IIST and UNU - UNU-IIST - United Nations University

UNU/IIST 

International Institute for 

Software Technology 

From Durational Specifications to TLA 

Designs of Timed Automata 

Yifeng Chen and Zhiming Liu 

UNU-IIST Report No. 301 

R

UNU-IIST and UNU-IIST Reports 

UNU-IIST (United Nations University International Institute for Software Technology) is a Research and 

Training Centre of the United Nations University (UNU). It is based in Macau, and was founded in 

1991. It started operations in July 1992. UNU-IIST is jointly funded by the Governor of Macau and 

the governments of the People’s Republic of China and Portugal through a contribution to the UNU 

Endownment Fund. As well as providing two-thirds of the endownment fund, the Macau authorities also 

supply UNU-IIST with its office premises and furniture and subsidise fellow accommodation. 

The mission of UNU-IIST is to assist developing countries in the application and development of software 

technology. 

UNU-IIST contributes through its programmatic activities: 

1. Advanced development projects, in which software techniques supported by tools are applied, 

2. Research projects, in which new techniques for software development are investigated, 

3. Curriculum development projects, in which courses of software technology for universities in developing 

countries are developed, 

4. University development projects, which complement the curriculum development projects by aiming 

to strengthen all aspects of computer science teaching in universities in developing countries, 

5. Schools and Courses, which typically teach advanced software development techniques, 

6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and 

7. Dissemination, in which UNU-IIST regularly distributes to developing countries information on 

international progress of software technology. 

Fellows, who are young scientists and engineers from developing countries, are invited to actively participate 

in all these projects. By doing the projects they are trained. 

At present, the technical focus of UNU-IIST is on formal methods for software development. UNU-IIST 

is an internationally recognised center in the area of formal methods. However, no software technique is 

universally applicable. We are prepared to choose complementary techniques for our projects, if necessary. 

UNU-IIST produces a report series. Reports are either Research R , Technical T , Compendia C or 

Administrative A . They are records of UNU-IIST activities and research and development achievements. 

Many of the reports are also published in conference proceedings and journals. 

Please write to UNU-IIST at P.O. Box 3058, Macau or visit UNU-IIST’s home page: http://www.iist.unu.edu, 

if you would like to know more about UNU-IIST and its report series. 

Chris George, Acting Director

UNU/IIST 

International Institute for 

Software Technology 

P.O. Box 3058 

Macau 

From Durational Specifications to TLA 

Designs of Timed Automata 

Yifeng Chen and Zhiming Liu 

Abstract 

Different temporal logics tend to emphasise different aspects of a hybrid system. In this paper, 

we study the predicative interpretation of Duration Calculus (DC) and Temporal Logic 

of Actions (TLA) and the link between them. A notation called generic composition is used 

to simplify the manipulation of predicates. The modalities of possibility and necessity become 

generic composition and its inverse of converse respectively. The transformation between different 

temporal logics is also characterised as such modalities. The formalism provides a framework 

in which human experience about hybrid system development can be formalised as refinement 

laws. A high-level durational specification can be decomposed to two durational specifications 

driven by an automaton. In such a stepwise design process, durational features are reduced 

while automaton features increase gradually. The application of the technique is demonstrated 

in the case study of the gas burner problem.

Yifeng Chen is a lecturer of the Department of computer Science at the University of Leicester. 

His research interest includes logics of computer science, programming and specification 

language designs, and formal specification. E-mail: Y.Chen@cs.le.ac.uk 

Zhiming Liu is a research fellow at UNU/IIST, on leave from Department of Computer Science 

at the University of Liecester, Liecester, England where he is a lecturer in computer science. 

His research interests include theory of computing systems, including sound methods for specification, 

verification and refinement of fault-tolerant, real-time and concurrent systems, and 

formal techniques for OO development. His teaching interests are Communication and Concurrency, 

Concurrent and Distributed Programming, Internet Security, Software Engineering, 

Formal specification and Design of Computer Systems. E-mail: Z.Liu@iis.unu.edu. 

Copyright c○ 2004 by UNU-IIST, Yifeng Chen and Zhiming Liu

Contents 

i 

Contents 

1 Introduction 1 

2 Predicative semantics of modal logics 2 

3 Temporal logic of resource cumulation 6 

4 Linking Duration Calculus and TLA 10 

5 Case study: the Gas Burner 16 

6 Conclusions 18 

Report No. 301, 

UNU-IIST, P.O. Box 3058, Macau

Introduction 1 

1 Introduction 

An embedding system consists of both continuous components that observe continuous physical 

laws and discrete components that execute digital instructions. Hybrid systems inevitably 

involve time as an observable and can be naturally specified using temporal logics. Different temporal 

logics tend to emphasise different aspects of an embedding system. For example, interval 

logics such as Duration Calculus (DC) [17], emphasising properties over intervals, are more suitable 

for describing high-level continuous properties and hence closer to the continuous aspects 

of embedding systems. On the other hand, Linear Temporal Logics (LTL) [11], emphasising 

the properties of states at discrete time points, are more suitable for modelling discrete aspects 

of embedding systems and can be easily verified as a timed automaton [12]. A straightforward 

specification in one logic may become less intuitive in another logic. In the past, all aspects of 

an embedding system are normally specified in one logic [8, 18]. Traditional method of combining 

logics is to collect syntactical constructs together and identify the axioms of the system. 

This usually results in a complicated axiomatic system difficult to handle. For example, the 

design of an embedding system may involve an abstract specification of the requirements in DC 

and a concrete LTL specification that describes the behaviour of the system of implementation. 

Existing development techniques do not support such refinement. A more natural approach is 

to unify the different logics at a common semantic level. 

Predicative interpretation is a standard technique in modal logic [1, 15]. A proposition with 

modal operators can be interpreted as a predicate. The modality of possibility (or necessity) 

is represented as an existential (or universal) quantifier. Predicates are also used in semantic 

modelling of programming languages. This approach is often known as predicative semantics [5, 

7]. 

We use a notation called generic composition [2] to simplify the manipulation of predicates. A 

generic composition is a relational composition with a designated interface consisting of several 

logical variables. Generic composition has an inverse operator. With the help of the two operators, 

we no longer need the existential and universal quantifiers. The modality of possibility 

then becomes a generic composition, while the modality of necessity becomes its inverse of converse 

[4]. Temporal logics have been characterised algebraically using Galois connections [16]. 

In our approach, the accessibility relation of modal logics is directly parameterised. The link 

between two specifications in different temporal logics is characterised as a pointwise relation 

between the possible observations of the specifications. Such a pointwise relation also determines 

a pair of modalities and can be defined with a generic composition and its inverse. 

For unification, we model different temporal domains such as real time, traces, timed traces, 

forests (for branching time) and intervals under a notion called resource cumulator [3]. A cumulator 

is a quintuple compromising a monoid, a corresponding partial order and a volume function 

that measures the amount of resources. A cumulator provides the “type” for a logical variable 

of a particular temporal domain. The integration of different temporal logics will not be useful 

unless we provide the knowledge about how specifications in one logic can be approximated or 

refined by specifications in another logic. Such knowledge can be formalised as the refinement 



Predicative semantics of modal logics 2 

laws of modalities. Identifying these laws can make the design process more systematic. 

In this paper, we will demonstrate this by studying the refinement from DC specifications to 

TLA implementations. An automaton with two states can be readily specified in TLA. A highlevel 

durational specification can be decomposed to two durational specifications “driven” by 

an automaton. Such decomposition can be repeated several times and create a hierarchical 

structure of two-state automata. The rest of the design is to combine the automata in a single 

flat one. The advantage of this approach is that implemental features are introduced step by 

step gradually. This allows each development step to preserve more nondeterminism from the 

original specification and thus keep more flexibility in the following design steps. 

In previous works, Schenke and Olderog [14] studied the direct refinement transformation from 

DC to a language similar to CSP [6]. Since the gap between DC and TLA specifications is 

smaller than that between DC and a real programming language, our approach yields stronger 

algebraic properties. The result TLA implementations can be verified with model-checking tools. 

Section 2 studies the predicative semantics of modal logic using the notation of generic composition 

and its inverse. Section 3 unifies different temporal domains under the notion of resource 

cumulator and defines the predicative semantics of temporal logic in general and discusses several 

temporal logics including DC and TLA. The relationship between DC and TLA is studied 

in Section 4. The refinement laws identified in Section 4 are then applied to the case study in 

Section 5. 

2 Predicative semantics of modal logics 

Manipulating predicates 

We assume that there are two types of logical variables: non-overlined variables such as x, y, z, · · · 

and overlined variables such as x, y, z, · · · . Overlining is only used to associate corresponding 

logical variables syntactically. We use a notation called generic composition [2] to manipulate 

predicates. A generic composition is a relational composition with a designated interface of 

non-overlined variables. 

Def 1 P : x R ̂= ∃x 0 · P [x 0 /x] ∧ R[x 0 /x] . 

A ‘fresh’ variable x 0 is used to connect x of P and x of R and hidden by the existential 

quantifier. Generic composition is a restricted form of relational composition. It relates two 

predicates on only some of their logical variables. For example, the following composition relates 

two predicates on only x (and x ): 

(x = 10 ∧ y = 20) : x (x x ∧ z = 30) = (10 x ∧ y = 20 ∧ z = 30). 




The existential quantifier ∃x· P is simply represented as P : x true , and variable substitution 

P [e/x] as P : x (x = e) . An interface x may split into several variables, e.g. (y, z) . For example, 

the generic composition P : (y, z) true is the same as the predicate ∃y∃z · P . If the vector is 

empty, a generic composition becomes a conjunction: P : R = P ∧ R . 

Generic composition has an inverse operator denoted by P / x R, which is the weakest predicate 

X such that (X : x R) ⊆ P . It can be defined by a Galois connection: 

Def 2 X ⊆ P / x R iff X : x R ⊆ P for any predicate X . 

Generic composition and its inverse satisfy a property: 

P / x R = ¬ (¬ P : x ˜R) = ∀x0 · (R[x 0 /x, x/x] ⇒ P [x 0 /x]) 

where ˜R ̂= R[x/x, x/x] is the converse of R for the variable x . Universal quantifier ∀x· P 

can then be written as P / x true . Negation ¬ P becomes false / P whose interface is empty. 

Implication P ⇒ Q becomes Q / P with an empty interface. Disjunction P ∨ Q is a trivial 

combination of negation and implication. Thus all connectives, substitution and quantifiers 

become special cases of generic composition and its inverse [2]. 

Theorem 1 Generic composition and its inverse are complete in the sense that any predicate 

that does not contain overlined free variables can be written in terms of generic composition and 

its inverse using only the constant predicates and predicate letters. 

The theorem shows the expressiveness of generic composition for predicate manipulation. Generic 

composition and its inverse form a Galois connection and satisfy the algebraic laws of strictness, 

distributivity and associativity. 

Law 1 

(1) A ⊆ (A : x R) / x R 

(3) false : x R = false 

(5) A : x (R ∨ S) = (A : x R) ∨ (A : x S) 

(7) A / x (R ∨ S) = (A / x R) ∧ (A / x S) 

(9) (A : x R) : x S = A : x (R : x S) 

(2) (A / x R) : x R ⊆ A 

(4) true / x R = true 

(6) (A ∨ B) : x R = (A : x R) ∨ (A : x R) 

(8) (A ∧ B) / x R = (A / x R) ∧ (A / x R) 

(10) (A / x R) / x S = A / x (S : x R) . 

The notation is especially useful when the interfaces of the operators in a predicate are not 

identical. For example, in the following law we assume that x , y and z are three different 

logical variables, A = ∃z · A (independence of the variable z ) and C = ∃y · C (independence of 

the variable y ). 




Law 2 

(A : (y,x) B) : (x,z) C = A : (y,x) (B : (x,z) C). 

Generic composition and its inverse can be used to define modalities. These properties make 

the composition a useful technical tool for linking temporal logics. Generic composition has also 

been applied to define a variety of healthiness conditions and parallel compositions. The above 

laws and a series of other laws can be found in [2]. 

Interpreting modalities 

Under Kripke semantics [1], modal logics are logical systems of relations (called “accessibility 

relations”). Here, we represent a specification as a predicate on a modal variable (e.g. x) and 

an auxiliary variable (e.g. y). The modal variable records the observable aspect related to the 

accessibility of the modalities, while the auxiliary variable records the unrelated observable 

aspect. For now, the variables are left untyped. These logical variables will later be typed 

in temporal logics. A logical variable may split into several ones, and its type becomes the 

product of several types. The semantic space is the set of all such specifications (e.g. denoted 

by A ). An accessibility relation R = R(x, x) is denoted by a predicate on two variables: the 

modal variable x and the overlined modal variable x . Overlined variables only appear in the 

accessibility relations. Each accessibility relation determines a pair of modalities. 

Def 3 ♦ A P ̂= P : x ˜R and A P ̂= P / x R . 

The operator ♦ A P informally means that “the predicate P may be true” and is defined as a 

generic composition of the specification P and the converse relation ˜R ; its dual modality A P 

informally means that “the predicate P must be true” is defined with an inverse operator. 

If we replace the accessibility relation with its converse, we will obtain a pair of converse modalities. 

Def 4 ˜♦A P ̂= P : x R and ˜ A P ̂= P / x ˜R . 

Generic composition and its inverse can be regarded as parameterised modal operators. They 

have a designated interface and are more convenient than traditional relational composition in 

this context for two reasons. Firstly, the abservable aspects (described by the auxiliary variable) 

unrelated to the accessibility relation can be excluded from the interface of the relational composition. 

Secondly, the predicate on the left-hand side of a generic composition (or its inverse) can 

be either a specification (without overlined variables) or an accessibility relation (with overlined 

variables). Thus the operators can be directly used to represent the composition of accessibility 

relations (i.e. the composition of modalities). 




The converse/inverse relationships between these modalities are illustrated in a diagram (see 

Figure 1). The four modalities form two Galois connections. 

A P 

Converse 

˜A P 

Inverse 

Inverse 

˜ A P 

Converse 

A P 

Figure 1: Diagram of converse/inverse relationships 

Law 3 ♦ A P ⊆ Q iff P ⊆ ˜ A Q for any P ∈ A and Q ∈ B 

˜♦ A P ⊆ Q iff P ⊆ A Q for any P ∈ A and Q ∈ B . 

Transformer modalities 

The transformation between two temporal logics also becomes modalities. Let A (or B ) be a 

semantic space of specifications, each of which is a predicate on modal variable x (or x ′ ) and 

auxiliary variable y (or y ′ ). The transformation from A to B is characterised as a transformation 

predicate T = T (x, y, x ′ , y ′ ) on four variables. The predicate determines a transformer 

modality ♦ A→B from A to B and a corresponding inverse transformer B→A from B to A . 

In the following definition, we assume that P = P (x, y) and Q = Q(x ′ , y ′ ) . 

Def 5 ♦ A→B P ̂= P : (x,y) T 

B→A Q ̂= Q / (x ′ ,y ′ ) T . 

Note that ♦ A→B and B→A form just one pair of transformers based on the predicate T . 

Other transformers between the two logics can be denoted as ♦ A→ ′ B and ♦ A→ ′′ B etc. Let 

♦ A→B and ♦ B→C be two transformers. Their composition ♦ A→B ♦ B→C is also a transformer 

(from A to C ), so is the composition of their inverses. 

If the modal variable and the auxiliary variable are untyped, the above predicative semantics is 

contained in predicate calculus and hence complete. A well-formed formula is always true if and 

only if it can be proved using the laws of generic composition and its inverse (or equivalently, 

the axioms of predicate calculus). 



Temporal logic of resource cumulation 6 

3 Temporal logic of resource cumulation 

Resource cumulation 

Many aspects of computing can be modelled as the cumulation of resources. In real-time computing, 

time is a kind of resource. A process “consumes” a non-negative amount of time. A 

computation may also produce resources. For example, a reactive process generates an increasingly 

longer sequence of intermediate states called a trace. Resource cumulation can be 

formalized as a quintuple called a cumulator: (X, ; 0, ⌢ ; | · |) , which consists of three 

parts: a well-founded partial order (X, ) in which each element is called a cumulation and 

the greatest lower bound exists for any non-empty subset, a monoid (0, ⌢ ) in which 0 , or 

zero cumulation is the least cumulation, and a monotonic and associative binary operation concatenation 

⌢ corresponds to the addition of cumulations, and a monotonic and strict volume 

function | · | : X → [0, ∞] : We assume that the partial order and the monoid are consistent: 

a b ⇔ ∃c∈X · a ⌢ c = b . The unusual part of a cumulator is the volume function. A volume 

function measures the amount of resource cumulated. With such additional information we can 

then reason about the dynamics of resource cumulation. For example, a resource is exhausted 

when its volume reaches infinity ∞ . The use of volume functions can substantially simplify the 

reasoning of limit points, continuity, and other topological properties. Such modelling is aimed 

at avoiding complicated domain construction and has reflected our pragmatic view on resources. 

For a more complete account of resource cumulation, please refer to [3]. 

Example: The amount of time that a computation consumes can be modelled as a cumulator: 

RTime ̂= ([0, ∞], ; 0, + ; id) where + is addition. id is the identity function. 

Example: In some applications, we are interested in temporal properties over a period of time 

and thus need to reason about temporal intervals. Intervals form a cumulator Interval ̂= (I, 

; ∅, ⌢ ; | · |) where I denotes the set of intervals, each of which is a convex subset i of the 

real domain [0, ∞] (such that for any t 1 , t 2 ∈ i and t 3 ∈ T , t 1 t 3 t 2 implies t 3 ∈ i ). For 

example, [1, 2] , [1, 2) , (1, 2] , (1, 2) and the empty set ∅ are intervals. Let I denote the set of 

all intervals. a ⌢ b ̂= a ∪ b if a ∩ b = ∅ , ⊔a = ⊓b and a ∪ b ∈ I . The volume of a non-empty 

interval is its length: |a| ̂= ⊔a − ⊓a where ⊔a and ⊓a denote the lub and glb of the interval 

a respectively. The volume of the empty set is zero |∅| = 0 . The orders a b means that b is 

a right-hand extension of a , i.e. ∃c ∈ I · a ⌢ c = b . 

Example: Finite and infinite traces form a typical cumulator: Trace(X) ̂= (X † , ; 〈〉, ∧ ; |· 

|) where X is the type of each element, and X † the set of all sequences of elements (including 

the infinite ones). For two sequences a, b ∈ X † , a ∧ b denotes their concatenation. If a is an 

infinite sequence, then for any b, a ∧ b = a . a b iff a is a prefix (i.e. pre-cumulation) of b . |a| 

denotes the length of a . For exampe, the length of the empty sequence 〈〉 is 0. a i denotes the 

i -th element of the sequence where 1 i |a| . 




Example: A timed trace is a trace with non-decreasing time stamps. The sequence 〈(1, p), (2, q), (4, p)〉 

is one example. In general, a timed trace is a trace of pairs in the form 〈(t 1 , s 1 ), (t 2 , s 2 ), · · · , (t n , s n ), · · ·〉 . 

Timed traces form a cumulator: TimedTrace(X) ̂= (T (X), ; 〈〉, ∧ ; | · |) where 

T (X) ̂= 

{ 

} 

tr ∈ ([0, ∞] × X) † | ∀i, j < |tr|· (i j ⇒ t i t j ) . 

Temporal logic of resource cumulation 

Temporal logic of resource cumulation is a modal logic. Let (X, ; 0, ⌢ ; | · |) be a cumulator. 

A general cumulative specification is a predicate on a modal variable x ∈ X whose type is a 

cumulator and an untyped auxiliary variable y . We let R denote the semantic space of such 

specifications. The general cumulator gives rise to a number of accessibility relations, each of 

which determines two pairs of modalities. A common accessibility relation corresponds to the 

left-hand contractions: R ̂= ∃z ∈ X · (x = z ⌢ x) . 

The modality ♦ R P informally means that “the predicate P becomes true after some precumulation 

of resources”. More precisely, the behaviours of ♦ R P are the behaviours of P 

extended with arbitrary cumulations on the left-hand side. The modality R P , instead, means 

that “the predicate P is true for any left-hand extensions of the behaviours of P . The pair of 

converse modalities ˜♦ R P and ˜ R P are actually the corresponding “past-tense” modalities. 

All properties of general modalities are inherited. 

There exists a dual accessibility relation for right-hand contractions: 

R ′ ̂= ∃z ∈ X · (x = x ⌢ z) . Again, it determines two pairs of modalities ♦ R ′ P , R ′P , ˜♦R ′ P 

and ˜ R ′ P . The modalities of left-hand and right-hand extensions/contractions commute with 

each other respectively. Their respective compositions (e.g. ♦ R ♦ R ′ P ) becomes a bi-directional 

contractions/extensions. 

The most commonly used temporal operator ♦ P in LTL means that “the predicate P eventually 

becomes true in finite steps”. Its dual operator P means that “the predicate P is always true 

after finite steps”. They correspond to ♦ |L|


Examples of temporal logics 

The amount of time that a computation consumes corresponds to the cumulator RTime. A 

real-time specification is a predicate on a typed modal variable t ∈ [0, ∞] that denotes time and 

an untyped auxiliary variable s that denotes the system’s state at the time. We let T denote 

the space of such specifications. Since addition is commutative i.e. a + b = b + a, it makes no 

difference whether time is extended from the left-hand side or the right-hand side. For example, 

e t = x described a system’s temporature growing exponentially over time. 

Intervals within a time domain form the cumulator Interval . A specification on intervals is 

a predicate on a variable i ∈ I that denotes the interval and an auxiliary variable x that denotes 

some system feature related to the interval. We let I denote the space of all temporal 

specifications on intervals. An interval can be extended from either left-hand side or right-hand 

side. 

Traces of elements of X form a cumulator Trace(X) . A trace specification is a predicate on 

a single variable tr ∈ X † . We let S denote the space of trace specifications. For example, the 

specification |S|


another state satisfying ¬p in some time t ∈ U and then moves back to a state satisfying p in 

some time t ∈ V where U, V ⊆ [0, ∞] . The two-state automaton can be formalised as follows: 

(2) 

Automaton(p, U, V ) ̂= 

K [(p(s) ∧ ¬p(s ′ ) ∧ t ′ −t ∈ U) ∨ (¬p(s) ∧ p(s ′ ) ∧ t ′ −t ∈ V )] (s,t) . 

Figure 2: Automaton with two states 

Duration calculus (DC) is a special interval logic. A durational specification is a predicate on a 

variable i ∈ I that denotes the interval and an auxiliary variable x : [0, ∞] → S that denotes a 

real-time Boolean function. We use a boolean function p : S → {0, 1} to denote whether a state 

x(t) at the time t satisfies the predicate p(·) . The space of durational specifications is denoted 

by D. 

Again, we may introduce some dependent variables. For example, instead of specifying the 

relation (i.e. a predicate) between the interval and the real-time function, we may specify the 

relation between the length of the interval and the integral of the real function in the interval. 

Although not all computation can be specified in such a restricted way, it has been expressive 

enough for most applications and covers most common design patterns [13]. The following table 

lists the primitives of DC: 

P (l, ∫ p) general pattern 

⌈p⌉ lift 

D P modality of sub-interval closure 

P Q chop operation 

P ∨ Q logical disjunction 

¬P negation 

For example, the Gas Burner problem [13] includes a requirement that gas leak is bounded by 

4 for any interval no longer than 30. This can be formalised as a specification in DC: 

(3) 

D (|i| 30 ⇒ ∫ i 

Leak(x(t)) dt 4) 



Linking Duration Calculus and TLA 10 

where Leak is a predicate denoting whether there is leaking in a state. For simplicity, we rewrite 

the specification using standard abbreviations: 

D (l 30 ⇒ ∫ Leak 4) 

where l ̂= |i| and ∫ Leak ̂= ∫ i 

Leak(x(t)) dt . 

The following two concrete DC specifications form a common design implementing the above 

abstract specification: 

(4) 

D (⌈Leak⌉⇒ |i| 4) and D (⌈Leak⌉ ⌈¬Leak⌉ ⌈Leak⌉ ⇒ |i| 26) 

where the real-time function x(t) records the state at the time point t , the specification 

⌈Leak⌉ ̂= ( ∫ Leak = l) describes a period with gas leak (at “most” time points of in the period 

[17]), and ⌈¬Leak⌉ ̂= ( ∫ Leak = l) describes a period almost without leak. The first 

specification requires any leaking period to be bounded by 4 seconds; the second specification 

states that, during any interval, the period of non-leak between two periods of leak should be 

no less than 26 seconds. The sequential composition (also known as the chop operation) is 

the pointwise concatenation of the intervals of specifications: 

P Q ̂= ∃i 1 i 2 · (P [i 1 /i] ∧ Q[i 2 /i] ∧ i = i ⌢ 1 i 2) . 

The similarity between the TLA specification (1) and the DC design (4) is obvious. They 

essentially describe the same controlling strategy. Their link will be captured by a transformer 

between the two logics. 

4 Linking Duration Calculus and TLA 

The transformer from TLA to DC 

We now study a technique to link DC specifications with TLA designs. Indeed each timed trace 

of 0s and 1s determines some real-time Boolean function in [0, ∞] → {0, 1} . For example, the 

timed trace 〈(1.0, 0), (2.0, 1), (4.0, 0)〉 corresponds to a Boolean real-time function whose value 

is 0 from time 1.0 to time 2.0 when the value becomes 1 until time 4.0 . The state between 

any two consecutive time points is constant. For example, the DC abstract specification (3) can 

be implemented with a TLA specification of timed traces (1). The TLA design is arguably more 

intuitive than (3) in DC alone. Such interpretation of a timed trace also directly corresponds to 

a timed automaton. 




The link between timed-trace TLA and durational calculus can be characterised as a predicate 

of weak inverse on timed trace tr , interval i and real-time function x(l) : 

T (tr, i, x) ̂= ∧ k (l= ∫ (x= s k ) / i (i ⊆ [t k , t k+1 ] ∩ i)). 

Each timed trace determines a real-time function whose value may only change at the time 

points of the trace. The value between two consecutive time points is “stable” in the sense that 

the values at “most” time point (except for isolated ones not affecting the integral) during the 

period are the same. The transformer requires that in any sub-interval segment of the timed 

trace, the real-time function x matches the stable states generated by the timed trace. 

A timed trace may contain arbitrarily-many consecutive state transitions at a single time point. 

Since the above transformer allows nondeterminism at isolated time points, such zero-time transitions 

cause no difficulty. 

Def 6 ♦ K→D P ̂= P : tr T and D→K P ̂= P / tr T . 

It is easy to show that any DC specification transformed from a TLA specification is always 

sub-interval closed. 

Law 4 D ♦ K→D P = ♦ K→D P . 

An automaton can be easily specified using a TLA formula (2). We introduce a notation for 

DC-specified automata in which U, V ⊆ [0, ∞] are two closed non-empty sets of time points 

such that the lub and glb of any of their non-empty subsets are contained in them. For example, 

they can be closed intervals like [0, 1] . 

Def 7 〈 U ↑ p ↓ V 〉 ̂= ♦ K→D Automaton(p, U, V ). 

An automaton is symmetric and monotonic in the sense that reducing the range of timing 

restrictions leads to the reduction of nondeterminism. 

Law 5 (1) 〈 U ↑ p ↓ V 〉 = 〈 V ↑ ¬p ↓ U 〉 

(2) 〈 U ↑ p ↓ V 〉 ⊇ 〈 U ′ ↑ p ↓ V ′ 〉 (U ⊇ U ′ , V ⊇ V ′ ). 

We use ∞ to denote the singleton range [∞, ∞] . Lift and chop operators can then be expressed 

with special automata. Note that the chop operation implies a certain synchronisation between 

the system and the observer: the chopping point must always fall in the interval of observation. 

This is achieved by eliminating the possibility that the chopping point falls out of the observation 

interval. 




Law 6 (1) ⌈p⌉ = 〈 ∞ ↑ p ↓ [0, 0] 〉 

(2) 〈 ∞ ↑ p ↓ ∞ 〉 = ⌈p⌉ ∨ ⌈¬p⌉ 

(3) ⌈p⌉ ⌈¬p⌉ = 〈 [0, ∞] ↑ p ↓ ∞ 〉 ∧ ¬〈 ∞ ↑ p ↓ ∞ 〉 . 

We use an abbreviation P ⊳ p ⊲ Q of choice to denote that two durational specifications P and 

Q are controlled by a boolean p : during any interval in which p is always true, P must hold; 

during any interval in which ¬p is always true, Q must hold. There is no restriction for those 

intervals in which p is sometimes true and sometimes not true. 

Def 8 P ⊳ p ⊲ Q ̂= ⌈p⌉ ⇒ P ∧ ⌈¬p⌉ ⇒ Q . 

The following law shows that the chop composition of any two durational specifications can 

be implemented as a choice between the specifications, and the change of the choice is made 

sometime during an interval. If p is independent of P and Q and becomes hidden, the two 

sides will be equal. 

Law 7 P Q ⊇ P ⊳ p ⊲ Q ∧ 〈 [0, ∞] ↑ p ↓ ∞ 〉 ∧ ¬〈 ∞ ↑ p ↓ ∞ 〉. 

General patterns of specifications and their refinement 

A durational specification is a predicate P (i, x) on the interval i and the real-time function 

x : [0, ∞] → S . A common durational specification is a predicate P (l, ∫ p) on the length l ̂= |i| 

of the interval and the integral of a boolean function p during the interval. This reflects the fact 

that the controlling of a system is normally independent of the starting time and insensitive to 

state changes at isolated time points. 

A durational specification D 

∫ 

p f(l) requires the total time of the state satisfying p in 

any interval with length l to be bounded by a characteristic function f(l). For example, the 

specification D (l 30 ⇒ ∫ leak 4) is a special case of this pattern with the characteristic 

function f(l) ̂= 4 ⊳ l ∈ [4, 30] ⊲ l where we use a ⊳ b ⊲ c to denote the value a if b is true, or 

the value c otherwise. The dual pattern D 

∫ 

p g(l) is equal to D 

∫ 

¬p (l−f(l)). 

The following law shows that two specifications with different characteristic functions may describe 

the same requirement. 

Law 8 D 

∫ 

p f(l) = D 

∫ 

p f ′ (l) , if any of the following condition is satisfied ( l, l 0 , l 1 0 ): 

1. f ′ (l) = min(l, f(l)) , 

2. f ′ (l) = min {f(l ′ ) | l ′ l} , 

3. or f ′ (l) = min {f(l 0 ) + f(l 1 ) | l 0 + l 1 = l} . 




Refinement of general patterns 

The durational specification 〈 U ↑ p ↓ V 〉 describes an automaton with two composite states 

satisfying p and ¬p , respectively. A common durational specification may be implemented with 

an automaton, if the timed transitions are determined properly. For example, the durational 

specification of gas burner[13] can be implemented as follows: 

D (l 30 ⇒ ∫ leak 4) ⊇ 〈 [0, 4] ↑ leak ↓ [26, ∞] 〉. 

In each cycle of the automaton, the designed system must stay in a state satisfying p in no 

more than 4 seconds and then must stay in a state satisfying ¬p in no less than 26 seconds. 

Note that the above implementation is not unique. We may easily replace it with an automaton 

〈 [0, 2] ↑ leak ↓ [13, ∞] 〉 twice as fast. 

The fact that general durational specifications may have different implementations reveals the 

considerable gap between DC and TLA. The former is more suitable for higher-level specification 

on continuous properties expressible with integrals, while the latter naturally describes the 

properties of automata. Not every non-zero durational specification can be implemented as a 

non-trivial automaton. For example, the specification D 

∫ 

p = l/2 describes a system whose 

density of states satisfying p is 0.5 everywhere. However, it can not be implemented with any 

automaton as it does not allow the state to be stable in any short period of time. 

The different natures of the two formalisms suggest that we should incorporate both in most parts 

of the system development. A design process starts from an abstract durational specification, 

which is refined in a number of steps. In each step, transitional features will be enriched, 

with durational features reduced. The design process eventually reaches an automaton system 

without durational features. 

A durational specification in the common pattern can be decomposed into two such specifications 

“driven” by an automaton: 

(5) 

D 

∫ 

p f(l) ⊇ (D 

∫ 

p g(l) ⊳ q ⊲ D 

∫ 

p h(l)) ∧ 〈 U ↑ q ↓ V 〉. 

The automaton 〈 U ↑ q ↓ V 〉 switches between q and ¬q according to the time restrictions 

∫ 

U 

and V . If the automaton is in a state satisfying 

∫ 

q , the system behaves like D p g(l) ; 

or if it is in ¬q , the system behaves like D p h(l) . Note that the above refinement only 

holds when the characteristic functions f, g, h and the sets U, V of time points satisfy some 

constraints, which can now be identified in seperate laws. 

We first consider the most general case of refinement. If an automaton switches between two 

states in exactly a and c seconds respectively, the maximum number of full segments contained 




in an interval of length l is identified as follows: 

segnum(l, a, c) ̂= max {m + n | ma + nc < l, |m−n| 1}. 

Since a slower automaton can only produce less segments in an interval, the number 

segnum(l, inf U, inf V ) has provided the maximum number of segments for a general automaton 

〈 U ↑ q ↓ V 〉 . Note that we assume (inf U + inf V ) > 0 and consider only non-Zeno automata. 

Besides full segments, an interval may include partial segments on both ends. Their lengths are 

bounded by sup U or sup V , depending on the state. This is why according to the definition, 

we have segnum(a + c, a, c) = 1 so that the last segment on either end can be regarded as a 

partial segment. The purpose is to enumerate all possibilities for each interval and ensure that 

in every case, the right-hand side of (5) refines the left-hand side. In the following laws, we use 

a ⊳ b ⊲ c to denote the value a if b = 1 , or the value c if b = 0 . 

Def 9 A characteristic function f can be decomposed as two functions g and h under the restrictions 

of U and V , if (inf U + inf V ) > 0 and for any t 0 and any n segnum(t, inf U, inf V ) 

and any t 0 , t 1 , · · · , t n+1 and t ′ 0 , t′ 1 , · · · , t′ n+1 such that t 0, t n+1 sup U, t ′ 0 , t′ n+1 sup V , t 1, · · · , t n ∈ U 

and t ′ 1 , · · · , t′ n ∈ V , we have: if ∑ n+1 

k=0 (t k ⊳ 2 | k ⊲ t ′ k ) = t then ∑ n+1 

k=0 (g(t k) ⊳ 2 | k ⊲ h(t ′ k )) 

f(t); and if ∑ n+1 

k=0 (t′ k ⊳ 2 | k ⊲ t k) = t then ∑ n+1 

k=0 (h(t′ k ) ⊳ 2 | k ⊲ g(t k)) f(t) . 

Law 9 If the function f can be decomposed as g and h under the restrictions of U and V , 

the law (5) holds. 

The following theorem reveals that if g and h are maximally minimised (see Law 8), then Law 9 

is complete. 

Theorem 2 (Completeness) If (5) holds but the function f cannot be decomposed as g and 

h under the restrictions of U and V , then there exist g ′ and h ′ ∫ 

∫ 

such that D p g(l) = 

D p g ′ ∫ ∫ 

(l) and D p h(l) = D p h ′ ∫ ∫ 

∫ 

(l) and D p f(l) ⊇ (D p g ′ (l) ⊳ q ⊲ 

D p h ′ (l)) ∧ 〈 U ↑ q ↓ V 〉 , and f can be decomposed as g ′ and h ′ under the restrictions of 

U and V . 

Unfortunately the precondition of the complete law is too complicated to check in practice. We 

must consider its useful special cases. If the abstract specification is related to only intervals 

no longer than the sum of the minimum lengths of the two phases, then the precondition of the 

decomposition can be reduced to a constraint on at most three segments. 

Law 10 If a + c > 0 , U = [a, b] , V = [c, d] , t f(t) for any t > a + c , and for any t, we have 

g(t 0 ) + g(t 1 ) + h(t 2 ) f(t) for any t 0 , t 1 ∈ [a, b] and t 2 ∈ [c, d] such that t 0 + t 1 + t 2 = t , and 

h(t 0 ) + h(t 1 ) + g(t 2 ) f(t) for any t 0 , t 1 ∈ [c, d] and t 2 ∈ [a, b] such that t 0 + t 1 + t 2 = t , then 

the law (5) holds. 




If the abstract specification is related to only intervals no longer than any phase, then the 

precondition can be reduced to a constraint on at most two segments. 

Law 11 If a, c > 0 , U = [a, b] , V = [c, d] , t f(t) for any t > min(b, c) , and for any t, we 

have g(t 0 ) + h(t 1 ) f(t) for any t 0 ∈ [a, b] and t 1 ∈ [c, d] or t 0 ∈ [c, d] and t 1 ∈ [a, b] such that 

t 0 + t 1 = t , then the law (5) holds. 

The above laws introduce an automaton as the structure of refinement and leave the parameters 

to be decided later. System developers need to determine the parameters according to their own 

design strategy. 

Refinement of basic patterns 

If the driven specifications are the extreme ones either almost true or almost not true, the 

refinement laws can be further simplified. For example, the durational specification 

(6) 

D (l A ⇒ ∫ p B) 

requires a system not to stay in the a state satisfying p longer than B during any period no 

longer than A . This is illustrated in Figure 3 (a) as sets of coordinates (t, s) where t denotes 

l and s denotes ∫ p. We assume that s t . 

10 

9 

s 

10 

9 

s 

8 

8 

7 

7 

6 

6 

5 

5 

4 

4 

3 

2 

(A,B) 

3 

2 

(A,B) 

1 

0 

0 1 2 3 4 5 6 7 8 9 10 

(a) 

t 

1 

0 

0 1 2 3 4 5 6 7 8 9 10 

(b) 

t 

Figure 3: The basic pattern and its refinement (b = B/2) 

Such a durational specification is directly implemented with an automaton, instead of being 

decomposed to a mixture of intermediate specifications. 

Law 12 

If 0 and c A−B 

⌊B/b⌋ , then D (l A ⇒ ∫ p B) ⊇ 〈 [0, b] ↑ p ↓ [c, ∞] 〉 . 



Case study: the Gas Burner 16 

Figure 3(b) illustrates the refinement of the basic patterns. The grey area indicates the requirements, 

while the dark area (contained in the grey area) illustrates the TLA design. 

The following law is a generalisation of Law 12 for general functional restrictions. 

Law 13 If l f(l) for any l b , f(l) > b for any l > b , and c sup l>b 

l−f(l) 

⌊f(l)/b⌋ , then 

D 

∫ 

p f(l) ⊇ 〈 [0, b] ↑ p ↓ [c, ∞] 〉 . 

5 Case study: the Gas Burner 

The Gas Burner problem was first stated in [13] and has been a standard example of hybrid 

system design. A gas burner can be in any state of being idle, purging (waiting the leaked gas 

to disperse), attempting to ignite, monitoring flame when igniting, or burning after successful 

ignition. There is no leak in idling or purging, but there is always leak in any attempt of ignition 

before burning. In this paper, we consider a challenging version of the example in which the 

burning phase may have some leak due to the possibility of disturbance from the environment 

(see [10]). 

The main requirement is to ensure that the total gas leak in every 30 seconds does not exceed 

4 seconds. This can be neatly specified in Duration Calculus as follows: 

D (l 30 ⇒ ∫ Leak 4) . 

Our treatment of this problem consists of several steps of automata decomposition hierarchically. 

This process may be viewed as “refinement”, as each step corresponds to a reduction of 

nondeterminism. On the other hand, if the target automaton is constructed and model-checked 

first, the reversed process can be used to establish the link between the checked model and the 

original specification for verification purposes. 

We first decompose the original requirement into burning and non-burning phases generated 

by a cyclic automaton. For simplicity, we intend to use the 2-segment refinement Law 11 and 

thus need to construct a slow automaton that takes at least 30 seconds to change state. Since 

the original specification is in a special form, we need to consider only intervals of length 30 

and choose g(·) and h(·) (to characterise the amount of leak) such that for any t 0 and t 1 , 

if t 0 + t 1 = 30 g(t 0 ) + h(t 1 ) 4 . For convenience, we choose g(t) ̂= B 1 ⊳ t ∈ [B 1 , 30] ⊲ l and 

h(t) ̂= B 2 ⊳ t ∈ [B 2 , 30] ⊲ l . We now obtain our first refinement (illustrated in Figure 5). 

D (l 30 ⇒ ∫ Leak 4) 

⊇ 

D (l 30 ⇒ ∫ Leak B 1 ) ⊳ Burn ⊲ D (l 30 ⇒ ∫ Leak B 2 ) 

∧ 〈 [a, ∞] ↑ Burn ↓ [b, ∞] 〉 



Case study: the Gas Burner 17 

where the parameters satisfy the following condition: 

Restriction 1 a 30 , b 30 and B 1 + B 2 4 . 

Figure 4: Design of automata 

According to Law 12, the non-burning phase D (l 30 ⇒ ∫ Leak B 2 ) can be further decomposed 

to another automaton driven by the first one with leaking and non-leaking phases 

(illustrated in Figure 5): 

D (l 30 ⇒ ∫ Leak B 2 ) ⊇ 〈 [0, c] ↑ Leak ↓ [d, ∞] 〉 . 

where the parameters satisfy the following condition: 

Restriction 2 0 < c B 2 and d 30−B 2 

⌊B 2 /c⌋ . 

The two automata run independently. The second automaton only takes effect when the system 

is not burning. Further refinement of the non-burning phase can be done using standard 

automaton techniques. For example, the two automata can be combined in one in Figure5. 

Figure 5: Combined design 

Restriction 3 e B 2 , e + d b and f B 2 . 



Conclusions 18 

There are many possible solutions to the restrictions. We take the following combination: 

a = b = 30, B 1 = B 2 = 2, c = 2, d = 30, e = 0, f = 2 . Note that we could let d be 28 and then 

e = f = 2 , but that means the control of the ignition must be exactly in 2 seconds — a requirement 

difficult to meet in practice. By extending the purging phase, we allow more flexibility for 

the ignition. Once an automaton is obtained, the transition restrictions can be strengthened to 

reduce nondeterminism. For example, the restriction [d, ∞] can be replaced with [30, 30 + ε] 

where ε indicates a tolerantable timing inaccuracy. 

In the final step, we split the state of non-leaking into idling and purging and the state of leaking 

into two states of ignition, and restrict the timing nondeterminism to obtain a reasonable design. 

Again the verification of this step can be conducted in TLA. 

Figure 6: Combined design 

In the above design, the state of burning must be no less than 30 seconds. This additional 

requirement is introduced by Law 11 and can be avoided if we decided to use Law 10 instead, 

although this alternative design would generate more complicated restrictions for the parameters. 

6 Conclusions 

This paper studies a formal framework in which our knowledge about the relationships between 

different temporal logics can be formalised in the form of algebraic or refinement laws. In the case 

study on DC and TLA, we have identified refinement laws for several design patterns. Some of 

the laws are general and cover most types of refinement with a particular target implementation. 

More specific laws are introduced for the most common patterns, and their parameters can be 

more readily determined. The technique is applied to the design of gas burner problem. It is 

not a trivial task to identify general but at the same time practically useful laws. However once 

such laws are identified, they genuinely make the design process more systematic, especially on 

the determination of parameters. 

The formalism of the framework was first presented at IFM’04. The main focus of this paper 

is, however, on the relationship between DC and TLA. In particular, the decomposition of 

durational specifications (into automata) is the main new contribution. 



References 19 

References 

[1] P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge University Press, 

2001. 

[2] Y. Chen. Generic composition. Formal Aspects of Computing, 14(2):108–122, 2002. 

[3] Y. Chen. Cumulative computing. In 19th Conference on the Mathematical Foundations of 

Programming Semantics, volume 38 of Electronic Notes in Theoretical Computer Science. 

Elsevier, 2004. 

[4] Y. Chen and Z. Liu. Integrating temporal logics. In 4nd International Conference on 

Integrated Formal Methods, volume 2999 of LNCS, pages 402–420. Springer-Verlag, 2004. 

[5] E.C.R. Hehner. Predicative programming I, II. Communications of ACM, 27(2):134–151, 

1984. 

[6] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985. 

[7] C. A. R. Hoare and J. He. Unifying Theories of Programming. Prentice Hall, 1998. 

[8] L. Lamport. Hybrid systems in TLA+. In Hybrid Systems, volume 736 of LNCS, pages 

77–102. Springer-Verlag, 1993. 

[9] L. Lamport. A temporal logic of actions. ACM Transctions on Programming Languages 

and Systems, 16(3):872–923, 1994. 

[10] Z. Liu, A. P. Ravn, and X. Li. Unifying proof methodologies of duration calculus and linear 

temporal logic. Technical Report 1999/14, Department of Maths and Computer Science, 

University of Leicester, July 1999. To appear in Formal Aspects of Computing (19 pages). 

[11] A. Pnueli. The temporal semantics of concurrent programs. Theoretical Computer Science, 

13:45–60, 1981. 

[12] A. Pnueli and E. Harel. Applications of temporal logic to the specification of real-time 

systems. In M. Joseph, editor, Formal Techniques in Real-Time and Fault-Tolerant Systems, 

Lecture Notes in Computer Science 331, pages 84–98. Springer-Verlag, 1988. 

[13] A.P. Ravn, H. Rischel, and K.M. Hansen. Specifying and verifying requirements of real-time 

systems. IEEE Transactions on Software Engineering, 19(1):41–55, 1993. 

[14] M. Schenke and E. Olderog. Transformational design of real-time systems part i: From 

requirements to program specifications. Acta Informatica, 36(1):1–65, 1999. 

[15] H. Shalqvist. Completeness and correspondence in the first and second order semantics 

for modal logic. In Proceedings of the third Scandinavian logic symposium, pages 110–143. 

North Holland, 1975. 

[16] B. von Karger. A calculational approach to reactive systems. Science of Computer Programming, 

37:139–161, 2000. 



References 20 

[17] C. Zhou, C. A. R. Hoare, and A. P. Ravn. A calculus of durations. Information Processing 

Letters, 40(5):269–276, 1991. 

[18] C.C. Zhou, A.P. Ravn, and M.R. Hansen. An extended duration calculus for hybrid realtime 

systems. In R.L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, editors, Hybrid 

Systems, Lecture Notes in Computer Science 736, pages 36–59. Springer-Verlag, 1993.

IIST and UNU - UNU-IIST - United Nations University

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?