






















Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners 
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. 
 
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. 
• You may not further distribute the material or use it for any profit-making activity or commercial gain 
• You may freely distribute the URL identifying the publication in the public portal  
 
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately 
and investigate your claim. 
   
 
Downloaded from orbit.dtu.dk on: Dec 17, 2017
Interface models
Ravn, Anders P.; Staunstrup, Jørgen
Published in:
Proceedings of the Third International Workshop on Hardware/Software Codesign





Publisher's PDF, also known as Version of record
Link back to DTU Orbit
Citation (APA):
Ravn, A. P., & Staunstrup, J. (1994). Interface models. In Proceedings of the Third International Workshop on
Hardware/Software Codesign (pp. 157-164). IEEE. DOI: 10.1109/HSC.1994.336711
Interface Models 
Anders P. Ravn and Jprrgen Staunstrup 
Department of Computer Science, 
Technical University of Denmark, 
DK-2800 Lyngby, Denmark 
e-mail: {apr,jst}@id.dtu.dk 
Abstract 
This paper proposes a model for specihing inter- 
faces between concurrently ezecuting modules of a 
Computing system. The model does not prescribe a 
particular type of communication protocol and is aimed 
at describing interfaces between both software and 
hardware modules or a combination of the two. The 
model describes both functional and timing properties 
of an interface. 
1 Motivation 
The design of non-trivial computing systems re- 
quires a module concept to structure the design into 
manageable subparts. Modules can be newly created 
for a specific purpose, but often they are general pur- 
pose off-the-shelf components. In both cases it is im- 
portant that the interface to the module is simple and 
well documented. This paper describes a model for 
defining module interfaces covering both off-the-shelf 
components and new components. 
In a design of a sequential program, a module is 
characterized by a signature that introduces names 
for constants, datatypes, operations, etc. A database 
module may for example have an interface like 
MODULE database; 
TYPE 
Key = 1. .MaxKey 
Elem = RECORD k: Key; ... END 
Answer = ... 
DB = ... 
... 
OPERAT I ON 
insert: DB x Key x E l e m  -> DB x Ansuer 
find: DB x Key -> Answer 
END 
Such a concept is present in modular or object ori- 
ented programming languages, in specification lan- 
guages like VDM [4] or Z [15], and also in hardware de- 
scription languages like VHDL [8] etc. In some of the 
languages, the signature is extended with constraints 
that specify how the operations are related and what 
results can be expected. There are many syntactical 
variations of this module concept, but a common goal 
is to structure a system into manageable parts. 
However, there are very few computing systems 
that can be described as one run of a single sequential 
program. Most systems are reactive, the operations 
are performed in some order determined by communi- 
cations with an environment. Thus, each module may 
specify constraints on the order of operations. This 
paper thus focuses on fundamental concepts that al- 
lows module specifications with a succinct description 
of the communication interface. 
The notions of module and computing systems are 
interpreted in a very general sense encompassing com- 
binations of hardware and software and models on 
different levels of abstraction from primitive building 
blocks to complex sub-systems. 
A common source of errors and delays in design and 
development projects is misunderstanding caused by 
ambiguous interface descriptions. At the same time it 
is unrealistic (at least in the foreseeable future) to in- 
sist that designers give complete formal specifications 
of all aspects of a module. Our attitude is to leave it to 
the designer what to specify rigorously, but to provide 
a model where a wide variety of different aspects of an 
interface can be studied unambiguously in particular 
the timing aspects. 
Even a superficial analysis of existing interfaces re- 
veals a large variation. Therefore, the proposed model 
does not prescribe a particular communication disci- 
pline, instead it allows a variety of disciplines to be 
described rigorously. Examples of existing disciplines 
are the synchronous message passing dictated by (soft- 
157 
0-8186-6315-4/94 $04.00 0 19!34 IEEE 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
ware) models such as CSP [7], CCS [ll], LOTOS [l], 
etc., and the signaling disciplines of (hardware) models 
in VHDL. Such specialized disciplines have significant 
advantages later in a design process where they permit 
various forms of analysis and optimization. However, 
we think that the variation found in module interfaces 
makes it unrealistic to prescribe a particular rigid dis- 
cipline during development and specification of a sys- 
tem. 
2 The model 
This section proposes an interface model following 
the guidelines discussed in the introduction. A mod- 
ule encapsulates a part of a computation. For the 
purposes of this paper, it is not necessary to go into 
the details of the computational model of a module, 
it is assumed to be a state machine where the state 
is represented by a number of state variables. A state 
variable may denote a simple boolean or a composite 
value like the database mentioned earlier. A state is 
changed by applying given operations, e.g., find or 
in se r t  on the state variables. 
We would like to stress that an interface specifica- 
tion is not intended as a complete specification of all 
aspects of a module. Specification of types and oper- 
ations may be left open. 
The interface of a module consists of one or more 
state variables that are shared with other modules. 
In addition there can be local (hidden) state variables 
in each module. Sharing implies that the value of the 
state variables in the interface may be changed both by 
local computations and computations by other mod- 
ules. A state based model is used here in contrast 
to the message passing approach found in CSP [7] 
and CCS [ll], but in agreement with UNITY [2] and 
TLA [lo]. We have found a state based model useful 
for a wide variety of purposes [16] on different levels 
of abstraction ranging from circuits to computer net- 
works. 
A state variable x is modeled by a function from 
Time to its range of values, e.g., if z is boolean, we 
write 
x : Time -+ Bool 
and if x is the database mentioned in the introduction 
x : Time -+ DB 
The Time domain is taken to  be the non-negative re- 
als. 
Example: a simple database server 
Consider an application where the database is placed 
in a server. A simple protocol defines how a client can 
request that an operation is performed on the database 
and how the server answers the request. 
For simplicity, we consider only one client and 
request-answer messages without data. This interface 
is modeled by two state variables 
reg : Time -+ Bool 
ans : Time -+ Bool 
An extension to multiple clients could be modeled by 
indexing the variables, and data is modeled by substi- 
tuting a composite type for the simple type Bool. 
The server interface uses a simple (four-phase) pro- 
tocol where the values of the interface variables change 
in the following sequence: 
req . . . ans . .  . ~ r e q  . . . l a m . ,  . reg. .  . 
It is important that the client module referencing the 
interface obey the same protocol. It is therefore im- 
portant to enable designers to document/specify pro- 
tocols in a rigorous manner. However, just giving the 
sequencing above leaves many open questions, e.g., 
e Does an ans always follow a req? 
How long time is the am enabled? 
To answer such questions one must specify the proto- 
col by a predicate on the interface. The interpretation 
of this predicate is that modules referencing an inter- 
face may assume that the associated predicate holds, 
on the other hand any module changing the values of 
state variables in the interface are obliged to ensure 
that the resulting values satisfy the predicate. At this 
point the notation for specifying such interface pred- 
icates is not defined. It will at least include propo- 
sitional logic over relations formed by operations on 
state variables (for the variables above boolean ex- 
pressions using operators such as A, V, -7 ,  etc). This 
would allow the specification of time invariant prop- 
erties. 
The idea to model states as functions of continu- 
ous time is well known in most fields of engineering 
and science. However, it is associated with the theory 
of dynamic systems which uses differential or differ- 
ence equations to express properties of systems. Such 
equations give deterministic specifications (functions) 
while we want to  preserve some choices for the design- 
ers. Therefore, in section 3, we introduce a notation 
158 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
allowing the designer to state a large variety of prop- 
erties including timing constraints and other dynamic 
properties in a constraint oriented manner. 
Before going into specification of dynamic proper- 
ties, another important aspect of an interface protocol 
is discussed. 
2.1 Definedness 
In any non-trivial interface, the values of state vari- 
ables change; however, these changes may not always 
be atomic transitions from one well-defined state to 
another. It is often the case that a state change goes 
through some intermediate values that should be ig- 
nored. At a low level, digital signals do not change 
instantaneously from one binary value to another. A 
similar phenomenon can be observed at higher levels 
where composite values (integers, vectors, records, a 
database, etc.) may change in a piecewise fashion, and 
hence go through some values where the interpretation 
is not defined. In order to model this, we assume that 
there is a predicate defx associated with every state 
variable, 2, of an interface. The intended interpreta- 
tion is that defx holds whenever 2 has a well-defined 
value, whereas no assumptions can be made about x 
when defx does not hold. 
In many cases, definedness involves timing. For ex- 
ample, in a typical digital circuit, it is only meaningful 
to inspect the values of state variables during some 
phases of the global clock signal. However, the def 
predicate can be illustrated without involving timing 
aspects. 
Example: a simple server (continued) 
Consider a lower level model of the server where the 
interface is modeled with signals which may change 
continuously within some range: [Z..h]. This could, 
for example, model a voltage level. 
req', ansf  : Time --t [l..h] 
Furthermore, assume that, signal values less than a 
certain threshold value 1 7 ~  are interpreted as the 
boolean value false and signal values larger than an- 
other threshold value V T ,  ( VT > V F )  are interpreted 
as the boolean value true,  i.e.. 
t rue (v )  w > VT and faZse(w) = v < VF 
Any client using the server is obliged to ensure that 
defansl holds whenever the value of a n d  is used. No 
assumptions can be made about the behavior of ans' 
when defanst is false. 
end of example 
To summarize, interfaces are documented with pro- 
tocols and definedness predicates. The protocols spec- 
ify constraints that must be met both by the module 
and by the environment. Definedness describes when 
it is safe to interpret the state variables of the inter- 
face. When the definedness predicate does not hold, 
the state variables are allowed to be in inconsistent 
with a protocol. For example, when a physical sig- 
nal represented by a voltage level is changing it might 
temporarily have values that cannot consistently be 
interpreted as high or low. Definedness is used to fil- 
ter out such intermediate values of interface variables. 
3 Timing 
There are many proposals for specifying timing 
properties of protocols. Some advocate the use of ex- 
plicit states that model time or local clocks, others 
incorporate it into a temporal logic, and yet others ex- 
tend process algebras with timing constructs. For an 
introduction, we recommend the proceedings [5, 171. 
However, if we look at practice, protocols are almost 
exclusively defined by timing diagrams. For that rea- 
son we prefer to use an interval logic, Duration Calcu- 
lus [3] that is a symbolic notation for reasoning about 
timing properties. It has been used to reason suc- 
cessfully about phases of computations in the design 
of real-time systems [14], in hybrid systems [HI, in 
circuits [6] and it has been embedded into the Z spec- 
ification language [9]. 
Example: a simple server (cont.) 
Part of the protocol specification for the server might 
be: 
If the request signal is maintained for 10 t ime 
units then answer will come. 
The def predicate for the interface variable ans' is This is illustrated by the following timing diagram: 
defans, true(ans')  V false(ans') 
159 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
where t ,  t‘ are positive reals. 
The inference rule has a formula above the line stat- 
ing an assumption, that is sufficient to ensure the con- 
clusion, which is the formula occurring below the line. 
In the conclusion the subformula, r.1 A C = t + t‘ 
characterizes an interval of length t + t’ where x holds 
almost everywhere. The other subformula, 





b m m’ e 
We will write this part of a protocol as 
PI : ([reql A C = 10) + [ansl 
This formula is interpreted over the state and an inter- 
val [ b ,  e] of Time. The symbol + is a “followed-by” 
operator which means that if the interval can be split 
into an initial subinterval [b ,  m3 where the precondi- 
tion [re41 A C = 10 holds then the interval [m, e]  will 
have an initial subinterval [m, m’] where the postcon- 
dition [ a m ]  holds. 
The formula [reql holds on an interval exactly when 
the state rep holds almost everywhere in the interval 
(this formulation avoids stating anything about the 
value of reg in individual points of a dense time do- 
main, e.g., at the end points of the interval). The 
formula C = 10 holds when the interval has a length 
of 10, and conjunction A has its conventional mean- 
ing. Informally, the formula, P I ,  reads: “If req holds 
for an interval of length 10 then it is followed by ans 
holding”. Note that nothing is said about ans if req 
holds in a shorter interval, this means that ans may 
or may not hold for such an interval. 
3.1 Reasoning about protocols 
A formula, such as the protocol stated above, is no 
more than a symbolic representation of a timing dia- 
gram. A particular formula holds for a given collection 
of state variables, just when it holds for any subinter- 
val of Time. This corresponds with the intuition that 
a timing diagram is a snapshot of the state trajectory. 
One reason for using a formalism, rather than the 
intuitive diagrams, is that the formulas allow us to cal- 
culate consequences of a given protocol. The Duration 
Calculus has a number of general rules for doing such 
calculations. The appendix gives a brief overview of 
the Duration Calculus. As an example, we will calcu- 
late the assumptions needed to ensure that ans holds 
for at least 5 time units. For this we need an inference 
rule[l3] 
uses the chop-operator: “; ”. This formula holds of an 
interval [ b ,  e] just when it can be split into an interval 
[ b ,  m] where C = t holds and an interval [m, e] where 
[ y l  A e =  t + t’ holds. 
The general inference rule can be instantiated to a 
particular case, for example, by replacing x with req, 
y with ans, t‘ with 5, and t with 10. This means that 
when the protocol PI is assumed then 
([reql A .! = 15) + (C = 10 ; (runs1 A C = 5)) 
In other words, if req holds for 15 time units, then ans 
is sure to hold for the last 5 time units. 
Note that the protocol specification does not pre- 
scribe any particular behavior if req is held for less 
than 10 time units. The server is then free to ignore 
it or act upon it. 
Example: a simple server (cont.) 
A protocol may also include stability constraints, for 
instance to ensure that a definedness predicate can be 
checked or a value can be moved to a local state. An 
example is: 
If the ans signal is set, then it is stable 
for at least 10 time units. 
illustrated by the following timing diagram: 
-... ans 
0 
‘ I - - -+---  4 ,  
m m’ e b 
or as a formula 
The subformula [ ~ a n s l  ; runs1 characterizes an in- 
terval where ans is set, i.e., changes from false to true. 
160 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
The formula thus reads: “If ans is set within an in- 
terval of length less than 10 then it continues to be 
set”. 
Another example is that, the server for some reason 
stabilizes the period before an answer. This is ex- 
pressed by a stability formula stating that ans is first 
set after 5 time units of req 
end of example 
A protocol is in general specified by a conjunction of 
progress formulas like P1 and stability formulas like SI 
and Sz. The protocol constrains the state trajectories 
of the system. A state trajectory that for any point 
of time satisfies the protocol, i.e., where the protocol 
formulas hold for any subinterval, is acceptable. 
4 Composition and feasibility 
Specification of a protocol by conjoining formulas 
requires some care. The result should be feasible, that 
is, the combined protocol should have at least one tra- 
jectory which is consistent with all formulas. This 
is not always the case when protocols are pieced to- 
gether. Infeasibility often occurs when one module 
with a feasible protocol is composed with another with 
a different feasible protocol. The result might very 
well be an infeasible protocol. 
Example: composition with a server (cont.) 
Consider the composition of the the server MI with a 
client M2. 
Assume that the client for some reason insists on re- 
leasing the answer after 2 time units. 
P2 : ([-real A ! = 2)  --+ [Tans]  
An initial state trajectory for the server could be char- 
acterized by 
[-real ; ([reql A ! = 10) ; (r lreql  A L‘ = 5) 
We can then use the server request protocol PI and 
its two stability protocols Sl and S2 to calculate that 
for this trajectory it is also the case that 
! > 10 ; ( [ l r e q  A ansl A ! = 5) 
The client release protocol Pz would allow us to cal- 
culate that for the same trajectory it is the case that 
The conjunction of the two formulas specify a trajec- 
tory with a final subinterval of length 3 where both 
ans and T a n s  holds. This is obviously impossible. 
end of example 
During the design and development of a modular sys- 
tem, the modules are considered separately and while 
developing a particular module, the designer formu- 
lates protocols characterizing the interface. Later, the 
separately developed modules are combined and at 
this point the consistency of the associated protocols 
must be ensured. Formally, this is done by checking 
the feasibility of composing the protocols. 
4.1 Feasibility 
This section states general results on feasibility 
which can be used to check that the composition of 
protocols remain feasible. 
Feasibility can be ensured by inspecting the initial 
and goal conditions of “followed-by” formulas that are 
conjoined. This gives rise to the following three suffi- 
cient conditions for feasibility. They are stated as the- 
orems (the proofs are given in [13] but omitted here 
for brevity). 
The first theorem ensures that mutually exclusive 
progress properties can be combined: 
Theorem 1 A conjunction 
defines a feasible system when each goal Pi is point- 
wise satisfiable, and the collection of initial conditions 
(Pi, i = 0 , .  . . , m) are mutually disjoint. 
The condition that the goal must be satisfiable is nec- 
essary to exclude strange protocols like 
[re41 --+ [ v e q  A rea1 
This theorem ensures that the composition of the re- 
lease protocol P2 and the request protocol PI is feasi- 
ble, because the predicates req and -req are disjoint. 
161 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
If the initial conditions are non exclusive, feasible 
progress properties must either cooperate on the goals 
or there must be a winner in a race. This is expressed 
in the second theorem. 
Theorem 2 A conjunction of progress commitments 
( ( [ P I 1  
( ( [ P z l  A e = tz) --+ [el) = t l )  + rp:l) A 
with tl 5 t2, defines a feasible system when each goal 
Pi is satisfiable and when either Pi A P; is satisfiable 
or Pi * -Pz. 
The condition PI + 7P2 ensures that the PI wins 
over Pz when they are simultaneously enabled. 
The second theorem is important if req has a side 
effect on some new state variable, say 
([reql A f? = 4) + [busy] 
or if we go for automatic release after 5 time units 
([req A ansl A f? = 5) --+ [lreql  
There is a similar result linking stability and 
progress formulas. Essentially, they agree (compos- 
ing them is feasible) when either the initial conditions 
are exclusive, the goals cooperate, or the progress time 
is not smaller than the stability time. 
These theorems are stated to sketch the possibilities 
offered by the Duration Calculus. There is work in 
progress on automating this calculus (at least with 
suitable assumptions about the time domain) and this 
will hopefully enable us to provide tools which can be 
used for checking the consistency of interfaces. 
5 Conclusion 
This paper discusses the importance of interface 
specifications which are rigorous but incomplete spec- 
ifications of a module. Two important aspects of such 
interface specifications are protocols and definedness 
predicates. Furthermore, timing is an important part 
of an interface, and it has been shown how to for- 
malize the well known timing diagrams and use this 
formalization for specifying an interface. 
Acknowledgment 
We would like to thank Jens Ulrik Skakkebaek, 
Zhiming Liu, and Michael R. Hansen for their com- 
ments to an earlier version of this paper. 
This work is partially supported by the Commis- 
sion of the European Communities (CEC) under the 
ESPRIT programme in the field of Basic Research Ac- 
tion proj. no. 7071: “ProCoS 11”, and by the Danish 
Technical Research Council under the “Codesign” pro- 
gramme. 
References 
[l] E. Brinksma. On the Design of Extended LOTOS.  
Technical University Twente, Holland, 1988. Dis- 
sert at ion. 
[2] K.  Mani Chandy and Jajadev Misra. Parallel 
Program Design: A Foundation. Addison-Wesley, 
1988. 
[3] Zhou Chaochen, C. A. R. Hoare, and A. P. Ravn. 
A calculus of durations. Information PTOC. Let- 
ters, 40(5), December 1991. 
[4] J. Dawes. The VDM-SL reference guide. Pit- 
mann, 1991. 
[5] J. W. de Bakker, C. Huizing, W.-P. de Roever, 
and G. Rozenberg, editors. Real- Time: Theory in 
Practice, REX Workshop, volume 600 of LNCS. 
1992. 
[SI M.R. Hansen, Z. Chaochen, and .J. Staunstrup. 
A real-time duration semantics for circuits. In 
Proceedings T A  U 1992 ACM/SIG’DA Workshop 
on Timing Issues in Specification and Synthesis 
of Digital Systems, 1992. Princeton, NJ,  March 
18-20, 1992. 
[7] C.A.R. Hoare. Communicating sequential pro- 
cesses. Communications of the ACM,  21(8):666- 
677, August 1978. 
[8] IEEE, New York. VHDL Language Reference 
Manual, std 1076-1987 edition, 1988. 
[9] R. Inal. Modular specification of real-time sys- 
tems. In Pmc. 6th Euromicro Workshop on Real- 
Time Systems. IEEE Computer Society Press, 
1994. 
[lo] L. Lamport. The temporal logic of actions. Tech- 
nical report, Digital Systems Research Center, 
130 Lytton Avenue, Palo Alto, California 94301, 
USA, 25 December 1991. 
[ll] R. Milner. Communication and Concurrency. Se- 
ries in Computing Science. Prentice-Hall, 1989. 
162 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
[12] B. Moszkowski. A temporal logic for multi- 
level reasoning about hardware. IEEE Computer, 
18(2):10-19, 1985. 
[13] A. P. Ravn. Design of‘ embedded real-time com- 
puting systems. Manuscript, May 1994. 
[14] A.P. Ravn, H. Rischel., and K. M. Hansen. Spec- 
ifying and verifying requirements of real-time 
systems. IEEE Trans. Software Engineering, 
19(1):41-55, Jan. 1993. 
[15] J.  M. Spivey. The Z Notation. Prentice-Hall, 
1989. 
State expressions and state assertions 
The set of state expressions is generated by 
1. every constant, rigid variable, or state variable is 
a state expression, 
2. any type of correct expression op(S1,.  . . , S,,) 
formed from an operator symbol op and state ex- 
pressions SI,. . . , S,, is a state expression. 
A state assertion is a state expression with type Bool. 
Durations and duration terms 
[16] Jorgen Staunstrup. A F o m a l  Approach to Hard- 
ware Design. Kluwer Academic Publishers, 1994. 
[17] J. Vytopil, editor. proceedings symp. on pomal 
Techniques in Real- Time and Fault- Tolerant Sys- 
For any State assertion P ,  S P  is a duration. A dura- 
tion term is Of type and is generated 
1. durations, real constants and rigid variables are 
duration terms, 
tems, volume 571 of L.NCS. 1991. Nijmegen 6-10 
Jan. 1992. 
2. if op is an n-ary operator symbol Over R and 
rl ,  . . . , r,, are duration terms, then op(r1 , .. . , rn) 
1181 Chaochen Zhou, A. P. Ravn, and M. R. Hansen. is a duration term. 
~~ 
An extended duration calculus for hybrid real- 
time systems. In R. L. Grossman, A. Nerode, 
A. P. Ravn, and H. Rischel, editors, Hybrid Sys- 
The symbol .! is used as an abbreviation for the dura- 
tion term Strue.  
tems, volume 736 of LNCS,  pages 36-59, 1993. 
Duration formulas 
Appendix: 
Overview of Duration Calculus 
A system is described by a collection of named state 
variables which are functions of Time, modeled by the 
real numbers. Properties of systems are expressed by 
constraining the state variables over time. We wish 
to express requirements and design without explicit 
mentioning of particular time instants, and introduce 
a notation which is a real-time, interval logic based on 
state durations. 
Syntax 
We assume the names of stsate variables X ,  . . . to- 
gether with their value domains Typex,  . . . given by 
declarations in a suitable specification language. The 
language should comprise names for constants and op- 
erators. The type R of real numbers should be avail- 
able with the usual operators and so should the type 
Bool of boolean values with the usual propositional 
operators. We use lower case names a, b ,  x ,  . . . t o  de- 
note r ig id  variables of any type in the language. Rigid 
variables denote time-independent entities. 
If A is any n-ary predicate symbol on R and TI,. . . , r, 
are duration terms, then A(r1,. ..,r,,) is an atomic 
duration formula. A duration formula is of type Bool 
and generated by 
1. atomic duration formulas and the symbols true 
and f a k e  are duration formulas, 
2. if ?)I and D2 are duration formulas, so are ( ~ D I ) ,  
(271 V D z ) ,  (D1 ; Dz) ,  and (Vz)D1 where x is a 
rigid variable.’ 
We use standard abbreviation A, +, @ for both state 
assertions and duration formulas, and we introduce 
abbreviations for commonly used duration formulas 
Abbrev. Formula Legend 
e = o  point 




ov true ; V ; true somewhere V 
ov l (01V)  always D 
v -+ -o(v ; r1p1) P foiiows D 
for state assertion P and duration formula 2). 
‘In [3] the “chop”-operator ‘I; ” [12] is denoted by “-”.I 
163 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
For duration formulas, the following rules of prece- 
dence are used 
first: 1, 0, 0 
second: v, A, ; 
third: *, --+ 
The logical operators are overloaded: They are used 
for state assertions as well as duration formulas; but 
the meaning can be inferred from the type of the 
operands, e.g., “V” denote disjunction for state as- 
sertions in “[PI V P21” and disjunction for duration 
formulas in “[Pll v [P2]”. 
Semantics 
A (particular) behavior B of a system assigns a 
meaning to each state variable X as a function 
x : [O,Oo) + Qpex 
giving the state as function of time from the start time 
t = 0. 
For a given behavior, we select a value U( x) for each 
rigid variable x. Each state expression then denotes 
a function on [O,m] (where the value is obtained by 
evaluating the expression for each point of time, and 
where each rigid variable denotes a constant function 
with value V ( x ) ) .  
An observation interval is a closed and bounded 
interval [ b ,  e] C [O,m). For a given interval, the dura- 
tion J P of a state assertion P denotes the real number 
J,“( if P ( t )  := tt then 1 else 0)dt 
which is the measure of the set of points in [ b ,  e] where 
P is true. For any interval [ b ,  e ] ,  duration terms and 
atomic duration formulas denote real and boolean Val- 
ues. 
The values of composite duration formulas TV, 
VI V V Z  and ( V x ) V  on [ b ,  e ]  are obtained by the usual 
interpretation of the logical operators and quantifica- 
tion. The value of a “chop” formula VI ; V2 is true 
if and only if the interval [ b ,  e] can be divided into two 
parts [ b ,  m] and [m, e] (with b 5 m 5 e )  such that VI 
is true on [ b ,  m] and V2 is true on [m, e]). 
A duration formula 2) holds on the interval [ b ,  e] for 
the behavior B just when V is true on [ b ,  e] with any 
assignment U of values to the rigid variables. 
The formula V holds from start on the behavior B 
just when it holds on any interval of the form [0, TI 
for the behavior B .  
A duration formula V is valid (a tautology) just 
when it holds for every interval [ b ,  e]. It is sufficient 
for a formula to be valid that it holds from start for 
every behavior B .  
Finite variability 
The interpretation of a state variable X may be con- 
fined to certain classes of functions, e.g., continuous or 
differentiable functions. For a state variable X with 
a discrete value domain Q p e x  it is reasonable to de- 
mand finite variability: Any interval [ a ,  e ]  can be di- 
vided into finitely many subintervals with X constant 
on each (open) subinterval. 
164 
Authorized licensed use limited to: Danmarks Tekniske Informationscenter. Downloaded on July 08,2010 at 08:49:29 UTC from IEEE Xplore.  Restrictions apply. 
