A visual framework for formal systems development using interval temporal logic. by Chakrapani Rao, Arun
A VISUAL FRAMEWORK FOR 
FORMAL SYSTEMS DEVELOPMENT 
USING INTERVAL TEMPORAL LOGIC 
Ph.D. Thesis 
De Montfort University 
Software Technology Research Laboratory 
Arun Chakrapani Rao 
2002 
Abstract 
This thesis will give an introduction to specification methods for real-
time safety-critical systems includingformal methods. While formal meth-
ods offer various benefits for developing systems and software by virtue 
of their precise semantics, their uptake by a wider spectrum of users, in-
cluding system and software engineers, is hampered by various drawbacks. 
The mathematical notations of formalisms form the main stumbling block 
in their comprehension and hence lead to associated accessibility prob-
lems. Visual languages are excellent candidates as a means to overcome 
this problem. However, most visual languages lack a well-defined formal 
semantics. Hence, the creation of a visual development suite supporting 
refinement and abstraction based on a well-defined formalism has been 
attempted. The Interval Temporal Logic (ITL) formalism is described in 
detail as it forms the basis for our development method. A study was con-
ducted to see how visualisation helps in various domains in fostering in-
creased accessibility of information, language and technology. Identifying 
a design rationale, a simple, intuitive and readable visual language, called 
VisITL with a well-defined formal semantics was designed. A support-
ing visual framework of refinement and abstraction rules was also devised. 
Examples are given depicting the application of these rules to VisITL spec-
ifications. Case studies undertaken to illustrate the use of this visual frame-
work are described. The VisITL tool demonstrates the realisability of this 
approach. Comparisons to related work are made and suggestions are given 
for future efforts in this area. 
Abstract 
This thesis will give an introduction to specification methods for real-
time safety-critical systems includingformal methods. While formal meth-
ods offer various benefits for developing systems and software by virtue 
of their precise semantics, their uptake by a wider spectrum of users, in-
cluding system and software engineers, is hampered by various drawbacks. 
The mathematical notations of formalisms form the main stumbling block 
in their comprehension and hence lead to associated accessibility prob-
lems. Visual languages are excellent candidates as a means to overcome 
this problem. However, most visual languages lack a well-defined formal 
semantics. Hence, the creation of a visual development suite supporting 
refinement and abstraction based on a well-defined formalism has been 
attempted. The Interval Temporal Logic (ITL) formalism is described in 
detail as it forms the basis for our development method. A study was con-
ducted to see how visualisation helps in various domains in fostering in-
creased accessibility of information, language and technology. Identifying 
a design rationale, a simple, intuitive and readable visual language, called 
VislTL with a well-defined formal semantics was designed. A support-
ing visual framework of refinement and abstraction rules was also devised. 
Examples are given depicting the application of these rules to VisITL spec-
ifications. Case studies undertaken to illustrate the use of this visual frame-
work are described. The VisITL tool demonstrates the realisability of this 
approach. Comparisons to related work are made and suggestions are given 
for future efforts in this area. 
Declaration 
I declare that the work described in my thesis is original work undertaken by me be-
tween September 1997 to September 2000, for the degree of Doctor of Philosophy, at 
De Montfort University, United Kingdom. 
This thesis is written by me and produced using Jb.TEX. 
1 
Acknowledgements 
I wish to sincerely acknowledge the help, motivation and encouragement provided to 
me by all my supervisors. In particular, I wish to thank Dr. Antonio Cau, my first super-
visor, with whom I had regular contact and interesting discussions and Prof. Hussein 
Zedan, my second supervisor, with whom I had interesting discussions apart from a lot 
of encouragement and support. I also wish to acknowledge the help from my second 
"second supervisor", Dr. Ben Moszkowski, with whom I had several useful discussions 
and e-mail exchanges. 
The source of inspiration and help that came from my colleagues at the Software 
Technology Research Laboratory is gratefully acknowledged. 
The Research Methods Training Programme is another source which gave me the 
insight and courage to persevere with my research in a positive frame of mind. Thanks 
are due to the research unit for organising this and also helping me keep track of my 
own progress through assessment at regular intervals. 
I also acknowledge the help received from staff and students at the EMTERC during 
my initial difficult months in research which also coincided with my first stay abroad. 
Last but not the least, I wish to acknowledge the support I received from my wife 
Roopa, our family abroad; especially my brother, Praveen, and sister, Brinda. Their 
patience and encouragement has been invaluable. 
11 
I dedicate this thesis to my parents. 
R. Chakrapani Rao and Prema Chakrapani. 
III 
Contents 
1 Overview 1 
2 Formal Software Development Techniques 4 
2.1 Software Development - Process Models and Strategies . 4 
2.1.1 Software Development Process Model . 4 
2.1.2 Software Development Strategy 9 
2.2 Specification .............. 11 
2.3 Real-Time Safety-Critical Systems (RT-SC) Systems 15 
2.4 Specification Methods for Real-Time Safety-Critical Systems . 16 
2.4.1 A Note on Different Levels of Formality . 16 
2.4.2 Models Based on Logic 16 
2.4.3 State Machine Models 19 
2.4.4 Process Algebras . . . 21 
2.5 Analysis Techniques for Real-Time Safety-Critical Systems. 21 
2.5.1 SimulatinglExecuting Specifications . 22 
2.5.2 Model-theoretic Reasoning . . 22 
2.5.3 Proof-theoretic Reasoning 23 
2.6 On the Choice of ITL for this Work 24 
2.7 Drawbacks of Formal Methods . 24 
2.8 Summary ............ 26 
iv 
CONTENTS CONTENTS 
3 Visualisation, Visual Languages and their Design Rationale 28 
3.1 The "What and Whys" of Visualisation. 28 
3.1.1 Public Signs .......... 28 
3.1.2 Operating Systems and Programming Environments 30 
3.1.3 Visual Programming and Program Visualisation . 32 
3.1.4 Computer Simulations 33 
3.1.5 Structured Analysis . . 34 
3.1.6 State Transition Diagrams 34 
3.1.7 Statecharts ....... 36 
3.1.8 Statechart-like Notations 39 
3.1.9 Stateftow Diagrams . 40 
3.1.10 Petri Nets 42 
3.1.11 GIL ... 44 
3.1.12 Ladder Logic Diagrams 46 
3.1.13 Z Schema ........ 48 
3.1.14 Specification Diagrams in UML 48 
3.2 Important Design Features for Visual Representations . 51 
3.3 Chapter Summary . ................... 52 
4 VisITL S4 
4.1 Interval Temporal Logic (ITL) 54 
4.2 Syntax of the Logic 55 
4.2.1 Model ... 58 
4.2.2 Basic ITL Terminology . 59 
4.2.3 Interpretation of Expressions and Formulas 62 
4.2.4 Validity and Satisfiability . 64 
4.2.5 Proof System for ITL . . . 64 
4.2.6 Examples using the ITL Constructs 67 







Execution of Specifications . . . . 
4.3.1 Executable Specifications 
4.3.2 Introduction to Tempura 
4.3.3 Syntax of Tempura . 
4.3.4 Tempura Interpreter 
4.3.5 Examples in Tempura 
4.3.6 Non-executability in Tempura 
4.3.7 Limitations of Tempura . 
Summary of the Sections on ITL 
VisITL .............. 












4.6.1 Key Requirements for a Visual Notation for ITL 86 
4.6.2 Experiences in the Process of Design of such a Visual Notation 87 
4.6.3 Further Design Considerations . 88 
4.6.4 The Syntax . . . . . . . . . . . 94 
4.6.5 Visual Notations for Frequently used Abbreviations. 96 
4.6.6 Visual Notations for Concrete Constructs . . . . . . 97 
4.6.7 Additional Concrete Constructs for Timing constraints, Resource 
Allocation and Concurrency . . . . . . . . . . . . . . . . . . . 100 
4.6.8 Geometrical Guidelines on Constructing VisITL Specifications. 104 
4.7 Summary on the Choice of Visual Notation 
4.8 Collection of Visual Constructs Introduced. 




4.9.1 Some Abstract Examples . . 111 
4.9.2 An Example of An Automobile Cruise Control System . 113 
4.10 Chapter Summary ..... . · 116 
5 A Visual Framework for VisITL 117 
5.1 The Visual Framework . . . · 117 
vi 
CONTENTS 
5.2 Refinement .. . . . . . . . . . . . 
5.2.1 An Overview of Refinement 
5.2.2 Refinement in ITL ... 
5.2.3 Visual Refinement Rules 
5.2.4 Some Examples using Visual Refinement Rules. 
5.3 Abstraction . . . . . 
5.3.1 Introduction. 
5.3.2 Abstraction Rules. 
5.3.3 Visual Abstraction Rules 
5.4 Summary ..... 
6 Case Studies in VisITL 
6.1 A Robot Control System 
6.2 Comments on the Two Approaches . 
6.3 A Mine Pump Control System . . 
6.4 Comments on Visual Abstraction . 
6.5 Summary . 
7 Implementation 
7.1 The Visual Tool . . . . . . . . . . . . . . . 
7.1.1 Block Diagram of the VisITL Tool . 
7.1.2 Features of the VisITL Tool .. . . 
7.1.3 Some Core Procedures of the VisITL Tool. 
7.2 Lessons Learnt and Problems Encountered . 
7.3 Future Work .... 






























8.2 Review of Work Done and Comparisons to Related Work . . . . . 196 
vii 
CONTENTS CONTENTS 
8.3 A Final Note on the Visual Notation and the Visual Framework . . 198 
8.4 Further Work . 198 
8.5 Conclusions. . 199 
References 200 
A Temporal Agent Model 214 
A.I Computational Model . 
B Core Tel· Tk procedures for the VisITL tool 
8.1 Core Drawing Procedures for VisITL Constructs. 
B.2 Procedures for Conversion to Textual ITL 







List of Figures 
2.1 A Simple Form of the Waterfall Model . 5 
2.2 The Prototyping Model . . . . . . 6 
2.3 The Iterative Enhancement Model 6 
2.4 The Spiral Model . 7 
2.5 The V Diagram . . 8 
3.1 Iconic Public Signs 29 
3.2 Flowchart ..... 35 
3.3 An Example State Transition Diagram for an Automaton 36 
3.4 Statecharts Specification showing AND-composition of Train and Gate 37 
3.5 An Example of Resolving Non-determinism in Stateflow 41 
3.6 Example Petri Net . 42 
3.7 GIL Specifications 45 
3.8 AZSchema .... 49 
3.9 The Scope of UML 50 
4.1 Syntax of ITL . . . ................ 55 
4.2 Transformation of the Formula by the Interpreter 78 
4.3 First Visual Notation for ITL Expressions 87 
4.4 First Visual Notation for ITL Formulae. . 88 
4.5 First Visual Notations for some Frequently used ITL Abbreviations . 89 
4.6 Various Ways of Representing "int i" .. 89 
4.7 The New Format for the Formula . 91 
ix 
LIST OF FIGURES 
4.8 Examples of Terms in the Visual Logic of [130] 
4.9 Negation of a Formula 
4.10 The Chop .. 
4.11 The Chopstar 





4.12 Final version ofthe Visual Notation for Primitive ITL Formulae 95 
4.13 Sometime 96 
4.14 Always 96 
4.15 Or . . . 97 
4.16 Implication 97 
4.17 Summary of the Visual Notation for Some Abbreviations 98 
4.18 While . 98 
4.19 While2. 99 
4.20 While3. 99 
4.21 If Then Concrete Statements . 100 
4.22 Denoting Zoom . . . . . . . . 100 
4.23 Channel Communication Constructs . 101 
4.24 Channel Communication Constructs with Icons in Labels . 102 
4.25 Shunt Communication Constructs . 103 
4.26 Delay and Timeout Constructs . . 104 
4.27 Resource Allocation Constructs . 104 
4.28 Primitive Visual ITL Formulae . . 107 
4.29 Frequently used Visual Abbreviations . 108 
4.30 The Concrete Visual Construct for While . 108 
4.31 The Concrere Visual Constructs for If Then, If Then Else . 109 
4.32 The Visual Channel Communication Constructs . 109 
4.33 The Visual Shunt Communication Constructs . 110 
4.34 The Concrete delay and timeout Constructs . . 110 
4.35 The Concrete Resource Allocation Constructs . III 
4.36 Simple Examples . . . . . .. ., . . . . . 111 
x 
LIST OF FIGURES 
4.37 Simple Examples with Different Formula Labels 
4.38 Simple Examples using Parallel Composition 
4.39 Simple Example using Chop 
4.40 Constraint3 
4.41 Initial State 
4.42 Liveness I 
4.43 Liveness2 
4.44 RealI .. 









5.1 The Development Process in a Visual Framework using VisITL . . 118 
5.2 Visual refinement . . . . . . . . . . 120 
5.3 General Visual Refinement Rule 1 
5.4 General Visual Refinement Rule 2 
5.5 General Visual Refinement Rule 3 
5.6 General Visual Refinement Rule 4 
5.7 General Visual Refinement Rule 5 
5.8 Concrete Visual Refinement Rule 1 . 
5.9 Concrete Visual Refinement Rule 2 . 
5.10 Concrete Visual Refinement Rule 3 . 
5.11 Concrete Visual Refinement Rule 4 . 
5.12 Concrete Visual Refinement Rule 5 . 
5.13 Concrete Visual Refinement Rule 6 . 
5.14 Usage ofthe Transitivity Rule ... 
5.15 Usage ofthe General Visual Refinement Rule 2 
5.16 Usage ofthe Assignment Rule . . . . . . ... 
5.17 Visual Primitive Abstraction Rule 1 : Assignment 
5.18 Visual Primitive Abstraction Rule 2: Input Statement. 
5.19 Visual Primitive Abstraction Rule 3: Output Statement 




















LIST OF FIGURES 
5.21 Visual Primitive Abstraction Rule 5 : Delay ... 
5.22 Visual Primitive Abstraction Rule 6 : Sequential . 
LIST OF FIGURES 
· 137 
· 137 
5.23 Soundness Criteria for Visual Primitive Abstraction Rule 6 . 138 
5.24 Visual Compound Abstraction Rule I : Sequential Composition . 138 
5.25 Visual Compound Abstraction Rule 3 : Iteration Statement . 139 
5.26 Visual Compound Abstraction Rule 3 : Parallel . . . . . . . 140 
6.1 A Schematic of the Robot Control System . . . 
6.2 VislTL specification of the Robot Control System . 
6.3 VislTL specification of the Motor Control System . 





6.5 VisITL MCS specification after Applying the While-2 Refinement Rule 145 
6.6 The If-l Refinement Rule. . . . . . . . . . . . . . . . . . . . . .. . 146 
6.7 VislTL MCS specification after Applying the If-I Refinement Rule. . 146 
6.8 Refinement of i-act due to our Design Decision . . . . . . . . . 147 
6.9 VisITL MCS specification after Applying the Design Decision . 147 
6.10 Visual Refinement Rule - General Design Decision 1 . . . . . 147 
6.11 VislTL MCS specification for an Execution Time oft Steps. . 148 
6.12 A Graphical Depiction for Computing the Sum of Sensor Contributions 150 
6.13 VisITL Specification for the Infra-red Control System . . 151 
6.14 VisITL ICS Specification after Applying Vis-while2. . . 151 
6.15 VisITL ICS Specification for an Execution Time of t Steps . 152 
6.16 The VisITL ICS Specification with Zoom-in for infra-red active . 153 
6.17 The Zoomed-in infra-red active for Execution Time oft . . . . . . 153 
6.18 Final Refined ICS for the Special Case of Unit Execution Time . . 154 
6.19 VislTL Operator Control System Specification. . . . 155 
6.20 VisITL OCS Specification after Applying Vis-varl . 155 
6.21 VisITL OCS Specification after Applying Vis-while2 . 156 
6.22 VisITL OCS Specification after Introducing the Assignment Statements 156 
xii 
LIST OF FIGURES LIST OF FIGURES 
6.50 The Composed set-pump Specification after Abstracting Assignments · 176 
7.1 A Block Diagram of the VisITL Tool . · 180 
7.2 The Visualisation Tool for ITL . . . . · 181 
7.3 The Visualisation Tool VisITL-Funcs Menu · 182 
7.4 The Dependencies of some Drawing Procedures . · 183 
7.5 The Procedures for Converting to Textual ITL · 184 
7.6 U sing Chop in Several Forms . . . . . . . . . · 185 
7.7 The Dependencies of Some Procedures for Refinement · 186 
8.1 Summary of the Visual Notation for Primitive ITL Formulae · 192 
8.2 Summary of the Visual Notation for Some Abbreviations · 193 
8.3 Visual Refinement. . . . . . . . . . . . . . . . . . . . . · 195 
xiv 
List of Tables 
4.1 Frequently used Non-temporal Abbreviations 57 
4.2 Frequently used Temporal Abbreviations . 57 
4.3 Frequently used Concrete Abbreviations . 58 
4.4 Frequently used Abbreviations related to Expressions 58 
4.5 Example for Existential Quantification . 61 
4.6 Values of I and J in 3 Different States 64 
4.7 Propositional Axioms and Rules for ITL. . 65 




In the beginning of the year 2002, more than 75 different formal methods were listed 
on the formal methods repository at the WWW virtual library on formal methods [53]. 
These formal methods are in different stages of development. While many have little or 
no tool support, some have good tool support and industrial users. Formal methods are 
evolving at a rapid pace and making inroads into industry. A major issue in technology 
transfer to industry from research laboratories involves tool support. The tool support 
not only has to be adequate but also appropriate. In other words, the tools have to 
support a wide variety of users. They should cater not only for undergraduate users in 
education but also to users in real projects. While formal methods continue to grow in 
popularity, a number of misconceptions regarding formal methods continue to grow in 
tandem [20]. The tools built should collectively overcome these misconceptions. Lean 
Formal Methods as mentioned for the first time in [26] suggest a way forward. 
Scope 
The work broadly aims to contribute towards making formal methods more acceptable 
and convenient to a wide spectrum of users. It aims to integrate formal specifications 
into the system development process without burdening the users with many formal 
notations and the need to work with them manUally. Example specifications are devel-
1 
Chapter 1 1.0 Overview 
oped to show how this can be achieved in practice. Implementation challenges to be 
tackled are identified and future work directions are suggested. 
Original Contribution 
In brief, there are various existing software development process models according to 
which software can be developed. These may involve formal methods and/or system-
atic methods to varying extents. So far, most methods incorporate only systematic 
methods and therefore lack formal mathematical underpinnings. The development of 
real-time safety-critical systems necessitates more formal approaches. Our research 
work involves a lean, formal approach where the accessibility of a formal method is 
tackled through visualisation approaches. 
A formal method like Interval Temporal Logic (ITL) uses a lot of symbols. A user 
who has a lot of interest in Formal Methods (FMs) will not mind this and gets used to 
this pretty fast. However, users involved in other software development activities will 
not find a formal specification easy to read or understand let alone develop their own 
specifications. As a result, a simple graphical notation (called VisITL) was invented 
to enable the creation of more readable specifications. The design rationale for such a 
visual notation is highlighted. A development method involving visual refinement as 
well as abstraction is proposed. Case studies are given to illustrate the use of VisITL in 
a visual development framework. 
Thesis Outline 
Chapter 2 explores process models and strategies in software development and intro-
duces various formal approaches for the development of real-time, safety-critical sys-
tems. It also explains the rationale for the choice of Interval Temporal Logic (ITL) as 
the formalism for our work. 
Chapter 3 provides an insight into how visualisation helps in various domains in foster-
2 
Chapter 1 1.0 Overview 
ing increased accessibility of information, languages and technology through various 
means including better communication and ease of use. 
Chapter 4 first introduces Interval Temporal Logic (lTL) in detail and highlights some 
of the difficulties that have to be tackled to increase its uptake by a wider spectrum of 
users. Then, it details possible approaches to visualisation for ITL and introduces a 
visual notation for ITL called VisITL. The design rationale for such a visual notation is 
explained. Example specifications are given in the visual notation. 
Chapter 5 introduces a development technique based on ITL and integrates it with Vis-
ITL by providing a visual framework for refining and abstracting VisITL specifications. 
Chapter 6 involves case studies demonstrating the use of the visual framework. 
Chapter 7 gives details of the VisITL tool. 
Chapter 8 gives conclusions outlining further work in this area. 
3 
Chapter 2 
Formal Software Development 
Techniques 
The objectives of this chapter are to explore process models and strategies in software 
development, introduce formal approaches for the development of critical systems and 
state the rationale for the choice of Interval Temporal Logic (ITL) as the basis for my 
work. 
2.1 Software Development - Process Models and Strategies 
2.1.1 Software Development Process Model 
The goal of any development effort is to produce a product. A development process 
is a set of activities, together with an ordering relationship between activities, which, 
if performed in a manner that satisfies this ordering, will produce the desired product. 
A process model is an abstract representation of a development process. The goal in a 
software development effort is to produce high "quality" software. The software devel-
opment process is, therefore, the sequence of activities that will produce high quality 
software. The basic activities in a software development process include requirements 
analysis, specification, design, coding and testing which are further broken down into 
distinct activities. 
4 
Ph.D. Thesis 2.1 Software Development - Process Models and Strategies 
The following discusses some of the process models [129] : 
• Waterfall model 
The oldest and widely used process model is the wateifall model which states 
that the phases are organised in a linear order. A simple form of the waterfall 








Figure 2.1: A Simple Form of the Waterfall Model 
Testing 
A limitation of the waterfall model is that it assumes that the requirements of the 
system can be frozen before the rest of the process begins. 
• Prototyping based model 
In this model, instead of freezing the requirements before the other phases, a 
throwaway prototype is built to help understand the requirements. The client can 
get an "actual feel" of the system since the interactions with the prototype can 
enable the client to better understand the requirements of the desired system. 
5 
Ph.D. Thesis 2.1 Software Development - Process Models and Strategies 
Requirements Analysis 
Design 
Design Code Test 
Code 
Test 
Figure 2.2: The Prototyping Model 
The prototyping model is illustrated in Figure 2.2. 
The cost involved in this build-it-twice approach is usually a major disadvantage. 
• Iterative enhancement model 
The iterative enhancement model tries to combine the benefits of both the pro-
totyping and the waterfall model. The basic idea is that the software should be 
developed in increments, each increment adding some functional capability to 
the system. An advantage of this approach is that it can result in better testing as 
testing each increment is likely to be easier. Also, the increments provide feed-
back to the client and hence, it helps in determining the final requirements of the 
system. 
The iterative enhancement model is illustrated in Figure 2.3. 
Design-O Design-! Design-n 
Implement-O Implement-! Implement-n 
Analysis-O Analysis-! Analysis-n 
Figure 2.3: The Iterative Enhancement Model 
• Spiral model 
6 
Ph.D. Thesis 2.1 Software Development - Process Models and Strategies 
Review 
This is a model proposed by Boehm [17] where the activities are organised like 
a spiral. The spiral has many cycles. The radial dimension represents the cu-
mulative cost incurred in accomplishing the steps done so far, and the angular 
dimension represents the progress made in completing each cycle of the spiral. 
The model is shown in Figure 2.4. 
Determine objectiVes, 
.hern.liv .... eonstraiDts 
Commhment 
P.rtltlon 
Plan next pb_ 
Cumulalive coot 
PrOlP'''' throuKb step. 
Develop, verify 
next·level product 
Figure 2.4: The Spiral Model 
• The transform model 
This is another model that Boehm has identified as being significant. It is based 
upon the automatic conversion of a software specification into a program that 
satisfies the specification. Little practical progress has been made in this area. 
Limited versions of this model offer more scope for real progress [54] . 
• V-diagram 
7 
Ph.D. Thesis 2.1 Software Development - Process Models and Strategies 
The V-diagram [36] is a life-cycle model for software development that empha-
sises the relationship between the design, integration and testing processes. One 
such V-diagram is shown in Figure 2.5. 













Figure 2.5: The V Diagram 
In the V-diagram, the level of detail increases down the page. The left leg of the 
"V" shows the design and building of the system. The right leg shows the cross-
checking and integration of the system. The diagram particularly emphasises 
the relationship between the phase of integration and the phase of design which 
provides the source of information for cross-checking. This is shown by the 
dotted lines. 
A key issue for most systems, especially safety-critical systems, is the approach 
taken to demonstrate that the system will operate when it is delivered. The V-
diagram approach divides the responsibilities for correctness into the two follow-
ing forms: 
- The progressive demonstration of consistency of the deliverables on the left 
leg of the "V", known as verification. Methods such as prototyping, proof 
of properties and reviewing are used here. 
- Cross-checking during the integration phases of development, on the right-
leg of the "V", establish that the delivered system meets the requirements 
8 
Ph.D. Thesis 2.1 Software Development· Process Models and Strategies 
established at the corresponding phase on the left leg of the "V". Methods 
such as testing are used here. 
2.1.2 Software Development Strategy 
We will use the term "Software Development Strategy" to mean an elaborate and sys-
tematic plan of the activities involved in the software development process. This strat-
egy mayor may not involve formal methods. 
We classify strategies for development as follows: 
• Structured method strategy 
This is a strategy for development involving systematic methods for the analysis 
and design of complex systems. These methods can be contrasted with more ad 
hoc approaches, which are largely based on the designer's experience and intu-
ition. There are many types of structured analysis. Most of these are semiformal, 
operational notations closely related to data flow diagrams (DFDs), a graphical 
notation used to describe the structure of an information system. 
The systematic software design methods make use of graphical representation 
forms, supported by varying degrees of structured text and free text. One problem 
with most of these notations is that they generally lack any rigorous syntactic and 
semantic foundations, and so it is difficult to reason about them in any 'formal 
manner'. Jackson's Structure Diagrams [36, 85], which are used to show both 
program and data structures, have a well-defined syntax but only some semantic 
content while Statecharts and Petrinets are more rigorous. 
The problem with this lack of firm-syntax and well-defined semantics for many 
of the diagrammatical notations used in systematic design practices is that no 
design verification is possible. So, it will become virtually impossible to make 
a comparison between the eventual design and the initial requirement. Hence a 
development strategy incorporating formal methods offers advantages. 
9 
Ph.D. Thesis 2.1 Software Development - Process Models and Strategies 
• Formal method strategy 
This is a development strategy incorporating a set of techniques and tools based 
on mathematical models that are used to specify and verify requirements and de-
signs for computer systems and software [120, 53, 95]. Such mathematical tech-
niques and tools constitute Formal Methods. They employ formal specification 
languages based on mathematical structures. The use of such formal languages 
permits the application of mathematical techniques in reasoning about a design 
and its properties. 
Although a number of formal methods are well developed, their industrial use 
has been limited so far but is undoubtedly growing. Some of the reasons for the 
slow adoption of formal methods are the conservative approach of many project 
managers, the reluctance of customers to accept 'unfamiliar' techniques and no-
tations, the need for familiarity with logic and discrete mathematics and the lack 
of adequate tool support. 
• Lean formal method strategy 
This is a development strategy where formal methods are involved in such a way 
that it accommodates a wide spectrum of users. Hence, Lean Formal Meth-
ods are Formal Methods which are more accommodative to a wider spectrum 
of users. The strategy aims to make users conveniently use and/or understand 
formal methods as explained below. Central to this strategy is the provision of 
means to more comprehensible and user-friendly formal specifications and an 
associated development technique within a single framework encompassing re-
finement}, abstraction2 and animation of specifications3. It is important to note 
that the lean approach does not compromise on fonnality ; it maintains the pre-
ciseness involved in a formal approach but incorporates new techniques to bring 
1 see chapter 5 
2see chapter 5 
3see section 4.3 
10 
Ph.D. Thesis 2.2 Specification 
the formal approach closer to the user. Such lean techniques could involve au-
tomation to perform several analyses on specifications, like proving desired prop-
erties, the use of visual languages and so on, to enable better accessibility. This 
approach is in contrast to approaches where researchers try to give a formal se-
mantics to a visual modelling framework like STATEMATE [69], Stateftow [11] 
or the Unified Process involving UML [33]. 
2.2 Specification 
System specification is the most crucial activity in software projects. Quite often, mas-
sive overruns in budget and project duration are due to errors in describing the required 
system behaviour [82]. Understandably therefore, this activity, amongst all the ac-
tivities in a software project, has been receiving the most attention over the last two 
decades. 
Developing a complex software product requires the developer to carry out sev-
eral software activities including system specification, system design and programming 
apart from testing and verification activities. System specification is the process of de-
scribing what a system is supposed to do. In order to develop the system specification, 
the developer is provided by the user with an informal statement of requirements. 
System design is the process of using the software specification and developing an 
architecture expressed in terms of their modules and their interfaces. The objective in 
system design is to develop a description of how the system should operate rather than 
describe what is required. We can note here, again, that describing what behaviour 
is required to be exhibited by the system is the objective of the system specification. 
Programming is the process of translating a system design into program code. 
A number of reasons make the task of specifying a system difficult [82]. Firstly, 
the informal statement of requirements given to the developer suffers from a number 
of deficiencies. In general, such statements are contradictory; incomplete; ambiguous; 
sometimes over-ambitious; and sometimes under-ambitious. They contain descriptions 
11 
Ph.D. Thesis 2.2 Specification 
of functionality at different levels intermixed together. Although these deficiencies are 
normally associated with the user's statement of requirements, many of them crop up 
in system specifications. The second reason for the specification task being difficult is 
the nature of the notations used to express system functionality. English has been used 
widely as a language for system specification. However, English, or any other natural 
language, is an excellent medium for activities such as writing poems where ambiguity 
is regarded as the norm. This property of ambiguity leads to many problems when such 
natural languages are used for specifying systems. The seemingly innocuous sentences 
in such descriptions in natural language could be interpreted by the system designer in a 
manner completely different from that which the customer intended. Another problem 
with system specification is the size of the documentation generated. The specifica-
tion of a simple stock control system for a retailer can occupy hundreds of pages of 
text, while the specification of a conventional engineered product, say a bridge, might 
occupy only two or three pages of text. 
Until the late sixties, developers produced programs as though the process was more 
of an art than science and engineering. The early specifications were expressed in En-
glish and, although this was an improvement over not writing down system function-
ality at all, it lead to the problems described above. Graphical notations for system 
specification, after a slow start, have now picked up in software projects. Notations 
associated with structured development methods such as Yourdon Structured Design 
[152], SSADM [43,5] etc. have gained widespread popularity for large-scale software 
development. At the most extreme end of the spectrum of specification notation is 
mathematics. It represents a radical change from current approaches. Mathematics has 
had a mixed impact on software projects, and has the longest history as a specification 
notation. In 1948, the English computer scientist Alan Turing used logic, the mathe-
matics of true and false statements, to define the action of an assembler subroutine [82]. 
In the late 1960s, a large amount of research was carried out into program proving, in-
stigated by the English computer scientist Tony Hoare [82, 80] and the Dutch researcher 
Edsger Dijkstra [82, 80]. The aim in program proving is to describe the function of a 
12 
Ph.D. Thesis 2.2 Specification 
piece of program code using mathematics. The aim was to write the program and then 
prove - without testing - that the program meets its mathematical specification. In the 
1960s, testing was a more difficult process than it is now4 as there were virtually no 
debuggers, no dynamic analysis tools, and no facilities to store and rerun tests. Conse-
quently, any alternative to testing - particularly one that required no testing effort at all 
- was treated very seriously. Unfortunately, a number of problems were discovered in 
program proving. The major one was that the process of proving that a program meets 
its specification was long and tedious and, more often than not, gave rise to proofs 
which were textually very much longer than the program itself. In order to overcome 
this problem, researchers attempted to develop automatic program provers : software 
tools which processed a mathematical specification and a program, and decided, with 
little human intervention, whether the program was correct. The search for an efficient 
program prover has been unsuccessful. Although the failure of automatic program 
proving lead to a diminution of research into fonnal methods of software development, 
the early eighties saw a dramatic resuscitation for two reasons. One reason was an 
increasing dissatisfaction with development performance on medium to large software 
projects. The other was a programme called the Alvey programme [82] whose software 
engineering component was, largely, concerned with fonnal methods of software devel-
opment. What the Alvey programme indicated was a subtle shift in emphasis. Program 
proving was concerned with developing a specification and a program independently, 
and then showing that there was a match between them. The fonnal methods envisaged 
by the Alvey programme tended to concentrate on the specification first. Once a math-
ematical specification had been developed, the program would be constructed using the 
specification as a guide. The program development was carried out in small chunks, say 
a subroutine at a time, so that the complexity associated with program proving would 
be eliminated. This process, called rejinemenf, will be illustrated in chapter 5. 
4Today, testing is still difficult because effective test cases have to be designed, a lot of time has to be 
spent on testing besides managing tests more conveniently 
5'Refinement' can be thought of as the process of elaborating on what is specified abstractly towards 
a specification that is executable. 
13 
Ph.D. Thesis 2.2 Specification 
Among the formal methods of software development currently being used on real 
projects are VDM (Vienna Development Method) [16] and Z [83]. The developer who 
uses VDM first identifies the objects and operations that occur in the application to 
be computerised. For example, in an air traffic control system typical objects would 
be planes and radars. Typical operations would be the creation of an aircraft when 
it came within radar range, the deletion of an aircraft when it landed and the reading 
of a radar signal from a particular radar installation. Once the objects and operations 
are identified, they are specified. Specification in VDM consists of defining the objects 
using a branch of mathematics called set theory which deals with collections of objects. 
Once the objects have been defined, the effect of operations is clarified. The effect is 
specified by means of a pre-condition and a post-condition. The former describes what 
must be true before an operation is executed ; the latter describes what must be true 
after an operation has been executed. Both these conditions are expressed using first 
order logic, to deal with the truth and falseness of statements. 
Another popular formal method is Z. Currently Z is just a specification notation 
rather than a development method. It is semi-graphical in that it consists of mathemat-
ics enclosed in boxes known as schemas. Each box describes some stored data and the 
effect of operations on that stored data. Its advantage, compared with VDM, is that it 
provides a much more modular description of a system. This enables staff concerned 
with design, and with requirements analysis, to enable only those parts of the specifi-
cation with which they were concerned. The disadvantage of Z, as compared to YDM, 
is that it lags behind in terms of facilities for transforming the notation into program 
code. 
There are a number of reasons for the resistance encountered to the attempts of 
formal methods to gain a widespread usage. Despite their need, especially for safety-
critical systems, there does not exist an integrated suite of software tools and tech-
niques, formal or non-formal, that can be used during the various stages of system 
development. There is a growing need for systems that are provably correct, especially 
if the systems are real-time and safety-critical, and for such systems, the development 
14 
Ph.D. Thesis 2.3 Real-Time Safety-Critical Systems (RT-SC) Systems 
of an integrated suite of tools and techniques together with an associated strategy is 
essential. 
2.3 Real-Time Safety-Critical Systems (RT-SC) Systems 
A Real-Time System is defined as a system which is capable of reacting to external 
events as they happen [101, 91]. Therefore, the computations of a real-time system 
not only depends upon the logical correctness of the computation but also upon the 
time at which the result is produced. Therefore, if the timing constraints of the system 
are not met, system failure is said to have occurred. Common examples of real-time 
systems include flight control programs, air traffic control systems, control systems for 
power plants, patient monitoring systems, weapons systems, and military command 
and control systems. To be acceptable, such systems must not only be functionally 
correct but also be temporally correct. Before we develop any program/system, we 
would have to start with a description of its intended behaviouli. Such a description of 
the program/system is nothing but a 'specification' as described already and we noted 
that a natural language like English, though convenient, is very imprecise. Therefore, 
logic, which can lead to an unambiguous description of the requirements, becomes 
most suitable. In order to specify systems with timing constraints, a logic which has 
temporal constructs is the most suitable one. Such a logic is called 'temporal logic'. 
Among other methods to specify and reason about real-time systems are state machine 
models and models that extend process algebra. Most logics designed to reason about 
real-time systems are either first-order logics or temporal logics. 
A system is safety-critical if the occurrence of unintended events could result in 
death, injury, illness, or damage to, or loss of, property. To avoid entering an unsafe 
state, a safety-critical system must often perform a given action by a specified deadline. 
Most (if not all) safety-critical systems are also real-time systems. For example, an air 
6The 'behaviour' of a system is the development of states and state transitions generated by actions 
of the system during the time interval in which it is studied. 
15 
Ph.D. Thesis 2.4 Specification Methods for Real-Time Safety-Critical Systems 
traffic control system is a real-time system with many stringent timing requirements 
and since the failure of such a system to act in time can have disastrous consequences, 
it is a safety-critical system also. Such systems are often complex with behaviours that 
depend on inter-relationships among the timing of the events of the system. Often, 
testing of such systems is inadequate as the sole means for ensuring their correctness. 
2.4 Specification Methods for Real-Time Safety-Critical Systems 
This section introduces specification methods for real-time, safety-critical systems. 
2.4.1 A Note on Different Levels of Formality 
Many methods have both formal and informal components. Therefore, it is quite com-
mon to talk about semiformal methods, that is, methods that are only partially defined 
in a precise, mathematical way. Some aspects of the method are left undefined; under-
standing these aspects requires intuition and common sense. In many cases, semiformal 
methods define the syntax of a given notation rigorously but leave the notation's seman-
tics undefined. 
2.4.2 Models Based on Logic 
Some historical perspective on logics 
Early work on logic-based program verification includes work by R.W.floyd [50] 
in 1967 and C.A.R.Hoare [77] in 1969. General surveys on the role of temporal logic in 
computer science include Pnueli [126], Goldblatt [60] and Emerson [44]. A temporal-
like calculus for the specification and reasoning about concurrent programs was first 
proposed by Pnueli [127], and a temporal semantics for reactive programs was also 
proposed by Pnueli [128]. Some of the earlier applications of temporal logic for the 
specification and verification of concurrent programs are reported by Hailpem [65], 
Hailpem and Owicki [66], Owicki and Lamport [123], and Lamport [99]. More details 
and references can be found in [107]. 
16 
Ph.D. Thesis 2.4 Specification Methods for Real-Time Safety-Critical Systems 
Using logic, one can describe and reason about the behaviour of a system without 
building the system first. Such reasoning could be based on correctness proofs and/or 
aided by prototyping if the logic specification is executable. 
The most widely known logic is first-order logic. For specifying a power production 
plant, in a first order theory, the plant and its properties can be described as follows. 
Variables such as Temp for temperature, Pres for pressure and PowerRequested for the 
amount of power requested are used to express all relevant system quantities. The 
variable t is used to represent the critical system component of time. Predicates are 
used to specify system properties and constraints. For example, the following predicate 
PowerProduced::; PowerRequested states that the power produced cannot exceed the 
requested power. The predicate can be rewritten to show the time dependence of the 
variables as : 
V(t)PowerProduced(t) ::; PowerRequested(t) 
In the power production plant example mentioned above, if we require a signal 
ModerateDanger to be raised when the temperature and pressure have been continu-
ously above the limits TTTUJX and PTTUJX respectively for 0 time units, then we can use the 
following: 
VtlT/t', t - D ::; t' < t : Pres(t') > PTTUJX 1\ Temp(t') > TTTUJX -+ ModerateDanger(t)]. 
Using such formulas, we can describe the required behaviour of the power plant 
completely. For example, requirements such as the following can be specified: 
• The system must be shut down within h time units after the HighDanger alarm 
sounds. 
• The amount of coolant injected into the plant is proportional to the product of 
the difference between the actual temperature and the ideal temperature times the 
difference between the actual pressure and ideal pressure. However, if there is no 
more coolant in the tank, the HighDanger alarm sounds immediately. 
The logic notation, unlike the SAIRT notation, can describe the above requirements 
and similar functional, control, or timing requirements completely and precisely. 
17 
Ph.D. Thesis 2.4 Specification Methods for Real-Time Safety-Critical Systems 
The logical approach can be used to formalise basic system properties as axioms, 
i.e., fundamental facts that by assumption are guaranteed, and to derive additional prop-
erties as theorems, consequences that follow from the basic assumptions. As an exam-
ple, suppose the following two axioms are assumed: 
1. Once the plant is turned off, temperature and pressure decrease with time accord-
ing to some given mathematical function. 
2. As soon as temperature and pressure are again within safety limits, the plant is 
immediately restarted. 
Using these axioms, we can prove as a theorem that the plant will never be off for 
more than some maximum time. 
Since first-order logic is a basic mathematical formalism, it is not well suited for 
describing real-world complexities. Thus, in practical systems, logic is most useful 
for proving critical system properties rather than proving properties about the whole 
system. Another complication in the practical application of first-order logic is that 
sufficiently general theories are undecidable; that is, no algorithm exists that can deter-
mine whether a given property can be proven as a theorem. 
Although time, in principle, can be incorporated into a logic in the same way as 
other system variables, many researchers advocate a special role for time and have 
introduced new logics for reasoning about time. Some are first-order logics whereas 
others are temporal logics. A detailed discussion of one such temporal logic called ITL 
will follow in chapter 4. 
Some examples of first-order logics designed for reasoning about real-time are 
Real-Time Logic or RTL [88], TRIO [57] and ASTRAL [35]. A special feature of 
TRIO is that a special interpreter makes specifications in TRIO executable. ASTRAL, 
another logic-based language, combines the timing features of TRIO with the structur-
ing mechanisms of ASLAN [6], an earlier language for describing non-real-time sys-
tems. ASTRAL specifications describe a system in a fairly operational style by defining 
18 
Ph.D. Thesis 2.4 Specification Methods for Real-Time Safety-Critical Systems 
its states and state transitions. Proof obligations are built to drive the formal analysis of 
the specification in a deductive style. The system specifications are treated as a set of 
axioms, from which the system properties are derived as theorems. Though presently 
no tools are available to support ASTRAL proofs, in principle, semiautomatic tools that 
generate proof obligations from a given specification could support formal analysis in 
a manner similar to that previously demonstrated for ASLAN. 
Most real-time logics describe systems in terms of events, points in time when 
something significant happens. In contrast, a few others called interval logics, focus 
on conditions (e.g., states) that hold for some nonzero time interval. Allen describes a 
classical example of an interval logic. The Duration Calculus [153, 154], a real-time 
formalism, is a special case of interval logic. Section 2.6 explains the rationale behind 
the choice of Interval Temporal Logic for this work. 
2.4.3 State Machine Models 
A state machine is a mathematical model of a system with input and output. A finite 
state machine (FSM) is a state machine with a finite number of states only. Formally, a 
finite automaton can be defined as a five tuple (Q, 1:,0, A, qo, F) where 
Q is a finite set of states, 
1: is the input alphabet, 
qo E Q is the initial state, 
F ~ Q is the set of final states 
o : Q x 1: ~ Q is the transition function. 
Section 3.1.6 gives additional information on the state machine. 
Timed Automaton Model 
This model [106. 110] is based on dense time. It allows infinitely many states unlike 
the classical state machine model which has a finite number of states. The model de-
scribes a system as a collection of automata (Le., state machines) interacting by means 
of common actions. Important actions in the model are input and output actions, both 
19 
Ph.D. Thesis 2.4 Specification Methods for Real-Time Safety-Critical Systems 
of which are visible outside the system. Time is added to the model through a special 
time passage action. 
The state transitions are described by specifying the "preconditions" under which 
each action can occur and the "effect" of each action. 
To add time to the model, time bounds are associated with each action. With this 
technique, variables as well as constraints may be used to represent timing information. 
Representing time with variables allows constraints on variables to be derived later on 
from other information in the specifications. 
The timed automaton model overcomes the limitations of the classical state machine 
as time is built into the state. Also, general logic formulas may be used to specify 
transitions. 
To solve a problem using the timed automaton model, two system descriptions are 
developed, one specifying the problem, the other the solution. Proofs are constructed to 
show a "simulation mapping" between the two descriptions. If every behaviour of one 
description is a behaviour of the other, then the simulation mapping between the two 
descriptions holds. The two specifications are equivalent if the two sets of behaviours 
are equal. 
Esterel family 
Esterel is the most widely known member of a family of languages that uses the 
state machine model to describe real-time systems. The Esterel family is based on 
the synchrony hypothesis, which states that each system's response to a set of inputs 
is instantaneous. At the practical level, this means that the system must complete all 
computations before the next input from the environment arrives. The website [46] is a 
good reference for obtaining the compiler, related tools and additional information. 
The Esterel family places emphasis on the later phases of the software life cycle 
unlike many other real-time formalisms. Compilers are available which automatically 
produce running code from specifications written in the language of some family mem-
ber. 
Esterel and other members of the family have been applied to many industrial 
20 
Ph.D. Thesis 2.5 Analysis Techniques for Real-Time Safety-Critical Systems 
projects, mainly in the fields of nuclear safety and avionics. 
A comprehensive description of the synchronous approach and the Esterel family 
oflanguages is given in references [14,67]. 
2.4.4 Process Algebras 
CCS [78], CSP [111], and ACP [13] are process algebras originally developed to spec-
ify and analyse concurrent systems without the notion of time. A process algebra has 
a concise language, a precisely defined semantics, a notion of equivalence or preorder, 
and a set of algebraic laws allowing syntactic manipulation. The language is based on 
a small set of operators and a few syntactic rules for constructing a complex process 
from simpler processes. The semantics describe the possible execution steps a process 
can take. Two processes are equivalent when they have the same behaviour, that is, 
when every execution step of one process is also an execution step of the other process 
and vice versa. A preorder between two processes exists when the behaviour of one 
process is a subset of the behaviour of another. To verify a system using a process 
algebra, one writes a specification as an abstract process and an implementation as a 
detailed process. To prove correctness, the two processes are shown to be equivalent or 
a preorder between the processes is shown. The proof of correctness is accomplished 
by syntactically manipulating the algebraic laws. 
A number of timed algebras have been proposed recently. These include ACSR 
[22, 100], which adds time to CCS ; Timed CSP [132], a timed version ofCSP ; Timed 
LOTOS [18], a timed version of the ISO standard LOTOS, which is also based on CSP 
and has already been applied to several industrial projects ; and a timed version of ACP. 
2.5 Analysis Techniques for Real-Time Safety-Critical Systems 
Simulation, model-theoretic and proof-theoretic reasoning are major classes of tech-
niques developed for formally reasoning about real-time systems. 
21 
Ph.D. Thesis 2.5 Analysis Techniques for Real-Time Safety-Critical Systems 
2.5.1 SimuiatinglExecuting Specifications 
Many formal methods researchers underestimate the value of simulation in exposing 
defects in specifications. Using simulation, the user can ensure that the behaviour 
specified satisfies hislher intent. Unlike consistency checking, model checking, and 
mechanical theorem proving, which formally check the specification for properties of 
interest, simulation provides a means of validating a specification. In [72], Heitmeyer, 
c., mentions that a powerful, customisable simulation capability is very much neces-
sary in the formal development process. In running scenarios through the simulator, the 
user can also use the simulator to check properties of interest. Another use of simula-
tion is in conjunction with model checking; counter-examples obtained from a model 
checker can be fed to a simulator to demonstrate and validate them. 
2.5.2 Model-theoretic Reasoning 
A number of algorithms have been developed in recent years to verify properties of sys-
tems modelled as state machines. One class of algorithms, called model checkers, were 
invented by Clarke and Emerson in 1981 [34, 80] to verify properties of untimed speci-
fications. These algorithms take a finite state machine model of a system and a temporal 
logic formula and determine if the formula is true of the model. While design errors in 
practical systems have been detected using model-theoretic reasoning, the errors were 
in untimed specifications. The application of these techniques to timed specifications 
is a significant area of current research. Scale is a problem in the verification of spec-
ifications of real-time systems as the addition of time to system specification produces 
a model which is usually too large to analyse. 
For example, the Modechart verifier [89] is designed to analyse real-time specifica-
tions using model-based techniques. This tool builds a computation graph to represent 
all possible states that a system can enter. Various approaches are used to prune un-
reachable nodes in the graph and to combine duplicate nodes. If the number of states 
and the timing constants in the model become very large, the computation graph be-
22 
Ph.D. Thesis 2.5 Analysis Techniques for Real-Time Safety-Critical Systems 
comes too large to build and analyse. Therefore, the Modechart verifier and similar 
tools can only verify small real-time models. 
Techniques to handle dense time also exist. One promising approach uses approxi-
mations to avoid dealing with timing information in a specification until it is needed. 
This method is more practical compared to the proof-theoretic reasoning because 
of its "push-button" nature. However, the proof-based methods can be made more 
practical by automating the process as much as possible and by providing built-in proof 
strategies. 
2.5.3 Proof-theoretic Reasoning 
In this technique, a theory about the system of interest has to be developed based on 
some logic. System properties are represented by formulas in the logic. Logical deduc-
tive techniques are applied to construct required proofs about the system. This requires 
mathematical maturity and theorem proving skills. 
Developing proofs will require a lot of effort and time. However, the deductive 
approach has some advantages over model-theoretic reasoning. First, the user will gain 
a deep understanding of the system specification and its properties while developing 
the proofs. Second, more abstract models can be handled in proof-theoretic techniques 
and hence, more general results produced. Further, deductive reasoning can be applied 
to any mathematical model unlike model checking and other similar techniques. 
A number of mechanical proof systems have been developed in recent years to 
support deductive reasoning. These include the Boyer-Moore theorem prover [21], -
EYES [98], and the Larch Prover [64], all based on first order logic, as well as HOL 
[63] and PYS [124], which are based on Higher Order Logic. Such systems can do 
some proofs automatically. Most nontrivial proofs, however, require user guidance ; 
the user must develop the overall proof strategy. Mechanical proof systems can be very 
useful in checking such hand proofs. For safety-critical systems, a proof system that 
validates each step in the formal reasoning is very important as it would lead to an 
23 
Ph.D. Thesis 2.6 On the Choice of ITL for this Work 
increase in the proof's validity as compared to a more informal proof which was not 
checked mechanically. 
2.6 On the Choice of ITL for this Work 
In the previous sections, we have explored various kinds of formalisms. This work is 
based on a logic-based formalism called Interval Temporal Logic (ITL) [84, 116]. 
ITL is a flexible notation for both propositional and first-order reasoning about peri-
ods of time found in descriptions of hardware and software systems. It can handle both 
sequential and parallel composition unlike most temporal logics. It offers powerful and 
extensible specification and proof techniques for reasoning about properties involving 
safety, liveness and projected time. Tempura provides an executable framework for 
developing and experimenting with suitable ITL specifications. Hence, this work uses 
ITL as its formalism and aims to explore approaches which may enhance its uptake by 
a wider spectrum of users. 
2.7 Drawbacks of Formal Methods 
There are many formal methods, each having their own notation and varied degree of 
learning curves. This fragmentation and lack of standards further hinders their uptake. 
This is particularly so when the current software development practices do not involve 
formal notations. Real world projects tend to be large in scale, which raises the is-
sues of scalability and communication of the chosen development technique. Formal 
methods neither support scalability nor ease of communication amongst members of a 
large team. Current work on compositional issues, which help in scalability, are still 
in their infancy. In addition, there is often a need for integrating many formalisms. 
For example, process algebraic styles of notation may be suitable for describing system 
interaction but they fail to describe the internal behaviour of a system. When many 
formalisms are involved in a development process, the user gets confronted with many 
24 
Ph.D. Thesis 2.7 Drawbacks of Formal Methods 
learning curves. 
The popularity of structured methodologies is often attributed to their associated 
graphical notation. What is required is a compositional formal method which enjoys 
both the preciseness of mathematical arguments and ease of communication associated 
with structured methodologies. 
Towards that goal, various strands of development have taken place. Integrating 
formal methods such as Z [86] with structured techniques such as SSADM [5, 23, 43] 
have been attempted but with little success. This is mainly due to lack of scalability 
and the continuing presence of formal notation. In addition, various formal notations 
have been integrated, for example CSP and Temporal Logic. This type of integration 
did not alleviate the limitation of formal methods. Instead, the developers were faced 
with learning various fonnal notations each with their own semantics domain and veri-
fication style. 
Another strand of development was directed towards executable/animatable spec-
ifications. This has met with some success as now fonnal notations look like a pro-
gramming language with which developers are more familiar. However, issues such as 
scalability, learnability and being industry-strength remain unsolved. 
It is therefore believed that a lean formal approach which combines a composi-
tional graphical notation, animation and a development process within a single fonnal 
framework will overcome some of the fundamental problems associated with the use of 
current fonnal methods. Such an approach, by integrating various activities that consti-
tute a development process in one single framework, would eliminate the burden of the 
user in terms of the "learning curve for formal methods" that he/she has to go through. 
In other words, this approach brings the fonnalism closer to the user and thereby en-
courages the user to adopt a fonnal development strategy in systems development. 
25 
Ph.D. Thesis 2.8 Summary 
2.8 Summary 
In this chapter, we first explored software development process models i.e., Water-
fall model, Prototyping based model, Iterative enhancement model, Spiral model, V-
diagram model and the Transform model. We then used the term "Software Devel-
opment Strategy" to mean an elaborate and systematic plan of the activities involved 
in the software development process and distinguished between three possibilities i.e., 
Structured method strategy, Formal method strategy and Lean formal method strategy. 
It was noted that structured methods had the advantages of being graphical in nature 
but lacked the advantages of being a formal notation. Formal methods, on the other 
hand, were very precise but had accessibility problems. A lean formal method strategy 
was defined as a strategy where the Formal Methods involved are more accommoda-
tive to a wider spectrum of users. Central to this strategy is the provision of means to 
more comprehensible and user-friendly formal specifications and an associated devel-
opment technique within a single framework encompassing refinement7, abstraction8 
and animation of specifications9 . It is important to note that the lean approach does not 
compromise on formality; it maintains the preciseness involved in a formal approach 
but incorporates new techniques to bring the formal approach closer to the user. Such 
lean techniques could involve automation to perform several analyses on specifications 
like proving desired properties, the use of visual languages and so on to enable better 
accessibility. We then looked at what a specification is and why it is a crucial step in the 
software development process. We then examined specification methods for real-time 
safety-critical systems i.e., models based on logic, state machine models and process 
algebras. Analysis techniques like executing specifications, model-theoretic and proof-
theoretic reasoning were explained. We stated the rationale for the choice of Interval 
Temporal Logic (ITL) as the formalism for this work. We also stated the drawbacks 
of formal methods, in general, and how a lean approach attempts to overcome these 
7 see chapter 5 
8 see chapter 5 
9see section 4.3 
26 
Ph.D. Thesis 2.8 Summary 
hurdles to wider accessibility. 
In the following chapter, we shall explore the nature of visualisation and its role 
in this work in the context of increasing the uptake of ITL as a formal development 




Visualisation, Visual Languages and 
their Design Rationale 
The main objective of this chapter is to see how visualisation helps in various domains 
in making information, languages and technology accessible. 
3.1 The "What and Whys" of Visualisation 
Visualisation provides a tool for achieving a clear mental image of the object under 
study. Whether it is an abstract mathematical transformation, census data or a nicely 
rendered Computer Aided Design part, graphics allows us to see the object of our in-
terest more clearly than we could by other techniques. Graphics provides tools for 
visualisation and hence understanding of objects of interest. 
Visualisation provides enhanced communication at the human/machine interface. 
The following examples illustrate the power of communication through visual images. 
3.1.1 Public Signs 
Figure 3.1 shows several iconic signs that are becoming fairly standardised in interna-
tional usage, along with their meaning in English. The signs convey information in a 
language-free mode. The eyes are instinctively drawn to the iconic symbols first and 
28 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
only later begin to browse the natural language interpretation. The iconic symbols re-
quire low-level cognitive processing. Alphanumeric symbols, however, are compound 
symbols, made up of sentences and words comprising of stJings of more elementary 
symbols (letters) that require a higher level of processing to extract their meaning. 
In summary, it can be noted that intuitive iconic signs convey information to people 
across barriers such as language, culture and levels of literacy. 






Men at work 
Figure 3.1: Iconic Public Signs 
29 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
3.1.2 Operating Systems and Programming Environments 
This provides an example of the extremes possible on the textuaUvisual spectrum. Tra-
ditional command-line languages such as MS-DOS and Unix fall at the textual end 
whereas Windows/IconslMenus/Pointer (WIMP) interfaces, exemplified by the Macin-
tosh operating system and Microsoft Windows on MS-DOS systems, fall at the visual 
end. 
A main advantage of textual operating systems is the power and flexibility they pro-
vide in performing any conceivable task. However, the price one pays for this power is 
the effort required in mastering arcane commands usually over a period of one or more 
years. Alan Kay [93] and his colleagues at the Xerox Palo Alto Research Centre con-
ceived the basic windows/icons/menuslpointer concepts which form part of the WIMP 
paradigm. Its basic principles are : 
• Windows associated with several user tasks are visible simultaneously 
• Switching between task windows requires only a mouse button push 
• Information is not lost in the process of switching 
• Screen space can be used economically 
The operations of the WIMP operating systems may be summarised by the follow-
ing three simple rules : 
1. Single click to select an object 
2. Double click to open an object 
3. When in doubt, scan the menu for the appropriate function or help. 
The knowledge of how to interact with and operate such systems is an intrinsic 
part of the system itself. In conventional command-line operating systems, however, 
this knowledge is archived in huge reference manuals. A WIMP system user does not 
30 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
have to painfully memorise or reference any manual, the system can provide such help 
on-line. People unfamiliar with computers can learn to operate and become produc-
tive with WIMP systems in a matter of hours or days compared to weeks or months 
of training required for the more conventional command-line systems. Experienced 
WIMP users often take great pride in exploiting the full capabilities of a totally unfa-
miliar software system without either memorising arcane mnemonics like "copy a: *. * 
c:" or opening a user manual. The combination of an intuitive, easy-to-visualise desk-
top environment has resulted in a dramatic decrease in training times and costs with 
a corresponding increase in productivity. These practical, "bottom-line" results have 
led to a rout of command-line operating systems as evident in the rush towards GUI 
environments like Microsoft Windows, X Windows and so on. 
One example is the GNOME which is an acronym for the GNU Network Object 
Model Environment. It is a user-friendly desktop environment that enables users to 
easily use and configure their computers. GNOME includes a panel (for starting appli-
cations and displaying status), a desktop (where data and applications can be placed), 
a set of standard desktop tools and applications, and a set of conventions that make it 
easy for applications to cooperate and be consistent with each other. Users of other op-
erating systems or environments should feel right at home using the powerful graphics-
driven environment GNOME provides. GNOME has a number of advantages for users. 
GNOME makes it easy to use and configure applications using a simple yet powerful 
graphical interface. GNOME is highly configurable, enabling the user to set the desk-
top the way he or she wants it to look and feel. More details on GNOME can be found 
in [59]. 
KDE is a powerful graphical desktop environment for Unix workstations. It com-
bines ease of use, contemporary functionality and outstanding graphical design with 
the technological superiority of the Unix operating system. More details are available 
at [94]. 
The Common Desktop Environment (CDE) is a commercial graphical user interface 
for Unix in its various flavours (AIX, Digital Unix, HPIUX, Solaris etc.). It is built on 
31 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
existing technologies from several Unix vendors (HP, Sun, 1MB, Novell) and the Open 
Software Foundation Inc. (OSF). Based on Motif and XII, it is visually appealing 
and offers many productivity features. The CDE was created by this group of Unix 
vendors to consolidate all the Unix desktop interfaces and define a consistent user and 
development environment. Standardising the user interface enables general users and 
system managers to work more effectively on systems from all vendors that provide 
CDE. 
To summarise, it can be stated that the use of user-friendly graphical environments 
have facilitated the interaction with and use of computer systems. A wide spectrum of 
users can be allowed accessibility with the use of such powerful visual environments. 
Such convenience to the user, particularly in terms of hiding the user from knowing 
intricate details of textual commands, helps in wider acceptance of such systems. 
3.1.3 Visual Programming and Program Visualisation 
The success of the visual paradigm for operating systems has also encouraged its ap-
plication to programming languages. A special issue of IEEE Computer on "Visual-
isation in Computing" [147] details progress in this area. Visualisation with respect 
to programming languages and environments can be subdivided into two areas which 
are, Visual Programming and Program Visualisation. Myers [119] states that program 
visualisation is where a "program is specified in a conventional textual manner, and 
graphics are used to illustrate some aspect of the program or its runtime execution". 
He describes visual programming as the ability "to specify a program in a two or more 
dimensional fashion". Visual Basic is one example of a graphical programming lan-
guage. PictID [58] is an example of a graphical programming environment where icons 
are used for visual programming. The user can compose simple programs for numeri-
cal computations using the subsystems represented such as programming (a flowchart 
metaphor), erase (a hand holding an eraser), icon editor (a hand holding a pen) and a 
user library (a shelf of books). The user can program an icon, edit it, or run its asso-
32 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
ciated program. The resultant program can be denoted by a new icon, created by the 
user with the icon editor, and stored in the library for future use. Further references to 
additional information on visual languages can be found in [31] and [139]. 
3.1.4 Computer Simulations 
Computer simulations are valuable as research tools for modelling physical system 
properties that are too difficult, dangerous or expensive to measure. They are also of 
tremendous value to engineers in modelling mechanical, thermal, and electromagnetic 
systems by the techniques of Finite Element Analysis (FEA). 
Once simulations are performed, good computer graphics and high speed 3-D pro-
cessing are a necessity for post-processing. The ability to read selected results from 
analysis output database files is essential. 
Another interesting area where visualisation plays a central role in engineering de-
sign is Computer Aided Design (CAD). CAD has been a major influential force in the 
development of sophisticated computer graphics techniques. CAD systems are now 
essential tools for the design of integrated circuits (ICs), manufactured parts, complex 
mechanical systems, and architectural plans. Advanced CAD systems permit the direct 
connection of the CAD design phase to the Computer Aided Manufacturing (CAM) 
phase. Design parameters from the CAD program are directly used for the numeric 
control of machine tools. This eliminates the stage of hardcopy blueprints and thereby 
contributes to an increase in productivity. 
Specification Diagrams 
Structured Analysis/Real Time (SAlRT), State Transition Diagrams, Statecharts, 
Statechart-like notations such as Modechart and Timed-Transition Models, Petri Nets, 
Graphical Interval Logic (GIL), Ladder Logic Diagrams and UML Diagrams are graph-
ical notations for the specification of systems. 
33 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
3.1.5 Structured Analysis 
Before considering structured analysis, it is worth noting that "flowcharts" were one of 
the earliest methods of showing programs in picture form. Figure 3.2 shows some of 
the main symbols used in a flowchart and a simple example of a flowchart. A major crit-
icism of the flowchart is that it mainly describes a solution in terms of the operations of 
the underlying machine, rather than in terms of the problem and its structures. It closely 
resembles the final program code in structure and hence is not much more abstract than 
the implementation. It also does not support structured design methods and hence was 
gradually replaced by design methods involving structured methods. Structured Anal-
ysis is a general term used to describe systematic methods for the analysis and design 
of complex software systems. These methods can be contrasted with more ad hoc ap-
proaches, which are largely based on the designer's experience and intuition. There are 
many types of structured analysis. Most of these are semiformal, operational notations 
closely related to data flow diagrams (DFDs), a graphical notation used to describe 
the structure of an information system. SAIRT (Structured Analysis/Real Time) is an 
enhancement of structured analysis designed to model real-time systems. Major con-
structs of SAIRT are Transformation Schemata (TS), an extension oftraditional DFDs. 
SAIRT provides refinement mechanisms useful in building large, well-structured 
specifications. Teamwork and Software Through Pictures are among commercial tools 
compatible with SAIRT. Such tools however are mainly documentation tools and cannot 
support semantic analysis. However, they prove useful for many industrial projects. 
Recently, object-oriented versions of structured analysis methods have been pro-
posed. Some of these are Shlaer and Mellor [138], HOORA [45] and ROOM [137] and 
are meant for developing real-time systems. 
3.1.6 State Transition Diagrams 
State transition diagrams originate from the theory of automata. A finite automaton is 
a mathematical model of a system with discrete inputs and outputs. The system is in 
34 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
some symbols 
process 
A simple example 
Increase n by 1 
No 
y := square(n) 
Figure 3.2: Flowchart 
only a finite number of states. Such a state contains enough information over previous 
input to determine the behaviour of the system on the next input. The control system 
for an elevator can be represented as a state transition diagram, for example, in which 
not all requests are remembered but only the current floor, the direction of movement 
i.e, up or down and the not yet handled requests. Human brains can also be similarly 
described. However, these systems have such a huge number of states that treating them 
as finite state systems will serve no purpose. An example state transition diagram for 
an automaton is given in Figure 3.3. The automaton shown is in state qO to start with 
35 
Ph.D. Thesis 3.1 The "What and Whys9J of Visualisation 
and then transitions to other states qt, q2 and q3 based on the input it receives as shown. 





Figure 3.3: An Example State Transition Diagram for an Automaton 
3.1.7 Statecharts 
Statecharts [68], a graphical language for specifying real-time systems, exploits the 
naturalness and simplicity of the classical finite state machine. This notation also over-
comes, to a large extent, the state machine's major shortcomings; the most important 
is the combinatorial explosion in the number of states. A system which combines two 
machines, one with h states and another with k states, has a state space of h x k states, 
that is, the Cartesian product of the original ones. AND and OR composition are two 
constructs used in statecharts to overcome this problem. The AND composition is de-
scribed below. 
The AND of two component machines fonnalises the composition of two concur-
rent subsystems into a single aggregate machine. Let us consider a railroad crossing 
example to illustrate the AND composition. Let Out, P and I be the states representing 
the location of the train with respect to the crossing i.e., the location of the gate, where 
the state Out is to mean that the train is far away from the crossing, state P is to mean 
that the train is near the crossing and state I is to mean that the train is in the crossing. 
36 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
Let Up and Down represent the states for the gate at the crossing. 
The set of states in the composition of the two machines contains all possible com-
binations of the individual states, i.e., < Out, Down>, < Out, Up>, < P, Down>, < 
P, Up >, < [,Down> and < I, Up >. The transitions between states are combined sim-
ilarly : the set of possible transitions is the union of the original sets. In statecharts, the 
concurrent composition of the component machines is left implicit but formally defined 
through the AND construct, which composes the two components into a single, larger 





Figure 3.4: Statecharts Specification showing AND-composition of Train and Gate 
machine because when the system is in a state in one of the smaller machines, it cannot 
enter a specified state in the second machine. One way to model the coordination of the 
two smaller machines is to label a transition with a formula. The transition can only be 
taken if the formula is true. For example, in Figure 3.4, attaching the formula "not in I" 
to the transition MoveUp specifies that the gate cannot be raised if a train remains in I. 
Figure 3.4 above illustrates some important limitations of the classical state machine 
model for describing real-time systems: 
• Time-dependent behaviour, e.g., "The gate must be down within 10 seconds after 
a train enters P", cannot be expressed. 
37 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
• The figure captures only a small fraction of the required systems behaviour. For 
example, labelling MoveUp as described above prevents this transition when a 
train is in I but does not guarantee that the gate will be down whenever a train 
is in I because the gate could move up and remain there. More information is 
needed to describe the system in detail, such as when the gate must start moving 
down once a train has entered R. 
• If, in a generalisation of the system, several trains can be in R simultaneously, 
then, in the classical model, each train must be described separately. As the 
number of trains grows, the model becomes unwieldy. Also, the model cannot 
handle an unbounded number of trains. 
Statecharts have addressed these problems, at least in part. First, two simple classes 
of time-dependent behaviour can be expressed in Statecharts: a timeout event, an event 
scheduled to occur a fixed number of time units after another event, and a scheduled 
action, an operation (e.g., fire a missile) scheduled to occur a fixed number of time units 
after the current time. In addition, State charts allows parameterised states (e.g., "the ith 
train enters R") and the attachment of generalised formulas to transitions. 
The commercial version of Statecharts, called STATEMATE [81, 68, 69], offers 
these features as well as others. STATEMATE has had considerable success in indus-
try because it has a user-friendly interface that complements the intuitive appeal of 
the classical state machine formalism. Moreover, STATEMATE offers two forms of 
analysis: 
• The user can run STATEMATE's simulator to analyse the behaviour of a "system 
model" in scenarios of interest. 
• STATEMATE's Dynamic Tests tool can do reachability analysis. From the State-
charts specification, the tool builds a reachability graph containing possible states 
the system can be in. Using this graph, the tool can check for deadlock, nonde-
terminism and race conditions. It can also search for a reachable state in which a 
38 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
condition is true. 
Like semiformal approaches, Statecharts provides documentation support but, un-
like them, Statecharts also supports some semantic analysis. However, compared to 
some of the newer formal methods (e.g., model checking techniques), Statecharts' 
analysis capability, which is confined to using reachability analysis to check a small 
set of properties, is quite limited. Moreover, the ability to specify and reason about 
a system's timing behaviour using Statecharts is also quite limited. Quite recently, a 
model-checker for Statecharts has been developed [39]. 
We note again that Statecharts overcomes the limitations of state transition diagrams 
in an intuitive way with depth represented by the use of substates i.e., having a nesting 
of states, orthogonality represented by the partitioning feature using a dotted line and 
the use of broadcast communication. 
3.1.8 Statechart-Iike Notations 
Modechart [89] and Timed Transition Model [121, 122] borrow heavily from Stat-
echarts but are more expressive than Statecharts for describing and reasoning about 
timing properties . 
• Modechart 
Important constructs in Modechart include modes, which correspond to states in 
Statecharts, and actions, which assign values to data variables. A third Modechart 
construct is the event. Different types of events are external events, which rep-
resent changes in the system environment (e.g., the operator pushing the START 
button); mode entry and mode exit events, which mark entry into or exit from a 
mode; and start and stop events, which mark the beginning and end of an action. 
Deadlines and delays, upper and lower bounds on the time interval from mode 
entry to mode exit, allow the specification of the time that a system can remain 
in a mode. Modechart uses a discrete time model ; so, its delays and deadlines 
39 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
are represented as non-negative integers. In Modechart, events are instantaneous, 
whereas actions require at least one time unit to complete. 
In Modecharts, modes may be serial or parallel. Modechart's notion of serial and 
parallel modes corresponds to OR and AND composition in Statecharts. If M is 
a serial mode with child modes M I and M2, then at a given time the system is in 
exactly one of MI and M2. IfM is a parallel mode with child modes MI and M2, 
then when the system is in M, it is simultaneously in both modes MI and M2. 
Modechart's semantics are defined in terms of the real-time logic RTL [89]. 
• Timed Transition Models 
The activity variables (or activities) in a Timed Transition Model (TTM) specifi-
cation correspond to states in Statecharts. A group of subactivities may be com-
posed into an activity using the Statecharts notions of AND and OR composition. 
Other major components of a TTM specification are events and integer variables. 
TIM supports both the usual relational operators and integer arithmetic in con-
trast to Modechart which does not support arithmetic. As in Modechart, time in 
the TTM framework is discrete, and timing constraints are represented as lower 
and upper bounds on transitions between activities. 
3.1.9 Stateftow Diagrams 
Stateflow diagrams, like statecharts, also use a variant of the finite state machine [68]. 
A stateflow diagram is a graphical representation of a finite state machine where states 
and transitions form the basic building blocks of the system. Apart from these, a state-
flow diagram also enables the representation of hierarchy, parallelism and history. One 
important feature of a state flow diagram is that its execution is dependent on the geom-
etry of the diagram. For example, if there are conflicts to resolve regarding transitions, 
they are resolved based on the geometry of the outgoing transitions as depicted in an 
example in Figure 3.5. In other words, non-determinism is resolved by resorting to 
geometrical considerations. This resolution based on geometry applies to transitions 
40 





The three transitions are evaluated In a clockwise progression 
starting at the upper, left comer of state 51. 
If the condition "c1=I" holds, then the transition to slls taken. 
Only If that condition does not hold Is the condition on the the transition 
to s3 checked and so on. 
Figure 3.5: An Example of Resolving Non-determinism in Stateftow 
which are equivalent with respect to their labels i.e., what the transitions are annotated 
with among the four following possibilities given in the order of priority. 
1. Events and Conditions 
2. Events 
3. Conditions 
4. No label 
In Figure 3.5, the transitions were all equivalent as they all had only conditions. The 
non-determinism among those equivalent transitions was resolved by geometry. In 
stateftow, parallel states are depicted using rounded boxes unlike STATEMATE. For 
additional details regarding stateftow, the reader is referred to [143]. 
41 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
3.1.10 Petri Nets 
A Petri Net [125] consists of a set of places, usually denoted as circles, and a set of 
transitions, usually denoted as bars. Arrows connect places to transitions and transitions 
to places. A place is called an input of a transition (a transition is called an input of a 
place) if there is an arrow going from the place to the transition (from the transition to 
the place). A similar definition holds for output places and transitions. The Figure 3.6 




Figure 3.6: Example Petri Net 
notion of a state and its evolution. The state of a Petri net is represented graphically as 
a marking of its places with an assignment of a nonnegative number of tokens to each 
place. The evolution of a Petri net occurs according to the following rules : 
42 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
• A transition is enabled in a given marking if all of its input places are marked. 
i.e., each has at least one token. 
• An enabled transition may fire. This means that one token is removed from each 
input place of the transition and one token is put into each output place thereof. 
Thus the firing of a transition produces a new marking. 
Some of the problems that need to be addressed before Petri nets can be used ef-
fectively in designing real-time systems are given below followed by a summary of 
approaches that have been proposed over the years to solve these problems. 
• Because basic Petri nets are designed to describe concurrency rather than the 
passage of time, they cannot express timeouts and durations. 
• Petri nets lack abstraction mechanisms and thus become large and unmanageable 
when one moves from small examples to practical applications. 
• Petri nets only model a systems's control features, not its data dependencies. Be-
cause tokens are "anonymous". dependencies between control and data cannot be 
modelled. For example. a rule, such as "uncorrupted message must be forwarded 
through channell. whereas damaged ones must be sent back through channel 2", 
cannot be described formally. 
A number of approaches. some with tool support. have been proposed to solve these 
problems. Some of them are : 
• Time has been added to Petri nets in many different ways. One of the most 
general extensions associates a minimum and a maximum firing time with each 
transition [109]. Once enabled. a transition cannot fire before the minimum time 
and must fire by the maximum time. unless previously disabled by the firing of a 
conflicting transition. 
43 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
• Several abstraction and modularisation mechanisms, essential in modelling real-
world systems, have been proposed to support the construction of hierarchical, 
well-structured Petri nets. Recently, such mechanisms have exploited the object-
oriented paradigm. 
• Tokens may have associated values: the firing of transitions can depend on these 
values. 
Many tools are available to support the development of real-time systems using 
Petri nets, including editors, tools for analysing system properties, and, often, tools that 
help drive the system implementation through the lower level phases of the life cycle. 
Among the available tools are Artifex, Cabernet and DesignlCPN. Some have already 
been applied successfully in industrial projects. For instance, Artifex has been used for 
about a decade by several Italian and other European companies, largely in automobile 
manufacturing. 
The significant properties of Petri nets are either intractable or undecidable and 
this is an unfortunate difficulty in modelling with Petri nets. Therefore, simulation is 
used, in most cases, for analysing properties of interest. An important exception is 
the Berthomieu-Diaz algorithm [15] for analysing a timed Petri net for reachability. 
The reachability problem for Petri nets is to determine whether a marking m
l 
can be 
reached from another marking m through a suitable firing sequence. In some sense, this 
is the fundamental problem for Petri nets, since many other problems can be reduced 
to it. Under some reasonably general conditions, this analysis can be completed in 
polynomial time. 
3.1.11 GIL 
Graphical Interval Logic (GIL) is a visual temporal logic in which formulas resemble 
the informal timing diagrams used by system designers. It has a formal model-theoretic 
semantics and can express all properties that can be expressed using linear temporal 
44 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
logic with the until operator [41] . It is a linear-time temporal logic that models a com-
putation as a linear sequence of states. The logic allows the user to construct arbitrary 
intervals of time and to express properties that apply to those intervals. It helps to visu-
alise the relative temporal ordering of states in the system with the horizontal dimension 
used to indicate the passage of time. The interval operator limits the scope of properties 
to the interval on which they must hold. The vertical dimension shows the composition 
of formulas using logical connectives and interval operators. It allows intervals to be 
nested arbitrarily deeply to express complex temporal relations . 
The syntax and semantics of GIL is explained below with some example formulas 
used to specify the operation of a simple system. The system consists of two concurrent 
processes that requests the exclusive use of a shared resource. In Figure 3.7, sigl/sig 





[ ) fig. (b) 
turnl 
-.turn2 









Figure 3.7: GIL Specifications 
45 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
resource. The formula cs l/cs2 denotes that process l/process 2 has exclusive permis-
sion to use the resource, i.e., it may enter the critical section. The formula tum lIturn 2 
denotes that process l/process 2 has higher priority than process 2/process 1. 
The Figure 3.7(a) asserts that sigl and sig2 are false at the beginning of the opera-
tion. The interval symbol here denotes the entire computation and the formula placed 
left-justified below it is deemed to hold at the first state of the interval. The formula is 
formed by the vertical concatenation of two other formulas which indicates their logical 
conjunction. 
The Figure 3.7(b) illustrates how a property can be asserted to be an invariant over 
an interval. The formula is placed below the interval and indented to the right to indicate 
that it holds at every state within the interval. Here the formula states that if process I 
has priority, then process 2 does not, and vice versa. 
The Figure 3.7(c) expresses the property that, if the process that currently has higher 
priority requests the resource, it must be granted permission to access the resource 
before it cancels the request. 
3.1.12 Ladder Logic Diagrams 
Ladder Logic Diagrams are used to describe the logic of electronic control systems. 
They are the primary programming language for programmable logic controllers (PLCs). 
Ladder logic programming is a graphical representation of the program designed to 
look like relay logic. This convention goes back to the early days of PLCs when elec-
tricians and technicians were trained in relay logic and expected to troubleshoot these 
new devices as well. 
The Ladder logic consists of expressions R that are defined inductively as follows: 
A set of variables, with a typical element x, is assumed. 
-[x]- represents the variable x. 
-[/x]- represents -,x. 
R-[x]- represents the conjunction R II X. 
46 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
R-[/x]- represents the conjunction R /\ -'x. 
RI -+- R2 - represents the disjunction RI V R2. 
Since each formula is equivalent to a formula in disjunctive normal form, it is easy 
to see that each formula can be described by means of an expression R. 
A ladder logic diagram consists of a vertical list of assignments of the form 
RI : Xl R2 : X2 : : Rn: Xn meaning that the variable Xi, called a coil, is assigned the 
truth value of Ri for i = 1, .. ,n. Each expression Ri : Xi is called a rung. 
A ladder logic diagram consists of 5 types of variables : 
• Input Variable: Its value is determined by the environment (Le., the logistic layer 
and the infrastructure). 
• Output variable : Its value is computed by means of the ladder logic diagram, 
and passed on to the environment. 
• Latch: 
Its value is computed by means of the ladder logic diagram, and not passed on to 
the environment, but only used in the computation of values of other variables. 
• Timer: 
This variable is either on or off, which is determined by the value of its trigger. 
If it is off, then its value is O. If it is on, then its value is increased by one with 
every cycle, until it reaches a preset duration, after which its trigger is switched 
off (Le., is assigned the value 0). 
• Trigger: 
This indicates whether a certain timer operation is on or off. 
Input variables, output variables, latches and triggers have Boolean values (ie., 0 
or 1), while the values of timers are natural numbers. Each output variable, latch or 
trigger X is the coil of exactly one assignment R : X in the ladder logic diagram. Input 
47 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
variables and timers are not allowed as coils. Only input variables, latches and triggers 
are allowed to occur in the left-hand side of rungs. 
[51] reports work related to the conversion of a ladder logic diagram into a Boolean 
formula, so that the validity of these dependencies in the control tables can be verified 
using a theorem prover. 
3.1.13 Z Schema 
Z [86] is a typed formal specification language based on set theory and first order predi-
cate logic. It has been developed at Oxford University since the late 1970's by members 
of the Programming Research Group (PRG). The problems with large specifications 
using set theory and logic is that specifications become unreadable and unmanageable. 
Therefore, a schema notation was introduced to aid the structuring of specifications in 
Z. This provides the framework for textual combinations of sections of mathematics 
known as schema using schema operators. 
A Z schema 1 is presented graphically to highlight its contents within a specification. 
It normally has two areas: a signature part and a predicate part as shown in Figure 3.8. 
The signature part contains a declaration of the variables to be used in the schema. The 
predicate part shows relationships between the variables declared in the signature. The 
signature part is above the middle dividing line. The predicate part may be omitted in 
which case there will be no middle line. 
The example in Figure 3.8 denotes a Z schema named "S" which introduces a vari-
able of type "N' that can only take values satisfying the predicate "P". 
3.1.14 Specification Diagrams in UML 
The Unified Modelling Language (UML) [140] is a language that unifies the industry's 
best engineering practices for modelling systems. It is a language, not simply a nota-
tion, for capturing knowledge about a subject and expressing knowledge regarding the 
1 "Schema" is not in the plural sense of a scheme; it is called a "schema" by convention 
48 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 








Figure 3.8: A Z Schema 
subject for the purpose of communication. It is used for specifying, visualising, con-
structing, and documenting systems. Figure 3.9 shows the scope of UML. Its goals are 
to :-
• Be a ready-to-use expressive visual modelling language that is simple and exten-
sible. 
• Have extensibility and specialisation mechanisms for extending, rather than mod-
ifying, core concepts. 
• Allow adding new concepts and notations beyond the core. 
• Allow variant interpretations of existing concepts when there is no clear consen-
sus. 
49 
Ph.D. Thesis 3.1 The "What and Whys" of Visualisation 
The UML Scope 
}-------i _ The UML Goa .. 
VIouaUze Dowment 
Figure 3.9: The Scope of UML 
• Allow specialisation of concepts, notations, and constraints for particular do-
mains. 
• Be implementation independent. 
• Be process independent. 
• Encourage the growth of the object-oriented tools market. 
• Support higher-level concepts (collaborations, frameworks, patterns and compo-
nents). 
• Address recurring architectural complexity problems (physical distribution and 
distributed systems, concurrency and concurrent systems, replication, security, 
load balancing, and fault tolerance) using component technology, visual pro-
gramming, patterns, and frameworks. 
• Be scalable. 
• Be widely acceptable (general purpose and powerful) and usable (simple, widely 
accepted, and evolutionary). 
• Integrate the best engineering practices. 
50 
Ph.D. Thesis 3.2 Important Design Features for Visual Representations 
The UML defines nine types of diagrams which are class, object, use case, se-
quence, collaboration, statechart, activity, component and deployment diagrams. 
All of these diagrams are based on the principle that concepts are depicted as sym-
bols and relationships among concepts are depicted as paths (lines) connecting symbols, 
where both of these types of elements may be named. 
Additional information on these diagrams can be obtained in [140]. 
In summary, one of the important reasons for UML's widespread acceptance is that 
it has placed a lot of emphasis on diagrams for modelling systems. 
3.2 Important Design Features for Visual Representations 
Based on a study of visual representations in various areas, the following were identi-
fied as key features that should be taken into account while designing a visual language. 
• Simplicity 
This is one of the most important features of a good visual notation. The simpler 
the diagram, the easier and quicker it is to extract the meaning from it. 
• Intuitiveness 
The diagram should draw the attention of the reader quickly to the suggested 
meaning. 
• Unambiguity 
The diagram should not be causing any confusion in interpretation. 
• Readability 
The diagram should have text put at suitable locations to enhance readability 
without overcrowding the diagram. 
• Communicativeness 
51 
Ph.D. Thesis 3.3 Chapter Summary 
It should be possible to communicate with other people using the diagram. In 
other words, it should be possible to suitably abstract the diagram, when nec-
essary, and see the new diagram clearly. It should be possible to navigate the 
diagram contents with ease. 
• Manipulatability 
It should be possible to manipulate the diagram to suitable equivalent forms. The 
meaning of any manipulation should be clear. 
• Composability 
It should be possible to suitably compose two diagrams. 
• Customisability 
It should be possible to customise the basic notation in some restricted ways for 
which guidelines should be provided. 
• Realisability 
It should be possible to realize the visual language conveniently in a suitable tool. 
• Scalability 
It should be possible to deal with huge descriptions nearly as conveniently as 
smaller ones. 
• Expressivity 
It should have enough expressivity in terms of available language constructs so 
that expressing anything in context can be done directly rather than by round-
about methods. 
3.3 Chapter Summary 
We have seen how visualisation helps in various domains in fostering increased accessi-
bility of information, languages and technology through various means including better 
52 
Ph.D. Thesis 3.3 Chapter Summary 
communication and ease of use. We noted that the use of a user-friendly graphical envi-
ronment facilitated the interaction with and use of computer systems. A wide spectrum 
of users can be allowed accessibility with the use of such powerful visual environments. 
Such convenience to the user, particularly in terms of hiding the user from knowing in-
tricate details of textual commands, helps in wider acceptance of such systems. We saw 
how computer simulations are valuable as research tools for modelling physical system 
properties that are too difficult, dangerous or expensive to measure. We saw that the 
success of the visual paradigm for operating systems also encouraged its application 
to programming languages. PictID [58] is an example of a graphical programming 
environment where icons are used for visual programming. We also examined spec-
ification diagrams like Structured Analysis/Real Time (SAlRT), State Transition Dia-
grams, Statecharts, Statechart-like notations such as Modechart and Timed-Transition 
Models, Petri Nets, Graphical Interval Logic (GIL), Ladder Logic Diagrams and UML 
Diagrams. We explained in section 3.2 the important design features to be taken into 
account while designing a visual language. The application of visualisation aids to an 
ITL-based formal method will be examined. Before that, the following chapter intro-
duces ITL in detail and highlights some of the difficulties that have to be tackled to 
increase its uptake by a wider spectrum of users. Having done that, it details the design 




The main objective of this chapter is to design a visual notation for the chosen logic-
based fonnalism i.e., ITL [116, 29], based on the design principles identified in the 
previous chapter. Therefore, this chapter begins with the syntax and semantics of ITL 
followed by some examples. The current limitations of ITL are also discussed. In 
a following section, the executable subset of ITL i.e, Tempura, is discussed. After 
providing this background, a visual notation for ITL is designed and discussed with 
some examples. 
4.1 Interval Temporal Logic (ITL) 
An interval <1 is defined as a (in)finite sequence of states <10, <11, <12, .. where <1j is a 
mapping from the set of variables 'Var' to the set of values 'Val'. The length of (J is 
one less than the number of states in the interval. 
In ITL, there are the conventional logical operators such as 1\ and -, and the pred-
icates. There are temporal operators like 0 and 0 extending the conventional logic to 
temporal reasoning. Additionally, in ITL, there are temporal operators like ";", "*" and 
"skip". 
54 
Ph.D. Thesis 4.2 Syntax of the Logic 
4.2 Syntax of the Logic 
The syntax of ITL is defined in fig.4.1 where J-l is an integer value, a is a static variable 
(doesn't change within an interval), A is a state variable (can change within an interval), 
v is a static or state variable, g is a function symbol and p is a predicate symbol. 
I Expressions 
I Formulae 
Figure 4.1: Syntax of ITL 
Details of the syntax are explained with some examples below and in section 4.2.2. 
1. Syntax of expressions 
Expressions are built inductively as follows: 
• Constants: J-l 
Constants are denoted by letters of the form J-l. 
Examples: J.lO, J-ll etc. to denote values like 0, 3, and so on. 
• Individual variables: A, B, C, .. ,a, b, c, .. , v, .. 
By convention, capital letters are used to denote state variables which are 
variables whose values can change within an interval and small letters to de-
note static variables which are variables whose values do not change within 
an interval. Letters of the form v are used to denote a variable which can 
either be a static or a state variable. 
• Functions: g(eo,eI,e2, .. ,ek) where k ~ ° and eO,eI,e2, .. ,ek are expres-
sions. + and mod are among common functions used. Constants (such as 0, 
1 etc.) are treated as zero-place functions. 
Examples include: A + B, a - b, A + a, v mod C and so on. 
• la: f : choose a value of a such that f holds. If there is no such a, then la: f 
takes an arbitrary value from a's range. 
55 
Ph.D. Thesis 4.2 Syntax of the Logic 
An example of the usage of such an expression is given below : 
o exp = ta: 0 (exp = a) 
Some examples of syntactically legal expressions are given below: 
.1+(OJ)+2 
This expression adds the value of I in the current state, the value of J in the 
next state and the constant "2". 
• I + (OJ) - 00 (I) 
This expression adds the value of I in the current state to the value of J in 
the next state and subtracts the value of I in the next to next state from the 
result. 
2. Syntax of fonnulae 
Formulas are built inductively as follows: 
• Predicates: p(eo,el,e2, .. ,ek), where k ~ 0 and eo,el,e2, .. ,ek are expres-
sions. For example, ~ is a predicate. 
Examples include: eo ~ e7, e3 < eo and so on. 
• Logical connectives: -,f and II I\h, where f,fl and h are formulas. 
• Universal Quantifier: 'Vv. f 
• skip means a unit interval i.e., an interval of length 1 
• chop: lI;h holds if the interval can be decomposed ("chopped") into a 
prefix and suffix interval, such that II holds over the prefix and h over the 
suffix, or if the interval is infinite and fl holds for that interval. 
• chop-star: f* holds if the interval is decomposable into a finite number of 
intervals such that for each of them f holds, or if the interval is infinite and 
can be decomposed into an infinite number of finite intervals for which f 
holds. 
56 
Ph.D. Thesis 4.2 Syntax of the Logic 
Some examples of syntactically legal fonnulas are given below: 
• (J=2)1\0(K=4) 
This fonnula states that the value of J is "2" in the current states and the 
value of K is "4" in the next state . 
• 0(0[1 = 2] 1\ 0 0 [J = 2]) 
This formula states what fonnula will be true in the next state ; from the 
next state, 1 would always be equal to "2" and the value of J in the next to 
next state would be "2". 
Apart from the basic syntax, additional operators are defined in terms of the basic 
ones as abbreviations. Frequently used abbreviations are listed in tables 4.1-4.4. 
Table 4.1: Frequently used Non-temporal Abbreviations 
true :;::: 0 = 0 true value 
lalse :;::: ...,true false value 
II v 12 :;::: ""(""/1 1\ ""12) or 
II :::> h :;::: ...,/1 V 12 implies 
/I == 12 :;::: (fl :J h) /I. (12 ::> II) equivalent 
3v • I :;::: ...,Vv • ""1 exists 
Table 4.2: Frequently used Temporal Abbreviations 
01 :;::: skip ;f next 
more :;::: Otrue non-empty interval 
empty::: ...,more empty interval 
inl ::: true ;Ialse infinite interval 
finite ::: ...,inl finite interval 
01 ::: finite; I sometimes 
of ::: ...,O...,f always 
®f ::: ...,O...,f weak next 
~ I ::: finite; I; true some subinterval 
r!JI :;::: ...,( ~""/) all subintervals 
57 
Ph.D. Thesis 4.2 Syntax of the Logic 
Table 4.3: Frequently used Concrete Abbreviations 
if 10 then II ~ if 10 then II else empty 
fin I ~ o(empty :) I) 
halt I ~ o( empty == I) 
keep I ~ (!](skip :) I) 
while 10 do II ~ (fa ,,/!)* "fin -'10 
repeat 10 until /! ~ 10; (while -'11 do 10) 
if then 
final state 
tenninate interval when 
all unit subintervals 
while loop 
repeat loop 
Table 4.4: Frequently used Abbreviations related to Expressions 
Oexp ~ Ia:O(exp = a) 
finexp ~la:fin(exp=a) 
A := exp ~ OA = exp 
eXPI +- exp2 ~ finite" (fin eXPI) = exp2 








~ exp gets exp stability 
~ 31 • (I = 0) " (I gets I + I) "I +- exp interval length 
4.2.1 Model 
A model is a triple (D, 1:, M) containing a data domain D, a set of states 1: and an 
interpretation M giving meaning to every function and predicate symbol. For the dis-
cussion here, let the data domain D be the set of integers. A state is a function mapping 
variables to values in D. Let 1: be the set of all such functions. For a state s in 1:, let seA] 
denote A's value. Each k-place function symbol g has an interpretation M[g] which is 
a function mapping k elements in D to a single value which is written mathematically 
as : M[g] E (IJk --t D). Interpretations of predicate symbols map to truth values: 
M[f] E (IJk --t {true, false}). It is assumed that M gives standard interpretations to 
operators such as + and <. The semantics given here keep the interpretations of func-
tions and predicate symbols independent of intervals. They can however be generalised 
to allow for functions and predicates that take into account the dynamic behaviour of 
parameters. Using the states in 1:, intervals can be constructed from 1:+. the set of all 
non-empty, (in)finite sequences of states. If s, t and u are states in 1:, then the following 
are possible intervals: < s >, < sttssust >, < uuu > . An interval should contain at 
least one state. The following introduces a basic notation for manipulating intervals. 
58 
Ph.D. Thesis 4.2 Syntax of the Logic 
Let I denote the set of all intervals. For the sake of discussion here, let I be the set 1:+. 
For an interval C'J in I, let IC'JI denote the length of C'J. By convention, an interval's length 
is one less than the number of states. The individual states of an interval are denoted 
by C'Jo, C'Jl , ..... ,C'Jlal. For example, if the variable A has the value 5 in C'J's final state, then, 
the following is true : C'Jlal = 5. In the above model, even though time is viewed as 
being discrete, it provides a sound basis for reasoning about many interesting dynamic 
phenomena involving time-dependent and functional behaviour. A discrete time view 
of the world corresponds, often, to our mental model of digital systems and computer 
programs. In any case, the granularity of time can be made arbitrarily fine. 
The following is a small example regarding the model explained above. Let the data 
domain D be the set of integers. Let us consider an interval 1: consisting of states C'Jo, 
C'Jl, and C'J2. Let a be some static variable i.e, variable whose value cannot change within 
an interval. Let A be some state variable. Then, we give the following interpretation: 
C'Jo(A) = Valueo, 
C'Jl (A) = Valuel and 
C'J2(A) = Value2 
where Valueo, Valuel and Valuel are the values in the data domain D for the state 
variable A. For the static variable a, since its value in the data domain has to be the 
same throughout the interval, we give the following interpretation: 
O'o(a) = vala, 
O'l(a) = vala and 
0'2(a) = vala 
where vala is the value in the data domain D for the static variable a. In other words, 
the value of a is the same throughout the interval 1:. 
4.2.2 Basic ITL Terminology 
The basic terminology of ITL is introduced with the help of examples. 
59 
Ph.D. Thesis 4.2 Syntax of the Logic 
Operators 
chop: The operator ";" is called chop. A formula 11;12 is true on an interval a iffl 
there is at least one way to split a into two subintervals such that the formula II is true 
on the left subinterval and the formula 12 is true on the right subinterval. That is, 
Mo[/I;f2] = true iff for some i:::; lal, M<oo, ... ,o;>[Jd = true and M<o;, ... ,Olal> [12] = true. 
It can be noted here that aj is a common state for the left and right subintervals. 
In case the interval is infinite, then, it has to be true on a. 
empty and more: The formula empty is true on an interval iff the interval has length 
zero. The formula more is just the opposite being true on an interval iff the interval has 
nonzero length. 
next and weak next: In order for the construct next viz., 0 to be true on an inter-
val a, the length of a must be at least one. Therefore, this operator is referred to as 
strong next. The related construct weak next viz., (!)is true on an interval a if either 
a has length zero or the subformula w is true on < al· .alol >. So, we can express 
the weak next in terms of strong next as : 81 - empty V 01 where (next w) means 
(strong next w), by default. This way, the weak next provides a concise and natural 
way to express a construct as a conjunction of its immediate effect and future effect. 
The operator 0 The construct 0 I is true on an interval a if there is some suffix 
subinterval on which the formula I is true : 
Mo[O/] = true iff for some i:::; lal,M<o;, .. ,o,a,>[/] = true and i f. 00. 
In other words. it means that I is true sometime in the interval. It can be defined in 
terms of the chop operator as : 01 -de f f init e ; f 
The operators halt and lin This operator can be used. in the form halt I. to specify 
that a formula f becomes true only at the end of an interval. 
1 iff is the usual abbreviation for "if and only if' used in mathematics 
60 
Ph.D. Thesis 4.2 Syntax of the Logic 
halt f = O(j = empty). 
For example, halt (I > to) is true on cr iff the value of the variable I exceeds 10 in 
exactly the last state of cr. 
The formula fin f is true on an interval cr iff the formula f is itself true on the final 
subinterval (crlal) i.e., the last state of cr. 
fin f -de! o (empty :::> f)· 
Temporal equality The construct el ~ e2 is called temporal equality. It is true iff the 
expressions el and e2 are always equal : 
el ~ e2 =de! o(el = e2). 
Length The formula len(e) is true on an interval having length exactly e. 
Ma[/en(e)] = true iff Ma[e] = Icrl· 
The length of cr can also be denoted as Icrl. 
Existential quantifier: Let us consider the states viz., s, t and u, and the values of 
variables 'M' and 'N' in those states as in table 4.5. 
M N 
s 2 4 
t 0 4 
u 2 3 
Table 4.5: Example for Existential Quantification 
Now, the formula (3/) • O(N = 2 * J) is intuitively true on any interval on which 
we can construct an 'I' such that 'N' always equals twice of 'I' and the length of the 
interval is the same as that to which the formula corresponds which is 2 here (because 
there are 3 states under consideration here). In other words, 'N' should always be even 
on such an interval of length 2. The interval < ttt > satisfies the formula. So does 
< sss >. There are many such intervals which satisfy the formula. < U >, < stut > and 
< uuu > are some intervals that do not satisfy the formula. 
61 
Ph.D. Thesis 4.2 Syntax of the Logic 
Bounded universaVexistential quantifier Formulas of the following form are re-
ferred to as bounded universal quantification: 
'Vv ::; e. f, where v is a static variable, e is an expression and f is a formula. 
'Vv::; e.f -de! 'VV. v::; e :> f· 
Formulas of the following form are referred to as bounded existential quantification: 
:Iv ::; e. f, where v is a static variable, e is an expression and f is a formula. 
:Iv::; e. f =de! :Iv. v::; e 1\ f· 
Of course, the ranges in the above formulas could be v < e, el < v::; e2 etc .. 
assignment and gets: An assignment simply gives the value of the expression in the 
next state. For example, el := e2 means that the value of el in the next state will be e2. 
To say that one expression, say el. equals another expression, say e2 with a one-unit 
time delay, the gets construct is used to say, el gets e2. So, in the whole of the interval. 
at any state, if el is true, then e2 will be true in the next state, if there is one. 
Temporal assignment The formula e2 f- el is true for an interval if the initial value 
of the expression el equals the final value of the expression e2· 
We define this as follows : 
e2 f- el -de! 3a: [(a = el) I\fin(e2 = a) 1\ finite] 
4.2.3 Interpretation of Expressions and Formulas 
The interpretation M can be extended, as follows, to give meaning to expressions and 
formulas on intervals. The constructs M<r[e] and M<r[fl are defined to be equal to the 
value, in D, ofthe expression e and the formula f, respectively, on the interval o. 
Let X be a choice function which maps any non-empty set to some element in the 
I • 
set. We write 0 "'v 0 if the intervals 0 and 0 are identical with the possible exception 
of their mappings for the variable v. 
The following list defines some basic operators . 
• M<r[v] = 00 [v] • where v is a variable 
62 
Ph.D. Thesis 4.2 Syntax of the Logic 
This means that a variable's value on an interval is its value in the interval's initial 
state. 
• Ma[g(el' .. , ek)] = M[g](Ma[etJ, .. , Ma[ek)). 
• Ma[la:f] = { 
X(u) ifut-O 
X(Vala) otherwise 
where u = {cr' (a) I cr "'a cr' /\ Ma' [J] = true}. 
• Ma[...,f] = true iff Ma[f] = false. 
• Ma[J1 /\12] = true iff Ma[JI] = true and Ma[J2] = true. 
• Ma['v'v. f) = true iff for all cr' s.t. cr "'v cr', Ma' [f) =true. 
• Ma[skip] = true iff Icrl = 1. 
• Ma[Jl;h] = true iff 
(exists a k, s.t. Mao, .. ,ak[fd = true) and 
((cr is infinite and Mak,..[h] = true) or 
(cr is finite and k :S Icrl and Mak. .. ,alal [h) = true») 
or (cr is infinite and Ma[Jd)· 
• MaLt*] = true iff 
if cr is infinite then 
(exist 10, ... , In s.t. 10 = 0 and 
Ma/n, .. Lt] = true and 
for all 0 :S ; < n, I; < 1;+1 and Ma/i, .. ,a/i+1 [f] = true) 
or 
(exist an infinite number of I; s.t. 10 = 0 and 
for all 0 :S i, I; < I;+! and Ma/i, .. ,a/i+l [J] = true) 
else 
63 
Ph.D. Thesis 4.2 Syntax of the Logic 
(exist 10, ... ,In s.t. 10 = 0 and In = 10'1 and 
for all 0 :::; i < n, Ii < [HI and MG1j' .. ,G1HI [/] = true). 
4.2.4 Validity and Satisfiability 
Interpretation of a formula 
Let s, t and u be states in which the variables T and '1' have the values as shown in 
table 4.6. 
I J 
s 1 2 
t 3 4 
u 3 1 
Table 4.6: Values of I and J in 3 Different States 
The formula (1=2) /\ 0 (1=3) is true on an interval 0' iff 10'1 ~ 1, the value of '1' 
in the first state i.e., 0'0 is 2 and the value of 'I' in the next state i.e., 0'1 is 3. Thus the 
formula is true on the interval < stu >. On the other hand, the formula is false on the 
interval < ttu > because the initial value of 'J' on this interval is 4 instead of 2. 
Validity of a formula 
Consider the following formula: 0(1 = 1) /\ 0(1 = 2). This formula is true on an 
interval 0' if 101 ~ 1, the variable 'I' always equals 1 and in the state 0'1, 'I' equals 2. 
No interval can have all of these characteristics. Therefore, the formula is false on all 
intervals and its negation is always true and hence valid. It is written as follows: 
F= .(0(/= 1) /\ 0(1=2)). 
The F= stands for "is valid". 
4.2.5 Proof System for ITL 
A proof system is required in any logic so that reasoning can be performed by applying 
appropriate rules. As an example of a rule in propositional logic, let us consider the 
simple rule of double negation. It simply states that there is no difference between cp 
and •• cp which is intuitively true. Applying this rule to the sentence "It is not true that 
64 
Ph.D. Thesis 4.2 Syntax of the Logic 
it does not rain.", we can infer the sentence "It rains". Books on logic will show several 
such rules in propositional logic and predicate logic and how they can be applied to 
infer conclusions from premises. [SO] is one such good reference. 
Similarly, for ITL, there are several rules in its proof system. Soundness and Com-
pleteness are important issues with respect to such a proof system. For example, the 
soundness of propositional logic is useful in ensuring the non-existence of a proof for 
a given conclusion from a given set of premises. In other words, soundness will let 
us know if a formula cannot be inferred from a set of other given formulas. Without 
knowing this bit of information, a failure in establishing a proof will not let us know 
whether it is due to our lack of skill or whether such a proof cannot be constructed at 
all. Completeness of a proof system implies that any true formula in that logic can be 
proved true using some set of proof rules in the system. 
The following table 4.7 gives the propositional rules and axioms for ITL. 
Table 4.7: Propositional Axioms and Rules for ITL. 
ChopAssoc I- (fo;/d;h - 10; (fl;h) 
OrChopImp I- (fo v Id;h ~ (fO;/2) v (fl ;12) 
ChopOrImp I- 10;(JI v h) ~ (fo;/l) v (fo;h) 
EmptyChop I- empty; II - II 
ChopEmpty I- II;empty - II 
NextlmpNotNextNot I- 010 ~ -,0-,/0 
BoxInduct I- 101\ D(fo ~ ®/o) ~ 0/0 
InfChop I- (fo 1\ in/) ; II - (fo 1\ inj) 
ChopStarEqv I- 10 - (empty v ((fo 1\ more) ;10)) 
MP I- 10 :J II, I- 10 :::} l- II 
BoxGen I- 10 :::} I- 0/0 
Some axioms for the first order case are shown in table 4.S where v refers to both 
static and state variables, and I: denotes that in the formula f, expression e is substi-
tuted for variable v. For example, in the SubstAxiom axiom in table 4.S, in formula f, 
the state variable B is substituted for A. 
[117] and [lIS] are references for work on completeness of the ITL proof system. 
The following paragraphs briefly explain some of the above proof rules. 
65 
Ph.D. Thesis 4.2 Syntax of the Logic 









r- "Iv • I :J IS, 
where the expression e has the same data and tem-
poral type as the variable v and is free for v in I. 
r- "Iv· (fl :J h) :J (fl :J "Iv· h), 
where v doesn't occur freely in fl. 
r- o(A = B) :J I == Ii. 
r- w:J ®W, 
where w only contains static variables. 
r- :Iv· (fl ;12) :J (:Iv. II );12, 
where v doesn't occur freely in h. 
r- :Iv· (fl ;12) ::) fl; (:Iv. 12), 
where v doesn't occur freely in fl. 
r- (:Iv· f) " (tv:/) = v :J I, 
where v is a static variable. 
r- I ~ r- "Iv • I, 
for any variable v. 
The rule "ChopAssoc" states that the chop operator of ITL is associative just as the 
name of the rule implies. So, for example, if you can "chop" an interval such that fo ; fl 
is true in the left subinterval and h is true in the right subinterval, then, you can also 
chop the same interval into a left subinterval where fo is true and a right subinterval 
where fl ; h is true. In other words, the chop operator is associative. 
The "ChopEmpty" is a rule stating that any formula followed by the chop operator 
and empty is equivalent to the formula itself. This simply follows from the definition 
of "chop" and "empty" operators. 
The "BoxInduct" states if fo is true in the initial state and always fo being true 
implies the formula efo, then, always fo is true can be inferred. 
The "InfChop" rule simply states that if fo is true and the interval is infinite in the 
left subinterval of a "chop", then, the right hand side formula is immaterial. 
The definitions of the ITL constructs can be used to understand the above axioms 
and rules for ITL. It is important to note that there is a proof system for ITL that can 
help in performing deductive reasoning in ITL. 
The importance of these rules lie in the fact that required, important properties of an 
66 
Ph.D. Thesis 4.2 Syntax of the Logic 
ITL specification can be formulated in ITL themselves and then proved to be satisfied 
by the specification (or otherwise) using the proof system for ITL. At present, the proof 
system of ITL has been embedded in the Prototype Verification System (PVS) proof 
tool [84] to enable computer-assisted proof construction. It is worth noting here that 
a lot of guidance is needed to perform proof tasks and hence only experts in theorem 
proving who are experienced in such tasks can do it. Further work in this area will 
involve the creation of proof strategies to assist non-experts in performing ITL proofs. 
With such proof strategies being offered to inexperienced users, the users would be 
able to select a proof strategy and let the computer automatically perform the proof 
tasks involved in sequence. 
4.2.6 Examples using the ITL Constructs 
1. Tree summation [116] 
Let us consider a binary tree such as either of the ones shown in the linearly 
represented list structures : 
(((1,2), (3,4)), ((5,6), (7,8))) and ((1, (2,3)), (4,5)). 
Let the function leaf -sum(tree) determine the sum of a tree's leaves: 
leaf -sum(tree) --
if iSJnteger(tree) then tree 
else leaf -sum (treeo) + leaf -sum(treet}. 
The predicate is-integer is true when the parameter tree is an integer(Le., a leat) 
and false when tree is a pair. 
Let us now consider the task of designing an algorithm to reduce a tree-in-place 
to a single value indicated by leaf -sum. If the variable Tree initially equals such 
a binary tree, we can specify the problem as : 
Tree ~ leaf Jum(Tree). 




if is-integer(Tree) then empty 
else( 
sum~ubt ree (T ree, 0) ; 
sum~ubtree(Tree, 1); 
skip 1\ (Tree f- Treeo + Tree}) 
) 
) . 
sumJubtree(Tree, i) ~ 
serial~umJree(Treei) 
/\ stable Treel-i· 
The following may be noted: 
4.2 Syntax of the Logic 
• If the tree is already an integer-valued leaf. serialJumJree terminates. Oth-
erwise. the predicate sum~ubtree is used to reduce the left subtree first and 
then the right subtree. 
• skip /\ (Tree f- Treeo + Treed is used to finally reduce the tree to a single 
value. 
• The tree is initialised and serial~umJree is invoked by a formula of the 
following form : 
Tree = () 
/\ seriaIJumJree(Tree) /\ Odisplay(Tree). 
The following are predicates for a parallel solution: 
68 
Ph.D. Thesis 
par ...sumJree(Tree) -. 
if is.integer(Tree) then empty 
else( 
3Done: ( 
(Done ~ [isJnteger(Treeo) 1\ isJnteger(Tree.)]) 
1\ halt Done 
1\ sum...subJree_process(Done, Treeo) 
I\sumJree_process(Done, Tree.) 
); 
skip 1\ (Tree +- Treeo + Treed 
) 
). 





1\ stable Tree 
) 
). 
The following may be noted: 
4.2 Syntax of the Logic 
• The predicate par ...sumJree is similar to serial...sumJree except that it re-
cursively reduces each half of a pair in parallel rather than sequentially. 
• The variable Done is used to monitor the progress of the two subtrees. It 
equals true when they are both finally integers. 
69 
Ph.D. Thesis 4.2 Syntax of the Logic 
• The subordinate predicate sumJree_process(Done, Tree) reduces its tree 
parameter and keeps the Tree stable until the flag Done becomes true. This 
ensures that the two parallel invocations of sumJree_process finish at the 
same time. 
2. An example of an automobile cruise control system 
Let us consider an automobile cruise control system. A cruise control system 
sets the speed of a vehicle with the touch of a finger. Once the system is set, 
unintended speeding is avoided. The system constantly measures the changes 
in engine loading and vehicle speed. Functions on the steering wheel allow for 
slowing down or accelerating without touching the accelerator (gas pedal). So, 
a cruise control system increases comfort by reducing fatigue and prevents fuel 
wastage from unintended speeding. 
The state space of the system is represented by the following variables and their 
constraints: 
• Driver Input 
Driver initiated inputs are represented by EngineState, BrakeState, GasState 
and CruiseVaI. The possible values for the variables are given by the sets 
below: 
EngineState = {off, on} 
BrakeState = {off, on} 
GasState = {off, on} 
CruiseVal = {constant, neutral, off, resume} 
• CarSpeed 
Information on car speed is represented by SpeedVaI and SpeedState. Ad-
ditionally, DesiredSpeedSetting can be set to any real value from Zero to 
Max, indicating the speed to be attained by the cruise control system. 
70 
Ph.D. Thesis 
SpeedVal = {Zero .. Max} 
SpeedState = {Const, Up, Down} 
DesiredSpeedSetting = {Zero .. Max} 
• Car Internal States 
4.2 Syntax of the Logic 
The internal state of the car is modelled by the state variable Carlnternal-
State. It takes values from the following set: 
CarInternalState = {Idle, Manual, Accelerating, Cruising, Resuming} 
We can now specify a constraint on the state space as below: 
(a) If the value of the speed is either Zero or Max., then, SpeedS tate is 
going to be constant 
Implicit in this constraint is the fact that the SpeedState mayor may not be 
constant when the SpeedVal is neither Zero or Max. 
Its ITL specification is : 
SpeedVal = Zero V SpeedVal = Max ::> SpeedState = Const 
The Initial State Specification 
We can define a formula, FInitial, for initial states of the cruise control system. 
The initial states include, say, the engine being off, the cruise lever set to off, the 
car speed being zero, the internal state being idle and the desired speed not being 
set yet. 
Its ITL specification is : 
FInitial ...... CarInternalState = Idle /I CruiseVal = off /I SpeedVal = Zero /I 
EngineState = on 
Safety and Liveness Specification 
If the engine is off, then, the car will eventually stop 
Turning off the engine implies that eventually the speed will become zero. 
71 
Ph.D. Thesis 4.2 Syntax of the Logic 
Its ITL specification is : 
EngineState = off ::> OSpeedVal = Zero 
If the lever of cruise const is applied, and the brake is off at that time, the 
desired speed, DesiredSpeedSetting, will eventually be set, whether it has 
been set previously or not. 
Its ITL specifications is : 
BrakeState = off 1\ CruiseVal = constant::> OSpeedVal = DesiredSpeedSetting 
Examples with real time constraints : 
Let us first make some assumptions and introduce certain constants. Let CAccel-
eration denote the magnitude of a constant value of both acceleration and deceler-
ation rates. The maximum value for the car speed has already been introduced as 
Max. Hence the maximum time required for a car to achieve its maximum speed, 
say CMaxTime, will be MaxlCAcceleration. Let CInfinity denote an arbitrary 
large number for time greater than CMaxTime. 
Now we can introduce some example specifications with real-time constraints. 
If the current speed is below the desired speed, and if the car increases its 
speed continuously for a period longer than CMaxTime, then the speed of 
the car will eventually reach the desired speed. 
Its ITL specification is : 
SpeedVal < DesiredSpeedSetting 1\ SpeedS tate = Up 
::> t 2: CMaxTime 1\ t < Clnfinity 1\ OSpeedVal = DesiredSpeedSetting 
Once again, it can be noted that textual specifications are monotonous in their ap-
pearance in that they are full of text and symbols. The structuring of the specifications 
in intuitive graphical notations will be one big step forward in attempts to increase the 
accessibility of ITL specifications. 
72 
Ph.D. Thesis 4.2 Syntax of the Logic 
4.2.7 Limitations in the usage of ITL 
The following explains the limitations in the usage of ITL. 
• Readability of the specifications has to be enhanced. In this context, we have 
already seen the use of abbreviations which were defined in terms of the basic 
constructs. This is not enough as ITL is a mathematical approach involving many 
symbols. This is especially a problem when large specifications are considered. 
Moreover, this hinders wider accessibility. 
• In order to address schedulability and resource allocation problems, ITL has to 
be integrated with another suitable formalism. An approach along the lines of 
[26], which has an example where the formalism Temporal Agent Model (TAM) 
[105, 135, 136] was given ITL semantics and used to specify a robot control 
system, is required. 
• In order to prove properties about the system specification in ITL, a user-friendly 
proof tool has to be integrated with ITL. ITL has been embedded in the Prototype 
Verification System (PVS) thus enabling ITL proofs to be worked out. However, 
a model-checker is necessary so that the state space based on an automata rep-
resentation for an ITL formula can be explored to check for required properties. 
[117] describes some work in this direction. 
• Some benchmark case-studies have to considered to demonstrate the suitability 
of ITL for the specification of real-time safety critical systems. The following 
case-studies are good case-studies for such benchmarking: The mine pump con-
trol system [91], a robot control system for a robot exhibiting some specified 
behaviour which is more complicated than in [26] and railroad crossing systems 
[74]. These case-studies would also demonstrate the scalability potential of ITL. 
Apart from this, new case-studies including new domains have to be considered 
in order to test these techniques as well as increase confidence in them. This will 
go a long way in increasing their accessibility to industrial users. 
73 
Ph.D. Thesis 4.3 Execution of Specifications 
• Software tool support that enables a user to either write specifications in some 
graphical language or ITL specifications directly and, if necessary, convert to 
the other form would help ITL become more accessible. This tool would help 
inexperienced users to specify using the more convenient graphical language and, 
if interested, learn ITL using this tool. The resulting ITL specification could be 
linked with other tools for simulation or proving properties. The experienced 
ITL user could always write ITL specifications directly. Even for such a user, 
visual ising the ITL specification would be possible if the ITL specification is 
convertible to a graphical form. 
• Refinement and proofs performed on ITL specifications will further burden the 
user in terms of formal methods and hence, if they are performed on intuitive 
graphical ITL specifications, various levels of users can be accommodated in 
such processes which are particularly important while developing safety-critical 
systems. 
4.3 Execution of Specifications 
4.3.1 Executable Specifications 
Specifications playa central role in systems development in more than one way. They 
define all the required characteristics of the system to be implemented. To define the 
required characteristics precisely and concisely, specifications must be written in for-
mal and highly expressive languages [151]. For an immediate reflection of the con-
sequences of the specifications, and for an early validation, it has been suggested that 
specifications should, furthermore, be executable [2]. Hayes and Jones [70], however, 
argue that the demands of high expressiveness and executability are mutually exclu-
sive. Norbert E. Fuchs [55] argues that high expressiveness and executability need not 
exclude each other if specifications are written in declarative languages. The following 
summarises the arguments for the use of executable specifications written in declarative 
74 
Ph.D. Thesis 4.3 Execution of Specifications 
languages [55]. 
• Executable specifications allow us to demonstrate the behaviour of a system be-
fore it is actually implemented. This has the following positive consequences for 
systems development. 
- Executable components are available much earlier than in the traditional 
life-cycle. Therefore, validation errors can be corrected immediately, with-
out incurring costly development. 
- Requirements that are initially unclear can be clarified and completed by 
hands-on experience with the executable specifications. 
- Execution of the specification supplements inspection and reasoning as means 
for validation. This is especially important for the validation of non-functional 
behaviour. 
Declarative languages, especially logic languages, combine high expressiveness 
with executability. They allow us to write both property-oriented and model-
oriented executable specifications on the required level of abstraction. Logic 
specification languages permit us to express non-determinism in a natural way. 
• Executable specifications are constructive i.e., they not only demand the exis-
tence of a solution, but also, actually construct it. 
• As long as there is an executable subset in the specification language, the non-
executable specification can be transfonned by the process of refinement (and the 
incorporation of appropriate design decisions) into an executable specification. 
This executable specification may either be at almost the same level of abstraction 
as the non-executable one or at a very different level of abstraction. 
• Executable specifications do not constrain the choice of possible implementa-
tions because only minimal design and implementation decisions are necessary 
to obtain executability. In addition, these decisions are revisable. 
75 
Ph.D. Thesis 4.3 Execution of Specifications 
• Verification of an implementation against the specification becomes superfluous 
if we use the transfonnational approach. This is because transformations per-
fonned using correctness-preserving sound rules result in verification automati-
cally being done in each of the transfonnation steps. This is not the case when 
one starts with a specification and end up with an implementation without any 
fonnal transfonnations. In such a case, verification is necessary to show that the 
implementation is a correct refinement of the specification. 
Executable Temporal Logics 
The development of executable temporal logics is becoming increasingly important 
while a variety of verification systems based upon temporal logic, particularly involv-
ing model-checking techniques, have been produced. An introduction to five temporal 
logic-based programming languages: Chronolog, F-LIMETTE, Concurrent METATEM, 
Tempura and Tokio can be found in [49]. These languages can be classified depend-
ing on the type of logic upon which they are based, their execution schemes and their 
applicability. Chronolog and Concurrent METATEM use Linear-Time Temporal Logic 
(LTTL); Tempura and Tokio use Interval Temporal Logic (ITL); and F-LIMETTE uses 
Metric Temporal Logic (FMTL). Concurrent METATEM and Tempura use determinis-
tic execution schemes suitable for practical programming languages while others fea-
ture backtracking mechanisms. Concurrent METATEM is naturally applicable to con-
current object-based (and agent-based) systems, while the others are intended for single 
object implementation. Thus, together, these languages cover much of the range of el-
ements being actively explored throughout the field of executable temporal logics. 
The following are some useful WWW sites: 
• http://www.csl.sri.comllucidlintense for InTense, a language which includes the 
original Chronolog as a subset. 
• http://www.cse.dmu.ac.ulUcaulitlhomepagelindex.html for Tempura. 
76 
Ph.D. Thesis 4.3 Execution of Specifications 
4.3.2 Introduction to Tempura 
Tempura provides an executable framework for developing and experimenting with 
suitable ITL specifications. It is a programming language based on ITL and, hence, 
is an executable subset of ITL. In what follows, we discuss Tempura and outline its 
limitations. For more discussion, we refer the reader to [116, 84]. 
4.3.3 Syntax of Tempura 
The syntax of Tempura corresponds to the syntax of the executable subset of ITL. The 
basic statements of Tempura include the more, empty, A = exp, true, false, if then else, 
while, repeat constructs, the ITL!I /\ 12 represented as !I and 12, <> represented as 
sometimes and 0 represented as always. Further details can be obtained from [116]. 
4.3.4 Tempura Interpreter 
Let us consider the following Tempura program: «(next)(next)empty) and (1=0) and 
(I gets (1+1) and always(1=2.I». This program is simple enough to make a mental 
calculation and corne to the conclusion that this is true on intervals of length 2 in which 
'I' assumes the value 0, 1 and 2 while '1' simultaneously assumes the values 0, 2 
and 4. One way to execute such a formula is to transform it to a logically equivalent 
conjunction of two formulas as (present-state and (weak next)what-remains) where 
the formula present-state consists of assignments to the program variables and also 
indicates whether or not the interval is finished while the formula what Jemains is what 
is executed in subsequent states if the interval does indeed continue on. For the formula 
under consideration, present...state has the value, ( (1=0) and (1=0) and more). The 
value of what-remains is the formula, «(next)empty) and (1=1) and (I gets(l+ 1» and 
always(1=2.I». A detailed account of the transformation of the formula is given in 
Figure 4.2. 
The operation of the Tempura interpreter is based on the technique just described. 
For details on the variables used by the interpreter and the basic execution algorithm, 
77 
Ph.D. Thesis 4.3 Execution of Specifications 
Before state 0: «next)(next) empty and (1=0) and (I gets (1+ 1» and always(1=2.1» 
After state 0 : [(1=0) and (1=0) and more] and 
(weak next)[ (next empty) and (1=1) and (I gets (1+1) and always(J=2.1)] 
Before state 1: (next empty) and (1=1) and (I gets (1+1» and always(1=2.1) 
After state 1: [(1=1) and (1=2) and more] and 
(weak next)(empty and (1=2) and (I gets (1+ 1) and always(J=2.1)] 
Before state 2 : empty and (1:=2) and (I gets (1+ 1» and always(J=2.1) 
After state 2: [(1=2) and (1=4) and empty] and 
(weak next)[false and (I gets (1+ 1) and always(J=2.1)] 
Figure 4.2: Transformation of the Formula by the Interpreter 
we refer to [116]. The various constructs of Tempura are implemented by using re-write 
rules [116]. 
4.3.5 Examples in Tempura 
1. The following is a very simple example. 
Problem description : There are three system variables, X, Y, and Z. The user 
inputs the initial values of X and Y. The value of X in subsequent states is to be 
incremented by a constant value of 10 and the value of Y in subsequent states is 
to be decremented by a constant value of 1. Z should take the sum of the values 
in X and Y. This should continue for an interval length of n to be specified by 
the user. When the final state is reached, the square of Z is to be displayed. 
A sample Tempura program : 
define mainO = { 
exists X, Y,Z,n : { 
define first(n) = { 
{empty and input X and input Y and input n}; 
78 
Ph.D. Thesis 4.3 Execution of Specifications 
{X gets X+lO and Y gets Y-1 and Z gets X+Y and len(n)} ; 
{empty and output X and output Y and output Z*Z} 
} 
and 
define secondO ={ 
always { 
format("X = %tY = %tZ = %t/ n",X,Y,Z) } 
} 
and 




Tempura 12> load "mono1". 
[Reading file /exportlhomeO/users/arunc/tempu..eX/oklmono 1.t] 
Tempura 13> run mainO. 
StateO:> X =?lO. 
StateO:> Y =?100. 
Stat eO :> n =?3. 
Stat eO : X = 10 Y = 100 Z =? 
State1:X=20 Y=99 Z= 110 
State2:X=30 Y=98 Z= 119 
State3 : X = 40 
State3 : Y = 97 
State3: (Z *Z) = 16384 
State3 : X = 40 Y = 97 Z = 128 
79 
Ph.D. Thesis 
Done! Computation length: 3. Total Passes: 7. 
Total Reductions: 175 (150 successful). 
Maximum reduction depth: 10. 
4.3 Execution of Specifications 
Comments : It must be noted that Z is shown undefined in the initial state and 
is in accordance with the specification. The value of Z in state 1 is 110 as shown 
and not 119 as one might expect by mistake. If 119 was actually required in 
the system, then the statement Z = X + Y would have to be used instead of 
Z gets X + Y. The specification in this case would have "Z should take the 
sum of the values in X and Y in the current state". This is a simple example 
where simulation results can help in communication between the customer and 
the developer at an early stage in the development cycle and get things right. 
It can also be noted that the statement exists in the program which is used to de-
clare variables is not very good for readability. There is. in fact. a lot of syntactic 
additions to be done in Tempura. 
4.3.6 Non-executability in Tempura 
• 1 gets (1+ 1), is a non-executable statement since the initial value of 'I' is undefined 
in the above statement. «1=0) and (I gets (1+ 1) has an initial value for 'I' but the 
execution will not terminate. (next(l=l) or next(I=2» is non-executable because the 
value of 'I' in the next state is non-deterministic. The use of 'sometimes' also can 
cause a problem as can be seen in the following example: «1=0) and (I gets (1+ 1) and 
halt(l=2) and sometimes(I=3») where haltw means that the formula w becomes true 
only at the end of the interval under consideration. Therefore, the program is supposed 
to stop execution when 'I' gets the value '2' apart from '1', in some state. having had 
the value of '3', which is clearly not going to be the case. So, one has to be cautious 
while writing programs in Tempura. 
Here are some example programs and the corresponding outputs: 
80 
Ph.D. Thesis 4.3 Execution of Specifications 
• Tempura program with undefined initial value: 
define mainO = { 
exists X: { 
define firstO = { 
{(X gets X + I)} 
} 
and 
define secondO = { 
always{ 
format ("x=%tI n",X)} 
} 
and 
secondO and firstO } 
}. 
Tempura 9> load "nonexec". 
[Reading file lexportlhomeDlusers/arunc/tempu...exlok!nonexec.t] 
Tempura 10> run mainO. 
StateD: X =? 
* * *Tempura error: state #0 (pass#3) is not completely defined. 
Evaluating: X gets (X + ... ) 
Undefined: {empty}{}{X}{}{} 
Abort (a). Break (b) or Continue (c)? 
• Tempura program with Sometimes 
define mainO = { 
exists X: { 
define firstO = { 
81 
Ph.D. Thesis 4.3 Execution of Specifications 
{ (X=O) and (X gets X + 1) and halt(X=9) and sometimes(X= 10) } 
} 
and 
define secondO = { 
always { 
format("X = %t / n'''X) } 
} 
and 
secondO and firstO 
} 
}. 
Tempura 11> load "sometime". 
[Reading file lexport!homeO/users/arunc/tempu...exloklsometime.t] 
Tempura 12> run mainO· 
StateO: X = 0 
Statel:X = 1 
State2: X = 2 
State3: X = 3 
State4:X =4 
State5: X = 5 
State6: X = 6 
State7: X = 7 
StateS: X = S 
* * * Tempura error: attempt to re-assign interval length. 
Evaluating: next sometimes (X = 10) 
Abort (a), Break (b) or Continue (c)? 
82 
Ph.D. Thesis 4.3 Execution of Specifications 
4.3.7 Limitations of Tempura 
Increasing Readability of Specifications : 
Constructs could be added in Tempura in order to increase readability. While shared 
variables could be used for synchronisation between processes, having explicit channel 
communication constructs in ITLffempura would be better. To be able to deal with 
deadlines for computations or delay, we could use constructs which mean these by 
virtue of their names and this will lead to more readable specifications. 
Improvements to User-interface: 
There is no doubt that a helpful and "user-friendly" interface is required in order for 
these software techniques to become popular. If such a user-interface is easy to learn, 
simple to use, straightforward, and forgiving, the user will be inclined to make good 
use of these techniques. In order to achieve this, amongst many other things, it would 
be necessary to insulate the user from the intricacies that are of no consequence to the 
user and provide only useful information for effective interaction and hence a proper 
and efficient usage of these software techniques. Therefore validating user inputs, han-
dling errors and displaying appropriate error messages would be very important. Also, 
features like' on-line help' and giving useful examples and possibly even allowing the 
user to customise the interface will all go a long way towards enabling more people to 
become aware of the usefulness of these techniques. 
Integration with Other Toolsffechniques : 
With the help of Tempura, we can write a specification as has already been discussed. 
Executing the specification and then experimenting with the specification will give us 
a lot of insight into the system/program that we hope to develop. In order to have 
confidence in what we hope to develop, which is especially crucial if the applications 
are safety-critical, we would need to mathematically prove that certain properties are 
satisfied by the specification. For this task of proving properties, there are some excel-
83 
Ph.D. Thesis 4.3 Execution of Specifications 
lent tools already available. Prototype Verification System (PVS) is such a tool [131]. 
Though they are excellent from the performance point-of-view, these tools are suited 
only for experienced users. In our proposed lean approach, we aim to get over these 
problems and provide better accessibility to proof techniques. Ultimately, we aim to 
have such an integrated set of tools to be able to do all the various possible things with 
a specification before actually developing the safety-critical systems. Also, there are 
possibilities for improving upon the techniques used by Tempura and these have to be 
examined. For example, Tempura does not keep track of the information in past states 
and hence it cannot use backtracking techniques. Therefore, it is very deterministic at 
the moment. 
Automatic Code Generation : 
This would involve converting the final specification into Ada or C code. Of course, 
the use of the above tools and techniques will help in ensuring that after each step of 
refinement from the first specification to the final one, the specification continues to 
satisfy the desired properties. Since the final code in Ada/C would be extracted from a 
Tempura program about which we would be more confident, it will lead to systems that 
can be more confidently deployed in safety-critical applications. 
A step further would be to either have the compiler from Tempura to Ada/C val-
idated or to have the process of translation from Tempura carried out through some 
defined correctness-preserving refinement laws. 
A Note on Case Studies : 
These techniques are yet to be tested on industrially-relevant case studies. Such an 
effort can lead to improvements that can make these techniques popular with industry. 
Many case studies like those relating to control systems for a robot used for bomb 
disposal or control systems for a nuclear reactor or timing problems in mobile phone 
84 
Ph.D. Thesis 4.4 Summary of the Sections on ITL 
communication systems can be considered to test and demonstrate these techniques. 
4.4 Summary of the Sections on ITL 
In the above sections, Interval Temporal Logic (lTL) has been introduced in detail. Ex-
ample specifications are given highlighting some of the problems with textual ITL. An 
introduction to Tempura, an executable subset of ITL, is also given with some exam-
ples. The following section details possible visualisation approaches in ITL as a means 
of increasing the uptake of ITL as a fonnal method. 
4.5 VisITL 
In chapter 3, we examined ways in which visualisation helps in various domains. 
Possible approaches to visualisation in ITL include: 
• Graphical output for simulation through Tempura 
4.3 introduced Tempura, an executable framework for developing and experi-
menting with suitable ITL specifications. For such simulations through Tempura, 
a graphical output is now possible due to the work of Cau [84]. If a graphical out-
put is desired, then, a Tempura file has to be provided with a Tclffk file to define 
the graphics accordingly. This helps in visualising the simulation output and thus 
provides an insight into the ITL specification. 
• Automata representation 
[117] and [118] describe work on representing ITL fonnulas as an automaton. 
As we have seen before, a finite automaton can be represented as a state tran-
sition diagram which is a directed graph wherein the nodes correspond to the 
states and the edges correspond to the transition as indicated by the transition 
function. Briefly. the so-called Chop-automaton for ITL is defined as a quintuple 
(V, K, qO, 0, "C) for which V is a possibly empty finite set of boolean and numerical 
85 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
state variables, K is a nonempty finite set of automaton states, qo E K is the initial 
state, B is the transition function mapping K x K to quantifier-free state formulas 
over variables in V, t is the termination function mapping K to quantifier-free 
state fonnulas over variables in V. 
• Graphical Notation For ITL 
This is one interesting possibility with respect to visualisation for ITL which 
has been previously unexplored and which fonns the basis of this work. The 
following sections detail the design rationale and the visual notation itself. I wish 
to clarify here that the visual language is designed with the purpose that the user 
shall only be required to learn the visual language and not be required to know 
the notations of textual ITL. An implementation would be able to take care of 
this translation; such an implementation is described in chapter 7. 
4.6 Design Rationale for a Visual Notation for ITL 
In section 3.2, key features of various representations were described and summarised. 
Let us now look at how the development of a visual notation for ITL commenced. 
4.6.1 Key Requirements for a Visual Notation for ITL 
In the development of a visual language for ITL, a textual, formal logic based lan-
guage, the following were identified as major requirements and hence were the primary 












4.6.2 Experiences in the Process of Design of such a Visual Notation 
[n the process of designing a visual language for [TL, there are several issues that 
gradually emerged. At first, a simple boxed notation for formulas and a circled no-
tation for expressions was chosen. This was reported in [30]. The primary idea was 
to keep the notation simple and intuitive and experiment with an implementation of 
it. Another intention was obviously not to introduce any notation that can mislead 
the reader/user with his knowledge of any other visual language (formal/non-formal 
specification/programming language). The visual notation reported in the paper is re-
produced below in Figure 4.3 and Figure 4.4 : 
where· = /J I a I A 
w:! 
Figure 4.3: First Visual Notation for ITL Expressions 
While an attempt was made to somehow have expressions in visual form, it did not 
tum out to be a feasible one. The expressions got complicated and introduced unneces-
sary processing of graphical information in an implementation without contributing to 
any gain in its understanding. Therefore, it was decided to introduce visual notations 











Figure 4.4: First Visual Notation for ITL Fonnulae 
The primary considerations were therefore to keep the notation simple and intuitive 
and experiment with them. 
Some of the visual notations for more frequently used ITL abbreviations are repro-
duced in Figure 4.5 from [30]. 
Some of the salient features of the above visual notation for ITL are : 
1. The visual notation for the' and composition' is the same as in Statecharts. 
2. The visual notations for 'and' and 'chop' are simple and intuitive. 
3. The visual notations for other constructs like sometime, always, next and so on, 
follow the same format as not, len, chopstar (*) in the figure thus aiding readabil-
ity and adding simplicity to the formal specification. 
4.6.3 Further Design Considerations 
Any arbitrary visual notation could be chosen and given ITL semantics. An arbitrary 
notation can mean anything insensible also. Even among sensible notations, there can 
88 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
f. v h Of 
not sometime 





of (whilefo do f.) 
not 
sometime while 
not fo II It 
f ~ 
fin 
I not I -
to 
Figure 4.5: First Visual Notations for some Frequently used ITL Abbreviations 
exist many possibilities. For example, [52] has several visualisations that various stu-
dents suggested for representing an integer variable within the context of a program 
fragment. Figure 4.6 shows some of them. Many students, just like many program-
(8) (b) (c) (d) (e) (f) 
Figure 4.6: Various Ways of Representing "int i" 
ming text books, came up with figures similar to (a). Those who chose (b) wanted to 
show that a value could go into and come out of an open box. Students who chose (c) 
programmed the lid to open to receive a value or pass a copy out and the lid was always 
shown slightly ajar to show that the value could change any time. Variable identifiers 
were mostly placed as shown in (a), (b) and (c) but also above, below, and to the right 
of the variable box. A minority of students chose to tie the identifier to the variable box 
as in (d), (e) and (0. For more details on the animations that were being tried in this 
context. the interested reader is referred to [52]. So. coming back to visual notations for 
ITL. as already mentioned. one could invent any notation. However, since the visual 
89 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
notation was being designed for ITL, a formal language, it was realized that there are 
fine points that could be addressed in order to make such a visual language more robust. 
In other words, in addition to being simple, intuitive and readable, we have to ensure 
that the semantics of the diagrammatic representations are uniquely defined with re-
spect to any transformations on the diagram. We also have to specify how the diagram 
can be modified by operations like addition etc.. This is important to make sure that 
there are no confusions with respect to seemingly different visual representations of the 
same textual ITL formula. For example, a diagram on rotation should not only have the 
same semantics but also not lose its intuitive appeal. 
Before these points are discussed further and addressed, a related problem with the 
notational format for temporal operators etc. above is now discussed. 
The notation for operators like always, sometime, length, chopstar etc. were all 
represented in a rectangular box with a horizontal line separating the formula in the 
box with a text at the top indicating the operator as shown in Figure 4.4 and Figure 
4.5. While this notation is simple and readable, an objection to this was that it would 
be difficult to distinguish the textual formula in the box from the textual name of the 
operator. This was not a problem in implementation as the top portion had a text which 
had to be the operator name and the portion demarcated for the formula had the textual 
formula. Another criticism was how one would read such a formula if the box and its 
contents are inverted (except the text, of course), for example. Therefore, the following 
additional requirements for a visual notation for ITL had to be addressed: 
• No confusions with regard to simple transformations of the diagram 
• Semantics of operations like addition and deletion to a diagram had to be defined 
A rounded box within the rectangular box was introduced to contain the operator 
information. When this is done as shown in Figure 4.7, the problem of giving a unique 
semantics to the notation is taken care of, if a transformation like rotation was per-
formed, for example. The text within the rounded box inside the rectangular box is the 
90 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
operator while the text inside the rectangular box but outside the rounded box is the 
textual formula. For a simple formula with no operator like always etc., we can leave 
out the rounded box altogether to make the diagram look simpler. We call the text in 






Figure 4.7: The New Format for the Formula 
Coming to the basic ITL constructs, just as we decided to do away with circled 
notation for expressions, we decided to write predicates, just as they are, in a rectangu-
lar box. At this point, however, it is necessary like to draw the attention of the reader 
to another interesting way of representing predicates. [130] describes work on visual 
notations which use visual cues to make the structuring of logical expressions more 
intuitive. The authors have used one of the more successful graphical metaphors in 
mathematics, the set inclusion, combined with other well known methods of represent-
ing relations graphically, like the graph formalism to reduce undue difficulties of use 
and interpretation of existing textual notations in the Hom clauses subset2 of First Or-
280m formulas are practically important subclasses of formulas which have efficient ways of decid-
91 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
der Logic (FOL). In their visual logic, there are two different types ofterms: FOL terms 
- defined as usual in FOL - that represent elements, and a new type of terms called set 
terms that represent sets of elements that satisfy a given predicate. The following is the 
textual definition of this new type of terms : 
Definition (Set Terms in the Visual Logic of [130]) 
• A unary predicate p is a set term. 
• A predicate application p(SI, .. ,Sn-l) is a set term, where p is a n-ary predicate 
symbol (p,q,r, .. of arity n ~ 2) and SI, ",Sn are either FOL terms, set terms or 
set terms prefixed by an asterisk, '*s'. 
• Given two set terms, SI and S2, SI n S2 and S1 U S2 are also set terms. 
• Given a set term s, S is a set term. 
• Nothing else is a set term. 
Figure 4.8 shows examples of terms in their visual logic. A predicate is represented 
as a square box with the predicate symbol on a comer, while a function is represented by 
a rounded box, also with the function symbol on a comer. Variables are represented as 
circles whereas constants are represented in a rounded box with the constant symbol, 
for example a, in Figure 4.8, on a comer. The difference between a function and a 
constant is that there are no arrows leading to the rounded box for a constant. Only 
arrows can originate from a rounded box for a constant. A double arrow is used where 
the textual form contains an asterisk, '*s'. It can be seen that the visual representation 
for likes (*man) i.e., "likes every man", contains a double arrow, whereas intersecting 
boxes are used to depict intersection as in "likes some tall men". For additional details, 
the reader is referred to [130]. 
ing their satisfiability. 'Hom' is derived from the logician A.Hom's last name 
92 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
While it is a very interesting way to represent predicates, we still stick to represent-
ing them textually within a rectangular box in order to avoid the proliferation of many 
graphical primitives. 
likes(*man) 
(Ukes every man) 
f(x, g(x,a), y) 
taU 
Iikes(man" tall) 
(likes some tall men) 
p(*q(a,x), x, f(a,y» 
Figure 4.8: Examples of Terms in the Visual Logic of [130] 
The discussion of other changes in visual notations for ITL is given below. 
The negation has to involve, either the label "not", or some substitute for it. One 
possibility is to cross out the whole box indicating negation. Another is to use a cross 
in the label portion of the rectangular box. The latter is preferable as it follows the 
format being used and keeps the formula clean and readable as shown in Figure 4.9. 
An intuitive way to represent "chop" would be to have two boxes, one corresponding to 
the resulting left sub-interval, and another corresponding to the right sub-interval with 
an arrow from the former box to the latter as shown if Figure 4.10. The direction of 
the arrow indicates that the formula enclosed by the box on which the arrow originates 
corresponds to the formula that is true on the left sub-interval. Since chopstar should 
93 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
[Xl 
f 
Figure 4.9: Negation of a Formula 
, 
Figure 4.10: The Chop 
suggest that a formula repeats i.e., loops in a way according to its definition, Figure 
4.11 is a good, intuitive choice for it. 
r 
Figure 4.11: The Chopstar 
4.6.4 The Syntax 
The previous sections discussed some of the ideas that influenced the choice of our vi-
sual notations. In the definition of a visual language, the choice of an appropriate visual 
syntax is very important. Figure 4.12 summarises the syntax of our visual notation for 
primitive ITL constructs. In the previous section, the rationale for the visual notation 
94 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
has already been covered. The salient features of the notation can be summarised below 
as follows: 
D Fonnula f Negation 
And composition 
Universal Quantifier 
I skip I skip 
------, 
) chopstar Chop 
f 
Figure 4.12: Final version of the Visual Notation for Primitive ITL Formulae 
• Expressions are written as in textual ITL. 
• A formula is enclosed in a rectangular box which also contains a rounded rect-
angular box for holding any operator information ; the rounded rectangular box 
maybe omitted if there is no operator involved. 
• The "And composition" has dotted lines between the components in the formula. 
• The negation has a cross mark in the label portion of the rectangular box. 
• The existential quantifier also follows the labelled rectangular box format. 
• The chop has a directed arrow between the two rectangular boxes containing the 
formulae for the left and right subintervals respectively. 
95 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
• The chopstar has a directed arrow from the rectangular box to itself indicating a 
looping construct. 
4.6.5 Visual Notations for Frequently used Abbreviations 
So far, visual notations have been introduced for the primitive constructs. Now the other 
constructs of ITL can be expressed visually using the basic primitive visual constructs 
in Figure 4.12. This is done for the convenience of the user. In other words, we have 
a meta visual language layer above the primitive visual language layer primarily for 
user convenience and visual appeal. As an additional possibility, we will allow the user 
to define his/her own convenient visual representations for any constructs (or parts of 
specifications) and thereby customise the visual notation. Such customisation will be 
allowed, however, with specified guidelines so that the language conforms to our design 
principles. 
Using the visual syntax for a formula with a label, we can define the temporal con-
structs "sometime" and "always" as in Figure 4.13 and Figure 4.14 respectively. The 
( Sometime) 
f 
Figure 4.13: Sometime 
( AlWays) 
f 
Figure 4.14: Always 
96 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
"Or" is defined as in Figure 4.15 because the branches coming out from a filled circle 
in the box indicate, intuitively, that one of them is to be selected (as "true"). Figure 
Figure 4.15: Or 
4.16 shows the construct for implication. One of the arguments is shown in a shaded 
box "sort-of suggesting" something more detailed. By enclosing the left argument of 
It ~ h in a shaded box, we mean that /1 is a more detailed formula. 
Figure 4.16: Implication 
Figure 4.17 summarises some frequently used visual ITL abbreviations. 
4.6.6 Visual Notations for Concrete Constructs 
The "While" concrete construct could be defined as in Figure 4.18 as the label suggests 
a "while" and the user visualises two arguments to it, one to keep "repeating" while the 
other is true. The box in the left portion of the "double line separation" contains the 
first argument to check while the box in the right portion is the second argument. An 
explicit arrow could also be added in the double line portion to suggest the direction of 
reading as in Figure 4.19. An explicit arrow was chosen as this removes any chance for 
misinterpretation even when the figure is turned upside down, for example. Instead of 
the straight arrow we used, we could have other possibilities as shown in Figure 4.20 
to suggest that it is a looping construct. However, I prefer to have as few graphical 
97 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
I ( ~7Y') I (sometime) Sometime Always 
f 
'1 GJ GJ 
~ 
Or Implication 
Figure 4.17: Summary of the Visual Notation for Some Abbreviations 
primitives as possible for the visual construct in order not to crowd it for the reader 
as well as for the tool that implements it. So, the notation in Figure 4.19 is chosen. 
Also, we annotate the arrow optionally as shown with [1m] to depict the execution time 
for the body of the while loop. Omitting this annotation means an execution time of 
1. However, we could explicitly add [1] for unit execution time. Instead of the straight 
arrow we used, we could have used other possibilities as shown in Figure 4.20. 
Figure 4.21 shows the visual constructs for the concrete "If..then" constructs. 
( Whire ) 
I '. " " I 
Figure 4.18: While 
98 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
( While ) 
I '. ~ '1 I 
Figure 4.19: While2 
( While ) 
I '. 1')1 '1 I 
( While ) 
'. IY '1 
~ .-/' 
Figure 4.20: While3 
[90] is a good reference to demonstrate the flow of control notations with respect 
to pancode and boxchart notations which are visually-oriented programming language 
templates. The dynamic mental images evoked by the Boxchart notation and the Pan-
code notation make program behaviour easy to understand. 
Also, we optionally include a diamond box inside the visual fonnula to indicate that 
the formula is expandable for details. A "+" inside the diamond indicates that zoom-in 
is possible whereas a "-" indicates that zoom-out is the only possibility. The default 
case is where there is nothing to zoom into, in which case the diamond box is omitted. 
This is illustrated in Figure 4.22. 
99 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
( 1I .. then ) 
" I, 
" r- I, 
'z I z 




Figure 4.21: If Then Concrete Statements 
• ~ 
I 
f. I f. 
I 
f , 
l f1 I 
denotes that r can be zoomed Into 
the resulting formula for r could be this one. for example 
this formula can be now zoomed-out to r 
Figure 4.22: Denoting Zoom 
4.6.7 Additional Concrete Constructs for Timing constraints, Resource Alloca-
tion and Concurrency 
In [27]. shortcomings of ITL as a formalism in dealing with explicit expressibility of 
timing constraints, resources and concurrency were identified. These were addressed 
in [29] by providing a timed-communication model allowing explicit representation of 
concurrency. resources and timing. This model is very closely related to that of the 
Temporal Agent Model (TAM) [135] which is a well-established formalism for the 
development of real-time safety-critical systems [105]. For a description of the timed 
communication model, the reader is directed to appendix A. 
There follows an example of the TAM concrete constructs. 
100 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
• Channel communication 
Synchronous communication links are called channels where read and write oc-
cur at the same time. 
Channel C in P introduces a new channel within P. 
C!e denotes an output agent that sends the value of expression e over C. 
c?x denotes an input agent that stores the value received over C in x. 
C.X denotes the value of x in C. 
Figure 4.23 presents the TAM constructs using the visual notation for channel 
communication with informal semantics. The textual formulae involves "!", "1" 
I Channel C In P Introduces a new c1l1lDnel C In P 
Cle denotes l1li output lIKent that sends the v.lue or expr_lon e over C 
C?x 
denotes l1li Input lIKent that stores tbe value received over C In x 
C.x denotes the value or x In C 
Figure 4.23: Channel Communication Constructs 
and "." and the current visual notation merely encloses formulae containing those 
in boxes. I think, we could do more, especially during implementation, by util-
ising the possibility of using the optional label within the fonnula box. Within 
101 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
the label, we could use a suitable icon to introduce visual cues regarding these 
symbols. The fact that we can do more to a visual language during implementa-
tion is one additional advantage over a purely textual notation. Figure 4.24 shows 





output agent that sends the value 
ore over C 
input agent that stores value received 
overC in x 
denotes the value or x in C 
Figure 4.24: Channel Communication Constructs with Icons in Labels 
feature of the tool implementing VisITL. 
• Shunt communication 
Shunts are defined as asynchronous communication links in appendix A. 
Variables s represent shunts whose values are tuples (t, v) where t is a stamp and 
v is the value written. The stamp value of s is denoted by ,;s and the value stored 
in s by read(s). 
102 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
The agent Shunt s in P introduces a new shunt s within P. 
The agent (x,y) ~ s performs an input from shunt s storing the value in y and 
the timestamp in x. 
The agent v --t s writes the current value of expression v to shunt s, increasing 
the stamp by one. 
Figure 4.25 presents the TAM constructs for shunt communication with informal 
semantics. 
Shunts in P ( exists shunt: s ) introduces a new shunt s in P 
p 
stamp(s) gives the stamp or shunt s 
wrlte(v,s) value v Is written to shunt s 
read(s) 
gives the value stored in shunt s 
Figure 4.25: Shunt Communication Constructs 
• Delay and timeout 
delaYn describes an agent which first holds up for n time units and then termi-
nates with all global variables untouched. 
The notation P :::ld Q denotes an agent which behaves like P if P is executed 
within d time units, and like Q otherwise. Figure 4.26 presents the TAM con-
structs for delay and timeout. 
103 
Ph.D. Thesis 4.6 Design Rationale for a Visual Notation for ITL 
delay n 
( timeout) 
p f4 Q I 
Figure 4.26: Delay and Timeout Constructs 
• Resource Allocation 
request (v, res) denotes an agent that requests v units of resource res. If these v 
units are unavailable, the agent waits for them. release ( v, res) denotes the agent 
that releases v units of resource res. Figure 4.27 presents the TAM constructs for 
resource allocation with informal semantics. 
request(v, res) 
release( v, res) 
denotes the agent that 
requests v units or resource res 
denotes the agent that 
releases v units or resource res 
Figure 4.27: Resource Allocation Constructs 
4.6.8 Geometrical Guidelines on Constructing VisITL Specifications 
As far as operations like addition, deletion etc. are concerned, we give rules/guidelines 
as to what constitutes a meaningful visual specification. Some of them are enumerated 
below: 
1. No box can be added such that it overlaps another. 
104 
Ph.D. Thesis 4.7 Summary on the Choice of Visual Notation 
2. Deletion of the rounded box within the rectangular box is allowed, and recom-
mended, if the label portion is empty. 
3. For the chop construct, there are two boxes on each end of the directed arrow; 
none of them can be independently deleted leaving a dangling directed arrow. 
4. There cannot exist any bits and pieces of formulae that are not connected to each 
other through the "And" composition or the "chop" primitives unless at the meta 
level layer, they are connected through some abbreviations like the "Or" operator. 
Hence any additions or deletions performed should conform to this constraint in 
the final complete diagram. 
4.7 Summary on the Choice of Visual Notation 
The choice of the visual notation has been influenced by various factors as seen in 
section 4.6. These influences were a direct result of the the important design features 
identified for visual representations from section 3.2. The following paragraph sum-
marises some key points. 
In section 3.1.11, we saw how an Interval Logic, namely GIL [41], depicted for-
mulae in the logic visually. It is dependent on constructing different sub-intervals and 
then depicting the predicates that are true in such subintervals. Hence, it needed dif-
ferent kinds of graphical primitives like a solid line to represent strong intervals i.e., 
non-empty intervals, a double solid line to depict a weak interval, a single arrowhead 
to indicate a weak search while an interval is constructed, a double arrowhead to indi-
cate a strong search and so on apart from using temporal operator symbols in the visual 
representation. Also, the placement of the predicate relative to the line depicting the 
interval has a meaning; for example, if it is the middle of the interval, then, it is an 
invariant as in Figure 3.7(b). In the context ofVisITL language, a much simpler, more 
intuitive and readable language was needed which also integrated TAM for concrete 
communication constructs. 
105 
Ph.D. Thesis 4.7 Summary on the Choice of Visual Notation 
It was also considered in section 4.6.3 how predicates were depicted using set theory 
concepts in a visual logic in [130]. This logic, being based on set theory, has graphical 
primitives like overlapping boxes which are unnecessary in VisITL, and circles for 
variables and constants additionally which we found unnecessary as it over-crowds the 
visual representation as well as leads to unnecessarily complicating the implementation. 
Moreover, this visual logic is not a temporal logic. 
We also saw in chapter 3 how parallel states were depicted in statecharts-based for-
malisms. The same "dotted-Iine"representation was chosen for the "and-composition" 
in VislTL so that no new notation is introduced for similar concepts in other languages. 
This would help avoid any confusion for users previously accustomed to other lan-
guages. 
For the ITL "chop", a line with arrow was chosen to represent the meaning of chop 
i.e .• sequential composition. For "chopstar". a loop was depicted around the box. The 
label in the box was used for readability. The concrete constructs like "While". "If 
Then" etc. also followed a similar format. This is true for the TAM communication 
constructs as well. Hence, VisITI was not only made simple. intuitive, readable and 
unambiguous but also one that integrated abstract constructs and concrete constructs in 
similar notations. This aids communicativeness between users at all abstraction levels. 
The geometrical guidelines for constructing VislTL specifications show how a spec-
ification can be manipulated and composed. The VisITL abbreviations allow us to 
manipulate diagrams to suitable equivalent forms. In a similar way, the user can add 
new abbreviations as a way of extending the syntax and thus customise the notation. 
Chapter 6 demonstrates the scalability of this approach. Chapter 7 will demonstrate the 
realisability of this approach. The VisITL language derives its expressivity from ITL. 
The salient features of the visual notation can be summarised as follows: 
The visual notations for Negation. Chop and Chopstar use simple intuitive concepts 
to depict the meaning of the formula. The "And-composition" uses dotted lines similar 
to statecharts-based formalisms. The abstract and concrete constructs both follow the 
box-format. A label within the box aids readability. To be more visual, the label could 
106 
Ph.D. Thesis 4.8 Collection of Visual Constructs Introduced 
also hold icons as in the case of TAM constructs. All these constructs, as we saw, 
adhere to our design principles identified in section 3.2. 
4.8 Collection of Visual Constructs Introduced 
This section simply presents the already introduced visual constructs in one place for 
the convenience of the reader. 
[J Formula r ~ NepUon 








Figure 4.28: Primitive Visual ITL Formulae 
107 
Ph.D. Thesis 4.8 Collection of Visual Constructs Introduced 
I [-~~) I SmaeliJn. 
f 
I(""~)I AI-f' r 
Or 
Figure 4.29: Frequently used Visual Abbreviations 
( While] 
I " M " I 
Figure 4.30: The Concrete Visual Construct for While 
108 
Ph.D. Thesis 4.8 Collection of Visual Constructs Introduced 
( Ir .. then ) 
r. I. 
r, I-- I, 
r2 12 
[ U .. then •. elae ) 
r. I. 
I, 
Figure 4.31: The Concrere Visual Constructs for If Then, If Then Else 




( esiIII diann .. : C 
P 
Introduces a Dew chaDDel C In P 
deDotes an output ageDt that sends lbe value of expressloD e over C 
denotes aD Input ageDt that stores the value received over C ID x 
denotes the value of x ID C 
Figure 4.32: The Visual Channel Communication Constructs 
109 
Ph.D. Thesis 4.8 Collection of Visual Constructs Introduced 
Shunts in P = ( exists shunt: s ) introduces a new shunt s in P 
p 
stamp(s) gives the stamp of shunt s 
wrlte(v,s) 
value v Is written to shunt s 
read(s) 
gives the value stored in shunt s 
Figure 4.33: The Visual Shunt Communication Constructs 
delay n 
( timeout) 
p 14 Q 





4.9 Examples in Visual Notation 
denotes the agent that 
requests v units of resource res 
denotes the agent that 
releases v units of resource res 
Figure 4.35: The Concrete Resource Allocation Constructs 
4.9 Examples in Visual Notation 
In this section, simple examples are given. The Automobile Cruise Control System 
introduced in section 4.2.6 is also re-worked using the VisITL notation. 
4.9.1 Some Abstract Examples 
Figure 4.36: Simple Examples 
Figure 4.36 is equivalent to (/ = 4). Figure 4.37 (a) is equivalent to 0(/ = 4). This 
means that / takes the value of 4 in the next state. Figure 4.37 (b) means that / takes 
the value of 4 in all the states of the interval. Its ITL equivalent is 0(/ = 4). Figure 
4.37 (c) means that 1 takes the value of 4 in some one/more states in the interval. Its 
ITL equivalent is 0(/ = 4). Figure 4.37 (d) means that 1 takes the value of 4 in the 
next state if there is one. Its ITL equivalent is €{I = 4). Figure 4.38 (a) is equivalent 
to the ITL fonnula (I = 1) 1\ 0(1 = 0). Figure 4.38 (b) is equivalent to the ITL fonnula 
(J = 1) 1\ 0(1 = 0). Figure 4.39 (a) is satisfied by an interval if (1=0) is true in the left 
subinterval and (1= 1) is true in the right subinterval. Its ITL equivalent is / = 0; / = 1. 
111 
Ph.D. Thesis 4.9 Examples in Visual Notation 
( next) [ alWays) 
1=4 1=4 
(a) (b) 
[sometime) [ weaknext) 
1=4 1=4 
(c) (d) 
Figure 4.37: Simple Examples with Different Formula Labels 
I 
Bi~next )
I 1 .. 0 
I 
(a) 
1,...------., B: [someu_) 
I 1.0 
(b) 
Figure 4.38: Simple Examples using Parallel Composition 
1=0 
1=1 
Figure 4.39: Simple Example using Chop 
112 
Ph.D. Thesis 4.9 Examples In Visual Notation 
4.9.2 An Example of An Automobile Cruise Control System 
Let us consider the automobile cruise control system again. 
We can now specify a constraint on the state space as below: 
If the value of the speed is either Zero or Max., then, SpeedS tate is going to be 
constant 
This is specified in Figure 4.40. 
Implicit in this constraint is the fact that the SpeedState mayor may not be constant 




Figure 4.40: Constraint3 
The Initial State Specification 
We can define a formula. Flnitial, for initial states of the cruise control system. The 
initial states include, say, the engine being off, the cruise lever set to off, the car speed 
being zero, the internal state being idle and the desired speed not yet being set. This 
can be specified in VisITL as in Figure 4.41. 
Safety and Liveness Specification 
If the engine is otT, then, the car will eventually stop 
Turning off the engine implies that eventually, the speed will become zero. 
The spec. is given in Figure 4.42. 
If the lever of cruise const is applied, and the brake Is ott at that time, the 
113 
Ph.D. Thesis 4.9 Examples in Visual Notation 
I INITIALST ATE: FInitla. ] 
CarInternalState = Idle 
~------------------
Cruise V aI = OtT 
~------------------
Speed Val = Zero 
~------------------
EngineState = Oft' 
Figure 4.41: Initial State 
(Sometime) 
Speed Val = Zero 
Figure 4.42: Liveness 1 
desired speed, DesiredSpeedSetting, will eventually be set, whether it has been set 
previously or not. 
The spec. is given in Figure 4.43. 
Examples with real time constraints : 
Let us first make some assumptions and introduce certain constants. Let CAccel-
eration denote the magnitude of a constant value of both acceleration and deceleration 
rate. The maximum value for the car speed was already introduced as Max. Hence the 
maximum time required for a car to achieve its maximum speed, say CMaxTime. will 
be MaxfCAcceleration. Let CInfinity denote an arbitrary large number for time greater 
114 
Ph.D. Thesis 4.9 Examples in Visual Notation 
BrakeState = OtT 
( sometime) 
Cruise Val = Const 
SpeedVal = DesiredSpeedSettlng 
Figure 4.43: Liveness2 
than CMaxTime. 
Now we can introduce an example specification as in Figure 4.44 with real-time 
constraints. 
lethe current speed is below the desired speed, and if the car increases its speed 
continuously for a period longer than CMaxTime, then the speed of the car will 
eventually reach the desired speed. 
t >= CMaxTime 
~--------------
SpeedS tate = Up 
t < CInftnity 
~--------------
Speed Val < DeslredSpeedSetting 
( Sometime) 
SpeedVal = DeslredSpeedSettlng 
Figure 4.44: RealI 
115 
Ph.D. Thesis 4.10 Chapter Summary 
4.10 Chapter Summary 
In this chapter, we have introduced ITL with example specifications highlighting some 
of the problems with textual ITL. A visual notation for ITL has been introduced after 
elaborating on the design rationale. Several example specifications have been shown 
visually. However, just having a formal and visual language is not enough for formal 
development. There is a development method needed to derive an implementation from 
the VisITL specification. A development method should also support the derivation of a 
high-level specification from an existing implementation. Therefore, we need a Visual 
Framework for formal systems development that not only consists of a formal and 
visual language but also rules for transforming VisITL specifications suitably to either 
make it more concrete or more abstract depending on whether the user wishes to derive 
an implementation or a high-level abstract specification. In the next chapter, we shall 
explore how the development process in VislTL is made possible. 
116 
Chapter 5 
A Visual Framework for VisITL 
The main objective of this chapter is to introduce the Visual Framework for VisITL. 
5.1 The Visual Framework 
In chapter 4, the VisITL language was introduced with examples. Although this visual 
language captures the requirements formally, there is a need for a development process 
in which an implementation can be derived formally. Moreover, in order to redevelop 
or understand already existing implementations, there is a need to extract a high-level 
specification from the implementation. In other words, the Development Process aims 
to incorporate the possibility of Redevelopment of existing implementations. Therefore, 
we need a suitable formal framework. This is defined as the Visual Framework for 
Fonnal Systems Development using Interval Temporal Logic or simply the Visual 
Framework for VisITL. As explained below, it consists of the following components: 
• The VisITL visual and formal language 
• Visual Refinement Rules for deriving an implementation 
• Visual Abstraction Rules for deriving a high-level specification from an existing 
implementation 
117 
Ph.D. Thesis 5.1 The Visual Framework 
The Figure 5.1 depicts the development process using VisITL. In this Visual Frame-
work, apart from the VisITL language, there are visual refinement rules and abstrac-
The Development Process In a VIsITL Framework 
Valldale Requiremenb Abstract 





VIsITL spec:lftcatlo, ...... ---"* 
I 
more reftnements I 
~ 




VIsITL speclftcatlo ...... _--.... 
reftne abstract 
Concrete 
VIsITL speclftcatlorfoo .... --...... ~ 
I.e., Implementation 
Code &enerator Abstraction via CSL 
Implementation 
In C, Ada etc. 
Simulation O8ln& 
Tempura to check 
behaviour orthe system 
as speclfted In VIsITL 
Ian&UB&e 
Figure 5.1: The Development Process in a Visual Framework using VisITL 
tion rules for systems development using VisITL specifications. Initially, with a VisITL 
specification capturing requirements, the user could perform validation using the proof 
system of ITL. Also, the user would be able to simulate the system behaviour at any 
abstraction level using Tempura. To allow the user to seamlessly go forward from the 
abstract VisITL specification, we need to provide sound visual refinement rules in the 
framework. In other words, just having a VisITL specification capturing requirements 
is not enough. To derive an implementation i.e., forward engineer the specification, we 
need visual refinement rules in the framework. Similarly, in order for the user to per-
form reverse engineering [103], i.e. derive a high-level specification from an existing 
implementation, we need to provide sound abstraction rules in the VisITL framework. 
118 
Ph.D. Thesis S.2 Refinement 
This chapter is therefore devoted to the development of visual refinement and abstrac-
tion rules. As the Figure 5.1 depicts, a concrete VisITL specification could be translated 
into an implementation in a suitable language like Ada, C etc .. In reverse engineering, 
the source code in C or Ada etc. is first translated into a Common Structural Language 
(CSL) [103] and then into a Concrete VisITL specification. 
5.2 Refinement 
This section will introduce refinement and visual refinement rules. 
S.2.1 An Overview of Refinement 
The term refinement is used in several related but subtly different ways in technical 
contexts [87]. One usage which is relevant to us is it being used as a relation on speci-
fications and treating an implementation as a special case of a specification. In simple 
informal terms, we could view the process of refinement as adding some detail or im-
provement to a specification to obtain a new specification. This way, implementations 
can be derived from specifications incrementally in a stepwise manner. 
For untimed systems, a refinement calculus was developed by Back [7]. It extends 
Dijkstra's weakest precondition semantics for total correctness of programs between 
program statements. The refinement calculus was extended to provide a framework 
for total correctness for parallel systems in [8, 9]. Morgan's work [112] details how 
refinement calculus could be applied in practical program derivations. 
For real-time systems, a number of refinement calculi exist. They include one for 
PLtime [76], a real-time language with eSP-like syntax with extensions for real time. 
[105] describes refinement of complex systems based on the Temporal Agent Model 
and its associated calculus. 
119 
Ph.D. Thesis 5.2 Refinement 
5.2.2 Refinement in ITL 
A refinement calculus for ITL, which is based on the TAM refinement calculus, is read-
ilyavailable [29]. In this technique, we distinguish between two levels of representa-
tion. The first is "abstract" and the second is "concrete". At the first level, systems are 
specified at their highest level of abstraction where design and implementation issues 
are ignored. These issues are only considered during the transition from the abstract 
level to the concrete level. This transition is performed using correctness preserving 
refinement laws. Using such a calculus, an ITL formula could be refined into concrete 
code written in languages such as Ada or C. 
The development technique using VisITL specifications is based on refinement. We 
define the refinement relation ~ in the normal way as : 
Since refinement is defined in terms of "implication", we use the visual notation 
for "implication" to denote refinement. So, Figure 5.2 denotes refinement visually. It 
suggests intuitively that h contains more details than /1 because of the shaded box. 
Figure 5.2: Visual refinement 
The process of refinement is the same as that of program derivation. When a pro-
gram is derived by the application of sound refinement rules, we can derive a proof of 
correctness for the statement that the program implies the specification, by tracing the 
steps from the program back to the specification. The process of refinement follows a 
common pattern for refinement calculus developments. Ordinary laws are used, first, 
120 
Ph.D. Thesis 5.2 Refinement 
to transform the formula until it matches the left hand side of a refinement law. Then, 
the matching refinement law is used to replace the formula with the right hand side part 
of the refinement law. Doing this successively, the formulas are replaced by program 
code. 
This common pattern for refinement calculus developments presents us with a pos-
sibility to abstract a wide variety of users from the depth of mathematics involved in 
the underlying formalism. 
For refining ITL specifications, one has to apply the rules defined in ITL. In par-
ticular, for refinement on VisITL specifications, we require "Visual Refinement Rules" 
which are defined in the following section. For each rule in VisITL, the corresponding 
textual ITL rule is also given for reference. We can quickly ascertain the meaning of 
the rule depicted visually as compared to the equivalent textual rule loaded with many 
notations. Also, the shaded box always quickly guides us to the meaning that what it 
contains is "more detailed" or "refined". 
5.2.3 Visual Refinement Rules 
In order to refine VisITL specifications visually, we define several visual refinement 
rules below. This repository of rules is extendable by the user with additional rules 
provided they are proved to be sound. 
In our visual framework, we can view this as a replacement of one picture (or dia-
gram) by another picture according to the rules of the logic. Correct refinement is thus 
viewed as replacing pictures with other pictures according to sound visual rules. In this 
way, we try to give the user a feeling that he/she is doing nothing more than a normal 
task which is far removed from mathematics and formal logic ! 
In software tools supporting this framework, annotations about the rules, i.e. an 
informal description of the rules, could be incorporated into the visual depiction of the 
rules. Such support in a visual framework will help users in feeling comfortable in a 
formal approach to the development of systems. 
121 
Ph.D. Thesis 5.2 Refinement 
We classify the visual refinement rules into the following categories based on the 
purpose for which they are used. 
• Visual Refinement Rules 
I. General The rules enable us to refine specifications on the same logical 
level. 
2. Concrete These rules enable us to introduce more concrete constructs dur-
ing the process of refinement. 
The following are some Visual Refinement Rules. 
1. General Visual Refinement Rules : 
• Transitivity Rule (General Visual Refinement Rule 1) 
Textually, the rule is : 
(ITL ~ -1) (fo ~ lI)and(f1 ~ 12)implies(fo ~ h) 
In VisITL, this is shown as in Figure 5.3 
Figure 5.3: General Visual Refinement Rule 1 
This rule states that if II is a refinement of fo and h is a refinement of f1' 
then, 12 is a refinement of fo. 
• General Visual Refinement Rule 2 
Textually, the rule is : 
122 
Ph.D. Thesis S.2 Refinement 
(ITL ~ -2) (fo ~ ft) and(h ~ /3) implies (fo 1\ f2) ~ (f1 1\ /3) 
In VisITL, this is shown as in Figure 5.4 
Figure 5.4: General Visual Refinement Rule 2 
This rule states that if fo is refined by !I and h is refined by /3, then, the 
"and-composition" of fo and h is refined by the "and-composition" of fl 
and/3. 
• General Visual Refinement Rule 3 
Textually, the rule is : 
(ITL ~ -3) (fo ~ ft) and(h ~ /3) implies (fo V h) ~ (fl V /3) 
In VisITL, this is shown as in Figure 5.5 
4 <ffi 
Figure 5.5: General Visual Refinement Rule 3 
This rule states that if fo is refined by f1 and h is refined by f3, then, the 
123 
Ph.D. Thesis 5.2 Refinement 
disjunction of fa and 12 is refined by the disjunction of It and h . 
• Chop Monotonicity Rule (General Visual Refinement Rule 4) 
Textually, the rule is : 
(ITL !; -4) (fl !; h) implies (fa ; ft) !; (fa; h) 
In VisITL, this is shown as in Figure 5.6 
KJm 
~ ~ 
Figure 5.6: General Visual Refinement Rule 4 
This rule states that if II is refined by 12, then, fa; fl is refined by fa ; h. 
• General Visual Refinement Rule 5 
Textually, the rule is : 
(ITL !; -5) (fa !; ft> implies (fa)* !; (fd* 
In VisITL, this is shown as in Figure 5.7 
This rule states that if fa is refined by fl' then, (fa) * is refined by (fl)·. 
2. Concrete Visual Refinement Rules : 
• Assignment Rule (Concrete Visual Refinement Rule 1) 
Textually, the rule is : 
(ITL := -1) Ox = exp !; x:= exp 
In VisITL, this is shown as in Figure 5.8 
This rule states that the ITL statement 0 x = e is refined by the assignment 
statementx := e. 
124 
Ph.D. Thesis 
Figure 5.7: General Visual Refinement Rule 5 
Figure 5.8: Concrete Visual Refinement Rule 1 
• If.1 (Concrete Visual Refinement Rule 2) 
Textually, the rule is : 
5.2 Refinement 
(ITL if - 1) (fo II ft) V (12 II /3) C if fo then fl 012 then /3 fi 
In VisITL, this is shown as in Figure 5.9 
This rule states that the logic statement (fo 1\ It) V (12 1\ /3) is refined by 
the "if .. then" concrete construct in the shaded box which simply means that 
if fo holds, then, fl holds and, otherwise i.e., if 12 holds, then, /3 holds . 
• While· I (Concrete Visual Refinement Rule 3) 
125 
Ph.D. Thesis S.2 Refinement 
Figure 5.9: Concrete Visual Refinement Rule 2 
Textually, the rule is : 
(ITL while - 1) (fo 1\ ft)* 1\ fin ( -,fo) ~ while fo do f1 
In VisITL, this is shown as in Figure 5.10 
, 
~i at) lrnl'lD 
: to 
Figure 5.10: Concrete Visual Refinement Rule 3 
This rule introduces a "while loop" concrete statement for a corresponding 
abstract VisITL formula . 
• While-2 (Concrete Visual Refinement Rule 4) 
(ITL while - 2) (it)* ~ while true do it 
In VisITL, this is shown as in Figure 5.11 
( while) 
Figure 5.11: Concrete Visual Refinement Rule 4 
This rule states that the logic statement (fI) * • representing a non-terminating 




• Var-1 (Concrete Visual Refinement Rule 5) 
Textually, the rule is : 
(IT L var - I) 3 x • f ~ var x in f 
In VisITL, this is shown as in Figure 5.12 
exists: X varX in 
f f 
Figure 5.12: Concrete Visual Refinement Rule 5 
This rule is for the introduction of local variables . 
• Execution-t (Concrete Visual Refinement Rule 6) 
Textually, the rule could be represented in ITL as : 
(/TL Execution - t) f ~ f 1\ (len = t) 
In VisITL, this is shown as in Figure 5.13 (a). 
5.2 Refinement 
Figure 5.13 (b) shows how it is depicted on a while loop when we choose 
an execution time of t steps for the body of the while loop. 
127 
Ph.D. Thesis S.2 Refinement 
(a) 
(b) 
Figure 5.13: Concrete Visual Refinement Rule 6 
128 
Ph.D. Thesis S.2 Refinement 
S.2.4 Some Examples using Visual Refinement Rules 
1. Usage of the Transitivity Rule 
As shown in Figure 5.14, if 0 < x < 10 refines x > 0 and 5 < x < 7 refines 0 < 
x < 10, then applying the General Visual Refinement Rule i.e., the Transitivity 
Rule, we obtain 5 < x < 7 as a refinement for x > O. 
BB 
Figure 5.14: Usage of the Transitivity Rule 
2. Usage of the General Visual Refinement Rule 2 
As shown in Figure 5.15, if 0 < x < 10 refines x > 0 and y < -5 refines y < 0, then 
applying the General Visual Refinement Rule 2, we obtain 0 < x < 10 1\ Y < -5 
as refinement for the specification x > 01\ Y < O. 
BB II~ 13 I 
I 
s>o 1<8 • < x < 10: J <.5 
I 
Figure 5.15: Usage of the General Visual Refinement Rule 2 
129 
Ph.D. Thesis 5.3 Abstraction 
3. Usage of the Assignment Rule 
As shown in Figure 5.16, if in the next state x gets incremented by 1, then, we 
can introduce the assignment statement x := x + 1 using the Assignment Rule. 
Figure 5.16: Usage of the Assignment Rule 
5.3 Abstraction 
This section will introduce abstraction and visual abstraction rules. 
5.3.1 Introduction 
Abstraction is a process of generalisation, removing restrictions, eliminating details 
and removing inessential information [149]. Unlike transformations, which keep the 
semantics unchanged, abstraction endeavours to weaken the original semantics of the 
system implementation. Thus abstractions cannot be applied without a clear idea of 
which information contained in the program refers simply to the implementation, and 
not to the function of the program [102]. A crucial aspect in the field of reverse engi-
neering is this notion of abstraction since the implementation, design and specification 
are at different levels of abstraction. 
An abstraction relation t is defined [103] as a function relating two agents. If an 
agent 11 is an abstraction of 10, it is written as 10 tR 11 = R(fo,/1) (read as 11 
is an abstraction of /0 in respect of R) where R is defined as bending to the type of 
abstraction. 
Abstractions can be classified as follows : 
130 
Ph.D. Thesis 
• Weakening Abstraction 
/0 !::WA /1 = /0 :::> /1 
5.3 Abstraction 
Weakening abstraction refers to semantics weakening of representations (specifi-
cation or code), during abstraction. In other words, if some information is taken 
out of the original representation and the semantics of the original representa-
tion implies the new one, then, the new representation is said to be a weakening 
abstraction of the original one. 
• Hiding Abstraction 
/0 !::HA /1 - HA(fo'/.) 
means that B is a hiding abstraction of A on the condition that a part of A is 
hidden. This is a special case of Weakening Abstraction, where a part of the 
agent's data space is considered as irrelevant. Hiding Abstraction is often used to 
get rid of local variables and internal communication channels. 
• Temporal Abstraction 
If the duration of A is denoted as T(A) and defined as T(A) = {x E t I A /\ len = 
x}, then, 
/0 trA It = (/0 ::> /1) /\ Rr(T(A),T(8)) 
is the formal definition of temporal abstraction. 
Rr(T(A), T(8)) is a relation between the execution times of A and B. In temporal 
abstraction, the execution time of the new representation can either be speeded 
up or slowed down compared to that of the original representation. 
• Structural Abstraction 
Structural Abstraction is concerned with making structural simplification in sys-
tem representation. With structural abstraction, sequential and parallel compo-
sition structures are reduced and their effects recorded in a more abstract rep-
resentation. Two basic conditions which determine whether a change in system 
131 
Ph.D. Thesis 5.3 Abstraction 
representation is a structural abstraction are firstly. whether any sequential or par-
allel composition is reduced in the new representation and secondly. whether the 
semantics of the new representation is a weakening of the original. 
Structural abstraction on sequential composition. for example. is defined as fol-
lows: 
fo tSA it = (fo :) ft} 1\ #seq - op(fo) > #seq - op(ft} 
where #seq - op(fo) and #seq - op(fl) represent the number of sequential com-
position operators in fo and it respectively. 
• Data Abstraction 
It is a general technique by which the state space can be changed. So. one can 
change the original data types to higher level data types. In data abstraction. 
a data abstraction relation must be defined first. which maps the original data 
structures to new data structures and therefore the original data states to new 
data states. The condition of data abstraction is that the semantics of the new 
representation must be a weakening abstraction of the original one. 
The formal data definition of data abstraction is as follows: 
Assuming fo and fl are two representations. r is a data abstraction relation: 
r={(x,y): xEX,yEY,X={statesof fo},Y={statesof f.}}. 
Therefore. fo is data abstracted to it on relation r. is defined as : 
fo tDA it = r(fo) :) fl 
The above definition means that fl is a data abstraction of fo on relation r on the 
condition that. if the states of fo are mapped to those of it. then. the semantics 
of fl is a weakening of the mapped semantics of fo. 
5.3.2 Abstraction Rules 
It has been already mentioned that in order to reverse engineer an implementation to 
extract a specification. one has to cross several levels of abstraction. To do this. there is 
132 
Ph.D. Thesis 5.3 Abstraction 
a repository of abstraction rules. [103] classifies abstraction rules into two categories: 
• Elementary abstraction rules 
These are rules to abstract source statements into logic formulae which may be 
redundant and specific. These are further classified as : 
1. Primitive abstraction rules 
2. Compound abstraction rules 
• Further abstraction rules 
These rules abstract a more concise and abstract specification from the formulae 
through composition and semantics weakening. 
It is beyond the scope of this thesis to cover the whole topic of abstraction in detail. 
However, many of the rules mentioned in [103] will be covered and examples in the 
context of how abstraction can benefit from visual ITL specifications and visual rules 
of abstraction given. 
In this context, only the elementary abstraction rules which include primitive and 
compound abstraction rules will be covered. 
5.3.3 Visual Abstraction Rules 
The abstraction rules are covered below in accordance with the VisITL syntax. These 
rules are by no means exhaustive. 
The visual abstraction rules are classified as follows : 
• Visual Abstraction Rules 
1. Elementary primitive These are simple rules that enable us to abstract 
source code statements which may be redundant and specific into logic for-
mulae. 
133 
Ph.D. Thesis 5.3 Abstraction 
2. Elementary compound These are less simple rules that enable us to ab-
stract source code statements which may be redundant and specific into 
logic formulae. 
1. Visual Elementary Primitive Abstraction Rules : 
• Assignment (Visual Primitive Abstraction Rule 1) 
This rule extracts a logic formula from an assignment statement which as-
signs the value of expression e to variable x. 
Textually, the rule is: x := e t Ox = e. 
This could be shown in VisITL framework as in Figure 5.17 
Figure 5.17: Visual Primitive Abstraction Rule 1 : Assignment 
This is same as the refinement rule for introducing assignment except that 
the shaded box appears on the left. This change in position is just to indi-
cate that the rule is going to be used in replacing the concrete shaded box 
on the left with the abstract box on the right. Otherwise, the abstraction rule 
formula is the same as the refinement rule formula. However, this introduc-
tion of a "new rule" which is only slightly different from the corresponding 
visual refinement rule could confuse the user. A better idea would be not 
to associate any meaning to left and right positions. As a result, one rule 
could be used either for refinement or for abstraction. In other words, dur-
ing refinement, if the contents of the specification matched the un shaded 
134 
Ph.D. Thesis S.3 Abstraction 
box in the rule, then, we could use the transformation rule for refinement. 
During the process of abstraction, we look for a match between the VisITL 
specification and the contents of the shaded box in the transformation rule 
to determine if it could be applied for abstraction. In this manner, a vi-
sual transformation rule incorporates both refinement and abstraction. This 
simplifies the repository of visual rules too. I emphasise again that a vi-
sual transformation rule within the VisITL framework has one shaded box 
and one unshaded box to indicate the relation between the two formulae in-
volved i.e., that the former box contains a formula that is more refined than 
the formula in the unshaded box. Therefore, the visual transformation rules 
could have these shaded and unshaded boxes in any positions relative to one 
another. The user simply has to think about the contents of the shaded and 
un shaded boxes and not worry about their positions. 
• Input Statement (Visual Primitive Abstraction Rule 2) 
This rule extracts a logic formula from the assignment statement which 
reads the value in shunts (see section 4.6.7) to var y and stores the timestamp 
in x. 
Textually, the rule is : 
(x,y) +- s t x = ..; S 1\ Y = read(s) 
This is shown in visITL as in Figure 5.18 
Figure 5.18: Visual Primitive Abstraction Rule 2: Input Statement 
• Output Statement (Visual Primitive Abstraction Rule 3) 
This rule extracts a logic formula from the output statement which writes the 
135 
Ph.D. Thesis 5.3 Abstraction 
value of the variable or expression x to shunt s, and changes the timestamp 
of s to the time when the last write operation occurred. 
Textually, the rule is : 
x -+ s t skip 1\ Os = (Js+ I,x) 
This is shown in visITL as in Figure 5.19 
I 
I 
Ikip I 0 ... (.(1+ I,ll) 
I 
I 
Figure 5.19: Visual Primitive Abstraction Rule 3: Output Statement 
• Type Definition (Visual Primitive Abstraction Rule 4) 
This rule abstracts a declaration statement declaring a variable x of type T 
by a logic formula which states that ''there exists a variable x which has 
features of type T". 
Textually, the rule is : 
x : T ?: Type(x, T) 
This is shown in visITL as in Figure 5.20 
Type(x,T) 
Figure 5.20: Visual Primitive Abstraction Rule 4: Type Definition 
• Delay (Visual Primitive Abstraction Rule 5) 
This abstracts a delay statement using the "len" operator in ITL. 
Textually, the rule is: 
delay n t len = n 
136 
Ph.D. Thesis S.3 Abstraction 
This is shown in VisITL as in Figure 5.21. 
...... _d_e_la_y_n_.... I len = n 
Figure 5.21: Visual Primitive Abstraction Rule 5 : Delay 
• Sequential (Visual Primitive Abstraction Rule 6) 
This abstracts a sequential composition formula into an "and-composition". 
This is because the sequential composition is one of two possible refine-
ments to an "and", the other being parallel composition. 
The rule is applicable iff 10 ; 11 is of the form (/0 1\ empty) ; 11. This con-
dition is to be satisfied so that the abstraction is sound. So, if this soundness 
condition is satisfied, then, applying this abstraction would then allow a 
later refinement to parallel composition if desired by the user. These sound-
ness criteria for rule application could be signalled to the user when he/she 
attempts to apply a rule manually. If it is an automatic application of the 
rule, then, this condition has to be checked by the tool automatically. 
Textually, the rule is : 
10 ; 11 t: 10 1\ It 
This is shown in VisITL as in Figure 5.22. 
Figure 5.22: Visual Primitive Abstraction Rule 6: Sequential 
137 
Ph.D. Thesis 5.3 Abstraction 
The soundness criteria for applying this abstraction rule is given by Figure 
5.23. 
~ I empty 
I 
I 
Figure 5.23: Soundness Criteria for Visual Primitive Abstraction Rule 6 
2. Visual Compound Abstraction Rules 
• Sequential Composition (Visual Compound Abstraction Rule 1) 
/0 t h 
/1 t /3 
/0 ;/1 t h;/3 
If two representation fragments have a sequential relation, they can be ab-
stracted separately, and the resultant representation composed with a se-
quential operator. 
This is shown in visITL as in Figure 5.24 
Figure 5.24: Visual Compound Abstraction Rule 1 : Sequential Composition 
• Iteration Statement (Visual Compound Abstraction Rule 2) 
138 
Ph.D. Thesis 5.3 Abstraction 
This rule extracts a logic formula from an iteration statement. The iteration 
is mapped into "chopstar" formula in ITL while the iteration body can be 
abstracted separately and then joined into the chopstar structure. 
Textually, the rule is : 
fo ~ it 
while g do fo ~ (g /\ fl)* /\ fin(-,g) 
In VisITL, the rule is represented as in Figure 5.25 . 
Figure 5.25 : Visual Compound Abstraction Rule 3 : Iteration Statement 
• Parallel (Visual Compound Abstraction Rule 3) 
This rule states that two concurrent or parallel representations can be ab-
stracted separately and the results composed through the conjunction oper-
atar. 
Textually, the rule is : 
fo ~ 12, fl ~ 13 
fo II fl ~ (/2 /\ 13) 
In VisITL, the rule is represented as : 
139 
Ph.D. Thesis 5.4 Summary 
Figure 5.26: Visual Compound Abstraction Rule 3 : Parallel 
5.4 Summary 
This chapter introduced the development process in VisITL as a supporting framework 
to the VisITL language developed in Chapter 4. Initially, with a VisITL specification 
capturing requirements, the user could perform validation using the proof system of 
ITL. Also, the user would be able to simulate the system behaviour at any abstraction 
level using Tempura. To allow the user to seamlessly go forward from the abstract Vis-
ITL specification, sound visual refinement rules in the framework are needed. In other 
words, just having a VisITL specification capturing requirements is not enough. To de-
rive an implementation Le., forward engineer the specification, visual refinement rules 
are needed in the framework. Similarly, in order for the user to perform reverse engi-
neering [103], i.e. derive a high-level specification from an existing implementation, 
we needed to provide sound abstraction rules in the VisITL framework. For refinement 
of VisITL specifications in a visual framework, visual refinement rules were introduced 
with some illustrative examples. This framework now enables users to simply use ap-
propriate visual rules incorporated into the repository and refine VisITL specifications. 
Also, abstraction rules were introduced to facilitate the re-engineering process in a vi-




Case Studies in VisITL 
In chapter 4, a simple notation for VisITL was introduced along with examples in Vis-
ITL. In this chapter, we shall look at a case-study in VisITL specification considering 
the development technique of refinement introduced in the previous chapter. In addi-
tion, we shall, briefly, consider an example where abstraction is performed within the 
visual framework to obtain an abstract VisITL specification. 
6.1 A Robot Control System 
This case study is an application involving multiple processes [26] for a robot control 
system. An informal description of the system is given below: 
"The tele-operated robot is a tracked device which was originally developed for mil-
itary use. The carriage can easily traverse over rough terrain. The vehicle schematic 
is shown in Figure 6.1. The vehicle has on-board a manipulator arm that has three 
degrees of freedom controlled by hydraulic actuators. The electric drive motors, ma-
nipulator actuators and on-board lamps are controlled manually by the operator via a 
control box that is linked to the vehicle. Currently one controller caters for the main 
control, one for the infrared sensor interfacing and processing, and a third for the on-
board camera control. 
The actual vehicle is driven by two motors, left and right, indicated as L and R in 
141 
Ph.D. Thesis 6.1 A Robot Control System 
Figure 6.1. Both of these motors can move forwards and in reverse. The vehicle is 
steered by moving one motor faster than the other. 
From a control point of view, commands are issued to the motors via a operator 
joystick (L and R of the operator console in Figure 6.1 which issues integer values in 
the range 0 ... 127 for forward motion and 0 ... -128for reverse motion. It is possible to 
drive only one motor at a time, in such a case, the robot will turn. The speed of the 
motors is directly proportional to the value written to them. 
The robot is equipped with 8 infra red sensors. These return an integer value in 
the range 0 ... 255 depending on whether an obstacle is present or not. 0 indicates no 
obstacle, 255 indicates obstacle very near. We normally operate with a threshold of 
around 100, above which we take notice of the sensor readings, i.e., an obstacle is of 
interest. At this point, reactive control takes over from the manual control by moving the 
vehicle away from the obstacle until the 100 threshold is not set. The sensor positions 
are as follows : N, NE, E, SE, S, Sw, W and Nw, covering the body of the robot as 
shown in Figure 6.1." 
The following presents the specification and the design of the driving part of the 
robot control system. 
The specification can be divided into 3 parts, one each for motor control, infra-red 
control and operator control. The specification for the robot control system is given by 
Figure 6.2. The ITL formula for it is : 
ROBOT CONTROL SYSTEM = 
(MOTOR CONTROL SYSTEM) /\ (INFRA-RED CONTROL SYSTEM) /\ (OPERA-
TOR CONTROL SYSTEM) 
We can, now, separately consider each of the three components for specification 
and refinement. 
142 
Ph.D. Thesis 6.1 A Robot Control System 
NW N NE 
= = 
W E ®~® 
L R II 
000 
OPERATOR CONSOLE 
SW S SE 
ROBOT 
Figure 6.1: A Schematic of the Robot Control System 
MOTOR CONTROL SYSTEM 
ROBOT CONTROL SYSTEM . 
IINFRA.RED CONTROL SYSTEM I 
I OPERATOR CONTROL SYSTEM I 
Figure 6.2 : VisITL specification of the Robot Control System 
143 
Ph.D. Thesis 6.1 A Robot Control System 
1. Motor Control : 
If the sensor detects an object, then the control system takes over control ; oth-
erwise, if the operator requests a new movement, then it is actioned. Let l-i-c 
and r-i-c denote respectively the left and right motor commands issued by the 
infra-red control. Let i-act denote the presence/absence of an object. Let l-o-c 
and r-o-c denote the left and right motor command issued by the operator and let 
o-act denote an active operator request. Let move(l,r) denote the sending of left I 
and right r motor commands to the two motors. 
The motor control system (MCS) is formally specified as in Figure 6.3. Applying 
i-act = 1 move(l-i-c, r-i-c) 
o-act = 1 move(l-o-c, roo-c) 
i-act = 0 o-act = 0 
Figure 6.3: VisITL specification of the Motor Control System 
the refinement rule "Concrete Visual Refinement Rule 4 (VisRetRule : While2)" 
as in Figure 6.4, we obtain Figure 6.5. 
144 
Ph.D. Thesis 6.1 A Robot Control System 
( while) 
Figure 6.4: The While-2 Refinement Rule 
i-act = 1 move(l-i-c, r-i-c) 
o-act = 1 move(I-o-c, roo-c) 
true 
i-act = 0 o-act= 0 
Figure 6.5: VisITL MCS specification after Applying the While-2 Refinement Rule 
145 
Ph.D. Thesis 6.1 A Robot Control System 
Introducing the "If then" with the "Concrete Visual Refinement Rule 2 (VisRe-
fRule : In" as shown in Figure 6.6, we obtain Figure 6.7. Now, the decision to 
Figure 6.6: The If-I Refinement Rule 
( "bUe) 
( If" then ) 
I .. ct-l 
IDOve(l·I-c:. r·I-c:) 
f-true o-act-l - move(I-o-c:. r-o-c:l I 
I 
l .. ct_O I o-act.o true 
I 
Figure 6.7: VisITL MCS specification after Applying the If-l Refinement Rule 
be taken for the issuing of the move commands is not deterministic in case both 
infrared and operator are active. Let us say that we want to design the control in 
such a way that the operator is given precedence. We can state this in the form 
of a design decision rule as shown in Figure 6.8. Applying this design decision 
rule, we obtain the specification in Figure 6.9. The design rules could be imple-
mented as general rules as in Figure 6.10 and during the development process, 
the parameters 'f' and 'g' could be mapped to the parameters desired. This is a 
way forward in aiding the user with Visual design decision rules. 
146 
Ph.D. Thesis 6.1 A Robot Control System 
B I I l.ad=1 I o.ac:t-O I I 
Figure 6.8: Refinement of i-act due to our Design Decision 
( while) 
( II .. then ) 
I 
load .. 1 I 04c:t- 0 move(l.k:, r·k:) 
I 
true - o-ac:t -1 I- move(l-o<, r-o<) 
I 
I 
load- 0 I o-act- 0 true 
I 
Figure 6.9: VisITL MCS specification after Applying the Design Decision 
o I 
Figure 6.10: Visual Refinement Rule - General Design Decision 1 
147 
Ph.D. Thesis 6.1 A Robot Control System 
Now, applying the Concrete Visual Refinement Rule 6 (Execution-t Rule) for 
choosing a specific execution time of 'f steps for the body of the while loop, we 
obtain the specification in Figure 6.11. 
( whUe) 
( If •• then ) 
I 
I 
I .. ct-I I o-ad_O move(l-l-c. r-I-c) 
It] I 
true f--. 
o-act-I I--- move(l-o-c. r-o-c) 
I 
I 
I .. ct-O I o-act.O true 
I 
Figure 6.11: VisITL MCS specification for an Execution Time of t Steps 
The following is the refinement in textual ITL for comparison in sect. 6.2. 
MOTOR CONTROL Sf ST EM 
( 
( (i - act = 1) /\ move (1- i - c, r - i - c)) v 
( (0 - act = 1) /\ move (1- 0 - c, r - 0 - c)) v 
( (i - act = 0) /\ (0 - act = 0)) 
)* 
Applying the ITL C while-2, we obtain: 
while true ( 
( (i - act = 1) /\ move (1- i - c, r - i - c)) v 
( (0 - act = 1) 1\ move (1- 0 - c, r - 0 - c)) v 
((i-act = 0) 1\ (o-act = 0)) 
) 
Strengthening the guard of the infra-red move as before, by applying the 
148 
Ph.D. Thesis 6.1 A Robot Control System 
design decision rule: (i - act = 1) ~ (i - act = 1) 1\ (0 - act = 0). 
we obtain 
while true ( 
((i-act = 1) 1\ (o-act = 0) 1\ move(l-i-c,r-i-c» v 
((o-act = 1) 1\ move(l-o-c,r-o-c» v 
( (i - act = 0) 1\ (0 - act = 0» 
) 
Applying the ITL ~ if-l rule. we obtain: 
while true ( 
if ((i - act = 1) 1\ (0 - act = 0» then move (1- i - c, r - i - c) 
o (o-act = l)thenmove(l-o-c,r-o-c) 
o ((i - act = 0) 1\ (0 - act = 0» then true) 
fi) 
2. Infra-red Control: 
The sensors are to be read and for each sensor reading that is greater than the 
threshold of 100, the motor commands are to be adjusted accordingly. 
Let ir - c(i) denote the sensor i(N: i=O, NE: i=l, E: i=2. SE : i=3, S: i=4. SW : 
i=5. W: i=6, NW : i=7). Let mvJ(i) and mvr(i) denote respectively the left and 
right steering commands corresponding to sensor i. Also. let us denote the sum 
of all mvl (i) values by sum( mvl (i» and the sum of all mvr( i) by sum( mvr( i) ). In 
our example. the sum function could be defined as : 
sum(X) = (if ir - c(O) > 100 then X (0) else 0) + 
(ifir-c(l) > 100thenX(1) else 0) + 
(if ir - c(2) > 100 then X (2) else 0) + 
( ...... ) + 
(if ir - c(7) > 100 then X (7) else 0) 
This function adds up the values corresponding to the 8 sensors. Each sensor 
149 
Ph.D. Thesis 6.1 A Robot Control System 
contributes a value only if it is above the given threshold of 100. 
Here, we note that the function implementation is not given a visual representa-
tion. However, we could extend our visual framework with a graphical way of 
depicting functions. In this context, it is interesting to note how it could be done 
similar to the graphical functions within the stateftow formalism [143]. Such a 
graphical function integrated into the VisITL framework would look like in Fig-




Figure 6.12: A Graphical Depiction for Computing the Sum of Sensor Contributions 
action, if any, in flower brackets. 
The specification for ICS is given formally by the VisITL specification in Figure 
6.13. Using rule Vis-while2, we obtain the specification in Figure 6.14. 
150 
Ph.D. Thesis 6.1 A Robot Control System 
( r_ ..... ) 
( .... : 0<_101) • 1 .... c(1) > 108 ... .. 1 
l-1d_O 
Figure 6.13: VisITL Specification for the Infra-red Control System 
( _I. ) 
( If.1ben ) 
(_:0"" ... 7) .... «1» 100 '-1-1 
1 ... 1_0 
--------------------------
true ~ I·k • 8IIm(D1"I(I» 
~--------------------------
r-k. _(D1vr(l)) 
Figure 6.14: VisITL ICS Specification after Applying Vis-while2 
151 
Ph.D. Thesis 6.1 A Robot Control System 
Applying the Concrete Visual Refinement Rule 6 (Execution-t Rule) for choosing 
an execution time of "t" steps for the body of the while loop would result in Figure 
6.15. So, for an execution time of t, the specification can be shown in refined form 
[ W1U~ ) 
( If .• !beD ) 




true .. 1·1..., • sum(mvl(l) 
--------------------------
r-loe:. sum(mvr(l) 
Figure 6.15: VisITL ICS Specification for an Execution Time of t Steps 
as in Figures 6.16 and 6.17. This will sample the sensors at the beginning of the 
execution interval, set i-act accordingly and disable i-act during the rest of 
the execution interval. 
152 







I I-i-e = sum(mvl(i) I 
~------------------
I r-i-e .. sum(mvr(l) I 
Figure 6.16: The VisITL ICS Specification with Zoom-in for infra-red active 
I ( If.A_ ) 
I 
I 
I (_, ... 1<-7) ..... (I».ee .... _I 
tmpty • 
I 




I *'p I 
~ 
II ~ .• 
. 
I : .... 1e(1o.a) : ".1·2 I I , 
I *'P I 
Figure 6.17: The Zoomed-in infra-red active for Execution Time of t 
153 
Ph.D. Thesis 6.1 A Robot Control System 
If we choose an execution time of 1 i.e., one time step, then, the specification 
would be represented as in Figure 6.18. 
( If_lboa ) 
( ...... :Oc-l.a.'7) .11' .• (1» 100 I..:t-l 
1_1.0 
--------------------------
lnIe - I-I-c. sum(mvl(l» --------------------------
r-I-c • sum(mvr(l» 
Figure 6.18: Final Refined ICS for the Special Case of Unit Execution Time 
3. Operator Control: 
If the operator requests some changes, then, these are to be processed. 
Let ll- 0 - c and Ir - 0 - c denote respectively the last left and last right steering 
commands received from the operator. 
The specification of the OCS is given by Figure 6.l9. Using rule Vis-varl, we 
can introduce local variables and obtain the specification Figure 6.20. Using 
rule Vis-while2, we can obtain the specification in Figure 6.21. The assignment 
statements can be introduced using Visual Refinement Rule 6 to obtain Figure 
6.22. 
154 
Ph.D. Thesis 6.1 A Robot Control System 
( exists: U-o-c, Ir-o-c ) 
II-o-c = 0 Ir-o-c = 0 
( 1'.!beD ) 





I ) O(II-o-c) = l-o-c i O(lr-o-c) = r-o-c 1 i 
Figure 6.19: VisITL Operator Control System Specification 
( var IJ-o-c, Ir-o-c in ) 
II-o-c = 0 Ir-o-c = 0 
---------------------------------





I ) O(II-o-c) = l-o-c I O(lr-o-c) = r-o-c I I 
Figure 6.20: VisITL OCS Specification after Applying Vis-var! 
155 
Ph.D. Thesis 6.1 A Robot Control System 
( var II-o-c, Ir-o-c in ) 
I 










I O(II-o-c)=I-o-c • O(lr-o-c)=r-o-c I • 
Figure 6.21: VisITL DeS Specification after Applying Vis-while2 
( var II-o-c, Ir-o-c in ) 
i 
I I II-o-c = 0 I Ir-o-c = 0 I 
----------------------------------1 
(While) 
[If_III •• ) 







I I Ir-o-c := r-o-c O-o-c:=I-o-c • • 
Figure 6.22: VisITL OCS Specification after Introducing the Assignment Statements 
156 
Ph.D. Thesis 6.1 A Robot Control System 
Finally, applying the Execution-t Rule for choosing an execution time of "t" steps 
for the body of the while loop results in the concrete code in Figure 6.23. So, 
( var II-o-c, Ir-o-c in ) 
I 
I II-o-c = 0 I Ir-o-c =0 I I 
~----------------------------------. 
( While ) 
( IfHlben] 






I I Ir-o-c := r-o-c II-o-c := l-o-c I I 
Figure 6.23: VisITL oes Specification for an Execution Time of t Steps 
for an execution time of t, the specification can be shown in refined form as in 
Figures 6.24 and 6.25. This will sample the operator signals at the beginning of 
the execution interval, set 0 - act accordingly and disable 0 - act during the rest 
of the execution interval. 
157 
Ph.D. Thesis 6.1 A Robot Control System 
( var II-o-c, Ir-o-c in ) 
I 
I 













Ir-o-c := r-o-c I 
I 
Figure 6.24: VisITL OCS Specification with Zoom-in for operator-active 
1 ~ I I 
I I I 
I (a.cOI+c)V(~<>1I'-+oc) .--1 empty skip I ii-o-e :- i-o-c I ir-o-c :_ r-o-c 




r .kip I 
• 
ro-Kl " ° I ltable(o-Kl) I Ien=I·Z I I I m stable(lioc) I stable(lroc) I len-t·1 1 I 
Figure 6.25: Operator-active for an Execution Time oft Steps 
158 
Ph.D. Thesis 6.2 Comments on the Two Approaches 
If we choose an execution time of 1 i.e., one time step, then, the specification 
would be represented as in Figure 6.26. 
( var II-o-c, Ir-o-c in ) 
I 
I II-o-c = 0 I Ir-o-c =0 I I 
-----------------------------------
( While ) 
( it_die.) 






I I Ir-o-c := r-o-c U-o-c:=I-o-c I I 
Figure 6.26: Final Refined OCS for the Special Case of Unit Execution Time 
6.2 Comments on the Two Approaches 
It is easy to see that the transformations on purely textual ITL specifications are not 
that easy to keep track of despite good indenting. There are not many visual cues to 
rely on, despite good indentation of the textual specification. This is a crucial point in 
dealing with even larger specifications on which we might end up applying numerous 
transformations. This adds further strain, especially on a user who is not dealing with 
mathematical specifications on a regular basis. Even formalists would be hard-pressed 
to keep track of the development process especially when automated tools are being 
used on ITL specifications. One advantage however with textual specifications is that 
they are very concise. The refinement of MCS in textual ITL fits on a single page unlike 
the refinement in VislTL which takes several pages. Also, one could manage to write 
down textual specifications using "pen and paper" despite their inevitable dependency 
159 
Ph.D. Thesis 6.2 Comments on the Two Approaches 
on "not-so-easy-to write" mathematical symbols whereas visual specifications are more 
suited for use with an appropriate software tool. In this context, it is interesting to 
mention that the ancient Egyptian Hieroglyphic script is a writing system that employs 
characters in the form of pictures and dates back to the end of 4th millennium S.C .. 
In [19] the interested reader has a nice "self-learning" reference to learn how to write 
using "complicated pictures" without being too much of an artist! 
In contrast, in the visual framework. it was easy to see what happened to the spec-
ification on application of a refinement rule. It was possible to see that the contents 
of boxes were being moved around as depicted by the visual refinement rule adding to 
the confidence of the user that the process was progressing as specified. The user gains 
better control of the formal development process with such visual cues. 
Hence, sacrificing the conciseness of textual specifications for wider accessibility 
of the formal approach is a worthy compromise indeed. In any case, one could always 
translate a VisITL specification to its concise ITL form for the experienced formalist. 
Another interesting point to mention here is that a visual specification provides a 
possible benefit in resolving non-determinism. In the above example. we removed the 
non-determinism that existed by applying a design decision rule to strengthen the guard 
of the infra-red move. However, we could incorporate some geometry rules in order to 
automatically resolve non-determinisms. Maybe. as a default, we could apply some 
geometry rules to resolve non-determinism which could be over-ridden by the user, if 
required, through appropriate design rules. 
Let us consider the specification for motor control system as shown in Figure 6.27. 
Here, the guards are put on the outgoing lines ofthe visual "Or" construct. This is a 
possible new special notation for the "or". We could have a default rule to consider the 
guards in a particular order. If we consider the guards from a 12 '0' clock position on 
the node at which the "or" lines originate in a clockwise manner as depicted in Figure 
6.29, then, the guard i-act gets the first priority. In this case, we ignore the guards 
o - act and (..., i-act 1\ -, 0 - act). If i-act is not satisfied, then, we check 0 - act 
and so on. In this way, we assign the guard i-act the highest priority. This approach is 
160 
Ph.D. Thesis 6.2 Comments on the Two Approaches 
move(I-I-c, r-I-c) 
move(l-o-c, r-o-c) 
Figure 6.27: The i-act Component of the Visual-Or has Higher Priority. 
similar to the approach used within the stateflow visual formalism [143] for resolving 
non-determinism based on geometry. 
For the operator to be able to override infrared control as we did using a design 
decision rule, we have to re-order the boxes as shown in Figure 6.28. 
move(l-o-c, r-o-c) 
move(l-i-c, r-i-c) 
Figure 6.28: The Box Positions are now changed to give the Operator Higher Priority. 
Alternately, it may be a good idea not to attach any meaning to the geometry so that 
non-determinism might be resolved only by the user using some design decision rule. 
In my examples, I have not attached any meaning to the geometry of the "or" lines 
in the Visual "Or" construct. 
161 
Ph.D. Thesis 
12 '0' clock 
" I I 
~ 
6.3 A Mine Pump Control System 
Figure 6.29: Guard rule using Geometry for Resolving Non-determinism 
6.3 A Mine Pump Control System 
In the previous example, a case study in VisITL involving refinement was considered. 
In the re-engineering of systems, extracting an ITL specification from an existing im-
plementation becomes important. For this purpose, the techniques of abstraction in ITL 
described in [102, 103] are of utmost importance. The following case study demon-
strates how abstraction in ITL can be incorporated in our visual framework. 
This is a commonly occurring case study in formal methods literature. An elab-
orate description of the problem can be found in [24]. An informal specification of 
the problem is reproduced from [91] below with a schematic diagram shown in Figure 
6.30: "Water percolating into a mine is collected in a sump to be pumped out of the 
mine. The water level sensors D and E detect when water is above a high and low level 
respectively. A pump controller switches the pump on when the water reaches the high 
water level and off when it goes below the low water level. If, due to a failure of the 
pump, the water cannot be pumped out, the mine must be evacuated within one hour. 
The mine has other sensors (A, B, C) to monitor the carbon monoxide, methane and 
airfloW levels. An alarm must be raised and the operator informed within one second 
of any of these levels becoming critical so that the mine can be evacuated within one 
















6.3 A Mine Pump Control System 
Environment 
... ont M loring Station , 
Pump I- --~ Log 
Controlling Station - - - > Operator 
A COselUOr 
8 Methllne selllor 
- - C Airflow MlUOr 
D High wllter levellelUOr 
E Low wllter level Mnmr 
F Wllter now MlUOr 
Figure 6.30: A Mine Pump Control System 
level is below a criticallevel. 
Human operators can also control the operation of the pump, but within limits. An 
operator can switch the pump on or off if the water is between the low and high water 
levels. A special operator, the supervisor, can switch the pump on or off without this 
restriction. In all cases, the methane level must be below its critical level if the pump is 
to be operated. Readings from the sensors, and a record of the operation of the pump, 
must be loggedfor later analysis. 
The main safety requirement is that the pump should not be operated when the level 
of methane gas in the mine reaches a high value due to the risk of explosion. 
For demonstrating an application in abstraction, an implementation of the above 
requirements in ADA which was subsequently translated into a Common Structural 
Language (CSL)l in [103] is chosen as the basis. This case study demonstrates abstrac-
tion using VisITL specifications. 
lCSL was developed [103] to enrich statements in Time Guarded Command Language and make 
Reengineering Wide Spectrum Language (RWSL) compatible to WSL in Maintainer's Assistant tool 
163 
Ph.D. Thesis 6.3 A Mine Pump Control System 
One module called the "pump module" is selected from the CSL code and trans-
lated it into Tempura code. The Tempura code is given below : 
define Motor-unsafe() = { 
if (Motor-status On) 
Sw := Off 
Motor-status := Off i 
format (' 'motor-stopped \n ") 
} i 
Motor-condition := Disabled 
format("motor-unsafe \n") 
and 
define Motor-safe() = { 
if (Motor-status = Off) 
Sw := On ; 
Motor-status := On i 
format("motor-started \n") 
} i 
Motor-condition := Enabled 
format (' 'motor-safe \n ' ') 
and 
define set-pump (Pump-status) { 
if (Pump-status = On) { 
if (Motor-status = Off) 
if (Motor-condition = Disabled) 
format("pump-not-safe \n") 
if (Ch4-status = Motor-safe) 
Motor-status := On ; 
Sw:=Oni 
164 
Ph.D. Thesis 6.3 A Mine Pump Control System 
} i 
format (' 'motor-started \n' ') 
else format("pump-not-safe \n") 
else if (Motor-status = On) { 
Motor-status := Off 
if (Motor-condition = Enabled) { 
Sw := Off; 
format("motor-stopped \n") 
Let us take each of the above 3 procedures one by one for abstraction. 
• The motor-unsafe procedure : 
Figure 6.31 is the procedure for motor-unsafeO written using the visual notation. 
Transforming the Visual "If Then" construct using the "if-I" rule for abstraction2• 
we get the transfonned specification in Figure 6.32. 
2Using a rule for abstraction means that we consider the transformation rule for the purpose of ab-
straction. As we saw in chapter 5, we could use any transformation rule for both refinement and abstrac-
tion as loog as it is applicable. 
165 
Ph.D. Thesis 6.3 A Mine Pump Control System 
( if •• then ) 
I Sw, .. Off I 
j 
Motor •• tatus = On .. I Motor .. tatua I" Off I 
j 
I rormat("motoMtopped In") I , 
Motor-condition 1= Disabled 
• 
rormat("motor·ulllBl'e In") 
Figure 6.31: The Procedure as it is in Tempura 
: I sw:.orr I 
I I 
Motor.status .. 00 : I Motor .. tatus :. orr I 
I I 
I I rormat("motor-stopped \DOl) J 
I 
Motor-CODdidoD ... Dlubled 
lormat("motor'WIIIIleln ") 
Figure 6.32: After Visual Abstraction using if-l 
166 
Ph.D. Thesis 6.3 A Mine Pump Control System 
Some "chop" operators could be replaced by logic conjunction using VisPA Rule 
6 resulting in further logic composition. The rule is reproduced below from chap-
ter 5. 
Figure 6.33: Visual Primitive Abstraction Rule 6 : Sequential 
Applying this rule, we obtain Figure 6.34. 
I Sw:_ Oft' 
I , 
I 
Motor-status = On I Motor-status :- orr 
I ----------
I lormat("motor-stopped \II") 
I 
! 
Motor-coaditlon := Disabled 
---------------------
lormat("motor-unaare \II") 
Figure 6.34: After Logic Composition 
There are quite a lot of exception test and handling details in the specification 
which need to be abstracted away. After doing this, we obtain Figure 6.35. After 
applying the Visual Primitive Abstraction Rule 1 which extracts a logic formula 
from an assignment statement, we obtain Figure 6.36. 
167 
Ph.D. Thesis 6.3 A Mine Pump Control System 
I 
I I Sw:- Oft' 
I , 
I 
Motor-status = On I 
I I Motor-status :- Oft' 
I 
I 
Motor-condition :- Disabled 
Figure 6.35: After leaving out Unnecessary Details 
I 
I o (Sw)-otr 
I , 
I 




o (Motor-condiUon) '" Disabled 
Figure 6.36: After applying the Visual Primitive Abstraction Rule 1 
168 
Ph.D. Thesis 6.3 A Mine Pump Control System 
• motor-safeD procedure 
Figure 6.37 is the procedure for motor-safeD written using the visual notation. 
Transforming the Visual "If Then" construct using the "if-I" rule. we get the 
( if •• then ) 
I Sw:.On I 
1 
Motor-status = Off .. I Motor-status :- On I 
J 
I forJl1llt("motor·.tarted In"> 1 , 
Motor-coodition :- Enabled , 
fonnat("motor ... re \n") 
Figure 6.37: The Procedure as it is in Tempura 
transformed specification in Figure 6.38. Some "chop" operators could be re-
placed by logic conjunction using VisPA Rule 6 resulting in further logic compo-
sition. 
Applying this rule. we obtain Figure 6.39. 
169 
Ph.D. Thesis 6.3 A Mine Pump Control System 
• 
I L Sw:=On I 
I 1 
I 
1 I Motor-status = Off I Motor-status :. On 
I 1 
I L format("motor-started \0") I 
I 
Motor-condition := Enabled , 
formatC"motor-..re \0 ") 
Figure 6.38: After Visual Abstraction using if-l 
I 
I Sw:_On 
I J I 
Motor-status ,. Off I Motor-status :- On 
I -----------
I format("motor-started \0") 
I 
! 
Motor-colldltion :. Enabled 
~--------------------
format("motor-safe \0") 
Figure 6.39: After Logic Composition 
170 
Ph.D. Thesis 6.3 A Mine Pump Control System 
There are quite a lot of exception test and handling details in the specification 
which need to be abstracted away. After doing this, we obtain Figure 6.40. After 
I 
I I S",:-On 
I l I 
Motor-status = Off I I Motor-status :- On I 
I 
I 
Motor-condition :a Enabled 
Figure 6.40: After leaving out unnecessary details 
applying the Visual Primitive Abstraction Rule 1 which extracts a logic formula 
from an assignment statement, we obtain Figure 6.41. 
171 
Ph.D. Thesis 6.3 A Mine Pump Control System 
T 
I o (Sw) .On 
I , 
I 




o (Motor-condltlon) == Enabled 
Figure 6.41: After applying the Visual Primitive Abstraction Rule I 
• set-pumpO procedure 
Figure 6.42 represents the procedure using the visual notation. The zoomable 
portions in it are given by Figures 6.43 and 6.44. 
The abstractions performed lead to the following specifications, Figures 6.45, 
6.47 and 6.48. The final abstracted specification is shown in Figure 6.49. The 
explanations are provided in the captions associated with the specification fig-
ures. 
172 
Ph.D. Thesis 6.3 A Mine Pump Control System 
( 1I •• then ) 
~ 
<) 
Pump_stalus = On Motor«alul • orr I- r 
CiLiW 
Pump_stalus = Off I-·~ ~ ~I II 
Figure 6.42: The Procedure in Visual Notation 
[if .. lhcal 
I Motor-coaditlo. z Dbabled 8 ' ........ t( .. pump-IIO .. ..r.1a .. ) I 
~ 
I M ............ Iua:.O. I 
t 
I 5.:.0. J c ...... ta .... z MoCor-taf. 
t 
I ron-t( ......... 1I1arted Ia") J 
ron-t( .. pum,.-.r. Ia") 
Figure 6.43: The Zoomable part 'f' 
173 
Ph.D. Thesis 6.3 A Mine Pump Control System 
Motor .. ta ... ,. 0Ir 
1 Sw,-OIr J 
Motor-concUlion • Enabled I-
t formal("lIIOIor-Iloppecllll") I 
Figure 6.44: The Zoo mabie part 'g' 
I 
<) I I 
I Motor.status .. orr I Pump_status = On 
I I r. 
/ I I 
I~ I 
4> \ I I I Motor-tlttltus .. On I Pump_status .. orr I I I. 
I I 
Figure 6.45: The Procedure Abstracted using if-I 
174 
Ph.D. Thesis 6.3 A Mine Pump Control System 
CLiiW , , , , 
J Motor·eondldon • DlI8bled rorm.l(npum ... ~*"', \an) , , 
, , 
~ 
I MoloJ'.elalUa ,. O. J 
t 
I 8w;.0. J ClJ4.IIaIua .. Moto,....,. , t , 
I fol'llllll(nmo,.(lfrled \an) J . , 
, , , , , ' rOl'llllll(n~ot-..r. \an) , , , , , 
Figure 6.46: The Zoomable part 'f' with Unnecessary Details marked with Crosses 
Motor_lUI := Oa 
Cb4_1Ua = Motor·safe 
8w: .. Oa 
Figure 6.47: The Zoomable part 'f' after Dropping Unnecessary Details and using if-l 
Motor-status := Ott 
I 
Motor-condition = Enabled I Sw:=OtT 
I 
Figure 6.48: The Zoomable part 'g' after Dropping Unnecessary Details and using if-l 
175 
Ph.D. Thesis 6.3 A Mine Pump Control System 
f 
I I : I I I M ............ l.O' ... ,_ ..... -0.: M ............ OII' I c .......... M.........,. I 1 
J 
I : I h,.o- I I I 
~ 
\ I I I .............. 1.01( I I I I "'p~ ..... onl ,.. ........... 0. I 
I I 
I M __ ._ : h •• on I 
I I 
I I 
Figure 6.49: The Composed Abstracted Visual Specification for set-pump 
We can now abstract assignment statements by applying the Visual Primitive 
Abstraction Rule 1 on this composed specification. 
I I : I O(M_,·o.l I I / ..... ___ .0.: MIIIoMIa_ = Oft I c ............ ,....,...,. I I I : I 0(").0- 1 I 
~ 
\ I I I O(M_I·OIr I I I ,..,_ ....... 0«. M ........... ·O'I I 
I I fM---- O(h'.on 1 
I I 
I I 
Figure 6.50: The Composed set-pump Specification after Abstracting Assignments 
176 
Ph.D. Thesis 6.4 Comments on Visual Abstraction 
6.4 Comments on Visual Abstraction 
In this section, we saw how visual abstraction could also be performed in our visual 
framework to obtain a VisITL specification. The starting point was from a translation 
ofthe implementation (Le., CSL code in our example) to a VisITL form (rather its exe-
cutable equivalent). Using the visual transformation rules for abstraction, we obtained 
a VisITL specification. The first step of translating an implementation (in CSL or ADA, 
C etc.) to Tempura requires some experience in these languages. After this step, the 
abstraction is possible within our VisITL framework. 
We used the zoom feature to manage the specification by abstracting bits of specifi-
cations using rules and then composing them. In other words, the approach is scalable 
to large specifications. 
6.S Summary 
In this chapter, we saw how both refinement and abstraction in ITL are performed in 
a visual framework involving VisITL specifications. This framework facilitates a con-
trolled development of systems either in forward or reverse engineering. It was easy to 
see that the refinements on purely textual ITL specifications are not that easy to keep 
track of despite good indenting. There were not many visual cues to rely on, despite 
good indentation of the textual specification. This is a crucial point in dealing with 
even larger specifications on which we might end up applying numerous transforma-
tions. This adds further strain, especially on a user who is not dealing with mathemat-
ical specifications on a regular basis. Even formalists would be hard-pressed to keep 
track of the development process especially when automated tools are being used on 
ITL specifications. We also saw how visual abstraction could also be performed in the 
visual framework to obtain a VisITL specification. The starting point was from a trans-
lation of the implementation (i.e., CSL code in our example) to a VisITL form (rather 
its executable equivalent). Using the visual transformation rules for abstraction, we ob-
177 
Ph.D. Thesis 6.5 Summary 
tained a VislTL specification. The first step of translating an implementation (in CSL 
or ADA, C etc.) to Tempura requires some experience in these languages. After this 
step. the abstraction is possible within our VislTL framework. We also saw additional 
benefits of a visual framework for a formal method like ITL including scalability. In 
the following chapter, I will give an account of the implementation of the VislTL tool 




7.1 The Visual Tool 
This chapter gives details of the VisITL tool implemented during the course of the 
development of the visual language, VisITL. Also given is an insight into the experience 
gained and the feedback obtained for the development of the visual language. 
7.1.1 Block Diagram of the VISITL Tool 
The VisITL tool has been implemented in Tclffk. Figure 7.1 gives a block diagram of 
the tool implementation. The VisITL tool has all the standard drawing tool features 
of the tkpaint tool. Apart from this, it also provides special buttons on the tool menu 
for several VisITL constructs so that they could be drawn on the canvas by drag-and-
drop. Once VisITL specifications are constructed, they could be transformed using the 
VisITL-Funcs menu. As depicted in Figure 7.1, these functions include refinement in 
the visual framework. abstraction in the visual framework 1, the possibility to convert a 
VisITL specification to its ITL equivalent as well as pretty-printing2 a VisITL specifica-
tion. The VisITL-Help menu provides help on VisITL constructs, informal semantics 
of constructs, help on refinement and so on. 
Inot implemented in the current version 
2In this context, meaning that the diagram is made neat by centering formulas in boxes etc. 
179 
Ph.D. Thesis 
VIsITL TOOL MENU 
Transformations on Visual speclftcatlon 
Variou ...... 
flVlllTL --... 




LIak \0 ITL blip oa 
Ibowebp .... 
Helpoa RoII __ 
Help features 
Figure 7.1: A Block Diagram of the VislTL Tool 
The Figure 7.2 shows a screen dump of the tool. The drawing portion of the tool is 
an extended version of the tkpaint tool [146] freely available. tkpaint is a graphics 
program based on the canvas widget of the tool command language. TcUTk. It runs 
on several platforms including Linux. Windows 95, NT and Solaris. It is very easy to 
learn and use. Hence, it was decided to base the drawing feature of the VlsITL tool 
on it. Developing another drawing tool itself would not not have been possible due to 
time constraints apart from the fact that it would have amounted to "re-inventing the 
wheel". In other words. the tkpaint tool was an "off-the-shelf' component for these 
research purposes. I could therefore start implementing VislTL constructs rather than 
worry about implementing graphical primitives like lines. rectangles and so on. 
7.1.2 Features of the VisITL Tool 
The following is a description of the features of the tool implemented. 
• Draw visual ITL specifications easily by selecting the visual constructs on 
the tool bar/menu 
180 
Ph.D. Thesis 7.1 The Visual Tool 
file Shape Line image Fill Edit yroup Ielet Grid Zoom 100"10 Y1sITL-Funcs SRec-examples H"lp 
o I 0 I 0 _ O_...J __ [!,----...ll C\. I S i c, I ""\ 1~~.ffJ.!J 
T in I It;b o Cl I ca I e I IlID I ~.::~L~:~J~!JI 
chopstll' I_"n_d_--,I next 
more I empty I Infinite 




I.non I for.1I l e"/sts I 
J ;> , '''' .. '''' 
f 
/ 




INULL IHel yeti ca [101 ISTRL. De Itmtfort Uni Yersi ty 
Figure 7.2: The Visualisation Tool forITL 
The buttons shown on the VisITL tool could be clicked and then, using the mouse, 
the construct could be automatically drawn by first clicking (the left-mouse but-
ton) on the canvas to select the left-top comer for the box and then dragging the 
mouse and releasing it at the position for the right-bottom comer for the box. This 
way, the size of the box could be adjusted. The buttons for VisITL constructs are 
provided to speed up the process of constructing a specification . 
• Convert the visual ITL specification to a textual form by the click of a button 
The VisITL specification created could be converted to its equivalent textuallTL 
form by choosing an option in the menu button VisITL-Funcs on the toolbar. 
This would enable other tools in the workbench to be integrated in this visual 
framework. Also, the feature could be used to automatically generate a docu-
mentation with textual specifications. The Figure 7.3 shows the options availab le 
in the VisITL-Funcs menu. The Convert to option allows conversion to ITL in 
the current version. A future option could allow a direct conversion to Tempura 
181 





Figure 7.3 : The Visualisation Tool VisITL-Funcs Menu 
if the VisITL specification is executable. Otherwise, the user has to refine the 
VisITL specification using the following feature of refinement in Vis lTL. 
• Refine a visual ITL specification 
An option in the VisITL-Funcs menu allows the user to refine a VisITL specifi-
cation choosing a refinement rule from a rule repository. 
• Help feature for VisITL tool 
This provides information on visual ITL constructs together with informal se-
mantics in a visual form. This will aid the user in learning more about the for-
malism apart from providing help during the development process. 
• Sample VisITL specifications 
This provides some simple example specifications in VislTL for the user. 
7.1.3 Some Core Procedures of the VisITL Tool 
This section gives a brief insight into some of the key procedures of the VisITL tool. 
Since some of the procedures are inter-dependent, they are explained with dependency 
graphs. 
• The drawing procedures 
182 
Pb.D. Thesis 7.1 The Visual Tool 




ltanMore{} startEmpty{} startFlniteO 
startChop_llne{} 
startAnd-comp{} , 
Figure 7.4: The Dependencies of some Drawing Procedures 
Figure 7.4 shows a dependency graph of some of the drawing procedures. The 
procedure proc startFormula~nhancer{ qualifier} implements the feature of au-
tomatically creating VisITL constructs on the drawing canvas by using the but-
tons provided on the toolbar. The "qualifier" is the argument which gets sup-
plied automatically by clicking the menu button. For example, clicking on the 
"Always" button provides "Always" as the qualifier to the procedure to allow 
it to draw this construct automatically. As the dependency graph shows, the 
procedures for "Chopstar", "Next", "Always" and "Sometime" depend on proc 
startFormul~nhancer{ qualifier}. This procedure sets parameters for primitive 
constructs like line, rectangle and text involved in the creation ofthese visual con-
structs3 and also notes the starting x-y co-ordinates selected on the canvas. This 
3Note : The implementation is not based on using labels but on the earlier visual notation which used 
a separator line between the formula and the qualifier. 
183 
Ph.D. Thesis 7.1 The Visual Tool 
procedure then passes the co-ordinates of the positions at which the mouse was 
released to the makeformula-.enhancer{ x y} which completes the drawing of the 
figure. Depending on the qualifier passed as argument, one could change settings 
for the fonts or colour for the visual construct. The proc startPlain_formula { argF} 
implements the drawing of simpler formulas like "empty", "finite" etc. which are 
just text enclosed in boxes. 
• Procedures for conversion to textual ITL 
These procedures are required so that the user can produce the textual form of 
ITL and derive the benefit of existing tools in the ITL-workbench like Tempura, 
PVS and so on which depend on textual ITL input. This way the user can benefit 
from all current and any future support tools for textual ITL without knowing ITL 
syntax but by just using visual ITL in the graphical VisITL tool conveniently. 
Figure 7.5 shows the dependency of procedures implementing this feature. Proc 
convertlITL{} 
/1 ~ 
sort-boxes{} visual2latex{supplied} write-tex {arg.ror-Iatex} 
I 
make-ustor.boxesO 
Figure 7.5: The Procedures for Converting to Textual ITL 
convert2ITL{} converts the VisITL formula to a equivalent textual ITL form. It 
depends on procedures proc sort-boxes{}, proc visual2Iatex{supplied} and proc 
write-tex { arg_for .latex}. Proc sort -boxes {} ensures that the textual formula gen-
erated is correct irrespective of the order in which the boxes were drawn (inner 
boxes first or outer boxes first or in some mixed order). This was necessary as 
184 
Ph.D. Thesis 7.1 The Visual Tool 
the implementation of the tkpaint tool keeps information of primitive items in 
the order they were drawn. Hence, a new list of primitive items had to be gen-
erated according to the semantics of the VisITL language. Also since constructs 
like "chop" could be drawn by the user in any of the ways shown in Figure 7.6 
which are all legal in this framework, this generated list had to be appropriately 
modified. Thus, the semantics of the VisITL language comes into considera-
Figure 7.6: Using Chop in Several Forms 
tion. Such processing in done in this procedure. The current VisITL tool allows 
"chop" in all the above forms i.e., with horizontal and vertical arrows, as well 
as with slanted arrows. The proc visual2latex { supplied} brackets this listing ob-
tained in terms of the number of arguments expected for each visual construct. 
In other words, this list is transformed into a flattened tree-structure correspond-
ing to the equivalent textual ITL formula. This is passed as arg_for Jatex to the 
procedure proc write-tex{arg-for-Iatex} which generates a latex program. This 
program could be used to obtain the textual ITL specification in postscript form. 
The current implementation automatically generates the postscript and displays 
it to the user. 
• Procedures for refinement 
Figure 7.7 shows some procedures for refinement and their dependencies. As 
refinement rules could be visualised as moving sub-formulas around into newer 
locations within possibly different visual constructs, they depend on procedures 
like proc sub-ITLformula-in{xA yA xB yB} which was written to find out sub-
formulas in given locations, proc visualizejn {xA y A xB yB treejnfo} which 
was written to re-draw the sub-formula in the new location. Other drawing pro-
cedures could also be called during refinement as, for example, a chopstar would 
185 
Ph.D. Thesis 7.2 Lessons Learnt and Problems Encountered 
sub-ITLfonnula-in{xA yA xB yB} 
One or more drawing procedures 
Figure 7.7: The Dependencies of Some Procedures for Refinement 
get refined to a while construct and so on. 
Further details on these procedures are given in Appendix B. 
7.2 Lessons Learnt and Problems Encountered 
As already mentioned in chapter 4. expressions were found to be better written as in 
textual form in order not to introduce too many graphical primitives. Formulae in boxes 
with a separator line for the qualifiers were sometimes found to be confusing when dis-
tinguishing the formula text and the qualifier text. It was decided to incorporate labels 
into the VisITL language. During implementation. as many constructs as possible were 
based on a similar format. But. for the sake of intuitiveness. the visual language had to 
have more appropriate visual constructs for "chopstar", for example. Hence, there was 
always a compromise that had to be made. Moreover, for some constructs like "while", 
I chose a simpler form of visual construct so as not to overload the picture with many 
graphical primitives. 
As the visual language for ITL was non-existent at the start of my research. it was 
186 
Ph.D. Thesis 7.3 Future Work 
difficult to design an implementation. In other words, there was no specification on 
which to base the implementation. As a result, the aim of my implementation was to in-
vestigate and obtain valuable insight into the evolving visual language itself. Therefore, 
the current version of the implementation uses some older form of visual notations as 
already mentioned. Modifying the visual constructs implemented to match the current 
visual language would not be that difficult now but it would have its effect on all other 
functionality of the tool. Based on the current level of development of the language, 
better implementations could be designed. One could even go for implementations that 
abstract away the exact form of the visual notation itself. This focus could not have 
been entirely implementation as the visual language was evolving. In order to explore 
many more different implementation algorithms and designs, one could first develop a 
library of some core functions which could be utilised by all the implementations. This 
would enable some new implementations to be explored as future work in this area. 
As already mentioned in an earlier section, conversion of a VisITL formula to its 
equivalent textual ITL formula had to consider an algorithm based on all primitive 
objects on the canvas in terms of the VisITL constructs they constituted and not on the 
order in which they were drawn. Also, as mentioned earlier, "chop" could be drawn 
in several ways and hence, the ordering was not purely based on co-ordinates of boxes 
but sometimes had to be adjusted. The current version of the VisITL tool, as mentioned 
earlier, allows the drawing of chop in any form i.e., horizontal, vertical or slanted arrow. 
7.3 Future Work 
A textual ITL formula could now be visualised based on the VisITL language. Such a 
procedure would need an argument which encodes a tree structure for the formula. This 
procedure would be similar to proc visual21atex{supplied} which constructed a tree 
structure for the VisITL formula drawn on the canvas. This way, one could incorporate 
already existing textual ITL specifications into this framework. 
Further work could also be done on incorporating restrictions on the attempted Vis-
187 
Ph.D. Thesis 7.4 Chapter Summary 
ITL specifications through appropriate warnings generated by the implementation. 
Also, one could create a library of VisITL specifications or specification-chunks 
which could be dragged and dropped on the canvas to have ready-made blocks of spec-
ifications. Then, the general parameters could be mapped to specific identifiers to re-
alize the VisITL specification. This would speed-up the specification process further 
and hence enable further accessibility of the formal method. One more possibility with 
implementation, now that no practical distinction between transformation rules for re-
finement and abstraction are made, is that we could just have one set of transformation 
rules and use any rule either for refinement or abstraction based on a user selection on 
a radio-button. In other words, the user could select one rule from a list and apply it on 
the VisITL specification to either refine or abstract. 
With regard to executions of concrete VisITL specifications, further work needs to 
concentrate on integrating Tempura into the framework to allow the user to visualise 
simulations graphically. 
7.4 Chapter Summary 
Details of a tool developed for the VisITL language were given. The features of the 
VisITL tool i.e., drawing, conversion to textual ITL and refinement were explained. 
Also, with the help feature on the tool, a user could learn VisITL syntax and semantics 
with examples. Lessons learnt and problems encountered during implementation are 
explained in order to benefit future work in this area. Conversion of a VisITL formula 
to its equivalent textual ITL formula had to consider an algorithm based on all primitive 
objects on the canvas in terms of the VisITL constructs they constituted and not on the 
order in which they were drawn. Also, as mentioned earlier, "chop" could be drawn 
in several ways i.e., horizontal, vertical or slanted arrow and hence, the ordering was 
not purely based on co-ordinates of boxes but sometimes had to be adjusted. Core 





Chapter 1 contains the background and motivation for the work and an outline of the 
thesis. 
In chapter 2, process models and strategies in software development were explored 
and various formal approaches for the development of real-time, safety-critical systems 
introduced. While formal approaches were found to have benefits in development espe-
cially for safety-critical systems, they have many drawbacks to overcome especially for 
enabling them to be more suitable for widespread use. Mentioning the rationale for the 
choice of Interval Temporal Logic (ITL) as the formalism for the work, the objective 
of this thesis is to contribute to the development of ITL as a lean formal method i.e., a 
formal method that is more accessible. 
In chapter 3, we saw how visualisation helps in various domains in fostering in-
creased accessibility of information, languages and technology through various means 
including better communication and ease of use. We examined how we could apply 
visualisation aids to an ITL-based formal method. Specifically in order to design a 
visual language for ITL, a design rationale was developed and key requirements to be 
satisfied by such a visual language identified. To recapitulate, these requirements are 
briefly summarised here : 
189 
Ph.D. Thesis 8.1 Summary 
Based on a study of visual representations in various areas, the following were 
identified as key features that should be taken into account while designing a visual 
language. 
• Simplicity 
This is one of the most important features of a good visual notation. The simpler 
the diagram, the easier and quicker it is to extract the meaning from it. 
• Intuitiveness 
The diagram should draw the attention of the reader quickly to the suggested 
meaning. 
• Unambiguity 
The diagram should not be causing any confusion in interpretation. 
• Readability 
The diagram should have text put at suitable locations to enhance readability 
without overcrowding the diagram. 
• Communicativeness 
It should be possible to communicate with other people using the diagram. In 
other words, it should be possible to suitably abstract the diagram, when nec-
essary, and see the new diagram clearly. It should be possible to navigate the 
diagram contents with ease. 
• Manipulatability 
It should be possible to manipulate the diagram to suitable equivalent forms. The 
meaning of any manipulation should be clear. 
• Composability 
It should be possible to suitably compose two diagrams. 
190 
Ph.D. Thesis 8.1 Summary 
• Extensibility 
The visual notation should support extensions to the basic language with mecha-
nisms/suggestions on how to do so. 
• Customisability 
It should be possible to customise the basic notation in some restricted ways for 
which guidelines should be provided. 
• Realisability 
It should be possible to realize the visual language conveniently in a suitable tool. 
• Scalability 
It should be possible to deal with huge descriptions nearly as conveniently as 
smaller ones. 
• Expressivity 
It should have enough expressivity in terms of available language constructs so 
that expressing anything in context can be done directly rather than by round-
about methods. 
In chapter 4 • we then explored ITL in detail with example specifications highlight-
ing some of the problems with textual ITL. We examined how we could apply visuali-
sation aids to an ITL-based formal method. The approaches until then concentrated on 
graphical output for simulation through Tempura and work on automata representations 
for ITL formulae. An interesting possibility as yet unexplored. was the development 
of a visual language for ITL. Hence a visual language for ITL was developed adhering 
to the requirements of a good visual language identified earlier. The visual notation is 
summarised in Figure 8.1 and Figure 8.2 below. 
The salient features of the notation can be summarised as follows : 
• Expressions are written as in textual ITL. 
191 
Ph.D. Thesis 8.1 Summary 
, 
[J Fonnula f ~ Negation 
[ili] And composition I (r~,,) I Universal Quantlfter 
I skip I skip 
'1 
) chopstar ,r Chop , 
-..... - '2 
Figure 8.1: Summary of the Visual Notation for Primitive ITL Fonnulae 
• A Formula is enclosed in a rectangular box which also contains a rounded rect-
angular box for holding any operator infonnation ; the rounded rectangular box 
maybe omitted if there is no operator involved. 
• The "And composition" has dotted lines between the components in the fonnula. 
• The negation has a cross mark in the label portion of the rectangular box. 
• The existential quantifier also follows the labelled rectangular box fonnat. 
• The chop has a directed arrow between the two rectangular boxes containing the 
formulae for the left and right subintervals respectively. 
• The chopstar has a directed arrow from the rectangular box to itself indicating a 
looping construct. 
192 
Ph.D. Thesis 8.1 Summary 
I r-rti- 1 I Sometime I C oJwr·Y' I I Alway. 
GJGJ 
Or Implk:atloD 
Figure 8.2: Summary of the Visual Notation for Some Abbreviations 
The choice of the visual notation has been influenced by various factors as seen in 
section 4.6. These influences were a direct result of the the important design features 
identified for visual representations from sectionSect:KeyVis. The following paragraph 
summarises some key points. 
In section 3.1.11, we saw how an Interval Logic, namely GIL [41], visually depicted 
fonnulae in the logic. It is dependent on constructing different sub-intervals and then 
depicting the predicates that are true in such subintervals. Hence, it needed different 
kinds of graphical primitives like a solid line to represent strong intervals, i.e. non-
empty intervals, a double solid line to depict a weak interval, a single arrowhead to 
indicate a weak: search while an interval is constructed, a double arrowhead to indicate 
a strong search and so on apart from using temporal operator symbols in the visual 
representation. Also, the placement of the predicate relative to the line depicting the 
interval has a meaning; for example, if it is the middle of the interval, then, it is an 
193 
Ph.D. Thesis 8.1 Summary 
invariant as in Figure 3.7(b). In the context ofVislTL language, a much simpler, more 
intuitive and readable language was needed which also integrated TAM for concrete 
communication constructs. 
It was also considered in section 4.6.3 how predicates were depicted using set theory 
concepts in a visual logic in [130]. This logic, being based on set theory, has graphical 
primitives like overlapping boxes which are unnecessary in VisITL, and circles for 
variables and constants additionally which we found unnecessary as it over-crowds 
the visual representation as well as unnecessarily complicating the implementation. 
Moreover, this visual logic is not a temporal logic. 
We also saw in chapter 3 how parallel states were depicted in statecharts-based for-
malisms. The same "dotted-line"representation was chosen for the "and-composition" 
in VisITL so that no new notation is introduced for similar concepts in other languages. 
This would help avoid any confusion for users previously accustomed to other lan-
guages. 
For the ITL "chop", a line with arrow was chosen to represent the meaning of chop 
i.e., sequential composition. For "chopstar", a loop was depicted around the box. The 
label in the box was used for readability. The concrete constructs like "While", "If 
Then" etc. also followed a similar format. This is true for the TAM communication 
constructs as well. Hence, Vism was not only made simple, intuitive, readable and 
unambiguous but also one that integrated abstract constructs and concrete constructs in 
similar notations. This aids communicativeness between users at all abstraction levels. 
The geometrical guidelines for constructing VislTL specifications show how a spec-
ification can be manipulated and composed. The VislTL abbreviations allow us to 
manipulate diagrams to suitable equivalent forms. In a similar way, the user can add 
new abbreviations as a way of extending the syntax and thus customise the notation. 
Chapter 6 demonstrates the scalability of this approach. Chapter 7 demonstrates the 
realisability of this approach. The VisITL language derives its expressivity from ITL. 
ITL examples given earlier were re-worked using the VislTL language constructs. 
Although with VislTL, we had a graphical notation for ITL, we still lacked a visual 
194 
Ph.D. Thesis 8.1 Summary 
framework in which formal development could take place in an accessible manner. 
In chapter 5, in order to facilitate the development process using the VisITL lan-
guage, visual refinement and abstraction rules were introduced with examples. Thus a 
visual framework for both forward and reverse engineering in a formal visual frame-
work supporting both convenience and accessibility are developed. The notation for 
visual refinement and abstraction is summarised below: 
Figure 8.3 denotes a transformation (which can be either refinement or abstraction) 
visually. It suggests intuitively that h contains more details than /1 because of the 
shaded box. The rule could be applied either during forward or reverse engineering. 
Figure 8.3: Visual Refinement 
In chapter 6, case studies showing how the visual framework supported both refine-
ment and abstraction were developed. Also an additional possibility with respect to 
the visual notation while developing the case studies were explored, like for example. 
resolving non-determinism through geometrical considerations. Currently, in the vi-
sual framework, it was decided to use design decision rules to resolve non-determinism 
rather than attach meaning to geometrical features in VisITL. This lets the user be in 
control rather than automatically resolving conflicts which the user may fail to notice. 
In chapter 7, the experimental VisITL tool that was built and used in the process 
was described in detail giving directions for further implementation efforts. 
To summarise, we state that a simple, intuitive and readable visual language has 
been designed which enjoys the benefits of being a formal language. The supporting 
viSual framework of refinement and abstraction enables easy manipulatability as well 
as communicativeness. The visual notations for abstract VisITL specifications as well 
195 
Ph.D. Thesis 8.2 Review of Work Done and Comparisons to Related Work 
as the concrete ITL and TAM constructs are integrated in a similar fonnat. The Vis-
ITL tool demonstrates realisability. Extensibility, customisability, composability and 
scalability are demonstrated through examples and case-studies. 
8.2 Review of Work Done and Comparisons to Related Work 
This work aimed to contribute to the development of ITL as fonnal method for the de-
velopment of critical systems. Towards that goal, the research explored visualisation 
approaches for increasing the accessibility of the formal method. The visual framework 
that has evolved is an exciting way forward in this direction. A valuable foundation has 
been laid by designing a visual language as well as evolving a framework in which 
development can be carried out. This approach insulates the user from as many for-
mal notations and difficulties as possible in a user-friendly manner. Valuable feedback 
obtained from the tool that was developed for experimentation is passed on to guide 
further explorations for implementation and development of the visual language itself. 
Related work done by others include the Visual Logic of [130], Graphical Interval 
Logic (GIL) [41] and statecharts-based fonnalisms such as those supported by Statem-
ate and Stateflow. 
The Visual Logic of [130] aimed to make fonnal specifications accessible to non-
programmers by using familiar notions of set theory, such as set inclusions and their 
graphical representations. They have made attempts to link their visual logic specifi-
cations to executable specifications in Prolog. VisITL is a similar effort based on ITL 
though not following the concepts of set theory. VisITL uses simpler intuitive visual 
notations suitable to ITL syntax and semantics. In VisITL, the number of graphical 
primitives is deliberately optimised keeping implementation issues in mind. Therefore, 
it is a much more practical approach and more suitable to ITL syntax. 
The Graphical Interval Logic, on the other hand, is intuitive but uses a different 
approach, one that depicts intervals as horizontal lines. This approach is unsuitable to 
VisITL as one of the aims was to seamlessly merge VisITL with its executable subset 
196 
Ph.D. Thesis 8.2 Review of Work Done and Comparisons to Related Work 
i.e., Tempura. Further, integration with the Temporal Agent Model (TAM), allowed us 
to incorporate concrete communication constructs in the same framework. With both 
forward and reverse engineering supported by the visual refinement and abstraction 
rules developed in this work, a unified visual framework has now resulted in which for-
mal development of systems is possible in a intuitive and accessible manner as demon-
strated through examples and case-studies. 
Statecharts-based formalisms, like those supported by Statemate and Stateftow, are 
supported with verification capabilities through model-checkers. This model-checking 
capability is lacking today in the VisITL framework. When this capability is realized. 
this framework will have the benefit of the model specified in VisITL checked against 
a property also specified in the same language. This is unlike in statecharts-based for-
malisms where the properties are specified in a temporal-logic based language while 
the model is statecharts-based. Also, in stateftow, non-determinism is resolved through 
geometrical considerations in the stateftow diagram whereas no such automatic reso-
lution of non-determinism is provided in the VisITL framework. This is deliberately 
done so in VisITL to avoid the user getting confused by any unintended semantics be-
ing automatically given to the resulting implementation. The user is given the choice 
of applying his own design decision rules instead. 
The VisITL framework is therefore not just a visual language for ITL, but is sup-
ported by a development process encompassing both forward and reverse engineering 
through visual refinement and abstraction rules. The user need not know the notations 
of ITL but can use the more intuitive VisITL language in the convenient VisITL tool 
and derive the benefit of all the support tools in the ITL-workbench. Therefore, the 
VlSITL specifications can be validated using the ITL proof system. The executable 
specifications obtained by using refinement rules, could be explored by simulation us-
ing Tempura. Hence the VisITL framework which has been developed is a powerful 
way of fonnally and visually capturing requirements, validating them, exploring them 
by simulation as well forward or reverse engineering them in an accessible way. 
197 
Ph.D. Thesis 8.3 A Final Note on the Visual Notation and the Visual Framework 
8.3 A Final Note on the Visual Notation and the Visual Framework 
The visual notations for Negation, Chop and Chopstar use simple intuitive concepts to 
depict the meaning of the formula. The "And-composition" uses dotted lines similar 
to statecharts-based formalisms. The abstract and concrete constructs both follow the 
box-format. A label within the box aids readability. The label could also hold icons 
as in the case of TAM constructs to be more visual. All these constructs adhere to the 
design principles identified in section 3.2. For refinement in the visual framework, we 
depicted the refinement of a formula intuitively using a shaded box. Through examples 
and case studies, we saw how the visual framework for formal systems development 
using ITL can be done in an accessible manner. The implementation of the VisITL tool 
demonstrated realisability. 
8.4 Further Work 
Refinement strategies could be built-into the VisITL tool to aid the user in perform-
ing refinement. Work regarding more advanced features like integration with a proof 
tool like PVS for constructing proofs could also be carried out. Also, in order to per-
form verification tasks on VisITL specifications, a model checker for ITL is necessary 
for integration into the VisITL framework. Work in this area is currently underway 
[117, 118]. A model checker would provide counter-examples if the property is found 
to be violated by the model in which case, the user could be shown the scenario leading 
to property violation through animation in Tempura. Further development with regard 
to implementation should be carried out with more case-studies supported by industry. 
This will test the visual language and the framework which has been developed with 
real users. An investigation should be carried out with a carefully prepared question-
naire to obtain feedback from such users to enable further development and appropriate 
customisation of the VisITL tool. This would help us build on the initial encouraging 
results for its evaluation. This would also aid, in general, further development of the 
198 
Ph.D. Thesis 8.5 Conclusions 
formalism and associated tools in the workbench in a direction towards more accessi-
bility. 
8.S Conclusions 
It is hoped that this thesis has made a useful contribution to enable ITL to be used by a 
wider spectrum of users. It is also hoped that further developments in the area of ITL. 
and particularly VisITL. will see a growing number and a wider spectrum of users. 
199 
References 
1. Abadi, M. and Manna, Z., ''Temporal logic programming", 10urnal of Symbolic Compu-
tation, 8(3), pages 277-295. 
2. Agresti, W.W., "New paradigms in software development", IEEE Computer Society Press. 
1986. 
3. Alur, R., Courcobetis, C. and Dill. D.L., "Model checking in dense real time". Information 
and Computation. 104(1):2-34. 1993. 
4. Anscombe, FJ .• "Graphs in Statistical Analysis", American Statistician 27, pp.17-21, 
February (1973). 
5. Ashworth, C.M., "Structured Systems Analysis and Design Method (SSADM)", Informa-
tion and Software Technology, 1983,30(3), 153-63. 
6. Auermeier, B., Kemmerer, R., "RT-ASLAN : a specification language for real-time sys-
tems", IEEE Trans. on Software Eng., 12(9):879-889, September 1986. 
7. Back, RJ.R., "A calculus of refinements for program derivations", Acta Informatica, 
25:593-624, 1988. 
8. Back, RJ.R., "Refinement calculus, part II : Parallel and reactive programs". In de Baker, 
de Rover, and Rozenberg, editors, Stepwise Refinement of Distributed Systems. volume 
430 of LNCS, Springer Verlag, 1989. 
9. Back, R.J.R. and Wright, 1., "Refinement concepts formalised in HOL", Formal Aspects 
of Computing, 3(4). 1990. 
200 
Ph.D. Thesis 8.5 Conclusions 
10. Baudinet, M., "Logic Programming Semantics : Techniques and Applications", Ph.D. 
Thesis, Computer Science Dept., Stanford University, Stanford, C.A .. 
11. Beek, M. von der, "A comparison of stateftow variants", In L.de Roever and 1. Vytopil, 
editors, Fonnal techniques in real-time and fault tolerant systems", volume 863 of LNCS, 
pages 128-148, Springer-Verlag, 1994. 
12. Bengtsson, 1., Larsen, K.G., Larsson, F., Pettersson, P., And Yi, Wang, "Uppaal - a Tool 
suite for Automatic Verification of Real-Time Systems", In Hybrid Systems III, volume 
1066 of LNCS, pages 232-243, Springer Verlag, 1996. 
13. Bergstra, J. and Klop, 1., "Algebra of communicating processes with abstraction", Journal 
of Theoretical Computer Science, 37:77-121, 1985. 
14. Berry, G., "Another look at real-time programming", Proceedings of the IEEE, 1991,79. 
15. Berthomieu, B., and Diaz, M., "Modelling and Verification of Time Dependent Systems 
using Timed Petri Nets", IEEE Transactions on Software Engineering, 17(3):259-273, 
March 1991. 
16. Bjorner, D. and Jones, C.M, "The Vienna Development Method: The Meta-Language", 
published by Springer-Verlag as part of the series Lecture Notes in Computer Science, 
Vo1.61, 1978. 
17. Boehm, B., "A spiral model of software development and enhancement", IEEE Computer, 
May 1988, pages 61-72. 
18. Bolognesi, T., Brinksma, E., "Introduction to the ISO specification language LarOS", 
Computer Networks ISDN systems, 14(1987), pages 25-59. 
19. Bonewitz, Ronald L., ''TEACH YOURSELF - The complete guide to understanding and 
writing hieroglyphics", First Edition, 2001, Hodder and Stoughton Ltd., UK. 
20. Bowen, Jonathan P. and Hinchey, Michael G., "Seven More Myths of Fonnal Methods", 
IEEE Software, Vo1.12, No.4, July 1995. 
21. Boyer, R. and Moore, 1., "A Computational Logic Handbook", Academic Press, New 
York,1988. 
201 
Pb.D. Thesis 8.S Conclusions 
22. Bremond-Gregoire, P., Choi, J. Y. and Lee, I.. ''The soundness and completeness of 
ACSR", Technical Report MS-CIS-93-59, Univ. of Pennsylvania, June 1993. 
23. Budgen, David "Software Design", Addison Wesley publication company, 1995. 
24. Bums, A., and Wellings, A., "HRT-HOOD : A Structured Design Method for Hard Real-
Time Systems", Elsevier, 1995. 
25. Biissow, Robert, Gieser, Robert and KIar, Marcus, "Specifying Safety-Critical Embedded 
Systems with Statecharts and Z : A Case Study", in Egidiano Astesiano, editor, Proceed-
ings of the 1st International Conference on Fundamental Approaches to Software Engi-
neering - FASE '98, vol. 1382 of LNCS, pages 71-87 , Springer-Verlag, 1998. 
26. Cau, A., Czarnecki, C., Zedan, H., "Designing a Provably Correct Robot Control System 
using a 'Lean' Formal Method", In the proceedings of the 5th International Symposium, 
FTRTFT'98, Lyngby, Denmark, September 1998, volume 1486 of Lecture Notes in Com-
puter Science, pages 123-132. 
27. Cau, A., Zedan, H., Coleman, N., Moszkowski, B., "Using ITL and Tempura for large-
scale specification and simulation", In proceedings of Fourth Euromicro Workshop on 
Parallel and Distributed Processing, IEEE Computer Society Press, pages 493-500, Braga, 
Portugal, 1996. 
28. Cau, A., Moszkowski, Ben, "Interval Temporal Logic Proof Checker", Technical Report 
available from ''http://www.cse.dmu.ac.uklSTRL''. 
29. Cau, Antonio, and Zedan, Hussein, "Refining Interval Temporal Logic Specifications", 
In proceedings of the fourth AMAST Workshop on Real-Time Systems, Concurrent, and 
Distributed Software (ARTS'97), LNCS 1231, p. 79-94, Mallorca, Spain, May 21-23, 
1997. 
30. Chakrapani Rao, Arun, Cau, Antonio and Zedan, Hussein, "Visualization of Interval Tem-
poral Logic", Proceedings of the Fifth International Conference on Computer Science and 
Informatics, New Jersey, USA, Feb-Mar, 2000. 
202 
Ph.D. Thesis 8.5 Conclusions 
31. Chang, S.K. "Visual Languages: A Tutorial and Survey", IEEE Software, 4(l):pages 
29-39, January 1987. 
32. Chen, Z., "Formal methods for object-oriented paradigm applied to the engineering of 
real-time systems: A review", Research Monograph 5, School of Computing Sciences, 
De Montfort University, Leicester, 1997. 
33. Clark, Tony and Evans, Andy, "Foundations of the Unified Modeling Language", In Pro-
ceedings of the 2nd BCS-FACS Northern Formal Methods Workshop, Springer, 1998. 
34. Clarke, E.M., and Emerson, E.A., "Synthesis and synchronization skeletons for branching 
time temporal logic", In D. Kozen, editor, Logic of Programs Workshop, number 131 in 
LNCS, Springer Verlag, 1981. 
35. Coen-Porisini, A., Kemmerer, R., and Mandrioli, D., "A formal framework for ASTRAL 
intralevel proof obligations", IEEE Trans. on Software Eng., 20(8):548-561, August 1994. 
36. Cooling, J.E., "Real-Time Software Systems' : An Introduction to Structured and Object-
Oriented Design", International Thomson Computer Press, January 1997. 
37. Damm, W., Josko, B. and Schlor, R., "Specification and verification of VHDL-based 
system-level hardware designs", In E.Borger, editor, Specification and Validation Meth-
ods, Oxford University Press, 1995. 
38. Daws, c., Olivero, A., Tripakis, S. and Yovine, S., "The tool Kronos", In Hybrid Systems 
fi, volume 1066 ofLNCS, pages 208-219, Springer-Verlag, 1996. 
39. Day, Nancy, "A Model Checker for Statecharts", Technical Report No. TR-93-35, Dept. 
of Computer Science, University of British Columbia, 1993. 
40. Dierks, Henning, "PLC-Automata : A New Class of Implementable Real-Time Au-
tomata", In ARTS'97, LNCS, Springer Verlag, May 1997. 
41. Dillon, L.K., Kutty, G., Moser, L.E., Melliar-Smith, P.M., and Ramakrishna, Y.S., "Graph-
ical specifications for concurrent software systems", Proc. of the 14th International Conf. 
Software Engineering, Melbourne, Australia, pp.214-224, May 1992. 
203 
Ph.D. Thesis 8.S Conclusions 
42. Douglass, Bruce Powell, "UML Statecharts", A White Paper in Embedded Systems Pro-
gramming, January 1999. 
43. Downs, E., Clare, P., and Coe, I., "Structured Systems Analysis and Design Method", 
Prentice-Hall publishers, 215 papges, 1988. 
44. Emerson, E.A., ''Temporal and modal logic" , Handbook of Theoretical Computer Science, 
van Leeuwen, l(editor), Noth-Holland, Amsterdam, pages 995-1072. 
45. ESA, "HOORA : Hierarchial Object-Oriented Requirement Analysis", 1993, ESA report 
E2S/OORAlWPIIMETH. 
46. Esterel webpage at http://www.inria.fr/meijelestereV. 
47. Feyerabend, Konrad and Josko, Bernhard, "A visual formalism for real time requirement 
specification. In Transformation-Based Reactive System Development", number 1231 in 
LNCS, pages 156-168, Springer Verlag, 1997. 
48. Feyerabend, Konrad and Schlor, "Hardware synthesis from requirement specifications", 
In Proceedings EURO-DAC with EURO-VHDL 96, IEEE Computer Society Press, 1996. 
49. Fisher, M., Kono, S. and Orgun, M.A., Editors, "Editorial: Executable Temporal Logics", 
J.Symbolic Computation(I996), Vo1.22, pages 721-735. 
SO. Floyd, R.W., "Assigning meanings to programs" in Mathematical Aspects of Computer 
Science(editor Schwartz, J.T.), Proceedings of Symposia in Applied Mathematics 19, 
(American Mathematical Society), Providence, Rhode Island, U.S.A., pages 19-32, 1967. 
S1. Fokkink, Wan and Hollingshead, Paul, "Verification of Interlockings : from Control Ta-
bles to Ladder Logic Diagrams", CSR 15-98, Computer Science Report Series, 1998, 
University of Wales, Swansea, UK. 
S2. Ford, Lindsey, "How programmers visualize programs", In processings of the Fifth Work-
shop on Empirical Studies of Programmers, 1993. 
53. Formal Methods WWW virtual library at .. http://www.afm.sbu.ac.uklfm ... 
204 
Ph.D. Thesis 8.5 Conclusions 
54. Friel G. and Budgen, D. "Design transformation and abstract design prototyping", Infor-
mation and Software Technology, 31(9), 707-19. 
55. Fuchs, Norbert E., "Specifications are (preferably) executable, Software Engineering Jour-
nal, September 1992, pages 323-334. 
56. Fujita, M., Kono, S., Tanaka, H. and Moto-oka, T., ''Tokio: logic programming language 
based on temporal logic", Proc. of 3rd Int. Congo Logic Prog., E.Shapiro(editor), Lecture 
Notes in Computer Science 225, Springer-Verlag, 695-709. 
57. Ghezzi, C., Mandrioli, D., and Morzenti, A., "TRIO, a logic language for executable 
specifications of real-time systems", Journal of Systems and Software, 12(2):107-123, 
May 1990. 
58. Glinert, E.P. and Tanimoto, S.L., "Pict : An Interactive Graphical Programming Environ-
ment", Computer, Vol.17, No. 11, Nov. 1984, pages 7-25. 
59. GNOME website at ''http://www.gnome.orgf' 
60. Goldblatt, R, "Logics of time and computation", CSLI Lecture Notes 7, CSLI, Stanford 
University, Stanford. 
61. Golsen, S., "State Machine Design Techniques for Verilog and VHDL", Synopsys Journal 
of High Level design, September 1994. 
62. Gordon, M.1.C., "LCF-LSM: A system for specifying and verifying hardware", Computer 
Laboratory, University of Cambridge, Technical Report, 41, 1983. 
63. Gordon, M., "Mechanizing programming logics in higher order logic", Technical Report 
145, Univ. of Cambridge, Cambridge, UK, 1988. 
64. Guttag, J.V., and Horning, J.1., "Larch: Languages and Tools for Formal Specification", 
Springer-Verlag, 1993. 
65. Hailpern, B.T., "Verifying Concurrent Processes Using Temporal Logic", Lecture Notes 
in Computer Science, 129, Springer-Verlag, Berlin. 
205 
Ph.D. Thesis 8.S Conclusions 
66. Hailpern, B.T. and Owicki, S.S, "Modular verification of computer communication proto-
cols", IEEE Transactions on Comm., COM-31, 1:56-58. 
67. Halbwachs, N., "Synchronous programming of reactive systems", Kluwer Academic Pub-
lishers, 1993. 
68. Harel, D., "Statecharts : a visual formalism for complex systems", Science of Computer 
Programming, 8(1):231-274, 1987. 
69. Harel, D., and Naamad, Amnon, ''The STATEMATE Semantics of Statecharts", ACM 
Transactions on Software Engineering Method, October 1996. 
70. Hayes, I.J., Jones, C.B., "Specifications are not (necessarily) executable", Software Engi-
neering Journal, 1989,4, (6), pages 330-338. 
71. Heimdahl, M.P.E., Leveson, N., "Completeness and consistency analysis in hierarchial 
state-based requirements.", IEEE Trans. on Software Eng. SE-22(6), June 1996, pages 
363-377. 
72. Heitmeyer, C., "On the Need for Practical Formal Methods", In the proceedings of the 
5th International Symposium, FTRTFT'98, Lyngby, Denmark, September 1998, volume 
1486 of Lecture Notes in Computer Science, pages 18-26. 
73. Heitmeyer, C., Jeffords, R., and Labaw, B., "Automated consistency checking of require-
ments specifications.", ACM Trans. Software Eng. and Method. 5(3), 1996. 
74. Heitmeyer, C., Jeffords, R., and Labaw, B., "Comparing different approaches for spec-
ifying and verifying real-time systems", In Proc. Tenth IEEE Workshop on Real-Time 
Operating Systems and Software, pages 122-129, New York, May 1993. 
75. Henzinger, T.A., Nicollin, X., Sifalds, 1., and Yovine, S., "Symbolic model checking for 
real-time systems", Information and Computation, 111(2): 193-244, 1994. 
76. He, Jifeng, "Specification oriented semantics for ProCoS programming language PL,tme, 
Oxford University, 1991, PRG-OU-HJF-71. 
77. Hoare, C.A.R., "An axiomatic basis for computer programming", Comm. ACM, 12(10), 
pages 576-580. 
206 
Ph.D. Thesis 8.S Conclusions 
78. Hoare, C.A.R., "Communicating Sequential Processes", Prentice-Hall, New York, 1985. 
79. Hopcroft, John E., and Ullman, Jeffery, D., "Introduction to automata theory, languages, 
and computation", Addison-Wesley, 1980. 
80. Huth, Michael R.A., Ryan, Mark D. "Logic in Computer Science - Modelling and reason-
ing about systems" 
81. I-Logix product information at .. http://www.ilogix.com ... 
82. Ince, Darrel, "Set Piece", "System and Software Requirements Engineering", IEEE Com-
puter Society Press Tutorial, Edited by Richard H. Thayer and Merlin Dorfman, 1990. 
83. Ince, Darrel C., "An Introduction to Discrete Mathematics and Formal System Specifi-
cation", Oxford Applied Mathematics and Computing Science Series, Clarendon Press. 
1988, Chapter 9 onwards. 
84. ITL homepage on the internet ... http://www.cse.dmu.ac.ukf.caulitlhomepagelindex.html ... 
85. Jackson, M.A .• "Principles of Program Design". 1975, Academic Press Inc., New York. 
86. Jacky, Jonathan, ''The Way of Z : Practical Programming With Formal Methods", June 
1997, paperback, Cambridge University Press. 
87. Jacob, Jeremy, ''The Varieties of Refinement", J.M.Morris and R.C. Shaw. eels •• Proceed-
ings of the 4th BCS-FACS Refinement Workshop. Cambridge. pp9-11, Springer Verlag. 
Januaray 1991. 
88. Jahanian, E and Mok. A.K .• "Safety analysis of timing properties in real-time systems", 
IEEE Trans. on Software Eng., 12(9):890-904, September, 1986. 
89. Jahanian. E. and Mok, A.K .• "Modechart : A specification language for real-time sys-
tems", IEEE Trans. on Software Eng .• 20(10):879-889, October 1994. 
90. Johnson, D., ''The ftow of control notations Pancode and Boxcharts", SIGPLAN Notices, 
25, August, 106-119. 
207 
Ph.D. Thesis 8.S Conclusions 
91. Joseph, Mathai, Editor, "Chapter 1 : Time and Real Time by Joseph, Mathai", "Real-time 
Systems - Specification, Verification and Analysis", Prentice Hall International(UK) Ltd, 
1996. 
92. Jullig, Richard and Srinivas, Y.V., "Diagrams for Software Synthesis", In proceedings 
of The Eighth Annual Knowledge-Based Software Engineering Conference" held in 
Chicago. The paper is available from ''http://www.kestre1.edu''. 
93. Goldberg, A and Kay, Alan, "Smalltalk 72 Instruction Manual", Xerox Pare, Palo Alto, 
California, 1976. 
94. KDE website ''http://www.kde.org/'' 
95. Knight, John c., "Challenges in the Utilization of Formal Methods", In the proceedings 
of the 5th International Symposium, FTRTFT'98, Lyngby, Denmark, September 1998, 
volume 1486 of Lecture Notes in Computer Science. pages 1-17. 
96. Korf, F. and Schlor, R., "Interface controller synthesis from requirement specifications". 
In Proceedings, The Europen Conference on Design Automation, pages 385-394, Paris, 
France, February 1994, IEEE Computer Society Press. 
97. Krieg-Bruckner, B., Peleska, J, Olderog, E.-R., et al., "UniForM - Universal Formal 
Methods Workbench". In Status seminar des BMBF Softwaretechnologie, pages 357-378, 
BMBF, Berlin. 1996. 
98. Kromodimoeljo, S., Pase, W .• Saaltink, M., Craigen, D., and Meisels, I., "A tutorial on 
EVES", Technical Report. Odyssey Research Associates, Ottawa, Ont.. 1993. 
99. Lamport. L., "What good is temporal logic". In Proc. IFIP 9th World Congress, 
R.E.A.Mason(editor), North-Holland, pages 657-668. 
100. Lee, I., Bremond-Gregoire, and Gerber, R., "A Process Algebraic Approach to the Speci-
fication and Analysis of Resource-Bound Real-Time Systems", Proceedings of the IEEE, 
pages 158-171. Jan. 1994. 
101. Leigh, A.W., "Real Time Software for Small Systems", Published in UK by Sigma Press, 
Wilms low, First Edition. 1988. 
208 
Ph.D. Thesis 8.S Conclusions 
102. Liu, Xiadong, Yang, Hongji and Zedan, Hussein, "Speed and Scale Up Software Reengi-
neering with Abstraction Patterns and Rules", In proceedings of the International Confer-
ence on Software Maintenance (ICSM) 2000, San Jose, California. 
103. Liu, Xiadong, "Abstraction: A notion for reverse engineering", Ph.D. Thesis, De Monfort 
University, Leicester, UK, September 1999. 
104. Liith Karsten, ''The ICOS Synthesis Environment", In the proceedings of the 5th Inter-
national Symposium, FTRTFT'98, Lyngby, Denmark, September 1998, volume 1486 of 
Lecture Notes in Computer Science, pages 294-297. 
105. Lowe, G. and Zedan, H., "Refinement of complex systems: a case study", The Computer 
Journal, 38, No. 10, 1995. 
106. Lynch, N. and Vandraager, F., "Forward and backward simulations for timing-based sys-
tems", In proceedings of REX workshop "Real-Time: Theory in Practice", volume 600 
ofLNCS, pages 397-446, Mook, The Netherlands, June 1991, Springer-Verlag. 
107. Manna, Z., Pnueli, A., ''The Temporal Logic of Reactive and Concurrent Systems - Spec-
ification", Springer-Verlag, New York, Inc., 1992. 
108. McCarthy, J., ''Towards a mathematical science of computation", In proceedings, IFIP, 
1961, pages 21-28. 
109. Merlin, P. and Farber, D., "Recoverability of communication protocols"" IEEE Trans. on 
Communications, 24(9):1036-1043, September 1976. 
110. Merritt, M., Modugno, F., and Tuttle, M., ''Time constrained automata", In Baeten, lC.M. 
and Goote, IF., editors, CONCUR'91 : 2nd International Conference on Concurrency 
Theory, volume 527 of LNCS, pages 408-423, Amsterdam, The Netherlands, August 
1991, Springer-Verlag. 
111. Milner, R., "Communication and Concurrency", Prentice-Hall, New York, 1985. 
112. Morgan, Carroll, "Programming from Specifications", Prentice Hall International, 1990. 
209 
Ph.D. Thesis 8.S Conclusions 
113. Moser, L.E., Ramakrishna, Y.S., Kutty, G., Melliar-Smith, P.M. and Dillon, L.K., "A 
Grnphical Environment for the Design of Concurrent Real-Time Systems", ACM Trnns-
actions on Software engineering and Methodology, 6(1):31-79, 1997. 
114. Moszkowski, B.C., "Reasoning about Digital Circuits", Ph.D. Thesis, Stanford University 
Technical Report STAN-CS-83-970. 
115. Moszkowski, B.C., "Compositional Reasoning using Interval Temporal Logic and Tem-
purn", LNCS, Vol. 1536, pp 0439-. 
116. Moszkowski, Ben, "Executing Tempoml Logic Progmms", Cambridge Uni-
versity Press, 1986. An online version of the book is available from 
.. http://www.cse.dmu.ac.u.krcaU/itlhomepageJnode2.html ... 
117. Moszkowski, Ben, "An Automata-Theoretic Completeness Proof for Interval Tempornl 
Logic (Extended Abstmct)", In Proceedings of the 27th International Colloquium on Au-
tomata, Languages and Progmmming (ICALP 2(00), editors: U go Montanari, Jose Rolim 
and Emo Welzl, Geneva, Switzerland, July 9-15,2000. LNCS, vo1.1853, Springer-Verlag, 
pages 223-234. 
118. Moszkowski, Ben, "A Complete Axiomatization of Interval Tempoml Logic with Infinite 
Time (Extended Abstract)", In Proceedings of the Fifteenth Annual IEEE Symposium on 
Logic in Computer Science (UCS 2(00), June 26-29, 2000, Santa Barbara, California, 
USA, IEEE Computer Society Press, pages 242-251. 
119. Myers, B.A., "Taxonomies of visual progmmming and program visualization", Journal of 
Visual Languages and Computing, 1(1):97-123, 1990. 
120. Formal Methods Specification and Verification Guidebook for Software and Computer 
Systems, Volume I : Planning and Technology Insertion", produced by Office of Safety 
and Mission Assumnce, National Aeronautics and Space Administration (NASA), NASA-
GB-002-95, Release 1.0, July 1995. 
121. Ostroff, 1., ''Tempoml Logic for Real-Time Systems", Research Studies Press LTD., 
Taunton, Somerset, England, 1989. 
210 
Ph.D. Thesis 8.S Conclusions 
122. Ostroff, J., "Visual tools for verifying real-time systems", In Rus, T. and Rattray, C .• 
editors, Theories and Experiences for Real-Time System Development, AMAST Series in 
Computing. Volume 2. pages 83-101, Singapore, 1994, World Scientific Publishing Co .. 
123. Owicki. S. and Lamport, L., "Proving livenes properties of concurrent programs". ACM 
Transactions on Programming Languages and Systems. 4(3), pages 455-495. 
124. Owre, S., Shankar. N., and Rushby, N .• "User guide for the PVS specification and ver-
ification system(draft)", Technical Report, Compo Sci. Lab., SRI Intl., Menlo Park. CA. 
1993. 
125. Peterson. J.L., "Petri Net Theory and Modeling of Systems". Prentice-Hall. Englewood 
Cliffs, New Jersey, 1981. 
126. Poueli, A., "Applications of temporal logic to the specification and verification of re-
active systems : A survey of current trends", Current Trends in Concurrency, Bakker. 
J.W.de, Roever, W.P.de and Rozenberg, G.(editors), Lecture Notes in Computer Science 
224, Springer-Verlag, Berlin. pages 510-584. 
127. PoueH. A., ''The temporal logic of programs", Proc. 18th IEEE Symposium on Founda-
tions of Computer Science, pages 46-57. 
128. PoueH, A., ''The temporal semantics of concurrent programs", Theoretical Computer Sci-
ence, 13. pages 1-20. 
129. Pressman. R.S., "Software Engineering - A Practitioner's approach", Third edition, Mc-
Graw Hill, Inc., International edition 1992. 
130. Puigsegur i Figueras, Jordi and Agusti i Cullell, Jaume, "Using a Visual Syntax in Logic 
Programming" Technical Report IDA 96-2, Institut d'Investigacio en Intel-ligencia Arti-
ficial, Bellaterra, Catalonia, March 1996. 
131. PVS homepage on the internet, .. http://www.csl.sri.comlpvs.html ... 
132. Reed, G. and Roscoe, A., ''Metric spaces as models for real-time concurrency", In Pr0-
ceedings, Mathematical Foundations of Computer Science, LNCS, volume 298. New 
York, 1987, Springer-Verlag. 
211 
Ph.D. Thesis 8.5 Conclusions 
133. Richardson, Debra J., "Modeling Automobile Cruise Control System Using Graphical 
Interval Logic", from ''http://www.ics.ucLedurdjrf' 
134. Ruiz, Marrero, Suarez, Alvaro, "A tool for visualizing LorOS Behavioural Specifica-
tions", 4th FfRTFf, LNCS 1135, pages 475-478, Sept. 1996. 
135. Scholefield, D.J., Zedan, H. and He, J., "Real-time refinement: semantics and applica-
tion", LNCS, 711, pages 693-701, 1993. 
136. Scholefield, OJ., Zedan, H. and He, 1., "A specification oriented semantics for the refine-
ment of real-time systems", Theoretical Computer Science, 130, August 1994. 
137. Selic, B., Gullekson, G., and Ward, P., "Real-Time Object Modeling", John Wiley, 1994. 
138. Shlaer, S. and Mellor, S., "Object oriented system analysis: Modeling the world in data", 
Prentice-Hall, Englewood Cliffs, New Jersey, 1988. 
139. Shu, N.C., "Visual Programming Languages: A Perspective and a Dimensional Anal-
ysis", In Visual Languages, editors Chang, S.K., Ichikawa, T., and Ligomenides, P.A., 
pages 11-34, Plenum, New York, 1986. 
140. Sinan Si Alhir,"UML in a Nutshell- A Desktop Quick Reference", O'Reilly & Associates, 
Inc., First Edition, September 1998. 
141. Skakkebaek, 1., Shankar, Natarajan, "Towards a Duration Calculus proof assistant in 
PVS", In Third International Symposium on Formal Techniques in Real-Time and FauIt-
Tolerant Systems, volume 863 of Lecture Notes in Computer Science, 1994, pages 660-
679. 
142. SPIN webpage for the model checker at http://netlib.bell-
labs.comlnetlib/spinlwhatispin.html 
143. "Stateftow User's Guide", The MathWorks, Inc., 3 Apple Hill Drive, Natick, MA 01760-
2098. 
144. Tapken, Josef, "Interactive and Compilative Simulation of PLC-Automata", In W.Hahn 
and A.Lehmann, editors, Simulation in Industry, ESS'97, pages 552-556, SCS, 1991 
212 
Ph.D. Thesis 8.S Conclusions 
145. Thomas, Wolfgang, "On the synthesis of strategies in infinite games", In E.W.Meyer and 
C.Puech, editors, Symposium on Theoretical Aspects of Computer Science(STACS 95), 
volume 900 of Lecture Notes in Computer Science, pages 1-13, Springer-Verlag, March 
1995. 
146. Tkpaint homepage at http://www.netanya.ac.iIrsamy/tkpaint.htrnl 
147. "Visualization in Computing", A special issue, IEEE Computer 22, No. 10, pp.9-65, Oc-
tober(1989)". 
148. Ward, P.T. and Mellor, S.1., "Structured Development for Real-Time Systems", Yourdon 
Press, New York, 1985. 
149. Ward, M., "A definition of abstraction", Technical report, Durham University, 1992. 
ISO. Welch, Brent B., "Practical Programming in Tel and Tk", second edition, Prentice-Hall, 
Inc., 1997. 
I( 
151. Wing, I.M., "A specifier's introduction to formal methods", Computer, 1990,7, (5), pages 
8-24. 
152. Yourdon, E., and Constantine, L.L., "Structured Design", Yourdon Press, 1979. 
153. Zhou, Chaochen, Hoare, C.A.R., and Ravn, A.P, "A calculus of durations" Information 
Proc. Lettters, 40(5), December 1991. 
154. Zhou, Chaochen, "Duration Calculi: An overview", In D.Bjorner, Bray, M., and Pottosin, 
I. V., editors, Proc. Formal Methods in Programming and Their Application, volume 735 
ofLNCS, pages 256-266, Springer-Verlag, 1993. 
213 
Appendix A 
Temporal Agent Model 
A.1 Computational Model 
A model of computation defines mathematically an abstract architecture upon which 
applications will execute. A system is a collection of agents (which is our unit of 
computation), possibly executing concurrently and communicating synchronously or 
asynchronously via communication links. Systems can themselves be viewed as sin-
gle agents and composed into larger systems. Systems have timing constraints im-
posed at three levels; system wide communication deadlines, agent deadlines and sub-
computation deadlines (within the computation of an individual agent). Deadlines are 
all considered to be hard. A system has a static configuration, and it must have at most 
a finite number of communication links and agents. At any instant in time. a system 
can be thought of as having a unique state. The system state is defined by the values 
in the communication links and the state variables of the system. the so-called frame. 
This frame defines the variables that can possibly change during system execution. the 
variables outside this frame will certainly not change. Computation is defined to be a 
sequence of system states, i.e. an interval of states. ITL enables us to describe these 
sets of computations in an eloquent way. An agent is described by a computation which 
may transform a local data-space and may read read and write to communication links 
during execution. The local data-space for the agent is created when the agent star 
214 
Ph.D. Thesis A.I Computational Model 
ecution and is destroyed when the agent tenninates. No agent may read or write another 
agent's local data-space. The computation may have both minimum and maximum ex-
ecution times imposed. An agent may perform both computation and communication. 
Only an agent which performs no computation or communication may terminate in-
stantaneously. Such an agent is called an empty agent. An agent may start execution as 
a result of either a condition of the current time or a write event occurring on a specific 
communication link. 
An agent may write to at most a finite number of communication links and read from 
at most a finite number of them. Synchronous communication links are called channels 
where read and write occurs at the same time. Asynchronous communication links are 
called shunts. Synchronous communication links modelled by a shared variable which 
contains three values: the first one indicates if there is an agent willing to read from 
the channel, the second one if there is an agent willing to write to the channel and the 
third is the value transmitted over the channel. Asynchronous communication links are 
modelled by a shared variable which contains two values: the first one is a stamp which 
is increased by one each time a new write to the shunt takes place, and the second one is 
the value which was most recently written. Shunt writing is destructive, shunt reading 
is not. 
Communication link readership may be restricted to a set of agents. These agents 
can then be considered as a subsystem where communication links which are read or 
written by the agents within the subsystem define the subsystem's boundary. Sub-
systems may not overlap. The stamps within the shunts enable the reading agents to 
compute according to the freshness of the data. The need for stamps in shunts is a di-
rect consequence of the decision to use non-destructive asynchronous communication. 
When an agent performs two consecutive inputs from a shunt and reads the same data 
item twice, it may need to know if each value is a result of two different writes or a 
single write. 
For a detailed treatment of the syntax and semantics of TAM, the reader is referred 
to [135. 105. 29]. The following gives. in more detail, the concrete constructs intro-
215 
Ph.D. Thesis A.I Computational Model 
duced in chapter 4. 
TAM concrete constructs 
This following introduces the concrete constructs for reasoning about communica-
tion, timing and resource allocation. 
• Channel communication: 
Let C be a channel then channel C E P denotes that a new channel is introduced. 
C!e denotes an output agent that sends the value of expression e over C. C?x 
denotes an input agent that stores the value received over C in x. 




-. nl(C) = true 
C! 
-. n2(C) = true 
C.X 
-. n3(C) = x 1\ C? 1\ C! 
C!e 
-. 
(..,C? 1\ C! 1\ stable (C) ; skip) v empty; C.e 
C?x 
-. (..,C! 1\ C? 1\ stable (C) ; skip) vempty;C.x 
TIj is the projection function that for i = 1 gives the "willing to read" value. for 
i = 2 gives the "willing to write" value and for i = 3 the actual value in the 
channel. In the first interval the agent is waiting for its partner and in the second 
interval communication takes place. 
Let d E TIME. The notation C!de (C?dX) specifies an agent which is willing to 
perfonn the communication at time d. However. the agent will be held up forever 
if the environment fails to react promptly. 
C!de -. C!e 1\ (finite :> len = d) 
C? dX -. C?x 1\ (finite :> len = d) 
• Shunt communication: 
216 
Ph.D. Thesis A.I Computational Model 
Let s be a shunt then shunt s in P denotes that a new shunt s is introduced. 
write ( v, s) denotes that value v is written to shunt s. read (s) gives the value stored 




shunts in P 
...... 3s.y's=O"P 





where ni is the projection function that for i = 1 gives the stamp and for i = 2 
gives the value stored in the shunt. 
Let dE Time - {O}. The notation writed(v,s) specifies an agent that writes value 
v to shunt s at time d. 
write d (v, s) ...... len = d - 1 ; skip" Os = (y' s + 1, v) 
Note: the value of the stamp is defined to be the value of the stamp in the previous 
state plus 1. 
If one wants a version of write d which remains stable except in the last state of 
the interval one can take pwrite d (v, s) which is defined as 
pwrited(v,s) ...... writed(V,S) "padded(s) 
• Delay and timeout: 
Let d E TIMEU {oo}. The notation delaYd describes an agent which first holds 
up for d time units and then terminates with all global variables untouched. Its 
execution does not claim any resource time 
delaYd ...... len = d 
Let dE TIME U {oo}. The notation P Sld Q defines an agent which behaves like 
P if P is executed within d time units. otherwise it behaves like agent Q. 
P Sld Q ...... if (P :) finite" len ~ d) then P else Q 
217 
Ph.D. Thesis A.1 Computational Model 
• Resource allocation : 
Let res be a resource then request (v, res) is the agent that requests v units of 
resource res. If these v units are not available it waits for them. release ( v, res) is 
the agent that releases v units of resource res. 
request ( v, res) ..... if res ~ v then res := res - v else C( request ( v, res) ) 
release (v, res) ..... Ores = res + v 
218 
AppendixB 
Core Tcl-Tk procedures for the VisITL 
tool 
B.l Core Drawing Procedures for VisITL Constructs 
The following procedure is used in the drawing of VisITL constructs like "Next". "Al-
ways", "Sometime" etc .. when the user selects a VisITL construct on the tool-bar and 
starts drawing on the canvas. 
proc start Formula_enhancer {qualifier} 
global Formula_enhancer Graphics 
global enhancer_line Graphics 
global enhancer_text Graphics 
global textstr 
set Formula_enhancer(shape) Formula_enhancer 
set enhancer_line (shape) enhancer_line 
set enhancer_text(shape) enhancer_text 
set textstr $qualifier 
bind .c <Button-I> { 
global xl yl x2 y2 
219 
Ph.D. Thesis B.1 Core Drawing Procedures for VisITL Constructs 
set x [.c canvasx %x $Graphics(grid,snap)] 
set y [.c canvasy %y $Graphics(grid,snap)] 
set xl $x 
set yl $y 
set Formula_enhancer (coords) "$x $y $x $y" 
set Formula_enhancer (options) [list \ 
-width 4 \ 
-outline blue \ 
-stipple $Graphics(fill,style) \ 
-tags {Formula_enhancer obj} \ 
set enhancer_line (options) [list \ 
-width 2 \ 
-tags {enhancer_line obj} \ 
-fill black 
set enhancer_text (options) [list \ 
-tags {enhancer_text obj} \ 
-text $textstr \ 
-font {-size 15 -weight bold -slant italic} \ 
} 
bind .c <Bl-Motion> { 
global xl y1 x2 y2 
set x [.c canvasx tx $Graphics(grid,snap)] 
set y [.c canvasy %y $Graphics(grid,snap)) 
makeformula_enhancer $x $y 
bind .c <Bl-ButtonRelease> { 
220 
Ph.D. Thesis B.1 Core Drawing Procedures for VIsITL Constructs 
global xl y1 x2 y2 yline Formula_enhancer enhancer line 
if ! [info exists Formula_enhancer(id)] {return} 
set utag [Utag assign $Formula_enhancer(id)] 
set x2 [ . c canvasx %xl 
set y2 [. c canvasy ty] 
set yline [expr ($y1 + O.25*($y2 - $y1))] 
set x3 [expr ($x1 + O.50*($x2-$x1))] 
set enhancer_line (id) [eval . c create line $x1 $yline $x2 \ 
$yline $enhancer_line(options)] 
#if ! [info exists Formula_enhancer(id)] {return} 
# set utag [Utag assign $Formula_enhancer(id)] 
# .c addtag $utag closest $x3 $yline 
# The "exists" part was shifted above the lines for the creation of 
# the enhancer line so that a mouse click and release at the same point 
# does not end up creating a line (at the same point) thereby entering 
# an additional line in the .pic file ............ 12 August 1999 
.c addtag $utag withtag [eval set tag_line [Utag assign \ 
$enhancer_line(id)]] 
set ytext [expr $yline - 5] 
set fillcolor black 
if {$textstr == "always"} 
set fillcolor red 
else if {$textstr == "next"} 
set fillcolor blue 
else { set fillcolor black 
if {$textstr == "chopstar"} { 
set fillcolor DodgerBlue 
set enhancer_text (id) [eval . c create text $x3 $ytext \ 
221 
Ph.D. Thesis B.1 Core Drawing Procedures for VisITL Constructs 
$enhancer_text(optionsl -fill $fillcolorl 
.c addtag $utag withtag [eval set tag_tex [Utag assign \ 
$enhancer_text(idlll 
set taginfo [.c itemcget $ Formul a_enhancer (id) -tags] 
# puts $taginfo 
set taginfo [.c itemcget $enhancer_line(id) -tagsl 
# puts $taginfo 
set taginfo [.c itemcget $enhancer_text(idl -tagsl 
# puts $taginfo 
} 
History add [getObjectCommand $utag 1] 
Undo add ".C delete $utag" 
unset enhancer text 
unset enhancer line 
unset Formula enhancer 
Message "Found any bugs?" 
The following procedure was called in the previous procedure. It completes the 
drawing of the VisITL construct at the point the user releases the left mouse-button. 
proc makeformula_enhancer {x y} { 
global Formula_enhancer xl y1 yline 
set Formula_enhancer (coordsl [lreplace $ Formula_enhancer (coordsl \ 
2 3 $x $y] 
catch {.c delete $Formula_enhancer(idl} 
set Formula_enhancer (idl \ 
[eval .c create rectangle $Formula_enhancer(coordsl \ 
222 
Ph.D. Thesis B.1 Core Drawing Procedures for VisITL Constructs 
$Formula_enhancer(options) 
###### END OF FORMULA ENHANCER SECTION 
The following procedure is used when the VisITL construct is to be created in a 
specific location (as is required by refinement rules). 
###### FORMULA ENHANCER SECTION GIVEN COORDS 
proc startFormula_enhancer-with {xl yl x2 y2 qualifier} 
global Formula_enhancer Graphics 
global enhancer_line Graphics 
global enhancer_text Graphics 
global textstr 
set textstr $qualifier 
set Formula_enhancer (coords) "$xl $yl $x2 $y2" 
set Formula_enhancer (options) [list \ 
-width 3 \ 
-outline brown \ 
-stipple $Graphics(fill,style) \ 
-tags {Formula_enhancer obj} \ 
set enhancer_line (options) [list \ 
-width 2 \ 
-tags {enhancer_line obj} \ 
-fill black 
set enhancer_text(options) [list \ 
-tags {enhancer_text obj} \ 
223 
Ph.D. Thesis B.1 Core Drawing Procedures for VisITL Constructs 
-text $textstr \ 
-font {-size 15 -weight bold -slant italic} \ 
makeformula_enhancer $x2 $y2 
if ! [info exists Formula_enhancer(id)] {return} 
set utag [Utag assign $Formula_enhancer(id)] 
History add [getObjectCommand $utag 1] 
Undo add ".c delete $utag" 
unset Formula_enhancer 
set yline [expr ($y1 + O.25*($y2 - $y1))] 
set enhancer_line (id) [eval .c create line $x1 $yline $x2 \ 
$yline $enhancer_line(options)] 
if ! [info exists enhancer_line(id)] {return} 
.c addtag $utag withtag [eval set tag_line [Utag assign \ 
$enhancer_line(id)]] 
set ytext [expr $yline - 5] 
History add [getObjectCommand $utag 1] 
Undo add ".c delete $utag" 
unset enhancer_line 
set fillcolor black 
if {$textstr == "always"} 
set fillcolor red 
} else if {$textstr == "next"} 
set fillcolor blue 
else { set fillcolor black 
} 
if {$textstr == "chopstar"} 
set fillcolor DodgerBlue 
set x3 [expr ($x1 + O.50*($x2-$x1))] 
set enhancer_text (id) [eval .c create text $x3 $ytext \ 
224 
Ph.D. Thesis B.2 Procedures for Conversion to Textual ITL 
} 
$enhancer_text(optionsl -fill $fillcolor) 
if ! [info exists enhancer_text(idl] {return} 
.c addtag $utag withtag [eval set tag_tex [Utag assign \ 
$enhancer_text(idl)) 
History add [getObjectCommand $utag 1] 
Undo add ".c delete $utag" 
unset enhancer text 
iiii## END FORMULA ENHANCER SECTION GIVEN COORDS 
B.2 Procedures for Conversion to Textual ITL 
The following procedure is called when the user selects the menu button for converting 
a VisITL formula to textual ITL. The procedures it calls are given below it. 
proc convert2ITL {} { 
global Graphics Canv utagCounter TextInfo Image Zoom fileID line 
global order enhancer_id ordered_boxinfo 
sort-boxes 
# calls make-listof-boxes 
set arg_for_latex [visual2latex $ordered_boxinfo) 
write-tex $arg_for_latex 
proc sort-boxes {} { 
global enhancer_infolist list_enhancer_coords 
global and_infolist list_and_coords num_enhancers num and 
global plain_formula_infolist list-plain_coords num-plain 
225 
Ph.D. Thesis D.2 Procedures for Conversion to Textual ITL 
global or_infolist list_or_coords num_or 
global anon_infolist list_anon_coords num_anon 
global while_infolist list_while_coords num_while 
global quantifier_infolist list_quan_coords num_quan 
global sortedOnX IDfor chopFrom chopTo 
global enhancer textval 
global boxtype ordered_boxinfo formulatext andltext and2text 
global formula_is_text argl_is_text arg2_is_text 
global orl_is_text or2_is_text orl_text or2_text 
global anonl_is_text anon2_is_text anonl_text anon2 text 
global whilel_is_text while2_is_text whilel_text while2_text 
global quantext quan_is_text quantifier_name quantifier_var 
global coords_for_or_rectl coords_for_or_rect2 
global coords_for_or_rect3 coords_for_or_rect4 
global treel tree2 tree3 tree4 In_Or plain_text val t only text 
set ordered_boxinfo "" 
make-listof-boxes 
if {$t == l} { 
set ordered_boxinfo only text 
set ordered_boxinfo [concat $ordered_boxinfo $onlytextl 
} else { 
set this_list [concat $list_enhancer_coords $list_and_coords \ 
$list-plain_coords $list_or_coords $list_anon_coords \ 
$list_while_coords $list_quan_coordsl 
set sortedOnX [lsort -command listCompare $this_listl 
set total [llength $this_listl 
set orderedIDs "" 
for {set counter a} {$counter < $total} {incr counter} { 
226 
Ph.D. Thesis D.2 Procedures for Conversion to Textual ITL 
set a [lindex $sortedOnX $eounter] 
lappend orderedIDs $IDfor($a) 
for {set k 1} {$k < [expr $num_or + 1]} finer k} { 
puts "Or info. : $or_infolist ($k) II 
foreaeh id [.c find withtag chop_line] 
set eoords_ehopline [.e eoords Sid] 
set chopX1 [lindex $eoords_chopline 0] 
set chopY1 [lindex $eoords_chopline 1] 
set chopX2 [lindex $coords_ehopline 2] 
set ehopY2 [lindex $coords_chopline 3] 
for {set i o} {$i < $total + 1} finer i} 
set currBoxCoords [lindex $sortedOnX $i] 
set boxX1 [lindex [lindex $sortedOnX $i] 01 
set boxY1 [lindex [lindex $sortedOnX $i] 1] 
set bOxX2 [lindex [lindex $sortedOnX $i] 21 
set boxY2 [lindex [lindex $sortedOnX $i] 3] 
if {$chopX1 > $boxXl} { 
if {$ehopX1 < $boxX2} { 
if {$chopY1 > $boxYl} { 
if {$ehopYl < $boxY2} { 
set chopFrom($id) $IDfor($eurrBoxCoords) 
} 
} 
if {$chopX2 > $boxXl} { 
if {$chopX2 < $boxX2} { 
if {$chopY2 > $boxYl} { 
227 





if {$chopY2 < $boxY2} { 
set chopTo($id) $IDfor($currBoxCoords) 
puts "chop Sid is from box: $chopFrom($id)" 
puts "chop Sid is to box: $chopTo($id)" 
set lower [lsearch $orderedIDs $chopFrom($id)) 
set higher [lsearch $orderedIDs $chopTo($id)) 
if {Slower > $higher} { 
# These were swapping i I will now change the algo -> insert just before 
# set fullyorderedIDs [lreplace $orderedIDs Slower Slower $chopTo($id)) 
# set fullyorderedIDs [lreplace $fullyorderedIDs $higher \ 
# $higher $chopFrom($id)) 
# So, I will insert .. 
set fullyorderedIDs [linsert $orderedIDs $higher $chopFrom($id)) 
set newlower [expr Slower + 1) 
set fullyorderedIDs [lreplace $fullyorderedIDs $newlower \ 
$newlower] 
set orderedIDs $fullyorderedIDs 
# So, I have overwritten on orderedIDs 
puts "The orderedIDs after considering chops a $orderedIDs" 
# Added 11 May 00 -> start 
foreach id [.c find withtag Or) 
set xl [lindex $coords_for_or_rect1($id) 0) 
set y1 [lindex $coords_for_or_rect1($id) 1) 
228 
Ph.D. Thesis Bol Procedures for Conversion to Textual ITL 
} 
set x2 [lindex $coords_for_or_rectl($id) 21 
set y2 [lindex $coords_for_or_rectl($id) 3] 
puts "rectl : $xl $yl $x2 $y2" 
foreach idee [.c find enclosed $xl $yl $x2 $y21 { 
set In_Or ($idee) yes 
set tags [.c gettags $idee] 
puts "$idee : Stags : $In_Or($idee)" 
set xl [lindex $coords_for_or_rect2($id) 0] 
set y1 [lindex $coords_for_or_rect2($id) 1] 
set x2 [lindex $coords_for_or_rect2($id) 2] 
set y2 [lindex $coords_for_or_rect2($id) 3] 
foreach idee [.c find enclosed $x1 $yl $x2 $y2] 
set In_Or ($idee) yes 
set xl [lindex $coords_for_or_rect3($id) 0] 
set y1 [lindex $coords_for_or_rect3($id) 1] 
set x2 [lindex $coords_for_or_rect3($id) 2] 
set y2 [lindex $coords_for_or_rect3($id) 3] 
foreach idee [.c find enclosed $xl $y1 $x2 $y2] 
set In_Or ($idee) yes 
set xl [lindex $coords_for_or_rect4($id) 0] 
set yl [lindex $coords_for_or_rect4($id) 1] 
set x2 [lindex $coords_for_or_rect4($id) 2] 
set y2 [lindex $coords_for_or_rect4($id) 3] 
foreach idee [.c find enclosed $x1 $y1 $x2 $y2] 
set In_Or ($idee) yes 
229 
Ph.D. Thesis B.2 Procedures for Conversion to Textual ITL 
# 11 May 00 end 
# 16 May 00 I have to use a different 1 for the for loop below .. which 
# includes the sum of all ids. of boxes in orderedIDs which are NOT in 
# any or box 
set 1 [llength $orderedIDs] 
set orderedIDs notinor "" 
for {set i o} {$i < [expr $l]} {incr i} { 
set id [lindex $orderedIDs $i] 
if {$In_Or($id) == "no"} { 
set orderedIDs notinor [concat $orderedIDs_notinor Sid] 
puts "The orderedIDs_notinor $orderedIDs_notinor" 
# set 1 [llength $orderedIDs] 
set 1 [llength $orderedIDs_notinor] 
for {set i o} {$i < [expr $l]} {incr i} 
set thisID [lindex $orderedIDs $i] 
foreach id [.c find withtag chop_line] 
if {[string compare $chopFrom($id) $thisID] == o} { 
set ordered_boxinfo [concat $ordered_boxinfo chop] 
if {$boxtype($thisID) == o} { 
set textval $enhancer_textval($thisID) 
if {$formula_is_text($thisIDl == 1} { 
set textval [concat $textval $formulatext($thisIDl] 
elseif {$boxtype($thisID) == 1} { 
set textval and 
if {$argl_is_text($thisIDl == 1} { 
230 
Ph.D. Thesis D.2 Procedures for Conversion to Textual ITL 
set textval [concat $textval $andltext($thisIDl) 
if {$arg2_is_text($thisIDl ==l} 
set textval [concat $textval $and2text($thisIDl) 
elseif {$boxtype($thisIDl == 2} { 
if {$In_Or($thisIDl == "noll} 
puts "NOTI''l"tI"I"tr'l'TI'TT in Or" 
set textval $plain_textval($thisIDl 
elseif {$boxtype($thisIDl == 3} { 
set textval or 
if {$orl_is_text($thisIDl == l} { 
set textval [concat $textval $orl_text($thisIDl) 
if {$or2_is_text($thisIDl ==l} { 
set textval [concat $textval $or2_text($thisIDl] 
} 
elseif {$boxtype($thisIDl == 4} { 
set textval anon 
if {$anonl_is_text($thisIDl == l} { 
set textval [concat $textval $anonl_text($thisIDl) 
if {$anon2_is_text($thisIDl ==l} { 
set textval [concat $textval $anon2_text($thisIDl] 
} elseif {$boxtype($thisIDl == 5} { 
231 
Ph.D. Thesis B.2 Procedures for Conversion to Textual ITL 
# 
} 
set text val while 
if {$whilel_is_text($thisID) l} { 
set textval [concat $textval $whilel_text($thisID)] 
if {$while2_is_text($thisID) ==l} { 
set textval [concat $textval $while2_text($thisID)] 
elseif {$boxtype($thisID) == 6} { 
set textval $quantifier_name($thisID) 
set textval [concat $textval $quantifier_var($thisID)] 
if {$quan_is_text($thisID) a= l} { 
set textval [concat $textval $quantext($thisID)) 
elseif {$boxtype($thisID) 7} { 
set textval or 
set textval [concat $textval orargl $treel ($thisID) ] 
set textval [concat $textval orarg2 $tree2 ($thisID)) 
set textval [concat $textval orarg3 $tree3 ($thisID)] 
set textval [concat $textval orarg4 $tree4 ($thisID)] 
set ordered_boxinfo [concat $ordered_boxinfo $textval] 
set ordered_boxinfo [concat $ordered_boxinfo $textval] 
puts "Finally, the order of IDs = $orderedIDs" 
puts "The ordered info. translates to : $ordered_boxinfo" 
# NOW the ordered_boxinfo could be bracketed nicely as a tree 
# going thro' it in reverse order 
232 
Ph.D. Thesis B.2 Procedures for Conversion to Textual ITL 
} 
The following procedure is too long to be included here. The source code in STRL 
could be referred to for further infonnation. This procedure makes a list of all items on 
the canvas (in terms of various VisITL constructs and orders it based on co-ordinates). 
The sort-boxes procedure does further re-ordering based on different possibilities of 
having the chop construct. 
proc make-listof-boxes {} { 
# please refer to source code in STRL if interested in details. 
The following procedure does bracketing of the expression supplied according to 
the number of arguments expected for each construct. The expression supplied would 
be correct in accordance with VisITL semantics if procedure sort-boxes{} was called 
before this. 
proc visual2latex {supplied} { 
set len [llength $supplied1 
set resultant "" 
for {set i [expr $len - Il} {$i > -I} {incr i-I} { 
set Lb n {" 
set Rb "}" 
set str [lindex $supplied $il 
switch -exact -- $str { 
next { set argl [lindex $resultant 0] ; 
set currLen [llength $resultantl; 







B.2 Procedures for Conversion to Textual ITL 
set resultant [concat $Lb \\Next $Lb $arg1 $Rb \ 
$Rb $Lb $theRest $Rb]} 
set arg1 [lindex $resultant 0] ; 
set currLen [llength $resultantl ; 
set theRest [lreplace $resultant 0 0]; 
set resultant [concat $Lb \\Always $Lb $arg1 $Rb \ 
$Rb $Lb $theRest $Rb]} 
set arg1 [lindex $resultant 0] 
set currLen [llength $resultant] ; 
set theRest [lreplace $resultant 0 0]; 
set resultant [concat $Lb \\Chopstar $Lb $arg1 \ 
$Rb $Rb $Lb $theRest $Rb]} 
set arg1 [lindex $resultant 0] 
set currLen [llength $resultant] i 
set theRest [lreplace $resultant 0 0] i 
set resultant [concat $Lb \\Sometime $Lb $arg1 \ 
$Rb $Rb $Lb $theRest $Rb]} 
set arg1 [lindex $resultant 0] 
set currLen [llength $resultant] i 
set theRest [lreplace $resultant 0 0]; 
set resultant [concat $Lb \\Not $Lb $arg1 $Rb \ 
$Rb $Lb $theRest $Rb]} 
and set argl [lindex $resultant 0] 
orarg1 
set arg2 [lindex $resultant 1] 
puts "resultant now: $resultant" 
set currLen [llength $resultant] i 
set theRest [lreplace $resultant 0 1] i 
set resultant [concat $Lb \\And $Lb $arg1 $Rb \ 










B.2 Procedures for Conversion to Textual ITL 
set or_argl [lindex $resultant 0]; 
set theRest [lreplace $resultant 0 0] ; 
set resultant $theRest 
set or_arg2 [lindex $resultant 0]; 
set theRest [lreplace $resultant 0 0] ; 
set resultant $theRest 
set or_arg3 [lindex $resultant 0]; 
set theRest [lreplace $resultant 0 0] ; 
set resultant $theRest 
set or_arg4 [lindex $resultant 0]; 
set theRest [lreplace $resultant 0 0] ; 
set resultant $theRest 
puts "resultant now: $resultant" 
set currLen [llength $resultant]; 
set theRest [lreplace $theRest 0 0]; 
set resultant [concat $Lb "Or $Lb $or_argl $Rb , 
$Lb $or_arg2 $Rb $Lb $or_arg3 $Rb $Lb $or_arg4 , 
$Rb $Rb $theRest] 
set anonl [lindex $resultant 0] 
set anon2 [lindex $resultant 1] 
235 
Ph.D. Thesis B.2 Procedures for Conversion to TextuallTL 
set eurrLen [llength $resultant] ; 
set theRest [lreplaee $resultant 0 11 ; 
set resultant [eoneat $Lb \\Dese $Lb $anon1 $Rb \ 
$Lb $anon2 $Rb $Rb $theRest] 
while set whilel [lindex $resultant 0] 
set while2 [lindex $resultant 1] 
set eurrLen [llength $resultantl ; 
set theRest [lreplaee $resultant 0 1] ; 
set resultant [concat $Lb \\While $Lb $whilel \ 
$Rb $Lb $while2 $Rb $Rb $theRest] 
chop set argl [lindex $resultant 01 
set arg2 [lindex $resultant II 
set eurrLen [llength $resultant] ; 
forall 
exists 
set theRest [lreplace $resultant 0 II ; 
set resultant [coneat $Lb \\Chop $Lb $argl $Rb \ 
$Lb $arg2 $Rb $Rb $theRestl } 
set arg1 [lindex $resultant 0] 
set arg2 [lindex $resultant 1] 
set eurrLen [llength $resultant] ; 
set theRest [lreplaee $resultant 0 1] ; 
set resultant [coneat $Lb \\Forall $Lb $argl $Rb \ 
$Lb $arg2 $Rb $Rb $theRest] } 
set argl [lindex $resultant 0] 
set arg2 [lindex $resultant II 
set eurrLen [llength $resultant] ; 
set theRest [lreplaee $resultant 0 1] ; 
set resultant [coneat $Lb \\Exists $Lb $arg1 $Rb \ 
$Lb $arg2 $Rb $Rb $theRest] 
only text { set arg1 [lindex $resultant 0] ; 
set theRest [lreplaee $resultant 0 0] ; 
236 
Ph.D. Thesis B.2 Procedures for Conversion to Textual ITL 
set resultant [concat $Lb \\Onlytext $Lb $argl \ 
$Rb $Rb $theRestl} 
default { set resultant [concat $Lb $str $Rb $resultantl} 
} 
return $resultant 
proc write-tex {arg_for_latex} { 
########### FILE OPERATIONS 
set fileID [open /export/homeO/users/pub/arun/visual/program/ \ 
test_tex/testing.tex w 06001 
puts $fileID "\\documentclass\[12pt,a4paper\1 {report}" 
puts $fileID "\\usepackage{latexsym,amssymb,times}" 
puts $fileID "\\usepackage\ [dvips, final\J {graphicx} " 
puts $fileID "\\paperwidth 597.50787pt" 
puts $fileID "\\paperheight 845.04684pt" 
puts $fileID "\\textwidth 416.83289pt" 
puts $fileID "\\textheight 670.50687pt" 
puts $fileID "\\oddsidemargin 18.0675pt" 
puts $fileID "\\evensidemargin 18.0675pt" 
puts $fileID "\\topmargin O.Opt" 
puts $fileID "\\heaciheight O.Opt" 
puts $fileID "\\headsep O.Opt" 
puts $fileID "\\footskip 30.0pt" 
puts $fileID "\ \hoffset O. Opt" 
puts $fileID "\\voffset O.Opt" 
puts $fileID "\\newcomrnand{\\Always}\[l\J{\\Box \[#l\J}" 
237 
Ph.D. Thesis D.2 Procedures for Conversion to Textual ITL 
puts $fileID "\\newconunand{\\Sometime} \ [1 \1 {\\Diamond \ [#1 \1 }" 
puts $fileID "\\newconunand{\\Not}\[l\I{\\neg \[#l\l}n 
puts $fileID n\\newconunand{ \\And} \ [2\1 {\ [#1 \1 \\mathrel {\\scriptstyle \ 
\\wedge}\[#2\1}n 
puts $fileID n\\newconunand{\\Or} \ [4\1 {\[#1\1 \\mathrel{\\scriptstyle \ 
\\vee} \[#2\1 \\mathrel{\\scriptstyle\\vee} \[#3\1 \ 
\\mathrel{\\scriptstyle\\vee} \[#4\1}" 
puts $fileID n\\newconunand{\\Equiv}{\\quad\\equiv\\quad}n 
puts $fileID n\\newconunand{\\desc}{\\mathord{\\imath}}" 
puts $fileID n\\newconunand{\\Desc} \ [2\1 {{\\mathord{\\imath} #1} \ 
\\colon #2}n 
puts $fileID n\\newconunand{\\Nextsym}{\\raise O.20em\\hbox{$\\ \ 
scriptstyle \\bigcirc\\mskip -2.Smu$}}" 
puts $fileID n\\newconunand{ \\Next} \ [1 \1 {\\mathop{\\Nextsym} \ [#1 \1 }" 
puts $fileID n\\newconunand{\\Chop} \ [2\J{\ [#1 \1 \\mathbin{;} \ [#2\1 }" 
puts $HleID n\\newconunand{ \\Chopstar} \ [1 \J{ \ [#1 \1 ~ *} n 
# puts $fileID "\\newcommand{\\While1}{\\tempop{\\sf while}}" 
# puts $fileID "\\newcommand{\\Do}{\\temprel{\\sf do}}n 
# puts $fileID n\\newcommand{\\While} \ [2\1 {\\While1 \[#1\1 \\00 \[#2\1}n 
puts $fileID n\\newconunand{\\While}\ [2\J{While \ [#1\1 do \ [#2\J}n 
puts $HleID n\\newconunand{\\Onlytext}\[1\1 {\[#1\1}" 
puts $fileID n\\newconunand{ \\Forall} \ [2\J{ \\forall \ [#1 \J \\colon \ 
\[#2\1}n 
puts $fileID n\\newconunand{\\Exists} \ [2\1 {\\exists \[#1\] \\colon \ 
\ [#2\J} " 
puts $fileID "\\begin{document}n 
puts $fileID "The following is the equivalent textual ITL formula :\\\\n 
puts -nonewline $fileID n$n 
238 
Ph.D. Thesis 
puts -nonewline $fileID $arg_for_latex 
puts $fileID "$" 
puts $fileID "\\end\ {document \}" 
close $fileID 
B.3 Refinement-related Procedures 
exec latex /export/homeO/users/pub/arun/visual/program \ 
/test_tex/testing.tex 
exec mv testing.dvi .. /test_tex 
exec xdvi .. /test_tex/testing.dvi 
B.3 Refinement-related Procedures 
The following procedure refines a VisITL construct using the while-l rule. 
proc ref_whilel {} { 
# uses visualize_in 
global While_repeat Graphics latex_arg sub_tree_info 
set ref_text (options) [list \ 
-tags {result ref whilel obj} \ 
-font {-size 15 -weight bold -slant italic} \ 
foreach id [.c find withtag While_repeat] 
set coordinates [.c coords Sid] 
set next1 [getObjectAbove Sid] 
set next2 [getObjectAbove $next1J 
set xl [lindex $coordinates 0] 
239 
Ph.D. Thesis 
set y1 [lindex $coordinates 1] 
set x2 [lindex $coordinates 2] 
set y2 [lindex $coordinates 3] 
B.3 Refinement-related Procedures 
set encl [.c find enclosed $x1 $y1 $x2 $y2] 
#These will be deleted later 
set y3 [expr $y1 + O.25*($y2 - $y1)] 
set x3 [expr $x1 + O.50*($x2 - $x1)] 
set next [.c find enclosed $x1 $y1 $x2 $y3] 
set required_txt "" 
eval lappend required_txt [getObjectOptions $next 1] 
set position [lsearch $required_txt -text] 
set texposn [expr $position + 1] 
set text en [lindex $required_txt $texposn] 
if {$text_en == "while"} { 
puts "I should refine now !!" 
set xO [expr $x2 - $x1] 
set yO [expr $y2 - $y1] 
set xlandl [expr $xl - 1.5*$xO] 
set y1and1 [expr $y1 - O.5*$yO] 
set x2and1 [expr $x2 + 1.5*$xO] 
set y2and1 [expr $y2 + O.5*$yO] 
startAnd-comp-with $x1and1 $yland1 $x2and1 $y2and1 
set x1fe1 [expr $x1 - 1.25*$xO] 
set y1fe1 [expr $y1 - O.25*$yO] 
set x2fe1 [expr $x1 + O.25*$xO] 
set y2fe1 [expr $yl + 1.25*$yO] 
startFormula_enhancer-with $x1fe1 $y1fe1 $x2fe1 $y2fel chops tar 
set xlfe2 [expr $xl + O. 75*$xO] 
set ylfe2 [expr $yl - O.25*$yO] 
set x2fe2 [expr $x1 + 2.25*$xO] 
240 
Ph.D. Thesis B.3 Refinement-related Procedures 
set y2fe2 [expr $yl + 1.25*$yO] 
startFormula_enhancer-with $xlfe2 $ylfe2 $x2fe2 $y2fe2 fin 
set xlfe3 [expr $xl + $xO] 
set ylfe3 [expr $yl + 0.125*$yO] 
set x2fe3 [expr $xl + 2*$xO] 
set y2fe3 [expr $yl + 1.125*$yO] 
startFormula_enhancer-with $xlfe3 $ylfe3 $x2fe3 $y2fe3 not 
set xland2 [expr $xl - $xO] 
set yland2 [expr $yl + O.125*$yO] 
set x2and2 [expr $xl] 
set y2and2 [expr $yl + 1.125*$yO] 
startAnd-comp-with $xland2 $yland2 $x2and2 $y2and2 
set xand [expr 0.5* ($xland2 + $x2and2)] 
sub-ITLformula-in $xl $y3 $x3 $y2 
puts "xly3x3y2 => $sub_tree_info" 
set ylfe3p [expr $ylfe3 + 0.25*($y2fe3 - $ylfe3)] 
visualize_in $xlfe3 $ylfe3p $x2fe3 $y2fe3 $sub_tree_info 
set xand-2 [expr $xland2 + 0.5*($x2and2 - $xland2)] 
visualize_in $xland2 $yland2 $xand-2 $y2and2 $sub_tree_info 
sub-ITLformula-in $x3 $y3 $x2 $y2 
puts "x3y3x2y2 => $sub_tree_info" 
visualize_in $xand-2 $yland2 $x2and2 $y2and2 $sub_tree_info 
241 
Ph.D. Thesis 
foreach item $encl 
.c delete $item 
.c delete Sid 
set alltags [.c find all] 
set total [llength $alltags] 
D.3 Refinement-related Procedures 
for {set i o} {$i < [expr $total]} {incr i} { 
set itemid [lindex $alltags $i] 
set itemtag [.c gettags $itemid] 
.c addtag result ref whilel withtag $itemid 
set z 0.50 
Zoom $z 
The following procedure finds the equivalent sub-ITL formula in a given region of 
the canvas. It is too long to be included here. 
proc sub-ITLformula-in {xA yA xB yB} { 
# please refer to the source code at STRL for additional details. 
###### Proc. to DRAW A VIS-ITL given textual ITL in tree form 
proc visualize_in {xl yl x2 y2 tree_info} { 
set current 0 
242 
Ph.D. Thesis B.3 Refinement-related Procedures 
set prey 0 
set prev-of-prev 0 
set total and 0 
set total fe 0 
set total txt 0 
set length [llength $tree_infoJ 
for {set i [expr $length - I]} {$i > -I} {incr i-I} { 
set arg [lindex $tree_info $i] 
switch -exact -- $arg { 
and set total and [expr $total_and + 1] 
next set total fe [expr $total_fe + IJ 
sometimes set total fe [expr $total_fe + 1] 
always set total fe [expr $total_fe + 1] 
chopstar set total fe [expr $total_fe + 1] 
not { set total fe [expr $total_fe + IJ 
onlytext {} 
default { set total txt [expr $total_txt + 1] 
puts "Details in tree_info :" 
set total_boxes_to_vis [expr $total_and + $total_fe] 
set xO [expr $x2 -$xl] 
set yO [expr $y2 - $yl] 
set cx [expr 0.5*($xl + $x2l] 
set cy [expr O.5*($yl + $y2l] 
} 
for {set i l} {$i < [expr $total_boxes_to_vis + 11} {incr i} { 
set xxO ($il [expr $xO * 0.9* pow (0.7, [expr \ 
$total_boxes_to_vis -Sill] 
set yyO($i) [expr $yO* 0.9* pow(0.7, [expr \ 
$total_boxes_to_vis -Sill] 
243 
Ph.D. Thesis B.3 Refinement-related Procedures 
set box count 0 
for {set i [expr $length - Il} {$i > -I} {incr i-I} { 
set arg [lindex $tree_info $il 
puts "arg $i : = $arg" 
switch -exact -- $arg 
next {set current 3; puts "$i $arg -> $current"; 
incr box count 
set xfactor [expr 0.5* ($xxO ($box_count) ) 1 
set yfactor [expr 0.5* ($yyO ($box_count) )] 
set ax [expr $cx - $xfactorl 
set ay [expr $cy - $yfactor] 
set bx [expr $cx + $xfactorl 
set by [expr $cy + $yfactor] 
startFormula_enhancer-with Sax Say $bx $by next 
} 
set prev-of-prev $prev ; 
set prey 3 
sometimes {set current 3; puts "$i $arg -) $current"; 
incr box count 
set xfactor [expr 0.5* ($xxO($box_count))] 
set yfactor [expr 0.5* ($yyO($box_count))] 
set ax [expr $cx - $xfactor] 
set ay [expr $cy - $yfactor] 
set bx [expr $cx + $xfactorj 
set by [expr $cy + $yfactor] 
startFormula_enhancer-with Sax Say $bx $by sometimes 
set prev-of-prev $prev ; 
set prey 3 
244 
Ph.D. Thesis B.3 Refinement-related Procedures 
always {set current 3; puts !I$i $arg -> $current!l; 
not 
incr box count 
set xfactor [expr 0.5* ($xxO ($box _ count) ) ] 
set yfactor [expr 0.5* ($yyO ($box _count) ) ] 
set ax [expr $cx - $xfactor] 
set ay [expr $cy - $yfactor] 
set bx [expr $cx + $xfactorl 
set by [expr $cy + $yfactor] 
startFormula enhancer-with Sax Say $bx $by always 
set prev-of-prev $prev ; 
set prev 3 
{set current 3; puts "$i $arg -> $current"; 
incr box count 
set xfactor [expr 0.5* ($xxO ($box_ count) ) ] 
set yfactor [expr 0.5* ($yyO ($box_count))] 
set ax [expr $cx - $xfactor] 
set ay [expr $cy - $yfactor] 
set bx [expr $cx + $xfactorl 
set by [expr $cy + $yfactor] 
start Formula enhancer-with Sax Say $bx $by not 
set prev-of-prev $prev ; 
set prev 3 
chopstar {set current 3; puts "$i $arg -> $current"; 
incr box count 
set xfactor [expr 0.5* ($xxO($box_count))] 
set yfactor [expr 0.5* ($yyO($box_count))] 
set ax [expr $cx - $xfactorl 




B.3 Refinement-related Procedures 
set bx [expr $cx + $xfactorl 
set by [expr $cy + $yfactor] 
startFormula enhancer-with Sax Say $bx $by chopstar 
set prev-of-prev $prev ; 
set prey 3 
{set current 2; puts "$i : $arg -> $current"; 
set xfactor [expr 0.5* ($xxO ($box_count))] 
set yfactor [expr 0.5* ($yyO ($box_count))] 
set ax [expr $cx - $xfactor] 
set ay [expr $cy - $yfactor) 
set bx [expr $cx + $xfactor] 
set by [expr $cy + $yfactor) 
startAnd-comp-with Sax Say $bx $by 
set prev-of-prev $prev 
set prey 2 
only text 
default {set current 1; puts "$i: $arg -> $current"; 
set delta 25; 
set xtext [expr 0.5*($xl + $x2)] 
set ytext [expr 0.5*($yl + $y2) 1 
if {$prev == I} { 
set xtext [expr $xtext + $deltal 
set ytext [expr $ytext + $delta] 
} ; 
set texid [eval .c create text $xtext $ytext -text \ 
$arg -tag obj] 
246 
Ph.D. Thesis 
set prev-of-prev $prev 
set prev 1 
247 
B.3 Refinement-related Procedures 
