IIST and UNU - UNU-IIST - United Nations University

More documents

Recommendations

Info

Linking Duration Calculus and TLA 12 Law 6 (1) ⌈p⌉ = 〈 ∞ ↑ p ↓ [0, 0] 〉 (2) 〈 ∞ ↑ p ↓ ∞ 〉 = ⌈p⌉ ∨ ⌈¬p⌉ (3) ⌈p⌉ ⌈¬p⌉ = 〈 [0, ∞] ↑ p ↓ ∞ 〉 ∧ ¬〈 ∞ ↑ p ↓ ∞ 〉 . We use an abbreviation P ⊳ p ⊲ Q of choice to denote that two durational specifications P and Q are controlled by a boolean p : during any interval in which p is always true, P must hold; during any interval in which ¬p is always true, Q must hold. There is no restriction for those intervals in which p is sometimes true and sometimes not true. Def 8 P ⊳ p ⊲ Q ̂= ⌈p⌉ ⇒ P ∧ ⌈¬p⌉ ⇒ Q . The following law shows that the chop composition of any two durational specifications can be implemented as a choice between the specifications, and the change of the choice is made sometime during an interval. If p is independent of P and Q and becomes hidden, the two sides will be equal. Law 7 P Q ⊇ P ⊳ p ⊲ Q ∧ 〈 [0, ∞] ↑ p ↓ ∞ 〉 ∧ ¬〈 ∞ ↑ p ↓ ∞ 〉. General patterns of specifications and their refinement A durational specification is a predicate P (i, x) on the interval i and the real-time function x : [0, ∞] → S . A common durational specification is a predicate P (l, ∫ p) on the length l ̂= |i| of the interval and the integral of a boolean function p during the interval. This reflects the fact that the controlling of a system is normally independent of the starting time and insensitive to state changes at isolated time points. A durational specification D ∫ p f(l) requires the total time of the state satisfying p in any interval with length l to be bounded by a characteristic function f(l). For example, the specification D (l 30 ⇒ ∫ leak 4) is a special case of this pattern with the characteristic function f(l) ̂= 4 ⊳ l ∈ [4, 30] ⊲ l where we use a ⊳ b ⊲ c to denote the value a if b is true, or the value c otherwise. The dual pattern D ∫ p g(l) is equal to D ∫ ¬p (l−f(l)). The following law shows that two specifications with different characteristic functions may describe the same requirement. Law 8 D ∫ p f(l) = D ∫ p f ′ (l) , if any of the following condition is satisfied ( l, l 0 , l 1 0 ): 1. f ′ (l) = min(l, f(l)) , 2. f ′ (l) = min {f(l ′ ) | l ′ l} , 3. or f ′ (l) = min {f(l 0 ) + f(l 1 ) | l 0 + l 1 = l} . Report No. 301, UNU-IIST, P.O. Box 3058, Macau
Linking Duration Calculus and TLA 13 Refinement of general patterns The durational specification 〈 U ↑ p ↓ V 〉 describes an automaton with two composite states satisfying p and ¬p , respectively. A common durational specification may be implemented with an automaton, if the timed transitions are determined properly. For example, the durational specification of gas burner[13] can be implemented as follows: D (l 30 ⇒ ∫ leak 4) ⊇ 〈 [0, 4] ↑ leak ↓ [26, ∞] 〉. In each cycle of the automaton, the designed system must stay in a state satisfying p in no more than 4 seconds and then must stay in a state satisfying ¬p in no less than 26 seconds. Note that the above implementation is not unique. We may easily replace it with an automaton 〈 [0, 2] ↑ leak ↓ [13, ∞] 〉 twice as fast. The fact that general durational specifications may have different implementations reveals the considerable gap between DC and TLA. The former is more suitable for higher-level specification on continuous properties expressible with integrals, while the latter naturally describes the properties of automata. Not every non-zero durational specification can be implemented as a non-trivial automaton. For example, the specification D ∫ p = l/2 describes a system whose density of states satisfying p is 0.5 everywhere. However, it can not be implemented with any automaton as it does not allow the state to be stable in any short period of time. The different natures of the two formalisms suggest that we should incorporate both in most parts of the system development. A design process starts from an abstract durational specification, which is refined in a number of steps. In each step, transitional features will be enriched, with durational features reduced. The design process eventually reaches an automaton system without durational features. A durational specification in the common pattern can be decomposed into two such specifications “driven” by an automaton: (5) D ∫ p f(l) ⊇ (D ∫ p g(l) ⊳ q ⊲ D ∫ p h(l)) ∧ 〈 U ↑ q ↓ V 〉. The automaton 〈 U ↑ q ↓ V 〉 switches between q and ¬q according to the time restrictions ∫ U and V . If the automaton is in a state satisfying ∫ q , the system behaves like D p g(l) ; or if it is in ¬q , the system behaves like D p h(l) . Note that the above refinement only holds when the characteristic functions f, g, h and the sets U, V of time points satisfy some constraints, which can now be identified in seperate laws. We first consider the most general case of refinement. If an automaton switches between two states in exactly a and c seconds respectively, the maximum number of full segments contained Report No. 301, UNU-IIST, P.O. Box 3058, Macau
Page 1 and 2: UNU/IIST International Institute fo
Page 3 and 4: UNU/IIST International Institute fo
Page 5: Contents i Contents 1 Introduction
Page 8 and 9: Predicative semantics of modal logi
Page 10 and 11: Predicative semantics of modal logi
Page 12 and 13: Temporal logic of resource cumulati
Page 14 and 15: Temporal logic of resource cumulati
Page 16 and 17: Linking Duration Calculus and TLA 1
Page 20 and 21: Linking Duration Calculus and TLA 1
Page 22 and 23: Case study: the Gas Burner 16 Figur
Page 24 and 25: Conclusions 18 There are many possi
Page 26: References 20 [17] C. Zhou, C. A. R

IIST and UNU - UNU-IIST - United Nations University

Create successful ePaper yourself

Delete template?

Save as template?