of Mode management architecture
Requirements HK-003 and HK-004, presented in Table 6.1, suggest the application of a Mode
management architecture with two modes: 1) TTC mode, in which line of sight communication
is possible and 2) MEMORY mode, in which line of sight communication is not possible. The
corresponding BIP model, shown in Figure 6.15, comprises the HK PL process, s15_1
and s15_2 operands and the Packet store MODE MANAGER coordinator. During NOMINAL
operation, the Payload subsystem is contacted to retrieve engineering data. Depending
on the mode of Packet store MODE MANAGER, that data is then sent to the non-volatile
memory, i.e. mem_write_req transition, or directly to the COM subsystem, i.e. ask_I2C_TTC
transition. The mode of Packet store MODE MANAGER is triggered by the s15_1, s15_2
services.
Composition of architectures
The architecture composition was formally deﬁned in Deﬁnition 2.4.4. Here, we provide only
an illustrative example. Combined application of architectures to a common set of operand
components results in merging the connectors that involve ports used by several architectures.
For instance, Figure 6.16 shows the composition of Client-Server and Mode management
architectures. The HK PL process component is a sub-component of HK PL. The appli-
cation of the Client-Server architecture (Figure 6.13) connects its port ask with the port
composeMessage of MESSAGE_LIBRARY through the MES_LIB-HK_to_I2C interface with a bi-
nary connector. Similarly, the application of the Mode management architecture (Figure 6.15)
connects the same port with the port ask_I2C_TTC of Packet store MODE MANAGER with
another binary connector. The composition of the two architectures results in the two
connectors being merged into the ternary connector ask-ask_I2C_TTC-composeMessage
(Figure 6.16).
6.1.3 Model veriﬁcation
Recall (Section 2.4) that safety properties imposed by architectures are preserved by ar-
chitecture composition [6]. Thus, all properties that we have associated to the CubETH
requirements are satisﬁed by construction by the model of the case study, which is included
in the appendix (Section A.3).
Architectures enforce properties by restricting the joint behaviour of the operand components.
Therefore, combined application of architectures can generate deadlocks. We have used the
D-Finder tool [11] to verify deadlock-freedom of the case study model. D-Finder applies
compositional veriﬁcation on BIP models by over-approximating the set of reachable states,
which allows it to analyse very large models. The tool is sound, but incomplete: due to the
above mentioned over-approximation it can produce false positives, i.e. potential deadlock
states that are unreachable in the concrete system. However, our case study model was
shown to be deadlock-free without any potential deadlocks. Thus, no additional reachability
148
6.1. The CubETH case study
Figure 6.16 – Composition of Client-Server and Mode management architectures
analysis was needed.
6.1.4 Validation of the approach
The key advantage of our architecture-based approach is that the burden of veriﬁcation is
shifted from the ﬁnal design to architectures, which are considerably smaller in size and can
be reused. In particular, all the architecture styles that we have identiﬁed for the case study
are simple. Their correctness—enforcing the characteristic properties—can be easily proved
by inspection of the coordinator behaviour. However, in order to increase the conﬁdence
in our approach, we have conducted additional veriﬁcation, using nuXmv to verify that the
characteristic properties of the architectures are indeed satisﬁed. We used the BIP-to-NuSMV
tool1 to translate our BIP models into NuSMV—the nuXmv input language [16].
Veriﬁcation of the complete model with nuXmv did not succeed, running out of memory after
four days of execution. Thus, we repeated the procedure (BIP-to-NuSMV translation and
veriﬁcation using nuXmv) on individual sub-systems. All connectors that crossed sub-system
boundaries were replaced by their corresponding sub-connectors. This introduces additional
interactions, hence, also additional execution branches. Since no priorities are used in the
1http://risd.epﬂ.ch/bip2nusmv
149
Chapter 6. Case studies
Table 6.2 – CubETH: Statistics of models and veriﬁcation
Model Tool Components Connectors RSS Deadlocks Properties
CubETH D-Finder 49 155 - 0 -
Payload nuXmv 13 42 8851 0 9
I2C_sat nuXmv 4 12 52 0 1
HK PL nuXmv 11 12 77274 0 5
HK EPS nuXmv 11 12 77274 0 5
HK COM nuXmv 11 12 77274 0 5
HK CDMS nuXmv 10 9 12798 0 5
Flash Memory nuXmv 6 15 44 0 3
CDMS status nuXmv 3 6 8 0 4
Error Logging nuXmv 2 2 2 0 1
RSS = Reachable State Space
model, this modiﬁcation does not suppress any existing behaviour. Notice that the CTL
properties enforced by the presented architecture styles use only universal quantiﬁcation (A)
over execution branches. Hence, the above approach is a sound abstraction, i.e. the fact that
the properties were shown to hold in the sub-systems immediately entails that they also hold
in the complete model. Table 6.2 presents the complexity measures of the veriﬁcation, which
was carried out on an Intel Core i7 at 3.50GHz with 16GB of RAM. Notice that component
count in sub-systems adds up to more than 49, because some components contribute to
several sub-systems.
6.2 The Sentinel 3 case study
Sentinel 3 is a LEO Earth Observation satellite [94]. The Sentinel 3 mission is part of the
Earth watch line of missions within the ESA’s Living Planet Program. The goal of its
mission is mainly sea-surface topography, measurement of the sea-surface temperature and
the ocean colour characteristics.
The Sentinel 3 case study was based on an extraction of the complete set of requirements of
the Sentinel 3 on-board software. Since the information of the case study is conﬁdential, we
do not provide the requirements and the resulting BIP model of the satellite. Nevertheless it
is interesting to mention that in order to build the resulting model we reused the architecture
styles presented in Section 6.1.1. The complete BIP model of Sentinel 3 has a small number
of operands; it primarily consists of architectures generated from the architecture styles.
The essential safety properties were obtained by construction through the architecture-based
approach.
Next, we give a very high-level description of the Sentinel 3 on-board software. The software
architecture of the on-board software is presented in Figure 6.17. It is composed of the
150
6.2. The Sentinel 3 case study
Figure 6.17 – Software architecture of Sentinel 3 [94]
following 6 main parts:
• the OS and Drivers layer, which comprises the Hardware Dependent Software (HDSW)
and the Real-Time Operating System (RTOS);
• the Middleware, which is mainly composed by Input-Output Services (IOS);
• the Framework which comprises the System Management Software (SMS) and generic
code libraries;
• the Packet Utilisation Service (PUS) library;
• the Software Bus (SWBUS), which allows the diﬀerent components of the architecture
to communicate;
• the Application Software (ASW), which consists of a set of components for subsystem
management.
151
Chapter 6. Case studies
6.3 Summary
The architecture-based approach consists in the application of a number of architectures
starting with a minimal set of atomic components. Each architecture enforces by construction
a characteristic safety property on the joint behaviour of the operand components. The
combined application of architectures is deﬁned by an associative and commutative oper-
ator [6], which guarantees the preservation of the enforced properties. Since architectures
enforce properties by restricting the joint behaviour of the operand components, combined
application of architectures can lead to deadlocks. Thus, the ﬁnal step of the design process
consists in verifying the deadlock-freedom of the obtained model. The key advantage of this
approach is that the burden of veriﬁcation is shifted from the ﬁnal design to architectures,
which are considerably smaller in size and can be reused. This advantage is illustrated
by our veriﬁcation results: while model-checking of the complete model was inconclusive,
veriﬁcation of deadlock-freedom took only a very short time using the D-Finder tool.
The case studies serve as a feasibility proof for the use of architecture-based approach in
satellite on-board software design. An additional contribution of the presented work is
the identiﬁcation and formal modelling—using architecture diagrams—of a taxonomy of
architecture styles. Architecture styles represent recurring coordination patterns: those
identiﬁed in the CubETH case study were also reused in the Sentinel 3 case study and can
be further reused in other satellite on-board software.
152
7 Conclusion and future work
The main goal of this thesis was the development of an expressive and usable framework for
the speciﬁcation of architectures and architecture styles. We focused on providing languages,
methodologies and tools that could be introduced in the system development process. Our
work is part of a broader research program, which has been pursued for more than 15 years,
investigating correct-by-construction approaches. The program aims at developing the BIP
component framework for rigorous system design [89].
The following subsections summarize how our work is related to the three fundamental
questions posed earlier in the introduction. In particular, Section 7.1 addresses the ﬁrst
question of “how does one model and implement architectures?”, while Section 7.2 addresses
the second and third questions of “how to guide software developers in their choice of
architectures?” and “how does one specify architecture styles?”.
7.1 Modelling and implementation of architectures
We presented interaction logics for modelling architectures. We studied a modelling method-
ology based on the ﬁrst-order interaction logic for writing architecture speciﬁcations. The
architecture speciﬁcations are suﬃciently versatile to be applicable to a variety of components
and do not rely on the characteristics of any speciﬁc execution platform. We have developed
JavaBIP, relying on ﬁrst-order interaction logic for the speciﬁcation of the coordination
architecture.
JavaBIP integrates architectures into mainstream software development and thus, raises the
abstraction level and supports separation of concerns, e.g. decoupling between functionality
and coordination. JavaBIP follows an exogenous approach to component coordination relying
on existing APIs for the interaction with the controlled components. All JavaBIP models
are deﬁned separately from the functional code of the components. Furthermore, all input
speciﬁcations are deﬁned and modiﬁed without altering the functional code, which is not
possible with traditional approaches. We presented experimental results that validate the
153
Chapter 7. Conclusion and future work
eﬀectiveness of JavaBIP for the coordination of software components. JavaBIP speciﬁcations
are formally deﬁned and thus, can be veriﬁable. Veriﬁcation tools, e.g. DFinder and nuXmv,
can be used to validate JavaBIP speciﬁcations, ensuring correctness of the designed systems.
Additionally, JavaBIP coordination has been tested and validated in Connectivity Factory
TM by Crossing-Tech S.A.
Future work
Future work comprises several directions. We are currently working on adding dynamicity in
the JavaBIP framework in order to allow insertion and deletion of components at run-time.
Furthermore, we consider creating a library of JavaBIP architecture speciﬁcations so that a
software developer can pick a preferred coordination mechanism directly from the library. It
would also be interesting to add a graphical interface for the speciﬁcation of coordination
mechanisms based on architecture diagrams.
Another possible extension concerns the implementation of JavaBIP. Currently, JavaBIP is
centralised due to the implementation of the JavaBIP engine. Scalability of JavaBIP can be
increased by combining existing techniques from the BIP framework for parallelising and
distributing the JavaBIP engine. Another possible direction for increasing the eﬃciency
of the JavaBIP engine is to add incrementality so that an interaction can be ﬁred without
waiting for all the other components to inform.
7.2 Modelling architecture styles
We studied two rigorous approaches for the speciﬁcation of architecture styles, which are
both applicable to a variety of architecture styles. We studied conﬁguration logics, which
are a powerful and expressive tool to characterize conﬁgurations between instances of typed
components. We studied the properties as well as a sound and complete axiomatisation
for the propositional conﬁguration logic. Conﬁguration logics are integrated in a uniﬁed
semantic framework, which is equipped with a decision procedure for checking that a given
architecture model meets given style requirements. We proposed three high-level extensions
of the propositional conﬁguration logic and showed their applicability in the speciﬁcation of
several architecture styles.
Furthermore, we studied architecture diagrams, which is a graphical language for architecture
style speciﬁcation rooted in rigorous semantics. Using architecture diagrams instead of
purely logic-based speciﬁcations confers the usability advantages of graphical formalisms.
We proposed methods to assist software developers to correctly specify architecture styles,
generate architectures from a style and check whether a given architecture model meets
given style requirements.
To guide developers in their choice of architectures, we grouped architectures that enforce
154
7.2. Modelling architecture styles
the same characteristic properties and involve the same component types into families of
architectures, i.e. architecture styles. In the case studies, presented in Section 6, we deﬁned
a taxonomy of architecture styles that is speciﬁc to on-board satellite software systems [74].
These case studies serve as a feasibility proof for the use of the architecture-based approach
in on-board satellite software design and, more generally, in building systems that are
correct-by-construction. Creating taxonomies and subsequently libraries of architecture
styles promotes component re-use and thus, the development of systems in a cost-eﬀective
manner. Additionally, organising knowledge in the form of architecture styles facilitates the
understanding of design decisions and makes communication more eﬃcient.
Future work
From the speciﬁcation perspective, we plan to incorporate hierarchically structured inter-
actions, data transfer among the participating ports and mechanisms to express dynamic
evolution of architectures. From the practical perspective, we plan on extending the synthesis
procedure to incorporate index and general architecture diagrams, as well as implementing
it using an SMT solver. We have already implemented the checking procedure for the
consistency conditions of simple architecture diagrams using the Z3 SMT solver1 and have
integrated it in the Architecture Manipulation tool that automatically generates and com-
poses architectures from given styles. We are going to extend the current implementation
for interval architecture diagrams.
In the CubETH case study (Section 6.1) we deﬁned a taxonomy of architecture styles
from which architectures were generated and composed to develop the BIP model of the
satellite. We plan on expanding our taxonomy of architecture styles and applying the
architecture-based approach to other application domains.
1https://z3.codeplex.com/
155

A Appendix
A.1 JavaBIP use case: Publish-Subscribe server
In this section, we present a JavaBIP implementation of the Publish-Subscribe server. The
server manages a number of diﬀerent topics to which the clients can subscribe, unsubscribe
and publish messages. To that end, clients send commands, which are handled by the server
in a concurrent fashion.
Consider the model in Figure A.1. The solid connectors between ports denote strong
synchronizations, i.e., the execution of the corresponding transitions must be synchronized.
In all synchronizations, data are exchanged between components. The dotted arrows from
transitions to ports represent asynchronous communication realized by generating events
corresponding to the spontaneous transitions of the receiving components.
The server consists of components of the six types shown in Figure A.1. For each client, there
is a dedicated TCPReader, responsible for receiving commands from the client. Additionally,
for each client there is dedicated a ClientProxy, responsible for receiving acknowledgements
that the client has been added or removed from a topic and messages published from other
clients registered in the same topic. Upon reception by a TCPReader, each command is
forwarded to the unique CommandBuﬀer component through the synchronization of the give
and put enforceable transitions. The guard commandExists of the TCPReader is used to
check whether it has received a new command and the guard notFull of the CommandBuﬀer
is used to check whether the buﬀer is not full before receiving a new command (Figure A.2:
Figure A.1 – JavaBIP models of a Publish-Subscribe server
157
Appendix A. Appendix
1 @Ports ({
2 @Port(name="put", type=PortType.enforceable),
3 @Port(name="get", type=PortType.enforceable)
4 })
5
6 @ComponentType(initial="0", name="CommandBuffer")
7 public class CommandBuffer {
8 private LinkedList <Command > commandList;
9 private int bufferSize;
10
11 public CommandBuffer(int bufferSize){
12 this.bufferSize = bufferSize;
13 this.commandList = new LinkedList <Command >();
14 }
15
16 @Transition(name="get", source="0", target="0", guard="notEmpty")
17 public void get() {
18 commandList.remove ();
19 }
20
21 @Guard(name="notEmpty")
22 public boolean notEmpty () { return !commandList.isEmpty (); }
23
24 @Transition(name="put", source="0", target="0", guard="notFull")
25 public void put(@Data(name="input") Command cmd) {
26 commandList.add(cmd);
27 }
28
29 @Guard(name="notFull")
30 public boolean notFull () { return commandList.size() < bufferSize; }
31
32 @Data(name="command")
33 public Command getNextCommand () { return commandList.get (0); }
34 }
Figure A.2 – Annotations for the CommandBuﬀer component type
lines 29–30). If both guards evaluate to true, the command is transferred as data to the
CommandBuﬀer (Figure A.2: line 25).
The CommandBuﬀer is a passive component: the responsibility for retrieving commands
from the CommandBuﬀer belongs to CommandHandlers. This happens through the synchro-
nization of the handle and get enforceable transitions, when the notEmpty guard evaluates
to true (Figure A.2: lines 21–22). There can be arbitrarily many CommandHandlers that
are concurrently handling commands. The CommandHandlers asynchronously forward com-
mands to the TopicManager, by generating the event associated to the execute spontaneous
transition of the TopicManager (Figure A.3: lines 2 & 13). Notice that the @Data annotation
is used to deﬁne input data necessary for the processing of spontaneous events (Figure A.3:
line 14). This mechanism allows CommandHandlers to send the commands as data to the
TopicManager, in a manner equivalent to asynchronous message passing.
Depending on the type of the command (Figure A.3: lines 16, 20, 24), the TopicManager
asynchronously triggers one of the add, remove or publish transitions of the corresponding
Topic (Figure A.3: lines 18, 22, 26). The Topic executes the commands and triggers the
corresponding transitions of a ClientProxy to either send an acknowledgment to the client
158
A.1. JavaBIP use case: Publish-Subscribe server
1 @Ports ({
2 @Port(name="execute", type=PortType.spontaneous)
3 })
4
5 @ComponentType(initial="0", name="TopicManager")
6 public class TopicManager {
7 private HashMap <String , BIPActor > topics;
8
9 public TopicManager(HashMap <String , BIPActor > topics) {
10 this.topics = topics;
11 }
12
13 @Transition(name="execute", source="0", target="0")
14 public void execute(@Data(name="value") Command c) {
15 switch (c.getId()) {
16 case SUBSCRIBE:
17 Topic topic = topics.get(c.getTopic ());
18 topic.add(c.getClient ()); // Generate an "add" event in the topic
19 break;
20 case UNSUBSCRIBE:
21 Topic topic = topics.get(c.getTopic ());
22 topic.remove(c.getClient ()); // Generate a "remove" event in the topic
23 break;
24 case PUBLISH:
25 Topic topic = topics.get(c.getTopic ());
26 topic.publish(c.getClient (), c.getMessage ());
27 break; // Generate a "publish" event in the topic
28 default:
29 break;
30 }
31 }
32 }
Figure A.3 – Annotations for the TopicManager component type
in the case of the subscribe/unsubscribe commands or to distribute the message to all
the subscribed clients of the topic in the case of a publish command. All transitions of
TopicManager, Topic and ClientProxy components are spontaneous, i.e. they are executed
asynchronously upon reception of the corresponding events.
An example of the above execution is the following: A TCPReader wants to forward the
command subscribe epfl. This data transfer happens through the synchronization of the
give transition of the TCPReader with the put transition of the CommandBuﬀer. A Com-
mandHandler receives the command from the CommandBuﬀer through the synchronization
of the get and handle transitions. Then, the CommandHandler forwards the command
to the TopicManager. This triggers the execute spontaneous transition during which the
client id is transferred to the epfl topic. This results in the asynchronous execution of the
add transition of the epfl topic. During the execution of add the client id is stored and
the name of the topic (epﬂ) is forwarded to the dedicated ClientProxy. The ClientProxy
stores the topic name and writes an acknowledgment in the socket while executing the add
transition in an asynchronous manner.
159
Appendix A. Appendix
A.2 List of requirements of CubETH case study
ID Description
CDMS-001 The CDMS shall be connected to the following sub-systems: Payload
(PL), Communication (COM), Electrical Power Subsystem (EPS) through
an I2C bus.
CDMS-003 The CDMS shall supervise the correct execution of the software functions
on the other subsystems. If a sensor or subsystem indicates anomalous
signals the CDMS shall ask the EPS for a reset of the malfunctioning
hardware.
CDMS-004 The CDMS shall be able to save its status in order to resume correct
operations following an unexpected reset.
CDMS-006 The CDMS shall manage the data generated from the payload and
housekeeping routines in a non volatile memory.
CDMS-007 The CDMS shall periodically reset both the internal and external watch-
dogs and contact the EPS subsystem with a “heartbeat".
PL-001 The Payload shall be able to add a scenario to the payload board.
PL-002 The Payload shall be able to execute scenario telecommand.
PL-003 The Payload shall be able to abort any operation on the payload and data
transfer to transfer data from the payload to the non volatile memory.
PL-004 The Payload shall be able to check the advancement of the payload board
internals algorithms
PL-005 The Payload shall be able to track the upload, execution and result
retrieval of a scenario and enable the corresponding actions.
PL-006 The Payload subsystem shall have the following modes: IDLE, SCE-
NARIO_READY, STARTED and RESULT_READY.
PL-007 The payload shall operate when it is not in IDLE mode.
PL-008 In SCENARIO_READY mode a scenario shall be loaded on the payload
board.
PL-009 In STARTED mode, the payload data acquisition shall begin.
PL-010 The payload shall poll the payload board to check if its memory is full.
If the memory is full, the payload shall change to RESULT_READY
mode.
PL-011 In RESULT_READY mode, the data shall be transferred to the CDMS
non-volatile memory. If the data retrieval is not ﬁnished, payload shall
continue the payload data acquisition until the data retrieval is completed.
HK-001 The CDMS shall have a Housekeeping activity dedicated to each subsys-
tem.
HK-003 When line-of-sight communication is possible, housekeeping information
shall be transmitted through the COM subsystem.
HK-004 When line-of-sight communication is not possible, housekeeping informa-
tion shall be written to the non-volatile ﬂash memory.
160
A.3. BIP model of CubETH case study
HK-005 A Housekeeping subsystem shall have the following states: NOMINAL,
ANOMALY, and CRITICAL_FAILURE.
HK-006 In NOMINAL state, the subsystem shall perform correctly.
HK-007 If a process failure occurs or if the engineering data are not correct the
subsystem shall enter the ANOMALY state.
HK-008 After MAX1 seconds in ANOMALY, the subsystem shall enter the
CRITICAL_FAILURE state.
HK-009 In CRITICAL_FAILURE state, the subsystem shall contact the EPS
and demand a restart of the malfunctioning subsystem.
HK-010 During NOMINAL operation the subsystem shall be contacted to retrieve
engineering data.
I2C-001 A single user shall send one message at a time.
I2C-002 I2C_sat shall implement the I2C protocol.
Log-001 Every time a hardware error is produced, it shall be stored in a memory
region in the RAM.
Log-002 The dedicated RAM region shall be read and written atomically.
Mem-001 The Central Software System shall have a dedicated Flash Memory
Manager activity for managing ﬂash memory operations.
Mem-002 Flash memory shall be read and written atomically.
Mem-003 Flash Memory Manager shall return the SUCCESS or FAIL status for
each requested operation.
Mem-004 Upon a read request, the Flash Memory Manager shall read the data
from the ﬂash memory and perform the Circular Redundancy Check
(CRC).
Mem-005 If CRC fails, the Flash Memory Manager shall reread the data from the
ﬂash memory.
Mem-006 For the same read request, the number of attempts by the Flash Memory
Manager to read data from the ﬂash memory shall have a value not larger
than the parameter MAX_FM_READS.
Mem-007 If the number of attempts by the Flash Memory Manager to read data
from the ﬂash memory exceeds MAX_FM_READS, the read operation
shall be abandoned and a failure shall be reported.
Table A.1 – CubETH: Complete list of requirements
A.3 BIP model of CubETH case study
In this section, we present the full componentization of the case study. The complete model
consists of 22 operand components and 27 coordinator components. We omit the presentation
of the CDMS status compound, which was already presented in Section 6.1.2. We have
1MAX is a parameter. Its value must be ﬁxed through analysis or simulation.
161
Appendix A. Appendix
Figure A.4 – Meaning of connections between hexagons in Figure 6.2
(a) The I2C_sat library com-
ponent
(b) The memory library com-
ponent
(c) The message library com-
ponent
Figure A.5 – Library components
shown the high level interaction model of the case study in Figure 6.2. As discussed earlier,
we use hexagons to group interaction patterns of components. The meaning of connections
between the hexagons in Figure 6.2 is explained in Figure A.4.
Libraries
The model includes three library components that contain helper C/C++ functions. Fig-
ure A.5 shows the I2C_sat_LIBRARY, the MEMORY_LIBRARY and the MESSAGE_LIBRARY com-
ponents. All of them are operands. I2C_sat_LIBRARY contains functions that allow com-
munication on the I2C_sat bus. I2C_sat_LIBRARY contains functions that allow writing,
reading and checking the CRC in the non-volatile ﬂash memory. I2C_sat_LIBRARY allows a
user to compose a message that is going to be send over the I2C_sat bus and also to decode
a message received from the I2C_sat bus.
162
A.3. BIP model of CubETH case study
(a) The s3_5 component (b) The s3_6 component
Figure A.6 – Housekeeping report enable and disable
(a) The s15_1 component (b) The s15_2 component
Figure A.7 – Packet storage enable and disable
Housekeeping report enable, housekeeping report disable
The model includes two service components, namely s3_5 and s3_6, that are in charge of
the activation and deactivation of the housekeeping subsystems. Both of them are operand
components.
Packet storage enable and packet storage disable
The model includes two service components, namely s15_1 and s15_2, that modify the
destination of the housekeeping data, which is either the non-volatile memory or the COM
subsystem. Both of them are operand components.
163
Appendix A. Appendix
Figure A.8 – The error logging compound
Error logging
The Error logging compound, shown in Figure A.8, protects a speciﬁc RAM region that
is accessible by many users. Every time a hardware error is produced, the error is stored in
an array managed by this compound. No two users can log an error at the same time. It is
composed of an operand component Log and a Mutual exclusion coordinator Log MUTEX.
Payload
The Payload (PL) compound, shown in Figure A.9, is in charge of payload operations. It is
composed of the following subcomponents: 1) s128_1 which adds a scenario to the payload
board; 2) s128_4 which executes a scenario telecommand; 3) 128_5 which aborts a payload
operation; 4) data_transfer which transfers data from the payload to the non-volatile
memory; 5) status_verification which checks the advancement of the payload board
internal algorithms and 6) and a PL mode management coordinator.
The s128_1. s128_4, s128_5 and the status_verification components consist of a Mutual
exclusion coordinator and a 128_* process operand. The data_transfer component
consists of a Mode manager coordinator and the data_transfer process operand. The
status_verification component consists of the status_verification process operand
and a Mutex coordinator.
Payload has four modes of operation (IDLE, SCENARIO_READY, STARTED and RESULT_READY),
which comprise the states of the PL mode management coordinator. In IDLE mode, the
payload does not operate. In SCENARIO_READY mode, a scenario is loaded on the payload
board. In STARTED mode, the payload data acquisition begins. The status_verification
component polls the payload board to check whether its memory is full. Once the memory is
full, the mode changes to SCENARIO_READY. SCENARIO_READY mode, the data is transferred
to the non-volatile ﬂash memory, through the data_transfer component.
164
A.3. BIP model of CubETH case study
Fi
gu
re
A
.9
–
T
he
Pa
yl
oa
d
co
m
po
un
d
165
Appendix A. Appendix
Housekeeping subsystems
There are three Housekeeping subsystems, namely HK PL, shown in Figure A.10, HK EPS,
shown in Figure A.11, and HK COM, shown in Figure A.12, that are in charged of recovering
engineering from the PL, EPS, COM subsystems of the satellite, respectively. They are composed
of the same subcomponents: 1) a HK MUTEX coordinator; 2) an HK process operand; 3) an
HK MODE MANAGER coordinator; 4) an Packet store MODE MANAGER coordinator and 5) a
HK FAILURE MONITORING coordinator.
The HK MUTEX component ensures mutual exclusion on the access of the subsystem. During
NOMINAL operation, a subsystem is contacted to retrieve engineering data. That data is then
sent to the non-volatile memory or directly to the COM subsystem, depending on the Packet
store MODE MANAGER coordinator. The HK MODE MANAGER inhibits the HK process.
Internal Housekeeping
The HK CDMS compound, shown in Figure A.13, is internal to the CDMS subsystem. It is very
similar to the rest of Housekeeping subsystems. The diﬀerence is that the Housekeeping
data of the HK CDMS is not retrieved through the I2C bus but through internal processes (e.g.
GPIO and state registers). The Failure monitoring coordinator is also removed because the
EPS subsystem directly monitors the HK CDMS through the heartbeats.
I2C_sat
The I2C_sat compound, shown in Figure A.14, implements the I2C_sat bus protocol. The
request transition is enabled as soon as a user wants to send a message through the I2C bus.
It consists of the I2C_sat read operand, the I2C_sat MODE MANAGEMENT coordinator and
the I2C_sat write operand. Mutual exclusion is ensured by the fact that this compound is
the only one implementing the use of the I2C peripheral. Thus, once a request is issued no
other user can access the bus until it has retuned to the IDLE state of I2C_sat write.
The send transition of I2C_sat write sends a message to the selected slave on the line.
The poll transition of I2C_sat read fetches an answer from the slave.
Flash memory management
The reading and writing procedures to the external non-volatile NOR ﬂash memory are
represented by the compound shown in Figure A.15. The memory device can be read and
written through the write and read transitions. The Flash Memory MUTEX compound ensures
that the memory is accessed by the users atomically. It consists of two operands (Flash
Memory Write and Flash Memory Read), two Mode Manager coordinators and a Mutual
exclusion coordinator.
166
A.3. BIP model of CubETH case study
Figure A.10 – The Housekeeping Payload compound
Figure A.11 – The Housekeeping EPS compound
167
Appendix A. Appendix
Figure A.12 – The Housekeeping COM compound
Figure A.13 – The Internal Housekeeping compound
168
A.3. BIP model of CubETH case study
Figure A.14 – The I2C_sat compound
Figure A.15 – The ﬂash memory compound
169
Appendix A. Appendix
After a write request, Flash Memory Write takes the buﬀer prepared by the user and starts
writing it in the memory. From WAIT to STATUS_WRITE there is an internal transition which
adds a delay for a certain period of time. This is the minimum time to wait for the memory
device to eﬀectively write on the buﬀer. If the buﬀer is bigger than the write sector, then
this procedure continues (synchronization of write with the continue of the Write MODE
MANAGER). If there is no more data to write and the procedure was successful, the ok_write
transition is ﬁred and the coordinator enters the DONE state. The internal finish transition
leads back to the WRITE_BUFFER state. If the memory does not perform as expected, e.g.
internal timeout or error occurs, the writing procedure is aborted with the fail transition.
After a read request, Flash Memory Read reads a part of the memory and puts data in the
buﬀer indicated by the user. After the region is read, a CRC check is performed. If the
result is declared “bad”, the memory region is read again (synchronization of read with the
continue of the Read MODE MANAGER). After a maximum number of tries is reached, the fail
transition is ﬁred. If the CRC check is successful, the ok_read transition is ﬁred to the DONE
state and the internal finish transition leads back to the READ_BUFFER state.
170
Bibliography
[1] Gul Agha. Actors: a model of concurrent computation in distributed systems. MIT
Press, Cambridge, MA, USA, 1986.
[2] Sheldon B. Akers. Binary decision diagrams. IEEE Transactions on Computers,
C-27(6):509–516, 1978.
[3] Jonathan Aldrich, Joshua Sunshine, Darpan Saini, and Zachary Sparks. Typestate-
oriented programming. In OOPSLA ’09, pages 1015–1022, New York, NY, USA, 2009.
ACM.
[4] Robert Allen and David Garlan. Formalizing architectural connection. In Proceedings
of the 16th international conference on Software engineering, pages 71–80. IEEE
Computer Society Press, 1994.
[5] Farhad Arbab. Reo: a channel-based coordination model for component composition.
Mathematical Structures in Computer Science, 14(3):329–366, 2004.
[6] Paul Attie, Eduard Baranov, Simon Bliudze, Mohamad Jaber, and Joseph Sifakis.
A general framework for architecture composability. In Proceedings of the 12th In-
ternational Conference on Software Engineering and Formal Methods (SEFM 2014),
number 8702 in LNCS, pages 128–143. Springer, 2014.
[7] Paul Attie, Eduard Baranov, Simon Bliudze, Mohamad Jaber, and Joseph Sifakis.
A general framework for architecture composability. Formal Aspects of Computing,
28(2):207–231, 2016.
[8] Krishnakumar Balasubramanian, Aniruddha Gokhale, Gabor Karsai, Janos Szti-
panovits, and Sandeep Neema. Developing applications using model-driven design
environments. Computer, 39(2):33–40, 2006.
[9] Ananda Basu, Saddek Bensalem, Marius Bozga, Jacques Combaz, Mohamad Jaber,
Thanh-Hung Nguyen, and Joseph Sifakis. Rigorous component-based system design
using the BIP framework. Software, IEEE, 28(3):41–48, 2011.
[10] Saddek Bensalem, Marius Bozga, Thanh-Hung Nguyen, and Joseph Sifakis. DFinder:
A tool for compositional deadlock detection and veriﬁcation. In Computer Aided
Veriﬁcation, pages 614–619. Springer, 2009.
171
Bibliography
[11] Saddek Bensalem, Andreas Griesmayer, Axel Legay, Thanh-Hung Nguyen, Joseph
Sifakis, and Rongjie Yan. D-Finder 2: towards eﬃcient correctness of incremental
design. In Proceedings of the 3rd international conference on NASA Formal methods,
NFM’11, pages 453–458, Berlin, Heidelberg, 2011. Springer-Verlag.
[12] BIP. http://www-verimag.imag.fr/~async/ BIP/bip.html
[13] Jan Olaf Blech. Ensuring OSGi component based properties at runtime with behavioral
types. In MoDeVVa@ MoDELS, pages 51–60. Citeseer, 2013.
[14] Jan Olaf Blech. Towards a framework for behavioral speciﬁcations of OSGi components.
formal engineering approaches to software components and architectures. Electronic
Proceedings in Theoretical Computer Science, 2013.
[15] Jan Olaf Blech and Peter Herrmann. Behavioral types for component-based develop-
ment of cyber-physical systems. In Software Engineering and Formal Methods, pages
43–52. Springer, 2015.
[16] Simon Bliudze, Alessandro Cimatti, Mohamad Jaber, Sergio Mover, Marco Roveri,
Wajeb Saab, and Qiang Wang. Formal veriﬁcation of inﬁnite-state BIP models. In
International Symposium on Automated Technology for Veriﬁcation and Analysis, pages
326–343. Springer, 2015.
[17] Simon Bliudze, Anastasia Mavridou, Radoslaw Szymanek, and Alina Zolotukhina.
Coordination of software components with BIP: Application to OSGi. In Proceedings
of the 6th International Workshop on Modeling in Software Engineering, MiSE 2014,
pages 25–30, New York, NY, USA, 2014. ACM.
[18] Simon Bliudze, Anastasia Mavridou, Radoslaw Szymanek, and Alina Zolotukhina.
Exogenous Coordination of Concurrent Software Components with JavaBIP. Submitted
to Software - Practice and experience. Under review., 2016.
[19] Simon Bliudze and Joseph Sifakis. The algebra of connectors — Structuring interaction
in BIP. In Proc. of the EMSOFT’07, pages 11–20. ACM SigBED, October 2007.
[20] Simon Bliudze and Joseph Sifakis. The algebra of connectors—structuring interaction
in BIP. IEEE Transactions on Computers, 57(10):1315–1330, 2008.
[21] Simon Bliudze and Joseph Sifakis. Causal semantics for the algebra of connectors.
Formal Methods in System Design, 36(2):167–194, June 2010.
[22] Simon Bliudze and Joseph Sifakis. Synthesizing glue operators from glue constraints
for the construction of component-based systems. In Sven Apel and Ethan Jackson,
editors, 10th International Conference on Software Composition, volume 6708 of LNCS,
pages 51–67. Springer, 2011.
[23] Simon Bliudze, Joseph Sifakis, Marius Dorel Bozga, and Mohamad Jaber. Architecture
internalisation in BIP. In Proceedings of the 17th international ACM Sigsoft symposium
on Component-based software engineering, pages 169–178. ACM, 2014.
172
Bibliography
[24] Grady Booch, James Rumbaugh, and Ivar Jacobson. The uniﬁed modeling language
user guide. Addison-Welsley Longman Inc, 1999.
[25] Marius Bozga, Mohamad Jaber, Nikolaos Maris, and Joseph Sifakis. Modeling dynamic
architectures using Dy-BIP. In Thomas Gschwind, Flavio Paoli, Volker Gruhn, and
Matthias Book, editors, Software Composition, volume 7306 of Lecture Notes in
Computer Science, pages 1–16. Springer Berlin Heidelberg, 2012.
[26] Marco Bozzano, Alessandro Cimatti, and Cristian Mattarei. Automated analysis of
reliability architectures. In Engineering of Complex Computer Systems (ICECCS),
2013 18th International Conference on, pages 198–207. IEEE, 2013.
[27] Marco Bozzano and Adolfo Villaﬁorita. Design and safety assessment of critical
systems. CRC press, 2010.
[28] Roberto Bruni, Alberto Lluch-Lafuente, Ugo Montanari, and Emilio Tuosto. Style-
based architectural reconﬁgurations. Bulletin of the EATCS, 94:161–180, 2008.
[29] California Polytechnic State University. CubeSat Design Speciﬁcation Rev. 13, 2014.
Available online: http://www.cubesat.org/s/cds_rev13_ﬁnal2.pdf.
[30] Vincent Cavé, Zoran Budimlić, and Vivek Sarkar. Comparing the usability of library vs.
language approaches to task parallelism. In Evaluation and Usability of Programming
Languages and Tools, PLATEAU ’10, pages 9:1–9:6. ACM, 2010.
[31] Paul Clements, David Garlan, Len Bass, Judith Staﬀord, Robert Nord, James Ivers,
and Reed Little. Documenting software architectures: views and beyond. Pearson
Education, 2002.
[32] Daniel D. Corkill. Blackboard systems. AI expert, 6(9):40–47, 1991.
[33] Ivica Crnkovic and Magnus Peter Henrik Larsson. Building reliable component-based
software systems. Artech House, 2002.
[34] Carlos E Cuesta, Pablo de la Fuente, Manuel Barrio-Solórzano, and Encarnación
Beato. Coordination in a reﬂective architecture description language. In International
Conference on Coordination Languages and Models, pages 141–148. Springer, 2002.
[35] Robert Daigneau. Service design patterns: Fundamental design solutions for
SOAP/WSDL and restful Web Services. Addison-Wesley, 2011.
[36] Jeﬀrey Dean and Sanjay Ghemawat. MapReduce: Simpliﬁed data processing on large
clusters. Communications of the ACM, 51(1):107–113, January 2008.
[37] Robert DeLine and Manuel Fähndrich. Typestates for objects. In ECOOP 2004,
volume 3086 of LNCS, pages 465–490. Springer, 2004.
173
Bibliography
[38] Christopher Dragert, Juergen Dingel, and Karen Rudie. Generation of concurrency
control code using discrete-event systems theory. In Proceedings of the 16th ACM
SIGSOFT International Symposium on Foundations of Software Engineering, SIGSOFT
’08/FSE-16, pages 146–157, New York, NY, USA, 2008. ACM.
[39] Hartmut Ehrig and Barbara Konig. Deriving bisimulation congruences in the DPO
approach to graph rewriting. In FoSSaCS, volume 2987 of LNCS, pages 151–166.
Springer, 2004.
[40] Johan Eker, Jörn W Janneck, Edward A Lee, Jie Liu, Xiaojun Liu, Jozsef Ludvig,
Stephen Neuendorﬀer, Sonia Sachs, and Yuhong Xiong. Taming heterogeneity-the
ptolemy approach. Proceedings of the IEEE, 91(1):127–144, 2003.
[41] Gian Luigi Ferrari, Dan Hirsch, Ivan Lanese, Ugo Montanari, and Emilio Tuosto.
Synchronised hyperedge replacement as a model for service oriented computing. In
Formal Methods for Components and Objects, pages 22–43. Springer, 2006.
[42] David Garlan. Software architecture: a travelogue. In Proceedings of the on Future of
Software Engineering, pages 29–39. ACM, 2014.
[43] David Garlan, Robert Monroe, and David Wile. Acme: An architecture description
interchange language. In Proceedings of the 1997 Conference of the Centre for Advanced
Studies on Collaborative Research, CASCON ’97, pages 159–173. IBM Press, 1997.
[44] David Garlan and Mary Shaw. An introduction to software architecture. In Advances
in Software Engineering and Knowledge Engineering, pages 1–39. World Scientiﬁc
Publishing Company, 1993.
[45] Ioannis Georgiadis, Jeﬀ Magee, and Jeﬀ Kramer. Self-organising software architectures
for distributed systems. In Proceedings of the ﬁrst workshop on Self-healing systems,
pages 33–38. ACM, 2002.
[46] Gregor Gößler and Joseph Sifakis. Priority systems. In Frank S. de Boer, Marcello M.
Bonsangue, Susanne Graf, and Willem P. de Roever, editors, FMCO, volume 3188 of
Lecture Notes in Computer Science, pages 314–329. Springer, 2003.
[47] David Harel and Bernhard Rumpe. Meaningful modeling: what’s the semantics of
"semantics" ? Computer, 37(10):64–72, 2004.
[48] Thomas A. Henzinger and Joseph Sifakis. FM 2006: Formal Methods: 14th Inter-
national Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006.
Proceedings, chapter The Embedded Systems Design Challenge, pages 1–15. Springer
Berlin Heidelberg, Berlin, Heidelberg, 2006.
[49] Dan Hirsch, Paola Inverardi, and Ugo Montanari. Modeling software architectures
and styles with graph grammars and constraint solving. In Patrick Donohoe, editor,
Software Architecture, volume 12 of IFIP, pages 127–143. Springer, 1999.
174
Bibliography
[50] Charles Antony Richard Hoare. Communicating Sequential Processes. Prentice Hall
International Series in Computer Science. Prentice Hall, April 1985.
[51] Gregor Hohpe and Bobby Woolf. Enterprise integration patterns: designing, building,
and deploying messaging solutions. Addison-Wesley Longman Publishing Co., Inc.,
Boston, MA, USA, 2003.
[52] Yi Huang, Eric Cheung, Laura K. Dillon, and R. E. Kurt Stirewalt. A thread
synchronization model for SIP servlet containers. In IPTComm ’09, pages 7:1–7:12.
ACM, 2009.
[53] ISO/IEC/IEEE 42010. Systems and software engineering — Architecture description,
2011.
[54] James Ivers, Paul Clements, David Garlan, Robert Nord, Bradley Schmerl, and Jaime R
Silva. Documenting component and connector views with UML 2.0. Technical report,
DTIC Document, 2004.
[55] Daniel Jackson. Alloy: A lightweight object modelling notation. ACM Trans. Softw.
Eng. Methodol., 11(2):256–290, April 2002.
[56] Ethan K Jackson and Janos Sztipanovits. Using separation of concerns for embedded
systems design. In Proceedings of the 5th ACM international conference on Embedded
software, pages 25–34. ACM, 2005.
[57] Pallavi Joshi and Koushik Sen. Predictive typestate checking of multithreaded java
programs. In Proceedings of the 2008 23rd IEEE/ACM international conference on
automated software engineering, pages 288–296. IEEE Computer Society, 2008.
[58] Tomas Kalibera and Petr Tuma. Distributed component system based on architecture
description: The Sofa experience. In On the Move to Meaningful Internet Systems
2002: CoopIS, DOA, and ODBASE, pages 981–994. Springer, 2002.
[59] P.K. Kapur, R.B. Garg, and Santosh Kumar. Contributions to hardware and software
reliability, volume 3. World Scientiﬁc, 1999.
[60] Uwe Keller. Some remarks on the deﬁnability of transitive closure in ﬁrst-order logic
and Datalog. Internal report, Digital Enterprise Research Institute (DERI), University
of Innsbruck, 2004.
[61] Jung Soo Kim and David Garlan. Analyzing architectural styles with Alloy. In
Proceedings of the ISSTA 2006 Workshop on Role of Software Architecture for Testing
and Analysis, ROSATEA ’06, pages 70–80, New York, NY, USA, 2006. ACM.
[62] Christian Koehler, Alexander Lazovik, and Farhad Arbab. Connector rewriting with
high-level replacement systems. Electronic Notes in Theoretical Computer Science,
194(4):77–92, 2008.
175
Bibliography
[63] Christian Krause, Ziyan Maraikar, Alexander Lazovik, and Farhad Arbab. Modeling
dynamic reconﬁgurations in Reo using high-level replacement systems. Sci. of Comp.
Prog., 76(1):23–36, 2011.
[64] Daniel Le Métayer. Describing software architecture styles using graph grammars.
IEEE Transactions on Software Engineering, 24(7):521–533, July 1998.
[65] Douglas Lea. Concurrent programming in Java: design principles and patterns. Addison-
Wesley Professional, 2000.
[66] Edward A. Lee and Yuhong Xiong. A behavioral type system and its application in
Ptolemy II. Formal Aspects of Computing, 16(3):210–237, 2004.
[67] Leonid Libkin. Elements of ﬁnite model theory. Springer Science & Business Media,
2013.
[68] David C. Luckham. Rapide: A language and toolset for simulation of distributed
systems by partial orderings of events, 1996.
[69] Ivano Malavolta, Patricia Lago, Henry Muccini, Patrizio Pelliccione, and Anthony Tang.
What industry needs from architectural languages: A survey. Software Engineering,
IEEE Transactions on, 39(6):869–891, 2013.
[70] Anastasia Mavridou, Eduard Baranov, Simon Bliudze, and Joseph Sifakis. Conﬁgura-
tion logics: Modelling architecture styles. 2015. Proceedings of the 12th International
Conference on Formal Aspects of Component Software, Springer, 2015.
[71] Anastasia Mavridou, Eduard Baranov, Simon Bliudze, and Joseph Sifakis. Architecture
Diagrams: A Graphical Language for Architecture Style Speciﬁcation. In Proceedings of
the 9th Interaction and Concurrency Experience, Electronic Proceedings in Theoretical
Computer Science, 2016.
[72] Anastasia Mavridou, Eduard Baranov, Simon Bliudze, and Joseph Sifakis. Conﬁgura-
tion Logics and Architecture Diagrams for Modelling Architecture Styles. Submitted
to Science of Computer Programming. Under review, 2016.
[73] Anastasia Mavridou, Eduard Baranov, Simon Bliudze, and Joseph Sifakis. Conﬁgura-
tion logics: Modeling architecture styles. Journal of Logical and Algebraic Methods in
Programming, 86(1):2 – 29, 2017.
[74] Anastasia Mavridou, Emmanouela Stachtiari, Simon Bliudze, Anton Ivanov, Panagiotis
Katsaros, and Joseph Sifakis. Architecture-based Design: A Satellite On-board Software
Case Study. Accepted to the 13th International Conderence of Formal Aspects in
Component Software. To appear, 2016.
[75] Nenad Medvidovic and Richard N Taylor. A classiﬁcation and comparison framework for
software architecture description languages. Software Engineering, IEEE Transactions
on, 26(1):70–93, 2000.
176
Bibliography
[76] Robin Milner. Communication and Concurrency. Prentice Hall International Series in
Computer Science. Prentice Hall, 1989.
[77] Dan North. JBehave. A framework for behaviour driven development (BDD), 2011.
[78] OMG Uniﬁed Modeling Language (OMG UML) speciﬁcation, Version 2.5. http:
//www.omg.org/spec/UML/2.5/. (Accessed on 19/01/2016).
[79] Mourad Oussalah, Adel Smeda, and Tahar Khammaci. An explicit deﬁnition of
connectors for component-based software architecture. In Engineering of Computer-
Based Systems, 2004. Proceedings. 11th IEEE International Conference and Workshop
on the, pages 44–51. IEEE, 2004.
[80] Mert Ozkaya and Christos Kloukinas. Are we there yet? Analyzing architecture
description languages for formal analysis, usability, and realizability. In Software
Engineering and Advanced Applications (SEAA), 2013 39th EUROMICRO Conference
on, pages 177–184. IEEE, 2013.
[81] Mert Ozkaya and Christos Kloukinas. Design-by-contract for reusable components
and realizable architectures. In Proceedings of the 17th international ACM Sigsoft
symposium on Component-based software engineering, pages 129–138. ACM, 2014.
[82] Sebastian Pavel, Jacques Noyé, Pascal Poizat, and Jean-Claude Royer. A Java
implementation of a component model with explicit symbolic protocols. In Software
Composition, volume 3628 of LNCS, pages 115–124. Springer, 2005.
[83] Doron A. Peled. Software reliability methods. Springer Science & Business Media,
2013.
[84] Dewayne E. Perry and Alexander L. Wolf. Foundations for the study of software
architecture. ACM SIGSOFT Software Engineering Notes, 17(4):40–52, 1992.
[85] Gordon D. Plotkin. A structural approach to operational semantics. Technical Report
DAIMI FN-19, University of Aarhus, 1981.
[86] Grzegorz Rozenberg. Handbook of graph grammars and computing by graph transfor-
mation, volume 1. World Scientiﬁc, 1997.
[87] Mary Shaw, Robert DeLine, Daniel V. Klein, Theodore L. Ross, David M. Young, and
Gregory Zelesnik. Abstractions for software architecture and tools to support them.
IEEE Transactions on software engineering, 21(4):314–335, 1995.
[88] Mary Shaw and David Garlan. Software architecture: perspectives on an emerging
discipline, volume 1. Prentice Hall Englewood Cliﬀs, 1996.
[89] Joseph Sifakis. A framework for component-based construction. In Third IEEE
International Conference on Software Engineering and Formal Methods (SEFM’05),
pages 293–299. IEEE, 2005.
177
Bibliography
[90] Joseph Sifakis. Rigorous system design. In Proceedings of the 2014 ACM symposium
on Principles of distributed computing, pages 292–292. ACM, 2014.
[91] Joseph Sifakis, Saddek Bensalem, Simon Bliudze, and Marius Bozga. A theory agenda
for component-based design. In Software, Services, and Systems, pages 409–439.
Springer, 2015.
[92] James Smith and Giovanni De Micheli. Automated composition of hardware compo-
nents. In Proceedings of the 35th annual Design Automation Conference, pages 14–19.
ACM, 1998.
[93] Carlos Solís and Xiaofeng Wang. A study of the characteristics of behaviour driven
development. In SEAA 2011, pages 383–387. IEEE, 2011.
[94] Agence spatiale européenne and Karen Fletcher. Sentinel-3: ESA’s Global Land and
Ocean Mission for GMES Operational Services. ESA communications, 2012.
[95] Herb Sutter and James Larus. Software and the concurrency revolution. Queue,
3(7):54–62, September 2005.
[96] Richard N Taylor, Nenad Medvidovic, and Eric M Dashofy. Software architecture:
foundations, theory, and practice. Wiley Publishing, 2009.
[97] Darshan D. Thaker, Rajeevan Amirtharajah, Francois Impens, Isaac L. Chuang, and
Frederic T. Chong. Recursive TMR: Scaling fault tolerance in the nanoscale era. Design
& Test of Computers, IEEE, 22(4):298–305, 2005.
[98] The Apache Software Foundation. Apache Camel:Routes. http://camel.apache.org/
routes.html. (Accessed on 12/02/2016.).
[99] Rob Van Ommering, Frank Van Der Linden, Jeﬀ Kramer, and Jeﬀ Magee. The Koala
component model for consumer electronics software. Computer, 33(3):78–85, 2000.
[100] Jos B. Warmer and Anneke G. Kleppe. The Object Constraint Language: Precise
Modeling With UML. Addison-Wesley, 1998.
[101] Peter Wegner. Coordination as constrained interaction (extended abstract). In Paolo
Ciancarini and Chris Hankin, editors, Coordination Languages and Models, volume
1061 of Lecture Notes in Computer Science, pages 28–33. Springer Berlin Heidelberg,
1996.
[102] John Whaley, Michael C. Martin, and Monica S. Lam. Automatic extraction of
object-oriented component interfaces. SIGSOFT Softw. Eng. Notes, 27(4):218–228,
July 2002.
[103] Anthony Williams. C++ Concurrency in Action: Practical Multithreading. Manning
Publications, 2012.
178
Bibliography
[104] Eoin Woods and Rich Hilliard. Architecture description languages in practice ses-
sion report. In Proceedings of the 5th Working IEEE/IFIP Conference on Software
Architecture (WICSA’05), pages 243–246. IEEE Computer Society, 2005.
[105] Charles Zhang. FlexSync: An aspect-oriented approach to Java synchronization. In
Proceedings of the 31st International Conference on Software Engineering, ICSE ’09,
pages 375–385, Washington, DC, USA, 2009. IEEE Computer Society.
[106] Da-Qian Zhang, Kang Zhang, and Jiannong Cao. A context-sensitive graph grammar
formalism for the speciﬁcation of visual languages. The Computer Journal, 44(3):186–
200, 2001.
179
ANASTASIA MAVRIDOU
EPFL – Rigorous System Design Laboratory 
INJ 338 Station 14,1015 Lausanne, Switzerland 
Email: anastasia.mavridou@epfl.ch 
Web: https://people.epfl.ch/anastasia.mavridou 
École Polytechnique Fédérale de Lausanne (EPFL), Switzerland           September 2012 – present     
PhD in Computer Science 
• PhD thesis title: Modeling Architecture Styles 
• Supervisors: Prof. Joseph Sifakis and Dr. Simon Bliudze 
• Studied Configuration Logics (propositional and higher-order) and Architecture Diagrams 
(graphical language) for modeling architecture styles 
◦ Identified and modeled architecture styles of on-board satellite software 
◦ This work was partially funded by the European Space Agency (ESA) as part of the 
Catalogue of System and Software Properties project 
• Designed and implemented the JavaBIP engine for run-time coordination of software 
components 
◦ Symbolic implementation based on Binary Decision Diagrams  
◦ Implementation available online at: http://risd.epfl.ch/javabip 
◦ This work was partially funded by the Swiss Commission for Technology and Innovation 
as part of the Coordination of software components in Java project 
University of Tulsa (TU), Oklahoma, USA                                                    August 2010 – May 2012 
MSc in Computer Science  
• GPA: 4.0/4.0 
• MSc thesis title: A Situational Awareness Framework for the Smart Grid 
• Supervisor: Prof. Mauricio Papa 
Aristotle University of Thessaloniki (AUTH), Greece                       October 2004 – February 2010 
Dipl.-Ing (5-year program) in Electrical and Computer Engineering  
• Diploma thesis title: Information Assurance for Cybersecurity and Critical Infrastructure 
Protection: Policies, Guidelines and Standards 
• Supervisors: Prof. George Pangalos (AUTH, Greece) and Prof. Bernard S. Doherty (Aston 
University, UK) 
• Architecture-based design 
◦ Specification of architecture styles 
◦ Formal semantics 
◦ Synthesis of configurations 
◦ Composition of architecture styles 
• Coordination of software components 
◦ BIP coordination mechanisms 
◦ Separation of concerns between functionality and coordination 
◦ Coordination of dynamic systems 
• Modeling and analysis of critical systems 
◦ Correctness by construction 
EDUCATION
RESEARCH INTERESTS
Supervision of a Master thesis, EPFL                                                       February 2015 – June 2016 
• Title: Introducing Dynamicity in JavaBIP 
• Student name: Valentin Rutz 
• Extended the theory and implementation of the JavaBIP framework with dependency graphs to 
handle insertion and deletion of components at run-time 
Research Visit, Vanderbilt University                                                           June 2015 – August 2015 
• Institute for Software Integrated Systems, Nashville, Tennessee, USA 
• Supervisor: Prof. Janos Sztipanovits 
• Modeled architecture styles of the Greybus protocol (Google Ara Project) using Configuration 
Logics and Architecture Diagrams 
Graduate Research Assistant, TU                                                                  August 2010 – May 2012 
• Institute for Information Security, Tulsa, Oklahoma, USA 
• Worked on a Critical Infrastructure Protection research project partially funded by DARPA 
• Designed and developed a monitoring system that collects and analyzes industrial traffic of 
SCADA systems to detect behavioral anomalies 
• Supervised two undergraduate students 
Industrial Internship                                                                                      June 2008 – August 2008 
• Panel Industrial Electric company, Istanbul, Turkey 
• Industrial internship as part of the IAESTE student exchange program 
• Developed Ladder Logic programs for Siemens Programmable Logic Controllers 
Reviewer for Journal 
• Information Systems, Elsevier 
Teaching Assistant, EPFL                                                                             September 2013 – present 
• Programming in C (CS-111(f) & CS-111(b)) 
◦ taught  undergraduate students in exercise sessions 
◦ updated course contents 
◦ graded exams 
• Concurrency (CS 206) 
◦ taught undergraduate students in exercise sessions 
◦ graded projects and exams 
• Linear Algebra (MATH-111(e)) 
◦ taught undergraduate students in exercise sessions 
Proceedings 
1. Mavridou, A., Stachtiari, E., Bliudze, S., Ivanov, A., Katsaros, P., & Sifakis, J. (2016). 
Architecture-based Design: A Satellite On-board Software Case Study. Accepted to the 13th 
International Conference on Formal Aspects of Component Software. 
PROFESSIONAL EXPERIENCE
TEACHING EXPERIENCE
PUBLICATIONS
2. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Architecture Diagrams: A 
Graphical Language for Architecture Style Specification. 9th Interaction and Concurrency 
Experience. Electronic Proceedings in Theoretical Computer Science. 
3. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2015). Configuration Logics: Modelling 
Architectures Styles. 12th International Conference on Formal Aspects of Component Software. 
Lecture Notes in Computer Science 9539. 
4. Bliudze, S., Mavridou, A., Szymanek, R., & Zolotukhina, A. (2014). Coordination of software 
components with BIP: application to OSGi. 6th International Workshop on Modeling in 
Software Engineering (pp. 25-30). ACM. 
5. Mavridou, A., & Papa, M. (2012). A Situational Awareness Architecture for the Smart Grid. 
7th International Conference on Global Security, Safety and Sustainability & e-Democracy (pp. 
229-236). Springer. 
6. Kerkiri, T., Manitsaris, A., Mavridou, A. (2007). Reputation Metadata for Recommending 
Personalized e-Learning Resources. 2nd International Workshop on Semantic Media Adaptation 
and Personalization (pp.110-115). IEEE. 
Journal 
1. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Configuration Logics and 
Architecture Diagrams for Modelling Architecture Styles. Submitted to: Science of Computer 
Programming. Under review. 
2. Bliudze, S., Mavridou, A., Szymanek, R., & Zolotukhina, A. (2016). Exogenous Coordination 
of Concurrent Software Components with JavaBIP. Submitted to: Software: Practice and 
Experience. Under review. 
3. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Configuration Logics: Modelling 
Architectures Styles. Journal of Logical and Algebraic methods in Programming. 
4. Mavridou, A., Zhou, V., Dawkins, J., & Papa, M. (2012). A situational awareness framework 
for securing the smart grid using monitoring sensors and threat models. International Journal 
of Electronic Security and Digital Forensics, 4(2/3), 138-153. 
Book chapter 
1. Brundage, M., Mavridou, A., Johnson, J., Hawrylak, P. J., & Papa, M. (2012). Distributed 
Monitoring: A Framework for Securing Data Acquisition. Securing Critical Infrastructures and 
Critical Control Systems: Approaches for Threat Protection, 144. 
Technical reports 
1. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2016). Architecture Diagrams- A 
Graphical Language for Architecture Style Specification. EPFL Technical report. 
2. Mavridou, A., Baranov, E., Bliudze, S., & Sifakis, J. (2015). Configuration Logics - Modelling 
Architecture Styles. EPFL Technical report. 
3. Bliudze, S., Mavridou, A., Szymanek, R., & Zolotukhina, A. (2013). Integration of BIP into 
Connectivity Factory: Implementation. EPFL Technical report. 
Presentations 
1. Bliudze, S., Mavridou, A., Szymanek R., & Zolotukhina, A. (2013). For Coordination, State 
Component Transitions. EclipseCon. 
2. Brundage, M., Johnson, J., Mavridou, A., Hawrylak, P., Papa, M. (2011). The Internet of 
Things - Critical Infrastructure: Complete Security Solution. AIM Expo. 
• Participation fund, Marktoberdorf Summer School on Dependable Software Systems 
Engineering, Germany (2014) 
• Graduate Tuition Award, University of Tulsa, USA (8/2010 – 5/2012) 
• Erasmus scholarship, Aston University, UK (3/2008-6/2008) 
• Distinction and award, Ministry of Education, Greece (2004) 
Programming languages and tools 
• Java, C/C++ 
• Matlab, Ladder Logic 
• JavaBDD and CUDD libraries for manipulating Binary Decision Diagrams  
Modelling languages and tools 
• BIP 
• Alloy, Alloy Analyzer 
Other tools 
• Z3 theorem prover 
• nuXmv model checker 
• JaCoP constraint solver 
Languages 
• Greek: native 
• English: full professional 
• French: basic 
FUNDS AND SCHOLARSHIPS
SKILLS 
