BERICHTE AUS DEM DEPARTMENT FÜR INFORMATIK (Reports of the Department of Computer Science) of Fakultät II - Informatik, Wirtschafts- und Rechtswissenschaften (Faculty II - Computer Science, Economics and Law)

Editors: the professors of the Department of Computer Science

Specification and Verification of Mobile Real-Time Systems

Andreas Schäfer

Dissertation

Number 01/07 – December 2006, ISSN 0946-2910

Reviewers:

Prof. Dr. E.-R. Olderog (Uni Oldenburg), Prof. Dr. M. R. Hansen (DTU Lyngby)

Submitted: 9 October 2006; date of the defence talk: 20 December 2006

© 2007 by the author. Author's address: Andreas Schäfer, Fakultät II, Department für Informatik, Abteilung „Entwicklung korrekter Systeme“ (Correct System Design group), 26111 Oldenburg, Germany. E-mail: [email protected]

Fakultät II – Informatik, Wirtschafts- und Rechtswissenschaften, Department für Informatik

Specification and Verification of Mobile Real-Time Systems

Dissertation submitted for the degree of Doctor of Natural Sciences (Dr. rer. nat.)

Dipl.-Inform. Andreas Schäfer

Reviewers: Prof. Dr. Ernst-Rüdiger Olderog, Prof. Dr. Michael Reichhardt Hansen

Date of the defence: 20 December 2006

Abstract

Formal methods for the verification of safety-critical systems are an area of active research. In this thesis we investigate systems involving mobility and real-time constraints. For the description of many mobile real-time systems both spatial and temporal aspects need to be considered. There are several well-understood methods for the formal treatment of real-time aspects, among them the Duration Calculus. However, spatial properties, e.g. that an autonomous robot does not leave a certain area, cannot be described directly with these methods. On the other hand, there are several methods for describing spatial aspects that neglect real-time properties. So both approaches fall short when dealing with systems in which safety depends on spatial and temporal properties.

We propose a spatio-temporal logic, called Shape Calculus, for the specification of mobile real-time systems and the formalisation of safety requirements for this class of systems. It considers time and space quantitatively. The Shape Calculus extends the interval logic Duration Calculus, developed for reasoning about real-time systems and properties, and thereby integrates smoothly with an established method for real-time systems. To enhance its usability in practice, we develop a set of patterns for the specification of common properties. The applicability of the Shape Calculus and the patterns is demonstrated with three case studies. The first case study, "Generalised Railroad Crossing", is chosen for comparison with a benchmark example for real-time systems. We show that the treatment in Shape Calculus is a conservative extension of the treatment in the real-time formalism Duration Calculus. The second case study stems from the Berkeley PATH Project and demonstrates the modelling of distributed mobile systems, exemplified by modelling manoeuvres of car platoons. A third case study puts emphasis on the spatial properties. It considers a mobile and autonomous robot.

We investigate fundamental properties of the new logic and prove undecidability and non-axiomatisability in the general case and even when considering discrete domains for time and space. We show that under certain assumptions the logic can be recursively axiomatised relative to a multi-dimensional interval logic. Furthermore, we identify two decidable subsets. The first one restricts spatial domains to be finite. The second one imposes a restriction on the syntax by disallowing the alternation of the interval-splitting chop operation. In addition to establishing a logic-automaton connection, which we exploit for proving decidability, we provide a translation of a subset of Shape Calculus into the decidable Weak Second-Order Logic with one successor predicate. This led to the development of an automatic model checking tool for verifying validity and satisfiability of Shape Calculus specifications. The tool and the restricted subset are evaluated by conducting two additional case studies.


Summary (Zusammenfassung)

For the description of many modern safety-critical systems both mobility and real-time requirements play a role. For the formal description of the real-time aspects a number of well-studied formalisms exist, among them the Duration Calculus. Spatial requirements on systems, such as an autonomous robot staying within spatial boundaries, cannot, however, be described directly with these methods. On the other hand, there are a number of methods for describing spatial properties that do not take real-time into account. In this thesis a logic, the Shape Calculus, is presented with which mobile real-time systems as well as the required safety properties can be described adequately. Here, spatial and temporal aspects can be treated quantitatively. The Shape Calculus is designed as an extension of the interval logic Duration Calculus, which was designed for the description of real-time systems. As such an extension, the Shape Calculus enables a smooth integration with proven methods for real-time systems. To ease the practical use of the new logic, a number of specification patterns are developed after the presentation of the formalism. These patterns provide solutions for frequently occurring specification problems, such as the description of a continuous movement or the requirement of a minimal distance between two mobile objects. The use of the Shape Calculus and of the developed patterns is demonstrated by three case studies. The first case study serves the direct comparison of the Shape Calculus with established methods for real-time systems; it is the "Generalised Railroad Crossing" case study. It turns out that the Shape Calculus extends the Duration Calculus in a natural way. The second case study stems from the Berkeley PATH project and demonstrates the modelling of several car platoons and possible driving manoeuvres. The third case study, finally, puts even more emphasis on spatial system properties and considers and verifies the safety of an autonomous mobile robot.

Subsequently, fundamental properties of the new formalism are investigated. It is shown that the Shape Calculus in general has an undecidable satisfiability problem and cannot be recursively axiomatised. This also holds for the restriction to discrete spatial and temporal domains. It is, however, possible to give a complete axiomatisation for a restricted subclass relative to a multi-dimensional interval logic; this is shown as well. Beyond that, two further subclasses are discussed for which the satisfiability problem is even decidable. The first subclass is obtained by restricting the models to a finite domain for space while keeping an infinite domain for time. The second subclass achieves decidability by a restriction of the syntax, forbidding alternations of the interval-splitting "chop" operator. These decidability results are each proven by establishing an automaton-logic connection and reducing the satisfiability problem to a decidable automata-theoretic problem. For the practical development of a model-checking tool, a translation of a subclass of the Shape Calculus into the decidable monadic second-order logic with one successor predicate is developed in addition. This translation also led to the implementation of a tool. The tool and the restricted subclass are demonstrated and evaluated by means of two case studies.


Acknowledgements

I gratefully acknowledge my supervisor Ernst-Rüdiger Olderog, for giving me the opportunity to start a PhD and a position in his group. Working there for the last years, he always succeeded in creating a great, friendly, and inspiring atmosphere at work, being open for questions, giving important advice and support. I could not have wished for a better coach and supervisor. Furthermore, I would like to thank Michael Reichhardt Hansen for being my second referee and making it all the way from Copenhagen to Oldenburg for my PhD defence. I also thank Anders Ravn for giving important pointers in the early stages of this work and proposing the name of the formalism which is the subject of this thesis. For introducing me to the field of formal methods and real-time systems, I thank Heike Wehrheim and Henning Dierks, to whom I also owe the case study and many helpful hints concerning the daily work in research. Many helpful hints were also given by Eike Best and Annegret Habel, heading the two other groups in the Theory Division. For many fruitful discussions I thank my colleagues and former colleagues: Ingo Brückner, Johannes Faber, Hans Fleischhack, Holger Rasch, Margarethe Muhle, Elke Wilkeit, and especially André Platzer, my officemate for two years, Roland Meyer for taking care of my mentees in the future, Michael Möller for being the graphics expert reviewing every transparency I have created during my time in this group concerning style and graphics, and Jochen Hoenicke for an uncountable number of discussions until the late evenings or nights on all kinds of topics in theoretical computer science. Furthermore, I thank Johan van Benthem and Marco Aiello for giving me access to the preliminary version of the Handbook of Spatial Reasoning. Special thanks go to two students, Jan-David Quesel and Sven Linker, for showing interest in this work and contributing by writing their BSc theses in this area.

In addition to support at work, private life is very important. Therefore, I am deeply indebted to my close friends Nicole Detering, Monika Ewen, Jochen Hoenicke, Iris Menge, Mahboubeh Pakdaman, Petra Pirok, Johannes Rieken, Limiaa Salih, and Michael Weers for their support during difficult times and all the parties and other events I enjoyed in Germany, the Netherlands, and New Zealand. Thank you for being good friends during the last and hopefully also in the upcoming years. Especially, I thank my father, Werner Karl Schäfer, for his constant support and encouragement.


Contents

List of Figures  xiii
List of Tables  xv

1 Introduction  1
  1.1 Ad-hoc Approaches  3
  1.2 Contribution  4
  1.3 Technical context  5
    1.3.1 Real-Time Systems and Tools  5
    1.3.2 Process Calculi  7
    1.3.3 Spatial and Spatio-Temporal Logics  9

2 Shape Calculus  13
  2.1 Starting Point: Duration Calculus  14
    2.1.1 Syntax and Semantics  15
    2.1.2 Axiomatisability and Decidability  19
  2.2 Syntax and Semantics of Shape Calculus  19
    2.2.1 Abbreviations  36
  2.3 Properties  41
    2.3.1 Conservative Extension of Duration Calculus  42
    2.3.2 Algebraic Properties  46
    2.3.3 Hierarchies  51
  2.4 Relating SC to the modal logic S4  63
    2.4.1 Fusions of modal logics  65
    2.4.2 Products of modal logics  65
  2.5 Relating SC to the Region Connection Calculus  66
    2.5.1 Semantics  66
    2.5.2 Embedding RCC-8 in SC  69
  2.6 Integration in System Development Processes  73
    2.6.1 Refinement  73
    2.6.2 Model Checking  76

3 Patterns and Lightweight Rules  79
  3.1 Temporal Bounds  80
  3.2 Position and Movement  83
    3.2.1 The position-pattern  83
    3.2.2 The cartesian2D-pattern  85
    3.2.3 The distance-pattern  87
    3.2.4 The cont-move-pattern  89
  3.3 Shape Pattern  91
    3.3.1 The rectangle-pattern  91
    3.3.2 The circle-pattern  93
  3.4 Rules  95

4 Case Studies  101
  4.1 Generalised Railroad Crossing  102
    4.1.1 Parameters  103
    4.1.2 SC Modelling  103
    4.1.3 Verification  108
  4.2 Car Platooning  111
    4.2.1 Informal Description  111
    4.2.2 Modelling cars and roles  112
    4.2.3 Movement of individual cars  112
    4.2.4 Distance  112
    4.2.5 Merging  113
  4.3 Road Runner  114
    4.3.1 Informal Description  114
    4.3.2 Modelling the Controller  114
    4.3.3 Modelling the Environment  116
    4.3.4 Modelling the Road Runner  117
    4.3.5 Revealing Unsafety  121
    4.3.6 Modification of the Design  122
    4.3.7 Verifying Safety  126

5 Axiomatisability  139
  5.1 Tiling Systems  141
  5.2 Non-Axiomatisability  142
  5.3 Relative Axiomatisation  147
    5.3.1 Interval Temporal Logic (ITL)  148
    5.3.2 Axiomatisation  149
    5.3.3 From Shape Calculus to ITLn  150
    5.3.4 Proving Relative Completeness  156
  5.4 Related Work  156
  5.5 Conclusion  158

6 Decidable Subsets  159
  6.1 Models with Finite Space and Infinite Time  160
  6.2 From Discrete to Dense Domains  168
  6.3 Formulae without Chop Alternation  169
  6.4 Related Work  184
  6.5 Conclusion  184

7 Automatic Verification  187
  7.1 From Shape Calculus to WS1S  188
    7.1.1 Weak S1S  188
    7.1.2 MONA  189
    7.1.3 Encoding Shape Calculus in WS1S  189
    7.1.4 Proof of Correctness  193
  7.2 Automatic Verification of Shape Calculus Specifications  198
    7.2.1 The tool MoDiShCa  199
    7.2.2 Using SC for modelling the Railroad Crossing  199
    7.2.3 The Extended Generalised Railroad Crossing  202
    7.2.4 The Single-Track Line Segment Case Study  203
  7.3 Related Work  210

8 Conclusion  211
  8.1 Summary  211
  8.2 Perspectives  212

Bibliography  215
Index  229
Technical Reports  235

List of Figures

1.1 The Road Runner robot.  2
1.2 Fischer's Mutex Protocol  6
2.1 Interpretation of Gas ∧ ¬Flame  14
2.2 Observables in DC and SC  20
2.3 Stepwise illustration of the integration operation  27
2.4 Stepwise illustration of the integration operation  28
2.5 Stepwise illustration of the integration operation  29
2.6 Stepwise illustration of the integration operation  30
2.7 Stepwise illustration of the integration operation  30
2.8 The moving robot.  31
2.9 Chopping polyhedra  32
2.10 The chop operation.  34
2.11 Generalising transformations  42
2.12 Commutativity of chop  50
2.13 Commutativity of ♦  52
2.14 The 8 relations of RCC-8  68
2.15 Refining Shape-Calculus Specifications into Program-Code  74
2.16 PLC-Automaton specifying the Road Runner  76
2.17 Combining Shape-Calculus Specifications and Model Checking  77
3.1 Counterexample for ⌈⌉ ∨ (⌈π⌉ ⟨e_t⟩ true) ∨ (⌈¬π⌉ ⟨e_t⟩ true)  81
3.2 The position-pattern  84
3.3 The cartesian2D-pattern  86
3.4 The distance-pattern  87
3.5 The cont-move-pattern  89
3.6 The rectangle-pattern  92
3.7 Alternative rectangle-pattern  94
3.8 The circle-pattern  95
4.1 Generalised Railroad Crossing  102
4.2 Shape Calculus modelling of GRC  104
4.3 The Road Runner (Unsafe Design)  115
4.4 Road Runner: spatial parameters  117
4.5 Representing the Road Runner  118
4.6 Road Runner unsafe  122
4.7 Road Runner: Enhanced Design  123
4.8 The Road Runner (Revised Design)  124
4.9 Chopping according to the premises of Lemma 4.3  130
5.1 A Tiling using four different tiles.  141
5.2 Sample encoding of tilings in a grid structure  143
6.1 Representing spatial configurations  161
6.2 Dovetailing  170
6.3 Dovetailing SC  182
7.1 Scenario of the SLS Case Study  204
7.2 Two Trams in the critical segment  205
7.3 Example computed by MoDiShCa / MONA  209

List of Tables

1.1 Summary Comparing Related Work  11
2.1 Derived relations in RCC (Names)  66
2.2 Derived relations in RCC (Definitions)  67
4.1 Parameters of the Road Runner  127
7.1 MoDiShCa formula syntax  198
7.2 MoDiShCa declaration part  199
7.3 Experimental results for checking safety in GRC.  204

Chapter 1 Introduction

The use of embedded computers for controlling devices is increasing. More and more electronic devices replace mechanical ones to control the system behaviour. In cars, for example, steer-by-wire replaces the direct mechanical link between steering wheel and wheels. Concerning railways, collision avoidance on track segments is no longer managed by the use of static track segments and light signals. The new ETCS [ECS99] standard employs radio block controllers, and intelligent on-board devices regulate the access to dynamically adjusted track segments that are much smaller than traditional segments. In the Berkeley PATH project [PAT], platooning of cars on highways is investigated. Instead of steering the cars individually by human drivers, groups of up to 20 cars proceed simultaneously in a platoon with small headways in between. To allow for the small headways, driving in platoons is automatically controlled. In all these examples the correct system behaviour depends not only on the correct real-time behaviour of a single unit, i.e., car or train, but also on spatial properties that need to be clearly stated. This includes, for example, minimal distances between trains or cars.

For specifying and verifying the real-time aspects of system behaviour, there are several sophisticated formalisms, like Timed Automata [AD94] as an operational model or the real-time logic Duration Calculus [HZ04]. For some of them tool support is readily available, for example the model checker Uppaal [BDL04, BY03] for the verification of Timed Automata. However, these approaches concentrate on the temporal behaviour and abstract from spatial properties. On the other hand, formalisms for mobility like the π-calculus [Mil99] or the spatial logic proposed by Caires and Cardelli [CC04] concentrate on spatial aspects of mobility and do not consider real-time. So both approaches fall short if system safety depends on spatial and temporal aspects.
Let us look at two other examples, which will be treated in more detail in subsequent chapters of this thesis.

Figure 1.1: The Road Runner robot.

Consider a system consisting of a simple robot equipped with two sensors which has only one task: to move on a table safely¹. As this behaviour resembles the cartoon character Road Runner, which runs at full speed on high plateaus but always manages to stop in time to avoid falling down steep cliffs, the robot is called Road Runner. Specifying the real-time behaviour of a robot including reaction times is possible using techniques for real-time systems like PLC-Automata [Die00, Die99], which can also be used for automatic code generation. However, when it comes to formal verification that the system is safe, the standard technique is to generate some model of the environment. If this model abstracts from the spatial properties, the verification result is completely useless, because the safety requirement is a spatial property.

Another example stems from the UniForM project [KBPOB99]: in cooperation with the industrial partner Elpro, a control for a single-track line segment (SLS) for tramways was developed. The problem is to ensure the safety of trams if only one track is available and this track is passed in both directions and occupied by up to two trams simultaneously as long as they head in the same direction. A controller has been derived, simulated, and partially verified using techniques for real-time systems, namely PLC-Automata. However, the main safety requirement, i.e., mutual exclusion of trams with opposite directions on the critical section, is a spatio-temporal property which cannot be expressed in purely time-dependent models like PLC-Automata [Die99].

¹ This example is due to Henning Dierks; it was used in a practical course on formal methods for real-time systems [DPS+01].

1.1 Ad-hoc Approaches

Mathematics, in particular standard geometry, linear algebra, and calculus, provides a suitable framework for describing system behaviour, movement, and position of objects as well as their evolution over time. Consider two moving robots. During the movement, each robot occupies a certain amount of space, i.e., a subset $R \in \mathcal{P}(\mathbb{R}^2)$ of the Euclidean plane. So the position is determined by two functions $pos_i : \mathbb{R}_{\geq 0} \to \mathcal{P}(\mathbb{R}^2)$, $i \in \{1, 2\}$, one for each robot. As in reality the robots are not single points in space, specifying the distance is more complicated than it seems, as it requires determining an infimum. The distance of the two robots is given as the infimum of the Euclidean distances between their points:

$$d : \mathbb{R}_{\geq 0} \to \mathbb{R}_{\geq 0}, \qquad d(t) \stackrel{\mathrm{df}}{=} \inf\{\, |\vec{p}_2 - \vec{p}_1| \mid \vec{p}_2 \in pos_1(t) \wedge \vec{p}_1 \in pos_2(t) \,\}$$

The safety requirement of a minimal distance $d$ can be expressed as follows:

$$\forall t \in \mathbb{R} : \inf\{\, |\vec{p}_2 - \vec{p}_1| \mid \vec{p}_2 \in pos_1(t) \wedge \vec{p}_1 \in pos_2(t) \,\} \geq d .$$

However, the use of the infimum over an uncountable set makes this description difficult to handle, even with tools like Maple or Mathematica. Removing the infimum and moving to First-Order Logic, the requirement becomes the following first-order formula:

$$\forall t \in \mathbb{R} : \forall \vec{p}_1 : \forall \vec{p}_2 : \vec{p}_1 \in pos_1(t) \wedge \vec{p}_2 \in pos_2(t) \rightarrow (d \leq |\vec{p}_2 - \vec{p}_1|)$$

This approach has an additional drawback. The functions $pos_1$ and $pos_2$ need to be explicitly defined, i.e., the exact set of points in the Euclidean plane that are occupied at each moment in time has to be specified. Otherwise, tools like Mathematica and Maple cannot help in this case. A new formalism is justified if

1. the representation of these problems becomes more readable, appealing, and easier to handle, or
2. the new formalism is restricted in such a way that tool support and automatic model checking is enabled.

For standard mathematics the generic tool support provided by tools like Mathematica or Maple requires a lot of user interaction and work by hand. Both points are addressed by our Shape Calculus, as we will discuss in this thesis. In fact, this is the same argument as for real-valued variables versus real-time temporal logics.
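As an added illustration of the ad-hoc approach just described (this code is not from the thesis): once pos_1 and pos_2 are given explicitly, here as axis-aligned rectangles in straight-line motion (a constructed scenario), the infimum has a closed form, and the minimal-distance requirement can be checked on a time grid. The grid check also shows the weakness of discharging a quantifier over all t mechanically: with a coarse step the violation between samples is missed.

```python
import math

# Constructed scenario: each robot occupies an axis-aligned rectangle
# (xmin, ymin, xmax, ymax) that moves along a straight line.
def pos1(t):
    return (0.0 + 1.0 * t, 0.0, 1.0 + 1.0 * t, 1.0)     # moves right, speed 1

def pos2(t):
    return (10.0 - 1.0 * t, 0.5, 11.0 - 1.0 * t, 1.5)   # moves left, speed 1

def rect_distance(a, b):
    """Exact infimum of |p2 - p1| over p1 in a, p2 in b for two axis-aligned
    rectangles. The gap along each axis is max(0, ...) and the closest points
    lie on the facing edges, so the infimum is attained and has a closed form;
    for arbitrary occupied sets no such shortcut exists."""
    ax0, ay0, ax1, ay1 = a
    bx0, by0, bx1, by1 = b
    dx = max(0.0, ax0 - bx1, bx0 - ax1)
    dy = max(0.0, ay0 - by1, by0 - ay1)
    return math.hypot(dx, dy)

def d(t):
    """The distance function d(t) of Section 1.1 for the constructed scenario."""
    return rect_distance(pos1(t), pos2(t))

def first_violation(d_min, t_end, step):
    """Check 'for all t: d(t) >= d_min' on the grid 0, step, 2*step, ..., t_end.
    Returns the first violating sample time, or None if no sample violates.
    A grid can miss a violation that lies strictly between two samples, which
    is why the quantification over uncountably many t is awkward to discharge."""
    n = int(t_end / step)
    for i in range(n + 1):
        t = i * step
        if d(t) < d_min:
            return t
    return None

if __name__ == "__main__":
    print("d(0) =", d(0.0), " d(4) =", d(4.0), " d(5) =", d(5.0))
    print("step 0.5, d_min 2.0:", first_violation(2.0, 10.0, 0.5))
    print("step 2.0, d_min 0.5:", first_violation(0.5, 10.0, 2.0))
```

With step 2.0 the robots' overlap around t = 5 (where d(5) = 0) falls between the samples at t = 4 and t = 6, so the check reports no violation.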

1.2 Contribution

The contribution of this thesis is firstly the development of the Shape Calculus, a formal method for specifying and reasoning about spatial and temporal properties of mobile real-time systems. This formalism enables quantitative reasoning about space as well as time. It is designed as an extension of the well-accepted Duration Calculus. This makes Shape Calculus easy to use for people with previous knowledge of formal methods for real-time systems. We present an investigation of logical and algebraic properties and compare them with results for Duration Calculus. Embedding the spatial logic RCC-8 [RCC92] demonstrates the expressiveness of Shape Calculus.

Secondly, for practical use, we develop a set of patterns for specifying spatial and spatio-temporal properties of systems and provide lightweight rules for formula manipulation.

Thirdly, we show that Shape Calculus is neither decidable nor recursively axiomatisable, not even under the assumption of a discrete spatio-temporal domain. This is a difference from the Duration Calculus. Nevertheless, we provide a complete axiomatisation relative to a multi-dimensional extension of Interval Temporal Logic.

Fourthly, we elaborate two decidable subsets. The first one is obtained by restricting the models to have a finite spatial domain while preserving an infinite discrete time domain. The second subset is obtained by restricting the class of formulae. Both decidability results are obtained by establishing a logic-automaton connection, constructing for each Shape Calculus formula a finite automaton accepting an encoding of all its models. The constructions are proven to be correct.

Concerning tool support, our fifth contribution is a translation of Shape Calculus for finite space and infinite discrete time to Weak Second-Order Logic with one successor predicate. This logic is known to be decidable, and tool support for checking satisfiability and validity is readily available. A prototypical model checker exploiting this translation and using the Monadic Second-Order Logic tool MONA as a backend has been implemented by J.-D. Quesel [Que05] as a minor thesis.

We demonstrate the applicability of the formalism by several case studies. To allow for a comparison with formal methods for real-time systems, we firstly show that the benchmark case study Generalised Railroad Crossing can be handled by the Shape Calculus while explicitly considering space. Secondly, we demonstrate how the modelling of car platooning as considered in the Berkeley PATH project can be performed in Shape Calculus. Finally, a more complex example considering arbitrary movements of a robot in a two-dimensional space is presented. For illustrating the decidable subsets and the tool support, we conduct two separate case studies, the Generalised Railroad Crossing and the SLS case study from the UniForM project, in a discrete setting.

1.3 Technical context

In the following, we review the technical context of our contribution, discuss different approaches to the modelling of mobile systems or real-time systems, and point out why they fall short in cases where spatial and temporal properties must be considered.

1.3.1 Real-Time Systems and Tools.

Timed Automata

Timed Automata [AD94] have been introduced by Alur and Dill in 1994 as an operational model for real-time systems. The key idea of their contribution is to extend finite automata by real-valued clocks. There are uncountably many different clock valuations and hence uncountably many configurations. However, Alur and Dill show in their seminal paper that instead of considering all configurations only finitely many equivalence classes need to be explored to determine reachability. This is called the region construction. However, the region construction suffers from an exponential blow-up in the state space. In practical implementations clock zones are used to represent sets of equivalence classes instead of the original region construction [BY03]. This is implemented in tools like Uppaal [BDL04, BY03] and Kronos [BDM+98]. The verification problem for timed automata considers the question whether the behaviour of an implementation is in a set of allowed behaviours, the specification, that is, language inclusion. Although the emptiness problem is decidable, language inclusion for timed automata is highly undecidable, i.e., Π¹₁-complete.

Figure 1.2: Fischer's Mutex Protocol. [Timed automaton with locations s, req (invariant x ≤ k), wait, and cs; edge labels: id == 0, x := 0; x ≤ k, x := 0, id := pid; x > k ∧ id == pid, x := 0; x > k ∧ id != pid, x := 0; id := 0.]

Example 1.1 (Fischer's Protocol). Figure 1.2 displays a Timed Automaton modelling a process in Fischer's mutual exclusion protocol. It starts in state s. Before moving from s to req the process tests whether the shared variable id has the value zero, indicating that the critical section is not occupied. Furthermore, it resets the clock x. The state req has invariant x ≤ k, forcing the request state to be left after at most k time units. When moving from req to wait the clock x is reset and the shared variable id is assigned the process's own identifier pid. In state wait the process is forced by the transition guards x > k to wait at least k time units. If no other process has requested to enter the critical section after this period, i.e., the shared variable id is still equal to the own process identifier, the critical section is entered. Otherwise the process initiates another request. This guarantees mutual exclusion.

Hybrid Automata [Hen96] extend Timed Automata by replacing clocks with variables whose evolution is governed by differential equations. Although the emptiness and reachability problems become undecidable when variables with two different rates are allowed, there are semi-decision procedures. A detailed discussion of decidability results can be found in [HKPV98].
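As an added example (not from the thesis), the automaton of Figure 1.2 instantiated for n processes and explored exhaustively under a discrete-time semantics: mutual exclusion holds, and dropping the waiting guard x > k, which the text identifies as the source of the guarantee, makes a state with two processes in cs reachable. Assumptions: time advances in unit steps, clocks are capped at k + 1 since no guard distinguishes larger values, and a process whose check id == pid fails returns to s to start its new request.

```python
from collections import deque

S, REQ, WAIT, CS = "s", "req", "wait", "cs"

def fischer_reachable(n_procs, k, wait_guard=True):
    """Exhaustively explore n_procs copies of the Fischer timed automaton of
    Figure 1.2 under a discrete-time semantics (assumption: unit time steps).
    A state is (locations, clocks, id). Clocks are capped at k + 1 because no
    guard distinguishes values above k, which keeps the state space finite.
    wait_guard=False removes the guard x > k on the edges leaving wait."""
    cap = k + 1
    start = (tuple([S] * n_procs), tuple([0] * n_procs), 0)
    seen = {start}
    queue = deque([start])
    while queue:
        locs, clocks, shared = queue.popleft()
        succ = []

        def move(i, new_loc, new_x, new_id):
            l, c = list(locs), list(clocks)
            l[i], c[i] = new_loc, new_x
            succ.append((tuple(l), tuple(c), new_id))

        # discrete transitions, one process at a time (interleaving)
        for i in range(n_procs):
            pid = i + 1                      # process identifier, never 0
            loc, x = locs[i], clocks[i]
            if loc == S and shared == 0:     # s -> req: id == 0, x := 0
                move(i, REQ, 0, shared)
            elif loc == REQ and x <= k:      # req -> wait: x <= k, x := 0, id := pid
                move(i, WAIT, 0, pid)
            elif loc == WAIT and (x > k or not wait_guard):
                if shared == pid:            # wait -> cs: x > k and id == pid
                    move(i, CS, 0, shared)
                else:                        # wait -> s: x > k and id != pid
                    move(i, S, 0, shared)    # (assumption: re-request starts from s)
            elif loc == CS:                  # cs -> s: id := 0
                move(i, S, x, 0)

        # time step: every clock advances by one; allowed only if each process
        # in req keeps its invariant x <= k, which forces it to leave req in time
        if all(x + 1 <= k for loc, x in zip(locs, clocks) if loc == REQ):
            succ.append((locs, tuple(min(x + 1, cap) for x in clocks), shared))

        for state in succ:
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return seen

def mutex_holds(n_procs, k, wait_guard=True):
    """True iff no reachable state has two processes in the critical section."""
    return all(locs.count(CS) <= 1
               for locs, _, _ in fischer_reachable(n_procs, k, wait_guard))

def violation(n_procs, k, wait_guard=True):
    """A reachable state with at least two processes in cs, or None."""
    for state in fischer_reachable(n_procs, k, wait_guard):
        if state[0].count(CS) >= 2:
            return state
    return None

if __name__ == "__main__":
    print("mutual exclusion with guard x > k:   ", mutex_holds(2, 2))
    print("mutual exclusion without that guard: ", mutex_holds(2, 2, wait_guard=False))
    print("witness:", violation(2, 2, wait_guard=False))
```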


Logics for Real-Time Systems

The temporal logics Duration Calculus (DC for short) [ZHR91, HZ04], TCTL [HNSY92], and TPTL [AH94] provide the possibility to specify and reason about real-time behaviour. The distinguishing feature of Duration Calculus is the integration operator ∫ for measuring the duration of system states. Duration Calculus is discussed in detail in a subsequent section. An extension of Duration Calculus for reasoning about hybrid systems is proposed by Hansen, Ravn and Zhou in [ZRH93]. As the continuous evolution in hybrid systems is often given by differential equations, this formalism employs the differentiation operator instead of integration, which is then defined as a derived operation from differentiation. More closely related to our approach is a two-dimensional extension proposed by Pandya and Van Hung in [PH98] introducing weakly monotonic or super dense time. It considers one dimension modelling the real time with a continuous domain and one discrete dimension, the step time, to impose an ordering on events that occur at the same moment in real time. However, this approach is not intended for describing spatial properties. The tool DCValid [Pan00] is able to verify a restricted subset of Duration Calculus using the second-order model checker MONA [KM01] as backend. TPTL uses freeze quantification [AH94] to bind variables to moments in time. For example, the formula x.♦y.(y ≤ x + δ ∧ p) expresses that the current time stamp is bound to x and there is a time y in the future that is at most δ time units ahead of x and satisfies p. Adding bounds directly to the temporal operator is another approach, which is discussed in [Koy90]. The above requirement becomes ♦≤δ p in this formalism. However, neither Timed Automata nor the logics for real-time systems provide support for specifying and verifying spatial properties.

1.3.2 Process Calculi

There are several process algebraic approaches to model aspects of mobility.

π-Calculus

Different to our view of mobility, the π-calculus proposed by Milner [Mil99] considers concurrent processes. In the π-calculus mobility stems from the change of links between processes. In the following system definition each client process shares a channel with the server process (s1 and s2, respectively), but initially both client processes do not share a channel among themselves, prohibiting direct communication.

$$
\begin{aligned}
\mathit{System} &\stackrel{df}{=} \mathit{Client}_1 \mid \mathit{Client}_2 \mid \mathit{Server}\\
\mathit{Client}_1 &\stackrel{df}{=} s_1(c_1).\,c_1(\mathit{data}).\mathit{Client}'_1\\
\mathit{Client}_2 &\stackrel{df}{=} s_2(c_2).\,c_2\langle \mathit{data}\rangle.\mathit{Client}'_2\\
\mathit{Server} &\stackrel{df}{=} \nu c\; s_1\langle c\rangle.\,s_2\langle c\rangle
\end{aligned}
$$

The server process generates a new channel via the νc construct and propagates this channel to both clients via the channels s1 and s2. This channel name is bound to the variables c1 and c2 such that both clients finally share a common channel permitting the transmission of data. A spatial logic for the π-calculus is proposed by Caires and Cardelli in [CC03]. This logic integrates support for reasoning about behaviour and structure of systems of concurrent π-calculus processes. A model checker for a subset of this logic and a restricted version of the π-calculus is implemented in the "spatial logics model-checker" [VC05].

Ambient Calculus

Inspired by the π-calculus, the Ambient Calculus proposed by Cardelli and Gordon in [CG00b] considers processes that are executed in hierarchically nested environments (called ambients) and that may move from one ambient to another. For grasping the structure of the nested ambients and the process behaviour, a spatial logic for the Ambient Calculus based on TLA is proposed in [MWZ03]. Similarly to the spatial logic for the π-calculus [CC03], an ambient logic based on modal logic has been introduced earlier by Caires and Gordon in [CG00a]. The model checking problem of the full logic against ambient calculus processes is undecidable and for finite processes (without replication) still PSPACE-hard [CDZG+03]. A compositional approach is proposed in [FMdR04]. It investigates the combination of logics via fusion and product. The notion of location and space is covered by a hybrid logic using nominals [BS95], whereas the temporal properties are expressed in a temporal logic. The combined logic is used to describe the overall system behaviour. However, none of these approaches facilitates quantitative measuring, neither of time nor of space. For example, it is impossible to express an upper bound on the reaction time or a minimal distance between two robots that needs to be kept.


Real Space Process Algebra

Considering space and time as physical dimensions, J. C. M. Baeten and J. A. Bergstra introduce a real space process algebra in [BB91]. In this algebra the atomic actions are parametrised by three- or four-dimensional coordinates to express that the action occurs at a given point in space and moment in time. A set of axioms is developed first for classical Newtonian mechanics and later extended to relativistic space-time. A non-relativistic spatio-temporal process algebra is presented by the same authors in [BB92]. This approach uses asynchronous communication and is intended for modelling the communication of processes moving in space, like communication with a satellite.

1.3.3 Spatial and Spatio-Temporal Logics

Region Connection Calculus

The Region Connection Calculus (RCC) [RCC92] constitutes a spatial logic having regions as basic entities. Thereby, it permits qualitative reasoning about relations, e.g., the part-of relation or tangentiality. Its main area of application is in AI. As there is no notion of time in RCC, it has been extended in [Gal95] to a spatio-temporal formalism for describing motion qualitatively. As we will show in Section 2.5, it is possible to embed the subset RCC-8 [Ben96] of the Region Connection Calculus in the Shape Calculus. There are extensions of RCC proposed by numerous authors; we will just discuss a few. Extending the Region Connection Calculus by a temporal logic using a temporal relation < and a temporal operator >< which reads as "temporally connected", Muller [Mul98] proposes another spatio-temporal formalism for describing motion qualitatively. A similar approach is taken by Galton in [Gal95], representing temporal connections by Allen's interval logic and using flexible variables (called fluents) and RCC relations. In [Gal95] he does not provide a formal semantics of his approach but elaborates and compares definitions of movement using intervals for representing time and RCC relations for representing space. A different approach for describing motion qualitatively is given by Bennett, Cohn, Torrini, and Hazarika in [BCTH00b] using Region-Based Geometry [BCTH00a]. This approach starts with a primitive of parthood and a sphere predicate.

Spatial Logics based on S4 or S5

Bennett and Cohn advocate the use of a multi-modal logic based on the modal logic S5 as a general framework for knowledge representation in AI [BCWZ02b]. However, this approach does not consider time or space quantitatively.


Aiello and van Benthem investigate modal logics for topological, metric, and vector spaces in [AvB01, Aie02]. They consider expressivity and complexity of enriched modal logics starting with the topological semantics of S4. They show the practical applicability of the developed theory to image retrieval.

Spatial-Temporal Logics

Extending [WZ03], Wolter and Zakharyaschev propose in [WZ05] a logic for general metric spaces and topologies induced by the metric. They combine qualitative operators for the interior operation with quantitative operators for expressing "somewhere in the sphere of distance r", denoted by ∃≤r. It is suggested as a common denominator of more specialised logics. The authors argue that, interpreted on the real line, it is suitable for specifying and verifying real-time systems. The formula τ₁ ⊓ ∃≤a τ₂ ≠ ⊥ expresses that there is a point in τ₁ that is at a distance of at most a from a point in τ₂. This declares an upper bound on the minimal distance of two sets. However, being designed for general metric spaces as a common denominator theory, the language has no means for distinguishing space and time. Therefore it cannot be used to specify, for example, movement. Reif and Sistla [RS85] propose a multi-modal spatio-temporal logic for describing multiprocess networks. They represent time in LTL using the operators nexttime, eventually, hereafter, and until, and space by the operators somewhere and everywhere. The semantics is given for networks of processes, assigning to each process an ω-sequence of states. They show that the formalism is highly undecidable. Compared to our work, this formalism has no means for measuring time or space quantitatively. A similar combination is proposed by Nerode, Artemov, Coulthard and Davoren for application to hybrid systems [CD04]. Extending the ideas in [ADN97], they use a combination of linear time temporal logic for describing the temporal evolution and the topological interpretation of S4 to describe the state space. The logic is interpreted over flows that assign to each moment in time a topological space. However, this framework also lacks the ability to reason about space and time quantitatively.

Many-Dimensional Logics and Combinations of Modal Logics

A general framework for the combination of modal logics is presented in detail in [Gab99, GKWZ03] by Gabbay, Kurucz, Wolter and Zakharyaschev. They investigate fusions and products of modal logics. Using this approach they investigate under which circumstances decidability and axiomatisability are inherited by the product or fusion. The fusion is a loose combination of the logics which preserves decidability, whereas the product is a tighter integration of the participating modal logics, easily ending up in high undecidability classes. For example, the product of the modal logics characterised by frames having the discrete line N as states and the ordering < as accessibility relation is already undecidable. A positive axiomatisability result is obtained by Venema [Ven94] for a two-dimensional temporal logic TAL when considering flat models, that are models where the valuation depends only on the first coordinate. A brief summary comparing the most widespread formalisms with Shape Calculus is given in Table 1.1. An entry V indicates support, an entry X indicates no support at all and (V) is in between. For example, the π-calculus considers space but only as the linking of processes. This is expressed with the (V) mark.

[Table 1.1: Summary Comparing Related Work. Rows: SC, DC, the π-calculus, [CC03], [BCWZ02a], [AvB01] and RCC. Columns: Time, Time quantitatively, Real-Time, Space, Space quantitatively, Measure-Operator, Model Checking, π-Calculus mobility. Entries are V, X or (V).]


Chapter 2 Shape Calculus

Contents
2.1 Starting Point: Duration Calculus 14
  2.1.1 Syntax and Semantics 15
  2.1.2 Axiomatisability and Decidability 19
2.2 Syntax and Semantics of Shape Calculus 19
  2.2.1 Abbreviations 36
2.3 Properties 41
  2.3.1 Conservative Extension of Duration Calculus 42
  2.3.2 Algebraic Properties 46
  2.3.3 Hierarchies 51
2.4 Relating SC to the modal logic S4 63
  2.4.1 Fusions of modal logics 65
  2.4.2 Products of modal logics 65
2.5 Relating SC to the Region Connection Calculus 66
  2.5.1 Semantics 66
  2.5.2 Embedding RCC-8 in SC 69
2.6 Integration in System Development Processes 73
  2.6.1 Refinement 73
  2.6.2 Model Checking 76

In the introduction we have motivated the need for formal methods considering space and time quantitatively. In this chapter we provide a formal definition of the Shape Calculus. As the Shape Calculus is an extension of the Duration Calculus, we briefly review Duration Calculus. After its formal definition, we point out similarities and differences between the Shape Calculus and the Duration Calculus. Beyond the formal definition we investigate algebraic properties of the operators. Considering the expressive power, we compare the Shape Calculus with the modal logic S4 and the Region Connection Calculus and show that both logics can be embedded in the Shape Calculus.

[Figure 2.1: Interpretation I satisfying □(ℓ > 60 ⇒ ∫(Gas ∧ ¬Flame) < 0.05ℓ). Plot of I[[Gas ∧ ¬Flame]] ∈ {0, 1} against time T from 0 to 90.]

2.1 Starting Point: Duration Calculus

Duration Calculus (DC for short) [HZ04] is an interval temporal logic introduced by Zhou, Hoare and Ravn [ZHR91] in the context of the ProCoS [JHF+94] project. The most distinguishing feature of the logic is the possibility to specify and reason about the duration of states. In [ZHR91], the authors analyse a control device for a gas burner. Before igniting the gas, there is an unavoidable period of time during which gas is leaking. Due to safety requirements calculated by an engineer, the accumulated amount of time in which gas is leaking without a flame being ignited should not exceed 5 % in every interval of 60 seconds. This requirement is specified by the following Duration Calculus formula

$$
\Box\bigl(\ell > 60 \Rightarrow \textstyle\int(\mathit{Gas} \wedge \neg\mathit{Flame}) < 0.05\,\ell\bigr).
$$

The modality □ reads as "for all intervals" and the whole formula expresses that for every interval whose length ℓ exceeds 60 seconds, the accumulated leaking time ∫(Gas ∧ ¬Flame) is less than 0.05 of the length of the interval. An interpretation satisfying this safety requirement is sketched in Figure 2.1. Duration Calculus can be interpreted using either a continuous or a discrete time domain. The first case permits a more natural modelling without facing the problem of discretisation, whereas the latter permits automatic verification by model checking techniques and is closer to computational devices.


2.1.1 Syntax and Semantics of Duration Calculus

We recall the definition of syntax and semantics of Duration Calculus. The signature of Duration Calculus contains the following kinds of symbols:

• Var, a set of global rigid variables denoted by lower case letters x, y, z. The notion rigid refers to the fact that the value of the variable is independent of the point in time and given by a valuation function V as usual in First-Order Logic.

• Obs, a set of time dependent variables called observables and denoted by upper case letters X, Y, Z or expressions printed in sans-serif. The value of an observable X is determined by a trajectory I : T → range(X), mapping each point in time to a data value in the range of the observable. The temporal domain T may either be continuous, i.e., the set of real numbers R≥0, or discrete, i.e., the set of natural numbers N. In the continuous case the interpretation function must possess the finite variability property, i.e., in each finite interval the interpretation changes its value only finitely often. For the discrete case, finite variability is already a consequence of the discrete domain.

• Func, a set of function symbols usually denoted by f, g, h. For convenience we assume the existence of the usual arithmetical functions +, ·, ... and assume they are always interpreted as usual.

• Pred, a set of predicate symbols denoted by p, q. We always assume this set to contain equality = with the usual interpretation.

The syntax definition of Duration Calculus consists of state expressions, DC terms and DC formulae. A state expression characterises the system state for a single point in time, e.g., that the valve is open but the flame is not ignited.

Definition 2.1 (Syntax of DC state expressions). State expressions are denoted by π_DC. The set S_DC of all state expressions is built from the following grammar

$$
\pi_{DC} ::= X = d \mid \neg\pi_{DC} \mid \pi'_{DC} \wedge \pi''_{DC}
$$


where X ∈ Obs is an observable and d is in the range of X. If X is an observable of Boolean type, we will abbreviate X = 1 by X and X = 0 by ¬X like in ∫(Gas ∧ ¬Flame) in the gas burner example. The remaining Boolean operators π'_DC ∨ π''_DC, π'_DC ⇒ π''_DC, etc. are obtained as abbreviations as usual. The semantics of state expressions is obtained by extending the trajectories to Boolean combinations.

Definition 2.2 (Semantics of DC state expressions). The semantics of a state expression with respect to an interpretation I of the observables is a function I[[π]] : T → {0, 1} defined by structural induction as follows:

$$
\begin{aligned}
I[\![X = d]\!](t) &\stackrel{df}{=} \begin{cases} 1 & \text{if } I[\![X]\!](t) = d \\ 0 & \text{otherwise} \end{cases}\\
I[\![\neg\pi_{DC}]\!](t) &\stackrel{df}{=} 1 - I[\![\pi_{DC}]\!](t)\\
I[\![\pi'_{DC} \wedge \pi''_{DC}]\!](t) &\stackrel{df}{=} I[\![\pi'_{DC}]\!](t) \cdot I[\![\pi''_{DC}]\!](t)
\end{aligned}
$$

The accumulated time of a system being in a certain state is characterised by duration terms built by applying the integration operator ∫ to a state expression. Duration terms accompanied by global variables and function application constitute the terms in Duration Calculus.

Definition 2.3 (Syntax of Duration Calculus terms). Duration Calculus terms are denoted by θ_DC and generated by the following grammar.

$$
\theta_{DC} ::= \textstyle\int \pi_{DC} \mid \ell \mid x \mid f(\theta^1_{DC}, \dots, \theta^k_{DC})
$$

where π_DC is a state expression, x ∈ Var is a global variable, f ∈ Func is a k-ary function symbol, and θ¹_DC, ..., θᵏ_DC are DC terms. The special symbol ℓ denotes the length of the interval under consideration. DC terms are interpreted on intervals. The interpretation yields elements from the temporal domain, i.e., a real number or a natural number, as given in the following definition.

Definition 2.4 (Semantics of Duration Calculus terms). The semantics of a DC term θ_DC is given by a function I[[θ_DC]] : (Val × Int) → T where Int =df {[a, b] | a, b ∈ T} is the set of all closed and finite intervals over T and Val is the set of valuations of the rigid global variables. It is inductively defined by

$$
\begin{aligned}
I[\![\textstyle\int\pi]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \int_a^b I[\![\pi]\!](t)\,dt\\
I[\![\ell]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} b - a\\
I[\![x]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \mathcal{V}(x)\\
I[\![f(\theta^1_{DC}, \dots, \theta^k_{DC})]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \hat f\bigl(I[\![\theta^1_{DC}]\!](\mathcal{V}, [a, b]), \dots, I[\![\theta^k_{DC}]\!](\mathcal{V}, [a, b])\bigr)
\end{aligned}
$$

where f̂ is the interpretation of the function symbol f. Instead of defining the semantics of ℓ directly, it can also be introduced as an abbreviation by ℓ = ∫1. Note that the finite variability of the interpretation of each observable guarantees integrability. As the value of an observable at a certain point in time cannot be referenced directly but only by means of integration, Duration Calculus cannot distinguish two interpretations that differ only on a set of points of measure zero. Different from First-Order Logic, Duration Calculus is interpreted over intervals. Therefore it additionally incorporates a modality ";" called "chop" for splitting the interval under consideration.

Definition 2.5 (Syntax of Duration Calculus formulae). Duration Calculus formulae are denoted by F_DC, G_DC, ... and are generated by the following grammar.

$$
F_{DC} ::= p(\theta^1_{DC}, \dots, \theta^k_{DC}) \mid F_{DC} ; G_{DC} \mid \neg F_{DC} \mid F_{DC} \wedge G_{DC} \mid \exists x : F_{DC}
$$

where p ∈ Pred is a k-ary predicate symbol, θ¹_DC, ..., θᵏ_DC are DC terms and ; is the chop operation. The Boolean constants true and false as well as the other Boolean connectives ∨, ⇒, ⇔ and the universal quantification ∀x : F_DC are defined as the usual abbreviations. Instead of ";" the symbol "⌢" is also common for denoting the chop operator.

Definition 2.6 (Semantics of Duration Calculus formulae). For a DC formula F_DC, the semantics I[[F_DC]](V, [a, b]) with respect to a valuation V and an interval [a, b] is given by a function I[[F_DC]] : Val × Int → B defined inductively by the following scheme.

$$
\begin{aligned}
I[\![p(\theta^1_{DC}, \dots, \theta^k_{DC})]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \hat p\bigl(I[\![\theta^1_{DC}]\!](\mathcal{V}, [a, b]), \dots, I[\![\theta^k_{DC}]\!](\mathcal{V}, [a, b])\bigr)\\
I[\![F_{DC} ; G_{DC}]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \text{true iff there is an } m \in [a, b] \text{ such that}\\
&\qquad I[\![F_{DC}]\!](\mathcal{V}, [a, m]) = \text{true and } I[\![G_{DC}]\!](\mathcal{V}, [m, b]) = \text{true}\\
I[\![\neg F_{DC}]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \text{true iff } I[\![F_{DC}]\!](\mathcal{V}, [a, b]) = \text{false}\\
I[\![F_{DC} \wedge G_{DC}]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \text{true iff } I[\![F_{DC}]\!](\mathcal{V}, [a, b]) = \text{true and } I[\![G_{DC}]\!](\mathcal{V}, [a, b]) = \text{true}\\
I[\![\exists x : F_{DC}]\!](\mathcal{V}, [a, b]) &\stackrel{df}{=} \text{true iff there is an } \mathsf{x} \in \mathbb{T} \text{ such that } I[\![F_{DC}]\!](\mathcal{V} \oplus \{x \mapsto \mathsf{x}\}, [a, b]) = \text{true}
\end{aligned}
$$

The predicate p̂ denotes the interpretation of the predicate symbol p. The Z-notation V ⊕ {x ↦ 𝗑} defines a valuation that coincides with V for all variables not equal to x and assigns the value 𝗑 to the variable x. A formula F is said to be satisfiable iff there is an interpretation I, a valuation V and an interval [a, b] such that I[[F]](V, [a, b]) = true, also denoted by I, V, [a, b] ⊨_DC F. A formula F is valid if it evaluates to true for every interpretation, valuation and interval. This is denoted by ⊨_DC F. To lift a state expression to a formula the following abbreviations are commonly used.

$$
\begin{aligned}
\lceil\,\rceil &\stackrel{df}{=} \ell = 0\\
\lceil \pi_{DC} \rceil &\stackrel{df}{=} \textstyle\int \pi_{DC} = \ell \wedge \ell > 0
\end{aligned}
$$

The first is another notation for the point interval and the second expresses that the state assertion π_DC is true almost everywhere in the interval. Using the chop operation, the modalities ♦ and □ are derived by

$$
\begin{aligned}
\Diamond F_{DC} &\stackrel{df}{=} \text{true} ; F_{DC} ; \text{true}\\
\Box F_{DC} &\stackrel{df}{=} \neg \Diamond \neg F_{DC}
\end{aligned}
$$

These modalities ♦ and □ express that the formula holds on some subinterval, respectively on every subinterval.

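As an added example, not part of the thesis, the following Python evaluates the Duration Calculus fragment of Definitions 2.1 to 2.6 over the discrete time domain N and checks the gas burner requirement □(ℓ > 60 ⇒ ∫(Gas ∧ ¬Flame) < 0.05ℓ) on a constructed interpretation. In the discrete domain ∫π over [a, b] counts the unit steps in [a, b) at which π holds; observables are represented as lists indexed by time, and rigid variables are not needed, so the valuation V is omitted.

```python
# An interpretation I maps each observable name to a list of values indexed by t in N.


def obs(name):
    """State expression X = 1 for a Boolean observable X (written X in the text)."""
    return lambda I, t: I[name][t]


def s_not(pi):
    return lambda I, t: 1 - pi(I, t)


def s_and(pi1, pi2):
    return lambda I, t: pi1(I, t) * pi2(I, t)


# Terms are functions (I, a, b) -> number on the interval [a, b].
def integral(pi):
    """Duration term: count the unit steps [t, t + 1) inside [a, b] at which pi holds."""
    return lambda I, a, b: sum(pi(I, t) for t in range(a, b))


def length(I, a, b):          # the special symbol l (interval length)
    return b - a


def const(c):
    return lambda I, a, b: c


def scale(c, term):           # f(theta) for the unary function c * (.)
    return lambda I, a, b: c * term(I, a, b)


# Formulae are functions (I, a, b) -> bool.
def less(t1, t2):
    return lambda I, a, b: t1(I, a, b) < t2(I, a, b)


def greater(t1, t2):
    return lambda I, a, b: t1(I, a, b) > t2(I, a, b)


def true(I, a, b):
    return True


def neg(F):
    return lambda I, a, b: not F(I, a, b)


def implies(F, G):
    return lambda I, a, b: (not F(I, a, b)) or G(I, a, b)


def chop(F, G):
    """F ; G holds on [a, b] iff some m in [a, b] splits it into [a, m] and [m, b]."""
    return lambda I, a, b: any(F(I, a, m) and G(I, m, b) for m in range(a, b + 1))


def somewhere(F):             # <>F = true ; F ; true
    return chop(chop(true, F), true)


def everywhere(F):            # []F = not <> not F
    return neg(somewhere(neg(F)))


# The gas burner requirement of Section 2.1.
LEAK = s_and(obs("Gas"), s_not(obs("Flame")))
GAS_BURNER = everywhere(implies(greater(length, const(60)),
                                less(integral(LEAK), scale(0.05, length))))


def burner_interpretation(leak_times, horizon=90):
    """Constructed interpretation: gas is on from t = 10 on and the flame is lit
    except at the given instants, each of which is a one-step leak."""
    gas = [1 if t >= 10 else 0 for t in range(horizon + 1)]
    flame = [1 if t >= 10 and t not in leak_times else 0 for t in range(horizon + 1)]
    return {"Gas": gas, "Flame": flame}


def satisfies_requirement(leak_times, horizon=90):
    """Evaluate the requirement on the whole observation interval [0, horizon]."""
    return GAS_BURNER(burner_interpretation(leak_times, horizon), 0, horizon)


if __name__ == "__main__":
    print(satisfies_requirement({10, 40, 70}))      # three leaks: at most 3 < 0.05 * 61
    print(satisfies_requirement({10, 11, 40, 70}))  # four leaks in [10, 71]: violated
```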

2.1.2 Axiomatisability and Decidability of Duration Calculus

A drawback is the undecidability of the validity problem for continuous time Duration Calculus as investigated in [ZHS93, HZ97, HZ04]. Even simple subsets of Duration Calculus, e.g., the fragment built from ⌈·⌉ and ℓ = r, are proven to have an undecidable validity problem. The model checking problem for DC formulae and timed automata is investigated in [Frä04], yielding several decidable subsets. It is possible to give a complete axiomatisation relative to interval temporal logic as shown in [HZ97, HZ04]. A complete axiomatisation of interval temporal logic for classes of abstract temporal domains is given in [Dut95]. For the standard temporal domain R a complete axiomatisation is impossible, as compactness fails in this case, as mentioned in [Gue98]. A sequent calculus and a natural deduction calculus for signed interval logic are presented in [Ras02]. However, tool support is rare; an embedding into the PVS theorem prover is presented in [SS94] and an automatic model checking approach by translating Duration Calculus into the intermediate operational model of Phase Automata is presented in [Tap01]. Considering the discrete time domain, the restricted Duration Calculus (RDC) built from ⌈π⌉ expressions as atomic DC formulae has a decidable validity problem, which led to the development of the model checking tool DCValid [Pan00].

2.2 Syntax and Semantics of Shape Calculus

In this section we extend the Duration Calculus presented in the previous section to a spatio-temporal logic called Shape Calculus¹. We give a definition of syntax and semantics, first introducing the minimal syntax and subsequently deriving convenient notations as abbreviations. As for Duration Calculus, we consider discrete and continuous domains. It is possible to use different domains to represent space and time. However, to give a more concise presentation, we choose to treat space and time uniformly and use the same domain to represent the spatial dimension and the temporal dimension. This domain is denoted by S and we assume S =df R, i.e., the set of reals, in the continuous case. Alternatively, Shape Calculus can be interpreted with the domain N, i.e., the set of natural numbers, for the discrete case. As presented in the previous section, in Duration Calculus the behaviour of a system is modelled by a set of time-dependent variables whose values change in time. The semantics is given by trajectories for the observables. The domain of each observable is time. In Shape Calculus this approach is extended by using observables that are interpreted over space and time, as illustrated in Figure 2.2. They associate to each point in space and time a value of the range of the observable. Shape Calculus limits neither the number of spatial nor of temporal dimensions a priori; instead it is parametrised by a number n of spatial and temporal dimensions.

¹ The name Shape Calculus has been proposed by Anders P. Ravn during a presentation of early ideas for this formalism.

[Figure 2.2: Observables for system modelling in a) Duration Calculus and b) Shape Calculus. Panel a) plots the Boolean observable gas against time 0 to 9; panel b) plots a Boolean observable over the two axes space and time, each ranging from 1.0 to 9.0.]

Example 2.7. As sketched in Figure 2.2, trajectories can be used to characterise the position and movement of objects. The position of the object is given by a trajectory that assigns true to every point in space that is covered by the object at the moment in time. The Shape Calculus uses terms of different types. Expressions of scalar type are used for measuring lengths, diameters and volumes, expressions of


vector types are used to specify directions and expressions yielding matrices are used for the definition of projections and other transformations. Types are called sorts in logics and we employ sorts to distinguish scalars, vectors and matrices of different types. Furthermore we use different types for vectors and matrices of different size. To each term a unique sort will be assigned. To give a concise presentation of the sorting, we identify scalars with 1 × 1 matrices and p-dimensional vectors with p × 1 matrices. In doing so, we can define the set of sorts S by S = {S_{p×q} | 1 ≤ p, q ≤ n} to be the set of all possible matrix types. As sorts are only names for domains, in First-Order Logic the interpretation of these names is normally given by algebras that assign to each sort a carrier set. However, a distinction between the sorts and the carriers would be artificial here, so we identify the sorts and the carriers. The signature of Shape Calculus consists of the following kinds of symbols:

• For every sort s, we consider a set Var_s that contains all global rigid variables x_s of that sort s. We assume a typing function type() mapping each variable x_s to its sort s. The sort of a variable or a term is also called its type. The semantics of a variable is determined by a valuation function V mapping a variable of type S_{p×q} to a matrix in S_{p×q}. The set of all valuations is denoted by Val.

• Obs, a set of time dependent variables called observables and denoted by capital letters X, Y, Z or expressions printed in sans-serif fonts. The value of an observable is determined by a trajectory I : Sⁿ → range(X), mapping each point in space and time onto a data value in the range of the observable.

• Func, a set of function symbols usually denoted by f, g, h respecting the sorting. Functions of arity zero are also called constants. The interpretation of the function symbol f will be denoted by f̂ as usual. For convenience, the distinction between f and f̂ will be dropped if it is clear from the context. To enhance readability, we use the following conventions for constants:
  – Matrices of type 1 × 1 are identified with scalar values.
  – Matrices of type n × 1 are identified with vectors and denoted by d⃗.
  – Matrices of type p × q for p ≠ 1 and q ≠ 1 will be denoted by capital letters or letters in Fraktur printing, e.g., 𝔪.
  We assume the existence of the usual arithmetical functions +, ·, ... and assume they are interpreted as usual. Furthermore, we denote the i-th unit vector of Rⁿ by e⃗ᵢⁿ. For convenience, we will omit the dimension n and write e⃗ᵢ if n is clear from the context and also use the notation e⃗ₓ, e⃗_y, e⃗_z for the spatial unit vectors in a 3-dimensional space and e⃗ₜ for the unit vector associated to the temporal dimension. The n-dimensional unit matrix will be denoted by I_n as usual.

$$
I_n = \begin{pmatrix} 1 & & 0 \\ & \ddots & \\ 0 & & 1 \end{pmatrix}
$$

• Pred, a set of predicate symbols denoted by p, q and respecting the sorting. Like for function symbols we use p̂ for the interpretation and drop the distinction if it is clear from the context. We always assume this set to contain equality = equipped with the usual meaning.

Note 2.8 (Integrability). As we will use the integral measure, we require all these functions I[[X]] to be Riemann-integrable. To obtain certain properties like axiomatisability, we will need to impose further restrictions on the set of trajectories in subsequent chapters.

Example 2.9 (Modelling the Road Runner). We illustrate each part of the definition of the Shape Calculus using a running example that is subsequently enriched. To model the Road Runner robot presented in the introduction, we employ two spatial dimensions to specify the position and one temporal dimension for the evolution of the system. So we fix the number of dimensions to n = 3. We introduce two observables, R for the robot and A for the table area. The observable R is true for a point in space and time if and only if the robot occupies this point in space at the given moment in time. Similarly, the bounded safe area is modelled by the observable A.

State Expressions

The system under investigation can comprise different observables, each describing some aspect of the system behaviour. In state expressions (also called state assertions) Boolean connectives are used to express more complex details.

Definition 2.10 (Syntax of State Expressions). The set Π of state expressions, expressing properties of a point in space and in time, is built from comparisons of observables with data values and Boolean connectives, i.e., Π is generated by the following EBNF.

$$
\pi ::= X = d \mid \neg\pi_1 \mid \pi_1 \wedge \pi_2
$$

where d is in the range of the observable X. In the following, we will use the letter π to denote a state expression. If the observable X is of Boolean type, we will also write X instead of X = 1. The semantics of state expressions is the homomorphic continuation of the trajectories of observables to state expressions as expressed by the following definition.

Definition 2.11 (Semantics of State Expressions). The semantics of state expressions is a function I[[π]] : Sⁿ → {0, 1} which is defined inductively by

$$
\begin{aligned}
I[\![X = d]\!](\vec z) &\stackrel{df}{=} \begin{cases} 1 & \text{if } I[\![X]\!](\vec z) = d \\ 0 & \text{otherwise} \end{cases}\\
I[\![\neg\pi]\!](\vec z) &\stackrel{df}{=} 1 - I[\![\pi]\!](\vec z)\\
I[\![\pi_1 \wedge \pi_2]\!](\vec z) &\stackrel{df}{=} I[\![\pi_1]\!](\vec z) \cdot I[\![\pi_2]\!](\vec z)
\end{aligned}
$$

The Boolean constants and the remaining Boolean connectives of state assertions can be defined as the usual abbreviations. Using the Boolean connectives, it is possible to specify set operations on the points that satisfy a state expression. For example, if a state expression A ⇒ B is true for all points, then the set of points satisfying A is a subset of the set of points satisfying B.

Remark 2.12. This definition coincides exactly with that for Duration Calculus for n = 1.


Chapter 2 Shape Calculus Example 2.13 (State Expression). The state expression R ∧ ¬A is true for all the points in space-time where the Road Runner robot is outside its restricted area. Terms Interval temporal logic assigns a real value to every interval and Duration Calculus introduces the integral operator to measure the duration of a certain state in a given interval. In Shape Calculus this is extended in two ways. Firstly, instead of intervals we interpret terms over bounded convex n-dimensional polyhedra. Secondly, according to our sorting introduced for variables, interpreted terms yield matrices of values of the temporal domain, in which the number of rows and columns are less or equal to the number n of dimensions. Again, scalar values are identified with 1 × 1 matrices and n-dimensional vectors with n × 1 matrices. Like in Duration Calculus, we use the integration operation, but here for spatial and temporal measures of state assertions. It is either possible to determine the measure of all spatio-temporal points satisfying a state expression or to apply transformations like projections beforehand. The measure of all spatio-temporal points is, e.g., used to express that a state expression is true throughout time and space in the polyhedron under consideration. Projections are needed to specify spatial or temporal aspects of system behaviour. For example, if it is important how much of a vehicle is outside its working area instead of the spatio-temporal volume, we need integration for the spatial part. On the other hand, being interested in the amount of time the system is moving requires pure temporal integration. To this end, we permit using linear transformations by matrices m – specified by terms of the appropriate sort – of the function I[[X]] before applying the integral. Using these transformations, we can for example achieve projections onto all axes or onto hyperplanes. 
The projection onto the $x$-axis is given by the $1\times n$ matrix $(\vec e_x)^T$, the transposed first unit vector. The projection onto the $x$-$y$-plane is defined by the matrix $[\vec e_x,\vec e_y]^T$, built from both unit vectors and transposed ($\cdot^T$). For $n=3$ these matrices are
$$(\vec e_x^{\,3})^T=\begin{pmatrix}1&0&0\end{pmatrix}\qquad\text{and}\qquad[\vec e_x^{\,3},\vec e_y^{\,3}]^T=\begin{pmatrix}1&0&0\\0&1&0\end{pmatrix}.$$


2.2 Syntax and Semantics of Shape Calculus

To ensure freedom from side-effects, we require the terms used for the transformation to be rigid, i.e., their semantics must be independent of the polyhedron under consideration. In any case, the application of integration to state assertions, with or without transformations, yields a value of scalar type, represented as a $1\times1$ matrix in the sorting.

After this informal explanation we now define syntax and semantics formally. In the definition, the set of $n$-dimensional bounded, closed, and convex polyhedra in $\mathbb S^n$ is used and denoted by $\mathcal P_n$. A special case are one-dimensional polyhedra, which are intervals. We usually denote polyhedra by upper case letters in script printing, e.g., $\mathcal M$.

Definition 2.14 (Syntax of Shape Calculus terms). Let $n$ denote the number of dimensions under consideration. We define the sorted family $\{(\Theta_n)_s\}_{s\in S}$ of sorted $n$-dimensional Shape Calculus terms, with elements denoted by $\theta$, to be the smallest set such that

- $\int\theta\,\pi\in(\Theta_n)_{\mathbb S}$ for $\theta\in(\Theta_n)_{\mathbb S^{p\times n}}$ if $\pi$ is a state expression and $\theta$ is rigid, i.e., $\theta$ does not contain the $\int$ operator,
- $x\in(\Theta_n)_s$ iff $x$ has type $s$, i.e., $\mathit{type}(x)=s$,
- $f(\theta_1,\ldots,\theta_k)\in(\Theta_n)_s$ iff $f$ has type $s_1\times\ldots\times s_k\to s$ and every parameter term is type correct, i.e., $\theta_i\in(\Theta_n)_{s_i}$.

The $n$-dimensional identity matrix $I_n$ in expressions $\int I_n\,\pi$ is usually omitted.

Definition 2.15 (Semantics of Shape Calculus Terms). The semantics of an $n$-dimensional Shape Calculus term of sort $\mathbb S^{p\times q}$ is a function $\mathcal I[\![\theta]\!]:\mathit{Val}\times\mathcal P_n\to\mathbb S^{p\times q}$ defined inductively on the term structure. In the following let $\mathcal V\in\mathit{Val}$ be a valuation and $\mathcal M\in\mathcal P_n\subseteq\mathbb S^n$ a bounded, closed and convex polyhedron. The value of a variable is given by the valuation $\mathcal V$:
$$\mathcal I[\![x]\!](\mathcal V,\mathcal M)\overset{df}{=}\mathcal V(x)\in\mathbb S^{p\times q}\qquad\text{if }\mathit{type}(x)=\mathbb S^{p\times q}.$$


Function application is defined as usual:
$$\mathcal I[\![f(\theta_1,\ldots,\theta_k)]\!](\mathcal V,\mathcal M)\overset{df}{=}\hat f\big(\mathcal I[\![\theta_1]\!](\mathcal V,\mathcal M),\ldots,\mathcal I[\![\theta_k]\!](\mathcal V,\mathcal M)\big),$$
where $\hat f$ is the interpretation of the function symbol $f$. We drop the distinction between the function symbol $f$ and the function $\hat f$ where this improves readability. If $\mathit{type}(f)=s_1\times\ldots\times s_k\to\mathbb S^{p\times q}$ and $\mathit{type}(\theta_i)=s_i$ for all $i$, the value of $\mathcal I[\![f(\theta_1,\ldots,\theta_k)]\!](\mathcal V,\mathcal M)$ is in $\mathbb S^{p\times q}$.

The semantics of the integration operator is obtained by collecting the set $\mathcal I[\![\pi]\!]^{-1}(1)$ of all points satisfying $\pi$, transforming it, and measuring the resulting set using its characteristic function $\chi$. For better readability we write $m$ for the result of evaluating the term $\theta$ that describes the transformation, i.e., $m=\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)$:
$$\mathcal I[\![\textstyle\int\theta\,\pi]\!](\mathcal V,\mathcal M)\overset{df}{=}\int_{m\cdot\mathcal M}\chi_{m(\mathcal M\cap\mathcal I[\![\pi]\!]^{-1}(1))}.$$
The value of $\mathcal I[\![\int\theta\,\pi]\!](\mathcal V,\mathcal M)$ is in $\mathbb S^{1\times1}$, which is identified with $\mathbb S$. The characteristic function $\chi$ is defined by
$$\chi_{m(\mathcal M\cap\mathcal I[\![\pi]\!]^{-1}(1))}:\ \mathbb S^p\to\mathbb B,\qquad\vec x\mapsto\begin{cases}1&\text{if }\exists\vec x_0\in\mathcal M:\ \vec x=m\vec x_0\ \wedge\ \mathcal I[\![\pi]\!](\vec x_0)=1\\0&\text{otherwise.}\end{cases}$$
Note that it is the image set that is measured, so points that the transformation maps onto the same image are counted once. A term that contains neither the integration operator nor the length operator (defined as an abbreviation later) is called rigid. The semantics of a rigid term does not depend on the polyhedron under consideration.

We illustrate the intuition behind the definition of the integration operation in Figures 2.3 to 2.7 for the evaluation of the expression
$$\int(1,0,0)^T R.$$

Remark 2.16 (Measures in discrete domains). In the discrete setting, the semantics of the integral operator is given by the sum $\sum$ instead of the integral $\int$.


Figure 2.3: Function $\mathcal I[\![R]\!]$ modelling the movement of a robot (axes $x$, $y$ and time).

Notation 2.17. For a matrix $m$ we denote the entry in the $i$-th row and $j$-th column by $m_{i,j}$, which is an abbreviation for
$$m_{i,j}\overset{df}{=}(\vec e_i)^T m\,\vec e_j.$$
Similarly we define
$$\vec\theta.i\overset{df}{=}(\vec e_i)^T\vec\theta,$$
so $\vec\theta.i$ denotes the $i$-th component of the vector given by $\vec\theta$.

In the one-dimensional case the linear transformation $m$ reduces to scaling, and $\int m\,\pi=m\int\pi$ holds. Thus in this case the transformation does not add expressive power and we still have Duration Calculus.

Example 2.18 (Terms). The term $\int R\wedge\neg A$ is the measure of all points violating the requirement, as sketched in Figure 2.8.

The definition of transformation and integration fits well into the framework of standard analysis: if the matrix is non-singular, the value of the integral after the transformation can be computed from the value before the transformation using the determinant of the transformation.


Figure 2.4: The set of points in space and time that lie in the polyhedron $\mathcal M$ under consideration and satisfy the state expression $\pi$, i.e., the set $\mathcal M\cap\mathcal I[\![R]\!]^{-1}(1)$ (axes $x$, $y$ and time).

Lemma 2.19 (Transformations). Let $\theta$ evaluate to a non-singular matrix, i.e., $\det\theta\neq0$. Then the following holds for every interpretation $\mathcal I$, valuation $\mathcal V$, polyhedron $\mathcal M$ and state expression $\pi$:
$$\mathcal I[\![\textstyle\int\theta\,\pi]\!](\mathcal V,\mathcal M)=|\det\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)|\cdot\mathcal I[\![\textstyle\int\pi]\!](\mathcal V,\mathcal M).$$
The lemma applies to square matrices only; a projection such as $(\vec e_x)^T$ has no determinant and is not covered.

Proof. The proof uses the Change of Variables Theorem known from analysis, which can be found in standard textbooks on the subject such as [DK04] and [Zor03]. We briefly recall the theorem.

Theorem 2.20 (Change of Variables Theorem). Assume that $g$ is continuous and injective on an open set $G\subseteq\mathbb R^n$ with continuous derivative $g'$ such that $\det g'(t)$ is either always positive or always negative. Let furthermore $T$ be a compact Jordan measurable subset of $G$ and $f$ continuous on $g(T)$. Then $g(T)$ is Jordan measurable, $f$ is Riemann integrable on $g(T)$, and
$$\int_{g(T)}f(x)\,dx=\int_T f(g(t))\,|\det g'(t)|\,dt.$$

Figure 2.5: The set of points in space and time after the projection onto the $x$-axis given by the transformation matrix $m=(\vec e_x)^T=(1,0,0)$, i.e., the set $m(\mathcal M\cap\mathcal I[\![R]\!]^{-1}(1))$.

Using this theorem, the lemma is proven as follows. Let $\mathcal I$ be an interpretation, $\mathcal V$ a valuation and $\mathcal M$ a polyhedron. As $\theta$ is assumed to be rigid, let furthermore $m=\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)$ be the evaluation of $\theta$. In our case the function $g$ is linear with $g(t)=m\cdot t$, and the derivative of the linear function defined by the matrix $m$ is the matrix $m$ itself, i.e., $g'(t)=m$. The third step below uses that $m$ is injective, so $mt\in m(S)$ iff $t\in S$.
$$\begin{array}{rcl}
\mathcal I[\![\int\theta\,\pi]\!](\mathcal V,\mathcal M)&=&\displaystyle\int_{m\mathcal M}\chi_{m(\mathcal I[\![\pi]\!]^{-1}(1)\cap\mathcal M)}(x)\,dx\\[1.5ex]
&&\{\text{by the Change of Variables Theorem}\}\\[0.5ex]
&=&\displaystyle\int_{\mathcal M}|\det m|\,\chi_{m(\mathcal I[\![\pi]\!]^{-1}(1)\cap\mathcal M)}(mt)\,dt\\[1.5ex]
&=&|\det m|\displaystyle\int_{\mathcal M}\chi_{\mathcal I[\![\pi]\!]^{-1}(1)\cap\mathcal M}(t)\,dt\\[1.5ex]
&=&|\det\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)|\cdot\mathcal I[\![\int\pi]\!](\mathcal V,\mathcal M)
\end{array}$$


Figure 2.6: The characteristic function $\chi_{m(\mathcal M\cap\mathcal I[\![R]\!]^{-1}(1))}$ over the $x$-axis (values in $\mathbb B$).

Figure 2.7: The expression $\int\chi_{m(\mathcal M\cap\mathcal I[\![R]\!]^{-1}(1))}$ over the $x$-axis.
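As an added illustration, not code from the thesis, the following Python evaluates the discrete form of the integral semantics of Definition 2.15 (Remark 2.16: a sum in place of the integral) on a constructed robot run in the spirit of Figures 2.3 to 2.7. A polyhedron is a finite set of integer points, a state expression is a predicate on points, and a transformation $\theta$ is an integer matrix given as a tuple of rows; the robot path, the area $A$, the matrix names and the grid are assumptions of the example. It also shows a caveat: the determinant factor of Lemma 2.19 belongs to the continuous measure and does not appear in the discrete sum, because an injective transformation leaves the number of distinct images unchanged.

```python
from itertools import product


def mat_vec(m, x):
    """Product m·x of a matrix m (tuple of rows) and a point x (tuple)."""
    return tuple(sum(a * b for a, b in zip(row, x)) for row in m)


def characteristic(theta, pi, polyhedron):
    """Support of chi_{m(M ∩ π⁻¹(1))}: images under θ of the points of M that satisfy π."""
    return frozenset(mat_vec(theta, x) for x in polyhedron if pi(x))


def integral(theta, pi, polyhedron):
    """Discrete ∫θπ of Definition 2.15 / Remark 2.16: the sum of chi over m·M.
    Points that θ maps onto the same image are counted once."""
    chi = characteristic(theta, pi, polyhedron)
    transformed = {mat_vec(theta, x) for x in polyhedron}
    return sum(1 for y in transformed if y in chi)


# Constructed example (not from the thesis), in the spirit of Figures 2.3 to 2.7.
# Dimensions are (x, y, t); the observation polyhedron is the grid [0,8) x [0,4) x [0,8).
M = frozenset(product(range(8), range(4), range(8)))


def R(p):
    """Robot R: moves one cell along x per time unit, then parks at x = 4."""
    x, y, t = p
    return y == 1 and x == min(t, 4)


def A(p):
    """Restricted area A: the cells with x < 3 (assumed for the example)."""
    return p[0] < 3


I3 = ((1, 0, 0), (0, 1, 0), (0, 0, 1))       # identity: spatio-temporal volume
E_X = ((1, 0, 0),)                            # (e_x)^T: projection onto the x-axis
E_XY = ((1, 0, 0), (0, 1, 0))                 # [e_x, e_y]^T: projection onto the x-y plane
E_T = ((0, 0, 1),)                            # (e_t)^T: projection onto the time axis
STRETCH = ((2, 0, 0), (0, 1, 0), (0, 0, 1))   # non-singular, |det| = 2


def robot_measures():
    """∫θR for the transformations above: the projections count distinct images only."""
    return {name: integral(theta, R, M)
            for name, theta in (("volume", I3), ("x", E_X), ("xy", E_XY), ("t", E_T))}


def violation_measures():
    """∫θ(R ∧ ¬A): the part of the run outside A in space-time, in space and in time."""
    def off_area(p):
        return R(p) and not A(p)
    return {name: integral(theta, off_area, M)
            for name, theta in (("volume", I3), ("xy", E_XY), ("t", E_T))}


def stretch_is_not_scaled():
    """Lemma 2.19 concerns the continuous measure: in the discrete sum an injective θ
    leaves the count unchanged, so the factor |det θ| = 2 does not appear here."""
    return integral(STRETCH, R, M) == integral(I3, R, M)


if __name__ == "__main__":
    print(robot_measures())         # {'volume': 8, 'x': 5, 'xy': 5, 't': 8}
    print(violation_measures())     # {'volume': 5, 'xy': 2, 't': 5}
    print(stretch_is_not_scaled())  # True
```

The robot occupies eight cells in space-time but only five distinct $x$ positions, so the projection $(\vec e_x)^T$ yields 5 while the temporal projection yields 8; this is the difference between "how much of the vehicle is outside" and "for how long" discussed above.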

Formulae

The special feature of interval temporal logic is the "chop" modality, which chops the interval under consideration into a left-hand and a right-hand subinterval. In the multi-dimensional case of Shape Calculus the direction of this splitting operation has to be specified. To this end we parametrise the chop operator $\langle\vec d\rangle$ with a vector $\vec d$. This vector can be given by a rigid term of suitable type. The operation splits the polyhedron along a hyperplane defined by the vector $\vec d$ and some point in the polyhedron, and yields two new sub-polyhedra. This idea results in the following definition of the chop operation.

Notation 2.21 (Chopping polyhedra). Let $\mathcal M$ be an $n$-dimensional polyhedron, $\vec m$ a point in $n$-dimensional space and $\vec d$ an $n$-dimensional vector. The point $\vec m$ and the vector $\vec d$ uniquely define an $(n-1)$-dimensional hyperplane. We define the following two operations yielding all points below this hyperplane and above this hyperplane, respectively. The intuition of this definition is


sketched in Figure 2.9.
$$\mathcal M\!\restriction^{\vec m}_{\vec d}\ \overset{df}{=}\ \{\vec x\in\mathcal M\mid\langle\vec x-\vec m,\vec d\rangle\le0\}\qquad\qquad\mathcal M\!\downharpoonright^{\vec m}_{\vec d}\ \overset{df}{=}\ \{\vec x\in\mathcal M\mid\langle\vec x-\vec m,\vec d\rangle\ge0\}$$
Here $\langle\vec x-\vec m,\vec d\rangle$ is the usual notation for the scalar product of $\vec x-\vec m$ and $\vec d$, which is proportional to the cosine of the angle $\alpha$ between these vectors [Lan97]. Thus it is negative iff $\alpha$ is greater than 90 degrees, i.e., the point $\vec x$ is below the hyperplane, and positive otherwise. Note that the scalar product is bilinear, so scaling the vector $\vec d$ with positive reals changes neither $\mathcal M\!\restriction^{\vec m}_{\vec d}$ nor $\mathcal M\!\downharpoonright^{\vec m}_{\vec d}$. This definition is used in the following to define the semantics of the chop operation.

Figure 2.8: The moving robot $R$ leaving the area $A$; the region where $R\wedge\neg A$ holds is marked (axes: space and time).

Definition 2.22 (Syntax of Shape Calculus Formulae). Fixing a number $n$ of dimensions, the set $SC_n$ of $n$-dimensional Shape Calculus formulae is given


Figure 2.9: Chopping polyhedra: the point $\vec m$ and the direction $\vec d$ split $\mathcal M$ into $\mathcal M\!\restriction^{\vec m}_{\vec d}$ and $\mathcal M\!\downharpoonright^{\vec m}_{\vec d}$ (axes $x$, $y$ and time).

by
$$F::=F_1\,\langle\vec\theta\rangle\,F_2\ \mid\ p(\theta_1,\ldots,\theta_k)\ \mid\ \neg F_1\ \mid\ F_1\wedge F_2\ \mid\ \exists x_s:F_1$$
where $p$ is a predicate symbol of type $s_1\times\ldots\times s_k\to s$ and every parameter term is type correct, i.e., $\theta_i\in(\Theta_n)_{s_i}$. The expression $\vec\theta\in(\Theta_n)_{n\times1}$ denotes a rigid term of sort $n\times1$ that evaluates to an $n$-dimensional vector, and $x$ is a rigid variable of sort $s\in S$.

The definition of the semantics coincides with first-order logic for all operators except the ternary chop. A formula $F\langle\vec\theta\rangle G$ is valid on $\mathcal M$ if and only if there is a hyperplane orthogonal to the vector $\vec d=\mathcal I[\![\vec\theta]\!]$ such that the polyhedron $\mathcal M$ is split by this hyperplane into two polyhedra $\mathcal M_1$ and $\mathcal M_2$ which fulfil $F$ and $G$, respectively. This is illustrated in Figure 2.10. Note that the number of dimensions under consideration is used to ensure type safety for the chop operator.

Definition 2.23 (Semantics of Shape Calculus Formulae). For an $n$-dimensional $SC_n$ formula $F$, the semantics is a function $\mathcal I[\![F]\!]:\mathit{Val}\times\mathcal P_n\to\mathbb B$


inductively defined as follows.
$$\mathcal I[\![p(\theta_1,\ldots,\theta_k)]\!](\mathcal V,\mathcal M)\overset{df}{=}\hat p\big(\mathcal I[\![\theta_1]\!](\mathcal V,\mathcal M),\ldots,\mathcal I[\![\theta_k]\!](\mathcal V,\mathcal M)\big)$$
where $\hat p$ is the interpretation of the predicate symbol $p$ in the structure $\mathcal I$. Subsequently we assume that the comparison symbols are always interpreted as usual.
$$\mathcal I[\![F_1\langle\vec\theta\rangle F_2]\!](\mathcal V,\mathcal M)\overset{df}{=}\mathit{true}\quad\text{iff there exists }\vec m\in\mathcal M\text{ such that }\mathcal I[\![F_1]\!]\big(\mathcal V,\mathcal M\!\restriction^{\vec m}_{\mathcal I[\![\vec\theta]\!](\mathcal V,\mathcal M)}\big)=\mathit{true}\text{ and }\mathcal I[\![F_2]\!]\big(\mathcal V,\mathcal M\!\downharpoonright^{\vec m}_{\mathcal I[\![\vec\theta]\!](\mathcal V,\mathcal M)}\big)=\mathit{true}$$
$$\mathcal I[\![\neg F_1]\!](\mathcal V,\mathcal M)\overset{df}{=}\mathit{true}\quad\text{iff }\mathcal I[\![F_1]\!](\mathcal V,\mathcal M)=\mathit{false}$$
$$\mathcal I[\![F_1\wedge F_2]\!](\mathcal V,\mathcal M)\overset{df}{=}\mathit{true}\quad\text{iff }\mathcal I[\![F_1]\!](\mathcal V,\mathcal M)=\mathit{true}\text{ and }\mathcal I[\![F_2]\!](\mathcal V,\mathcal M)=\mathit{true}$$
$$\mathcal I[\![\exists x:F_1]\!](\mathcal V,\mathcal M)\overset{df}{=}\mathit{true}\quad\text{iff }\mathit{type}(x)=\mathbb S^{p\times q}\text{ and there is a value }v\in\mathbb S^{p\times q}\text{ such that }\mathcal I[\![F_1]\!](\mathcal V\oplus\{x\mapsto v\},\mathcal M)=\mathit{true}.$$
A formula that contains neither non-rigid terms nor the chop operation is called rigid. Hence the semantics of a rigid formula does not depend on the polyhedron under consideration.

In the one-dimensional case, when the vector used for the chop operation has only one component, only three different cases are possible, as scaling with positive reals does not change the resulting polyhedra. Each case can be modelled in Duration Calculus using the DC chop operator ";" and conjunction:
$$F\langle1\rangle G\iff F;G\qquad\qquad F\langle0\rangle G\iff F\wedge G\qquad\qquad F\langle-1\rangle G\iff G;F.$$


Figure 2.10: The chop operation: $F$ holds on the part of $\mathcal M$ below the hyperplane through $\vec m$ orthogonal to $\vec d$, and $G$ on the part above it (axes $x$, $y$ and time).

Example 2.24 (Formulae). The following formula specifies that the Road Runner robot $R$ never leaves the table $A$:
$$\neg\big(\mathit{true}\ \langle\vec e_t\rangle\ (\textstyle\int(R\wedge\neg A)>0)\ \langle\vec e_t\rangle\ \mathit{true}\big).$$
The formula reads as follows: it is impossible to split the current observation polyhedron twice in the temporal direction such that for the resulting polyhedron in the middle the measure of the points satisfying $R$ and not $A$ exceeds zero.

Using this semantics we define the truth relation $\models_n$, validity and satisfiability. For satisfiability there are two natural definitions. A formula can be considered satisfiable if there is a convex polyhedron, or alternatively an $n$-dimensional interval ($n$-hypercube), on which the formula evaluates to true. For the investigation of general properties of Shape Calculus, considering arbitrary convex polyhedra is more general and more natural. Since the subsets discussed in subsequent chapters only consider chops along the coordinate axes, $n$-dimensional intervals are the appropriate domain in those cases. Therefore we define two notions of satisfiability and validity


and provide the algebraic results for the more general case, using the more specialised notion later on.

Definition 2.25 (Truth relation, validity, and satisfiability). The truth relation $\models_n$ for $n$-dimensional Shape Calculus is defined by
$$\mathcal I,\mathcal V,\mathcal M\models_n F\quad\text{iff}\quad\mathcal I[\![F]\!](\mathcal V,\mathcal M)=\mathit{true}$$
where $F\in SC_n$, $\mathcal V$ is a valuation and $\mathcal M$ an $n$-dimensional convex polyhedron. A Shape Calculus formula $F\in SC_n$ is $I$-satisfiable iff there are an interpretation $\mathcal I$, a valuation $\mathcal V$ and an $n$-dimensional interval $\mathcal M$ such that $\mathcal I,\mathcal V,\mathcal M\models_n F$. A formula is $P$-satisfiable iff there are an interpretation $\mathcal I$, a valuation $\mathcal V$ and an $n$-dimensional convex polyhedron $\mathcal M$ such that $\mathcal I,\mathcal V,\mathcal M\models_n F$. A formula $F$ is $I$-valid, written $\models^n_I F$, iff for all interpretations $\mathcal I$, valuations $\mathcal V$ and $n$-dimensional intervals $\mathcal M$ we have $\mathcal I,\mathcal V,\mathcal M\models_n F$. A formula $F$ is $P$-valid, written $\models^n_P F$, iff for all interpretations $\mathcal I$, valuations $\mathcal V$ and $n$-dimensional convex polyhedra $\mathcal M$ we have $\mathcal I,\mathcal V,\mathcal M\models_n F$.

Note that $P$-validity entails $I$-validity and $I$-satisfiability entails $P$-satisfiability, but the converse is not true. The formula
$$\textstyle\int1=\big(\int(\vec e_1)^T1\big)\cdot\big(\int(\vec e_2)^T1\big)$$
is an $I$-valid two-dimensional Shape Calculus formula, since the area of a rectangle is the product of its side lengths. However, it is not $P$-valid: for a triangle, say, the area is smaller than the product of the lengths of its projections onto the two axes.

Definition 2.26 (Equivalence). Two $n$-dimensional formulae $F,G\in SC_n$ are $I$-equivalent, written $F\equiv_I G$, if and only if $\models^n_I F\iff G$. They are $P$-equivalent, written $F\equiv_P G$, if and only if $\models^n_P F\iff G$.

Remark 2.27. For the rest of this chapter we use $P$-validity as the standard notion of validity if not stated otherwise, and write $\models_n$ instead of $\models^n_P$. A valid formula is also called a tautology.


Definition 2.28 (Operator Precedence). To avoid too many parentheses we use the following precedence rules, starting with the highest precedence.
1. $\neg$, $\Box$, $\Diamond$, $\forall$, $\exists$
2. $\wedge$, $\vee$
3. $\langle\cdot\rangle$
4. $\Rightarrow$, $\iff$

2.2.1 Abbreviations

The abbreviations defined for Duration Calculus can be adopted directly for Shape Calculus.

n-dimensional Volumes
$$\ell\overset{df}{=}\textstyle\int1\qquad\qquad\ell_\theta\overset{df}{=}\textstyle\int(\theta)^T1$$
The symbol $\ell$ denotes the $n$-dimensional volume of the polyhedron under consideration. The symbol $\ell_\theta$ performs a transformation using the transposition $\theta^T$ of $\theta$ before applying the integration operation. This can be used to determine diameters of the polyhedron or sizes of other subspaces. We denote by $\vec e_x$ and $\vec e_t$ the unit vectors for the $x$ dimension and the time dimension, respectively, and write $\ell_{\vec e_t}$, defined by $\ell_{\vec e_t}\overset{df}{=}\int(\vec e_t)^T1$, to measure the temporal length, and $\ell_{\vec e_x}\overset{df}{=}\int(\vec e_x)^T1$ for the diameter along the $x$-axis.

Modalities

As in Duration Calculus, the chop along the time axis is written
$$F;G\overset{df}{=}F\,\langle\vec e_t\rangle\,G.$$
The everywhere operator $\lceil\pi\rceil$ expresses that a state assertion $\pi$ holds almost everywhere in the polyhedron. It can be augmented by a transformation term $\theta$:
$$\lceil\pi\rceil\overset{df}{=}\big(\textstyle\int\pi=\int1\ \wedge\ \int1>0\big)\qquad\qquad\lceil\pi\rceil_\theta\overset{df}{=}\big(\textstyle\int\theta\,\pi=\int\theta\,1\ \wedge\ \int\theta\,1>0\big).$$
A polyhedron of diameter zero in direction $\theta$ is denoted by
$$\lceil\,\rceil_\theta\overset{df}{=}\ \ell_\theta=0.$$


The somewhere operator $\Diamond_{\vec\theta}F$ allows the polyhedron to be chopped twice in the same direction such that $F$ holds in the middle polyhedron:
$$\Diamond_{\vec\theta}F\overset{df}{=}(\mathit{true}\,\langle\vec\theta\rangle\,F)\,\langle\vec\theta\rangle\,\mathit{true}.$$
The globally operator $\Box$ is the dual of $\Diamond$:
$$\Box_{\vec\theta}F\overset{df}{=}\neg\Diamond_{\vec\theta}\neg F.$$
We write $\Diamond F$ instead of $\Diamond_{\vec e_1}\ldots\Diamond_{\vec e_n}F$ and $\Box F$ instead of $\Box_{\vec e_1}\ldots\Box_{\vec e_n}F$ to denote the quantification over all dimensions.

Remark 2.29. Note that $\Diamond F\not\equiv\Diamond_{\binom{1}{1}}F$, but $\Diamond_{\vec e_1}\Diamond_{\vec e_2}F\equiv\Diamond_{\vec e_2}\Diamond_{\vec e_1}F$, as will be shown in subsequent sections. Investigating the algebraic properties in subsequent sections will yield general commutativity of $\Diamond$ and $\Box$.

These derived modalities guarantee the Necessity Rule known from modal logic:
$$\frac{F}{\Box F}$$
If a formula is valid, then $\Box F$ is also valid. In this sense the $\Box$ operator mimics the definition of $I$-validity. However, as $P$-validity entails $I$-validity, the Necessity Rule still holds. An operator that mimics $P$-validity, denoted here by $\Diamond^P$ with dual $\Box^P$, can be defined as follows:
$$\Diamond^P F=\bigvee_{k=1}^{\infty}\exists\vec d_1,\ldots,\vec d_k\ \Diamond_{\vec d_1}\ldots\Diamond_{\vec d_k}F\qquad\text{and}\qquad\Box^P F=\neg\Diamond^P\neg F.$$
To express that $F$ holds on some convex sub-polyhedron, an arbitrary number of chops is needed. This cannot be expressed directly in Shape Calculus, and therefore $\Box^P$ cannot be defined in the standard syntax of Shape Calculus.

Example 2.30 (Modalities). Using these modalities, the requirement of Example 2.24 can be weakened to
$$\Box_{\vec e_t}\Big(\ell_{\vec e_t}=1\ \Rightarrow\ \textstyle\int[\vec e_x,\vec e_y]^T(R\wedge\neg A)\le1\Big),$$
which reads as follows: during every interval of length one time unit, the accumulated space in which the robot $R$ is off the table $A$ is at most one square space unit.
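The following Python is an added illustration and not part of the thesis. It evaluates the formula semantics of Definition 2.23 on finite point sets: the hyperplane chop of Notation 2.21 in an arbitrary direction, the derived $\Diamond$ and $\Box$, the three one-dimensional cases of the chop stated after Definition 2.23, the inequivalence of Remark 2.29, and Examples 2.24 and 2.30 on a constructed robot run. Its assumptions: a polyhedron is a finite set of integer points; the chop point $\vec m$ ranges over those points (one representative per offset $\langle\vec m,\vec d\rangle$, since the halves depend on $\vec m$ only through that value); points on the hyperplane belong to both closed halves, as in Notation 2.21; the discrete temporal length of a window is its number of distinct time coordinates; and the atomic formulae, the robot paths and the table are constructed for the example.

```python
from itertools import product


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def chop_halves(points, m, d):
    """Notation 2.21 on a finite point set: lower = {x | <x-m,d> <= 0}, upper = {x | <x-m,d> >= 0}."""
    side = lambda x: dot([a - b for a, b in zip(x, m)], d)
    return (frozenset(x for x in points if side(x) <= 0),
            frozenset(x for x in points if side(x) >= 0))


def chop(f, d, g):
    """F <d> G (Definition 2.23): some m in M splits M so that F holds below and G above."""
    def holds(points):
        # the halves depend on m only through <m,d>, so one m per offset suffices
        representatives = {dot(m, d): m for m in points}.values()
        return any(f(lower) and g(upper)
                   for m in representatives
                   for lower, upper in (chop_halves(points, m, d),))
    return holds


def TRUE(points):
    return True


def somewhere(d, f):
    """◇_d F = (true <d> F) <d> true"""
    return chop(chop(TRUE, d, f), d, TRUE)


def globally(d, f):
    """□_d F = ¬◇_d ¬F"""
    return lambda points: not somewhere(d, lambda s: not f(s))(points)


def measure(points, pi, proj=None):
    """Discrete ∫θπ for a coordinate projection θ (tuple of axis indices, None = identity)."""
    satisfying = [p for p in points if pi(p)]
    if proj is None:
        return len(satisfying)
    return len({tuple(p[i] for i in proj) for p in satisfying})


# Lemma 2.35: the one-dimensional chop has only three cases, F;G, F∧G and G;F.
LINE = frozenset((i,) for i in range(7))
starts_here = lambda s: (0,) in s and (6,) not in s    # constructed atomic formulae
ends_here = lambda s: (6,) in s and (0,) not in s


def one_dimensional_cases():
    """(F<1>G, F<0>G, F<-1>G, G<-1>F) on LINE, i.e. F;G, F∧G, G;F and F;G again."""
    return (chop(starts_here, (1,), ends_here)(LINE),
            chop(starts_here, (0,), ends_here)(LINE),
            chop(starts_here, (-1,), ends_here)(LINE),
            chop(ends_here, (-1,), starts_here)(LINE))


# Remark 2.29: ◇F (axis-wise chops) and ◇ in direction (1,1) are not equivalent.
GRID = frozenset(product(range(3), repeat=2))


def antidiagonal(s):
    """Holds on a sub-polyhedron containing (0,1) and (1,0) but neither (0,0) nor (1,1)."""
    return (0, 1) in s and (1, 0) in s and (0, 0) not in s and (1, 1) not in s


def remark_2_29():
    axis_wise = somewhere((1, 0), somewhere((0, 1), antidiagonal))   # ◇_{e1} ◇_{e2} F
    diagonal = somewhere((1, 1), antidiagonal)                        # ◇_{(1,1)} F
    return axis_wise(GRID), diagonal(GRID)


# Examples 2.24 and 2.30 on a constructed robot run; dimensions (x, y, t).
X, Y, T = 0, 1, 2
E_T = (0, 0, 1)
SPACE_TIME = frozenset(product(range(8), range(4), range(8)))
EARLY_RUN = frozenset(p for p in SPACE_TIME if p[T] < 6)
table = lambda p: 0 <= p[X] < 6 and 0 <= p[Y] < 4                                   # A
off_table = lambda p: p[Y] == 1 and p[X] == p[T] and not table(p)                    # R ∧ ¬A, one-cell robot
wide_off_table = lambda p: p[Y] == 1 and p[X] in (p[T], p[T] + 1) and not table(p)  # two-cell robot


def never_leaves(points, off=off_table):
    """Example 2.24: ¬(true <e_t> (∫(R∧¬A) > 0) <e_t> true)."""
    return not somewhere(E_T, lambda s: measure(s, off) > 0)(points)


def bounded_excursion(points, off=off_table):
    """Example 2.30: □_{e_t}(ℓ_{e_t} = 1 ⇒ ∫[e_x,e_y]^T(R∧¬A) ≤ 1), with the discrete
    ℓ_{e_t} taken as the number of distinct time coordinates in the window."""
    body = lambda s: measure(s, lambda p: True, (T,)) != 1 or measure(s, off, (X, Y)) <= 1
    return globally(E_T, body)(points)
```

On the full run the one-cell robot violates Example 2.24 (it is off the table from $t=6$ on) but satisfies the weakened Example 2.30, while a robot two cells wide violates the weakened requirement too, since in one time step it covers two off-table cells. The one-dimensional cases come out as $F;G$, $F\wedge G$ and $G;F$, and the antidiagonal witness shows why $\Diamond F$ and $\Diamond_{(1,1)^T}F$ differ: axis-aligned windows containing $(0,1)$ and $(1,0)$ always contain $(0,0)$, a diagonal band need not.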


Generalising Matrix-Transformations

The definition of Shape Calculus restricts the use of matrix transformations to the integration level. However, it is possible to "lift" matrix transformations to the formula level if the transformation matrix does not depend on the polyhedron under consideration. This turns out to be useful for the description of rotations.

Definition 2.31 (Generalised Matrix Transformation). Let $\theta_{n\times n}\in(\Theta_n)_{\mathbb S^{n\times n}}$ be a rigid term of type $n\times n$ matrix and $F\in SC_n$ an $n$-dimensional Shape Calculus formula. The application $(\theta_{n\times n})F$ of $\theta_{n\times n}$ to $F$ is defined as an abbreviation, inductively, by the following principle:
$$\begin{array}{rcll}
(\theta_{n\times n})x&\overset{df}{=}&x\\[0.5ex]
(\theta_{n\times n})f(\theta_1,\ldots,\theta_k)&\overset{df}{=}&f\big((\theta_{n\times n})\theta_1,\ldots,(\theta_{n\times n})\theta_k\big)\\[0.5ex]
(\theta_{n\times n})\int\theta\,\pi&\overset{df}{=}&\int\theta\,\theta_{n\times n}\,\pi&(2.1)\\[0.5ex]
(\theta_{n\times n})(\neg F)&\overset{df}{=}&\neg(\theta_{n\times n})F\\[0.5ex]
(\theta_{n\times n})(F\wedge G)&\overset{df}{=}&(\theta_{n\times n})F\wedge(\theta_{n\times n})G\\[0.5ex]
(\theta_{n\times n})(F\langle\vec\theta\rangle G)&\overset{df}{=}&(\theta_{n\times n})F\ \langle\theta_{n\times n}\vec\theta\rangle\ (\theta_{n\times n})G&(2.2)\\[0.5ex]
(\theta_{n\times n})(\exists x_s\,F)&\overset{df}{=}&\exists x_s\,(\theta_{n\times n})F
\end{array}$$
The transformation $\theta_{n\times n}$ acts on the points of $\mathbb S^n$. Therefore in equation (2.1) the matrix is applied to all points satisfying $\pi$, and it is applied before the transformation $\theta$. The chopping direction is transformed in the same way as the points satisfying $\pi$. For this reason the matrix $\theta_{n\times n}$ must be applied to $\vec\theta$ in (2.2) and not vice versa. This definition directly carries over to the everywhere notation:
$$(\theta_{n\times n})\lceil\pi\rceil=(\theta_{n\times n})\big(\textstyle\int\pi=\int1\wedge\int1>0\big)=\big(\textstyle\int\theta_{n\times n}\,\pi=\int\theta_{n\times n}\,1\wedge\int\theta_{n\times n}\,1>0\big)=\lceil\pi\rceil_{\theta_{n\times n}}$$
and
$$(\theta_{n\times n})\lceil\pi\rceil_\theta=(\theta_{n\times n})\big(\textstyle\int\theta\,\pi=\int\theta\,1\wedge\int\theta\,1>0\big)=\big(\textstyle\int\theta\theta_{n\times n}\,\pi=\int\theta\theta_{n\times n}\,1\wedge\int\theta\theta_{n\times n}\,1>0\big)=\lceil\pi\rceil_{\theta\theta_{n\times n}}.$$


Furthermore, the generalisation gives rise to the following proof rule relating a valid formula and its transformation. A sufficient condition on the transformation is that it respects relative angles and distances. This can be expressed concisely as a condition on the matrix.

Lemma 2.32. Let $F\in SC_n$ be a $P$-valid $n$-dimensional Shape Calculus formula involving only rigid transformations with non-zero determinant, and let $\theta_{n\times n}$ be a rigid $n\times n$ matrix term evaluating to an orthogonal matrix $m$, i.e., a matrix satisfying $mm^T=I$. Then $(\theta_{n\times n})F$ is also $P$-valid.

Proof. An orthogonal matrix $m$ is always invertible, with $m^{-1}=m^T$. Furthermore, orthogonal matrices preserve angles and lengths as they do not affect the scalar product, i.e., they satisfy $\langle m\vec a,m\vec b\rangle=\langle\vec a,\vec b\rangle$. Additionally, the determinant is equal to $1$ or $-1$, and the set of orthogonal matrices forms a group, i.e., they are invertible and the matrix product of orthogonal matrices is orthogonal. Obviously, the transpose $m^T$ of an orthogonal matrix is also orthogonal.

It is easy to see that for arbitrary matrices validity does not carry over. The formula $\neg(\lceil\pi\rceil\wedge\lceil\neg\pi\rceil)$ is valid, but $\neg(\lceil\pi\rceil_{\vec e_x}\wedge\lceil\neg\pi\rceil_{\vec e_x})$ is not; as an example consider the interpretation in Figure 3.1.

For the proof we proceed by induction on the structure of the formula $F$. Let $\mathcal I$ be an interpretation, $\mathcal V$ a valuation and $\mathcal M$ a polyhedron violating $(\theta_{n\times n})F$. As the matrix $m=\mathcal I[\![\theta_{n\times n}]\!](\mathcal V,\mathcal M)$ has an inverse $m^{-1}$, we can construct $\mathcal I'$ by $\mathcal I'(X)(\vec x)\overset{df}{=}\mathcal I(X)(m\vec x)$ for all observables $X$, and $\mathcal M'=m^{-1}\mathcal M$. The interpretation, valuation and polyhedron $\mathcal I',\mathcal V,\mathcal M'$ then violate $F$. To this end we show $\mathcal I[\![(\theta_{n\times n})F]\!](\mathcal V,\mathcal M)=\mathcal I'[\![F]\!](\mathcal V,\mathcal M')$.

Case $x$: As the valuation is independent of the current polyhedron, there is nothing to show.

Case $\int\theta'\pi$: Let $m'=\mathcal I[\![\theta']\!](\mathcal V,\mathcal M)$, which is independent of the polyhedron as $\theta'$ is rigid.
$$\begin{array}{rcl}
\mathcal I[\![\int\theta'\theta_{n\times n}\,\pi]\!](\mathcal V,\mathcal M)
&=&|\det(m'm)|\cdot\mathcal I[\![\int\pi]\!](\mathcal V,\mathcal M)\qquad\{\text{Lemma 2.19}\}\\[0.8ex]
&=&|(\det m')(\det m)|\cdot\mathcal I[\![\int\pi]\!](\mathcal V,\mathcal M)\qquad\{\det(AB)=(\det A)(\det B)\}\\[0.8ex]
&=&|\det m'|\cdot\mathcal I[\![\int\pi]\!](\mathcal V,\mathcal M)\qquad\{m\text{ is orthogonal, i.e., }|\det m|=1\}\\[0.8ex]
&=&|\det m'|\displaystyle\int_{\mathcal M}\chi_{\mathcal M\cap\mathcal I[\![\pi]\!]^{-1}(1)}(x)\,dx\\[1.8ex]
&=&|\det m'|\displaystyle\int_{m\mathcal M'}\chi_{m\mathcal M'\cap\mathcal I[\![\pi]\!]^{-1}(1)}(x)\,dx\qquad\{\text{Def. of }\mathcal M'\}\\[1.8ex]
&=&|\det m'|\displaystyle\int_{\mathcal M'}\chi_{m\mathcal M'\cap\mathcal I[\![\pi]\!]^{-1}(1)}(mt)\,dt\qquad\{\text{Theorem 2.20 and }|\det m|=1\}\\[1.8ex]
&=&|\det m'|\displaystyle\int_{\mathcal M'}\chi_{\mathcal M'\cap\mathcal I'[\![\pi]\!]^{-1}(1)}(t)\,dt\qquad\{\text{Def. of }\mathcal I',\mathcal M'\}\\[1.8ex]
&=&|\det m'|\cdot\mathcal I'[\![\int\pi]\!](\mathcal V,\mathcal M')\\[0.8ex]
&=&\mathcal I'[\![\int\theta'\pi]\!](\mathcal V,\mathcal M')
\end{array}$$

Case $F\langle\vec\theta'\rangle G$: First we show that chopping a transformed polyhedron is equivalent to transforming a chopped polyhedron. Let $\vec m$, $\vec d$ and $\vec x$ be arbitrary $n$-dimensional vectors, $m$ an orthogonal matrix and $\mathcal M$ a polyhedron. Then
$$m^{-1}\big(\mathcal M\!\restriction^{\vec m}_{m\vec d}\big)=(m^{-1}\mathcal M)\!\restriction^{m^{-1}\vec m}_{\vec d}\qquad\qquad(2.3)$$
Proof.
$$\begin{array}{rl}
&\vec x\in m^{-1}\big(\mathcal M\!\restriction^{\vec m}_{m\vec d}\big)\\[0.5ex]
\text{iff}&\vec x=m^{-1}\vec y,\ \vec y\in\mathcal M\ \text{and}\ \langle\vec y-\vec m,m\vec d\rangle\le0\\[0.5ex]
\text{iff}&\vec x=m^{-1}\vec y,\ \vec y\in\mathcal M\ \text{and}\ \langle mm^{-1}(\vec y-\vec m),m\vec d\rangle\le0\\[0.5ex]
\text{iff}&\vec x=m^{-1}\vec y,\ \vec y\in\mathcal M\ \text{and}\ \langle m(m^{-1}\vec y-m^{-1}\vec m),m\vec d\rangle\le0\\[0.5ex]
&\{m\text{ is orthogonal: }\langle m\vec a,m\vec b\rangle=\langle\vec a,\vec b\rangle\}\\[0.5ex]
\text{iff}&\vec x=m^{-1}\vec y,\ \vec y\in\mathcal M\ \text{and}\ \langle m^{-1}\vec y-m^{-1}\vec m,\vec d\rangle\le0\\[0.5ex]
\text{iff}&\vec x=m^{-1}\vec y,\ \vec y\in\mathcal M\ \text{and}\ \langle\vec x-m^{-1}\vec m,\vec d\rangle\le0\\[0.5ex]
\text{iff}&\vec x\in(m^{-1}\mathcal M)\!\restriction^{m^{-1}\vec m}_{\vec d}
\end{array}$$
The same argument proves the proposition for $\mathcal M\!\downharpoonright^{\vec m}_{m\vec d}$.

As in the previous case, the term $\vec\theta'$ is rigid, so there is a value $\vec d'=\mathcal I[\![\vec\theta']\!](\mathcal V,\mathcal M)=\mathcal I'[\![\vec\theta']\!](\mathcal V,\mathcal M)$ which is independent of the polyhedron $\mathcal M$.
$$\begin{array}{rl}
&\mathcal I'[\![F\langle\vec\theta'\rangle G]\!](\mathcal V,\mathcal M')=\mathit{true}\\[0.5ex]
\text{iff}&\text{there is an }\vec m'\in\mathcal M'=m^{-1}\mathcal M\text{ such that }\mathcal I'[\![F]\!]\big(\mathcal V,(m^{-1}\mathcal M)\!\restriction^{\vec m'}_{\vec d'}\big)=\mathit{true}\text{ and }\mathcal I'[\![G]\!]\big(\mathcal V,(m^{-1}\mathcal M)\!\downharpoonright^{\vec m'}_{\vec d'}\big)=\mathit{true}\\[0.5ex]
&\{\text{by Equation (2.3), with }\vec m'=m^{-1}\vec m\}\\[0.5ex]
\text{iff}&\text{there is an }\vec m\in\mathcal M\text{ such that }\mathcal I'[\![F]\!]\big(\mathcal V,m^{-1}(\mathcal M\!\restriction^{\vec m}_{m\vec d'})\big)=\mathit{true}\text{ and }\mathcal I'[\![G]\!]\big(\mathcal V,m^{-1}(\mathcal M\!\downharpoonright^{\vec m}_{m\vec d'})\big)=\mathit{true}\\[0.5ex]
&\{\text{by (IH)}\}\\[0.5ex]
\text{iff}&\text{there is an }\vec m\in\mathcal M\text{ such that }\mathcal I[\![(\theta_{n\times n})F]\!]\big(\mathcal V,\mathcal M\!\restriction^{\vec m}_{m\vec d'}\big)=\mathit{true}\text{ and }\mathcal I[\![(\theta_{n\times n})G]\!]\big(\mathcal V,\mathcal M\!\downharpoonright^{\vec m}_{m\vec d'}\big)=\mathit{true}\\[0.5ex]
\text{iff}&\mathcal I[\![(\theta_{n\times n})F\ \langle\theta_{n\times n}\vec\theta'\rangle\ (\theta_{n\times n})G]\!](\mathcal V,\mathcal M)=\mathit{true}\\[0.5ex]
\text{iff}&\mathcal I[\![(\theta_{n\times n})(F\langle\vec\theta'\rangle G)]\!](\mathcal V,\mathcal M)=\mathit{true}
\end{array}$$

Other cases: All other cases follow directly from the induction hypothesis.

Note that rotations in the $x$-$y$ plane by an angle $\alpha$ are defined by the rotation matrix
$$r_\alpha\overset{df}{=}\begin{pmatrix}\cos\alpha&-\sin\alpha&0\\ \sin\alpha&\cos\alpha&0\\ 0&0&1\end{pmatrix},$$
and this matrix is orthogonal. The application is sketched in Figure 2.11. The proof of Lemma 2.32 shows that the definition coincides with the intuition: an interpretation satisfying $r_\alpha F$ can be rotated such that the rotated interpretation satisfies $F$.

2.3 Properties

After providing the formal definition of Shape Calculus, we investigate basic properties of this formalism, i.e., the relationship to classical Duration Calculus, algebraic properties of the multi-dimensional chop operation, and the relationship between instances using different numbers of dimensions.

The interpretation of terms in chop operations could have been defined in a more general way, allowing arbitrary non-rigid terms as chopping directions. In this case the semantics would have depended on the polyhedron under consideration. However, restricting the terms to rigid


Figure 2.11: Rotation using the transformation matrix $r_{300}$: the formula $\lceil P\rceil\langle\vec e_x\rangle\lceil Q\rceil$ and its transformation $r_{300}(\lceil P\rceil\langle\vec e_x\rangle\lceil Q\rceil)$.

values yields important algebraic properties. The same holds for the transformations under the integral operator in expressions $\int\theta\,\pi$.

2.3.1 Conservative Extension of Duration Calculus

Shape Calculus is intended as a multi-dimensional extension of Duration Calculus [ZHR91, HZ04]. Therefore it is desirable that Duration Calculus and Shape Calculus using only one dimension have the same expressive power. This is the result of the first lemma in this section. We show that the proposed extension of Duration Calculus is conservative in the sense that the semantics coincide if we consider only one spatio-temporal dimension. In this case there is only one sort.

Lemma 2.33. Let $\theta\in\Theta_1$ be a one-dimensional Shape Calculus term and let $\theta_{DC}$ be obtained from $\theta$ by replacing every occurrence of $\int\theta'\pi$ by $\theta'\cdot\int\pi$. Interpretations for one-dimensional Shape Calculus and Duration Calculus are identical, one-dimensional polyhedra are intervals, and Shape Calculus


semantics and Duration Calculus semantics coincide, i.e.,
$$\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)=\mathcal I[\![\theta_{DC}]\!]_{DC}(\mathcal V,\mathcal M).$$

Proof. We proceed by induction on the term structure and consider only the integral operator, since all other definitions are equal in Duration Calculus and Shape Calculus. First we derive an explicit form of the characteristic function $\chi$, namely
$$\chi_{m([a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1))}(m\cdot t)=\mathcal I[\![\pi]\!](t)\qquad\text{for }t\in[a,b]\text{ and }m\neq0.\qquad\qquad(2.4)$$
Note that in the one-dimensional case all matrices are $1\times1$ and therefore scalars, so for $m\neq0$ the map $t\mapsto m\cdot t$ is injective:
$$\begin{array}{rcl}
\chi_{m([a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1))}(m\cdot t)
&=&\begin{cases}1&\text{if }m\cdot t\in m([a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1))\\0&\text{otherwise}\end{cases}\\[2.5ex]
&=&\begin{cases}1&\text{if }t\in[a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1)\\0&\text{otherwise}\end{cases}\\[2.5ex]
&=&\begin{cases}1&\text{if }t\in\mathcal I[\![\pi]\!]^{-1}(1)\\0&\text{otherwise}\end{cases}\qquad\{t\in[a,b]\}\\[2.5ex]
&=&\begin{cases}1&\text{if }\mathcal I[\![\pi]\!](t)=1\\0&\text{otherwise}\end{cases}\\[2.5ex]
&=&\mathcal I[\![\pi]\!](t)
\end{array}$$
For the following proof we use the one-dimensional version of the Change of Variables Theorem, which we briefly recall here. It can be found, for example, in [Zor04].

Theorem 2.34 (Change of Variables Theorem (One-Dimensional Case)). Assume $g:[\alpha,\beta]\to[a,b]$ to be a continuous, strictly monotonic mapping of the closed interval $\alpha\le t\le\beta$ into the closed interval $a\le x\le b$ with the correspondence $g(\alpha)=a$ and $g(\beta)=b$, or $g(\alpha)=b$ and $g(\beta)=a$. Then for any function $f$ that is integrable on $[a,b]$ the function $f(g(t))\,g'(t)$ is integrable on $[\alpha,\beta]$ and
$$\int_{g(\alpha)}^{g(\beta)}f(x)\,dx=\int_\alpha^\beta f(g(t))\,g'(t)\,dt.$$


The mapping $g$ mentioned in the theorem is $t\mapsto mt$ in this case, and for $m\neq0$ this mapping is continuous and strictly monotonic. Using the equality (2.4) and the Change of Variables Theorem, we can prove the claim as follows:
$$\begin{array}{rcl}
\underbrace{\mathcal I[\![\int\theta\,\pi]\!](\mathcal V,[a,b])}_{\text{SC semantics}}
&=&\displaystyle\int_{ma}^{mb}\chi_{m([a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1))}(t)\,dt\qquad\{\text{SC semantics and }m=\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)\}\\[2.5ex]
&=&\displaystyle\int_a^b m\cdot\chi_{m([a,b]\cap\mathcal I[\![\pi]\!]^{-1}(1))}(m\cdot t)\,dt\qquad\{\text{Theorem 2.34}\}\\[2.5ex]
&=&\displaystyle\int_a^b m\cdot\mathcal I[\![\pi]\!](t)\,dt\qquad\{(2.4)\}\\[2.5ex]
&=&\underbrace{\mathcal I[\![\theta\cdot\textstyle\int\pi]\!]_{DC}(\mathcal V,[a,b])}_{\text{DC semantics}}\qquad\{\text{DC semantics and }m=\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)\}
\end{array}$$
For $m=0$ the claim is trivial.

Having shown the equivalence for terms, we can establish the main result of this section.

Lemma 2.35. Let $F\in SC_1$ be a one-dimensional Shape Calculus formula and let $F_{DC}$ be obtained from $F$ by replacing every occurrence of $\int\theta\,\pi$ by $\theta\cdot\int\pi$ and every occurrence of $F\langle\theta\rangle G$ by
$$(\theta>0\wedge F;G)\ \vee\ (\theta=0\wedge F\wedge G)\ \vee\ (\theta<0\wedge G;F).$$
Then $\mathcal I[\![F]\!](\mathcal V,[a,b])=\mathcal I[\![F_{DC}]\!]_{DC}(\mathcal V,[a,b])$.

Proof. We proceed by structural induction. We denote by $F_{DC}$ the Duration Calculus formula obtained from the Shape Calculus formula $F$ by the replacement defined above.

Case $p(\theta_1,\ldots,\theta_n)$:
$$\begin{array}{rcl}
\mathcal I[\![p(\theta_1,\ldots,\theta_n)]\!](\mathcal V,[a,b])&=&p_{\mathcal I}\big(\mathcal I[\![\theta_1]\!](\mathcal V,[a,b]),\ldots,\mathcal I[\![\theta_n]\!](\mathcal V,[a,b])\big)\\[0.5ex]
&&\{\text{by Lemma 2.33}\}\\[0.5ex]
&=&p_{\mathcal I}\big(\mathcal I[\![\theta_{1DC}]\!]_{DC}(\mathcal V,[a,b]),\ldots,\mathcal I[\![\theta_{nDC}]\!]_{DC}(\mathcal V,[a,b])\big)\\[0.5ex]
&=&\mathcal I[\![p(\theta_{1DC},\ldots,\theta_{nDC})]\!]_{DC}(\mathcal V,[a,b])
\end{array}$$


Cases $\neg F$, $F\wedge G$, $\exists x\,F$: The semantics is the same in Shape Calculus and Duration Calculus.

Case $F\langle\theta\rangle G$: In the one-dimensional case the scalar product reduces to the ordinary product, so we obtain:
$$\begin{array}{rl}
&\mathcal I[\![F\langle\theta\rangle G]\!](\mathcal V,[a,b])=\mathit{true}\\[0.5ex]
\text{iff}&\text{there exists }m\in[a,b]\text{ with}\\
&\mathcal M_1=\{x\in[a,b]\mid(x-m)\cdot\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)\le0\}\\
&\mathcal M_2=\{x\in[a,b]\mid(x-m)\cdot\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)\ge0\}\\
&\mathcal I[\![F]\!](\mathcal V,\mathcal M_1)=\mathcal I[\![G]\!](\mathcal V,\mathcal M_2)=\mathit{true}
\end{array}$$
Case $\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)>0$:
$$\begin{array}{rl}
\text{iff}&\text{there exists }m\in[a,b]\text{ with}\\
&\mathcal M_1=\{x\in[a,b]\mid x-m\le0\}=[a,m]\\
&\mathcal M_2=\{x\in[a,b]\mid x-m\ge0\}=[m,b]\\
&\mathcal I[\![F]\!](\mathcal V,\mathcal M_1)=\mathcal I[\![G]\!](\mathcal V,\mathcal M_2)=\mathit{true}\\[0.5ex]
&\{\text{by (IH)}\}\\[0.5ex]
\text{iff}&\text{there exists }m\in[a,b]\text{ with }\mathcal I[\![F_{DC}]\!]_{DC}(\mathcal V,[a,m])=\mathcal I[\![G_{DC}]\!]_{DC}(\mathcal V,[m,b])=\mathit{true}\\[0.5ex]
\text{iff}&\mathcal I[\![\theta_{DC}>0\wedge(F_{DC};G_{DC})]\!]_{DC}(\mathcal V,[a,b])=\mathit{true}
\end{array}$$
Case $\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)=0$:
$$\begin{array}{rl}
\text{iff}&\text{there exists }m\in[a,b]\text{ with}\\
&\mathcal M_1=\{x\in[a,b]\mid(x-m)\cdot0\le0\}=[a,b]\\
&\mathcal M_2=\{x\in[a,b]\mid(x-m)\cdot0\ge0\}=[a,b]\\
&\mathcal I[\![F]\!](\mathcal V,\mathcal M_1)=\mathcal I[\![G]\!](\mathcal V,\mathcal M_2)=\mathit{true}\\[0.5ex]
&\{\text{by (IH)}\}\\[0.5ex]
\text{iff}&\text{there exists }m\in[a,b]\text{ with }\mathcal I[\![F_{DC}]\!]_{DC}(\mathcal V,[a,b])=\mathcal I[\![G_{DC}]\!]_{DC}(\mathcal V,[a,b])=\mathit{true}\\[0.5ex]
\text{iff}&\mathcal I[\![\theta_{DC}=0\wedge F_{DC}\wedge G_{DC}]\!]_{DC}(\mathcal V,[a,b])=\mathit{true}
\end{array}$$


Case $\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)<0$:
$$\begin{array}{rl}
\text{iff}&\text{there exists }m\in[a,b]\text{ with}\\
&\mathcal M_1=\{x\in[a,b]\mid-(x-m)\le0\}=[m,b]\\
&\mathcal M_2=\{x\in[a,b]\mid-(x-m)\ge0\}=[a,m]\\
&\mathcal I[\![F]\!](\mathcal V,\mathcal M_1)=\mathcal I[\![G]\!](\mathcal V,\mathcal M_2)=\mathit{true}\\[0.5ex]
&\{\text{by (IH)}\}\\[0.5ex]
\text{iff}&\text{there exists }m\in[a,b]\text{ with }\mathcal I[\![F_{DC}]\!]_{DC}(\mathcal V,[m,b])=\mathcal I[\![G_{DC}]\!]_{DC}(\mathcal V,[a,m])=\mathit{true}\\[0.5ex]
\text{iff}&\mathcal I[\![\theta_{DC}<0\wedge(G_{DC};F_{DC})]\!]_{DC}(\mathcal V,[a,b])=\mathit{true}
\end{array}$$
Using Lemma 2.33 establishes $\mathcal I[\![\theta]\!](\mathcal V,\mathcal M)=\mathcal I[\![\theta_{DC}]\!]_{DC}(\mathcal V,\mathcal M)$, and this proves the case $F\langle\theta\rangle G$ and hence the whole claim.

2.3.2 Algebraic Properties

As the chop operation is pivotal in Shape Calculus, we investigate associativity and commutativity of chop and of the derived operations somewhere and globally. It turns out that the associativity of chop known from classical Duration Calculus fails in general, but is preserved for chops in the same direction.

Lemma 2.36 (Associativity of chop). The chop operation is not associative in general, unless the two direction vectors involved are collinear and related by a positive coefficient, i.e.,
$$\models(F\langle\vec\theta_1\rangle G)\langle\vec\theta_2\rangle H\iff F\langle\vec\theta_1\rangle(G\langle\vec\theta_2\rangle H)\qquad\text{if }\lambda\,\mathcal I[\![\vec\theta_1]\!]=\mathcal I[\![\vec\theta_2]\!]\text{ for some }\lambda>0,$$
but in general
$$(F\langle\vec\theta_1\rangle G)\langle\vec\theta_2\rangle H\ \not\iff\ F\langle\vec\theta_1\rangle(G\langle\vec\theta_2\rangle H).$$

Proof. It is easy to see that associativity does not hold in general. For the collinear case we first prove an auxiliary lemma for scalar products and collinear vectors $\vec d_2$ and $\vec d_1$ related by a positive coefficient, namely
$$\langle\vec x-\vec m_2,\vec d_2\rangle\ge0\ \text{ and }\ \langle\vec m_1-\vec m_2,\vec d_2\rangle\le0\ \text{ implies }\ \langle\vec x-\vec m_1,\vec d_1\rangle\ge0.$$


$$\begin{array}{rl}
&\langle\vec x-\vec m_2,\vec d_2\rangle\ge0\\
\Rightarrow&\langle\vec x,\vec d_2\rangle\ge\langle\vec m_2,\vec d_2\rangle\\
\Rightarrow&\langle\vec x,\lambda\vec d_1\rangle\ge\langle\vec m_2,\lambda\vec d_1\rangle\\
\Rightarrow&\lambda\langle\vec x,\vec d_1\rangle\ge\lambda\langle\vec m_2,\vec d_1\rangle\\
\Rightarrow&\langle\vec x,\vec d_1\rangle\ge\langle\vec m_2,\vec d_1\rangle\\[1ex]
&\langle\vec m_1-\vec m_2,\vec d_2\rangle\le0\\
\Rightarrow&\langle\vec m_1,\vec d_2\rangle\le\langle\vec m_2,\vec d_2\rangle\\
\Rightarrow&\langle\vec m_1,\lambda\vec d_1\rangle\le\langle\vec m_2,\lambda\vec d_1\rangle\\
\Rightarrow&\langle\vec m_1,\vec d_1\rangle\le\langle\vec m_2,\vec d_1\rangle\\[1ex]
&\{\text{by transitivity of }\le\}\\
\Rightarrow&\langle\vec m_1,\vec d_1\rangle\le\langle\vec x,\vec d_1\rangle\\
\Rightarrow&\langle\vec x-\vec m_1,\vec d_1\rangle\ge0.
\end{array}$$
Dividing by $\lambda$ preserves the inequalities because $\lambda>0$. The lemma states that if $\vec x$ is above the hyperplane defined by $\vec m_2$ and the normal vector $\vec d_2$, and the point $\vec m_1$ is below this hyperplane, then $\vec x$ is also above the hyperplane defined by the point $\vec m_1$ and the normal vector $\vec d_1$, which is assumed to be collinear to $\vec d_2$.

Using this auxiliary lemma we are ready to prove the main lemma. Let $\mathcal I$ be an interpretation, $\mathcal V$ a valuation and $\mathcal M$ a polyhedron such that $\mathcal I,\mathcal V,\mathcal M\models_n(F\langle\vec\theta_1\rangle G)\langle\vec\theta_2\rangle H$.
$$\begin{array}{rl}
&\mathcal I,\mathcal V,\mathcal M\models_n(F\langle\vec\theta_1\rangle G)\langle\vec\theta_2\rangle H\\[0.5ex]
\text{iff}&\text{there exists }\vec m_2\in\mathcal M\text{ such that, with }\vec d_i\overset{df}{=}\mathcal I[\![\vec\theta_i]\!](\mathcal V,\mathcal M)\text{ for }i\in\{1,2\},\\
&\mathcal M_1=\{\vec x\in\mathcal M\mid\langle\vec x-\vec m_2,\vec d_2\rangle\le0\}\\
&\mathcal M_2=\{\vec x\in\mathcal M\mid\langle\vec x-\vec m_2,\vec d_2\rangle\ge0\}\\
&\mathcal I,\mathcal V,\mathcal M_1\models_n F\langle\vec\theta_1\rangle G\ \text{ and }\ \mathcal I,\mathcal V,\mathcal M_2\models_n H\\[0.5ex]
\text{iff}&\text{there exist }\vec m_1,\vec m_2\in\mathcal M\text{ such that }\langle\vec m_1-\vec m_2,\vec d_2\rangle\le0,\\
&\mathcal M_{1,1}=\{\vec x\in\mathcal M\mid\langle\vec x-\vec m_1,\vec d_1\rangle\le0\wedge\langle\vec x-\vec m_2,\vec d_2\rangle\le0\}\\
&\mathcal M_{1,2}=\{\vec x\in\mathcal M\mid\langle\vec x-\vec m_1,\vec d_1\rangle\ge0\wedge\langle\vec x-\vec m_2,\vec d_2\rangle\le0\}\\
&\mathcal M_2=\{\vec x\in\mathcal M\mid\langle\vec x-\vec m_2,\vec d_2\rangle\ge0\}\\
&\mathcal I,\mathcal V,\mathcal M_{1,1}\models_n F,\ \ \mathcal I,\mathcal V,\mathcal M_{1,2}\models_n G\ \text{ and }\ \mathcal I,\mathcal V,\mathcal M_2\models_n H
\end{array}$$


Chapter 2 Shape Calculus By the auxiliary lemma and the linearity of the scalar product we obtain iff exists m ~1, m ~ 2 ∈ M such that hm ~1−m ~ 2 , d~2 i ≤ 0 M1,1 = {~x | ~x ∈ M ∧ h~x − m ~ 1 , d~1 i ≤ 0 ∧ h~x − m ~ 2 , d~2 i ≤ 0} M1,2 = {~x | ~x ∈ M ∧ h~x − m ~ 1 , d~1 i ≥ 0 ∧ h~x − m ~ 2 , d~2 i ≤ 0} M2 = {~x | ~x ∈ M ∧ h~x − m ~ 2 , d~2 i ≥ 0 ∧ h~x − m ~ 1 , d~1 i ≥ 0} I, V, M1,1 |=n F and I, V, M1,2 |=n G and I, V, M2 |=n H iff exists m ~1, m ~ 2 ∈ M such that hm ~1−m ~ 2 , d~2 i ≤ 0 M1,1 = {~x | ~x ∈ M ∧ h~x − m ~ 1 , d~1 i ≤ 0 ∧ h~x − m ~ 2 , d~2 i ≤ 0} M1,2 = {~x | ~x ∈ M ∧ h~x − m ~ 1 , d~1 i ≥ 0 ∧ h~x − m ~ 2 , d~2 i ≤ 0} M2 = {~x | ~x ∈ M ∧ h~x − m ~ 2 , d~2 i ≥ 0 ∧ h~x − m ~ 1 , d~1 i ≥ 0} I, V, M1,1 |=n F and I, V, M1,2 ∪ M2 |=n G hθ~2 i H iff I, V, M |=n F hθ~1 i (G hθ~2 i H)

A formula is said to be rigid if its truth value does not depend on the polyhedron under consideration; this holds for formulae involving neither the integration operator nor the special symbol $\ell$. If chopping a polyhedron twice in arbitrary directions involves only one non-rigid formula, the order of the chops is not important. This idea is sketched in Figure 2.12 and formalised in the following lemma.

Lemma 2.37 (Commutativity of chops involving rigid formulae). The chop operation is commutative if all subformulae apart from one are rigid, e.g., if all but one are equal to true. Let $G$, $H$ be two rigid formulae and $F$ an arbitrary formula; then the following three equivalences hold.

$$\begin{aligned}
(\alpha)\quad & \models (F \langle \vec\theta_1 \rangle G) \langle \vec\theta_2 \rangle H \iff (F \langle \vec\theta_2 \rangle G) \langle \vec\theta_1 \rangle H \\
(\beta)\quad & \models H \langle \vec\theta_1 \rangle (G \langle \vec\theta_2 \rangle F) \iff H \langle \vec\theta_2 \rangle (G \langle \vec\theta_1 \rangle F) \\
(\gamma)\quad & \models (G \langle \vec\theta_1 \rangle F) \langle \vec\theta_2 \rangle H \iff H \langle \vec\theta_1 \rangle (F \langle \vec\theta_2 \rangle G)
\end{aligned}$$

Proof. At first we prove $(\alpha)$ as sketched in Figure 2.12. We just consider one implication, as the other implication is obtained by swapping $\vec\theta_1$ and $\vec\theta_2$. Let $I$ be an interpretation, $V$ a valuation, and $M$ a polyhedron satisfying $I, V, M \models (F \langle \vec\theta_1 \rangle G) \langle \vec\theta_2 \rangle H$. Unravelling the definition yields two chopping points $\vec m_1$ and $\vec m_2$ and two vectors $\vec d_1 = I[\![\vec\theta_1]\!](V, M)$ and $\vec d_2 = I[\![\vec\theta_2]\!](V, M)$ defining the three polyhedra

$$\begin{aligned}
M \downharpoonright^{\vec m_2}_{\vec d_2} &= \{ \vec x \in M \mid \langle \vec x - \vec m_2, \vec d_2 \rangle \le 0 \} \\
M \upharpoonright^{\vec m_2}_{\vec d_2} &= \{ \vec x \in M \mid \langle \vec x - \vec m_2, \vec d_2 \rangle \ge 0 \} \\
M \downharpoonright^{\vec m_2}_{\vec d_2} \downharpoonright^{\vec m_1}_{\vec d_1} &= \{ \vec x \in M \downharpoonright^{\vec m_2}_{\vec d_2} \mid \langle \vec x - \vec m_1, \vec d_1 \rangle \le 0 \} \\
&= \{ \vec x \in M \mid \langle \vec x - \vec m_1, \vec d_1 \rangle \le 0 \wedge \langle \vec x - \vec m_2, \vec d_2 \rangle \le 0 \} \\
&= \{ \vec x \in M \downharpoonright^{\vec m_1}_{\vec d_1} \mid \langle \vec x - \vec m_2, \vec d_2 \rangle \le 0 \} \\
&= M \downharpoonright^{\vec m_1}_{\vec d_1} \downharpoonright^{\vec m_2}_{\vec d_2}
\end{aligned}$$

such that

$$I, V, M \downharpoonright^{\vec m_2}_{\vec d_2} \downharpoonright^{\vec m_1}_{\vec d_1} \models F, \qquad I, V, M \downharpoonright^{\vec m_2}_{\vec d_2} \upharpoonright^{\vec m_1}_{\vec d_1} \models G, \qquad \text{and} \qquad I, V, M \upharpoonright^{\vec m_2}_{\vec d_2} \models H.$$

By the chain of equalities $M \downharpoonright^{\vec m_2}_{\vec d_2} \downharpoonright^{\vec m_1}_{\vec d_1} = M \downharpoonright^{\vec m_1}_{\vec d_1} \downharpoonright^{\vec m_2}_{\vec d_2}$ and therefore also

$$I, V, M \downharpoonright^{\vec m_1}_{\vec d_1} \downharpoonright^{\vec m_2}_{\vec d_2} \models F.$$

Due to the rigidity of $G$ and $H$, their truth values do not depend on the polyhedron and we obtain additionally

$$I, V, M \upharpoonright^{\vec m_1}_{\vec d_1} \models H \qquad \text{and} \qquad I, V, M \downharpoonright^{\vec m_1}_{\vec d_1} \upharpoonright^{\vec m_2}_{\vec d_2} \models G$$

and therefore altogether $I, V, M \models (F \langle \vec\theta_2 \rangle G) \langle \vec\theta_1 \rangle H$.

[Figure 2.12: Commutativity of chop. Panels (a) and (b) show the polyhedra obtained by chopping $M$ at $(\vec m_1, \vec d_1)$ and $(\vec m_2, \vec d_2)$ in both orders, with $F$ holding on the doubly chopped part.]

Using this result and the property $F \langle \vec\theta \rangle G \iff G \langle -\vec\theta \rangle F$ proves the claims $(\beta)$ and $(\gamma)$.

$$\begin{aligned}
H \langle \vec\theta_1 \rangle (G \langle \vec\theta_2 \rangle F) &\iff (F \langle -\vec\theta_2 \rangle G) \langle -\vec\theta_1 \rangle H \\
&\iff (F \langle -\vec\theta_1 \rangle G) \langle -\vec\theta_2 \rangle H && \{(\alpha)\} \\
&\iff H \langle \vec\theta_2 \rangle (G \langle \vec\theta_1 \rangle F) \\[4pt]
(G \langle \vec\theta_1 \rangle F) \langle \vec\theta_2 \rangle H &\iff (F \langle -\vec\theta_1 \rangle G) \langle \vec\theta_2 \rangle H \\
&\iff (F \langle \vec\theta_2 \rangle G) \langle -\vec\theta_1 \rangle H && \{(\alpha)\} \\
&\iff H \langle \vec\theta_1 \rangle (F \langle \vec\theta_2 \rangle G)
\end{aligned}$$

As true is a rigid formula, this result can be used to prove the commutativity of somewhere and globally.

Lemma 2.38 (Commutativity of somewhere and globally). The somewhere and globally operators are commutative, i.e.,

$$\models \Diamond_{\vec\theta_1} \Diamond_{\vec\theta_2} F \iff \Diamond_{\vec\theta_2} \Diamond_{\vec\theta_1} F \qquad \text{and} \qquad \models \Box_{\vec\theta_1} \Box_{\vec\theta_2} F \iff \Box_{\vec\theta_2} \Box_{\vec\theta_1} F.$$

Proof. The idea is illustrated for the two-dimensional case in Figure 2.13. The proof is done using the previously established commutativity and associativity results as follows:

$$\begin{aligned}
\Diamond_{\vec\theta_1} \Diamond_{\vec\theta_2} F
&\iff \mathit{true} \langle \vec\theta_1 \rangle (\mathit{true} \langle \vec\theta_2 \rangle F) \langle \vec\theta_2 \rangle \mathit{true} \langle \vec\theta_1 \rangle \mathit{true} \\
&\iff \mathit{true} \langle \vec\theta_1 \rangle \mathit{true} \langle \vec\theta_2 \rangle (F \langle \vec\theta_2 \rangle \mathit{true}) \langle \vec\theta_1 \rangle \mathit{true} && \{\text{Lem. 2.36}\} \\
&\iff \mathit{true} \langle \vec\theta_2 \rangle \mathit{true} \langle \vec\theta_1 \rangle (F \langle \vec\theta_2 \rangle \mathit{true}) \langle \vec\theta_1 \rangle \mathit{true} && \{\text{Lem. 2.37 } (\beta)\} \\
&\iff \mathit{true} \langle \vec\theta_2 \rangle (\mathit{true} \langle \vec\theta_1 \rangle F) \langle \vec\theta_2 \rangle \mathit{true} \langle \vec\theta_1 \rangle \mathit{true} && \{\text{Lem. 2.37 } (\gamma)\} \\
&\iff \mathit{true} \langle \vec\theta_2 \rangle (\mathit{true} \langle \vec\theta_1 \rangle F) \langle \vec\theta_2 \rangle \mathit{true} \langle \vec\theta_1 \rangle \mathit{true} && \{\text{Lem. 2.37 } (\gamma)\} \\
&\iff \mathit{true} \langle \vec\theta_2 \rangle (\mathit{true} \langle \vec\theta_1 \rangle F) \langle \vec\theta_1 \rangle \mathit{true} \langle \vec\theta_2 \rangle \mathit{true} && \{\text{Lem. 2.37 } (\alpha)\} \\
&\iff \mathit{true} \langle \vec\theta_2 \rangle (\mathit{true} \langle \vec\theta_1 \rangle F) \langle \vec\theta_1 \rangle \mathit{true} \langle \vec\theta_2 \rangle \mathit{true} && \{\text{Lem. 2.36}\} \\
&\iff \Diamond_{\vec\theta_2} \Diamond_{\vec\theta_1} F.
\end{aligned}$$

Using this result, commutativity of the globally operator is obtained as follows:

$$\Box_{\vec\theta_1} \Box_{\vec\theta_2} F \equiv \neg \Diamond_{\vec\theta_1} \neg\neg \Diamond_{\vec\theta_2} \neg F \equiv \neg \Diamond_{\vec\theta_1} \Diamond_{\vec\theta_2} \neg F \equiv \neg \Diamond_{\vec\theta_2} \Diamond_{\vec\theta_1} \neg F \equiv \Box_{\vec\theta_2} \Box_{\vec\theta_1} F.$$

2.3.3 Hierarchies

This section sheds light on the relation of Shape Calculus formulae for different dimensions. If a formula $F$ is valid for $n$-dimensional Shape Calculus, it is in general neither valid for more nor for fewer dimensions. Consider the formula

$$\mathit{Ind} \overset{\mathrm{df}}{=} \lceil P \rceil \langle \vec e_1 \rangle \mathit{true} \vee \lceil \neg P \rceil \langle \vec e_1 \rangle \mathit{true} \vee \lceil\,\rceil$$

which is a known tautology for Duration Calculus and therefore also a tautology for the one-dimensional Shape Calculus. However, $\mathit{Ind}$ is not valid for more than one dimension, as will be discussed in Section 3.1. See Figure 6.1 for a counterexample.

[Figure 2.13: Commutativity of $\Diamond$: (a) $\Diamond_{\vec d_1} \Diamond_{\vec d_2} F$ and (b) $\Diamond_{\vec d_2} \Diamond_{\vec d_1} F$]

Validity inheritance downwards

We start top down with a valid $n_2$-dimensional Shape Calculus formula $F$ and construct a valid $n_1$-dimensional formula (for $n_1 \le n_2$). The idea of this construction is to erase the last $n_2 - n_1$ rows in every matrix that is used in a measure $\int \theta\pi$ and in every vector parametrising a chop operation. We need to impose two side conditions to obtain validity of the resulting formula. The first is that every transformation $\theta$ occurring in expressions $\int \theta\pi$ in $F$ has a non-zero determinant. This ensures that it can be distributed outside the integral operator using the Change of Variables Theorem. Secondly, no chop may be in the direction of the highest dimensions, which are the ones to be erased, i.e., the last $n_2 - n_1$ rows of every chopping vector are required to be zero. A formal definition of the erasing $(\cdot)^\varepsilon$-transformation is given subsequently.

Definition 2.39 (erasing $(\cdot)^\varepsilon$-transformation). Let $\theta \in \Theta_{n_2}$ and $F \in SC_{n_2}$ be an $n_2$-dimensional term or formula, respectively. We define the erasing $(\cdot)^\varepsilon$-transformation yielding $n_1$-dimensional terms and formulae inductively as follows:

$$\begin{aligned}
\Bigl(\int \theta\pi\Bigr)^\varepsilon &\overset{\mathrm{df}}{=} |\det \theta| \cdot \int \pi \\
(x)^\varepsilon &\overset{\mathrm{df}}{=} x \\
(f(\theta_1, \ldots, \theta_k))^\varepsilon &\overset{\mathrm{df}}{=} f((\theta_1)^\varepsilon, \ldots, (\theta_k)^\varepsilon) \\
(p(\theta_1, \ldots, \theta_k))^\varepsilon &\overset{\mathrm{df}}{=} p((\theta_1)^\varepsilon, \ldots, (\theta_k)^\varepsilon).
\end{aligned}$$

In chops the last $n_2 - n_1$ components, which are required to be zero, are erased by the matrix $[\vec e_1^{\,n_2}, \ldots, \vec e_{n_1}^{\,n_2}]^T$.

$$\begin{aligned}
(F \langle \vec\theta \rangle G)^\varepsilon &\overset{\mathrm{df}}{=} (F)^\varepsilon \langle [\vec e_1^{\,n_2}, \ldots, \vec e_{n_1}^{\,n_2}]^T \vec\theta \rangle (G)^\varepsilon \\
(\neg F)^\varepsilon &\overset{\mathrm{df}}{=} \neg (F)^\varepsilon \\
(F \wedge G)^\varepsilon &\overset{\mathrm{df}}{=} (F)^\varepsilon \wedge (G)^\varepsilon \\
(\exists x\, F)^\varepsilon &\overset{\mathrm{df}}{=} \exists x\, (F)^\varepsilon
\end{aligned}$$

Lemma 2.40. For $n_1 \le n_2$, $\models_{n_2} F$ implies $\models_{n_1} (F)^\varepsilon$ if all transformations $\theta$ occurring in expressions of the form $\int \theta\pi$ in the formula $F$ have a non-zero determinant and for every vector occurring as a chopping direction the last $n_2 - n_1$ components are equal to zero.

Proof. We prove that every formula that is satisfiable in $n_1$ dimensions is satisfiable in $n_2$ dimensions. We will need Fubini's Theorem [KF70], which we briefly recall before proceeding with the main proof.

Theorem 2.41 (Fubini's Theorem). Let $I_x$ and $I_y$ be compact $p$-dimensional and $q$-dimensional intervals, respectively. Let furthermore $I$ be the compact $(p+q)$-dimensional interval formed by $I_x$ and $I_y$. If the function $f$ is integrable on $I$ and the function

$$g(y) := \int_{I_x} f(x, y)\,dx$$

exists for each fixed $y \in I_y$, then $g$ is integrable on $I_y$ and

$$\int_I f(x, y)\,d(x, y) = \int_{I_y} \Bigl( \int_{I_x} f(x, y)\,dx \Bigr) dy.$$

We now continue with the main proof. Let $F \in SC_{n_2}$ be an $n_2$-dimensional formula, $I$ an $n_1$-dimensional interpretation, $V$ a valuation, and $M$ an $n_1$-dimensional polyhedron such that $I, V, M \models_{n_1} (F)^\varepsilon$. For the proof, we need an $n_2$-dimensional interpretation satisfying $F$. Define the $n_2$-dimensional interpretation $I^{n_1 \to n_2}$ by

$$I^{n_1 \to n_2}(X)(x_1, \ldots, x_{n_1}, \ldots, x_{n_2}) \overset{\mathrm{df}}{=} I(X)(x_1, \ldots, x_{n_1})$$

for all observables $X$ and points $(x_1, \ldots, x_{n_1}, \ldots, x_{n_2}) \in \mathbb{S}_{n_2}$. Let $\theta \in \Theta_{n_2}$ be an $n_2$-dimensional term. We prove by structural induction:

$$I^{n_1 \to n_2}[\![\theta]\!](V, M \times [0,1]^{n_2 - n_1}) = I[\![(\theta)^\varepsilon]\!](V, M). \tag{2.5}$$

Case $\int \theta\pi$: As the value of $\theta$ does not depend on the polyhedron under consideration, we can define $m = I[\![\theta]\!](V, M) = I^{n_1 \to n_2}[\![\theta]\!](V, M \times [0,1]^{n_2 - n_1})$ to be the matrix resulting from evaluating $\theta$.

$$\begin{aligned}
& I^{n_1 \to n_2}\Bigl[\!\Bigl[\int \theta\pi\Bigr]\!\Bigr](V, M \times [0,1]^{n_2 - n_1}) \\
={}& \int_{m(M \times [0,1]^{n_2 - n_1})} \chi_{m((M \times [0,1]^{n_2 - n_1}) \cap I^{n_1 \to n_2}[\![\pi]\!]^{-1}(1))}(\vec x) \\
& \{\text{By the Change of Variables Theorem [Zor03]}\} \\
={}& \int_{M \times [0,1]^{n_2 - n_1}} \chi_{m((M \times [0,1]^{n_2 - n_1}) \cap I^{n_1 \to n_2}[\![\pi]\!]^{-1}(1))}(m\vec x)\,|\det m| \\
& \{\text{By the definition of } \chi \text{ and } \det m \ne 0\} \\
={}& \int_{M \times [0,1]^{n_2 - n_1}} \chi_{(M \times [0,1]^{n_2 - n_1}) \cap I^{n_1 \to n_2}[\![\pi]\!]^{-1}(1)}(\vec x)\,|\det m| \\
& \{\text{By Fubini's Theorem [KF70]}\} \\
={}& \int_M \int_{[0,1]^{n_2 - n_1}} \chi_{(M \times [0,1]^{n_2 - n_1}) \cap I^{n_1 \to n_2}[\![\pi]\!]^{-1}(1)}(\vec x)\,|\det m| \\
& \Bigl\{\text{By definition of } I^{n_1 \to n_2}\text{: } \chi_{(M \times [0,1]^{n_2 - n_1}) \cap I^{n_1 \to n_2}[\![\pi]\!]^{-1}(1)}(x_1, \ldots, x_{n_2}) = \chi_{M \cap I[\![\pi]\!]^{-1}(1)}(x_1, \ldots, x_{n_1})\Bigr\} \\
={}& \int_M \int_{[0,1]^{n_2 - n_1}} \chi_{M \cap I[\![\pi]\!]^{-1}(1)}(x_1, \ldots, x_{n_1})\,|\det m| \cdot 1 \\
={}& |\det m| \int_M \chi_{M \cap I[\![\pi]\!]^{-1}(1)}(x_1, \ldots, x_{n_1}) \\
={}& |\det m|\; I\Bigl[\!\Bigl[\int \pi\Bigr]\!\Bigr](V, M) \\
={}& I\Bigl[\!\Bigl[|\det \theta| \cdot \int \pi\Bigr]\!\Bigr](V, M) \\
={}& I\Bigl[\!\Bigl[\Bigl(\int \theta\pi\Bigr)^\varepsilon\Bigr]\!\Bigr](V, M)
\end{aligned}$$

Other cases: All other cases are clear, as the definition of the semantics does not depend on the number of dimensions under consideration.

Now we proceed by induction on the structure of the set of formulae and prove

$$I^{n_1 \to n_2}[\![F]\!](V, M \times [0,1]^{n_2 - n_1}) = I[\![(F)^\varepsilon]\!](V, M).$$

Case $p(\theta_1, \ldots, \theta_k)$: This is clear from the argument in Equation (2.5) above.

Case $F \langle \vec\theta \rangle G$: Like for transformations, the semantics of $\vec\theta$ does not depend on the polyhedron, and again we can define

$$\vec d = I[\![[\vec e_1, \ldots, \vec e_{n_1}]^T \vec\theta]\!](V, M) \qquad \text{and} \qquad \vec d' = I^{n_1 \to n_2}[\![\vec\theta]\!](V, M \times [0,1]^{n_2 - n_1}).$$

Both vectors coincide on the first $n_1$ rows, and the last $n_2 - n_1$ rows of $\vec d'$ are all equal to zero by the assumption. This entails

$$M \downharpoonright^{\vec m}_{\vec d} \times [0,1]^{n_2 - n_1} = (M \times [0,1]^{n_2 - n_1}) \downharpoonright^{\vec m'}_{\vec d'} \tag{2.6}$$

and

$$M \upharpoonright^{\vec m}_{\vec d} \times [0,1]^{n_2 - n_1} = (M \times [0,1]^{n_2 - n_1}) \upharpoonright^{\vec m'}_{\vec d'} \tag{2.7}$$

if $\vec m'$ is obtained from $\vec m$ by adding $n_2 - n_1$ zero rows. We prove this claim before continuing with the main proof.

$$\begin{aligned}
& (x_1, \ldots, x_{n_2}) \in M \downharpoonright^{\vec m}_{\vec d} \times [0,1]^{n_2 - n_1} \\
\iff{}& (x_1, \ldots, x_{n_1}) \in M,\ \langle (x_1, \ldots, x_{n_1}) - \vec m, \vec d \rangle \le 0, \text{ and } (x_{n_1 + 1}, \ldots, x_{n_2}) \in [0,1]^{n_2 - n_1} \\
\iff{}& (x_1, \ldots, x_{n_1}) \in M,\ \sum_{i=1}^{n_1} (x_i - m_i) \cdot d_i \le 0, \text{ and } (x_{n_1 + 1}, \ldots, x_{n_2}) \in [0,1]^{n_2 - n_1} \\
& \{ d'_i = d_i \text{ for } 1 \le i \le n_1 \text{ and } d'_i = 0 \text{ for } n_1 < i \le n_2 \} \\
\iff{}& (x_1, \ldots, x_{n_2}) \in M \times [0,1]^{n_2 - n_1} \text{ and } \sum_{i=1}^{n_2} (x_i - m'_i) \cdot d'_i \le 0 \\
\iff{}& (x_1, \ldots, x_{n_2}) \in (M \times [0,1]^{n_2 - n_1}) \downharpoonright^{\vec m'}_{\vec d'}
\end{aligned}$$

The proof of the second claim is similar. Using the argument above, we proceed with the main proof.

$$\begin{aligned}
& I[\![(F)^\varepsilon \langle [\vec e_1, \ldots, \vec e_{n_1}]^T \vec\theta \rangle (G)^\varepsilon]\!](V, M) = \mathit{true} \\
\iff{}& \text{there exists an } \vec m \in M \text{ such that } I[\![(F)^\varepsilon]\!](V, M \downharpoonright^{\vec m}_{\vec d}) = \mathit{true} \text{ and } I[\![(G)^\varepsilon]\!](V, M \upharpoonright^{\vec m}_{\vec d}) = \mathit{true} \\
& \{\text{By the induction hypothesis}\} \\
\iff{}& \text{there exists an } \vec m \in M \text{ such that } I^{n_1 \to n_2}[\![F]\!](V, M \downharpoonright^{\vec m}_{\vec d} \times [0,1]^{n_2 - n_1}) = \mathit{true} \\
& \text{and } I^{n_1 \to n_2}[\![G]\!](V, M \upharpoonright^{\vec m}_{\vec d} \times [0,1]^{n_2 - n_1}) = \mathit{true} \\
& \{\text{By Equations (2.6) and (2.7)}\} \\
\iff{}& \text{there exists an } \vec m' \in M \times [0,1]^{n_2 - n_1} \text{ such that } I^{n_1 \to n_2}[\![F]\!](V, (M \times [0,1]^{n_2 - n_1}) \downharpoonright^{\vec m'}_{\vec d'}) = \mathit{true} \\
& \text{and } I^{n_1 \to n_2}[\![G]\!](V, (M \times [0,1]^{n_2 - n_1}) \upharpoonright^{\vec m'}_{\vec d'}) = \mathit{true} \\
\iff{}& I^{n_1 \to n_2}[\![F \langle \vec\theta \rangle G]\!](V, M \times [0,1]^{n_2 - n_1}) = \mathit{true}.
\end{aligned}$$

Other cases: Like for terms, all other cases are clear, as the definition of the semantics does not depend on the number of dimensions under consideration.
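As an added example that is not the thesis's own code, the following Python sketch applies the erasing transformation of Definition 2.39 to a small formula AST and enforces the two side conditions of Lemma 2.40 (invertible transformations under the integral, chop directions that are zero in the erased components); on the diagonal-chop formula of Remark 2.42 it reports why erasing to one dimension is refused. The AST classes, the `MeasureEq` atom (a scaled measure compared with a constant) and the tuple encoding of matrices are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional, Union

# Added example, not the thesis's own code. Assumed AST for Shape
# Calculus formulae: chop directions are constant tuples, transformation
# matrices are nested tuples of rows, state expressions are strings.

@dataclass(frozen=True)
class State:          # ⌈π⌉ for a state expression π
    pi: str

@dataclass(frozen=True)
class MeasureEq:      # atomic formula  scale · ∫θπ = c ;  theta=None stands for the identity
    theta: Optional[tuple]
    pi: str
    c: Fraction
    scale: Fraction = Fraction(1)

@dataclass(frozen=True)
class Chop:           # F ⟨d⟩ G
    left: Formula
    d: tuple
    right: Formula

@dataclass(frozen=True)
class Not:
    f: Formula

@dataclass(frozen=True)
class And:
    f: Formula
    g: Formula

@dataclass(frozen=True)
class Exists:
    x: str
    f: Formula

Formula = Union[State, MeasureEq, Chop, Not, And, Exists]

class SideConditionError(ValueError):
    """A side condition of Lemma 2.40 is violated, so erasing is not sound."""

def det(m: tuple) -> Fraction:
    """Determinant by Laplace expansion; the matrices here are tiny."""
    n = len(m)
    if any(len(row) != n for row in m):
        raise SideConditionError("determinant of a non-square matrix")
    if n == 1:
        return Fraction(m[0][0])
    total = Fraction(0)
    for j in range(n):
        minor = tuple(row[:j] + row[j + 1:] for row in m[1:])
        total += (-1) ** j * Fraction(m[0][j]) * det(minor)
    return total

def erase(f: Formula, n1: int, n2: int) -> Formula:
    """(·)^ε of Definition 2.39: an n2-dimensional formula becomes n1-dimensional."""
    if isinstance(f, State):
        return f
    if isinstance(f, MeasureEq):
        # (∫θπ)^ε = |det θ| · ∫π, sound only for det θ ≠ 0 (Lemma 2.40)
        d = det(f.theta) if f.theta is not None else Fraction(1)
        if d == 0:
            raise SideConditionError(f"transformation in ∫θ{f.pi} has det θ = 0")
        return MeasureEq(None, f.pi, f.c, f.scale * abs(d))
    if isinstance(f, Chop):
        # components n1+1..n2 of the chop direction are erased and must be zero (Lemma 2.40)
        if any(x != 0 for x in f.d[n1:]):
            raise SideConditionError(
                f"chop direction {f.d} is not zero in its last {n2 - n1} components")
        return Chop(erase(f.left, n1, n2), tuple(f.d[:n1]), erase(f.right, n1, n2))
    if isinstance(f, Not):
        return Not(erase(f.f, n1, n2))
    if isinstance(f, And):
        return And(erase(f.f, n1, n2), erase(f.g, n1, n2))
    if isinstance(f, Exists):
        return Exists(f.x, erase(f.f, n1, n2))
    raise TypeError(f)

def erase_or_reason(f: Formula, n1: int, n2: int) -> Union[Formula, str]:
    """Erase, or report which side condition of Lemma 2.40 blocks it."""
    try:
        return erase(f, n1, n2)
    except SideConditionError as e:
        return str(e)

# Constructed inputs. F_DIAG is the formula of Remark 2.42 (chops along (1,1)
# and (1,-1)); F_OK chops along e_1 only and uses an invertible θ.
F_DIAG = And(Chop(State("P"), (1, 1), State("¬P")),
             Chop(State("P"), (1, -1), State("¬P")))
F_OK = And(Chop(State("P"), (1, 0), State("¬P")),
           MeasureEq(((2, 0), (0, 3)), "P", Fraction(6)))

if __name__ == "__main__":
    print(erase_or_reason(F_OK, 1, 2))    # chop along (1,), measure scaled by |det θ| = 6
    print(erase_or_reason(F_DIAG, 1, 2))  # why erasing F_diag to one dimension is refused
```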

Remark 2.42. The condition on the chopping directions is necessary. Consider the formula

$$F_{\mathit{diag}} \overset{\mathrm{df}}{=} \Bigl( \lceil P \rceil \bigl\langle \bigl(\begin{smallmatrix} 1 \\ 1 \end{smallmatrix}\bigr) \bigr\rangle \lceil \neg P \rceil \Bigr) \wedge \Bigl( \lceil P \rceil \bigl\langle \bigl(\begin{smallmatrix} 1 \\ -1 \end{smallmatrix}\bigr) \bigr\rangle \lceil \neg P \rceil \Bigr),$$

which is not satisfiable in two-dimensional Shape Calculus. However, the erasing transformation

$$(F_{\mathit{diag}})^\varepsilon = (\lceil P \rceil \langle 1 \rangle \lceil \neg P \rceil) \wedge (\lceil P \rceil \langle 1 \rangle \lceil \neg P \rceil)$$

is a satisfiable one-dimensional formula.

Validity inheritance upwards

When reasoning about mobile systems, not every property depends on the physical position in space. In these cases spatial dimensions can be omitted, and reasoning in pure Duration Calculus is more convenient. The following results permit "lifting" to the spatio-temporal case. However, such a lifting is only possible under the assumption that the interpretations of all observables occurring in the formula are constant in the last argument, i.e., their value does not depend on the last dimensions. In this section we consider the general question. Given an $n$-dimensional formula $F \in SC_n$, we provide two transformations to an $(n+1)$-dimensional formula $F' \in SC_{n+1}$ such that $F$ and $F'$ have the same semantics if the condition on the interpretation is met. The natural inverse of the erasing transformation, which erases the last rows, is to inflate the matrices and vectors by adding columns in order to obtain well-formed higher-dimensional formulae. By adding a zero column to a transformation matrix, the formula becomes a well-formed $(n+1)$-dimensional formula which projects the $(n+1)$-dimensional space onto the $n$-dimensional subspace. In contrast, an $n$-dimensional chopping vector is to be extended to an $(n+1)$-dimensional vector by adding a row with entry zero. The projection onto the $n$-dimensional subspace is achieved by multiplying with the matrix

$$[I_n\ 0] = \begin{pmatrix} 1 & & 0 & 0 \\ & \ddots & & \vdots \\ 0 & & 1 & 0 \end{pmatrix} \qquad (n \text{ rows}, n+1 \text{ columns})$$

obtained from the $n \times n$ unit matrix $I_n$ by adding a zero column. The transposed matrix $[I_n\ 0]^T$ is used to add a zero entry to the chopping directions.

Definition 2.43 (inflating $(\cdot)^\iota$-transformation). Let $F \in SC_n$ be an $n$-dimensional formula. We define the transformation $(\cdot)^\iota$ yielding an $(n+1)$-dimensional formula $(F)^\iota$ inductively as follows.

$$\begin{aligned}
\Bigl(\int \theta\pi\Bigr)^\iota &\overset{\mathrm{df}}{=} \int \theta [I_n\ 0]\,\pi \\
(x)^\iota &\overset{\mathrm{df}}{=} x \\
(f(\theta_1, \ldots, \theta_k))^\iota &\overset{\mathrm{df}}{=} f((\theta_1)^\iota, \ldots, (\theta_k)^\iota) \\
(p(\theta_1, \ldots, \theta_k))^\iota &\overset{\mathrm{df}}{=} p((\theta_1)^\iota, \ldots, (\theta_k)^\iota) \\
(F \langle \vec\theta \rangle G)^\iota &\overset{\mathrm{df}}{=} (F)^\iota \langle [I_n\ 0]^T \vec\theta \rangle (G)^\iota \\
(\neg F)^\iota &\overset{\mathrm{df}}{=} \neg (F)^\iota \\
(F \wedge G)^\iota &\overset{\mathrm{df}}{=} (F)^\iota \wedge (G)^\iota \\
(\exists x\, F)^\iota &\overset{\mathrm{df}}{=} \exists x\, (F)^\iota
\end{aligned}$$

The second transformation relates the measures in the $(n+1)$-dimensional case to the measures in the $n$-dimensional case. To this end, we require all transformations to have a non-zero determinant so that we can apply the Change of Variables Theorem and Lemma 2.19. Thereby, the transformations can be distributed outside the integral. For the remaining integral $\int \pi$ the value in $(n+1)$-dimensional space is the product of the base and the diameter $\ell_{n+1}$ of the polyhedron in the $(n+1)$-st dimension.

Definition 2.44 (cylindric $(\cdot)^\zeta$-transformation). Let $F \in SC_n$ be an $n$-dimensional formula not incorporating non-injective transformations, i.e., transformations $\theta$ with $\det \theta = 0$, under integral expressions. We define the transformation $(\cdot)^\zeta$ yielding an $(n+1)$-dimensional formula $(F)^\zeta$ inductively as follows.

$$\begin{aligned}
\Bigl(\int \theta\pi\Bigr)^\zeta &\overset{\mathrm{df}}{=} \frac{|\det \theta|}{\ell_{\vec e_{n+1}}} \int \pi \\
(x)^\zeta &\overset{\mathrm{df}}{=} x \\
(f(\theta_1, \ldots, \theta_k))^\zeta &\overset{\mathrm{df}}{=} f((\theta_1)^\zeta, \ldots, (\theta_k)^\zeta) \\
(p(\theta_1, \ldots, \theta_k))^\zeta &\overset{\mathrm{df}}{=} p((\theta_1)^\zeta, \ldots, (\theta_k)^\zeta) \\
(F \langle \vec\theta \rangle G)^\zeta &\overset{\mathrm{df}}{=} (F)^\zeta \langle [I_n\ 0]^T \vec\theta \rangle (G)^\zeta \\
(\neg F)^\zeta &\overset{\mathrm{df}}{=} \neg (F)^\zeta \\
(F \wedge G)^\zeta &\overset{\mathrm{df}}{=} (F)^\zeta \wedge (G)^\zeta \\
(\exists x\, F)^\zeta &\overset{\mathrm{df}}{=} \exists x\, (F)^\zeta
\end{aligned}$$

The following lemma states that if a transformed formula is satisfied by an $(n+1)$-dimensional interpretation, then the canonical projection to an $n$-dimensional interpretation satisfies the original formula.

Lemma 2.45. Let $F \in SC_n$ be an $n$-dimensional formula, $M$ an $n$-dimensional polyhedron, and $I$ an $(n+1)$-dimensional interpretation that is constant in the last argument, i.e.,

$$I[\![X]\!](x_1, \ldots, x_n, x_{n+1}) = I[\![X]\!](x_1, \ldots, x_n, x'_{n+1})$$

for all values of $x_1, \ldots, x_n, x_{n+1}, x'_{n+1}$. Define $I'$ to be the projection of $I$ on the first $n$ arguments, i.e.,

$$I'[\![X]\!](x_1, \ldots, x_n) \overset{\mathrm{df}}{=} I[\![X]\!](x_1, \ldots, x_n, 0).$$

Then for arbitrary $a \le b$

$$I'[\![F]\!](V, M) = I[\![(F)^\iota]\!](V, M \times [a, b]).$$

If $F$ does not include non-injective transformations in integral expressions, we obtain the same result for the $\zeta$-transformation:

$$I'[\![F]\!](V, M) = I[\![(F)^\zeta]\!](V, M \times [a, b]).$$

Proof. As the $\iota$-transformation and the $\zeta$-transformation coincide for all cases except for the measure $\int \theta\pi$, we prove both claims in parallel by induction on the structure of formulae.

Case $\int \theta\pi$ ($\iota$-transformation): At first, let $m = I'[\![\theta]\!](V, M) = I[\![\theta]\!](V, M \times [a, b])$ be the result of evaluating $\theta$. Having this definition, we can derive

$$[I_n\ 0](M \times [a, b]) = M \tag{2.8}$$

and

$$[I_n\ 0](M \times [a, b] \cap I[\![\pi]\!]^{-1}(1)) = M \cap I'[\![\pi]\!]^{-1}(1). \tag{2.9}$$

The first claim is trivial; we only prove the second claim.

$$\begin{aligned}
& (x_1, \ldots, x_n) \in [I_n\ 0](M \times [a, b] \cap I[\![\pi]\!]^{-1}(1)) \\
\iff{}& (x_1, \ldots, x_n, x_{n+1}) \in M \times [a, b] \cap I[\![\pi]\!]^{-1}(1) \text{ for some } x_{n+1} \in [a, b] \\
\iff{}& (x_1, \ldots, x_n) \in M \text{ and } (x_1, \ldots, x_n, x_{n+1}) \in I[\![\pi]\!]^{-1}(1) \text{ for some } x_{n+1} \in [a, b] \\
\iff{}& (x_1, \ldots, x_n) \in M \text{ and } I[\![\pi]\!](x_1, \ldots, x_n, x_{n+1}) = \mathit{true} \text{ for some } x_{n+1} \in [a, b] \\
& \{ I \text{ is constant in the last argument.} \} \\
\iff{}& (x_1, \ldots, x_n) \in M \text{ and } I[\![\pi]\!](x_1, \ldots, x_n, 0) = \mathit{true} \\
& \{ \text{Definition of } I' \} \\
\iff{}& (x_1, \ldots, x_n) \in M \text{ and } I'[\![\pi]\!](x_1, \ldots, x_n) = \mathit{true} \\
\iff{}& (x_1, \ldots, x_n) \in M \cap I'[\![\pi]\!]^{-1}(1)
\end{aligned}$$

Using both equalities, we proceed in proving the case.

$$\begin{aligned}
& I'\Bigl[\!\Bigl[\int \theta\pi\Bigr]\!\Bigr](V, M) \\
={}& \int_{mM} \chi_{m(M \cap I'[\![\pi]\!]^{-1}(1))} \\
& \{\text{Equations (2.8) and (2.9)}\} \\
={}& \int_{m[I_n\ 0](M \times [a, b])} \chi_{m[I_n\ 0](M \times [a, b] \cap I[\![\pi]\!]^{-1}(1))} \\
={}& I\Bigl[\!\Bigl[\int \theta[I_n\ 0]\,\pi\Bigr]\!\Bigr](V, M \times [a, b]) \\
={}& I\Bigl[\!\Bigl[\Bigl(\int \theta\pi\Bigr)^\iota\Bigr]\!\Bigr](V, M \times [a, b])
\end{aligned}$$

Case $\int \theta\pi$ ($\zeta$-transformation): After distributing $|\det \theta|$ outside the integral as in Definition 2.44, it remains to treat the integral $\int \pi$.

$$\begin{aligned}
& I\Bigl[\!\Bigl[\Bigl(\int \pi\Bigr)^\zeta\Bigr]\!\Bigr](V, M \times [a, b]) \\
={}& I\Bigl[\!\Bigl[\frac{1}{\ell_{\vec e_{n+1}}} \int \pi\Bigr]\!\Bigr](V, M \times [a, b]) \\
={}& \frac{1}{b - a} \int_{M \times [a, b]} \chi_{M \times [a, b] \cap I[\![\pi]\!]^{-1}(1)} \\
& \{\text{By Fubini's theorem [KF70]}\} \\
={}& \frac{1}{b - a} \int_M \int_{[a, b]} \chi_{M \times [a, b] \cap I[\![\pi]\!]^{-1}(1)} \\
& \{\text{The characteristic function is constant in the last argument.}\} \\
={}& \frac{1}{b - a} \int_M \chi_{M \cap I'[\![\pi]\!]^{-1}(1)} \int_{[a, b]} 1 \\
={}& \int_M \chi_{M \cap I'[\![\pi]\!]^{-1}(1)} \\
={}& I'\Bigl[\!\Bigl[\int \pi\Bigr]\!\Bigr](V, M)
\end{aligned}$$

Case $F \langle \theta \rangle G$: As the definitions of the inflating and cylindric transformations coincide, we can prove this case for both transformations at once. Define $\vec d = I'[\![\theta]\!](V, M)$ to be the vector resulting from the evaluation of the term $\theta$, and $\vec d' = I[\![[I_n\ 0]^T \theta]\!](V, M \times [a, b])$ the vector resulting from $[I_n\ 0]^T \theta$, respectively. Then by definition $\vec d$ and $\vec d'$ coincide on the first $n$ entries, and the last entry of $\vec d'$ is equal to zero.

$$\begin{aligned}
& I'[\![F \langle \theta \rangle G]\!](V, M) = \mathit{true} \\
\iff{}& \text{there is an } \vec m \in M \text{ such that } I'[\![F]\!](V, M \downharpoonright^{\vec m}_{\vec d}) = \mathit{true} \text{ and } I'[\![G]\!](V, M \upharpoonright^{\vec m}_{\vec d}) = \mathit{true} \\
& \{\text{induction hypothesis}\} \\
\iff{}& \text{there is an } \vec m \in M \text{ such that } I[\![(F)^\iota]\!](V, M \downharpoonright^{\vec m}_{\vec d} \times [a, b]) = \mathit{true} \text{ and } I[\![(G)^\iota]\!](V, M \upharpoonright^{\vec m}_{\vec d} \times [a, b]) = \mathit{true} \\
& \{\text{definition of } \downharpoonright \text{ and } \upharpoonright\} \\
\iff{}& \text{there is an } \vec m' \in M \times [a, b] \text{ such that } I[\![(F)^\iota]\!](V, (M \times [a, b]) \downharpoonright^{\vec m'}_{\vec d'}) = \mathit{true} \\
& \text{and } I[\![(G)^\iota]\!](V, (M \times [a, b]) \upharpoonright^{\vec m'}_{\vec d'}) = \mathit{true} \\
\iff{}& I[\![(F)^\iota \langle [I_n\ 0]^T \theta \rangle (G)^\iota]\!](V, M \times [a, b]) = \mathit{true} \\
\iff{}& I[\![(F \langle \theta \rangle G)^\iota]\!](V, M \times [a, b]) = \mathit{true}
\end{aligned}$$

Other cases: Clear from the definition and application of the induction hypothesis.

Note 2.46 (Projections). Requiring the interpretations to be constant in the last argument is a necessary condition, as $\neg \lceil P \rceil_{\vec e_1} \wedge \lceil \neg P \rceil_{\vec e_1}$ is valid in the one-dimensional case but not valid in the two-dimensional case if the interpretation is not constant in the second argument. From both lemmata, we derive the following corollary, which proves to be very useful in practice, as shown in the case studies.

Corollary 2.47 (Up-And-Down-Equivalence). Let $F$ be an $n$-dimensional Shape Calculus formula built from the following EBNF

$$\lceil \pi \rceil \;\mid\; \lceil \pi \rceil_{[\vec e^{\,n}_{i_1}, \ldots, \vec e^{\,n}_{i_k}]^T} \;\mid\; \neg F \;\mid\; F \wedge G \;\mid\; F \langle \vec e^{\,n}_i \rangle G \;\mid\; \exists x : F \;\mid\; \ell_{\vec e^{\,n}_i} = c$$

where $\pi$ is a state expression, $\vec e^{\,n}_i$ an $n$-dimensional unit vector, and $c$ a constant. Let $m \ge n$ and let $I$ be an interpretation that is constant in the last $m - n$ arguments, i.e.,

$$I[\![X]\!](x_1, \ldots, x_n, x_{n+1}, \ldots, x_m) = I[\![X]\!](x_1, \ldots, x_n, x'_{n+1}, \ldots, x'_m)$$

for all values of $x_1, \ldots, x_n, x_{n+1}, \ldots, x_m, x'_{n+1}, \ldots, x'_m$. Define $I'$ to be the projection of $I$ on the first $n$ arguments, i.e.,

$$I'[\![X]\!](x_1, \ldots, x_n) \overset{\mathrm{df}}{=} I[\![X]\!](x_1, \ldots, x_n, 0, \ldots, 0).$$

Then

$$I'[\![F]\!](V, M) = I[\![F']\!](V, M \times [a_1, b_1] \times \ldots \times [a_{m-n}, b_{m-n}])$$

if $F'$ is obtained from $F$ by replacing the $n$-dimensional unit vectors $\vec e^{\,n}_i$ by the corresponding $m$-dimensional unit vectors $\vec e^{\,m}_i$. By abuse of notation, we can omit the superscript $n$ in the unit vector. Then the formula $F$ is not changed at all. Hence, the corollary yields compositionality in proofs and specifications. Consider a railroad crossing with three kinds of parameters: the position of a train, the angle of the gate, and time. The movement of the train can be specified using the temporal and the spatial track dimension, whereas the behaviour of the gate can be specified using the temporal and the angle dimension. The above corollary guarantees that we can do the reasoning for the whole system in the three-dimensional space (track, angle and time) but can forget about the angle when reasoning about the train and forget about the track when reasoning about the gate.

2.4 Relating SC to the modal logic S4

A propositional modal logic is an extension of propositional logic with two additional modal operators $\Box$ and $\Diamond$. Depending on the area of application, the operator $\Box$ can be read as 'it is necessary', 'it is provable' or 'it is permitted'. Each of these intuitive meanings of the modal operator can be formalised by different sets of axioms added to the axioms of propositional logic, yielding a variety of modal logics. A famous modal logic is called S4 [CZ97, HC96], which is characterised by the following axioms:

$$\begin{array}{ll}
(RN)\quad \dfrac{F}{\Box F} & (K)\quad \Box(F \Rightarrow G) \Rightarrow (\Box F \Rightarrow \Box G) \\[8pt]
(4)\quad \Box F \Rightarrow \Box\Box F & (T)\quad \Box F \Rightarrow F
\end{array}$$

In [HZ97] Duration Calculus is proven to be an extension of the modal logic S4, as it satisfies all four defining axioms. It is easy to see that Shape Calculus extends S4 in the same way. The axioms are satisfied for every instance of $\vec d$ in $\Box_{\vec d}$ and for the generalised operation $\Box F = \Box_{\vec e_1} \ldots \Box_{\vec e_n} F$. We only show that Axiom (4) is satisfied, by showing the contrapositive $\Diamond_\theta \Diamond_\theta F \Rightarrow \Diamond_\theta F$.

Proof. Let $I$ be an interpretation, $V$ a valuation, $M$ a polyhedron, and $\vec d = I[\![\theta]\!](V, M)$ the valuation of the term $\theta$.

$$\begin{aligned}
& I[\![\Diamond_\theta \Diamond_\theta F]\!](V, M) = \mathit{true} \\
& \{\text{By definition}\} \\
\iff{}& \text{there are } \vec m_1 \in M,\ \vec m'_1 \in M \upharpoonright^{\vec m_1}_{\vec d},\ \vec m_2 \in M \upharpoonright^{\vec m_1}_{\vec d} \downharpoonright^{\vec m'_1}_{\vec d}, \text{ and } \vec m'_2 \in M \upharpoonright^{\vec m_1}_{\vec d} \downharpoonright^{\vec m'_1}_{\vec d} \upharpoonright^{\vec m_2}_{\vec d} \text{ such that} \\
& I[\![F]\!](V, M \upharpoonright^{\vec m_1}_{\vec d} \downharpoonright^{\vec m'_1}_{\vec d} \upharpoonright^{\vec m_2}_{\vec d} \downharpoonright^{\vec m'_2}_{\vec d}) = \mathit{true} \\
& \{ M \upharpoonright^{\vec m_1}_{\vec d} \downharpoonright^{\vec m'_1}_{\vec d} \upharpoonright^{\vec m_2}_{\vec d} \downharpoonright^{\vec m'_2}_{\vec d} = M \upharpoonright^{\vec m_2}_{\vec d} \downharpoonright^{\vec m'_2}_{\vec d} \} \\
\Rightarrow{}& \text{there are } \vec m_2 \in M \text{ and } \vec m'_2 \in M \upharpoonright^{\vec m_2}_{\vec d} \text{ such that } I[\![F]\!](V, M \upharpoonright^{\vec m_2}_{\vec d} \downharpoonright^{\vec m'_2}_{\vec d}) = \mathit{true} \\
\Rightarrow{}& I[\![\Diamond_\theta F]\!](V, M) = \mathit{true}
\end{aligned}$$

Using this result, we can prove Axiom (4) for the generalised operator.

$$\begin{aligned}
\Diamond \Diamond F &\iff \Diamond_{\vec e_1} \ldots \Diamond_{\vec e_n} \Diamond_{\vec e_1} \ldots \Diamond_{\vec e_n} F && \{\text{Definition}\} \\
&\iff \Diamond_{\vec e_1} \Diamond_{\vec e_1} \ldots \Diamond_{\vec e_n} \Diamond_{\vec e_n} F && \{\text{Lemma 2.38}\} \\
&\Rightarrow \Diamond_{\vec e_1} \ldots \Diamond_{\vec e_n} F && \{(4) \text{ for } \Diamond_{\vec e_i}\} \\
&\Rightarrow \Diamond F
\end{aligned}$$

Remark 2.48. All rules of S4 hold if we consider $I$-validity or  and  as the modalities.

2.4.1 Fusions of modal logics

In recent years, the combination of modal logics has been investigated intensively, for example in [Gab99] and [GKWZ03]. The simplest approach to combining two modal logics with disjoint modal operators $\Box_1$ and $\Box_2$ is to join the sets of axioms of both logics. This is called the fusion of $L_1$ and $L_2$ and is denoted by $L_1 \otimes L_2$. In this sense, the $n$-dimensional Shape Calculus with the operators $\Box_{\vec e_1}, \ldots, \Box_{\vec e_n}$ is an extension of the fusion $S4^n = \underbrace{S4 \otimes \ldots \otimes S4}_{n}$.

2.4.2 Products of modal logics

In contrast to fusions, the product of two modal logics allows both modalities to interact more closely. Different from fusions, the product is defined semantically. For a modal logic $L$ the set of frames $\mathrm{Fr}L$ is the set of all Kripke structures that satisfy all valid formulae of $L$. Vice versa, the set of all formulae that are valid for a class $\mathcal{C}$ of Kripke structures is denoted by $\mathrm{Log}\,\mathcal{C}$. If a modal logic $L$ is determined by a class of Kripke models, i.e., $L = \mathrm{Log}\,\mathrm{Fr}L$ holds, it is called Kripke complete. The logic S4 is Kripke complete and determined by the class of all reflexive and transitive Kripke structures. The product of modal logics is defined as the set of all formulae that are valid in the class of products of Kripke structures that characterise each logic, i.e., $L_1 \times \cdots \times L_n = \mathrm{Log}(\mathrm{Fr}L_1 \times \cdots \times \mathrm{Fr}L_n)$.

DC(X, Y)      X and Y are disconnected
P(X, Y)       X is part of Y
EQ(X, Y)      X is identical with Y
O(X, Y)       X overlaps Y
PO(X, Y)      X partially overlaps Y
EC(X, Y)      X is externally connected with Y
PP(X, Y)      X is proper part of Y
TPP(X, Y)     X is tangential proper part of Y
NTPP(X, Y)    X is non-tangential proper part of Y

Table 2.1: Derived relations in RCC (Names)

The modal logic $S4^2 = S4 \times S4$ is axiomatised by the union of the axioms for S4, once using $\Diamond_1$ and once using $\Diamond_2$, together with axioms describing the commutativity of $\Diamond_1$ and $\Diamond_2$ and the one axiom formalising the Church-Rosser property. However, for $n \ge 3$ the product $S4^n$ is not axiomatisable.

2.5 Relating SC to the Region Connection Calculus

The Region Connection Calculus (RCC) [RCC92] was introduced by Randell, Cui and Cohn in 1992. It is a first-order formalism for qualitative reasoning about spatial relations, used especially in artificial intelligence and geographic information systems. The RCC contains only one binary predicate $C(X, Y)$, which is read as "$X$ is connected with $Y$"; the individual variables range over regions. Using this single predicate, other relations between regions can be defined as indicated in Table 2.1 (names) and Table 2.2 (definitions). However, the full RCC is known to be undecidable [GKWZ03] in general. A 0-order (quantifier-free) subset called RCC-8 has been proposed by Bennet in [Ben96], for which the satisfiability problem is proven to be NP-hard in [RN97]. It does not permit quantification and uses 8 mutually disjoint relations on regions that are considered primitive (see Figure 2.14).

$$\begin{aligned}
DC(X, Y) &\overset{\mathrm{df}}{=} \neg C(X, Y) \\
P(X, Y) &\overset{\mathrm{df}}{=} \forall Z\, (C(Z, X) \rightarrow C(Z, Y)) \\
EQ(X, Y) &\overset{\mathrm{df}}{=} P(X, Y) \wedge P(Y, X) \\
O(X, Y) &\overset{\mathrm{df}}{=} \exists Z\, (P(Z, X) \wedge P(Z, Y)) \\
PO(X, Y) &\overset{\mathrm{df}}{=} O(X, Y) \wedge \neg P(X, Y) \wedge \neg P(Y, X) \\
EC(X, Y) &\overset{\mathrm{df}}{=} C(X, Y) \wedge \neg O(X, Y) \\
PP(X, Y) &\overset{\mathrm{df}}{=} P(X, Y) \wedge \neg P(Y, X) \\
TPP(X, Y) &\overset{\mathrm{df}}{=} PP(X, Y) \wedge \exists Z\, (EC(Z, X) \wedge EC(Z, Y)) \\
NTPP(X, Y) &\overset{\mathrm{df}}{=} PP(X, Y) \wedge \neg\exists Z\, (EC(Z, X) \wedge EC(Z, Y))
\end{aligned}$$

Table 2.2: Derived relations in RCC (Definitions)

2.5.1 Semantics

The semantics of RCC is defined for topological spaces. A topological space is a pair $T = (U, I)$ where $U$ is a non-empty universe and $I$ is the interior function, assigning to each subset of $U$ its interior. There are several equivalent definitions of topological spaces; see for example [Jän94] for a textbook on this subject. The function $I$ is required to satisfy the following axioms:

$$I(X \cap Y) = IX \cap IY, \qquad IX \subseteq IIX, \qquad IX \subseteq X, \qquad IU = U.$$

The interior $IX$ of a set $X$ is the set of all points that have a neighbourhood in $X$. Dual to the interior operator is the closure operator $C$ defined by $CX = U \setminus I(U \setminus X)$. This definition is equivalent to the definition using a system of open sets and requiring the system to be closed under finite intersection and arbitrary union. A subset $X$ of $U$ is called a regular closed set iff $X = CIX$.

[Figure 2.14: The 8 relations of RCC-8: DC(X, Y), EC(X, Y), TPP(X, Y), TPP$^{-1}$(X, Y), PO(X, Y), EQ(X, Y), NTPP(X, Y), NTPP$^{-1}$(X, Y)]

Assuming a map $a$ that assigns a regular closed set to each variable, the truth relation $\models_a$ for atomic RCC-8 formulae is given by

$$\begin{aligned}
T \models_a DC(X, Y) &\text{ iff } \neg\exists x\; x \in a(X) \cap a(Y) \\
T \models_a EQ(X, Y) &\text{ iff } \forall x\; (x \in a(X) \iff x \in a(Y)) \\
T \models_a PO(X, Y) &\text{ iff } \exists x\; x \in Ia(X) \cap Ia(Y) \wedge \exists x\; x \in a(X) \cap (U \setminus a(Y)) \wedge \exists x\; x \in a(Y) \cap (U \setminus a(X)) \\
T \models_a EC(X, Y) &\text{ iff } \exists x\; x \in a(X) \cap a(Y) \wedge \neg\exists x\; x \in a(X) \cap Ia(Y) \wedge \neg\exists x\; x \in a(Y) \cap Ia(X) \\
T \models_a TPP(X, Y) &\text{ iff } \forall x\; x \in (U \setminus a(X)) \cup a(Y) \wedge \exists x\; x \in a(X) \cap a(Y) \cap (U \setminus Ia(Y)) \wedge \exists x\; x \in (U \setminus a(X)) \cap a(Y) \\
T \models_a NTPP(X, Y) &\text{ iff } \forall x\; x \in (U \setminus a(X)) \cup Ia(Y) \wedge \exists x\; x \in (U \setminus a(X)) \cap a(Y)
\end{aligned}$$

The definition of $C$, which is not primitive in RCC-8, is formalised as follows:

$$T \models_a C(X, Y) \text{ iff } \exists x\; x \in a(X) \cap a(Y)$$
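As an added example that is not part of the thesis, the following Python code evaluates these truth conditions for regions built from closed unit squares of the plane, which are regular closed sets as RCC-8 requires; the reduction of each point-set condition to a test on cells is this example's own (stated in the comments), and the sample regions are constructed.

```python
from itertools import product

# Added example, not from the thesis: the truth conditions of Section 2.5.1
# evaluated for regions that are finite unions of closed unit squares of the
# plane (regular closed sets, as RCC-8 requires). A region is the set of
# cells (i, j) whose closed square [i, i+1] x [j, j+1] belongs to it; the
# point-set conditions then reduce to cell adjacency as noted per function.

Region = frozenset

def neighbours(cell: tuple) -> set:
    """The cell itself plus its eight neighbours: exactly the closed squares that touch it."""
    i, j = cell
    return {(i + di, j + dj) for di, dj in product((-1, 0, 1), repeat=2)}

def connected(x: Region, y: Region) -> bool:
    """∃p p ∈ a(X) ∩ a(Y): two closed squares meet iff they coincide or touch."""
    return any(n in y for c in x for n in neighbours(c))

def share_interior_point(x: Region, y: Region) -> bool:
    """∃p p ∈ I a(X) ∩ I a(Y): for unions of closed squares iff a cell is shared."""
    return bool(x & y)

def inside_interior(x: Region, y: Region) -> bool:
    """a(X) ⊆ I a(Y): every square of X, with all its neighbours, lies in Y."""
    return all(neighbours(c) <= y for c in x)

def rcc8(x: Region, y: Region) -> str:
    """The unique RCC-8 relation between X and Y under the truth relation ⊨a."""
    if not connected(x, y):
        return "DC"
    if not share_interior_point(x, y):
        return "EC"          # C(X, Y) holds, but no common interior point
    if x == y:
        return "EQ"
    if x < y:                # a(X) ⊆ a(Y) and a(Y) ⊄ a(X)
        return "NTPP" if inside_interior(x, y) else "TPP"
    if y < x:
        return "NTPPi" if inside_interior(y, x) else "TPPi"
    return "PO"              # common interior point, neither contains the other

def rect(i0: int, j0: int, i1: int, j1: int) -> Region:
    """Cells of the closed rectangle [i0, i1] x [j0, j1] (constructed sample regions)."""
    return frozenset(product(range(i0, i1), range(j0, j1)))

if __name__ == "__main__":
    big = rect(0, 0, 6, 6)
    samples = [("DC", rect(0, 0, 2, 2), rect(3, 0, 5, 2)),
               ("EC, corner touch", rect(0, 0, 2, 2), rect(2, 2, 4, 4)),
               ("PO", rect(0, 0, 3, 3), rect(2, 2, 5, 5)),
               ("TPP", rect(0, 0, 2, 2), big),
               ("NTPP", rect(2, 2, 4, 4), big),
               ("EQ", big, big)]
    for name, a, b in samples:
        print(f"{name:18} -> {rcc8(a, b)}")
```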

2.5.2 Embedding RCC-8 in SC

Many of the relations described in Figure 2.14 have a natural correspondence in Shape Calculus. However, due to the integration operation, properties of single points cannot be expressed directly. Therefore the translation of properties involving points on the border requires extra attention. We consider the translation of the most general relation $C$ of RCC first, although it is not one of the basic relations of RCC-8. We show that this relation can be expressed for the topological space $\mathbb{R}^2$ with the topology induced by the standard Euclidean metric. This depends on the fact that the regions in RCC-8 are regular closed sets, which rules out singular points. Although we demonstrate the correspondence only for the Euclidean plane, the results easily generalise to $\mathbb{R}^n$. The embedding is related to embedding Allen's Interval Logic [All83] in Duration Calculus. To define the connects-to relation $C$, we first introduce an auxiliary lemma relating single points and their neighbourhoods for regular closed sets.

Lemma 2.49. Let $T = (U, I)$ be the topological space on $\mathbb{R}^n$ induced by the distance metric and $X$ a regular closed set. Then the following propositions are equivalent.

$(\alpha)$ $x \in X$

$(\beta)$ In every neighbourhood $W$ of $x$ there is an $\varepsilon$-neighbourhood $V$ ($\varepsilon > 0$), not necessarily a neighbourhood of $x$, such that $V \subseteq X$.

Proof. $(\alpha) \Rightarrow (\beta)$:

case $x \in IX$: As the $\varepsilon$-neighbourhoods form a base, there is an $\varepsilon$-neighbourhood $V$ of $x$ such that $V \subseteq X$.

case $x \notin IX$: Due to regularity $CIX = X$ and $x \in CIX = U \setminus I(U \setminus IX)$. Therefore $x \notin I(U \setminus IX)$. Hence, there can be no $\varepsilon$-neighbourhood of $x$ that does not contain a point of $IX$. So a neighbourhood $W$ must contain such a point $y \in IX$. As $y$ is an interior point of $X$, there is an $\varepsilon$-neighbourhood $V \subseteq X$ as required.

$(\beta) \Rightarrow (\alpha)$: Assume $x \notin X$. By $IX \subseteq X$ we obtain $x \notin IX$, so $x \in U \setminus IX$.

case $x \in I(U \setminus IX)$: In this case there is a neighbourhood $W$ of $x$ that is completely contained in $U \setminus X$, not containing an interior point of $X$, and therefore no $\varepsilon$-neighbourhood $V \subseteq X$ can be in $W$, contradicting $(\beta)$.

case $x \notin I(U \setminus IX)$: In this case $x \in U \setminus I(U \setminus IX) = CIX$. Due to regularity $X = CIX$ and therefore $x \in X$.

To show that the basic relations of RCC-8 can be expressed in Shape Calculus, we associate to each RCC-8 variable $X$ a Shape Calculus variable of the same name, and for the mapping $a$ we construct an interpretation $I$ by

$$I(X)(x) = \begin{cases} 1 & \text{if } x \in a(X) \\ 0 & \text{otherwise} \end{cases}$$

to be the characteristic function of $a$. The condition $(\beta)$ derived in Lemma 2.49 can be encoded in Shape Calculus. Thereby, we obtain an encoding of the $C$ relation in Shape Calculus, formalised in the following lemma for the two-dimensional case but easily generalised to $\mathbb{R}^n$.

Lemma 2.50. Let $a$ be a valuation of RCC-8 variables in the standard topological space $T$ given by $\mathbb{R}^2$ and the distance metric. Let further $I$ be an interpretation as constructed above, $V$ a valuation, and $M$ a polyhedron containing all regions in the range of $a$. Then $T \models_a C(X, Y)$ iff

$$\begin{aligned}
I, V, M \models_n \exists x, y : {}& x < \ell_{\vec e_x} \wedge y < \ell_{\vec e_y} \wedge {} \\
& \forall x_1, x_2, y_1, y_2 : x_1 < x < x_1 + x_2 \wedge y_1 < y < y_1 + y_2 \Rightarrow {} \\
& \bigl( \ell_{\vec e_x} = x_1 \langle \vec e_x \rangle \bigl( \ell_{\vec e_y} = y_1 \langle \vec e_y \rangle (\Diamond \lceil X \rceil \wedge \Diamond \lceil Y \rceil \wedge \ell_{\vec e_x} = x_2 \wedge \ell_{\vec e_y} = y_2) \langle \vec e_y \rangle \mathit{true} \bigr) \langle \vec e_x \rangle \mathit{true} \bigr)
\end{aligned}$$

If two regions are connected, then there is a common point in both regions. The Cartesian coordinates yield the values for $x$ and $y$. The remaining formula states that in every rectangular environment of the point $(x, y)$ given by $[x_1, x_1 + x_2] \times [y_1, y_1 + y_2]$ there is a neighbourhood satisfying $\lceil X \rceil$ and a neighbourhood satisfying $\lceil Y \rceil$. By Lemma 2.49 this is equivalent to $(x, y) \in X$ and $(x, y) \in Y$.

Proof. It is to be shown that there is a point $a$ in $a(X) \cap a(Y)$ if and only if the Shape Calculus formula is satisfied.

"only if": By definition of $C$ there is an $a \in a(X) \cap a(Y)$. As $a(X)$ and $a(Y)$, but not necessarily $a(X) \cap a(Y)$, are regular closed sets, we can apply Lemma 2.49. We fix the variables $x$ and $y$ to the Cartesian coordinates of $a$. All valuations of the variables $x_1, x_2$ and $y_1, y_2$ define a neighbourhood of $a$, and by Lemma 2.49 every neighbourhood contains neighbourhoods $V_x \subseteq a(X)$ and $V_y \subseteq a(Y)$. By construction of $I$ these neighbourhoods satisfy $\Diamond \lceil X \rceil$ and $\Diamond \lceil Y \rceil$. This concludes the proof.

"if": Define the point $a \in \mathbb{R}^2$ by the values of $x$ and $y$ as Cartesian coordinates. Let $U$ be some environment of $a$; then it contains a rectangular environment of $a$. The coordinates of this rectangular environment define the values for $x_1, x_2, y_1$ and $y_2$. Then the environment satisfies $\Diamond \lceil X \rceil$ and $\Diamond \lceil Y \rceil$, which yields two rectangular neighbourhoods that satisfy $X$ and $Y$, respectively. These rectangular neighbourhoods contain $\varepsilon$-neighbourhoods $V_x \subseteq a(X)$ and $V_y \subseteq a(Y)$ and therefore by Lemma 2.49 $a \in a(X) \cap a(Y)$.

After defining the most basic relation, we can provide a representation of the other RCC-8 relations in Shape Calculus. We write $\mathrm{SC}(A)$ for the Shape Calculus formula representing the RCC-8 relation $A$.

The relation DC is the propositional complement of C and therefore represented by:

$$\mathrm{SC}(DC(X, Y)) = \neg\,\mathrm{SC}(C(X, Y))$$

The relation EC is satisfied if the regions are connected but do not share an interior point. As sharing an interior point results in sharing a neighbourhood, it is equivalent to a non-zero measure, expressed in the following representation:

$$\mathrm{SC}(EC(X, Y)) = \mathrm{SC}(C(X, Y)) \wedge \int (X \wedge Y) = 0$$

Three different aspects constitute the relation TPP(X, Y). The containment of $X$ in $Y$ is expressed by $\lceil X \Rightarrow Y \rceil$, the property that the containment is proper by $\neg\lceil Y \Rightarrow X \rceil$, and the fact that both regions touch at a border by $\exists \vec d : \Diamond_{\vec d}(\lceil \neg X \wedge \neg Y \rceil \,\langle \vec d \rangle\, \lceil X \wedge Y \rceil)$.

$$\mathrm{SC}(TPP(X, Y)) = \lceil X \Rightarrow Y \rceil \wedge \neg\lceil Y \Rightarrow X \rceil \wedge \exists \vec d : \Diamond_{\vec d}(\lceil \neg X \wedge \neg Y \rceil \,\langle \vec d \rangle\, \lceil X \wedge Y \rceil)$$

As TPPi is derived from TPP by swapping the parameters, it has the same representation as TPP after exchanging $X$ and $Y$.

$$\mathrm{SC}(TPPi(X, Y)) = \mathrm{SC}(TPP(Y, X))$$

Like TPP, PO is also composed of three conditions. The condition that both share an interior point is $\Diamond\lceil X \wedge Y \rceil$, and the requirement that there are interior points in each set that are not contained in the other is expressed by $\Diamond\lceil X \wedge \neg Y \rceil \wedge \Diamond\lceil \neg X \wedge Y \rceil$.

$$\mathrm{SC}(PO(X, Y)) = \Diamond\lceil X \wedge Y \rceil \wedge \Diamond\lceil X \wedge \neg Y \rceil \wedge \Diamond\lceil \neg X \wedge Y \rceil$$

Due to regularity, two sets are equal if their sets of interior points are equal. This is expressed in Shape Calculus by

$$\mathrm{SC}(EQ(X, Y)) = \lceil X \Leftrightarrow Y \rceil.$$

The realisation of NTPP is derived from the realisation of TPP by negating the tangency condition.

$$\mathrm{SC}(NTPP(X, Y)) = \lceil X \Rightarrow Y \rceil \wedge \neg\lceil Y \Rightarrow X \rceil \wedge \neg\exists \vec d : \Diamond_{\vec d}(\lceil \neg X \wedge \neg Y \rceil \,\langle \vec d \rangle\, \lceil X \wedge Y \rceil)$$

The inverse relation NTPPi is obtained from NTPP by swapping the parameters.

$$\mathrm{SC}(NTPPi(X, Y)) = \mathrm{SC}(NTPP(Y, X))$$
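The representations above can be checked concretely on a simple class of regular closed regions. The following Python program is an added example, not part of the thesis, that classifies two axis-aligned closed rectangles into exactly one RCC-8 base relation using the same ingredients the formulas use: connection of the closures (C), a zero measure of the shared part (the $\int (X \wedge Y) = 0$ test of EC), containment with the properness test, and the border-touching condition that separates TPP from NTPP. The Rect class, the helper names and the sample rectangles are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    """Closed axis-aligned rectangle [x1, x2] x [y1, y2]: a regular closed region
    (constructed for the example)."""
    x1: float
    y1: float
    x2: float
    y2: float

    def __post_init__(self):
        if not (self.x1 < self.x2 and self.y1 < self.y2):
            raise ValueError("a regular closed rectangle needs a non-empty interior")


def connected(a: Rect, b: Rect) -> bool:
    """C(a, b): the closures share at least one point (touching edges or corners count)."""
    return max(a.x1, b.x1) <= min(a.x2, b.x2) and max(a.y1, b.y1) <= min(a.y2, b.y2)


def shared_measure(a: Rect, b: Rect) -> float:
    """Measure of a ∩ b; this is the integral ∫(X ∧ Y) used in the EC representation."""
    w = min(a.x2, b.x2) - max(a.x1, b.x1)
    h = min(a.y2, b.y2) - max(a.y1, b.y1)
    return max(0.0, w) * max(0.0, h)


def contained(inner: Rect, outer: Rect) -> bool:
    """⌈inner ⇒ outer⌉: every point of inner lies in outer."""
    return (outer.x1 <= inner.x1 and inner.x2 <= outer.x2
            and outer.y1 <= inner.y1 and inner.y2 <= outer.y2)


def touches_border(inner: Rect, outer: Rect) -> bool:
    """Tangency condition of TPP: some side of inner lies on the boundary of outer, so in
    that direction a region outside both is adjacent to a region inside both."""
    return (inner.x1 == outer.x1 or inner.x2 == outer.x2
            or inner.y1 == outer.y1 or inner.y2 == outer.y2)


def rcc8(a: Rect, b: Rect) -> str:
    """Return the unique RCC-8 base relation holding between a and b."""
    if not connected(a, b):
        return "DC"                       # DC is the complement of C
    if shared_measure(a, b) == 0.0:
        return "EC"                       # connected, but no shared interior point
    if a == b:
        return "EQ"                       # same interior points
    if contained(a, b):                   # proper part of b with shared interior
        return "TPP" if touches_border(a, b) else "NTPP"
    if contained(b, a):
        return "TPPi" if touches_border(b, a) else "NTPPi"
    return "PO"                           # shared interior, each has points outside the other


def classify_pairs(pairs):
    """Classify a list of (a, b) pairs; returns the relation names in order."""
    return [rcc8(a, b) for a, b in pairs]
```

Since the eight relations are jointly exhaustive and pairwise disjoint, the function returns exactly one name; the order of the tests mirrors the order in which the representations above refine each other (C first, then the shared-measure test, then containment).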

2.6 Integration in System Development Processes

As we have discussed in the introduction, formal methods concentrating only on real-time aspects fall short of reasoning about systems where safety depends on spatial properties. However, a significant advantage of Shape Calculus is that it extends a sophisticated formal method for real-time systems. Therefore it integrates seamlessly with system development approaches for real-time systems and thus benefits from theoretical results and tool development in this field. In this section we illustrate how Shape Calculus can be integrated in development processes for real-time systems.

2.6.1 Refinement

The transformational approach to real-time system design, e.g. [JHF+94], starts with a system specification on a highly abstract level and iteratively refines the specification towards the implementation level. The pivotal notion is refinement. A concrete specification refines an abstract specification if all systems that satisfy the requirements on the concrete level also satisfy the requirements on the abstract level; in this sense the concrete specification is more deterministic. In logics, refinement is often captured by an implication, using an additional formula to establish a link between system behaviour on different levels of abstraction.

Definition 2.51 (Refinement). Let $A$, $C$ and $L(A, C)$ be Shape Calculus formulae. Then $C$ refines $A$ iff

$$\models C \wedge L(A, C) \Rightarrow A.$$

The formula $L(A, C)$ can be used to establish a link between observables on the abstract and concrete level. To make sense, it is necessary that $L(A, C)$ is satisfiable, as otherwise the refinement relation is always satisfied.

As Shape Calculus provides a conservative extension of Duration Calculus, it directly embeds into the refinement hierarchy as sketched in Figure 2.15. This process proceeds as follows.
Starting with a Shape Calculus specification, temporal requirements in Duration Calculus of each component are elaborated. It is shown that if the components guarantee the real-time requirements, then the overall system requirements on the Shape Calculus level are met. If these requirements can be given as DC-Implementables, they can be used to automatically synthesise a PLC-Automaton. Finally, the PLC-Automaton can be compiled into program code.

[Figure 2.15: Refining Shape-Calculus Specifications into Program-Code. The figure shows the refinement chain Shape-Calculus (abstract spatio-temporal specification for systems and environment) → Duration Calculus (abstract temporal specification for systems and environment) → DC-Implementables (specification of controllers for individual systems) → PLC-Automata (operational model for cyclic real-time systems) → Program-Code (implementation in C code); the levels from DC-Implementables downwards are marked as the existing framework.]

The transformation from DC-Implementables via PLC-Automata into C code is a well established approach, elaborated and proven correct in [Die99, Die05]. This approach is exemplified for the Road Runner case study in Chapter 4. Subsequently, we briefly review DC-Implementables and PLC-Automata.

DC-Implementables

Anders Ravn proposed in [Rav95] a subset of Duration Calculus called Implementables for the specification of real-time controllers. This subset can specify state transitions of control along with synchronisation and real-time requirements for each transition. For defining the implementables, we introduce the leads-to operator $\longrightarrow_{DC}$.

$$F \longrightarrow_{DC} \lceil\pi\rceil \stackrel{df}{=} \neg\Diamond(F ; \lceil\neg\pi\rceil_{DC})$$

$$F \stackrel{\sim t}{\longrightarrow}_{DC} \lceil\pi\rceil \stackrel{df}{=} \neg\Diamond((F \wedge \ell \sim t) ; \lceil\neg\pi\rceil_{DC})$$

The initialisation implementable specifies that a system has to start in a certain state $\pi$.

$$\lceil\rceil_{DC} \vee \lceil\pi\rceil_{DC} ; \mathit{true}$$

The sequencing implementable encodes that a system in state $\pi$ can either evolve to state $\pi'$ or remain in $\pi$.

$$\lceil\pi\rceil_{DC} \longrightarrow_{DC} \lceil\pi \vee \pi'\rceil_{DC} = \neg\Diamond(\lceil\pi\rceil_{DC} ; \lceil\neg(\pi \vee \pi')\rceil)$$

The unbounded stability implementable specifies that a system in state $\pi$, under the condition that also $\varphi$ holds, can either stay in $\pi$ or evolve into a state given by $\pi'$.

$$\lceil\neg\pi\rceil_{DC} ; \lceil\pi \wedge \varphi\rceil_{DC} \longrightarrow_{DC} \lceil\pi \vee \pi'\rceil_{DC} = \neg\Diamond(\lceil\neg\pi\rceil_{DC} ; \lceil\pi \wedge \varphi\rceil_{DC} ; \lceil\neg(\pi \vee \pi')\rceil_{DC})$$

The bounded stability implementable guarantees stability of a state for a fixed amount of time $t$.

$$\lceil\neg\pi\rceil_{DC} ; \lceil\pi \wedge \varphi\rceil_{DC} \stackrel{\le t}{\longrightarrow}_{DC} \lceil\pi \vee \pi'\rceil_{DC} = \neg\Diamond(\lceil\neg\pi\rceil_{DC} ; \lceil\pi \wedge \varphi\rceil_{DC} \wedge \ell \le t ; \lceil\neg(\pi \vee \pi')\rceil)$$

Progress and synchronisation constraints are both expressed by the synchronisation implementable, specifying that a system in $\pi$ must leave the state if the synchronisation expression $\varphi$ is true for $t$ time units.

$$\lceil\pi \wedge \varphi\rceil_{DC} \stackrel{= t}{\longrightarrow}_{DC} \lceil\neg\pi\rceil_{DC} = \neg\Diamond(\lceil\pi \wedge \varphi\rceil_{DC} \wedge \ell \ge t ; \lceil\pi\rceil)$$

PLC-Automata

The development of PLC-Automata in the UniForM project was motivated by the goal to verify program code for programmable logic controllers (PLCs). They were introduced by H. Dierks in [Die99], recently revisited in [Die05], and provide an operational formal model for PLCs. The semantics is given in terms of Duration Calculus as well as in terms of timed

automata [AD94], permitting the use of timed automata model checkers like Uppaal [BBD+02, BDL04]. PLCs exhibit a cyclic behaviour; each cycle consists of three phases: first polling the inputs, then computing the next state and finally updating the outputs. PLC-Automata can be synthesised from DC-Implementables and, in contrast to Timed Automata, they can be compiled into program code, like ST code for PLCs or C code for Lego Mindstorms.

[Figure 2.16: PLC-Automaton specifying the Road Runner (state diagram not reproduced). The declarations read:

Macro_LTHR LEFT_OUT=sensor_left < 35
Macro_RTHR RIGHT_OUT=sensor_right < 35
Input sensor_left : {0..100} init 35
Input sensor_right : {0..100} init 35
Output motor_left : {-1..1} init 1
Output motor_right : {-1..1} init 1
Macro_dice REDICE=dice:=(97*dice + 71) % 257
Local dice : {0..256} init 97

The automaton has the states idle, check_left, left_offtable, recover_left, check_right, right_offtable and recover_right, annotated with the delay values 0, 200 and 500 and the input conditions all, LEFT_OUT, RIGHT_OUT and !LEFT_OUT & !RIGHT_OUT; the states assign the values -1, 0 and 1 to motor_left and motor_right.]

2.6.2 Model Checking

The model checking approach was introduced by Clarke and Emerson [CE81, CES86] and Quielle and Sifakis [QS82]. See also [CGP00] for a survey on this topic. All possible computations of a system, represented as a finite state system, are explored and checked whether the computations satisfy a property specified for example in a temporal logic. A model checking

[Figure 2.17: Combining Shape-Calculus Specifications and Model Checking. The figure shows Shape-Calculus (abstract spatio-temporal requirements for systems and environment) refined into Constraint Diagrams (real-time requirements), which are verified against Timed Automata (verification with Uppaal); the Timed Automata are obtained from PLC-Automata (operational model for cyclic real-time systems), which are compiled into Program-Code (implementation in C code). The levels from Constraint Diagrams downwards are marked as the existing framework.]

approach for real-time systems proposed in [DL02] starts with an implementation of a system given in terms of PLC-Automata. PLC-Automata do not only possess a Duration Calculus but also a Timed Automata semantics. Thus a translation of PLC-Automata into Timed Automata enables the use of tools like Uppaal [BDL04], which is probably the most advanced tool for model checking real-time systems. Constraint Diagrams introduced in [Die96a] represent a subset of Duration Calculus together with a graphical notation. Lettrari and Dierks provide in [DL02] a method for model checking PLC-Automata against specifications given in terms of Constraint Diagrams [Die96a, Kle00] by translating both into Timed Automata. Shape Calculus can be integrated in this approach as follows. The initial Shape Calculus requirement needs to be refined into a specification which consists of two parts: a system description considering only temporal properties and assumptions on the environment considering spatial and temporal properties. As one-dimensional Shape Calculus coincides with Duration Calculus, the specification considering only temporal properties can be further refined into the subset of Constraint Diagrams. This is reasonable as both formalisms have the Duration Calculus as a common interface. Identifying

a subset of Shape Calculus that can be refined into Constraint Diagrams and the development of refinement rules are left for future work. Decomposing Shape Calculus specifications into spatio-temporal assumptions and temporal requirements for individual agents is exemplified in the “Road Runner” and “Generalised Railroad Crossing” case studies in Chapter 4.
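As an added illustration of the cyclic PLC behaviour described in Section 2.6.1 (poll the inputs, compute the next state, update the outputs), the following Python program simulates a small PLC-Automaton. It is example code written for this page, not the Road Runner automaton of Figure 2.16 and not code from the thesis or from Dierks' tools: it reuses only the declarations of Figure 2.16 (the macros LEFT_OUT = sensor_left < 35 and RIGHT_OUT = sensor_right < 35 and the two motor outputs) and the delay values 0, 200 and 500. The three states, their transitions, the 50 ms cycle time and the reading of a delay annotation as "hold the state for the given time against the listed inputs" are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Input = Tuple[bool, bool]    # (LEFT_OUT, RIGHT_OUT), the macros of Figure 2.16
ALL: FrozenSet[Input] = frozenset((l, r) for l in (False, True) for r in (False, True))


@dataclass
class State:
    delay_ms: int                  # delay annotation: 0, 200 or 500 in Figure 2.16
    delay_for: FrozenSet[Input]    # inputs the state is held against while the delay runs ("all" = ALL)
    outputs: Dict[str, int]        # motor_left / motor_right written in the output phase
    next: Dict[Input, str]         # transition table; an input not listed keeps the state


def macros(sensor_left: int, sensor_right: int) -> Input:
    """Macro_LTHR and Macro_RTHR of Figure 2.16 applied to the polled sensor values."""
    return (sensor_left < 35, sensor_right < 35)


# Constructed three-state automaton (an assumption of the example, not Figure 2.16's):
# idle drives forward; check_left stops and waits 500 ms before trusting that the left
# sensor is back on the table; recover_left turns for 200 ms whatever the sensors say.
STATES: Dict[str, State] = {
    "idle": State(0, frozenset(), {"motor_left": 1, "motor_right": 1},
                  {(True, False): "check_left"}),
    "check_left": State(500, frozenset({(False, False)}), {"motor_left": 0, "motor_right": 0},
                        {(False, False): "idle", (True, False): "recover_left"}),
    "recover_left": State(200, ALL, {"motor_left": 1, "motor_right": -1},
                          {inp: "idle" for inp in ALL}),
}


def run(readings: List[Tuple[int, int]], states: Dict[str, State] = STATES,
        initial: str = "idle", cycle_ms: int = 50) -> List[Tuple[str, Input, Dict[str, int]]]:
    """Execute one PLC cycle per sensor reading; return (state, input, outputs) per cycle."""
    q, held_ms, trace = initial, 0, []
    for sensor_left, sensor_right in readings:
        a = macros(sensor_left, sensor_right)                # phase 1: poll the inputs
        st = states[q]
        if st.delay_ms > 0 and a in st.delay_for and held_ms < st.delay_ms:
            nxt = q                                           # phase 2: delay running, input ignored
        else:
            nxt = st.next.get(a, q)                           # phase 2: take the transition
        trace.append((nxt, a, dict(states[nxt].outputs)))     # phase 3: update the outputs
        held_ms = held_ms + cycle_ms if nxt == q else 0       # time spent in the current state
        q = nxt
    return trace


# Constructed readings: the left sensor drops below 35 (off the table), flickers back
# above 35 for three cycles, drops again, and then stays on the table.
READINGS = [(50, 50), (20, 50), (50, 50), (50, 50), (50, 50), (20, 50),
            (50, 50), (50, 50), (50, 50), (50, 50), (50, 50)]


def visited(readings=READINGS, states=STATES) -> List[str]:
    """The sequence of states the automaton is in after each cycle."""
    return [state for state, _, _ in run(readings, states)]
```

Running visited() shows the effect of the delay annotation: the three "back on the table" readings arriving within the first 500 ms of check_left are ignored, while the same readings drive the automaton straight back to idle when check_left carries no delay.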

Chapter 3 Patterns and Lightweight Rules

Contents
3.1 Temporal Bounds . . . . . 80
3.2 Position and Movement . . . . . 83
    3.2.1 The position-pattern . . . . . 83
    3.2.2 The cartesian2D-pattern . . . . . 85
    3.2.3 The distance-pattern . . . . . 87
    3.2.4 The cont-move-pattern . . . . . 89
3.3 Shape Pattern . . . . . 91
    3.3.1 The rectangle-pattern . . . . . 91
    3.3.2 The circle-pattern . . . . . 93
3.4 Rules . . . . . 95

In this chapter we present a solution to the problem of how to use the formalism in practice. Specifying system properties in temporal logic is often tedious and error-prone work [Hei98] and requires in-depth knowledge of the formalism used to ensure that the formal specification coincides with the informal intention. As Shape Calculus specifications talk about spatial and temporal system properties, the formulae tend to become large. To solve these problems, we utilise the Design Pattern idea from the software engineering world and provide patterns for the “design” of a formal specification in Shape Calculus. This idea has been adjusted for the design of time-triggered embedded systems on hardware level in [Pon01]. In its first part it tackles hardware problems, i.e., which kind of microprocessor, timer, memory etc. to use for a certain problem, before presenting software patterns, like the implementation of timers and watchdogs, and discussing different scheduling patterns in the second part. In the context of the SafeRail project Bitsch [Bit01] presents a pattern approach for specifying temporal safety requirements without directly relating the patterns to a formal method like ITL or CTL. Design Patterns [GHJV95] were introduced in software engineering by Gamma et al. in 1993 [GHJV93] and provide standard solutions to recurring problems in the software engineering process. A Design Pattern comprises not only a solution but is always equipped with detailed explanations of the pattern, its application conditions and consequences.

Subsequently, we provide a catalogue of patterns for specifying frequently arising system behaviour. Hereby, we put emphasis on the specification of aspects related to physical mobility. For each pattern we describe the intention, give a formal definition, provide an informal explanation, discuss application conditions for this pattern, and illustrate its use on example instances. After defining the patterns, we present lightweight proof rules. These rules are not intended to establish a complete proof system, but to enable a non-expert user to manipulate formulae containing instances of these patterns more easily. They are lightweight in this sense, and the collection presented in this thesis just serves as a small example of how such rules can look. For the remainder of this chapter, we assume a three-dimensional space, two spatial dimensions $x$ and $y$, and one temporal dimension $t$.

3.1 Temporal Bounds

In Duration Calculus upper bounds on the duration of states $\pi$ are usually specified by a formula

$$\neg\Diamond(\lceil\pi\rceil_{DC} \wedge \ell > \tau_{upper})$$

expressing that there is no interval of length greater than $\tau_{upper}$ satisfying $\pi$. The specification of lower bounds is slightly more complicated:

$$\neg\Diamond(\lceil\neg\pi\rceil_{DC} ; \lceil\pi\rceil_{DC} \wedge \ell < \tau_{lower} ; \lceil\neg\pi\rceil_{DC}).$$

In this formula the beginning and end of the phase satisfying $\pi$ are fixed by the chopping points given by $\lceil\neg\pi\rceil_{DC} ; \lceil\pi\rceil_{DC}$ and $\lceil\pi\rceil_{DC} ; \lceil\neg\pi\rceil_{DC}$ respectively. This relies on the fact that in Duration Calculus every non-empty interval can be chopped such that the beginning either satisfies $\pi$ or $\neg\pi$ for every state expression $\pi$. The formula

$$\lceil\rceil_{DC} \vee (\lceil\pi\rceil_{DC} ; \mathit{true}) \vee (\lceil\neg\pi\rceil_{DC} ; \mathit{true}) \qquad \text{(DC-2)}$$

is a tautology in Duration Calculus. However, this does no longer hold in the multi-dimensional setting. The corresponding formula

$$\lceil\rceil \vee (\lceil\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true}) \vee (\lceil\neg\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})$$

is not valid in two-dimensional Shape Calculus. An interpretation violating this condition is depicted in Figure 3.1.

[Figure 3.1: Counterexample for $\lceil\rceil \vee (\lceil\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true}) \vee (\lceil\neg\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})$; the sketch shows a region $\pi$ in the $x$/$t$ plane.]

Every rectangle starting at the origin of the coordinate system has either measure zero or contains points satisfying $\pi$ as well as points satisfying $\neg\pi$. However, the following weaker formula still holds in the multi-dimensional Shape Calculus.

$$\lceil\rceil \vee \neg(\lceil\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true}) \vee \neg(\lceil\neg\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})$$

The interpretation depicted in Figure 3.1 satisfies $\neg(\lceil\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})$ as well as $\neg(\lceil\neg\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})$, so these conditions are not mutually exclusive. This observation can be used to specify lower bounds in Shape Calculus. Specifying a lower bound constraint on intervals satisfying $\pi$ everywhere can be expressed using double negation. In the formula

$$\lceil\pi\rceil \,\langle\vec d\rangle\, \neg(\lceil\pi\rceil \,\langle\vec d\rangle\, \mathit{true})$$

the chopping bound is exactly the maximal position such that $\pi$ is true throughout the first interval and not throughout the second subinterval. A region satisfying $\neg\pi$ must be directly connected to the hyperplane given by the chopping point and direction vector. Hence, a lower bound on diameters and durations can be specified by

$$\neg\Diamond_{\vec e_t}\big(\neg(\mathit{true} \,\langle\vec e_t\rangle\, \lceil\pi\rceil) \,\langle\vec e_t\rangle\, (\lceil\pi\rceil \wedge \ell_{\vec e_t} > t) \,\langle\vec e_t\rangle\, \neg(\lceil\pi\rceil \,\langle\vec e_t\rangle\, \mathit{true})\big).$$

This formula expresses that it is impossible to split the observation interval into three parts such that

1. $\pi$ is false somewhere in the first subinterval and a region satisfying $\lceil\neg\pi\rceil$ is connected to the chopping hyperplane, i.e., the hyperplane is uniquely determined,
2. $\pi$ is true throughout the second subinterval,
3. $\pi$ is false somewhere in the third subinterval and, similar to the first subinterval, the hyperplane is also uniquely determined.

The specification of upper bounds is simpler and corresponds to Duration Calculus:

$$\neg\Diamond_{\vec e_t}(\lceil\pi\rceil \wedge \ell_{\vec e_t} > t).$$

The DC-Implementables discussed in Section 2.6.1 constitute design patterns for the specification of real-time controllers. As Shape Calculus is a conservative extension of Duration Calculus, they can be directly used to specify controllers for individual systems if we assume the control state to depend only on the point in time and to be independent of the spatial position, as shown in Corollary 2.47. Additionally, the leads-to operator can be extended for Shape Calculus by adding an index denoting the chopping direction.

$$F \longrightarrow_{\vec d} G \stackrel{df}{=} \neg\Diamond_{\vec d}(F \,\langle\vec d\rangle\, \neg G)$$

$$F \stackrel{\sim t}{\longrightarrow}_{\vec d} G \stackrel{df}{=} \neg\Diamond_{\vec d}((F \wedge \ell_{\vec d} \sim t) \,\langle\vec d\rangle\, \neg G)$$

where $\sim \in \{=, \le\}$.
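The DC-Implementables of Section 2.6.1 and the temporal bound formulas of this section all have the shape ¬◇(…): each forbids one pattern of adjacent phases. On a finite trace of a controller that is constant on finitely many phases, every one of them can therefore be checked by searching for the forbidden pattern. The following Python program is an added example, not code from the thesis: it checks initialisation, sequencing, bounded and unbounded stability, synchronisation and the Duration Calculus upper and lower bound formulas on a constructed trace given as (duration, control state, ϕ) segments. The trace, the state names and the threshold values are constructed for the example, and the checks take the formulas literally as stated on this page (the synchronisation implementable with ℓ ≥ t as in its expansion).

```python
from typing import List, Set, Tuple

Segment = Tuple[float, str, bool]   # (duration, control state, synchronisation condition phi)
Phase = Tuple[str, float, List[Tuple[float, bool]]]

# Constructed sample trace (not from the thesis): idle for 1 s, then check for 0.75 s
# (phi holds during its first 0.5 s), then recover for 2 s with phi, then idle again.
TRACE: List[Segment] = [
    (1.0, "idle", False),
    (0.5, "check", True),
    (0.25, "check", False),
    (2.0, "recover", True),
    (1.0, "idle", False),
]


def phases(trace: List[Segment]) -> List[Phase]:
    """Merge consecutive segments with the same state into maximal phases ⌈π⌉."""
    out: List[Phase] = []
    for dur, st, phi in trace:
        if out and out[-1][0] == st:
            name, total, segs = out[-1]
            out[-1] = (name, total + dur, segs + [(dur, phi)])
        else:
            out.append((st, dur, [(dur, phi)]))
    return out


def initialisation(trace: List[Segment], pi: str) -> bool:
    """⌈⌉ ∨ ⌈π⌉ ; true: the trace is empty or starts in π."""
    return not trace or trace[0][1] == pi


def sequencing(trace: List[Segment], pi: str, successors: Set[str]) -> bool:
    """⌈π⌉ → ⌈π ∨ π'⌉: a π-phase is only ever followed by a phase in successors."""
    ph = phases(trace)
    return all(ph[i + 1][0] in successors for i in range(len(ph) - 1) if ph[i][0] == pi)


def stability(trace: List[Segment], pi: str, successors: Set[str], t: float = float("inf")) -> bool:
    """⌈¬π⌉ ; ⌈π ∧ φ⌉ --≤t--> ⌈π ∨ π'⌉ (t = ∞ gives unbounded stability). A violating
    interval is a ¬π-phase, then a π-phase of length ≤ t with φ throughout, then a phase
    that is neither π nor π'."""
    ph = phases(trace)
    for i in range(1, len(ph) - 1):                    # needs a phase before and after
        st, dur, segs = ph[i]
        if (st == pi and all(phi for _, phi in segs) and dur <= t
                and ph[i + 1][0] not in successors):
            return False
    return True


def synchronisation(trace: List[Segment], pi: str, t: float) -> bool:
    """⌈π ∧ φ⌉ --=t--> ⌈¬π⌉ = ¬◇(⌈π ∧ φ⌉ ∧ ℓ ≥ t ; ⌈π⌉): no run of φ inside a π-phase may
    reach length t while π still continues afterwards."""
    for st, _, segs in phases(trace):
        if st != pi:
            continue
        run = 0.0
        for k, (dur, phi) in enumerate(segs):
            run = run + dur if phi else 0.0
            last = k == len(segs) - 1
            if run > t or (run >= t and not last):
                return False
    return True


def upper_bound(trace: List[Segment], pi: str, tau: float) -> bool:
    """¬◇(⌈π⌉ ∧ ℓ > τ): every π-phase lasts at most τ."""
    return all(dur <= tau for st, dur, _ in phases(trace) if st == pi)


def lower_bound(trace: List[Segment], pi: str, tau: float) -> bool:
    """¬◇(⌈¬π⌉ ; ⌈π⌉ ∧ ℓ < τ ; ⌈¬π⌉): every π-phase enclosed by ¬π lasts at least τ."""
    ph = phases(trace)
    return all(ph[i][1] >= tau for i in range(1, len(ph) - 1) if ph[i][0] == pi)
```

The lower bound deliberately skips the first and last phase of the trace, exactly as the DC formula requires a ⌈¬π⌉ interval on both sides; a π-phase that is still running at the end of the observation is not a violation.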

3.2 Position and Movement

In this section we introduce several patterns for the specification of system behaviour. Hereby, we concentrate on the specification of mobility aspects. Starting with a pattern that is able to determine the position of an object, we provide patterns for continuous movement and for measuring distances, which are all built upon the initially defined pattern yielding the object position.

3.2.1 The position-pattern

Intention: Describing the position of an object in a two-dimensional space defined by a state expression $\pi$ in the current polyhedron.

Parameters:
$\pi$: The state expression to be located in the polyhedron.
$\vec d$: The direction vector used for determining the position.
$x$: The variable to be bound to the position.

Definition: We define a weak and a strong version of this pattern.

$$\mathit{position\text{-}W}(\pi, \vec d, x) \stackrel{df}{=} \big(\lceil\rceil_{\vec e_t} \Rightarrow ((\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \ell_{\vec d} = 0) \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, \neg(\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \,\langle\vec d\rangle\, \mathit{true})\big) \wedge \big(\neg\lceil\rceil_{\vec e_t} \Rightarrow ((\lceil\neg\pi\rceil \vee \ell_{\vec d} = 0) \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, \neg(\lceil\neg\pi\rceil \,\langle\vec d\rangle\, \mathit{true})\big)$$

$$\mathit{position}(\pi, \vec d, x) \stackrel{df}{=} \big(\lceil\rceil_{\vec e_t} \Rightarrow ((\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \ell_{\vec d} = 0) \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, (\neg(\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \,\langle\vec d\rangle\, \mathit{true}) \wedge \ell_{\vec d} > 0)\big) \wedge \big(\neg\lceil\rceil_{\vec e_t} \Rightarrow ((\lceil\neg\pi\rceil \vee \ell_{\vec d} = 0) \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, (\neg(\lceil\neg\pi\rceil \,\langle\vec d\rangle\, \mathit{true}) \wedge \ell_{\vec d} > 0)\big)$$

[Figure 3.2: The position-pattern. The sketch shows a polyhedron chopped in direction $\vec d$ into a first part of diameter $\ell_{\vec d}$ satisfying $\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T}$ and a remaining part satisfying $\neg(\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \,\langle\vec d\rangle\, \mathit{true})$, with the object $\pi$ adjacent to the chopping line.]

Explanation: The position-pattern determines the distance of an object characterised by the state expression $\pi$ from the border of the polyhedron under consideration. To this end, it considers two different cases, depending on whether the pattern is evaluated on a polyhedron of zero or non-zero temporal diameter. In the first case, it determines the exact position of the nearest object satisfying $\pi$ according to the direction $\vec d$. In the latter case, it yields the minimal position over time of the nearest object satisfying $\pi$. At first, we discuss the case that it is evaluated on a polyhedron of zero temporal diameter. As Shape Calculus employs the integral operation, it is necessary to perform a projection onto the spatial plane, omitting the temporal dimension, in order to permit statements about a polyhedron of zero temporal diameter. Henceforth, the temporal information is abstracted by projecting onto the spatial plane using the matrix

$$[\vec e_x^3, \vec e_y^3]^T = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \end{pmatrix}$$

in which the last column is zero. As sketched in Figure 3.2 the position of the object is the maximal length of an interval not being occupied by the object. The maximality is ensured by the condition that the remaining part cannot be chopped further such that the first part does not contain a region satisfying $\pi$. The weak formalisation position-W does not require

the object specified by $\pi$ to be contained in the observation polyhedron at all. If the whole polyhedron satisfies $\lceil\neg\pi\rceil$, the formula is satisfied if the parameter $x$ is bound to the diameter of the polyhedron. In this case the stronger form position is not satisfied. This pattern requires the object to occur in the polyhedron. If the pattern is evaluated on a polyhedron of non-zero temporal diameter, the only difference is that the projection on the spatial plane is not used. This is inevitable as the formula

$$\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T}$$

does not specify that $\pi$ is false throughout the polyhedron, but just that for every spatial point there is a point in time at which $\pi$ is false. Therefore the formula

$$\lceil\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \wedge \lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T}$$

is satisfiable for a polyhedron of non-zero temporal diameter.

Applicability: Due to the case distinction, the weak pattern does not impose any restriction on the polyhedron or the interpretation and is always satisfiable for a suitable binding of the variable. The strong pattern does not impose a restriction on the polyhedron either, but evaluates to false if the state expression $\pi$ is unsatisfied throughout the polyhedron. If Shape Calculus is restricted to chops along the coordinate axes, this pattern is also restricted to measuring distances in the direction of the coordinate axes.

Example: Assume the behaviour of a mobile robot is specified by an observable $R$. To specify the requirement that the position of the robot is never less than 4 spatial units, the position-pattern can be used as follows:

$$\neg\Diamond_{\vec e_t}(\ell_{\vec e_x} > 10 \wedge \mathit{position}(R, \vec e_x, x) \wedge x < 4)$$

Additionally, we have specified that the robot is always present in the observation interval. This fundamental pattern is used for the definition of various other patterns. The first application is the determination of the Cartesian coordinates.

3.2.2 The cartesian2D-pattern

Intention: Describing the Cartesian coordinates of an object defined by a state expression $\pi$ in the current polyhedron.

[Figure 3.3: The cartesian2D-pattern. The sketch shows the object $\pi$ with $\mathit{position}(\pi, \vec e_x, x)$ measured along the $x$-axis and $\mathit{position}(\pi, \vec e_y, y)$ along the $y$-axis.]

Parameters:
$\pi$: The state expression to be located in the polyhedron.
$x$: The variable to be bound to the $x$-coordinate.
$y$: The variable to be bound to the $y$-coordinate.

Definition:

$$\mathit{cartesian2D}(\pi, x, y) \stackrel{df}{=} \mathit{position}(\pi, \vec e_x, x) \wedge \mathit{position}(\pi, \vec e_y, y)$$

Explanation: The position-pattern is used to determine the Cartesian coordinates of an object characterised by a state assertion $\pi$. To this end, the position-pattern is used twice, once with the direction instantiated by the first unit vector $\vec e_x$ and once instantiated by the second unit vector $\vec e_y$. This is sketched in Figure 3.3.

Applicability: This pattern has the same applicability conditions as the position-pattern.

Example: To specify a constraint on the spatial position of a robot defined by an observable $R$, we can use cartesian2D in the following context.

$$\neg\Diamond_{\vec e_t}(\ell_{\vec e_x} > 10 \wedge \ell_{\vec e_y} > 10 \wedge \mathit{cartesian2D}(R, x, y) \wedge (x < 2 \vee x > 10 \vee y < 1 \vee y > 9))$$

This formula specifies that the spatial position is in the rectangle $[2, 10] \times [1, 9]$. However, it does not take the size of the robot into account, as the position-pattern yields the position of the lower left corner of the surrounding rectangle.

[Figure 3.4: The distance-pattern. The sketch shows the objects $\pi_1$ and $\pi_2$ and a polyhedron chopped twice in direction $\vec d$: the first part satisfies $\neg(\mathit{true} \,\langle\vec d\rangle\, \lceil\neg\pi_1\rceil_{[\vec e_x^3, \vec e_y^3]^T})$, the middle part of diameter $\ell_{\vec d}$ satisfies $\lceil\neg\pi_1 \wedge \neg\pi_2\rceil_{[\vec e_x^3, \vec e_y^3]^T}$, and the last part satisfies $\neg(\lceil\neg\pi_2\rceil_{[\vec e_x^3, \vec e_y^3]^T} \,\langle\vec d\rangle\, \mathit{true})$.]

3.2.3 The distance-pattern

When describing physically mobile systems, a minimal distance between two objects is often required.

Intention: Describing the distance of two objects.

Parameters:
$\pi_1$: The state expression describing the first object.
$\pi_2$: The state expression describing the second object.
$\vec d$: The direction used to determine the distance.
$x$: The variable to be bound to the distance.

Definition:

$$\mathit{distance}(\pi_1, \pi_2, \vec d, x) \stackrel{df}{=} \neg(\mathit{true} \,\langle\vec d\rangle\, \lceil\neg\pi_1\rceil_{[\vec e_x^3, \vec e_y^3]^T}) \,\langle\vec d\rangle\, (\lceil\neg\pi_1 \wedge \neg\pi_2\rceil_{[\vec e_x^3, \vec e_y^3]^T} \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, \neg(\lceil\neg\pi_2\rceil_{[\vec e_x^3, \vec e_y^3]^T} \,\langle\vec d\rangle\, \mathit{true})$$

Explanation: The distance-pattern is constructed using the same approach as the position-pattern. As sketched in Figure 3.4, the distance in the direction of the parameter $\vec d$ is determined by measuring the diameter of the largest subpolyhedron that contains neither $\pi_1$ nor $\pi_2$. The projection is employed to enable the pattern to be used for polyhedra having a temporal diameter of zero.

Applicability: This pattern can be used for polyhedra of zero temporal diameter to determine the exact distance of two objects. The vector $\vec d$ specifying the direction should have a zero entry for the temporal dimension and reside in the spatial plane.

Alternative Definitions: Instead of using the double negation, one can use projection onto the straight line given by $\vec d$ and end up with

$$\mathit{distance}'(\pi_1, \pi_2, \vec d, x) \stackrel{df}{=} \mathit{true} \,\langle\vec d\rangle\, \lceil\pi_1\rceil_{\vec d^T} \,\langle\vec d\rangle\, (\lceil\neg\pi_1 \wedge \neg\pi_2\rceil_{[\vec e_x^3, \vec e_y^3]^T} \wedge \ell_{\vec d} = x) \,\langle\vec d\rangle\, \lceil\pi_2\rceil_{\vec d^T} \,\langle\vec d\rangle\, \mathit{true}.$$

Example: The requirement that the minimal distance of two robots $R_1$ and $R_2$ is never less than 5 spatial units can be specified by

$$\neg\exists\vec d : \Diamond_{\vec e_t}(\lceil\rceil_{\vec e_t} \wedge \mathit{distance}(R_1, R_2, [\vec e_x^3, \vec e_y^3, 0]\vec d, x) \wedge x < 5).$$

[Figure 3.5: The cont-move-pattern. The sketch shows the object $\pi$ at two points in time in a time/$x$/$y$ coordinate system, with $\mathit{position}(\pi, \vec e_x, x_1)$ measured in the first snapshot, $\mathit{position}(\pi, \vec e_x, x_2)$ in the second, and the temporal distance $\ell_{\vec e_t}$ between them.]

The quantification $\exists\vec d$ considers arbitrary vectors. To ensure the vector has a zero entry for the temporal dimension, we employ a transformation using the matrix

$$[\vec e_x^3, \vec e_y^3, 0] = \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 0 \end{pmatrix}.$$

3.2.4 The cont-move-pattern

Intention: Specifying an object to be continuously moving.

Parameters:
$\pi$: The state expression describing the moving object.
$\vec d$: The direction under consideration.
$\nu$: The velocity of the object in direction $\vec d$.

Definition:

$$\mathit{cont\text{-}move}(\pi, \vec d, \nu) \stackrel{df}{=} \Box_{\vec e_t}\Big(\exists x_1, x_2 : \big((\mathit{position}(\pi, \vec d, x_1) \wedge \lceil\rceil_{\vec e_t}) \,\langle\vec e_t\rangle\, \ell_{\vec e_t} = t \,\langle\vec e_t\rangle\, (\mathit{position}(\pi, \vec d, x_2) \wedge \lceil\rceil_{\vec e_t})\big) \Rightarrow x_2 - x_1 = t \cdot \nu\Big)$$

Explanation: The intention of this pattern is captured in Figure 3.5. For all temporal subintervals, if we take two snapshots and determine the position of the object using the position-pattern, the difference between both positions is given by the movement equation, i.e., it is the product of velocity and time. However, this pattern only specifies that the velocity in direction $\vec d$ is $\nu$ and does not say anything about the velocity in other directions. For example, a robot can satisfy $\mathit{cont\text{-}move}(\pi, \vec e_x, 5)$ by moving in $x$-direction with velocity 5 and in $y$-direction with velocity 10. To avoid this, one needs to specify the velocity in the orthogonal directions to be equal to zero.

Applicability: Duration Calculus does not allow reasoning about single points in time, i.e., intervals of zero length. On the contrary, due to the projections, Shape Calculus is able to express properties of polyhedra having zero diameter, as long as the polyhedron does not reduce to a single point.

Alternative Definitions: Continuous movement can also be specified without using projection and considering polyhedra of temporal diameter zero. The instance for non-zero (NZ) temporal diameter is given by the following definition.

$$\mathit{cont\text{-}move\text{-}NZ}(\pi, \vec d, \nu) \stackrel{df}{=} \Box_{\vec e_t}\Big(\exists x_1, x_2 : \big(\mathit{position}(\pi, \vec d, x_1) \,\langle\vec e_t\rangle\, \ell_{\vec e_t} = t \,\langle\vec e_t\rangle\, \mathit{position}(\pi, \vec d, x_2)\big) \Rightarrow x_2 - x_1 = t \cdot \nu\Big)$$

In this case the position-pattern yields the position of the object which is minimal over all points in time. Therefore the pattern compares two minimal distances and is equivalent to the original pattern. Instead of using the position-pattern it is possible to use cartesian2D for the specification of continuous movement. The advantage of this approach is that the movement is uniquely determined, as it is specified in both orthogonal directions.

$$\mathit{cont\text{-}move\text{-}cart}(\pi, \nu_x, \nu_y) \stackrel{df}{=} \Box_{\vec e_t}\Big(\exists x_1, x_2, y_1, y_2 : \big((\mathit{cartesian2D}(\pi, x_1, y_1) \wedge \lceil\rceil_{\vec e_t}) \,\langle\vec e_t\rangle\, \ell_{\vec e_t} = t \,\langle\vec e_t\rangle\, (\mathit{cartesian2D}(\pi, x_2, y_2) \wedge \lceil\rceil_{\vec e_t})\big) \Rightarrow x_2 - x_1 = t \cdot \nu_x \wedge y_2 - y_1 = t \cdot \nu_y\Big)$$

Example: Specifying that a robot determined by the observable $R$ is moving with velocity 5 in $x$-direction can be accomplished by using the cont-move-cart-pattern and requiring $\mathit{cont\text{-}move\text{-}cart}(R, 5, 0)$. The velocity for the $y$-direction is set explicitly to 0.
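To make the patterns of this section concrete, the following Python program is an added example (not the thesis's own code) that evaluates position, position-W, cartesian2D, distance and the two cont-move variants on snapshots of a discretised polyhedron. A snapshot is the set of grid cells occupied by the object π, the direction d⃗ is restricted to the unit vectors e_x and e_y (the axis-aligned chops the text mentions under applicability), and the diameter ℓ_d⃗ of the largest prefix free of π is the smallest occupied coordinate in that direction. The grid size, the objects, the time stamps and the velocities are constructed for the example.

```python
from typing import List, Optional, Set, Tuple

Cell = Tuple[int, int]
Dir = Tuple[int, int]
EX: Dir = (1, 0)      # unit vector e_x
EY: Dir = (0, 1)      # unit vector e_y
W, H = 10, 10         # constructed observation polyhedron: W x H grid cells


def rect_cells(x1: int, y1: int, w: int, h: int) -> Set[Cell]:
    """Constructed object: the w x h block of cells with lower-left cell (x1, y1)."""
    return {(x, y) for x in range(x1, x1 + w) for y in range(y1, y1 + h)}


def proj(cell: Cell, d: Dir) -> int:
    """Coordinate of a cell along the axis direction d."""
    if d not in (EX, EY):
        raise ValueError("only chops along the coordinate axes are modelled")
    return cell[0] * d[0] + cell[1] * d[1]


def diameter(d: Dir) -> int:
    """ℓ_d of the whole observation polyhedron."""
    return W if d == EX else H


def position_w(cells: Set[Cell], d: Dir) -> int:
    """position-W: diameter of the largest prefix in direction d free of the object;
    the whole diameter when the object is absent (the ⌈¬π⌉ case of the definition)."""
    return diameter(d) if not cells else min(proj(c, d) for c in cells)


def position(cells: Set[Cell], d: Dir) -> Optional[int]:
    """position (strong form): as position-W, but undefined (None) when the object is absent."""
    return None if not cells else position_w(cells, d)


def cartesian2d(cells: Set[Cell]) -> Tuple[Optional[int], Optional[int]]:
    """cartesian2D(π, x, y) = position(π, e_x, x) ∧ position(π, e_y, y)."""
    return (position(cells, EX), position(cells, EY))


def distance(cells1: Set[Cell], cells2: Set[Cell], d: Dir) -> Optional[int]:
    """distance: diameter of the gap in direction d that starts where π1 ends (the first chop
    cannot be moved further without leaving ¬π1 at its end) and ends where π2 begins.
    None when the pattern is unsatisfiable (an object missing, or π2 not beyond π1 along d)."""
    if not cells1 or not cells2:
        return None
    end1 = max(proj(c, d) for c in cells1) + 1      # a cell occupies [coordinate, coordinate + 1)
    start2 = min(proj(c, d) for c in cells2)
    return start2 - end1 if start2 >= end1 else None


Snapshot = Tuple[int, Set[Cell]]   # (time, occupied cells): a polyhedron of zero temporal diameter


def cont_move(snapshots: List[Snapshot], d: Dir, nu: int) -> bool:
    """cont-move: for every two snapshots at times t1 < t2, x2 - x1 = (t2 - t1) * ν."""
    for i, (t1, c1) in enumerate(snapshots):
        for t2, c2 in snapshots[i + 1:]:
            x1, x2 = position(c1, d), position(c2, d)
            if x1 is None or x2 is None or x2 - x1 != (t2 - t1) * nu:
                return False
    return True


def cont_move_cart(snapshots: List[Snapshot], nu_x: int, nu_y: int) -> bool:
    """cont-move-cart: the movement is fixed in both orthogonal directions at once."""
    return cont_move(snapshots, EX, nu_x) and cont_move(snapshots, EY, nu_y)


# Constructed snapshots of an object moving diagonally, one cell per time unit in x and in y.
DIAGONAL: List[Snapshot] = [(0, rect_cells(1, 1, 2, 2)),
                            (1, rect_cells(2, 2, 2, 2)),
                            (3, rect_cells(4, 4, 2, 2))]
```

The DIAGONAL snapshots reproduce the caveat in the explanation above: cont_move(DIAGONAL, EX, 1) holds although the object also moves in y, and only cont_move_cart pins the movement down in both directions.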

3.3 Shape Pattern

Apart from movement requirements, the physical shape of objects can influence the overall system behaviour. In this section we demonstrate how the shape of objects can be specified in Shape Calculus.

3.3.1 The rectangle-pattern

Intention: Defining an object specified by a state assertion $\pi$ to be rectangular.

Parameters:
$\pi$: The state expression characterising the object.
$\delta_x$: The width of the object.
$\delta_y$: The height of the object.

[Figure 3.6: The rectangle-pattern. The sketch shows the object $\pi$ as a box of width $\delta_x$ and height $\delta_y$ in a time/$x$/$y$ coordinate system, extended along the time axis.]

Definition:

$$\mathit{rectangle}(\pi, \delta_x, \delta_y) \stackrel{df}{=} (\lceil\neg\pi\rceil \vee \lceil\rceil) \,\langle\vec e_x\rangle\, \Big((\lceil\neg\pi\rceil \vee \lceil\rceil) \,\langle\vec e_y\rangle\, (\lceil\pi\rceil \wedge \ell_{\vec e_x} = \delta_x \wedge \ell_{\vec e_y} = \delta_y) \,\langle\vec e_y\rangle\, (\lceil\neg\pi\rceil \vee \lceil\rceil)\Big) \,\langle\vec e_x\rangle\, (\lceil\neg\pi\rceil \vee \lceil\rceil)$$

Explanation: The rectangle-pattern is used to specify an object characterised by a state assertion $\pi$ to be rectangular. Furthermore, it allows the user to specify the size of the object in $x$- and $y$-direction. As depicted in Figure 3.6, the formula chops the spatio-temporal observation interval twice in $x$- and $y$-direction and requires the interior interval to satisfy the state assertion $\pi$. Additionally, the size of the interior is restricted to $\delta_x$ and $\delta_y$.

Applicability: This pattern in the above form has two application conditions. First, the rectangle must be aligned to the $x$-axis and $y$-axis, respectively. Second, the object must remain immobile throughout the temporal observation interval. The pattern cannot be applied directly to intervals of zero temporal length. Hence, this pattern is to be combined with a suitable transformation. Such a transformation can for example project on the spatial plane or perform rotations. In case the object under consideration has a more complex structure, the pattern can be nested.

Alternative Definitions: As discussed in the applicability section, the standard form requires the object to be immobile. An alternative is to consider snapshots and require the rectangular shape for each temporal snapshot. This is sketched in Figure 3.7.

$$\mathit{rectangle\text{-}SN}(\pi, \delta_x, \delta_y) \stackrel{df}{=} \Box_{\vec e_t}\Big(\lceil\rceil_{\vec e_t} \Rightarrow (\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \lceil\rceil_{[\vec e_x^3, \vec e_y^3]^T}) \,\langle\vec e_x\rangle\, \big((\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \lceil\rceil_{[\vec e_x^3, \vec e_y^3]^T}) \,\langle\vec e_y\rangle\, (\lceil\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \wedge \ell_{\vec e_x} = \delta_x \wedge \ell_{\vec e_y} = \delta_y) \,\langle\vec e_y\rangle\, (\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \lceil\rceil_{[\vec e_x^3, \vec e_y^3]^T})\big) \,\langle\vec e_x\rangle\, (\lceil\neg\pi\rceil_{[\vec e_x^3, \vec e_y^3]^T} \vee \lceil\rceil_{[\vec e_x^3, \vec e_y^3]^T})\Big)$$

Example: To specify that a robot characterised by the observable $R$ has a $3 \times 4$ rectangular shape and is always present in the observation interval, we can employ the following formula: $\mathit{rectangle\text{-}SN}(R, 3, 4)$.

3.3.2 The circle-pattern

Intention: Defining an object specified by a state assertion $\pi$ to be a full circle.

[Figure 3.7: Alternative rectangle-pattern. The sketch shows the object $\pi$ with width $\delta_x$ and height $\delta_y$ in a single temporal snapshot of the time/$x$/$y$ coordinate system.]

Parameters:
$\pi$: The state expression characterising the circular object.
$\delta$: The diameter of the object.

Definition:

$$\mathit{circle}(\pi, \delta) \stackrel{df}{=} \forall\vec d\, \big(\vec d.t = 0 \wedge \vec d \neq 0 \Rightarrow (\lceil\neg\pi\rceil \vee \lceil\rceil) \,\langle\vec d\rangle\, (\lceil\pi\rceil_{\vec d} \wedge \ell_{\vec d} = \delta) \,\langle\vec d\rangle\, (\lceil\neg\pi\rceil \vee \lceil\rceil)\big)$$

Explanation: The circle-pattern is used to specify an object characterised by a state assertion $\pi$ to be a circle with a given diameter. The formula requires that the object has the same size in every direction. This ensures circularity.

[Figure 3.8: The circle-pattern. The plot shows the object π with diameter δ in the x-y plane, stacked along the time axis.]

Applicability Due to the use of the everywhere operation without projection, this pattern cannot be applied to spatio-temporal intervals of zero temporal diameter. However, this pattern can be modified analogously to rectangle-SN to use temporal snapshots.
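As an added, executable illustration of the snapshot-based form (this is example code written for this page, not part of the thesis), the following Python models an observation as a sequence of temporal snapshots over a boolean grid and checks rectangle-SN(π, δx, δy) on it. It also contrasts the snapshot form with the immobile standard form of the rectangle pattern: a robot that drifts between snapshots satisfies rectangle-SN but not the standard form. The grid size, the 3 × 4 robot extent from the example above, and the drifting trajectory are constructed sample data; the function names are assumptions of this example.

```python
"""Snapshot-based rectangle check (added example, not from the thesis).

A spatio-temporal observation is modelled as a list of temporal snapshots;
each snapshot is a grid of booleans with grid[y][x] True where the state
assertion pi holds.  rectangle_sn() mirrors rectangle-SN: in every snapshot
the plane can be chopped in x direction into a (possibly empty) not-pi strip,
a middle strip and a (possibly empty) not-pi strip, and the middle strip can
be chopped in y direction into not-pi / a dx x dy block of pi / not-pi.
The object may move between snapshots, which the standard form rejects.
"""
from typing import List, Optional, Tuple

Grid = List[List[bool]]


def bounding_box(grid: Grid) -> Optional[Tuple[int, int, int, int]]:
    """(x0, x1, y0, y1) of the cells where pi holds (x1, y1 exclusive),
    or None when pi holds nowhere in the snapshot."""
    cells = [(x, y) for y, row in enumerate(grid) for x, v in enumerate(row) if v]
    if not cells:
        return None
    xs = [x for x, _ in cells]
    ys = [y for _, y in cells]
    return min(xs), max(xs) + 1, min(ys), max(ys) + 1


def is_rectangle(grid: Grid, dx: int, dy: int) -> bool:
    """One snapshot: pi holds exactly on one dx x dy axis-aligned block.
    The block is the chopped middle part (pi everywhere, l_x = dx, l_y = dy);
    everything outside the bounding box is not-pi by construction of the box."""
    box = bounding_box(grid)
    if box is None:
        return False
    x0, x1, y0, y1 = box
    if (x1 - x0, y1 - y0) != (dx, dy):
        return False
    # Every cell inside the box must hold, otherwise the middle part is not a block.
    return all(grid[y][x] for y in range(y0, y1) for x in range(x0, x1))


def rectangle_sn(snapshots: List[Grid], dx: int, dy: int) -> bool:
    """rectangle-SN(pi, dx, dy): every temporal snapshot shows a dx x dy rectangle."""
    return all(is_rectangle(g, dx, dy) for g in snapshots)


def rectangle_immobile(snapshots: List[Grid], dx: int, dy: int) -> bool:
    """The standard form additionally requires the same rectangle at every instant."""
    return rectangle_sn(snapshots, dx, dy) and len({bounding_box(g) for g in snapshots}) == 1


def make_snapshot(width: int, height: int, x0: int, y0: int, dx: int, dy: int) -> Grid:
    """Constructed sample snapshot: a dx x dy block of pi with lower-left cell (x0, y0)."""
    return [[x0 <= x < x0 + dx and y0 <= y < y0 + dy for x in range(width)]
            for y in range(height)]


# Constructed samples: a 3 x 4 robot R that drifts one cell to the right per
# snapshot, and the same robot standing still.
MOVING_ROBOT = [make_snapshot(10, 10, 1 + t, 2, 3, 4) for t in range(3)]
STATIC_ROBOT = [make_snapshot(10, 10, 1, 2, 3, 4) for _ in range(3)]
```

A snapshot-based circle check would follow the same structure, replacing is_rectangle by a test that one snapshot has the same extent δ in every direction.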

3.4 Rules

We derive several rules for formula manipulation. Throughout this section we assume for all rules the application condition that the direction vector $\vec d$ is non-zero, i.e., $\vec d \ne 0$.

Applicability of position The first rule states that it is always possible to determine the position of an object in a polyhedron.

$$
\exists x\ \text{position-W}(\pi, \vec d, x) \qquad \text{where } \vec d \ne 0 \qquad \text{(R-position-1)}
$$

Proof. Let I be an interpretation, V a valuation, and M a polyhedron.

case $\lceil\rceil_{\vec e_t}$: Assume that the temporal diameter of M is zero. If π is false for all points of M, then $\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}$ is true on M. Defining V' by
$$
V'(y) = \begin{cases} I[\![\ell_{\vec d}]\!](V, M) & \text{if } x = y \\ V(y) & \text{otherwise} \end{cases}
$$
yields the satisfaction of the whole formula. If π is not false throughout M, due to Riemann-integrability of I there is a rectangular subset $M' \subseteq M$ of non-zero Riemann-measure such that π is true throughout M' and the distance of M' to the border of the polyhedron M is minimal according to direction $\vec d$. This rectangle is not uniquely defined, but this does not matter for the rest of the proof. Let $\vec m \in M'$ be a point having minimal distance according to direction $\vec d$. Then $M^{\vec m}_{\vec d}$ satisfies $\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}$ due to the minimality of M' and $\vec m$. As M' is a rectangular subset of non-zero Riemann-measure satisfying π, a subset of non-zero measure is contained in every subset $(M^{\vec m}_{\vec d})^{\vec m'}_{\vec d}$ obtained from $M^{\vec m}_{\vec d}$ by chopping again in direction $\vec d$. Therefore the measure of ¬π in $(M^{\vec m}_{\vec d})^{\vec m'}_{\vec d}$ is strictly less than the size of $(M^{\vec m}_{\vec d})^{\vec m'}_{\vec d}$. Hence, there is no $\vec m'$ such that $\lceil\neg\pi\rceil$ is satisfied on $(M^{\vec m}_{\vec d})^{\vec m'}_{\vec d}$. So, defining V' by
$$
V'(y) = \begin{cases} I[\![\ell_{\vec d}]\!](V, M^{\vec m}_{\vec d}) & \text{if } x = y \\ V(y) & \text{otherwise} \end{cases}
$$
yields
$$
I, M, V' \models \big((\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T} \lor \ell_{\vec d} = 0) \land \ell_{\vec d} = x\big)\ \langle\vec d\rangle\ \neg\big(\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}\ \langle\vec d\rangle\ \text{true}\big)
$$
as required.

case $\neg\lceil\rceil_{\vec e_t}$: The case that the temporal diameter of M is non-zero is proven similarly.

Relating the Strong and the Weak position-pattern The second rule establishes a connection between the strong and the weak version of the position-pattern. If the state expression π characterising the object is true somewhere in the polyhedron, then the strong and the weak version of the pattern coincide. We present two rules expressing this relationship, one for polyhedra of zero temporal diameter

$$
\lceil\rceil_{\vec e_t} \land \Diamond\lceil\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T} \land \text{position-W}(\pi, \vec d, x) \Rightarrow \text{position}(\pi, \vec d, x) \qquad \text{(R-position-2)}
$$

and one for non-zero temporal diameter.

$$
\Diamond\lceil\pi\rceil \land \text{position-W}(\pi, \vec d, x) \Rightarrow \text{position}(\pi, \vec d, x) \qquad \text{(R-position-3)}
$$

Proof. Let I be an interpretation, V a valuation, and M a polyhedron such that
$$
I, V, M \models \lceil\rceil_{\vec e_t} \land \Diamond\lceil\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T} \land \text{position-W}(\pi, \vec d, x).
$$
Assuming
$$
I, V, M \not\models \text{position}(\pi, \vec d, x)
$$
implies $I, V, M \models x = \ell_{\vec d}$ and therefore
$$
I, V, M \models \lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T},
$$
contradicting the assumption. The proof of the second rule is similar.

Taking Temporal Snapshots The next two rules are a convenient combination of the first rule and the rule $F \iff F\,;\,\ell = 0$ known from Duration Calculus. These rules allow us to take temporal snapshots of objects and determine their position at a single moment in time. Their proofs are straightforward and omitted here.

$$
\exists x\ \text{position-W}(\pi, \vec d, x) \land \lceil\rceil_{\vec e_t}\ \langle\vec e_t\rangle\ \text{true} \qquad \text{(R-position-4)}
$$

$$
\text{true}\ \langle\vec e_t\rangle\ \exists x\ \text{position-W}(\pi, \vec d, x) \land \lceil\rceil_{\vec e_t} \qquad \text{(R-position-5)}
$$

The position-Pattern in Non-Singular Temporal Intervals The next rule establishes formally that the position yields the minimal distance of an object over time.

$$
\big(\lceil\neg\pi\rceil \Rightarrow \Box_{\vec e_t}\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}\big) \land \big(\text{true}\ \langle\vec e_t\rangle\ \text{position-W}(\pi, \vec d, x)\ \langle\vec e_t\rangle\ \text{true}\big) \land \text{position-W}(\pi, \vec d, y) \Rightarrow y \le x \qquad \text{(R-position-6)}
$$

Proof. Let I be an interpretation, V a valuation, and M a polyhedron such that
$$
I, V, M \models \big(\lceil\neg\pi\rceil \Rightarrow \Box_{\vec e_t}\lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}\big) \tag{3.1}
$$
and
$$
I, V, M \models \big(\text{true}\ \langle\vec e_t\rangle\ \text{position-W}(\pi, \vec d, x)\ \langle\vec e_t\rangle\ \text{true}\big) \tag{3.2}
$$
$$
I, V, M \models \text{position-W}(\pi, \vec d, y) \tag{3.3}
$$

In case M has zero temporal diameter, chopping in Equation (3.2) does not change anything; therefore position-W(π, d⃗, x) and position-W(π, d⃗, y) are evaluated on the very same polyhedron, and x = y is clear. So, we assume M to have non-zero temporal diameter. By (3.3) there is a point $\vec m$ such that
$$
I, V, M^{\vec m}_{\vec d} \models \lceil\neg\pi\rceil \land \ell_{\vec d} = y \tag{3.4}
$$
Decomposing the definition in Equation (3.2) yields two temporal chopping points $\vec t_1, \vec t_2$ and one chopping point $\vec m'$ in direction $\vec d$ such that one of the two following cases is true.

case $\vec t_1 \ne \vec t_2$: In this case, chopping $M^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t}$ at $\vec m'$ in direction $\vec d$ yields a first part with
$$
I, V, M^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t}{}^{\vec m'}_{\vec d} \models \lceil\neg\pi\rceil \land \ell_{\vec d} = x \tag{3.5}
$$
and a second part satisfying $\neg(\lceil\neg\pi\rceil\ \langle\vec d\rangle\ \text{true})$. Chopping the interval $M^{\vec m}_{\vec d}$ in Equation (3.4) likewise at $\vec t_1$ and $\vec t_2$ in temporal direction yields
$$
I, V, M^{\vec m}_{\vec d}{}^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t} \models \lceil\neg\pi\rceil \land \ell_{\vec d} = y
$$
and by changing the order of the chopping operations as in Lemma 2.37
$$
I, V, M^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t}{}^{\vec m}_{\vec d} \models \lceil\neg\pi\rceil \land \ell_{\vec d} = y.
$$
Assuming V(y) > V(x) yields the possibility to chop $M^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t}{}^{\vec m}_{\vec d}$ at a point $\vec m'$ in direction $\vec d$ such that the first part satisfies $\lceil\neg\pi\rceil \land \ell_{\vec d} = x$ and the second part satisfies $\lceil\neg\pi\rceil \land \ell_{\vec d} = y - x$. This contradicts Equation (3.5).

case $\vec t_1 = \vec t_2$: This case is similar, but requires the assumption (3.1) to deduce from (3.4) that
$$
I, V, M^{\vec t_1}_{\vec e_t}{}^{\vec t_2}_{\vec e_t}{}^{\vec m}_{\vec d} \models \lceil\neg\pi\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T} \land \ell_{\vec d} = y
$$
in order to derive the contradiction.

Chapter 4 Case Studies

Contents
4.1 Generalised Railroad Crossing  102
  4.1.1 Parameters  103
  4.1.2 SC Modelling  103
  4.1.3 Verification  108
4.2 Car Platooning  111
  4.2.1 Informal Description  111
  4.2.2 Modelling cars and roles  112
  4.2.3 Movement of individual cars  112
  4.2.4 Distance  112
  4.2.5 Merging  113
4.3 Road Runner  114
  4.3.1 Informal Description  114
  4.3.2 Modelling the Controller  114
  4.3.3 Modelling the Environment  116
  4.3.4 Modelling the Road Runner  117
  4.3.5 Revealing Unsafety  121
  4.3.6 Modification of the Design  122
  4.3.7 Verifying Safety  126

In this chapter we demonstrate the applicability of Shape Calculus by presenting different case studies. The first is the benchmark case study Generalised Railroad Crossing [HL94]. As it is a benchmark case study that has been investigated using several different formal methods, it allows us to compare our approach directly with formalisms for real-time systems; see e.g. [ORS96, DD97] for a treatment of this example with Duration Calculus. The second case study is a modelling of car platooning manoeuvres in the context of the California PATH [HESV91] project. We present how to model car platoons and the merging manoeuvre in Shape Calculus. The Road Runner case study considers the movement of a robot in the Euclidean plane. The safety requirement and the overall system safety depend on a combination of the spatial position as well as on timing constraints. We first discuss an unsafe design, point out the problems, and then present a safe design. However, both designs share the same specification of the real-time controller. This shows that a formal model neglecting the spatial aspects would be inadequate.

4.1 Generalised Railroad Crossing

The Generalised Railroad Crossing (GRC) was introduced by C. Heitmeyer et al. in [CHLR93] and has been investigated for example by C. Heitmeyer and N. Lynch in [HL94]. It is a benchmark example for real-time formalisms and has been investigated with numerous of them [ORS96, DD97, YPD94]. Most work only considers the real-time aspects of this system, although the positions of the trains and gates are spatial properties. We demonstrate how these properties can be handled in SC.

[Figure 4.1: Generalised Railroad Crossing. The track is the x-axis with the crossing and the gate at position 0; a train at distance x is crossing below λ1, approaching between λ1 and λ2, and the track counts as empty beyond λ2.]

The scenario is sketched in Figure 4.1. A set of trains travel through a railroad crossing, and a gate controller has to ensure that the gates are closed during each occupancy interval. This is the safety requirement. Additionally, the controller has to ensure a utility requirement: the gates are open if the crossing is not occupied for a certain amount of time. The model and verification are fully parameterised, i.e., we proceed symbolically and do not use fixed values for velocities and distances.

4.1.1 Parameters

A train can be detected by the gate controller if its distance to the crossing is less than or equal to λ2, and the gate has to be closed if the distance is less than or equal to λ1. We assume a maximal speed νmax of the train and an angular rate ψ for the gate. We further assume a minimal speed νmin for the slowest possible train. We elaborate an SC model of the system, give a proof of the safety property and derive the necessary conditions on the parameters νmax, ψ, λ1 and λ2. If we assume a discrete temporal and spatial domain, a simpler and non-parametric instance of the GRC problem can be handled by model checking techniques, as demonstrated in [QS06, Que05].

4.1.2 SC Modelling

To model the track, we introduce one spatial dimension called x and an observable T to model that the track at the current position is occupied by a train. The current angle of the gate is modelled by a spatial dimension ϑ and an observable G. We assume that the gate is closed if it is at position 0 and open at position 90. Furthermore, we assume that the value of observable T does not depend on the angle, i.e., the interpretation is always constant in the ϑ argument. This is sketched in Figure 4.2. Similarly, we assume that G is independent of the spatial position, i.e., the x argument. The advantage of this postulate is that we can apply Corollary 2.47 and reason compositionally. In proofs we can completely ignore dimension ϑ when considering T and ignore dimension x when considering G. For the definition of the train behaviour, we employ the position-pattern elaborated in Chapter 3. We use a modified version, considering one-dimensional space only and not using projection.

Definition 4.1 (Position-Pattern). We define the formula pattern dist(π, d⃗, x) as an abbreviation to be true if the minimum distance of observable π in direction d⃗ equals the expression x. This definition is a special case of the position defined in Chapter 3.

[Figure 4.2: Shape Calculus modelling of GRC. Axes: x (the track, with λ1 and λ2 marked), ϑ (the gate angle, 10° to 80°) and time; the regions ⌈¬T⌉ and ¬(⌈¬T⌉⟨x⟩true) illustrate dist(T, x).]

$$
\begin{aligned}
\text{dist}(\pi, \vec d, x) \;\stackrel{\text{df}}{=}\;& \lceil\rceil_{\vec e_t} \Rightarrow \big((\lceil\neg\pi\rceil_{[\vec e_x,\vec e_\vartheta]^T} \lor \ell_{\vec d} = 0) \land \ell_{\vec d} = x\big)\ \langle\vec d\rangle\ \neg\big(\lceil\neg\pi\rceil_{[\vec e_x,\vec e_\vartheta]^T}\ \langle\vec d\rangle\ \text{true}\big) \\
\land\;& \neg\lceil\rceil_{\vec e_t} \Rightarrow \big((\lceil\neg\pi\rceil \lor \ell_{\vec d} = 0) \land \ell_{\vec d} = x\big)\ \langle\vec d\rangle\ \neg\big(\lceil\neg\pi\rceil\ \langle\vec d\rangle\ \text{true}\big)
\end{aligned}
\qquad \text{(dist-def)}
$$

The position of π equals x iff we chop the observation interval in direction d⃗ such that π is false everywhere on the first part and the second part cannot be chopped again in this direction such that π is false at its beginning; the latter ensures maximality. This idea is depicted in Figure 4.2 for the distance of the nearest train T. If there is no initial spatial subinterval fulfilling ⌈¬π⌉, then x is set to zero. In Chapter 3 we have derived a rule for the position expressing that the pattern returns the position that is minimal according to the temporal evolution. Analogously to this rule, the following holds for dist:

$$
\big(\text{true}\ \langle\vec e_t\rangle\ \text{dist}(\pi, \vec d, r)\ \langle\vec e_t\rangle\ \text{true}\big) \Rightarrow \text{dist}(\pi, \vec d, r') \land r' \le r. \qquad \text{(dist-min)}
$$

This rule reads as follows: if the minimal distance of an object is r on some temporal subinterval, then the minimal distance on the whole interval is smaller or equal.

Track We use three formulae as abbreviations to characterise the occupancy state of the track.

• The track is empty iff there is no train up to position λ2.
$$
\text{empty} \stackrel{\text{df}}{=} \lceil\neg T\rceil \land \ell_{\vec e_x} \ge \lambda_2 \qquad \text{(empty-def)}
$$

• As the dist-pattern characterises the minimal distance in the temporal observation interval, at least one train is approaching iff for all temporal subintervals the distance of the nearest train is between λ1 and λ2, that is
$$
\text{appr} \stackrel{\text{df}}{=} \Box_{\vec e_t}\big(\text{dist}(T, \vec e_x, r) \land \lambda_1 \le r < \lambda_2\big) \qquad \text{(appr-def)}
$$

• The definition of crossing is similar.
$$
\text{cross} \stackrel{\text{df}}{=} \Box_{\vec e_t}\big(\text{dist}(T, \vec e_x, r) \land r < \lambda_1\big) \qquad \text{(cross-def)}
$$

• To rule out systems that have a train on the crossing right from the beginning, we require the track to be empty initially.
$$
\ell_{\vec e_t} > 0 \Rightarrow (\text{empty}\ \langle\vec e_t\rangle\ \text{true}) \qquad \text{(empty-init)}
$$

Train The movement of the nearest train should be continuous and bounded by its minimal and maximal velocity.

• The velocity of the nearest train is always less than its maximal velocity νmax.
$$
\neg\Diamond_{\vec e_t}\Diamond_{\vec e_x}\Big(\big((\lceil\neg T\rceil \land r_1 = \ell_{\vec e_x}) \lor \text{dist}(T, \vec e_x, r_1)\big)\ \langle\vec e_t\rangle\ \big(\text{dist}(T, \vec e_x, r_2) \land r_2 < r_1 - \ell_{\vec e_t}\cdot\nu_{max}\big)\Big) \qquad \text{(maxSpeed-req)}
$$

This formula reads as follows. If we can chop the interval in temporal direction such that the minimum position of the nearest train is r1 in the first part and r2 in the second, the difference between both positions must be below ℓ_{e⃗t}·νmax. The term ℓ_{e⃗t}·νmax is the maximal distance the train can have covered in the second interval. If there is no train at the temporal beginning of the interval, its position r1 is above the length ℓ_{e⃗x} of the observation interval, and the assumption r1 = ℓ_{e⃗x} is a safe abstraction.

• Thus far, continuity of the movement is not required. To prevent trains from arbitrarily appearing, disappearing, moving more slowly than νmin or moving backwards, we require
$$
\neg\Diamond_{\vec e_t}\Diamond_{\vec e_x}\Big(\big(\text{dist}(T, \vec e_x, r_1) \land r_1 > 0\big)\ \langle\vec e_t\rangle\ \big(\text{dist}(T, \vec e_x, r_2) \land (\neg(r_1 - \ell_{\vec e_t}\cdot\nu_{min} \ge r_2 \ge r_1 - \ell_{\vec e_t}\cdot\nu_{max}) \lor \lceil\neg T\rceil)\big)\Big). \qquad \text{(continuity-req)}
$$
This formula states the following: if the position of the train is r1 and above zero, then in every temporally adjacent interval the position of the train must be within the spatial interval [r1 − ℓ_{e⃗t}·νmin, r1 − ℓ_{e⃗t}·νmax]. It can be at position r1 − ℓ_{e⃗t}·νmin if the train is moving with minimal speed, and at position r1 − ℓ_{e⃗t}·νmax if it is moving with full speed. Actually, this requirement is not needed for the proof of the safety property. If the train disappears after being in the approaching phase, the gates do not need to be closed, and in this interval the minimal distance of a train is again greater than λ2. If a train actually reaches the crossing, the requirement (maxSpeed-req) ensures that the train has been in the approaching phase beforehand: if it entered directly from beyond λ2, it would be too fast. Nevertheless, the property is needed to prove the utility requirement.
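The dist-pattern, the rule (dist-min), the abbreviations empty, appr and cross, and the requirement (maxSpeed-req) can be exercised on a discretised track. The following Python is an added example, not code from the thesis: the track is a list of temporal snapshots, each a list of booleans over the positions 0..L−1 giving the observable T, and time advances by one unit per snapshot. The train trajectory, the track length 10 and the constants λ1 = 3, λ2 = 9 are constructed sample values; the function names are assumptions of this example, and for (maxSpeed-req) only temporal chops of the window are enumerated.

```python
"""Discrete semantics of the dist-pattern (added example, not from the thesis).

The track is one spatial dimension x = 0..L-1; time is a list of snapshots.
occ[t][x] is True where the observable T (track occupied by a train) holds.
dist() returns the length of the maximal initial spatial interval on which T
is false throughout the temporal window, i.e. the minimal distance of the
nearest train over time.  It is 0 if a train is at x = 0 at some instant and
L if no train is present at all (the r = l_x abstraction of maxSpeed-req).
"""
from typing import List, Optional

Occupancy = List[List[bool]]


def first_occupied(row: List[bool]) -> int:
    """Position of the nearest train in one snapshot, or len(row) if none."""
    for x, occupied in enumerate(row):
        if occupied:
            return x
    return len(row)


def dist(occ: Occupancy) -> int:
    """dist(T, e_x, r) holds for the window exactly when r == dist(occ)."""
    return min(first_occupied(row) for row in occ)


def dist_min_holds(occ: Occupancy) -> bool:
    """(dist-min): the distance on any temporal subinterval is >= the distance on the whole."""
    whole = dist(occ)
    n = len(occ)
    return all(dist(occ[a:b]) >= whole for a in range(n) for b in range(a + 1, n + 1))


def phase(row: List[bool], lam1: int, lam2: int) -> Optional[str]:
    """Classify one snapshot by the abbreviations empty / appr / cross.
    None: a train is visible in the window but beyond the detection distance lam2."""
    r = first_occupied(row)
    if r == len(row) and len(row) >= lam2:
        return "empty"
    if lam1 <= r < lam2:
        return "appr"
    if r < lam1:
        return "cross"
    return None


def max_speed_ok(occ: Occupancy, vmax: int) -> bool:
    """Discrete reading of (maxSpeed-req) over temporal chops of the window:
    for every temporal subwindow [a, b) chopped at c, the distance r2 on the
    second part may not fall below r1 - (b - c) * vmax (one time unit per snapshot).
    Spatial subwindows are not enumerated; the whole track width is used."""
    n = len(occ)
    for a in range(n):
        for c in range(a + 1, n):
            for b in range(c + 1, n + 1):
                r1 = dist(occ[a:c])
                r2 = dist(occ[c:b])
                if r2 < r1 - (b - c) * vmax:
                    return False
    return True


def make_track(length: int, firsts: List[int], train_len: int = 2) -> Occupancy:
    """Constructed sample trajectory: in snapshot t the nearest train occupies
    cells firsts[t] .. firsts[t] + train_len - 1 (firsts[t] >= length: no train)."""
    return [[f <= x < f + train_len for x in range(length)] for f in firsts]


# Constructed sample: a track of 10 cells with lambda_2 = 9 and lambda_1 = 3,
# and a train entering at full speed (2 cells per time unit) up to the crossing.
TRACK = make_track(10, [10, 8, 6, 4, 2, 0])
LAMBDA_1, LAMBDA_2 = 3, 9


def phases(occ: Occupancy = TRACK) -> List[Optional[str]]:
    """Phase of every snapshot of the sample trajectory."""
    return [phase(row, LAMBDA_1, LAMBDA_2) for row in occ]
```

With νmax = 2 the sample trajectory satisfies the speed requirement in every temporal chop; with νmax = 1 the very first chop (no train, then a train at distance 8 one time unit later) violates it, which is exactly the "entering from beyond λ2 too fast" situation the text describes.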

Gate We use the same approach for modelling the behaviour of the gate. We use a second spatial dimension to model the angle of the gate. In doing so, we demonstrate how non-spatial properties can be mapped onto spatial properties. We denote this dimension by ϑ and specify the following assumptions on the gate behaviour. The current position of the gate is modelled by an observable G such that the point at which G becomes true for the first time indicates the current angle. The gate has four states, g-open, g-closed, g-opening and g-closing, which are defined as follows:

• In state g-closing, the gate is closing with an angular rate of ψ. As G is required by gate-range-assm to be always true somewhere, this requirement is simpler than the one for the train.
$$
\text{g-closing} \stackrel{\text{df}}{=} \neg\Diamond_{\vec e_t}\Big(\text{dist}(G, \vec e_\vartheta, \alpha)\ \langle\vec e_t\rangle\ \big(\text{dist}(G, \vec e_\vartheta, \alpha') \land \alpha' \ne \max(0, \alpha - (\psi\cdot\ell_{\vec e_t}))\big)\Big) \qquad \text{(4.1) (gate-closing-def)}
$$

• In state g-opening the gate opens with angular rate ψ, i.e.,
$$
\text{g-opening} \stackrel{\text{df}}{=} \ell_{\vec e_\vartheta} > 90 \Rightarrow \Box_{\vec e_t}\big(\text{dist}(G, \vec e_\vartheta, \alpha)\ \langle\vec e_t\rangle\ \text{dist}(G, \min(90, \alpha + (\psi\cdot\ell_{\vec e_t})))\big) \qquad \text{(4.2)}
$$

• In states g-open and g-closed the angle is constantly 90 and 0, respectively.
$$
\text{g-open} \stackrel{\text{df}}{=} \ell_{\vec e_\vartheta} > 90 \Rightarrow \Box_{\vec e_t}\,\text{dist}(G, \vec e_\vartheta, 90) \qquad \text{(4.3)}
$$
$$
\text{g-closed} \stackrel{\text{df}}{=} \ell_{\vec e_\vartheta} > 90 \Rightarrow \Box_{\vec e_t}\,\text{dist}(G, \vec e_\vartheta, 0) \qquad \text{(4.4)}
$$

These definitions serve only as abbreviations. The behaviour of the gate is captured by the subsequent requirements.

• The position of the gate is always between 0 and 90.
$$
\Box_{\vec e_t}\big(\ell_{\vec e_\vartheta} > 90 \Rightarrow \Diamond_{\vec e_\vartheta}\lceil G\rceil\big) \qquad \text{(gate-range-assm)}
$$

• If the track is non-empty, i.e., a train is approaching or crossing, the gate controller is in state g-closing or g-closed.
$$
\Box_{\vec e_t}\big((\Box_{\vec e_t}\neg\text{empty}) \Rightarrow (\text{g-closing} \lor \text{g-closed} \lor (\text{g-closing}\ \langle\vec e_t\rangle\ \text{g-closed}))\big) \qquad \text{(react-assm)}
$$

• If the track is empty, the controller is in state g-opening or g-open.
$$
\Box_{\vec e_t}\big(\text{empty} \Rightarrow \text{g-opening} \lor \text{g-open} \lor (\text{g-open}\ \langle\vec e_t\rangle\ \text{g-open})\big) \qquad \text{(open-assm)}
$$

4.1.3 Verification

It is to be verified that the system is safe, that is, the gates are closed when the crossing is occupied by a train.

Upper bound for closing time At first we derive an upper bound δ for the closing time of the gate. We verify for the time bound δ = 90/ψ that after an approaching period of δ the gates are closed, i.e.,
$$
\Box_{\vec e_t}\big(((\Box_{\vec e_t}\neg\text{empty}) \land \ell_{\vec e_t} > \delta) \Rightarrow (\text{true}\ \langle\vec e_t\rangle\ \text{g-closed})\big) \qquad \text{(closeDur-assm)}
$$

Proof.
$$
\begin{aligned}
& \Box_{\vec e_t}\neg\text{empty} \land \ell_{\vec e_t} > \delta \\
& \{\text{By (react-assm)}\} \\
\Rightarrow\;& (\text{g-closing} \lor \text{g-closed} \lor (\text{g-closing}\ \langle\vec e_t\rangle\ \text{g-closed})) \land \ell_{\vec e_t} > \delta.
\end{aligned}
$$
For the second and third case of the disjunction the proof is finished. So we prove the remaining case.
$$
\begin{aligned}
& \text{g-closing} \land \ell_{\vec e_t} > \delta \\
& \{\text{By (gate-closing-def)}\} \\
\Rightarrow\;& \text{dist}(G, \vec e_\vartheta, \alpha)\ \langle\vec e_t\rangle\ \big(\text{dist}(G, \vec e_\vartheta, \alpha') \land \alpha' = \max(0, \alpha - (\psi\cdot\ell_{\vec e_t})) \land \ell_{\vec e_t} = \delta\big) \land \alpha' \le 90 \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \big(\text{dist}(G, \vec e_\vartheta, \alpha') \land \alpha' = \max(0, \alpha - (\psi\cdot\delta))\big) \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \big(\text{dist}(G, \vec e_\vartheta, \alpha') \land \alpha' = \max(0, \alpha - 90)\big) \\
& \{\text{By (gate-range-assm)}\} \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \text{dist}(G, 0) \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \text{g-closed}
\end{aligned}
$$

Establishing a lower temporal bound on the approaching phase In pure temporal modelling [ORS96, DD97], there is a lower bound ε, specified axiomatically, that the fastest train must spend in the approaching phase. This requirement is obtained as a natural consequence if the modelling considers space. It is formally given by the following formula.
$$
\neg\Diamond_{\vec e_t}\big(\text{empty}\ \langle\vec e_t\rangle\ \ell_{\vec e_t} < \varepsilon\ \langle\vec e_t\rangle\ \text{cross}\big). \qquad \text{(t-fast)}
$$

In our spatio-temporal modelling this lower bound corresponds to the time a train moving at the maximal velocity νmax takes to cover the approaching zone of length λ2 − λ1. So ε is given by
$$
\varepsilon = \frac{\lambda_2 - \lambda_1}{\nu_{max}}. \qquad \text{(eps-def)}
$$

Proof. We prove Formula t-fast by contradiction.
$$
\begin{aligned}
& \Diamond_{\vec e_t}\big(\text{empty}\ \langle\vec e_t\rangle\ \ell_{\vec e_t} < \varepsilon\ \langle\vec e_t\rangle\ \text{cross}\big) \\
& \{\text{By Definitions empty-def and cross-def}\} \\
\Rightarrow\;& \Diamond_{\vec e_t}\big(\lceil\neg T\rceil \land \ell_{\vec e_x} \ge \lambda_2\ \langle\vec e_t\rangle\ \ell_{\vec e_t} < \varepsilon\ \langle\vec e_t\rangle\ \Box_{\vec e_t}(\text{dist}(T, \vec e_x, r_2) \land r_2 < \lambda_1)\big) \\
& \{\text{By Definition dist-def}\} \\
\Rightarrow\;& \Diamond_{\vec e_t}\big(\text{dist}(T, \vec e_x, r_1) \land r_1 \ge \lambda_2\ \langle\vec e_t\rangle\ \ell_{\vec e_t} < \varepsilon\ \langle\vec e_t\rangle\ \Box_{\vec e_t}(\text{dist}(T, \vec e_x, r_2) \land r_2 < \lambda_1)\big) \\
& \{\text{By dist-min}\} \\
\Rightarrow\;& \Diamond_{\vec e_t}\big(\text{dist}(T, \vec e_x, r_1) \land r_1 \ge \lambda_2\ \langle\vec e_t\rangle\ (\Box_{\vec e_t}(\text{dist}(T, \vec e_x, r_2') \land r_2' < \lambda_1) \land \ell_{\vec e_t} < \varepsilon)\big) \\
& \{\text{By Equation (eps-def)}\} \\
\Rightarrow\;& \Diamond_{\vec e_t}\big(\text{dist}(T, \vec e_x, r_1) \land r_1 \ge \lambda_2\ \langle\vec e_t\rangle\ (\Box_{\vec e_t}(\text{dist}(T, \vec e_x, r_2') \land r_2' < \lambda_1) \land \nu_{max}\,\ell_{\vec e_t} < \lambda_2 - \lambda_1)\big) \\
& \{\text{By transitivity of } < \text{ and } \le \text{ and the definition of } \Box_{\vec e_t}\} \\
\Rightarrow\;& \Diamond_{\vec e_t}\big(\text{dist}(T, \vec e_x, r_1)\ \langle\vec e_t\rangle\ (\text{dist}(T, \vec e_x, r_2') \land \nu_{max}\,\ell_{\vec e_t} < \lambda_2 - \lambda_1 \land \lambda_2 - \lambda_1 < r_1 - r_2)\big)
\end{aligned}
$$
This is a contradiction to maxSpeed-req.

Verification of the safety property Using the previous properties, the main safety requirement
$$
\Box_{\vec e_t}(\text{cross} \Rightarrow \text{g-closed}) \qquad \text{(safety)}
$$
can be proven. The proof is purely temporal, as the spatial properties have been successfully refined to temporal properties. The chain of arguments is similar to [ORS96].

Proof. We prove the safety property by contradiction.
$$
\begin{aligned}
& \text{true}\ \langle\vec e_t\rangle\ \text{cross} \land \neg\text{g-closed}\ \langle\vec e_t\rangle\ \text{true} \\
& \{\text{By (empty-init)}\} \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \text{empty}\ \langle\vec e_t\rangle\ \text{true}\ \langle\vec e_t\rangle\ \text{cross} \land \neg\text{g-closed}\ \langle\vec e_t\rangle\ \text{true} \\
& \{\text{empty and cross are contradicting}\} \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \text{empty}\ \langle\vec e_t\rangle\ \Box_{\vec e_t}\neg\text{empty}\ \langle\vec e_t\rangle\ \text{cross} \land \neg\text{g-closed}\ \langle\vec e_t\rangle\ \text{true} \\
& \{\text{By (t-fast)}\} \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \text{empty}\ \langle\vec e_t\rangle\ \Box_{\vec e_t}\neg\text{empty} \land \ell_{\vec e_t} > \varepsilon\ \langle\vec e_t\rangle\ \text{cross} \land \neg\text{g-closed}\ \langle\vec e_t\rangle\ \text{true} \\
& \{\text{By } \delta < \varepsilon \text{ and (closeDur-assm)}\} \\
\Rightarrow\;& \text{true}\ \langle\vec e_t\rangle\ \Box_{\vec e_t}\neg\text{empty} \land \ell_{\vec e_t} > \varepsilon\ \langle\vec e_t\rangle\ \text{cross} \land \neg\text{g-closed} \land \text{g-closed}\ \langle\vec e_t\rangle\ \text{true}
\end{aligned}
$$

Verification of the Utility Property The utility property can be proven similarly. We can first derive a minimal time
$$
\xi_1 = \frac{90}{\psi}
$$
for the gate to open. Secondly, we derive an upper bound
$$
\xi_2 = \frac{\lambda_2 - \lambda_1}{\nu_{min}}
$$
on the time a train uses to cross the approaching segment, using the assumption on the minimal velocity νmin. These properties can be derived in the same way as for the safety requirement. Having established this, we can prove the utility requirement
$$
\big(\neg\text{cross} \land \ell_{\vec e_t} > \xi_1 + \xi_2 \Rightarrow (\ell_{\vec e_t} = \xi_2\ \langle\vec e_t\rangle\ \text{g-open}\ \langle\vec e_t\rangle\ \ell_{\vec e_t} = \xi_1)\big)
$$
using a proof similar to the ones given in [DD97, ORS96].
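The four bounds derived in this section, δ and ε for safety and ξ1, ξ2 for utility, can be computed from the parameters and cross-checked against a step simulation of the worst case the safety proof argues about. The following Python is an added example, not part of the thesis: bounds() evaluates (closeDur-assm), (eps-def) and the two utility bounds, analytically_safe() checks the side condition δ < ε used in the safety proof, and simulate_fastest_train() lets a train enter at νmax while the gate, open at 90, closes at rate ψ from the moment the track becomes non-empty (react-assm). The parameter values are constructed, and the function and field names are assumptions of this example; exact rationals avoid rounding at the boundaries.

```python
"""Parameter bounds of the Generalised Railroad Crossing (added example, not
from the thesis).  bounds() computes the derived bounds, analytically_safe()
checks the side condition delta < eps of the safety proof, and the step
simulation replays the worst case: a train entering at nu_max while the gate,
open at 90 degrees, closes at angular rate psi as soon as the train is detected
at distance lam2 (react-assm).
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict


@dataclass(frozen=True)
class GrcParams:
    lam1: Fraction      # the gate must be closed when a train is this close
    lam2: Fraction      # detection distance
    nu_min: Fraction    # slowest train
    nu_max: Fraction    # fastest train
    psi: Fraction       # angular rate of the gate, degrees per time unit


def bounds(p: GrcParams) -> Dict[str, Fraction]:
    """closeDur-assm: delta = 90/psi; eps-def: eps = (lam2 - lam1)/nu_max;
    utility: xi1 = 90/psi (opening time), xi2 = (lam2 - lam1)/nu_min (slowest approach)."""
    return {
        "delta": Fraction(90) / p.psi,
        "eps": (p.lam2 - p.lam1) / p.nu_max,
        "xi1": Fraction(90) / p.psi,
        "xi2": (p.lam2 - p.lam1) / p.nu_min,
    }


def analytically_safe(p: GrcParams) -> bool:
    """The safety proof uses delta < eps: the gate is closed before the fastest
    train can have covered the approaching zone."""
    b = bounds(p)
    return b["delta"] < b["eps"]


def simulate_fastest_train(p: GrcParams, dt: Fraction = Fraction(1)) -> bool:
    """Step the worst-case scenario with step dt; return False if the train is
    ever inside lam1 while the gate angle is still above 0 (cross but not g-closed)."""
    pos = p.lam2 + p.nu_max * dt          # start one step outside detection range
    angle = Fraction(90)                  # g-open
    while pos >= 0:
        pos -= p.nu_max * dt
        if pos <= p.lam2:                 # track non-empty: g-closing / g-closed
            angle = max(Fraction(0), angle - p.psi * dt)
        else:                             # track empty: g-opening / g-open
            angle = min(Fraction(90), angle + p.psi * dt)
        if pos <= p.lam1 and angle > 0:
            return False
    return True


# Constructed parameter sets: the same track and trains, two gate speeds.
SAFE = GrcParams(lam1=Fraction(50), lam2=Fraction(200),
                 nu_min=Fraction(2), nu_max=Fraction(10), psi=Fraction(9))
UNSAFE = GrcParams(lam1=Fraction(50), lam2=Fraction(200),
                   nu_min=Fraction(2), nu_max=Fraction(10), psi=Fraction(5))
```

For SAFE the bounds are δ = 10 < ε = 15 and the simulated gate reaches 0 before the train reaches λ1; for UNSAFE, δ = 18 > ε = 15 and the simulation shows the train at λ1 with the gate still at 10 degrees. At δ = ε exactly the side condition fails while this step simulation, which lets the gate close during the same step in which the train is detected, still reports safe; the analytic condition is the one the proof relies on.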

4.2 Car Platooning

Secondly, we outline an application of Shape Calculus to parts of a larger real-world case study involving numerous concurrent and autonomous moving agents. We model car platooning on highways. Each car itself constitutes a mobile real-time agent. The individual behaviour of each car can be specified by means of standard techniques for real-time systems, e.g., PLC-Automata. However, the safety and operation of the overall system crucially depend on the spatial configurations of the whole system. We demonstrate that the spatial properties in this case study can be modelled naturally in Shape Calculus. We consider movement of cars and merging of platoons. In [HESV91] these manoeuvres are modelled by automata specifying assumptions on the environment.

4.2.1 Informal Description

The Car Platooning [HESV91] case study stems from the Program on Advanced Technology for the Highway (PATH) of the University of California [PAT]. The aim is to increase the highway capacity and simultaneously decrease travel time without building new roads. An Intelligent Vehicle/Highway System (IVHS) is proposed, organising the traffic on the highway in platoons of closely spaced vehicles. Platoons may consist of 20 vehicles; the headway within a platoon is 1m and the headway between platoons is 60m. To ensure safety under these conditions, the vehicles in each platoon are under automatic control. The controllers provide platoon manoeuvres for merging and splitting platoons and changing lanes for single cars (so-called free agents). Each platoon consists of one leader, that is the first car in the platoon, and a number of followers.

4.2.2 Modelling cars and roles

In [HESV91] each car possesses a hardwired identifier. Hence, we employ an observable car with range {0 . . . maxCar} reflecting the car identifier. We assume that 0 is not used as a car identifier and use it to mark the empty segment. We abbreviate car = 0 by E (for empty) and car > 0 by C. Each car may either be a leader, a follower, or a free agent. This is represented by an observable role with range {Leader, Follower, FreeAgent, NoCar}. We will abbreviate role = Leader by L, role = Follower by F and role = FreeAgent by FA. To express that each car has one of the roles defined above, we require
$$
\bigwedge_{id=1}^{maxCar} \Box_{\vec e_t}\Box_{\vec e_x}\big(\lceil car = id\rceil \Rightarrow (\lceil F\rceil \lor \lceil L\rceil \lor \lceil FA\rceil)\ \langle\vec e_t\rangle\ \text{true}\big).
$$
In every spatio-temporal subinterval that is occupied by the car with identifier id, this car is initially either a follower, a leader, or a free agent. Subsequently, we show that movement of cars and merging of platoons can be specified concisely in Shape Calculus.

4.2.3 Movement of individual cars

The continuous movement of individual cars can be specified using the cont-move-pattern introduced in Chapter 3.

4.2.4 Distance

We can use the distance pattern to specify the headways within platoons as the distance between followers and between followers and leaders. The headway between platoons is the distance between leaders and followers.

4.2.5 Merging

If the longitudinal sensor of a leader detects a car ahead at a distance of less than 60m, the leader may request to merge both platoons, accelerate, and become a follower. This is specified as follows.
$$
\begin{aligned}
\Box_{\vec e_t}\Box_{\vec e_x}\Big(& \ell_{\vec e_t} > \tau_{react} \land \big((\neg(\text{true}\ \langle\vec e_x\rangle\ \lceil\neg L\rceil)\ \langle\vec e_x\rangle\ \lceil E\rceil \land \ell_{\vec e_x} \le 60\ \langle\vec e_x\rangle\ \neg(\lceil\neg E\rceil\ \langle\vec e_x\rangle\ \text{true}))\ \langle\vec e_t\rangle\ \text{true}\big) \\
\Rightarrow\;& \big(\ell_{\vec e_t} = \tau_{react}\ \langle\vec e_t\rangle\ (\neg(\text{true}\ \langle\vec e_x\rangle\ \lceil\neg(L \lor F)\rceil)\ \langle\vec e_x\rangle\ \lceil E\rceil\ \langle\vec e_x\rangle\ \neg(\lceil\neg E\rceil\ \langle\vec e_x\rangle\ \text{true})\ \langle\vec e_t\rangle\ \text{true})\big)\Big).
\end{aligned}
$$
This specification is expressed in Shape Calculus in an assumption-commitment style. The assumption is that the observation interval can be chopped in temporal direction such that at first the distance between the platoon leader and the last car of the platoon ahead is less than or equal to 60 meters. The commitment is that after a reaction time of τreact the leader may become a follower. On the other hand, if there is no other platoon ahead, a leader may not become a follower. This is expressed by
$$
\begin{aligned}
\Box_{\vec e_t}\Box_{\vec e_x}\Big(& \ell_{\vec e_t} > \tau_{react} \land \big((\neg(\text{true}\ \langle\vec e_x\rangle\ \lceil\neg L\rceil)\ \langle\vec e_x\rangle\ \lceil E\rceil \land \ell_{\vec e_x} > 60\ \langle\vec e_x\rangle\ \text{true})\ \langle\vec e_t\rangle\ \text{true}\big) \\
\Rightarrow\;& \big(\ell_{\vec e_t} = \tau_{react}\ \langle\vec e_t\rangle\ (\neg(\text{true}\ \langle\vec e_x\rangle\ \lceil\neg L\rceil)\ \langle\vec e_x\rangle\ \lceil E\rceil\ \langle\vec e_x\rangle\ \text{true})\ \langle\vec e_t\rangle\ \text{true}\big)\Big).
\end{aligned}
$$
So we have shown that the basic manoeuvres considered in the car platooning case study can be modelled in Shape Calculus. Instead of specifying assumptions on the interaction of the physical environment with the car controller, we can present a direct and more natural modelling compared with [HESV91].

4.3 Road Runner

4.3.1 Informal Description

The Road Runner¹ is a mobile robot that moves on a table with maximal speed, randomly changing its direction. It has a sensor attached to its front which is used to locate the boundary. We abstract from a concrete mission of the robot and concentrate on the safe movement of the robot. The controller has to ensure the movement of the robot but prevent the robot from falling off the table. This case study demonstrates that a formal modelling neglecting spatial aspects is insufficient. Additionally, this case study is generic in the sense that real autonomous robots have similar safety requirements. At first we demonstrate that a modelling of the system that considers only the real-time aspects falls short in this case. Afterwards, we show how to specify the assumptions on the environment and the physical design of the robot that are needed to prove the safety requirement. Finally, we derive a formal proof of the safety property.

4.3.2 Modelling the Controller

At first we specify the behaviour of the controller. This is done in pure Duration Calculus using the subset DC Implementables [Rav95], as no spatial requirements arise here. The controller of the Road Runner has two states run and turn. In state run the robot drives both wheels with the same constant velocity ν. In state turn the left wheel is driven forward while the right wheel is driven backwards, which in effect turns the robot in place to the right. We use an observable state with two possible values run and turn to model the internal state of the controller. The environment interacts with the controller by activating the sensor. This is modelled using an observable sensor with two values, signal (signalling the edge of the table) and idle. The formal specification of this system is given by the following DC formulae. Initially the robot is in state run.
$$
(\lceil run\rceil\ ;\ \text{true}) \lor \lceil\rceil \qquad \text{(Init)}
$$

¹ This case study stems from an advanced practical course on real-time systems under the supervision of H. Dierks [DPS+01].

[Figure 4.3: The Road Runner (Unsafe Design)]

The state run can only be followed by turn and vice versa.
$$
\lceil run\rceil \longrightarrow \lceil run \lor turn\rceil \qquad \text{(Seq-1)}
$$
$$
\lceil turn\rceil \longrightarrow \lceil run \lor turn\rceil \qquad \text{(Seq-2)}
$$

When the robot is in state run and the sensor signals an edge, the robot changes its state within at most ε time units.
$$
\lceil run \land signal\rceil \xrightarrow{\ \varepsilon\ } \lceil\neg run\rceil \qquad \text{(Sync)}
$$

The state turn may not be left as long as the sensor signals an edge.
$$
\lceil turn \land signal\rceil \longrightarrow \lceil turn\rceil \qquad \text{(Stab)}
$$
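The DC Implementables above can be checked mechanically against a sampled trace of the controller, which is also how one would validate a recorded log of the synthesised PLC program against its specification. The following Python is an added example, not part of the thesis: a trace is a list of (state, sensor) samples taken once per time unit, and each function decides one of (Init), (Seq-1)/(Seq-2), (Sync) and (Stab) on it. (Sync) is read here as ¬♦(⌈run ∧ signal⌉ ∧ ℓ = ε ; ⌈run⌉), i.e. once run ∧ signal has lasted ε time units the state must change. The traces and ε = 2 are constructed sample data; the function names are assumptions of this example.

```python
"""Trace checker for the Road Runner controller requirements (added example,
not from the thesis).  A trace is a list of per-time-unit samples (state, sensor)
with state in {"run", "turn"} and sensor in {"signal", "idle"}.  Each function
decides one of the DC Implementables formulae (Init), (Seq-1)/(Seq-2), (Sync)
and (Stab) on the sampled trace; eps is a count of sampling steps.
"""
from typing import List, Tuple

Sample = Tuple[str, str]       # (state, sensor)
STATES = {"run", "turn"}


def check_init(trace: List[Sample]) -> bool:
    """(Init): (<run> ; true) or point interval -- the robot starts in run."""
    return not trace or trace[0][0] == "run"


def check_seq(trace: List[Sample]) -> bool:
    """(Seq-1), (Seq-2): every phase is followed by run or turn, i.e. the
    state observable never takes a value outside {run, turn}."""
    return all(state in STATES for state, _ in trace)


def check_sync(trace: List[Sample], eps: int) -> bool:
    """(Sync): <run and signal> --eps--> <not run>, read as
    not eventually(<run and signal> with length eps ; <run>): once run and signal
    has lasted eps time units the next sample must be not-run.  Hence a maximal
    run-and-signal block may not exceed eps samples, and a block of exactly eps
    samples may only be followed by turn (or the end of the trace)."""
    i, n = 0, len(trace)
    while i < n:
        if trace[i] == ("run", "signal"):
            j = i
            while j < n and trace[j] == ("run", "signal"):
                j += 1
            length = j - i
            if length > eps:
                return False
            if length == eps and j < n and trace[j][0] == "run":
                return False
            i = j
        else:
            i += 1
    return True


def check_stab(trace: List[Sample]) -> bool:
    """(Stab): <turn and signal> --> <turn>, i.e. not eventually(<turn and signal> ; <not turn>):
    the sample after a turn-and-signal sample must still be turn."""
    return all(not (a == ("turn", "signal") and b[0] != "turn")
               for a, b in zip(trace, trace[1:]))


def check_controller(trace: List[Sample], eps: int) -> List[str]:
    """Names of the requirements violated by the trace (empty list: all hold)."""
    results = {
        "Init": check_init(trace),
        "Seq": check_seq(trace),
        "Sync": check_sync(trace, eps),
        "Stab": check_stab(trace),
    }
    return [name for name, ok in results.items() if not ok]


# Constructed sample traces, eps = 2 time units.
GOOD_TRACE: List[Sample] = [
    ("run", "idle"), ("run", "idle"), ("run", "signal"), ("run", "signal"),
    ("turn", "signal"), ("turn", "signal"), ("turn", "idle"), ("run", "idle"),
]
# Reacts too late: run and signal last 3 > eps time units.
LATE_TRACE: List[Sample] = [
    ("run", "idle"), ("run", "signal"), ("run", "signal"), ("run", "signal"), ("turn", "signal"),
]
# Leaves turn while the sensor still signals the edge.
UNSTABLE_TRACE: List[Sample] = [
    ("run", "signal"), ("turn", "signal"), ("run", "idle"),
]
```

check_controller(GOOD_TRACE, 2) reports no violation, LATE_TRACE violates (Sync) and UNSTABLE_TRACE violates (Stab); a trace starting in turn violates (Init). The checker only covers the controller: as the text goes on to show, a trace can satisfy all four formulae and the robot can still fall off the table, because the spatial position is not part of this specification.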

The control mode of the system depends only on the moment in time and not on a position in space. This is expressed by the requirement that for every moment in time the control mode is constant for all points in space, i.e.,
$$
\Box_{\vec e_t}\big(\lceil\rceil_{\vec e_t} \Rightarrow \lceil run\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T} \lor \lceil turn\rceil_{[\vec e_x^{\,3},\vec e_y^{\,3}]^T}\big). \qquad \text{(mode-indep)}
$$

This specification can be synthesised into PLC-Automata, which in turn can be translated into C code for BrickOS on Lego Mindstorms. If we can guarantee a reaction time ε < 0.1·length/ν, the distance ν·ε that is covered during the reaction time ε is only 10% of the length length of the robot. This seems safe because, by inspection of the hardware, the robot's wheels remain on the table when their distance does not exceed 10% of the length. However, a robot implemented this way is not safe and will fall off the table eventually. This problem cannot be formally investigated without considering the spatial position.

4.3.3 Modelling the Environment

To specify the safety requirement of the Road Runner, we need to model the environment, namely the table. We use the observable A to model the area the robot is allowed to occupy, i.e., the table in our case. The lower left corner of the table is positioned at (λ^ta_x, λ^ta_y) and has a size of δ^ta_x × δ^ta_y. This is specified in the following assumption:
$$
\lceil\neg A\rceil \land \ell_{\vec e_x} = \lambda^{ta}_x\ \langle\vec e_x\rangle\ \big(\lceil\neg A\rceil \land \ell_{\vec e_y} = \lambda^{ta}_y\ \langle\vec e_y\rangle\ \lceil A\rceil \land \ell_{\vec e_x} = \delta^{ta}_x \land \ell_{\vec e_y} = \delta^{ta}_y\ \langle\vec e_y\rangle\ \lceil\neg A\rceil\big)\ \langle\vec e_x\rangle\ \lceil\neg A\rceil \qquad \text{(table)}
$$

This formula also guarantees the following.

• The table is immobile.
• The table does not disappear at some moment in time.
• The table does neither shrink nor grow.
• The table is a rectangle. In particular, it is convex.

Additionally, we require that the robot is initially positioned on the table.
$$
\lceil R \Rightarrow A\rceil\ \langle\vec e_t\rangle\ \text{true} \qquad \text{(init-pos)}
$$

[Figure 4.4: Spatial parameters of a) the robot (width δ^r_x, height δ^r_y, wheel and sensor offsets ϱ1 to ϱ5) and b) the table (corner at (λ^t_x, λ^t_y), extent δ^t_x × δ^t_y).]

This shows that there are several reasonable assumptions on the environment that are required in order to guarantee safety. In Shape Calculus these assumptions are to be stated clearly and formally. In a purely temporal approach such assumptions are only present implicitly. It is necessary that all participants in the system development process are aware of these assumptions.

4.3.4 Modelling the Road Runner

In this section we present a formal Shape Calculus modelling of the Road Runner with the unsafe design as shown in Figure 4.3 and Figure 4.4 a). The formal model shall then exhibit the unsafe behaviour of the system. We employ two observables to specify the spatial position of the robot and the table.

Specifying Shape Employing the ideas developed in the Design Pattern chapter, we specify the shape of the Road Runner. As depicted in Figure 4.5 a) we use the observable R for the Road Runner, the observable S for the edge detection sensor of the Road Runner, and the observable W for the wheels. We need to specify that the sensor S and the wheels W are only true inside the robot R. This is expressed by
$$
\lceil (S \lor W) \Rightarrow R\rceil. \qquad \text{(inside)}
$$

[Figure 4.5: a) Representing the Road Runner robot by the observables R, S (sensor) and W (wheels); b) Specifying the sensor position by chops, with ℓ_{e⃗x} = ϱ3 indicated.]

Interior and Dimension

The robot has a width of δ_x^r and a height of δ_y^r as specified in Figure 4.4. The positions of sensors and wheels are defined by separate formulae r-sensor-pos and r-wheel-pos but are required to lie in the interior of the Road Runner. Considering only the robot, this is specified by the following formula.

$$\text{r-interior} \stackrel{df}{=} \lceil R \rceil \wedge \text{r-sensor-pos} \wedge \text{r-wheel-pos} \wedge \ell_{\vec e_x} = \delta^r_x \wedge \ell_{\vec e_y} = \delta^r_y$$

This requirement states that the interior satisfies ⌈R⌉, i.e., the observable used for the robot, the assumptions on wheel and sensor position, and the width and height.

Position of the Sensor

We now specify the position of the sensors according to Figure 4.4. Figure 4.5 b) illustrates that the interior is first chopped in x direction and then chopped twice in y direction. For better readability only one measure is indicated in the figure. So the position of the sensor is expressed by the following formula asserting the respective sizes on each interval.

$$\text{r-sensor-pos} \stackrel{df}{=} \lceil \neg S \rceil \wedge \ell_{\vec e_x} = \varrho_3 \;\langle \vec e_x \rangle\; \big(\lceil \neg S \rceil \wedge \ell_{\vec e_y} = \varrho_2 \;\langle \vec e_y \rangle\; (\lceil S \rceil \wedge \ell_{\vec e_x} = \delta^r_x - \varrho_3 \wedge \ell_{\vec e_y} = \delta^r_y - 2\varrho_2) \;\langle \vec e_y \rangle\; \lceil \neg S \rceil\big)$$

Position of the Wheels

The position of both wheels is specified similarly by repeated chops.

$$\text{r-wheel-pos} \stackrel{df}{=} \lceil \neg W \rceil \wedge \ell_{\vec e_x} = \varrho_4 \;\langle \vec e_x \rangle\; \big(\lceil W \rceil \wedge \ell_{\vec e_y} = \varrho_1 \;\langle \vec e_y \rangle\; \lceil \neg W \rceil \;\langle \vec e_y \rangle\; \lceil W \rceil \wedge \ell_{\vec e_y} = \varrho_1\big) \;\langle \vec e_x \rangle\; \lceil \neg W \rceil$$

Integration into the Environment

So far, we have derived a specification of the single robot. In order to specify movement, we need to consider larger spatial observation intervals. Hence, we require for these larger intervals that the robot as specified above is always present somewhere in the observation interval. At first, we do not consider a possible rotation of the robot and require that the observation interval can be split twice in x direction and twice in y direction such that the middle part satisfies the specification of the shape of the robot.

$$\text{r-shape} \stackrel{df}{=} \lceil \neg R \rceil \;\langle \vec e_x \rangle\; \big(\lceil \neg R \rceil \;\langle \vec e_y \rangle\; \text{r-interior} \;\langle \vec e_y \rangle\; \lceil \neg R \rceil\big) \;\langle \vec e_x \rangle\; \lceil \neg R \rceil$$

To handle rotations, we use a rotation matrix. The rotation of points by an angle α in the x-y plane is specified by the transformation matrix m_α.

$$m_\alpha = \begin{pmatrix} \cos\alpha & -\sin\alpha & 0 \\ \sin\alpha & \cos\alpha & 0 \end{pmatrix}$$

As time is the third dimension under consideration and we project onto the x-y plane, the transformation matrix needs to be 2 × 3, omitting the last, i.e., temporal, dimension. Using this transformation matrix and the generalised transformation introduced in Section 2.2.1, this yields the following specification of a rotated robot somewhere in the observation interval.

$$\text{r-rotate}(\alpha) \stackrel{df}{=} \lceil\rceil_{\vec e_t} \wedge (m_\alpha)\,\text{r-shape}$$

This formula is parametrised by the rotation angle α such that it can be used to specify that the Road Runner robot is always present somewhere, employing quantification over the angle.

$$\Box_{\vec e_t}\big(\lceil\rceil_{\vec e_t} \Rightarrow \exists \alpha : \text{r-rotate}(\alpha)\big) \quad (\text{r-occur})$$

Specifying Behaviour

According to the specification of the controller, the robot has two operational modes, turning and driving. We describe the dependency between the operational mode and the spatial position.

Turning

We now formally specify the rotation phase assuming a constant angular velocity ψ:

$$\text{turn-phase} \stackrel{df}{=} \Box_{\vec e_t}\big((\lceil\rceil_{\vec e_t} \wedge \text{r-rotate}(\alpha_1) \;\langle \vec e_t \rangle\; \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \lceil\rceil_{\vec e_t} \wedge \text{r-rotate}(\alpha_2)) \Rightarrow \alpha_2 = \alpha_1 + \psi \cdot t \bmod 360\big) \wedge \forall \vec d : \text{cont-move}(R, \vec d, 0)$$

This formula reads as follows: for all temporal subintervals, if the rotation angle equals α_1 at the beginning and α_2 at the end and t time units have passed in between, then the condition α_2 = α_1 + ψ t needs to be met. Additionally, the position of the robot may not change, which is expressed with the help of the cont-move pattern determining the Cartesian coordinates.

Driving

The running mode is specified using the cartesian2D pattern and prohibiting turning of the robot.

$$\begin{aligned}
\text{run-phase} \stackrel{df}{=} \exists \alpha : \big( & \Box_{\vec e_t}(\lceil\rceil_{\vec e_t} \Rightarrow \text{r-rotate}(\alpha)) \wedge & (4.5a)\\
& \forall x_1, y_1, x_2, y_2 : \Box_{\vec e_t}((\lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(R, x_1, y_1) \;\langle \vec e_t \rangle & (4.5b)\\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle & (4.5c)\\
& \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(R, x_2, y_2)) & (4.5d)\\
& \Rightarrow x_2 = x_1 + (t \cdot \nu)\cos(\alpha) & (4.5e)\\
& \wedge\; y_2 = y_1 + (t \cdot \nu)\sin(\alpha))\big) & (4.5f)
\end{aligned}$$

In (4.5a) the formula requires that the rotation angle α remains constant. The movement is forward, thus in the direction given by α. This is expressed by determining the Cartesian coordinates of R at the beginning in (4.5b), waiting for t time units in (4.5c) before determining the coordinates again in (4.5d). The conditions in (4.5e) and (4.5f) ensure that the robot moves with velocity ν in direction α.

Connecting the Controller and Physical Behaviour

We can now augment the non-spatial specification from the previous section by a spatial specification using the following link:

$$\Box_{\vec e_t}\big(\lceil \text{run} \rceil \Rightarrow \text{run-phase} \wedge \lceil \text{turn} \rceil \Rightarrow \text{turn-phase}\big) \quad (\text{movement})$$

Vice versa, we have to specify that the sensor signal is activated if and only if the sensor is no longer detecting the table.

$$\Box_{\vec e_t}\big(\lceil \text{signal} \rceil \Longleftrightarrow \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil S \wedge \neg A \rceil\big) \quad (\text{sensor-sig})$$

4.3.5 Revealing Unsafety

In trying to prove the safety of the overall system, one starts with the assumption $\Diamond\lceil W \wedge \neg A \rceil$, i.e., a wheel is in an unsafe state, and tries to derive a contradiction. However, if we assume a wheel to be off the table, we cannot even conclude that the sensor is triggered, as there is an interpretation, depicted in Figure 4.6, that satisfies all assumptions and yields an unsafe situation.

[Figure 4.6: Road Runner in unsafe position (axes x, y and time, scaled 1.0 to 4.0).]

4.3.6 Modification of the Design

Software Modification

As it is often impossible to enhance system safety by adding new hardware features, we first consider a solution that ensures safety of the system by modifying the control software. We impose the additional requirement that the robot may only turn by exactly 90 degrees and require a starting position along the x-axis. To this end, we modify the stability condition to ensure that the turn phase holds for at least 90/ψ time units.

$$\lceil \neg \text{turn} \rceil \;\langle \vec e_t \rangle\; \lceil \text{turn} \rceil \xrightarrow{\;\le 90/\psi\;} \lceil \text{turn} \rceil \quad (\text{Stab}')$$

We add a progress condition ensuring that the turn phase does not hold for more than 90/ψ + ε time units for some small timing variance ε.

$$\lceil \text{turn} \rceil \xrightarrow{\;90/\psi + \varepsilon\;} \lceil \neg \text{turn} \rceil \quad (\text{Prog}')$$

However, this approach is not promising, as the timing is not exact enough to ensure that the robot always turns by exactly 90 degrees.

Hardware Modification

To overcome these difficulties, we add an additional sensor in front and change the design as sketched in Figure 4.7 a). To ensure that the sensors are triggered if a wheel leaves the table, they are attached outside beyond the wheels. This leads to a modification of the formula describing the interior of the robot, using the additional observables S_1 and S_2 for the sensors and W_1 and W_2 to distinguish the wheels. We will use S and W as abbreviations for the expressions S_1 ∨ S_2 and W_1 ∨ W_2 respectively. The formula describing the sensor position uses one chop in the x direction and two chops in the y direction.

[Figure 4.7: Road Runner: a) The enhanced design (measures δ_x^r, δ_y^r, ϱ_3, ϱ_4, ϱ_5, ϱ'_1, ϱ'_2; sensors, wheels and rotation circle). b) Observables used for modelling (R, S_1, S_2, W_1, W_2, C).]

$$\text{r-sensor-pos}' \stackrel{df}{=} \lceil \neg S_1 \wedge \neg S_2 \rceil \wedge \ell_{\vec e_x} = \varrho_3 \;\langle \vec e_x \rangle\; \big(\lceil S_1 \wedge \neg S_2 \rceil \wedge \ell_{\vec e_y} = \varrho'_2 \;\langle \vec e_y \rangle\; \lceil \neg S_1 \wedge \neg S_2 \rceil \wedge \ell_{\vec e_x} = \delta^r_x - \varrho_3 \wedge \ell_{\vec e_y} = \delta^r_y - 2\varrho'_2 \;\langle \vec e_y \rangle\; \lceil \neg S_1 \wedge S_2 \rceil \wedge \ell_{\vec e_y} = \varrho'_2\big)$$

The observable R models the surrounding rectangle, and as the sensors are outside beyond the wheels, the specification of the wheels is changed to the following formula:

$$\begin{aligned}
\text{r-wheel-pos}' \stackrel{df}{=}\; & \lceil \neg W_1 \wedge \neg W_2 \rceil \wedge \ell_{\vec e_x} = \varrho_4 \;\langle \vec e_x \rangle\; \ell_{\vec e_x} = \delta^r_x - \varrho_4 - \varrho_5 \wedge \\
& \big(\lceil \neg W_1 \wedge \neg W_2 \rceil \wedge \ell_{\vec e_y} = \varrho'_2 \;\langle \vec e_y \rangle\; \\
& \lceil W_1 \wedge \neg W_2 \rceil \wedge \ell_{\vec e_y} = \tfrac{1}{2}(\delta^r_y - \varrho'_1 - 2\varrho'_2) \;\langle \vec e_y \rangle\; \\
& \lceil \neg W_1 \wedge \neg W_2 \rceil \wedge \ell_{\vec e_y} = \varrho'_1 \;\langle \vec e_y \rangle\; \\
& \lceil \neg W_1 \wedge W_2 \rceil \wedge \ell_{\vec e_y} = \tfrac{1}{2}(\delta^r_y - \varrho'_1 - 2\varrho'_2) \;\langle \vec e_y \rangle\; \\
& \lceil \neg W_1 \wedge \neg W_2 \rceil \wedge \ell_{\vec e_y} = \varrho'_2\big) \;\langle \vec e_x \rangle\; \lceil \neg W_1 \wedge \neg W_2 \rceil .
\end{aligned}$$

[Figure 4.8: The Road Runner (Revised Design)]

Turning in place

By construction, the robot is capable of turning in place. This is modelled by an observable marking the imaginary circle of the robot that remains unchanged during turning. We introduce an auxiliary observable C defining the circle the wheels of the robot go along when it is turning. This is indicated in Figure 4.7.

We use a declarative approach and specify all properties of C needed for the proof without giving a precise specification of the circle. We assume that the imaginary rotation circle C is contained in the robot

$$\lceil C \Rightarrow R \rceil \quad (\text{circle-in-robot})$$

and that the wheels are contained in the rotation circle

$$\lceil W_1 \vee W_2 \Rightarrow C \rceil \quad (\text{wheel-in-robot})$$

Furthermore, we modify the interior requirement by adding the following condition ensuring a distance of µ between the imaginary rotation circle and the sensors.

$$\lceil \neg C \wedge \neg S_1 \wedge \neg S_2 \rceil \;\langle \vec e_x \rangle\; \Diamond\lceil C \rceil \wedge \lceil \neg S_1 \wedge \neg S_2 \rceil \;\langle \vec e_x \rangle\; \lceil \neg C \wedge \neg S_1 \wedge \neg S_2 \rceil \wedge \ell_{\vec e_x} = \mu \;\langle \vec e_x \rangle\; \Diamond\lceil S_1 \rceil \wedge \Diamond\lceil S_2 \rceil \wedge \lceil \neg C \rceil \quad (\text{stopping-dist})$$

The distance µ is to be chosen greater than or equal to the stopping distance of the robot when moving with velocity ν. Thereby, it is guaranteed that the robot comes to a stop early enough that turning the robot will keep all wheels safely on the table. To ensure that C is a circle, we require that there is no direction \vec d such that the diameter of C in direction \vec d is not equal to r; this is the circle pattern.

$$\forall \vec d : \neg\Diamond\big((\vec d \neq 0 \wedge \vec d.t = 0) \wedge (\lceil\rceil_{\vec e_t} \wedge (\lceil \neg C \rceil \;\langle \vec d \rangle\; \lceil C \rceil \wedge \ell_{\vec d} \neq r \;\langle \vec d \rangle\; \lceil \neg C \rceil))\big) \quad (\text{C-circle})$$

To specify that C is the imaginary rotation circle, we modify the definition of the turning phase and require the Cartesian coordinates of the circle to remain unchanged while the robot is turning.

$$\begin{aligned}
\text{turn-phase}' \stackrel{df}{=}\; \forall x_1, x_2, y_1, y_2\; \Box_{\vec e_t}\big( & \lceil\rceil_{\vec e_t} \wedge \text{r-rotate}(\alpha_1) \wedge \text{cartesian2D}(C, x_1, y_1) \;\langle \vec e_t \rangle\; \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \lceil\rceil_{\vec e_t} \wedge \text{r-rotate}(\alpha_2) \wedge \text{cartesian2D}(C, x_2, y_2) \\
& \Rightarrow \alpha_2 = \alpha_1 + \psi \cdot t \bmod 360 \wedge x_1 = x_2 \wedge y_1 = y_2\big)
\end{aligned}$$

Furthermore, the robot may not perform instantaneous jumps when changing from mode turn to run and vice versa. This is specified by the following requirements. They determine the Cartesian coordinates at the end of the turn phase and compare them with the coordinates at the beginning of the subsequent run phase, and vice versa.

$$\neg\Diamond\big(\lceil \text{turn} \rceil \wedge (\text{true} \;\langle \vec e_t \rangle\; \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_1, y_1)) \;\langle \vec e_t \rangle\; \lceil \text{run} \rceil \wedge (\lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_2, y_2) \;\langle \vec e_t \rangle\; \text{true}) \wedge (x_1 \neq x_2 \vee y_1 \neq y_2)\big) \quad (\text{mode-change-1})$$

$$\neg\Diamond\big(\lceil \text{run} \rceil \wedge (\text{true} \;\langle \vec e_t \rangle\; \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_1, y_1)) \;\langle \vec e_t \rangle\; \lceil \text{turn} \rceil \wedge (\lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_2, y_2) \;\langle \vec e_t \rangle\; \text{true}) \wedge (x_1 \neq x_2 \vee y_1 \neq y_2)\big) \quad (\text{mode-change-2})$$

4.3.7 Verifying Safety

Proof Outline

The verification of the Road Runner proceeds as follows. First, we prove that turning is a safe operation, that is, if the robot is safe before it starts turning, then it remains safe. More precisely, the rotation circle will not leave the table while the robot is turning. Subsequently, we show that when the robot is in mode run, a sensor must be activated if the robot evolves to an unsafe state, i.e., leaves the table. This has to take the direction of the movement into account. From the design of the robot we derive a minimal time it takes for the robot running at maximum speed to move the rotation circle off the table after activating the sensors. Finally, from this we derive a contradiction to the specified reaction time. In Table 4.1 we have summarised the relevant parameters for the Road Runner case study.

Turning is Safe

The main property of the imaginary rotation circle is that it remains at the same position during the turn phase. Hence, if the rotation circle is completely on the table, then it remains on the table during the turn phase.

Lemma 4.2. If the robot is turning and in a safe position, then it remains safe, i.e.,

$$\neg\Diamond_{\vec e_t}\big(\lceil \text{turn} \rceil \wedge \lceil \neg C \vee A \rceil \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil\big)$$

Parameter   Description
δ_x^ta      The width of the table.
δ_y^ta      The height of the table.
λ_x^ta      The horizontal position of the table.
λ_y^ta      The vertical position of the table.
δ_x^r       The width of the robot.
δ_y^r       The height of the robot.
ν           The velocity of the robot.
µ           The minimal distance between rotation circle C and sensors.

Table 4.1: Parameters relevant for the verification of the Road Runner.

Proof. The idea is to take two temporal snapshots, the first satisfying

$$\lceil \neg C \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t},$$

i.e., describing a safe situation where the circle C rests completely on the table A, and the second describing an unsafe situation where this is not the case, i.e., which satisfies

$$\lceil C \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t}.$$

By the specification of the turn phase and the assumption (mode-change-1), the Cartesian coordinates of the rotation circle C must agree for both snapshots. As the rotation circle is required to have a constant diameter r, this yields a contradiction, since the table A remains at a constant position over time. The formal proof is by contradiction, assuming the converse, i.e., an interpretation, valuation and polyhedron satisfying

$$\Diamond_{\vec e_t}\big(\lceil \text{turn} \rceil \wedge \lceil \neg C \vee A \rceil \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil\big)$$

{We take two snapshots inside the intervals using the rule $\lceil \pi \rceil \Rightarrow \Diamond_{\vec e_t}\big(\lceil \pi \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t}\big)$.}

$$\Rightarrow \Diamond_{\vec e_t}\big(\lceil \text{turn} \rceil \wedge (\lceil \neg C \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \;\langle \vec e_t \rangle\; \text{true}) \;\langle \vec e_t \rangle\; (\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \lceil\rceil_{\vec e_t}\big)$$

{We identify the spatial positions using the cartesian2D pattern.}

$$\begin{aligned}
\Rightarrow \exists x_1, x_2, y_1, y_2 : \Diamond_{\vec e_t}\big( & \lceil \text{turn} \rceil \wedge (\lceil \neg C \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_1, y_1) \;\langle \vec e_t \rangle\; \text{true}) \;\langle \vec e_t \rangle\; \\
& (\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x_2, y_2)\big)
\end{aligned}$$

{turn-phase' and (mode-change-1)}

$$\begin{aligned}
\Rightarrow \exists x, y : \Diamond_{\vec e_t}\big( & \lceil \text{turn} \rceil \wedge (\lceil \neg C \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x, y) \;\langle \vec e_t \rangle\; \text{true}) \;\langle \vec e_t \rangle\; \\
& (\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x, y)\big)
\end{aligned}$$

{table and (C-circle) and cartesian2D}

$$\begin{aligned}
\Rightarrow \exists x, y : \Diamond_{\vec e_t}\big( & \lceil \neg C \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x, y) \\
& \wedge \lambda^{ta}_x \le x \le x + r \le \lambda^{ta}_x + \delta^{ta}_x \wedge \lambda^{ta}_y \le y \le y + r \le \lambda^{ta}_y + \delta^{ta}_y \;\langle \vec e_t \rangle\; \text{true} \;\langle \vec e_t \rangle\; \\
& (\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil)_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{cartesian2D}(C, x, y) \\
& \wedge (\lambda^{ta}_x \ge x \vee x + r \ge \lambda^{ta}_x + \delta^{ta}_x \vee \lambda^{ta}_y \ge y \vee y + r \ge \lambda^{ta}_y + \delta^{ta}_y)\big)
\end{aligned}$$

This yields the contradiction and finishes the proof.

Running

After having shown that turning does not violate the safety requirement, we now consider the running phase. To this end, we first establish a relation between the Cartesian coordinates of the robot as used in the formula specifying the running phase and the positions of sensors and wheels. The following lemma relates the Cartesian coordinates of the lower left corner of the surrounding rectangle of the robot, as determined by the cartesian2D pattern, to

1. the upper right corner of the surrounding rectangle,
2. the upper right corner of the surrounding rectangle of the sensors, and
3. the upper right corner of the surrounding rectangle of the rotation circle.

Lemma 4.3.

$$\begin{aligned}
& \text{cartesian2D}(R, x_1, y_1) \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge 0 \le \alpha \le 90 & (4.6a)\\
& \wedge (\text{true} \;\langle \vec e_x \rangle\; \neg\lceil \neg R \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_x} = x' \;\langle \vec e_x \rangle\; \lceil \neg R \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6b)\\
& \wedge (\text{true} \;\langle \vec e_y \rangle\; \neg\lceil \neg R \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_y} = y' \;\langle \vec e_y \rangle\; \lceil \neg R \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6c)\\
& \wedge (\text{true} \;\langle \vec e_x \rangle\; \neg\lceil \neg S \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_x} = x'' \;\langle \vec e_x \rangle\; \lceil \neg S \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6d)\\
& \wedge (\text{true} \;\langle \vec e_y \rangle\; \neg\lceil \neg S \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_y} = y'' \;\langle \vec e_y \rangle\; \lceil \neg S \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6e)\\
& \wedge (\text{true} \;\langle \vec e_x \rangle\; \neg\lceil \neg C \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_x} = x''' \;\langle \vec e_x \rangle\; \lceil \neg C \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6f)\\
& \wedge (\text{true} \;\langle \vec e_y \rangle\; \neg\lceil \neg C \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \ell_{\vec e_y} = y''' \;\langle \vec e_y \rangle\; \lceil \neg C \rceil_{[\vec e^3_x, \vec e^3_y]^T} & (4.6g)\\
\Rightarrow\; & x' = x'' = x_1 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) & (4.6h)\\
& \wedge\; y' = y'' = y_1 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) & (4.6i)\\
& \wedge\; x''' = x_1 + (\delta^r_x - \mu)\cos(\alpha) + \delta^r_y\sin(\alpha) & (4.6j)\\
& \wedge\; y''' = y_1 + (\delta^r_x - \mu)\sin(\alpha) + \delta^r_y\cos(\alpha) & (4.6k)
\end{aligned}$$

In (4.6a) the variables x_1 and y_1 are bound to the lower left corner of the rectangle surrounding R by the cartesian2D pattern, the variable α is bound to the rotation angle and it is assumed that the angle is between zero and 90 degrees. In (4.6b) the variable x' is bound to the x coordinate of the upper right corner of the rectangle for R and in (4.6c) y' is bound similarly. In (4.6d) and (4.6e) the variables x'' and y'' are bound to the coordinates of the rectangle surrounding the sensors. Similarly, in (4.6f) and (4.6g) the variables x''' and y''' are bound to the coordinates of the rotation circle. Finally, in (4.6h) up to (4.6k) the coordinates are related.

Proof. Figure 4.9 depicts the results of applying the chop operations on the polyhedron as specified by the premises. Geometry immediately yields

$$x_a = \delta^r_y \sin(\alpha), \quad x_b = \delta^r_x \cos(\alpha), \quad y_a = \delta^r_x \sin(\alpha), \quad y_b = \delta^r_y \cos(\alpha)$$

[Figure 4.9: Chopping according to the premises of Lemma 4.3 (labels x_1, x' = x'', x''', x_a, x_b, y' = y'', y''', y_a, y_b, µ and α).]

from which the conclusion follows directly. This lemma is used to verify that a sensor is activated when the robot leaves the table.

Lemma 4.4. The robot can only evolve from a completely safe position, where it rests completely on the table, to an unsafe position in running mode by activating a sensor.

$$\neg\Diamond_{\vec e_t}\big(\lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \text{true} \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil)\big)$$

Proof. In this proof we integrate linear algebraic reasoning into the spatio-temporal deduction. We assume the converse and derive a contradiction.

$$\Diamond_{\vec e_t}\big(\lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \text{true} \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil)\big)$$

⇒ {Taking two snapshots similar to the previous proof.}

$$\Diamond_{\vec e_t}\big(\lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \;\langle \vec e_t \rangle\; \text{true} \;\langle \vec e_t \rangle\; \Diamond_{\vec e_t}\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T})\big)$$

⇒ {Determining rotation and position.}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2))\big)
\end{aligned}$$

⇒ {By definition of run}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_2 = x_1 + (t \cdot \nu)\cos(\alpha) \wedge y_2 = y_1 + (t \cdot \nu)\sin(\alpha))\big)
\end{aligned}$$

Case 0 ≤ α ≤ 90: As the first snapshot satisfies ⌈¬R ∨ A⌉, using the definition of table and Lemma 4.3 yields the following condition on x_1 and y_1.

$$\begin{aligned}
\Rightarrow \exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \\
& \wedge x_1 > \lambda^{ta}_x \wedge y_1 > \lambda^{ta}_y \\
& \wedge x_1 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_2 = x_1 + (t \cdot \nu)\cos(\alpha) \wedge y_2 = y_1 + (t \cdot \nu)\sin(\alpha))\big)
\end{aligned}$$

As the second snapshot represents an unsafe situation, the same argument yields the negated condition on x_2 and y_2.

$$\begin{aligned}
\Rightarrow \exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \\
& \wedge x_1 > \lambda^{ta}_x \wedge y_1 > \lambda^{ta}_y \\
& \wedge x_1 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_2 = x_1 + (t \cdot \nu)\cos(\alpha) \wedge y_2 = y_1 + (t \cdot \nu)\sin(\alpha) \\
& \wedge \neg(x_2 > \lambda^{ta}_x \wedge y_2 > \lambda^{ta}_y \\
& \qquad \wedge x_2 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \wedge y_2 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y))\big)
\end{aligned}$$

For α ∈ [0, 90] the values of sin(α) and cos(α) are non-negative and therefore x_2 ≥ x_1 and y_2 ≥ y_1.

$$\begin{aligned}
\Rightarrow \exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \\
& \wedge x_1 > \lambda^{ta}_x \wedge y_1 > \lambda^{ta}_y \\
& \wedge x_1 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_2 = x_1 + (t \cdot \nu)\cos(\alpha) \wedge y_2 = y_1 + (t \cdot \nu)\sin(\alpha) \\
& \wedge x_2 > \lambda^{ta}_x \wedge y_2 > \lambda^{ta}_y \\
& \wedge \neg(x_2 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \wedge y_2 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y))\big)
\end{aligned}$$

By the definition of r-interior and Lemma 4.3 a sensor must be activated.

$$\begin{aligned}
\Rightarrow \exists \alpha, x_1, x_2, y_1, y_2, t : \Diamond_{\vec e_t}\big( & \lceil \text{run} \wedge \neg S \rceil \wedge (\lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \\
& \wedge x_1 > \lambda^{ta}_x \wedge y_1 > \lambda^{ta}_y \\
& \wedge x_1 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil R \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_2 = x_1 + (t \cdot \nu)\cos(\alpha) \wedge y_2 = y_1 + (t \cdot \nu)\sin(\alpha) \\
& \wedge x_2 > \lambda^{ta}_x \wedge y_2 > \lambda^{ta}_y \\
& \wedge \neg(x_2 + \delta^r_x\sin(\alpha) + \delta^r_y\cos(\alpha) < \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \wedge y_2 + \delta^r_x\cos(\alpha) + \delta^r_y\sin(\alpha) < \lambda^{ta}_y + \delta^{ta}_y) \\
& \wedge \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil (S_1 \vee S_2) \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T})\big)
\end{aligned}$$

Other cases: These are proven similarly.

After having established that a sensor is activated when the robot leaves the table, it remains to show that there is enough time for the robot to stop after a sensor has been activated.

Lemma 4.5. Due to the maximal velocity of the robot, there is a lower bound on the time the robot takes to move from a safe to an unsafe position in running mode. This lower bound is the quotient of the minimal distance µ between the sensors and the rotation circle and the maximal velocity ν.

¬ ♦(d¬R ∨ Ae h~et i `~et
λx + δx

$$\wedge\; y_2 \ge \lambda^{ta}_y \wedge y_2 + \delta^r_y\cos(\alpha) + (\delta^r_x - \mu)\sin(\alpha) > \lambda^{ta}_y + \delta^{ta}_y\big)$$

⇒ {By definition of run and maximal velocity ν.}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2 : \Diamond\big( & \lceil \text{run} \rceil \wedge \lceil \neg R \vee A \rceil_{[\vec e^3_x, \vec e^3_y]^T} \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_1, y_1) \;\langle \vec e_t \rangle\; \\
& \ell_{\vec e_t} = t < \tfrac{\mu}{\nu} \;\langle \vec e_t \rangle\; (\Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil_{[\vec e^3_x, \vec e^3_y]^T}) \wedge \lceil\rceil_{\vec e_t} \wedge \text{r-rotation}(\alpha) \wedge \text{cartesian2D}(R, x_2, y_2) \\
& \wedge x_1 \ge \lambda^{ta}_x \wedge x_1 + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) \le \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 \ge \lambda^{ta}_y \wedge y_1 + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) \le \lambda^{ta}_y + \delta^{ta}_y \\
& \wedge \neg(x_2 \ge \lambda^{ta}_x \wedge x_2 + \delta^r_y\sin(\alpha) + (\delta^r_x - \mu)\cos(\alpha) > \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \wedge y_2 \ge \lambda^{ta}_y \wedge y_2 + \delta^r_y\cos(\alpha) + (\delta^r_x - \mu)\sin(\alpha) > \lambda^{ta}_y + \delta^{ta}_y) \\
& \wedge x_2 = x_1 + t\nu\cos(\alpha) \wedge y_2 = y_1 + t\nu\sin(\alpha)\big)
\end{aligned}$$

⇒ {As 0 ≤ α ≤ 90, cos(α) and sin(α) are positive and x_2 ≥ x_1 and y_2 ≥ y_1.}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2 : \; & t < \tfrac{\mu}{\nu} \wedge x_1 \ge \lambda^{ta}_x \wedge x_1 + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) \le \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 \ge \lambda^{ta}_y \wedge y_1 + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) \le \lambda^{ta}_y + \delta^{ta}_y \\
& \wedge (x_2 + \delta^r_y\sin(\alpha) + (\delta^r_x - \mu)\cos(\alpha) > \lambda^{ta}_x + \delta^{ta}_x \;\vee\; y_2 + \delta^r_y\cos(\alpha) + (\delta^r_x - \mu)\sin(\alpha) > \lambda^{ta}_y + \delta^{ta}_y) \\
& \wedge x_2 = x_1 + t\nu\cos(\alpha) \wedge y_2 = y_1 + t\nu\sin(\alpha)
\end{aligned}$$

⇒ {Substituting x_2 and y_2.}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2, t : \; & t < \tfrac{\mu}{\nu} \wedge x_1 \ge \lambda^{ta}_x \wedge x_1 + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) \le \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 \ge \lambda^{ta}_y \wedge y_1 + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) \le \lambda^{ta}_y + \delta^{ta}_y \\
& \wedge (x_1 + t\nu\cos(\alpha) + \delta^r_y\sin(\alpha) + (\delta^r_x - \mu)\cos(\alpha) > \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \vee\; y_1 + t\nu\sin(\alpha) + \delta^r_y\cos(\alpha) + (\delta^r_x - \mu)\sin(\alpha) > \lambda^{ta}_y + \delta^{ta}_y)
\end{aligned}$$

⇒ {Rearranging the equations}

$$\begin{aligned}
\exists \alpha, x_1, x_2, y_1, y_2, t : \; & t < \tfrac{\mu}{\nu} \wedge x_1 \ge \lambda^{ta}_x \wedge x_1 + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) \le \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 \ge \lambda^{ta}_y \wedge y_1 + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) \le \lambda^{ta}_y + \delta^{ta}_y \\
& \wedge (x_1 + t\nu\cos(\alpha) + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) - \mu\cos(\alpha) > \lambda^{ta}_x + \delta^{ta}_x \\
& \qquad \vee\; y_1 + t\nu\sin(\alpha) + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) - \mu\sin(\alpha) > \lambda^{ta}_y + \delta^{ta}_y)
\end{aligned}$$

$$\begin{aligned}
\Rightarrow \exists \alpha, x_1, x_2, y_1, y_2, t : \; & t < \tfrac{\mu}{\nu} \wedge x_1 \ge \lambda^{ta}_x \wedge x_1 + \delta^r_y\sin(\alpha) + \delta^r_x\cos(\alpha) \le \lambda^{ta}_x + \delta^{ta}_x \\
& \wedge y_1 \ge \lambda^{ta}_y \wedge y_1 + \delta^r_y\cos(\alpha) + \delta^r_x\sin(\alpha) \le \lambda^{ta}_y + \delta^{ta}_y \\
& \wedge (t\nu\cos(\alpha) > \mu\cos(\alpha) \vee t\nu\sin(\alpha) > \mu\sin(\alpha))
\end{aligned}$$

⇒ {weakening to show the contradiction}

$$\exists \alpha, x_1, y_1, t : t < \tfrac{\mu}{\nu} \wedge \Big(t > \frac{\mu\cos(\alpha)}{\nu\cos(\alpha)} \vee t > \frac{\mu\sin(\alpha)}{\nu\sin(\alpha)}\Big)$$

This yields the required contradiction. The other cases are proven similarly.
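To make the geometry of Lemma 4.3 and the timing bound of Lemma 4.5 concrete, the following Python example (added here; it is not the thesis's own code, and the class, function and parameter names are this example's own) rotates the robot's rectangle with the x-y part of m_α, derives the surrounding rectangles of R and of the rotation circle C by explicit bounding-box computation, and checks them against the closed forms (4.6h) to (4.6k). It then computes the instants at which R (and so a sensor, by Lemma 4.4) and C leave the table during a run phase and confirms that the controller always has at least µ/ν to react, which is what Lemma 4.5 and Lemma 4.6 rely on. The table and robot dimensions are constructed sample values, not figures from the case study.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Table:
    """The table A of Table 4.1: position (lam_x, lam_y), width del_x, height del_y."""
    lam_x: float
    lam_y: float
    del_x: float
    del_y: float


@dataclass(frozen=True)
class Robot:
    """Width delta_x^r, height delta_y^r, sensor-to-circle distance mu, velocity nu."""
    del_x: float
    del_y: float
    mu: float
    nu: float


def rotate(px, py, alpha_deg):
    """Apply the x-y part of the rotation matrix m_alpha of Section 4.3.4 to a point."""
    a = math.radians(alpha_deg)
    return (px * math.cos(a) - py * math.sin(a), px * math.sin(a) + py * math.cos(a))


def bounding_box(points):
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    return (min(xs), min(ys), max(xs), max(ys))


def robot_boxes(x1, y1, alpha_deg, robot):
    """Surrounding rectangles (x_min, y_min, x_max, y_max) of R and of the rear part
    holding the rotation circle C, for the robot rotated by alpha with the lower-left
    corner of R's surrounding rectangle at (x1, y1), i.e. cartesian2D(R, x1, y1).
    The sensors occupy the front strip of width mu (stopping-dist), so C lies in the
    rear (del_x - mu) x del_y part."""
    dx, dy, mu = robot.del_x, robot.del_y, robot.mu
    body = [(0, 0), (dx, 0), (dx, dy), (0, dy)]            # rear-left corner at the origin
    rear = [(0, 0), (dx - mu, 0), (dx - mu, dy), (0, dy)]  # part that contains C
    rb = bounding_box([rotate(px, py, alpha_deg) for px, py in body])
    cb = bounding_box([rotate(px, py, alpha_deg) for px, py in rear])
    sx, sy = x1 - rb[0], y1 - rb[1]   # translate so that R's rectangle starts at (x1, y1)
    shift = lambda b: (b[0] + sx, b[1] + sy, b[2] + sx, b[3] + sy)
    return shift(rb), shift(cb)


def lemma_4_3(x1, y1, alpha_deg, robot):
    """Closed forms (4.6h)-(4.6k) for 0 <= alpha <= 90: the upper-right corner (x', y') of
    R (shared with the sensors) and (x''', y''') of the rotation circle."""
    a = math.radians(alpha_deg)
    dx, dy, mu = robot.del_x, robot.del_y, robot.mu
    xp = x1 + dx * math.cos(a) + dy * math.sin(a)
    yp = y1 + dx * math.sin(a) + dy * math.cos(a)
    xppp = x1 + (dx - mu) * math.cos(a) + dy * math.sin(a)
    yppp = y1 + (dx - mu) * math.sin(a) + dy * math.cos(a)
    return xp, yp, xppp, yppp


def check_lemma_4_3(x1, y1, alpha_deg, robot, tol=1e-9):
    """Confirm the closed forms against the explicitly rotated rectangles."""
    (_, _, xr, yr), (_, _, xc, yc) = robot_boxes(x1, y1, alpha_deg, robot)
    closed = lemma_4_3(x1, y1, alpha_deg, robot)
    return all(abs(a - b) < tol for a, b in zip(closed, (xr, yr, xc, yc)))


def exit_times(table, robot, x1, y1, alpha_deg):
    """Times at which R (hence a sensor, Lemma 4.4) and C first leave the table when
    running from (x1, y1) with velocity nu in direction alpha, 0 <= alpha <= 90
    (the kinematics of (4.5e)/(4.5f)). Both rectangles are assumed on the table at t = 0."""
    a = math.radians(alpha_deg)
    vx, vy = robot.nu * math.cos(a), robot.nu * math.sin(a)
    (_, _, xr, yr), (_, _, xc, yc) = robot_boxes(x1, y1, alpha_deg, robot)
    right, top = table.lam_x + table.del_x, table.lam_y + table.del_y

    def first_exit(x_max, y_max):
        candidates = []
        if vx > 0:
            candidates.append((right - x_max) / vx)
        if vy > 0:
            candidates.append((top - y_max) / vy)
        return min(candidates)

    return first_exit(xr, yr), first_exit(xc, yc)


def stops_safely(table, robot, x1, y1, alpha_deg, reaction_time):
    """Lemma 4.5: the circle leaves no earlier than mu/nu after the sensor fires, so the
    design is safe exactly when the controller reacts within that margin."""
    t_sensor, t_circle = exit_times(table, robot, x1, y1, alpha_deg)
    return t_sensor + reaction_time < t_circle


# Constructed sample values (not taken from the case study).
TABLE = Table(lam_x=0.0, lam_y=0.0, del_x=10.0, del_y=10.0)
REVISED = Robot(del_x=4.0, del_y=2.0, mu=1.0, nu=2.0)   # sensors mu ahead of the circle
UNSAFE = Robot(del_x=4.0, del_y=2.0, mu=0.0, nu=2.0)    # sensors at the wheels, mu = 0
```

With the sample values, R leaves the table at about 3.196 time units when running at 30 degrees and C exactly µ/ν = 0.5 time units later; a reaction time of 0.4 keeps the circle on the table, 0.6 does not, and the µ = 0 design of Figure 4.4 a) fails for every positive reaction time, which is the unsafety of Section 4.3.5 in numbers.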

Using these lemmas, we can now prove the main safety requirement.

Lemma 4.6 (Safety). The Road Runner robot will not fall off the table as its wheels will always remain on the table. Formally,

$$\neg\Diamond\lceil C \wedge \neg A \rceil$$

Proof. We assume the converse.

$$\Diamond\lceil C \wedge \neg A \rceil$$

⇒ {There is an earliest point in time when the property is violated.}

$$(\lceil\rceil_{\vec e_t} \vee \lceil \neg C \vee A \rceil) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil$$

⇒ {init-condition}

$$(\lceil\rceil_{\vec e_t} \vee \lceil \neg C \vee A \rceil) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil \wedge (\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \text{true})$$

⇒ {As C ⇒ R}

$$(\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \lceil \neg C \vee A \rceil) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil$$

⇒ {By Lemma 4.2, the robot remains safe in mode turn.}

$$(\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \lceil \neg C \vee A \rceil \wedge \lceil \text{run} \rceil) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil \wedge \lceil \text{run} \rceil$$

⇒ {By Lemma 4.4, the sensor is activated.}

$$(\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \lceil \neg C \vee A \rceil \wedge \lceil \text{run} \rceil \wedge \lceil \text{Sens} \rceil) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil \wedge \lceil \text{run} \rceil \wedge \lceil \text{Sens} \rceil$$

⇒ {By Lemma 4.5.}

$$(\lceil \neg R \vee A \rceil \;\langle \vec e_t \rangle\; \lceil \neg C \vee A \rceil \wedge \lceil \text{run} \rceil \wedge \lceil \text{Sens} \rceil \wedge \ell_{\vec e_t} > \tfrac{\mu}{\nu}) \;\langle \vec e_t \rangle\; \Diamond_{\vec e_x}\Diamond_{\vec e_y}\lceil C \wedge \neg A \rceil \wedge \lceil \text{run} \rceil \wedge \lceil \text{Sens} \rceil$$

This is a violation of the reaction-time requirement.

Chapter 5 Axiomatisability

Contents
5.1 Tiling Systems . . . . . . . . . . . . . . . . 141
5.2 Non-Axiomatisability . . . . . . . . . . . . . 142
5.3 Relative Axiomatisation . . . . . . . . . . . 147
    5.3.1 Interval Temporal Logic (ITL) . . . . 148
    5.3.2 Axiomatisation . . . . . . . . . . . . . 149
    5.3.3 From Shape Calculus to ITLn . . . . . 150
    5.3.4 Proving Relative Completeness . . . . 156
5.4 Related Work . . . . . . . . . . . . . . . . . 156
5.5 Conclusion . . . . . . . . . . . . . . . . . . 158

Fundamental properties of logics are decidability and axiomatisability. These properties are not only interesting from the theoretical point of view but also motivated by practical needs. Decidability of a logic concerns the question whether a given formula is a tautology. If a formalism happens to possess this property, it allows for fully automatic verification. However, decision procedures are often limited to small-scale systems due to the high complexity of the decision procedure. Monadic Second-Order Logic [Tho97] interpreted over finite or infinite words is an example of a decidable logic. A decision procedure is implemented in the MONA [HJJ+95, KM01] tool. Axiomatisability is the question whether there is a set of axioms and rules such that every valid formula can be inferred from the axioms by applying these rules. In the first part of this chapter, we show that validity for Shape Calculus is undecidable and not even recursively enumerable. By Craig's Theorem [Cra53], Shape Calculus is therefore not recursively axiomatisable. In the second part of the chapter, we provide a complete axiomatisation relative to an n-dimensional interval temporal logic, a result similar to the axiomatisation of Duration Calculus. These results are partly published in [Sch05a, Sch07].

In [HZ04] it is shown that a fragment of Duration Calculus is decidable for a discrete time domain when formulae are restricted to phase expressions ⌈·⌉, chop, and Boolean operators. This result does not transfer to Shape Calculus when considering more than one dimension. Since one-dimensional Shape Calculus and Duration Calculus coincide, validity for one-dimensional discrete Shape Calculus and this restricted subset is still decidable. We will prove the following theorem in Section 5.2.

Theorem 5.1 (Undecidability). For two dimensions and above, the set of valid SC formulae is not recursively enumerable, neither interpreted in the continuous nor in the discrete domain.

By Craig's Theorem [Cra53], a theory is recursively axiomatisable if and only if the set of valid formulae is recursively enumerable. Therefore, from the above theorem we obtain the following corollary.

Corollary 5.2 (Axiomatisability). There is no sound and complete proof system for SC.

Extending the undecidability proof in [Sch05b], we provide a reduction from a tiling problem that is not recursively enumerable. For this proof we can even restrict ourselves to the set of formulae given by the following definition.

Definition 5.3 (Restricted Shape Calculus). The subset defined by the following EBNF grammar

$$F ::= \lceil \pi \rceil \mid F \wedge G \mid \neg F \mid F \;\langle \vec e_i \rangle\; G \quad \text{where } 0 \le i \le n$$

is called Restricted n-dimensional Shape Calculus (RSC). The corresponding subset of Duration Calculus is called Restricted Duration Calculus (RDC) and is known to be decidable [HZ04] when interpreted in a discrete or continuous time domain.

For the rest of this chapter, we consider the restricted 2-dimensional Shape Calculus. Additionally, in the following we will allow the expression ℓ_{\vec e_i} = r for some fixed r, e.g., r = 1. Adding the analogous expression ℓ = r to the Restricted Duration Calculus yields undecidability in the continuous case. For the discrete case, this expression does not add expressive power, as it can be defined by the abbreviation $(\ell = 1) \stackrel{df}{=} (\lceil 1 \rceil \wedge \neg(\lceil 1 \rceil ; \lceil 1 \rceil))$. Similarly, the expression ℓ_{\vec e_i} = r can be defined in RSC as an abbreviation if discrete spatial domains are considered. So this does not add any expressive power in the discrete case.

[Figure 5.1: A Tiling using four different tiles.]

5.1 Tiling Systems

We shortly recall some results for tiling systems that will be used for the reduction. The following problem seems to be very simple. You start with a set of types of coloured tiles, and for each type you have infinitely many tiles. Is it possible to tile the whole Euclidean plane with these tiles in a way that adjacent borders of two tiles have the same colour? For simple sets of tiles this is possible, as illustrated in Figure 5.1. However, the problem whether it is possible to tile the Euclidean plane is undecidable. The problem whether there is a tiling of the Euclidean plane such that a specific tile occurs infinitely often is even Σ^1_1-complete. Compare [Har83] and [Har86] for a detailed discussion of decidability results for tiling systems.

For the proof of undecidability and non-axiomatisability we use a problem from the theory of two-dimensional (also called picture) languages, extending the theory of formal string languages. We shortly review the main definitions and results from [GR97]. We fix an alphabet Σ and a special boundary character #. A two-dimensional string (picture) over Σ is a two-dimensional rectangular matrix of elements of Σ such that the boundary is marked by the fresh symbol #. A tile p is a 2 × 2 matrix with elements in Σ ∪ {#}, and a tiling system Θ is a finite set of tiles. The local language L(Θ) for a tiling system Θ is the set of all n × m matrices such that each 2 × 2 block is in Θ, the boundaries of the matrix consist only of #, and # does not occur in the interior. Giammarresi and Restivo show in [GR97] that the emptiness problem

Given a tiling system Θ, is L(Θ) = ∅?

is undecidable. This problem can be reformulated as follows: there is no n × m matrix for n, m ∈ ℕ such that every 2 × 2 submatrix is contained in the set Θ, the boundaries of the matrix consist only of #, and # does not occur in the interior. They provide a reduction constructing a tiling system Θ for a Turing machine A such that A has no successful computation iff L(Θ) is empty. With this reduction from the termination problem of Turing machines, the emptiness problem for tiling systems is not recursively enumerable. Both problems are co-recursively enumerable.

5.2 Non-Axiomatisability

We provide a reduction of the emptiness problem for tiling systems as described above to the validity problem of Shape Calculus. For a set of tiles Θ = {p_1, ..., p_k} we define a formula F_Θ in SC such that L(Θ) ≠ ∅ iff F_Θ is satisfiable, which is equivalent to L(Θ) = ∅ iff ¬F_Θ is valid. We present an encoding which does not rely on a continuous or discrete time and space domain. Therefore, to avoid chopping at arbitrary positions, we impose a chessboard marking by a fresh observable F as a region marker to clearly identify 2 × 2 blocks in the continuous case. We specify the grid by a formula F_grid as follows:

[Figure 5.2: Sample encoding of tilings in a grid structure.]

$$\begin{aligned}
F_{grid} \stackrel{df}{=}\; & \ell_{\vec e_1} \ge 2 \wedge \ell_{\vec e_2} \ge 2 \;\wedge & (5.1a)\\
& \lceil F \Longleftrightarrow (F_1 \Longleftrightarrow F_2) \rceil \;\wedge & (5.1b)\\
& \Box_{\vec e_1}\big((\lceil F_1 \rceil \;\langle \vec e_1 \rangle\; \ell_{\vec e_1} = 1 \Rightarrow \lceil F_1 \rceil \;\langle \vec e_1 \rangle\; \lceil \neg F_1 \rceil) \;\wedge & (5.1c)\\
& \qquad (\lceil \neg F_1 \rceil \;\langle \vec e_1 \rangle\; \ell_{\vec e_1} = 1 \Rightarrow \lceil \neg F_1 \rceil \;\langle \vec e_1 \rangle\; \lceil F_1 \rceil)\big) \;\wedge & (5.1d)\\
& \ell_{\vec e_1} \ge 1 \Rightarrow (\lceil F_1 \rceil \wedge \ell_{\vec e_1} = 1 \;\langle \vec e_1 \rangle\; \text{true}) \;\wedge & (5.1e)\\
& \Box_{\vec e_2}\big((\lceil F_2 \rceil \;\langle \vec e_2 \rangle\; \ell_{\vec e_2} = 1 \Rightarrow \lceil F_2 \rceil \;\langle \vec e_2 \rangle\; \lceil \neg F_2 \rceil) \;\wedge & (5.1f)\\
& \qquad (\lceil \neg F_2 \rceil \;\langle \vec e_2 \rangle\; \ell_{\vec e_2} = 1 \Rightarrow \lceil \neg F_2 \rceil \;\langle \vec e_2 \rangle\; \lceil F_2 \rceil)\big) \;\wedge & (5.1g)\\
& \ell_{\vec e_2} \ge 1 \Rightarrow (\lceil F_2 \rceil \wedge \ell_{\vec e_2} = 1 \;\langle \vec e_2 \rangle\; \text{true}) & (5.1h)
\end{aligned}$$

We use two auxiliary observables F_1 and F_2. The observable F_1 is true on intervals [i, i+1] × [a, b] and false on [i+1, i+2] × [a, b] when i is even and a, b are arbitrary. The same holds for F_2 and the intervals [a, b] × [i, i+1] and [a, b] × [i+1, i+2] respectively. This fact can easily be proven by induction on i. The quantified subformulae (5.1c), (5.1d) and (5.1f), (5.1g) specify that a ⌈F_i⌉ slice is succeeded by a ⌈¬F_i⌉ slice and vice versa. The initial condition that the first slice has a size of 1 and satisfies ⌈F_1⌉, respectively ⌈F_2⌉, is specified separately by (5.1e) and (5.1h). The chessboard marking by F is obtained using the equivalence operation on F_1 and F_2 in (5.1b). This idea is formalised in the following lemma.

Lemma 5.4. Let I be an interpretation and k ∈ ℕ, a, b ∈ T. Then I, [0, k] × [a, b] ⊨ F_grid if and only if k ≥ 2, b − a ≥ 2, and for all i ∈ ℕ, i ≤ k and arbitrary [a', b'] ⊆ [a, b] the following holds.

$$\begin{aligned}
\alpha)\;& I, [i, i+1] \times [a', b'] \models \begin{cases} \lceil F_1 \rceil & \text{if } i \text{ is even} \\ \lceil \neg F_1 \rceil & \text{otherwise} \end{cases} \\
\beta)\;& I, [a', b'] \times [i, i+1] \models \begin{cases} \lceil F_2 \rceil & \text{if } i \text{ is even} \\ \lceil \neg F_2 \rceil & \text{otherwise} \end{cases} \\
\gamma)\;& I, [i, i+1] \times [j, j+1] \models \begin{cases} \lceil F \rceil & \text{if } i, j \text{ are both even or both odd} \\ \lceil \neg F \rceil & \text{otherwise} \end{cases}
\end{aligned}$$

Proof. "only if"

To prove α), we proceed by induction on i.

i = 0 This case is clear by (5.1a). i

i + 1 Without loss of generality, assume i is even, the other case is similar. {By (IH)} I, [i − 1, i] × [a0 , b0 ] |= d¬F1 e ⇒

I, [i − 1, i + 1] × [a0 , b0 ] |= d¬F1 e h~e1 i `~e1 = 1



{Fgrid (5.1d)} I, [i − 1, i + 1] × [a0 , b0 ] |= d¬F1 e h~e1 i dF1 e {F1 ∧ ¬F1 ≡ false}



I, [i, i + 1] × [a0 , b0 ] |= dF1 e

Case β) is analogous to case α). For case γ) assume without loss of generality i and j to be even, the other cases are similar. {By α) and β)} {(5.1b)} ⇒

144

I, [i − 1, i] × [j, j + 1] |= dF1 e ∧ dF2 e I, [i − 1, i] × [j, j + 1] |= dFe

"if": The condition (5.1a) follows from the assumption on the interval, and conditions (5.1b), (5.1e) and (5.1h) are direct consequences of $\alpha$), $\beta$), and $\gamma$). To prove (5.1c) assume $I, [a_1, b_1] \times [a, b] \models \lceil F_1 \rceil \ \langle \vec e_1 \rangle \ \ell_{\vec e_1} = 1$.
\[
\begin{array}{lll}
\Rightarrow & I, [a_1, b_1 - 1] \times [a, b] \models \lceil F_1 \rceil &\\
\Rightarrow & \exists i \in \mathbb N : i \leq a_1 \leq b_1 - 1 \leq i + 1 &\\
\Rightarrow & I, [a_1, i+1] \times [a, b] \models \lceil F_1 \rceil &\\
\Rightarrow & I, [i+1, i+2] \times [a, b] \models \lceil \neg F_1 \rceil & \{\alpha)\}\\
\Rightarrow & I, [i+1, b_1] \times [a, b] \models \lceil \neg F_1 \rceil & \{b_1 \leq i + 2\}\\
\Rightarrow & I, [a_1, b_1] \times [a, b] \models \lceil F_1 \rceil \ \langle \vec e_1 \rangle \ \lceil \neg F_1 \rceil &
\end{array}
\]

The other cases are proven similarly.

To describe a $2 \times 2$ block in this grid satisfying the observables $P_1, P_2, P_3, P_4$ in its four cells, starting with $P_1$ in the lower left corner, we use the pattern
\[
\begin{array}{ll}
F_{2 \times 2}(P_1, P_2, P_3, P_4) \stackrel{df}{=} & ((\lceil F \wedge P_1 \rceil \ \langle \vec e_1 \rangle \ \lceil \neg F \wedge P_2 \rceil) \ \langle \vec e_2 \rangle \ (\lceil \neg F \wedge P_3 \rceil \ \langle \vec e_1 \rangle \ \lceil F \wedge P_4 \rceil))\\
& \vee \ ((\lceil \neg F \wedge P_1 \rceil \ \langle \vec e_1 \rangle \ \lceil F \wedge P_2 \rceil) \ \langle \vec e_2 \rangle \ (\lceil F \wedge P_3 \rceil \ \langle \vec e_1 \rangle \ \lceil \neg F \wedge P_4 \rceil))
\end{array}
\]
Using this pattern, we assign to every tile $p_i = \begin{smallmatrix} a & b \\ c & d \end{smallmatrix}$ a formula $F_{p_i} \stackrel{df}{=} F_{2 \times 2}(a, b, c, d)$. With these sub-formulae we define $F_\Theta$ to be
\[
\begin{array}{lll}
F_\Theta \stackrel{df}{=} & F_{grid} \ \wedge & (5.2)\\
& \Box_{\vec e_1} \Box_{\vec e_2} \Big( F_{2 \times 2}(true, true, true, true) \Rightarrow \displaystyle\bigvee_{i=1}^{k} F_{p_i} \Big) \ \wedge & (5.3)\\
& \lceil \# \rceil \ \langle \vec e_1 \rangle \ (\lceil \# \rceil \ \langle \vec e_2 \rangle \ \lceil \neg \# \rceil \ \langle \vec e_2 \rangle \ \lceil \# \rceil) \ \langle \vec e_1 \rangle \ \lceil \# \rceil \ \wedge & (5.4)\\
& \displaystyle\bigwedge_{s, s' \in \Sigma,\ s \neq s'} \lceil s \Rightarrow \neg s' \rceil & (5.5)
\end{array}
\]
The second conjunct (5.3) states that each $2 \times 2$ block in the grid defined by (5.2) must be in $\Theta$, whereas the third conjunct (5.4) states that the picture must be framed by $\#$ and that $\#$ does not occur in the interior, as sketched in Figure 5.2. The last conjunct (5.5) ensures mutual exclusion of symbols. This definition provides the required reduction, as stated in the following lemma.

Lemma 5.5. With the above definition, $F_\Theta$ is satisfiable if and only if the local language $L(\Theta)$ is not empty, so $\neg F_\Theta$ is valid if and only if the local language $L(\Theta)$ is empty.

Proof. "only if": Let $I$ be a satisfying interpretation and $[0, k_1] \times [0, k_2]$ an interval such that $I, [0, k_1] \times [0, k_2] \models F_\Theta$. Note that by definition of the grid and $F_\Theta$ a satisfying interval must have integer bounds. Let $(p_{i,j})_{i,j}$ be the matrix defined by $p_{i,j} = a \Leftrightarrow I, [i, i+1] \times [j, j+1] \models \lceil a \rceil$ for $a \in \Sigma \cup \{\#\}$. By (5.5) there is at most one observable $a \in \Sigma \cup \{\#\}$ satisfied on $[i, i+1] \times [j, j+1]$, and by (5.3) there is at least one observable satisfied. Therefore $(p_{i,j})_{i,j}$ is well-defined. By (5.3) each interval of size $2 \times 2$ satisfies some $F_{p_i}$. Therefore, by construction, each $2 \times 2$ submatrix of $(p_{i,j})_{i,j}$ is in $\Theta$. Furthermore, since the boundary satisfies $\lceil \# \rceil$, the matrix boundary of $(p_{i,j})_{i,j}$ consists of $\#$. So $(p_{i,j})_{i,j} \in L(\Theta)$.

"if": Let $(p_{i,j})_{i,j} \in L(\Theta)$. Define an interpretation $I$ for the observables $a \in \Sigma \cup \{\#\}$ by
\[
I[\![a]\!](x, y) = \begin{cases} 1 & \text{if } p_{i,j} = a \wedge x \in [i, i+1],\ y \in [j, j+1]\\ 0 & \text{otherwise} \end{cases}
\]
and for the auxiliary observables by
\[
\begin{array}{l}
I[\![F_1]\!](x, y) = \begin{cases} 1 & \text{if there is an even } i \text{ such that } x \in [i, i+1]\\ 0 & \text{otherwise} \end{cases}\\[2ex]
I[\![F_2]\!](x, y) = \begin{cases} 1 & \text{if there is an even } i \text{ such that } y \in [i, i+1]\\ 0 & \text{otherwise} \end{cases}\\[2ex]
I[\![F]\!](x, y) = \begin{cases} 1 & \text{if } I[\![F_1]\!](x, y) \Leftrightarrow I[\![F_2]\!](x, y)\\ 0 & \text{otherwise} \end{cases}
\end{array}
\]
It is straightforward to see that $I, [0, i+1] \times [0, j+1] \models F_\Theta$.

We have proven so far that satisfiability corresponds to non-emptiness of local picture languages for tiling systems. Therefore validity corresponds to language emptiness, which is known to be undecidable and not recursively enumerable. By Craig's Theorem [Cra53], this proves Theorem 5.1 and Corollary 5.2.
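The grid marking, the pattern $F_{2 \times 2}$ and the two directions of Lemma 5.5, as an added example that is not part of the thesis: the chess-board observables are evaluated at real coordinates, $F_{2 \times 2}(true, true, true, true)$ is decided on an arbitrary rectangle (showing that only integer-aligned $2 \times 2$ blocks satisfy it), and a picture is checked against conjuncts (5.3) and (5.4) of $F_\Theta$ through the interpretation of the "if" part. The sample pictures and the tile set read off one of them are constructed for illustration.

```python
"""Added example (not from the thesis): the grid and tiling encoding of
Section 5.2 made executable.  Pictures, tile sets and coordinates are
constructed for illustration."""
from math import ceil, floor

HASH = "#"


def chessboard(x, y):
    """F1, F2 and the marker F of F_grid at (x, y), following the 'if' part of
    Lemma 5.5: F1 iff x lies in [i, i+1] for an even i, F2 likewise for y,
    and F iff (F1 <=> F2)."""
    f1 = any(i % 2 == 0 for i in {floor(x), ceil(x) - 1})
    f2 = any(j % 2 == 0 for j in {floor(y), ceil(y) - 1})
    return f1, f2, f1 == f2


def holds_everywhere(pred, x0, x1, y0, y1):
    """[pred] on [x0,x1] x [y0,y1] for a predicate constant on unit cells: the
    rectangle is non-empty and pred holds on every unit cell it overlaps."""
    if x1 <= x0 or y1 <= y0:
        return False
    return all(pred(i + 0.5, j + 0.5)
               for i in range(floor(x0), ceil(x1))
               for j in range(floor(y0), ceil(y1)))


def f2x2_true(x0, x1, y0, y1):
    """F_2x2(true, true, true, true) on [x0,x1] x [y0,y1]: chops along e1 at m
    and e2 at n split it into four pieces carrying F, not F, not F, F (or the
    reverse).  F is constant on unit cells, so only integer chops can succeed."""
    F = lambda x, y: chessboard(x, y)[2]
    notF = lambda x, y: not F(x, y)
    for m in range(floor(x0) + 1, ceil(x1)):
        for n in range(floor(y0) + 1, ceil(y1)):
            for p, q in ((F, notF), (notF, F)):             # the two disjuncts
                if (holds_everywhere(p, x0, m, y0, n)         # P1 lower left
                        and holds_everywhere(q, m, x1, y0, n)    # P2 lower right
                        and holds_everywhere(q, x0, m, n, y1)    # P3 upper left
                        and holds_everywhere(p, m, x1, n, y1)):  # P4 upper right
                    return True
    return False


def parse_picture(rows):
    """Rows are written top to bottom as in Figure 5.2.  Returns width, height
    and cell(i, j) = p_{i,j}, i along e1, j along e2, (0, 0) the lower left."""
    height, width = len(rows), len(rows[0])
    return width, height, lambda i, j: rows[height - 1 - j][i]


def interpretation(rows):
    """The interpretation I of the 'if' part of Lemma 5.5: I[[a]](x, y) = 1 iff
    p_{i,j} = a for a cell [i,i+1] x [j,j+1] containing (x, y)."""
    width, height, cell = parse_picture(rows)

    def I(a, x, y):
        for i in {floor(x), ceil(x) - 1}:
            for j in {floor(y), ceil(y) - 1}:
                if 0 <= i < width and 0 <= j < height and cell(i, j) == a:
                    return 1
        return 0
    return I


def tiles_of(rows):
    """All 2 x 2 blocks of a picture as (P1, P2, P3, P4) in the order of the
    pattern F_2x2: (lower left, lower right, upper left, upper right)."""
    width, height, cell = parse_picture(rows)
    return {(cell(i, j), cell(i + 1, j), cell(i, j + 1), cell(i + 1, j + 1))
            for i in range(width - 1) for j in range(height - 1)}


def satisfies_f_theta(rows, theta):
    """Conjuncts (5.3) and (5.4) of F_Theta on [0, width] x [0, height] for the
    interpretation built from the picture; (5.2) holds by Lemma 5.4 and (5.5)
    by construction, as every cell carries exactly one symbol."""
    width, height, cell = parse_picture(rows)
    I = interpretation(rows)
    symbols = {cell(i, j) for i in range(width) for j in range(height)}

    def symbol_at(i, j):   # read p_{i,j} back from I as in the 'only if' part
        return next(a for a in symbols if I(a, i + 0.5, j + 0.5))

    if width < 2 or height < 2:                            # (5.1a)
        return False
    for i in range(width):                     # (5.4): #-frame, #-free interior
        for j in range(height):
            on_frame = i in (0, width - 1) or j in (0, height - 1)
            if (symbol_at(i, j) == HASH) != on_frame:
                return False
    for x0 in range(width - 1):                # (5.3): every 2 x 2 block is a tile
        for y0 in range(height - 1):
            if f2x2_true(x0, x0 + 2, y0, y0 + 2):
                block = (symbol_at(x0, y0), symbol_at(x0 + 1, y0),
                         symbol_at(x0, y0 + 1), symbol_at(x0 + 1, y0 + 1))
                if block not in theta:
                    return False
    return True


# Constructed sample pictures (top row first); THETA is read off PICTURE,
# so L(THETA) is non-empty and PICTURE is a witness, while BROKEN is not.
PICTURE = ["#####", "#abc#", "#bca#", "#####"]
BROKEN = ["#####", "#abc#", "#bcb#", "#####"]
THETA = tiles_of(PICTURE)
```

Evaluating `f2x2_true(0, 2, 0, 2)` gives True while `f2x2_true(0.5, 2.5, 0, 2)` gives False, which is exactly the role of the marker $F$: the antecedent of (5.3) selects the integer-aligned $2 \times 2$ blocks and nothing else.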

5.3 Relative Axiomatisation

In the previous section, we have demonstrated that Shape Calculus is not axiomatisable. Despite this negative result, it is still possible to give a complete axiomatisation relative to an $n$-dimensional extension of Interval Temporal Logic ($ITL^n$). We assume an inference system for $ITL^n$, i.e., a set of inference rules such that every valid $ITL^n$ formula can be derived by finitely many applications of the inference rules. The inference relation is denoted by $\vdash_{ITL^n}$. Assuming the existence of this inference system for $ITL^n$, we derive a system for the Shape Calculus such that every valid Shape Calculus formula can be derived. Therefore, this system is called complete relative to $ITL^n$. Thereby, we extend the axiomatisation result for Duration Calculus presented in [HZ97] to Shape Calculus. Duration Calculus itself allows an axiomatisation relative to Interval Temporal Logic (ITL).

Finite Variability Assumption

For the definition of Shape Calculus, we used the weak requirement that the functions must be Riemann-integrable. However, considering axiomatisation for arbitrary Riemann-integrable functions would require an axiomatisation of the integral calculus, which is out of scope for this thesis. A treatment of this topic can be found in [Wei00]. Therefore, we require a stronger assumption: finite variability, requiring that every finite $n$-dimensional interval can be partitioned into finitely many sub-intervals of non-zero measure such that the interpretation $I$ of the observables is constant on each sub-interval. The axiomatisation result for Duration Calculus presented in [HZ97, HZ04] relies on the same finite variability requirement. Our proof follows the lines of [HZ97, HZ04]. It considers only the 2-dimensional case, but it can easily be generalised to more dimensions.

Consequences of Finite Variability

We have omitted projection in the definition of the Restricted Shape Calculus. However, under the stronger finite variability assumption given above, the projection can be obtained as an abbreviation if we restrict ourselves to projections parallel to the coordinate axes. The following equivalences hold:
\[
\begin{array}{rcl}
\lceil \pi \rceil_{\vec e_x^T} \wedge \ell > 0 & \equiv & \Box_{\vec e_x} \neg \lceil \neg \pi \rceil\\
\lceil \pi \rceil_{[\vec e_x, \vec e_y]^T} \wedge \ell > 0 & \equiv & \Box_{\vec e_x} \Box_{\vec e_y} \neg \lceil \neg \pi \rceil
\end{array}
\]
The $\Box$ modalities are derived from the chop operator and are therefore included in the subset under consideration.

5.3.1 Interval Temporal Logic (ITL)

We briefly introduce the $n$-dimensional ITL. One-dimensional ITL is discussed in [Dut95, HZ04]. $ITL^n$ uses neither state assertions nor the integral operator but instead uses flexible variables $v$ whose values depend on the interval under consideration. Furthermore, it incorporates rigid variables $x$ and the length symbols $\ell_{\vec e_i}$ as terms.

\[
\theta^{ITL^n} ::= x \mid v \mid \ell_{\vec e_i} \mid f(\theta_1^{ITL^n}, \ldots, \theta_k^{ITL^n})
\]
The semantics of flexible variables is given by an interpretation $I_{ITL^n}$ that assigns a real number to each $n$-dimensional interval. This is extended to terms as follows:
\[
\begin{array}{rcl}
I_{ITL^n}[\![x]\!](V, M) & \stackrel{df}{=} & V(x)\\
I_{ITL^n}[\![v]\!](V, M) & \stackrel{df}{=} & I(v)(M)\\
I_{ITL^n}[\![\ell_{\vec e_i}]\!](V, M) & \stackrel{df}{=} & b_i - a_i\\
I_{ITL^n}[\![f(\theta_1^{ITL^n}, \ldots, \theta_k^{ITL^n})]\!](V, M) & \stackrel{df}{=} & f_{I_{ITL^n}}(I_{ITL^n}[\![\theta_1^{ITL^n}]\!](V, M), \ldots, I_{ITL^n}[\![\theta_k^{ITL^n}]\!](V, M))
\end{array}
\]
As in Shape Calculus, $V$ is a valuation of the rigid variables, i.e., variables that do not change over time, and $M = [a_1, b_1] \times \ldots \times [a_n, b_n]$ is an $n$-dimensional interval. Furthermore, we define the abbreviation $\ell \stackrel{df}{=} \ell_{\vec e_1} \cdot \ell_{\vec e_2}$ to measure the 2-dimensional area. For the set of formulae, $ITL^n$ incorporates Boolean combinations, chop and quantification like SC. Formally, it is given by the following BNF.
\[
F^{ITL^n} ::= F_1^{ITL^n} \langle \vec e_i \rangle F_2^{ITL^n} \mid p(\theta_1^{ITL^n}, \ldots, \theta_k^{ITL^n}) \mid \neg F_1^{ITL^n} \mid F_1^{ITL^n} \wedge F_2^{ITL^n} \mid \exists x : F^{ITL^n}
\]

The semantics of the Boolean connectives and quantifiers is the same as in first-order logic. The semantics of the chop operator is the same as in Shape Calculus.

5.3.2 Axiomatisation

We present the main theorem of this section and give a short proof sketch. To make the presentation more concise, we introduce negated unit vectors and define $F \langle -\vec e_i \rangle G \stackrel{df}{=} G \langle \vec e_i \rangle F$.

Theorem 5.6. 2-dimensional SC is axiomatised relative to $ITL^2$ by the following axioms.
\[
\begin{array}{ll}
\int 0 = 0 & \text{(SC-1)}\\
\int 1 = \ell & \text{(SC-2)}\\
\int \pi \geq 0 & \text{(SC-3)}\\
\int \pi_1 + \int \pi_2 = \int (\pi_1 \vee \pi_2) + \int (\pi_1 \wedge \pi_2) & \text{(SC-4)}\\
(\int \pi = x \ \langle \vec e_i \rangle \ \int \pi = y) \Rightarrow \int \pi = x + y & \text{(SC-5)}\\
\int \pi_1 = \int \pi_2 \ \text{ iff } \ \pi_1 \equiv \pi_2 & \text{(SC-6)}\\[1ex]
\lceil\,\rceil \vee ((\lceil \pi \rceil \vee \lceil \neg \pi \rceil \ \langle \vec e_1 \rangle \ true) \ \langle \vec e_2 \rangle \ true) & \text{(FV1)}\\
\lceil\,\rceil \vee ((\lceil \pi \rceil \vee \lceil \neg \pi \rceil \ \langle \vec e_1 \rangle \ true) \ \langle -\vec e_2 \rangle \ true) & \text{(FV2)}\\
\lceil\,\rceil \vee ((\lceil \pi \rceil \vee \lceil \neg \pi \rceil \ \langle -\vec e_1 \rangle \ true) \ \langle \vec e_2 \rangle \ true) & \text{(FV3)}\\
\lceil\,\rceil \vee ((\lceil \pi \rceil \vee \lceil \neg \pi \rceil \ \langle -\vec e_1 \rangle \ true) \ \langle -\vec e_2 \rangle \ true) & \text{(FV4)}
\end{array}
\]
The set of axioms can be separated into two groups. The first group, (SC-1) up to (SC-5), specifies properties of the integral calculus needed for piecewise constant functions. Axiom (SC-6) requires the integral to be equal for state expressions that are equivalent in propositional logic. The second group, (FV1)-(FV4), specifies finite variability by demanding that for every point we can find four rectangles to the lower left, lower right, upper left and upper right, respectively, such that the value of a state expression is constant on these rectangles.

The proof of relative completeness proceeds as follows. For a valid SC formula $F$ we have to construct a derivation using the set of axioms defined previously. To this end, we construct a valid $ITL^n$ formula. As we consider relative completeness, we can assume an $ITL^n$ deduction of this formula. This deduction is lifted to a Shape Calculus deduction of $F$.

5.3.3 From Shape Calculus to $ITL^n$

For a given valid Shape Calculus formula $F$, we first elaborate an encoding of all Shape Calculus axioms that are possibly needed for the proof of $F$ into one $ITL^n$ formula.

Encoding the Axioms in $ITL^n$

Let $F$ be an arbitrary valid SC formula, let $X_1, \ldots, X_l$ be the set of Boolean observables occurring in $F$, and let $S$ be the set of all state expressions built from these observables. Note that, since state expressions are formulae of propositional logic, only finitely many state expressions can be non-equivalent. Let $[\pi] \stackrel{df}{=} \{\pi' \mid \pi' \equiv \pi\}$ denote such an equivalence class and $S_\equiv = \{[\pi] \mid \pi \in S\}$ denote the set of equivalence classes. For every equivalence class $[\pi]$ we introduce an $ITL^n$ flexible variable $v_{[\pi]}$ with the intuition that $v_{[\pi]}$ models the value of $\int \pi$. The axiom (SC-6) justifies this idea. We encode the SC axioms by the following finite sets of $ITL^n$ formulae.
\[
\begin{array}{rcl}
H_1 & \stackrel{df}{=} & \{ v_{[0]} = 0 \}\\
H_2 & \stackrel{df}{=} & \{ v_{[1]} = \ell \}\\
H_3 & \stackrel{df}{=} & \{ v_{[\pi]} \geq 0 \mid [\pi] \in S_\equiv \}\\
H_4 & \stackrel{df}{=} & \{ (v_{[\pi_1]} + v_{[\pi_2]}) = (v_{[\pi_1 \vee \pi_2]} + v_{[\pi_1 \wedge \pi_2]}) \mid [\pi_1], [\pi_2] \in S_\equiv \}\\
H_5 & \stackrel{df}{=} & \{ (v_{[\pi]} = x \ \langle \vec e_i \rangle \ v_{[\pi]} = y) \Rightarrow (v_{[\pi]} = x + y) \mid [\pi] \in S_\equiv \}\\
H_6 & \stackrel{df}{=} & \{ \lceil\,\rceil \vee ((\lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil \ \langle \vec d_1 \rangle \ true) \ \langle \vec d_2 \rangle \ true) \mid [\pi] \in S_\equiv,\ \vec d_i \in \{\vec e_i, -\vec e_i\} \}
\end{array}
\]
where $\lceil v_{[\pi]} \rceil \stackrel{df}{=} (v_{[\pi]} = \ell \wedge \ell > 0)$ and $\lceil\,\rceil \stackrel{df}{=} (\ell_1 = 0 \vee \ell_2 = 0)$. We define $H_F^I$ to be the conjunction of all formulae in $H_1$ to $H_6$, and $F^I$ to be the $ITL^n$ formula obtained from $F$ by replacing every occurrence of $\int \pi$ by $v_{[\pi]}$. Note that the formula $H_F^I$ depends on $F$. We will now show that an $ITL^n$ interpretation $I_{ITL^n}$ and a valuation $V$ that satisfy the axioms encoded in $H_F^I$ can already be used to derive a Shape Calculus interpretation. We will use such interpretations, valuations and intervals frequently in what follows, so we aggregate them in triples.

Definition 5.7 (H-Triple). A triple $(I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2])$ is called an H-triple if $I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2] \models_{ITL^n} \Box_{\vec e_1} \Box_{\vec e_2} H_F^I$, i.e., $H_F^I$ holds for every subrectangle of $[a_1, b_1] \times [a_2, b_2]$.

Using this definition and the axioms, we derive some properties of H-triples that will be used in the completeness proof. A complete proof of this lemma can be found in [HZ04].

Lemma 5.8. Let $(I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2])$ be an H-triple. Then the following holds:

1. $I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2] \models_{ITL^n} v_{[\pi]} + v_{[\neg \pi]} = \ell$

2. $I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2] \models_{ITL^n} v_{[\pi]} \leq \ell$

3. $I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2] \models_{ITL^n} v_{[\pi_1]} \leq v_{[\pi_1 \vee \pi_2]}$

4. $I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2] \models_{ITL^n} \lceil v_{[\pi]} \rceil$ implies $I_{ITL^n}, V, [c_1, d_1] \times [c_2, d_2] \models_{ITL^n} \lceil v_{[\pi]} \rceil$ for $[c_k, d_k] \subseteq [a_k, b_k]$, $k = 1, 2$.

Deriving the piecewise constant property

As we require Shape Calculus interpretations to be piecewise constant, i.e., that there is a partition of time and space into intervals such that the interpretation of observables is constant on each interval, we show that this property can be derived in $ITL^n$ from the encoded axioms. We need the instances in $H_6$ and the Theorem of Heine-Borel [Rud64].

Lemma 5.9. Given an arbitrary H-triple $(I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2])$ such that $a_1 < b_1$ and $a_2 < b_2$, i.e., the interval is non-empty, then for every $\pi \in$

$S$ there is a finite partition into sub-rectangles $[a_1^1, b_1^1] \times [a_2^1, b_2^1], \ldots, [a_1^n, b_1^n] \times [a_2^n, b_2^n]$ such that for every rectangle $[a_1^i, b_1^i] \times [a_2^i, b_2^i]$ either
\[
I_{ITL^n}, V, [a_1^i, b_1^i] \times [a_2^i, b_2^i] \models_{ITL^n} \lceil v_{[\pi]} \rceil \quad \text{or} \quad I_{ITL^n}, V, [a_1^i, b_1^i] \times [a_2^i, b_2^i] \models_{ITL^n} \lceil v_{[\neg \pi]} \rceil
\]
holds.

Proof. Let $(x, y) \in [a_1, b_1] \times [a_2, b_2]$. Then by $H_6$ there exist $x_1 \leq x \leq x_2$ and $y_1 \leq y \leq y_2$ such that
\[
\begin{array}{l}
I_{ITL^n}, V, [x_1, x] \times [y_1, y] \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil \quad \text{and}\\
I_{ITL^n}, V, [x_1, x] \times [y, y_2] \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil \quad \text{and}\\
I_{ITL^n}, V, [x, x_2] \times [y_1, y] \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil \quad \text{and}\\
I_{ITL^n}, V, [x, x_2] \times [y, y_2] \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil.
\end{array}
\]
Now $(x_1, x_2) \times (y_1, y_2)$ is an open interval covering the point $(x, y)$, and the closed interval $[x_1, x_2] \times [y_1, y_2]$ has the desired property. Then by the Heine-Borel Theorem there is a finite subset of this infinite partition covering $[a_1, b_1] \times [a_2, b_2]$. The cases where $(x, y)$ is on the border are handled similarly. This yields the finite partition as required.

From $ITL^n$ interpretations to SC interpretations

We have to show that for every valid SC formula there is a valid $ITL^n$ formula such that we can lift the derivation of the $ITL^n$ formula to a derivation of the SC formula. We will show the contrapositive, i.e., that an $ITL^n$ interpretation satisfying the axioms and the formula corresponds to an SC interpretation satisfying the formula. At first, we show that for an $ITL^n$ interpretation that satisfies the axioms we can construct a valid SC interpretation that has the finite variability property and respects the definition of SC semantics. The key is the notion of H-triples. Let $(I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2])$ be an H-triple. We construct an SC interpretation $I_{SC}$ by defining for every observable $X$ the interpretation $I_{SC}(X)$ to be
\[
I_{SC}(X)((x, y)) \stackrel{df}{=} \begin{cases} 1 & \text{if there are } x_1, x_2, y_1, y_2 \text{ with } x_1 \leq x < x_2,\ y_1 \leq y < y_2 \text{ such that}\\ & I_{ITL^n}, V, [x_1, x_2] \times [y_1, y_2] \models_{ITL^n} \lceil v_{[X]} \rceil\\ 0 & \text{otherwise} \end{cases} \qquad (5.6)
\]
This interpretation has the required finite variability property: each interval can be partitioned into finitely many subintervals such that the value

of each observable $X$ is constant on each subinterval. It remains to be shown that the SC interpretation given by this definition satisfies $\lceil \pi \rceil$ if and only if the $ITL^n$ interpretation satisfies $\lceil v_{[\pi]} \rceil$. This result is established by the following lemma.

Lemma 5.10. For an H-triple $(I_{ITL^n}, V, [a_1, b_1] \times [a_2, b_2])$, a state assertion $\pi$, and an SC interpretation as defined in equation (5.6), there is a finite partition $[m_1^1, m_1^2] \times [m_2^1, m_2^2], \ldots, [m_1^{n-1}, m_1^n] \times [m_2^{o-1}, m_2^o]$ of the 2-dimensional interval $[a_1, b_1] \times [a_2, b_2]$ such that for every interval $[m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1})$ and point $(x, y) \in [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1})$ the following holds:
\[
I_{ITL^n}, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil \qquad (5.7)
\]
and
\[
I_{SC}[\![\pi]\!](x, y) = \begin{cases} 1 & \text{if } I, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\pi]} \rceil\\ 0 & \text{if } I, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\neg \pi]} \rceil. \end{cases} \qquad (5.8)
\]

Proof. We prove this lemma by induction on the structure of $\pi$. We consider the system with negation and disjunction to build all propositional combinations, instead of the system consisting of negation and conjunction.

Case 1: Observable $X$. This case is clear from the definition of $I_{SC}$ and Lemma 5.9.

Case 2: $\neg \pi$. By the induction hypothesis the lemma holds for $\pi$, and we use the same partition. Let $(x, y) \in [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1})$. From the induction hypothesis we obtain
\[
I_{ITL^n}, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil.
\]
As $\pi \equiv \neg\neg\pi$, we obtain $v_{[\pi]} = v_{[\neg(\neg\pi)]}$ and therefore
\[
I_{ITL^n}, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\neg\neg\pi]} \rceil \vee \lceil v_{[\neg \pi]} \rceil.
\]
1. If $I_{ITL^n}, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\neg\neg\pi]} \rceil$ then by the hypothesis $I_{SC}[\![\pi]\!](x, y) = 1$, and by the definition of negation we obtain $I_{SC}[\![\neg\pi]\!](x, y) = 1 - I_{SC}[\![\pi]\!](x, y) = 0$ as required.

2. If $I_{ITL^n}, V, [m_1^i, m_1^{i+1}) \times [m_2^j, m_2^{j+1}) \models_{ITL^n} \lceil v_{[\neg\pi]} \rceil$ then by the hypothesis $I_{SC}[\![\pi]\!](x, y) = 0$, and we obtain $I_{SC}[\![\neg\pi]\!](x, y) = 1 - I_{SC}[\![\pi]\!](x, y) = 1$ as required.

Case 3: $\pi_1 \vee \pi_2$. Applying the induction hypothesis to $\pi_1$ and $\pi_2$, we obtain two partitions. Let $[m_1'^1, m_1'^2] \times [m_2'^1, m_2'^2], \ldots, [m_1'^{n'-1}, m_1'^{n'}] \times [m_2'^{o'-1}, m_2'^{o'}]$ be a common refinement of both partitions. By Lemma 5.8 (4) this is also a valid partition for $\pi_1$ and $\pi_2$. On every interval one of the following cases holds.

Case 3.1: At least one disjunct $\pi_1$ or $\pi_2$ is true throughout the interval, i.e., $\lceil v_{[\pi_1]} \rceil$ or $\lceil v_{[\pi_2]} \rceil$. Without loss of generality, we assume
\[
I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} \lceil v_{[\pi_1]} \rceil.
\]
Applying the induction hypothesis yields for each $(x, y) \in [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1})$ that $I_{SC}[\![\pi_1]\!](V, (x, y)) = 1$, and by the definition of the semantics of state assertions in SC we obtain $I_{SC}[\![\pi_1 \vee \pi_2]\!](V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1})) = 1$. The $ITL^n$ evaluation is derived as follows:
\[
\begin{array}{lll}
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1]} \leq v_{[\pi_1 \vee \pi_2]} & \{\text{By Lemma 5.8 (3)}\}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1 \vee \pi_2]} \leq \ell & \{\text{By Lemma 5.8 (2)}\}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1]} = \ell & \{\text{By the assumption and } \lceil v_{[\pi_1]} \rceil = v_{[\pi_1]} = \ell \wedge \ell > 0\}\\
\Rightarrow & I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1 \vee \pi_2]} = \ell & \{\text{Combining the equations}\}\\
\Rightarrow & I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} \lceil v_{[\pi_1 \vee \pi_2]} \rceil. & \{\text{By definition}\}
\end{array}
\]

Case 3.2: Both $\pi_1$ and $\pi_2$ are false throughout the interval, i.e.
\[
I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} \lceil v_{[\neg\pi_1]} \rceil \wedge \lceil v_{[\neg\pi_2]} \rceil.
\]
Applying the induction hypothesis yields
\[
I_{SC}[\![\pi_1]\!](V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1})) = 0 \quad \text{and} \quad I_{SC}[\![\pi_2]\!](V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1})) = 0
\]
and hence
\[
I_{SC}[\![\pi_1 \vee \pi_2]\!](V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1})) = 0.
\]
The derivation of the $ITL^n$ evaluation proceeds as follows:
\[
\begin{array}{ll}
& \{\text{By the assumptions}\}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1]} = 0 \ \text{ and}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_2]} = 0\\
& \{\text{and by Lemma 5.8 holds}\}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1 \vee \pi_2]} \geq 0 \ \text{ and}\\
& I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1 \wedge \pi_2]} \geq 0\\
& \{\text{By } H_4\}\\
\Rightarrow & I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} v_{[\pi_1 \vee \pi_2]} = 0\\
& \{\text{and by Lemma 5.8 (1) holds}\}\\
\Rightarrow & I_{ITL^n}, V, [m_1'^i, m_1'^{i+1}) \times [m_2'^j, m_2'^{j+1}) \models_{ITL^n} \lceil v_{[\neg(\pi_1 \vee \pi_2)]} \rceil
\end{array}
\]

As the integral $\int \pi$ is derived by summation over the piecewise constant parts, we obtain the following corollary.

Corollary 5.11. For the interpretation $I_{SC}$, every state assertion $\pi$ and every interval $[a_1, b_1] \times [a_2, b_2]$,
\[
I_{SC}[\![\textstyle\int \pi]\!]([a_1, b_1] \times [a_2, b_2]) = I_{ITL^n}[\![v_{[\pi]}]\!]([a_1, b_1] \times [a_2, b_2]).
\]

5.3.4 Proving Relative Completeness

Starting with a valid Shape Calculus formula $F$, we have shown how to construct a Shape Calculus interpretation for every $ITL^n$ interpretation that satisfies certain instances of the Shape Calculus axioms in the $ITL^n$ formula $\Box_{\vec e_1} \Box_{\vec e_2} H_F^I$. Corresponding to the Shape Calculus formula $F$, we define the $ITL^n$ formula $F^I$ by replacing the measure $\int \pi$ with a variable $v_{[\pi]}$. Using the above result, we can construct for every $ITL^n$ interpretation $I_{ITL^n}$ which violates $\Box_{\vec e_1} \Box_{\vec e_2} H_F^I \Rightarrow F^I$, i.e., the interpretation satisfies $\Box_{\vec e_1} \Box_{\vec e_2} H_F^I$ but violates $F^I$, an SC interpretation $I_{SC}$ violating $F$. This proves the following lemma.

Lemma 5.12. $\models_{SC} F$ implies $\models_{ITL^n} \Box_{\vec e_1} \Box_{\vec e_2} H_F^I \Rightarrow F^I$.

To show the converse implication, let $I_{SC}$ be an SC interpretation violating $F$. Define the violating $ITL^n$ interpretation $I_{ITL^n}$ by
\[
I_{ITL^n}(v_{[\pi]})([a_1, b_1] \times [a_2, b_2]) \stackrel{df}{=} I_{SC}[\![\textstyle\int \pi]\!]([a_1, b_1] \times [a_2, b_2]).
\]
Using this interpretation and the soundness of our axiomatisation, we obtain

Lemma 5.13. $\models_{ITL^n} \Box_{\vec e_1} \Box_{\vec e_2} H_F^I \Rightarrow F^I$ implies $\models_{SC} F$.

To prove the relative completeness, suppose $\models_{SC} F$. Then by Lemma 5.12, $\models_{ITL^n} \Box_{\vec e_1} \Box_{\vec e_2} H_F^I \Rightarrow F^I$ holds. Take the $ITL^n$ derivation $\vdash_{ITL^n} \Box_{\vec e_1} \Box_{\vec e_2} H_F^I \Rightarrow F^I$ and replace every occurrence of $v_{[\pi]}$ by $\int \pi$ to obtain an SC derivation. As $H_F$ is a boxed conjunction of instances of SC axioms, it can easily be deduced in SC, and therefore we obtain a derivation of $F$ by modus ponens.

5.4 Related Work

Real-Time Logics

Hansen, Zhou and Sestoft show in [HZ04, ZHS93] that Duration Calculus is undecidable in general. The proofs use a reduction from the halting problem of two-counter machines. The configuration of a two-counter machine, i.e., the state and the value of both counters, is encoded in intervals of constant length. The value of a counter is represented by the number of changes of an observable in an interval of length one.

Hence, this proof relies on the continuous temporal domain, as encoding arbitrarily large counters in an interval of fixed length requires the possibility of an arbitrary number of changes of the interpretation. Duration Calculus is not recursively axiomatisable. This is a consequence of the missing compactness [Doe96]. However, Duration Calculus can be axiomatised relative to Interval Temporal Logic [HZ04, HZ97]. Henzinger provides a survey in [Hen98] on decidability and complexity of the satisfiability problem for several real-time logics. TPTL [AH94] turns out to have exponential space complexity for discrete time and is undecidable and not recursively axiomatisable for dense time. The same is true for MTL [Koy90], whereas MITL with non-singular intervals has "only" exponential complexity. Undecidability stems from the ability to specify over-constrained requirements specifying an exact temporal distance of the form $\Diamond_{=c}\, \varphi$, which reads as "in exactly $c$ time units $\varphi$ holds". An axiomatisation of several decidable real-time logics with increasing expressivity, ending with MITL with non-singular intervals, is provided by Schobbens et al. in [SRH02].

Region Connection Calculus

The full Region Connection Calculus is undecidable, which is shown by Gotts in [Got96]. Renz and Nebel proved NP-completeness for the subset RCC-8 in [RN97]. A combination of RCC-8 with Linear Time Temporal Logic (LTL), yielding a spatio-temporal logic, is PSPACE-complete, as discussed in the survey chapter [KKWZar] in the Handbook of Spatial Reasoning [vBAPHar]. The better computational complexity is not surprising due to the lesser expressivity.

Modal Logics, Fusions, and Products

The complexity of modal logics and their various combinations is discussed in [GKWZ03]. The decision problem for the modal logic Log(N,
\[
\bigvee_{\substack{k_1, k_2 > 0\\ k_1 + k_2 = k}} \Big( \big(\textstyle\int P = k_1\big) \ \langle \vec e_t \rangle \ \big(\textstyle\int P = k_2\big) \Big)
\]

6.2 From Discrete to Dense Domains

The Restricted Duration Calculus (RDC) is known to be decidable for dense time domains [HZ04]. This result relies on an operation called contraction closure $\downarrow$ that adds, for a word $vaaw \in \Sigma^*$, the word $vaw$ to the language. Hansen and Zhou [HZ04] show that the regular languages are closed under contraction closure. Furthermore, by defining the language $L(F_{DC}\,;\,G_{DC}) = {\downarrow} L(F_{DC}) L(G_{DC})$ and leaving the other definitions as for discrete domains, they can reduce satisfiability in dense time to emptiness of regular languages. However, using dense interpretations one loses the ability to define measures as abbreviations as sketched above. It is easy to see that the result of Hansen and Zhou directly transfers to Shape Calculus. So handling dense time RSC and finite discrete space remains decidable by putting
\[
L_D^{cont}(F_1 \langle \vec e_i \rangle F_2) \stackrel{df}{=} {\downarrow} L_D^{cont}(F_1) \circ L_D^{cont}(F_2)
\]
Considering continuous space with a fixed maximal number of alternations in the interpretation requires two things:

1. Define the alphabet to be the union of all functions from a finite subset of the spatial interval to the set of fulfilled observables.

2. Introduce the spatial contraction closure removing duplicate slices. This can be defined using the homomorphisms $h$ from the previous section as follows:
\[
\downarrow_{\vec e_i} L \stackrel{df}{=} \bigcup_{\substack{j \in [\min_i D, \max_i D)\\ \exists k\ \forall l \in [j, k]:\ h_{D \to D \succ_i j \prec_i j+1}(L) = h_{D \to D \succ_i k \prec_i k+1}(L)}} h^{-1}_{D \to D \prec_i j+1}\big(h_{D \to D \prec_i j+1}(L)\big) \cap h^{-1}_{D \to D \succ_i l+1}\big(h_{D \to D \prec_i l+1}(L)\big)
\]
Recall that a letter in $L$ represents a spatial configuration for a moment in time. The homomorphism $h_{D \to D \succ_i j \prec_i j+1}(L)$ yields one slice of the spatial configuration according to the direction determined by $\vec e_i$. If two or more successive slices are equal, i.e., represent the same configuration, they are removed by the operator. As regular languages are closed under all operations used, it is easy to see that the resulting language is regular and spatially contraction closed.

6.3 Formulae without Chop Alternation

For deriving a decidable subset for infinite time and infinite space, we use the ideas of fibrings and dovetailing presented by Gabbay et al. [Gab99, GKWZ03] to combine modal logics. In order to create a structure for a combined logic, they start with a structure for the first logic, associate to each world a structure for the second logic, and so on. The idea is depicted in Figure 6.2 (a). Using this approach, many desirable properties like axiomatisability and decidability are inherited by the combination. As we are interested in models isomorphic to the grid, we need to rule out models like those sketched in Figure 6.2 (b), where going up and right is not equivalent to going right first and up afterwards, because our main goal is to reason about objects in $\mathbb N^n$. To this end, we do not allow chop alternation. On the innermost nesting level we only allow formulae using $\langle \vec e_2 \rangle$ nested in formulae using $\langle \vec e_1 \rangle$, and so on. To preserve decidability, we restrict the interaction of formulae by adding a constraint on the length. The language of this $n$-dimensional subset of Shape Calculus with non-alternating chop, $SC_{nAlt}$, is the set of formulae $F^n$ generated by the following

[Figure 6.2: (a) Dovetailing linear modal structures; (b) points $w$ and $w'$ need not be equal.]

EBNF:
\[
\begin{array}{rcl}
F^1 & ::= & \lceil \pi \rceil \mid F_1^1 \langle \vec e_1 \rangle F_2^1 \mid F_1^1 \wedge F_2^1 \mid \neg F_1^1\\
F^{n+1} & ::= & F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1} \mid F_1^{n+1} \wedge F_2^{n+1} \mid \neg F_1^{n+1} \mid (F^n \wedge \ell_{\vec e_{n+1}} = 1)
\end{array}
\]
Let $\delta(F)$ denote the minimal $i$ such that $F$ can be generated from $F^i$. Although the restriction $F^n \wedge \ell_{\vec e_{n+1}} = 1$ appears to be severe, this construction can be used to describe intervals of constant length by using chop. Note that without this restriction it is already possible to encode the tiling problem, and the resulting subset is undecidable.

Remark 6.9. An $SC_{nAlt}$ formula of type $\delta(F) = n$ can not only be interpreted by $n$-dimensional interpretations $I^n : (Obs \times Intv^n) \to \mathbb B$ but also by $k$-dimensional functions $I^k : (Obs \times Intv^k) \to \mathbb B$ for any $k \geq n$. The following lemma is an immediate consequence.

Lemma 6.10. Let $F$ be an $SC_{nAlt}$ formula of type $\delta(F) = n$.

($\alpha$) Assume $I^k$ for $k \geq n$ to be a $k$-dimensional interpretation and $D$ a $k$-dimensional interval such that $I^k, D \models F$. Define $I^{k \to k+1}$ as a $(k+1)$-dimensional interpretation by $I^{k \to k+1}(X)(\vec x, y) \stackrel{df}{=} I^k(\vec x)$. Then any interval $[a, b]$ satisfies $I^{k \to k+1}, D \times [a, b] \models F$.

($\beta$) Conversely, assume $I^{k+1}, D \times [a, a+1] \models F$ for $a \in \mathbb N$. Then for the interpretation $I^{k+1 \to k}(X)(\vec x) \stackrel{df}{=} I^{k+1}(\vec x, a)$ we obtain $I^{k+1 \to k}, D \models F$.

($\gamma$) Let $I, I'$ be two $n$-dimensional interpretations, $[0, b]$ a one-dimensional interval and $D, D'$ two $(n-1)$-dimensional intervals such that $I, D \times [j, j+1] \models F^{n-1} \wedge \ell_{\vec e_n} = 1$ iff $I', D' \times [j, j+1] \models F^{n-1} \wedge \ell_{\vec e_n} = 1$ for all subformulae $F^{n-1}$ of type $(n-1)$ which occur in $F$ and all $j \in [0, b)$. Then $I, D \times [0, b] \models F$ iff $I', D' \times [0, b] \models F$.

The last proposition states that if validity for two interpretations coincides on every slice and every subformula, then validity coincides for the whole formula.

Proof. ($\alpha$) Proof by structural induction. It is a special case of Corollary 2.47 for discrete domains.

Case $\lceil \pi \rceil$: From the assumption we deduce $I[\![\pi]\!](\vec x) = 1$ for all points $\vec x \in D$. By construction of the interpretation $I^{k \to k+1}$ we obtain for all $\vec x' \in D \times [a, b]$ the condition that $I^{k \to k+1}[\![\pi]\!](\vec x') = 1$, and therefore $I^{k \to k+1}, D \times [a, b] \models \lceil \pi \rceil$ as required.

Case $F_1 \wedge F_2$, $\neg F_1$: These cases are clear from the definition.

Case $F_1 \langle \vec e_i \rangle F_2$, $i \leq k$: By definition of chop there is an $r$ such that $I^k, D \prec_i r \models F_1$ and $I^k, D \succ_i r \models F_2$. Applying the induction hypothesis yields $I^{k \to k+1}, (D \prec_i r) \times [a, b] \models F_1$ and $I^{k \to k+1}, (D \succ_i r) \times [a, b] \models F_2$. Hence, $I^{k \to k+1}, D \times [a, b] \models F_1 \langle \vec e_i \rangle F_2$.

($\beta$) Similar to ($\alpha$), and also a consequence of Corollary 2.47. Note that $I$ is assumed to be constant on $[n, n+1)$ for all $n \in \mathbb N$.

($\gamma$) Proof by structural induction.

Case $F^{n-1} \wedge \ell_{\vec e_n} = 1$: This case is obvious from the assumptions.

Case $F_1^n \wedge F_2^n$:
\[
\begin{array}{lll}
& I, D \times [0, b] \models F_1^n \wedge F_2^n &\\
\Leftrightarrow & I, D \times [0, b] \models F_1^n \text{ and } I, D \times [0, b] \models F_2^n &\\
\Leftrightarrow & I', D' \times [0, b] \models F_1^n \text{ and } I', D' \times [0, b] \models F_2^n & \{\text{By (IH)}\}\\
\Leftrightarrow & I', D' \times [0, b] \models F_1^n \wedge F_2^n &
\end{array}
\]

Case $\neg F_1^n$: Follows directly from the definition and the induction hypothesis.

Case $F_1^n \langle \vec e_n \rangle F_2^n$: "only if": Assuming $I, D \times [0, b] \models F_1^n \langle \vec e_n \rangle F_2^n$, there is an $m \in [0, b]$ such that $I, D \times [0, m] \models F_1^n$ and $I, D \times [m, b] \models F_2^n$. Let $I^{\leftarrow m}$ and $I'^{\leftarrow m}$ be the functions obtained from $I$, respectively $I'$, by left-shifting by $m$ in the $n$-th dimension. Then $I^{\leftarrow m}, D \times [0, b-m] \models F_2^n$, and for all $j \in [0, b-m)$ and all subformulae $F^{n-1}$
\[
I^{\leftarrow m}, D \times [j, j+1] \models F^{n-1} \wedge \ell_{\vec e_n} = 1 \quad \text{iff} \quad I'^{\leftarrow m}, D' \times [j, j+1] \models F^{n-1} \wedge \ell_{\vec e_n} = 1.
\]
Applying the induction hypothesis to this yields $I'^{\leftarrow m}, D' \times [0, b-m] \models F_2^n$ and therefore $I', D' \times [0, b] \models F_1^n \langle \vec e_n \rangle F_2^n$. "if": similar.

Like for finite spatial domains, the decision procedure constructs regular languages associated to fulfilling interpretations. For a model of an $n$-dimensional formula, we encode each $(n-1)$-dimensional slice of this model

6.3 Formulae without Chop Alternation by one letter. As this spatial slice is still infinite, we use the set of all (n−1)dimensional subformulae that are true in this slice as a representative of the slice. Conversely, having no chop alternation, it is possible to obtain an n-dimensional model by joining (n − 1)-dimensional slices. This idea gives rise to the following definition of the alphabets where the dimension n is indicated by a superscript n if necessary for clarity and omitted if it is clear from the context Definition 6.11 (Alphabet ΣnnA (F )). Let F be an n-dimensional SCnAlt formula. Case

δ(F ) = n = 1. If F is a pure DC formula (i.e. n = 1) a letter characterises which observables are true at the current position. Henceforth, we define the alphabet to be the powerset of the observables Obs as Σ1nA (F ) = P(Obs).

Case

δ(F ) = n > 1. In this case the subformulae of type (n − 1) play the role of the observables. Let Subn−1 (F ) = {F1 , . . . , Fy } be the set of subformulae of F with type δ(Fi ) = n − 1. A subset of Subn−1 (F ) is used to characterise the set of all true formulae that hold for an interval of length one in direction n. Therefore the alphabet is defined by ΣnnA (F ) = P(Subn−1 (F )).

The construction of the language $L^n_{nA}(F)$ proceeds inductively on the structure of the formula.

Case $\delta(F) = 1$. In this case $F$ is a pure DC formula and we construct the language in the same way as for discrete DC. Let $\mathrm{Obs} = \{X_0, \dots, X_z\}$ be the Boolean observables occurring in $F$. Then a subset $a$ of Obs represents a valuation of these observables for an interval (hypercube) of unit length. Define $L^1_{nA}(F)$ inductively by
$$L^1_{nA}(\lceil \pi \rceil) \overset{df}{=} \{a \mid a \models \pi\}^+,$$
$$L^1_{nA}(F_1 \wedge F_2) \overset{df}{=} L^1_{nA}(F_1) \cap L^1_{nA}(F_2),$$
$$L^1_{nA}(F_1 \langle \vec e_1 \rangle F_2) \overset{df}{=} L^1_{nA}(F_1) \circ L^1_{nA}(F_2),$$
$$L^1_{nA}(\neg F_1) \overset{df}{=} \overline{L^1_{nA}(F_1)}.$$
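As an added example (not code from the thesis), the one-dimensional construction above computed in Python for words of one fixed length: letters are subsets of Obs, $\lceil \pi \rceil$ yields the non-empty words all of whose letters satisfy $\pi$, chop is concatenation, and negation is the complement relative to all words of that length. The observables and the formulae used are constructed for this example.

```python
"""Bounded version of L^1_nA(F) for pure (discrete) DC formulae.

Added example, not code from the thesis. Letters are frozensets of
observables, words are tuples of letters, and every language is computed
for words of one fixed length k, so that complement is taken relative to
Sigma^k. State expressions are ("X", name) | ("not", pi) | ("and", pi1, pi2);
formulae are ("ev", pi) | ("and", F, G) | ("chop", F, G) | ("not", F).
"""
from itertools import combinations, product

OBS = ("X1", "X2")                                   # constructed observables
# Sigma^1_nA(F) = P(Obs): every subset of Obs is a letter
SIGMA = [frozenset(c) for r in range(len(OBS) + 1) for c in combinations(OBS, r)]


def holds(letter, pi):
    """a |= pi for a letter a (the valuation of one unit interval)."""
    op = pi[0]
    if op == "X":
        return pi[1] in letter
    if op == "not":
        return not holds(letter, pi[1])
    if op == "and":
        return holds(letter, pi[1]) and holds(letter, pi[2])
    raise ValueError(f"unknown state expression {op}")


def all_words(k):
    """Sigma^k: all words of length k (only the empty word for k == 0)."""
    return set(product(SIGMA, repeat=k))


def lang(F, k):
    """Words of length exactly k in L^1_nA(F), following the inductive definition."""
    op = F[0]
    if op == "ev":                       # {a | a |= pi}^+ : non-empty, all letters satisfy pi
        if k == 0:
            return set()
        good = [a for a in SIGMA if holds(a, F[1])]
        return set(product(good, repeat=k))
    if op == "and":                      # intersection
        return lang(F[1], k) & lang(F[2], k)
    if op == "not":                      # complement relative to Sigma^k
        return all_words(k) - lang(F[1], k)
    if op == "chop":                     # concatenation: split k between the operands
        out = set()
        for k1 in range(k + 1):
            for w1 in lang(F[1], k1):
                for w2 in lang(F[2], k - k1):
                    out.add(w1 + w2)
        return out
    raise ValueError(f"unknown formula {op}")


def satisfiable_upto(F, K):
    """Bounded emptiness check: is there a word of length <= K in L^1_nA(F)?"""
    return any(lang(F, k) for k in range(K + 1))


if __name__ == "__main__":
    X1, X2 = ("X", "X1"), ("X", "X2")
    # ⌈X1⌉ ⟨e1⟩ ⌈X2⌉ has models of length 2; ⌈X1⌉ ∧ ⌈¬X1⌉ has none
    print(satisfiable_upto(("chop", ("ev", X1), ("ev", X2)), 2))
    print(satisfiable_upto(("and", ("ev", X1), ("ev", ("not", X1))), 3))
```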

Case $\delta(F) = n+1$. In this case the subformulae of type $n$ play the role of the observables. Let $\mathrm{Sub}_n(F) = \{F_1, \dots, F_y\}$ be the set of subformulae of $F$ with $\delta(F_i) = n$. Then a set $a \subseteq \mathrm{Sub}_n(F)$ can be used to describe which formulae are required to hold for an interval of length one. At first we construct an auxiliary regular language $L'(F)$ for the formula $F$ in the same way as in the above case. One letter determines which subformulae are required to hold for one slice of space-time in the direction given by $\vec e_{n+1}$. The words in the auxiliary language define a sequence of slices such that the whole formula $F$ is satisfied if and only if for each slice all the subformulae hold which are indicated by the current letter, and not more, and there is a model for each slice that satisfies a subformula if and only if the subformula is contained in the set determined by the letter.
$$L'(F^n \wedge \ell_{\vec e_{n+1}} = 1) \overset{df}{=} \{a \mid F^n \in a\}$$
$$L'(\neg F^{n+1}) \overset{df}{=} \overline{L'(F^{n+1})}$$
$$L'(F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1}) \overset{df}{=} L'(F_1^{n+1}) \circ L'(F_2^{n+1})$$
$$L'(F_1^{n+1} \wedge F_2^{n+1}) \overset{df}{=} L'(F_1^{n+1}) \cap L'(F_2^{n+1})$$
Different from the simple case, the language $L'$ does not represent the set of satisfying interpretations, since a word in $L'$ does not guarantee that there is a satisfying interpretation. A requirement that two subformulae $F_1^n$ and $F_2^n$ of type $n$ hold jointly for the very same interval may not be satisfiable. Additionally, we have to ensure that
• for each letter occurring in a word, i.e., subset $a \subseteq \mathrm{Sub}_n(F)$, there is an interpretation which satisfies exactly those formulae $F$ where $F \in a$, and
• there is a common length $k$ such that for all letters occurring in words there is a satisfying interpretation of this length, such that joining these models yields a rectangular model.

To capture these requirements, we introduce the notion of consistency, i.e., the existence of a common model, first for letters and then for alphabets. A letter $a \in \Sigma^{n+1}_{nA}(F)$ denotes a set of formulae of type $n$. It is consistent if there is an $n$-dimensional interpretation satisfying all formulae in $a$. For one formula $F \in a$, there is such an interpretation if the language $L^n_{nA}(F)$ is not empty. A set $a$ of formulae is consistent if there is a word in the conjunction of all such languages which is built only from consistent letters of the lower-dimensional type $n-1$. A set of letters $\Pi \subseteq \Sigma^{n+1}_{nA}(F)$ is consistent if there are satisfying $n$-dimensional interpretations and intervals for each letter, all having the same size, such that they can be concatenated to form an $(n+1)$-dimensional interpretation. Therefore, for every word over a consistent alphabet $\Pi \subseteq \Sigma^{n+1}_{nA}(F)$ there is an interpretation such that each letter corresponds to a slice of length one in direction $(n+1)$ satisfying all the $n$-dimensional subformulae occurring in the letter. For regarding only the length of a word we employ the following homomorphism, which "obscures" the actual letters of the word, leaving only its pure shape.

Definition 6.12. Let $\sharp$ be an arbitrary symbol and $h_\sharp : \Sigma^* \to \{\sharp\}^*$ be the homomorphism that replaces every letter by $\sharp$.

For defining consistency formally, we extend the definition of an associated language for a formula $F$ to a set of characteristic formulae $a$ by
$$L^n_{nA}(a) \overset{df}{=} \bigcap_{F' \in a} L^n_{nA}(F') \ \cap \bigcap_{F' \notin a} \overline{L^n_{nA}(F')}.$$
For $n = 1$, the language $L^n_{nA}(a)$ is already defined. The definition of the languages $L^n_{nA}(a)$ will only be used for defining $L^{n+1}_{nA}(a)$, so the languages are well-defined. Using this definition, the intuition illustrated above is formalised inductively as follows.

Definition 6.13. A subset $\Pi^{n+1} \subseteq \Sigma^{n+1}_{nA}(F)$ for $n > 1$ is called consistent iff there is a consistent $\Pi^n \subseteq \bigcup_{a \in \Pi^{n+1}} \bigcup_{G \in a} \Sigma^n_{nA}(G)$ such that
$$\bigcap_{a \in \Pi^{n+1}} h_\sharp\big(L^n_{nA}(a) \cap (\Pi^n)^*\big) \neq \emptyset.$$
For the basic case we define every subset $\Pi^1 \subseteq \Sigma^1_{nA}(F)$ to be consistent.

Combining consistency (the existence of interpretations satisfying the formulae for each slice that can be concatenated) and the property of $L'$ that piecewise satisfaction of subformulae yields satisfaction of the whole formula, we define the language by
$$L^{n+1}_{nA}(F) \overset{df}{=} L'(F) \cap \Big( \bigcup_{\substack{\Pi \subseteq \Sigma^{n+1}_{nA}(F) \\ \Pi \text{ is consistent}}} \Pi^* \Big).$$

The correspondence between words in $L^n_{nA}(F)$ and $n$-dimensional interpretations is established by the following definition and lemma.

Definition 6.14 (word-interpretation correspondence). Let $F$ be an $n$-dimensional SCnAlt formula, $I$ an $n$-dimensional interpretation, $D$ an $(n-1)$-dimensional interval and $[0,b]$ a one-dimensional interval. We associate a word $w^I = a^I_0 \dots a^I_{b-1} \in \Sigma^n_{nA}(F)^*$ to this interpretation such that for $n = 1$
$$a^I_j \overset{df}{=} \{X \mid X \text{ is an observable occurring in } F \text{ and } I, D \times [j, j+1] \models \lceil X \rceil\}$$
and for $n > 1$
$$a^I_j \overset{df}{=} \{F' \mid F' \in \mathrm{Sub}_{n-1}(F) \text{ and } I, D \times [j, j+1] \models F'\}$$
respectively. Vice versa, we associate to a word $w \in \Sigma^n_{nA}(F)^*$ a set $[w]$ of interpretations and intervals such that $(I, D) \in [w] \iff w = w^I$.

The following lemma states three facts. Firstly, the definition of consistency ensures the existence of an interpretation for each word over a consistent alphabet. Secondly, it states that for every interpretation satisfying a formula, the corresponding word $w^I$ is in the language constructed by the above definition. Finally, it states that for each word in the language constructed there is a satisfying interpretation.

Lemma 6.15. Let $F$ be an $n$-dimensional SCnAlt formula.
($\alpha$) A subset $\Pi \subseteq \Sigma^n_{nA}(F)$ is consistent iff for every $w = a_0 \dots a_k \in \Pi^*$ there is an $n$-dimensional interpretation $I$ and an $(n-1)$-dimensional interval $D$ such that $I, D \times [j, j+1) \models G \iff G \in a_j$ holds for every $j \in [0,k]$ and every $G \in \mathrm{Sub}_{n-1}(F)$.
($\beta$) $I, D \times [0,b] \models F$ implies $w^I \in L^n_{nA}(F)$.
($\gamma$) $w \in L^n_{nA}(F)$ implies $[w] \neq \emptyset$ and $\forall (I, D) \in [w] : I, D \times [0, |w|] \models F$.

Proof. We prove ($\alpha$) to ($\gamma$) simultaneously by induction on the structure of $F$.

Case $\delta(F) = 1$. ($\alpha$) "only if": As all $\Pi \subseteq \Sigma^1_{nA}$ are consistent, let $\Pi$ be an arbitrary subset and $w = a_0 \dots a_k \in \Pi^*$. The interpretation $I$ given by
$$I[[X]](i) = \begin{cases} 1 & \text{if } X \in a_i \\ 0 & \text{otherwise} \end{cases}$$
has the required property. "if": As every subset of $\Sigma^1_{nA}$ is consistent, there is nothing to show. ($\beta$, $\gamma$) These cases are clear from the classical construction for Duration Calculus.

Case $\delta(F) = n+1$. ($\alpha$) "only if": Two separate problems are to be considered in this case. At first, from the hypothesis for ($\alpha$) we can deduce that there are interpretations and intervals which all have the same size, such that they can be "glued" together. Secondly, for each letter the hypothesis for ($\gamma$) yields an interpretation satisfying all formulae determined by this letter. Combining both statements yields the required interpretation and interval. Let $\Pi^{n+1} \subseteq \Sigma^{n+1}_{nA}(F^n \wedge \ell_{\vec e_{n+1}} = 1)$ be a consistent alphabet and $w = a_0 \dots a_k \in (\Pi^{n+1})^*$ a word over this alphabet. By Definition 6.13, there is a consistent alphabet $\Pi^n$, and for each letter $a_i$, $0 \le i \le k$, there is a word $u_i = u_i(0) \dots u_i(l) \in L(a_i) \cap (\Pi^n)^*$, and all these words have the same length, i.e., $|u_i| = l$ for all $0 \le i \le k$. The concatenation $u_0 \dots u_k$ of all words $u_0, \dots, u_k$ is still a word in $(\Pi^n)^*$ and therefore the induction hypothesis for ($\alpha$) is applicable. It yields an $n$-dimensional interpretation $I'$ and an $(n-1)$-dimensional interval $D'$ such that for all subformulae $G'$ occurring in $u_1 \dots u_k$ the condition $I', D' \times [i \cdot l + j, i \cdot l + j + 1] \models G' \iff G' \in u_i(j)$ holds. The interpretation $I''$ obtained from "folding" $I'$, defined by $I''(X)(\vec x, i, j) = I'(X)(\vec x, i \cdot l + j)$, still satisfies
$$I'', D' \times [i, i+1] \times [j, j+1] \models G' \iff G' \in u_i(j). \qquad (6.1)$$
It remains to show that this interpretation $I''$ satisfies for all subformulae $G$ of type $n$
$$I'', D' \times [i, i+1] \times [0, i] \models G \iff G \in a_i. \qquad (6.2)$$
Applying the induction hypothesis for ($\gamma$) on each word $u_i \in L(a_i)$, we obtain interpretations and intervals $(I_i, D_i)$ satisfying all formulae given in $a_i$. Due to consistency, these interpretations additionally satisfy for all subformulae $G'$ of type $n-1$: $I_i, D_i \times [j, j+1] \models G' \iff G' \in u_i(j)$. Using Lemma 6.10 ($\gamma$), we then obtain that $I''$ satisfies all formulae given in $a_i$, thus equation (6.2), and hence $I''$ is the required interpretation.

"if": Let $\Pi^{n+1}$ be an alphabet and $w = a_0 \dots a_k \in (\Pi^{n+1})^*$ a word containing all letters in $\Pi^{n+1}$. Let further $I$ be the interpretation and $D$ the $n$-dimensional interval satisfying for all subformulae $G$ that $I, D \times [j, j+1) \models G \iff G \in a_j$. Then for every $j$ the restrictions given by $I_j^{n+1 \to n}(X)(\vec x) = I(\vec x, j)$ satisfy
$$I_j^{n+1 \to n}, D \models G \iff G \in a_j$$
due to Lemma 6.10 ($\beta$). Then all words $w^{I_j^{n+1 \to n}}$ constructed from the interpretations $I_j^{n+1 \to n}$ and intervals $D$ have the same length by construction. By the induction hypothesis ($\beta$) all words $w^{I_j^{n+1 \to n}}$ are in $L(a_j)$. Define $\Pi^n$ to be the common alphabet of all words $w^{I_j^{n+1 \to n}}$. This yields
$$\bigcap_{a \in \Pi} h_\sharp\big(L^n_{nA}(a) \cap (\Pi^n)^*\big) \neq \emptyset.$$
As the interpretations $I_j^{n+1 \to n}$ and words $w^{I_j^{n+1 \to n}}$ satisfy the right-hand side of ($\alpha$), applying the induction hypothesis for part ($\alpha$) yields consistency of $\Pi^n$. This entails the consistency of $\Pi^{n+1}$.

For parts ($\beta$) and ($\gamma$) a more detailed distinction is necessary.

Case $F^n \wedge \ell_{\vec e_{n+1}} = 1$. ($\beta$) Let $I, D \times [0,b] \models F^n \wedge \ell_{\vec e_{n+1}} = 1$. From $\ell_{\vec e_{n+1}} = 1$ we obtain $b = 1$. Therefore $w^I = a^I_0$ and $F^n \in a^I_0$, and due to Definition 6.14, $w^I \in L'(F^n \wedge \ell_{\vec e_{n+1}} = 1)$. The consistency of $\Pi = \{a^I_0\}$ is a consequence of ($\alpha$). Therefore $w^I \in L(F^n \wedge \ell_{\vec e_{n+1}} = 1)$.
($\gamma$) Let $w \in L^{n+1}_{nA}(F^n \wedge \ell_{\vec e_{n+1}} = 1)$. By definition $w = a$ and $F^n \in a$ holds. As $L^n(F^n \wedge \ell_{\vec e_{n+1}} = 1)$ is non-empty, $\{a\}$ is consistent. Therefore, ($\alpha$) yields an interpretation $I^n$ and interval $D$ such that $I^n, D \models F^n$. Any interpretation $I^n$ satisfying $I^n, D \models F^n$ can be extended by Lemma 6.10 ($\alpha$) to $I^{n \to n+1}$ such that
$$I^{n \to n+1}, D \times [0,1] \models F^n \wedge \ell_{\vec e_{n+1}} = 1.$$
Hence $I^{n \to n+1}, D \times [0,1] \in [w]$ and $[w] \neq \emptyset$. Assume $(I', D) \in [w]$. As $w^{I'} = w = a$ and $F^n \in a$, this yields by Definition 6.14 of $w^{I'}$ that $I', D \times [0,1] \models F^n$ and therefore also $I', D \times [0,1] \models F^n \wedge \ell_{\vec e_{n+1}} = 1$.

Case $F_1^{n+1} \wedge F_2^{n+1}$. ($\beta$) Let $I, D \times [0,b] \models F_1^{n+1} \wedge F_2^{n+1}$. By definition of conjunction and the induction hypothesis, we conclude $w^I \in L^{n+1}_{nA}(F_1^{n+1})$ and $w^I \in L^{n+1}_{nA}(F_2^{n+1})$, and consistency. Therefore
$$w^I \in L^{n+1}_{nA}(F_1^{n+1} \wedge F_2^{n+1})$$
holds as required.
($\gamma$) Let $w \in L^{n+1}_{nA}(F_1^{n+1} \wedge F_2^{n+1})$. By construction $w \in L^{n+1}_{nA}(F_1^{n+1})$ and $w \in L^{n+1}_{nA}(F_2^{n+1})$. Applying the induction hypothesis yields $[w] \neq \emptyset$, and for every interpretation $I$ and interval $D$ corresponding to $w$ the relation $I, D \times [0, |w|] \models F_1^{n+1} \wedge F_2^{n+1}$ holds as required.

Case $\neg F_1^{n+1}$. ($\beta$) Let $I, D \times [0,b] \models \neg F_1^{n+1}$, so $I, D \times [0,b] \not\models F_1^{n+1}$. Applying the induction hypothesis for ($\gamma$), we obtain $w^I \notin L^{n+1}_{nA}(F_1^{n+1})$ and therefore $w^I \in L'(\neg F_1^{n+1})$. By Definition 6.14 the right-hand side of ($\alpha$) is satisfied, thereby yielding consistency. Hence $w^I \in L^{n+1}_{nA}(\neg F_1^{n+1})$.
($\gamma$) Let $w \in L^{n+1}_{nA}(\neg F_1^{n+1})$. At first we show $[w] \neq \emptyset$. Assume $[w] = \emptyset$. Then for all $(I, D)$ such that $w^I = w$ we conclude $I, D \times [0, |w|] \not\models \neg F_1$ and therefore $I, D \times [0, |w|] \models F_1$. But then, applying the induction hypothesis yields $w \in L^{n+1}_{nA}(F_1)$, contradicting $w \in L^{n+1}_{nA}(\neg F_1^{n+1})$. Therefore $[w] \neq \emptyset$. The second proposition is a direct consequence of the induction hypothesis for ($\beta$).

Case $F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1}$. ($\beta$) Let $I, D \times [0,b] \models F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1}$. By definition of the chop operator there is an $m \in [0,b]$ such that $I, D \times [0,m] \models F_1^{n+1}$ and $I, D \times [m,b] \models F_2^{n+1}$. The interpretation $I'$ defined by left-shifting $I$ by $m$ along dimension $(n+1)$ satisfies $I', D \times [0, b-m] \models F_2^{n+1}$. Applying the induction hypothesis twice yields two words $w_1^I \in L(F_1^{n+1})$ and $w_2^{I'} \in L(F_2^{n+1})$ corresponding to $I$ on $D \times [0,m]$ and $I'$ on $D \times [0, b-m]$ respectively. By construction $w^I = w_1^I w_2^{I'}$ holds and hence $w^I \in L'(F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1})$. Consistency is a consequence of ($\alpha$).
($\gamma$) Let $w = a_0 \dots a_{|w|-1} \in L^{n+1}_{nA}(F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1})$. By definition $w = w_1 w_2$ such that $w_1 \in L^{n+1}_{nA}(F_1^{n+1})$ and $w_2 \in L^{n+1}_{nA}(F_2^{n+1})$. The induction hypothesis yields two pairs $(I_1, D_1)$ and $(I_2, D_2)$ such that
$$I_1, D_1 \times [0, |w_1|] \models F_1^{n+1} \qquad (6.3)$$
$$I_2, D_2 \times [0, |w_2|] \models F_2^{n+1} \qquad (6.4)$$
From consistency of the alphabet and ($\alpha$) we obtain an interpretation $I'$ and an $n$-dimensional interval $D$ such that for all $j \in [0, |w|-1]$ and all subformulae $F^n$ of type $n$
$$I', D \times [j, j+1] \models F^n \iff F^n \in a_j$$
holds. By Definition 6.14,
$$I_1, D_1 \times [j, j+1] \models F^n \iff F^n \in a_j \quad \text{for } j \in [0, |w_1|) \qquad (6.5)$$
and
$$I_2, D_2 \times [j - |w_1|, j - |w_1| + 1] \models F^n \iff F^n \in a_j \quad \text{for } j \in [|w_1|, |w_1| + |w_2|). \qquad (6.6)$$
Applying Lemma 6.10 ($\gamma$) to equations (6.3), (6.4), (6.5) and (6.6), we conclude $I', D \times [0, |w_1|] \models F_1^{n+1}$ and $I', D \times [|w_1|, |w_1| + |w_2|] \models F_2^{n+1}$. Therefore $I', D \times [0, |w|] \models F_1^{n+1} \langle \vec e_{n+1} \rangle F_2^{n+1}$. The second part follows from Lemma 6.10 ($\gamma$).

An easy consequence is the following lemma.

Lemma 6.16. $L(F) \neq \emptyset$ iff $F$ is satisfiable.

Since all these constructions can be done effectively, this proves the following theorem.

Theorem 6.17. Satisfiability and validity for SCnAlt are decidable.

Like for SCfin, the complexity is non-elementary due to the complementation of finite automata for each negation.

Example 6.18. These constructions are illustrated in Figure 6.3. Consider the formula
$$F \overset{df}{=} (F_1 \wedge \ell_{\vec e_1} = 1 \ \langle \vec e_1 \rangle\ F_1 \wedge \ell_{\vec e_1} = 1 \ \langle \vec e_1 \rangle\ F_1 \wedge \ell_{\vec e_1} = 1) \wedge (F_2 \wedge \ell_{\vec e_1} = 1 \ \langle \vec e_1 \rangle\ F_3 \wedge \ell_{\vec e_1} = 1 \ \langle \vec e_1 \rangle\ F_3 \wedge \ell_{\vec e_1} = 1)$$

[Figure 6.3: a grid with the $\vec e_1$ direction (positions 0 to 3) on the horizontal axis and the $\vec e_2$ direction (positions 0 to 4) on the vertical axis; the three unit-wide columns in direction $\vec e_1$ are labelled with the letters $\{F_1, F_2\}$, $\{F_1, F_3\}$, $\{F_1, F_3\}$, and the cells are marked with the observables $X_1$, $X_2$, $X_3$ that hold there.]

Figure 6.3: Dovetailing SC with
$$F_1 \overset{df}{=} \lceil X_1 \rceil \langle \vec e_2 \rangle true, \qquad F_2 \overset{df}{=} true \langle \vec e_2 \rangle \lceil X_2 \rceil, \qquad F_3 \overset{df}{=} true \langle \vec e_2 \rangle \lceil X_3 \rceil.$$

The word $\{F_1, F_2\}, \{F_1, F_3\}, \{F_1, F_3\}$ is in $L'(F)$ and, as the alphabet is consistent, also in $L(F)$. Therefore the models for $F_1$, $F_2$, $F_3$ can be combined to form a model for $F$.

Expressivity. Like in SCfin, operators can be re-obtained in SCnAlt. We illustrate the 2-dimensional case here. At first we give definitions for formulae of type 1 which are to be used in the context of "$\wedge\ \ell_{\vec e_2} = 1$". We use the superscript 1 here to stress this restriction.
$$true^1 \overset{df}{\iff} \lceil 1 \rceil^1 \vee \neg \lceil 1 \rceil^1$$
$$\ell^1_{\vec e_1} = 0 \overset{df}{\iff} \neg \lceil 1 \rceil^1$$
$$\ell^1_{\vec e_1} = 1 \overset{df}{\iff} \lceil 1 \rceil^1 \wedge \neg(\lceil 1 \rceil^1 \langle \vec e_1 \rangle \lceil 1 \rceil^1)$$
$$\ell^1_{\vec e_1} = k+1 \overset{df}{\iff} (\ell^1_{\vec e_1} = k) \langle \vec e_1 \rangle (\ell^1_{\vec e_1} = 1)$$
$$\ell^1_{\vec e_1} > k \overset{df}{\iff} (\ell^1_{\vec e_1} = k) \langle \vec e_1 \rangle \lceil 1 \rceil^1$$
$$\textstyle\int^1 P = 0 \overset{df}{\iff} \lceil \neg P \rceil^1 \vee \ell^1_{\vec e_1} = 0$$
$$\textstyle\int^1 P = 1 \overset{df}{\iff} \int^1 P = 0 \ \langle \vec e_1 \rangle\ (\lceil P \rceil^1 \wedge \ell^1_{\vec e_1} = 1) \ \langle \vec e_1 \rangle\ \int^1 P = 0$$
$$\textstyle\int^1 P = k+1 \overset{df}{\iff} \int^1 P = k \ \langle \vec e_1 \rangle\ \int^1 P = 1$$
For formulae of type 2 the definitions are more complicated. At first, true can be defined in the standard way.
$$true \overset{df}{\iff} (\lceil 1 \rceil \wedge \ell_{\vec e_2} = 1) \vee \neg(\lceil 1 \rceil \wedge \ell_{\vec e_2} = 1)$$
As $\ell_{\vec e_2}$ is nearly a primitive in SCnAlt, it can be defined as follows:
$$\ell_{\vec e_2} = 1 \overset{df}{\iff} (true^1) \wedge \ell_{\vec e_2} = 1$$
$$\ell_{\vec e_2} = k+1 \overset{df}{\iff} (\ell_{\vec e_2} = k) \langle \vec e_2 \rangle (\ell_{\vec e_2} = 1)$$
The measure $\int P$ is nonzero iff there is a subinterval of length 1 on which the measure is nonzero. Therefore the measure can be defined using the type 1 formula $\int^1 P = 0$.
$$\textstyle\int P = 0 \overset{df}{\iff} \neg\big( true \ \langle \vec e_2 \rangle\ ((\neg(\int^1 P = 0)) \wedge \ell_{\vec e_2} = 1) \ \langle \vec e_2 \rangle\ true \big)$$
Using the same idea, we can define $\int P = 1$.
$$\textstyle\int P = 1 \overset{df}{\iff} \int P = 0 \ \langle \vec e_2 \rangle\ (\int^1 P = 1 \wedge \ell_{\vec e_2} = 1) \ \langle \vec e_2 \rangle\ \int P = 0$$
On an interval of length $m$ the measure $\int P$ equals $k$ iff it is equal to $k_1$ on the leftmost subinterval of length $m-1$, is equal to $k_2$ on the rightmost subinterval of length 1, and $k = k_1 + k_2$.
$$\textstyle\int P = k \overset{df}{\iff} \bigvee_{\substack{k_1, k_2 \in \mathbb{N}_0 \\ k_1 + k_2 = k}} \big( \int P = k_1 \ \langle \vec e_2 \rangle\ \int P = k_2 \big)$$

6.4 Related Work

Decidability of the validity problem for Duration Calculus is discussed in [HZ04] and [ZHS93]. The authors present a decision procedure by constructing a finite automaton corresponding to a Duration Calculus formula such that satisfiability of the formula corresponds to non-emptiness of the finite automaton. Both decision procedures presented in this chapter rely on this construction for the one-dimensional case. However, there are different approaches to validity checking. For example, bounded validity checking is introduced by Fränzle [Frä02] and further investigated by Pandya et al. in [SPC05]. The advantage of this approach is the reduced complexity, which is "only" in NP. Additionally, Fränzle provided a small model property for classes of formulae. From that property it follows that validity, and not only bounded validity, is in NP for this class of formulae. A different direction of research investigates the translation into transition constraint systems for checking satisfiability of continuous-time Duration Calculus [HM05, Hoe06, MFR06]. Translations of other subsets into hybrid automata [BLR95] or event clock automata [Pan02] are also considered. Considering a robust interpretation, i.e., an interpretation that does not change under small variations, Fränzle and Hansen [FH05] show that under this assumption undecidable subsets of Duration Calculus become decidable. All these approaches may turn out to be applicable to the multi-dimensional Shape Calculus and deserve further investigation.

A subset of the spatial logic for the $\pi$-calculus [CC03] for which the model-checking problem is decidable is presented by Caires in [Cai04]. Decidability for this subset is due to removing the adjunct operator from the logic. The binary adjunct operator $A \triangleright B$ is satisfied by a process if, whenever a process satisfying the requirement $A$ runs in parallel with it, the resulting process satisfies requirement $B$. This operator is powerful enough to define validity internally in the logic itself [CL04].

6.5 Conclusion

Despite the negative results concerning decidability and axiomatisability, we have identified two decidable subsets of Shape Calculus. For the first subset, decidability stems from the restriction to only one infinite dimension, restricting all other dimensions to a finite discrete set. For the other subset, decidability stems from prohibiting arbitrary alternation of the chop operator. Both decision procedures have a non-elementary complexity, as negation may result in an exponential blow-up.

Chapter 7 Automatic Verification

Contents
7.1 From Shape Calculus to WS1S 188
7.1.1 Weak S1S 188
7.1.2 MONA 189
7.1.3 Encoding Shape Calculus in WS1S 189
7.1.4 Proof of Correctness 193
7.2 Automatic Verification of Shape Calculus Specifications 198
7.2.1 The tool MoDiShCa 199
7.2.2 Using SC for modelling the Railroad Crossing 199
7.2.3 The Extended Generalised Railroad Crossing 202
7.2.4 The Single-Track Line Segment Case Study 203
7.3 Related Work 210

In this chapter we present a practical approach for checking validity and satisfiability of Restricted Shape Calculus (RSC), which is implemented in the prototypical tool MoDiShCa by J.D. Quesel. We do not consider an operational model for mobile real-time systems in this thesis. Instead, both the system and the desired property are specified by Shape Calculus formulae. The question whether the system satisfies the desired property is therefore equivalent to the question whether the system specification implies the property. To obtain decidability, we have to restrict the space to be finite and discrete and the time to be discrete and infinite. Instead of implementing a new tool from scratch, it is promising to use an existing tool and thereby profit from the experience gained in its development and the optimisations included in the tool. In this chapter we describe a translation of Shape Calculus into the Weak Second-Order Logic with one successor predicate (WS1S). This logic is known to be decidable [Tho97], and the tool MONA developed at BRICS is available for automatically verifying the satisfiability and validity of WS1S formulae. This tool is also used as backend for the Duration Calculus checker DCValid developed by P. Pandya [Pan00].

7.1 From Shape Calculus to WS1S

7.1.1 Weak S1S

At first we briefly review Weak Second-Order Logic with one successor predicate. Second-Order Logic enriches First-Order Logic by permitting quantification over sets and relations, thereby adding expressive power but losing axiomatisability [EFT96]. We will only consider Monadic Second-Order Logic, which uses quantification over sets only and not over relations. Weak Second-Order Logic with one successor imposes a further restriction on the quantifiers: it considers quantification only over finite sets and uses only one predicate symbol with fixed interpretation. Büchi [Büc60] and Elgot [Elg61] showed in the 1960s that this restriction entails decidability. However, the formalism is powerful enough to describe Presburger arithmetic and to characterise the class of regular or $\omega$-regular languages [Tho97]. The decision procedure exploits the connection between WS1S and regular languages by constructing a finite automaton for the second-order formula. However, the complexity of this construction is non-elementary in the size of the WS1S formula.

Weak S1S formulae can be constructed using the following EBNF grammar:
$$F ::= x \in X \mid S(x,y) \mid F \wedge G \mid \neg F \mid \exists x : F \mid \exists X : F$$
where $X$ is a second-order variable, $x$ and $y$ are first-order variables, $F$ and $G$ are formulae and $S(x,y)$ is the successor predicate; the expression $S(x,y)$ is true iff $y = x+1$. The linear orders $<$ and $\le$ can be defined as abbreviations.

Semantics of WS1S. The semantics of WS1S is given by a tuple of valuations $\sigma = (\sigma_1, \sigma_2)$ such that $\sigma_1$ is a valuation of the first-order variables assigning a natural number to each variable, and $\sigma_2$ is a valuation of the second-order variables assigning a finite subset of the set of natural numbers to each second-order variable. We denote the set of finite subsets of the natural numbers $\mathbb{N}$ by $\mathcal{F}(\mathbb{N})$. Furthermore, we denote by $\sigma[x/d]$ the valuation that coincides with $\sigma$ on every variable except for $x$, which is assigned $d$. The same notation is used for second-order variables. The definition of satisfiability for WS1S, denoted by $\sigma \models_{WS1S} F$, is taken from [AB00].
$\sigma \models_{WS1S} x \in X$ iff $\sigma_1(x) \in \sigma_2(X)$
$\sigma \models_{WS1S} S(x,y)$ iff $\sigma_1(x) = \sigma_1(y) + 1$
$\sigma \models_{WS1S} \neg F$ iff $\sigma \not\models_{WS1S} F$
$\sigma \models_{WS1S} F \wedge G$ iff $\sigma \models_{WS1S} F$ and $\sigma \models_{WS1S} G$
$\sigma \models_{WS1S} \exists x : F$ iff $\sigma[x/d] \models_{WS1S} F$ for some $d \in \mathbb{N}$
$\sigma \models_{WS1S} \exists X : F$ iff $\sigma[X/D] \models_{WS1S} F$ for some $D \in \mathcal{F}(\mathbb{N})$

7.1.2 MONA

The tool MONA [KM01, KMS00] is a verifier for WS1S. Its development started in 1994 at BRICS [HJJ+95]. It performs validity and satisfiability checking for the logic WS1S by constructing a finite automaton equivalent to the weak second-order specification. A formula is satisfiable if and only if the language accepted by the finite automaton is non-empty. To this end, the tool performs a reachability check of the final states. As the number of outgoing transitions for every state is exponential in the number of second-order variables, MONA uses BDDs as an efficient representation of the transition relation. However, the states of the automaton are represented explicitly. When checking a second-order specification, MONA provides satisfying valuations of the variables as well as counterexamples if such valuations exist. This is essential for identifying errors in the specified systems. Among others, it is used as a backend by the model checker DCValid for Duration Calculus [Pan00].

7.1.3 Encoding Shape Calculus in WS1S

To use MONA for automatic verification with Shape Calculus, we provide a translation of SC formulae into WS1S.

Considered Subset of Shape Calculus. For the translation we consider the Restricted Shape Calculus (RSC) as defined in Definition 5.3 on page 140. Additionally, we explain how to handle projections onto spatial axes or the temporal axis. Since we have shown in previous chapters that for RSC infinite space and time yield undecidability, we restrict the space to be finite and discrete, and time to be infinite and discrete. To stress this difference, we use the same notation for spatio-temporal intervals as in Definition 6.1 in Chapter 6.

Idea of Translation. Fixing the number of spatial dimensions to $n$, we introduce for each observable $X$ and each point $\vec x$ in the finite space one second-order variable $X_{\vec x}$, thus altogether $\prod_{i=0}^{n} \mathrm{card}(i) \cdot |\mathrm{Obs}|$ variables, such that $X_{\vec x}$ models the truth value of $X$ at spatial position $\vec x$ on the time line. So the observable $X$ is true at spatial point $\vec x$ and moment in time $t$ iff $t \in X_{\vec x}$. Assuming a temporal interval $[t_1, t_2]$ and a spatial interval $D$, we derive a WS1S formula that is satisfiable if and only if the SC formula is satisfiable on these intervals. This is accomplished by a translation function $SO$ defined inductively on the structure of the Shape Calculus formula. The function takes three parameters: a spatial interval (hypercube) $D$, which is given explicitly and contains no variables, a temporal interval $[t_1, t_2]$, where $t_1$ and $t_2$ are first-order variables, and the Shape Calculus formula to be translated. In the following, we use the same naming convention for the axes as in the previous chapters.

Inductive Translation. The construction of the second-order formula according to an SC formula is performed inductively on the structure of the SC formula.

State Expression. State expressions $\pi$ are Boolean combinations of observables and translate straightforwardly into Second-Order Logic using set operations and Boolean connectives. The translation of state expressions is independent of the observation interval but depends on the point in space $\vec x$ and the moment in time $t$. Therefore, the signature of the translation function $SO$ for state expressions is different from the signature of the function for formulae. The function can be stated as follows:
$$SO(\vec x, t, X) \overset{df}{=} t \in X_{\vec x} \quad \text{for an observable } X$$
$$SO(\vec x, t, \neg \pi) \overset{df}{=} \neg SO(\vec x, t, \pi)$$
$$SO(\vec x, t, \pi_1 \wedge \pi_2) \overset{df}{=} SO(\vec x, t, \pi_1) \wedge SO(\vec x, t, \pi_2)$$

Translating $\lceil \pi \rceil$ (everywhere operation). As the formula is satisfied on a spatio-temporal interval if the state expression $\pi$ is true for all points in time and space, the second-order translation involves quantification over all temporal and all spatial points. Due to the finiteness of all spatial dimensions, the universal quantification over the spatial points can be expressed by a finite conjunction. Additionally, the translation has to ensure that the interval has a non-zero $n$-dimensional volume.
$$SO(D, [t_1, t_2], \lceil \pi \rceil) \overset{df}{=} t_1 < t_2 \wedge \bigwedge_{i=0}^{n} \min_i D < \max_i D \wedge \bigwedge_{\vec x \in D^-} \forall t_m : t_1 \le t_m < t_2 \Rightarrow SO(\vec x, t_m, \pi),$$

where $D^-$ is the interior as defined in Definition 6.1 on page 160.

Translating $\lceil \pi \rceil_{\vec e_i}$ and $\lceil \pi \rceil_{\vec e_t}$. The formula $\lceil \pi \rceil_{\vec e_i}$ evaluates to true if for all possible values $x_i \in [\min_i D, \max_i D)$ of the spatial observation interval there is a point in time and space that a) satisfies $\pi$ and b) projects onto $x_i$. Clearly, this is a projection onto the $i$-th spatial axis. The existential quantification over spatial points is expressed as a finite disjunction over all possible points.
$$SO(D, [t_1, t_2], \lceil \pi \rceil_{\vec e_i}) \overset{df}{=} t_1 < t_2 \wedge \min_i D < \max_i D \wedge \bigwedge_{x_i = \min_i D}^{\max_i D - 1} \ \bigvee_{\vec x \in D^-} \exists t_m : t_1 \le t_m < t_2 \wedge SO(\vec x \oplus \{i \mapsto x_i\}, t_m, \pi)$$
The expression $\vec x \oplus \{i \mapsto x_i\}$ denotes a vector that coincides with $\vec x$ in all entries except for the $i$-th entry, where it equals $x_i$. The override operator $\oplus$ is taken from the Z language. The operator $\lceil \pi \rceil_{\vec e_t}$ (all-the-time) expresses that for every point in time $t$ there is a vector $\vec x$ such that $\pi$ is true at the point $\vec x$ and time $t$. Obviously, this is a projection onto the time line.
$$SO(D, [t_1, t_2], \lceil \pi \rceil_{\vec e_t}) \overset{df}{=} t_1 < t_2 \wedge \forall t_m : t_1 \le t_m < t_2 \Rightarrow \bigvee_{\vec x \in D^-} SO(\vec x, t_m, \pi)$$

Translating chops. The temporal chop is defined as: there is a point $t$ in the current temporal interval $[t_1, t_2]$ such that $F$ is true in the interval $[t_1, t]$ and $G$ is true in the interval $[t, t_2]$. Hence, we translate it using conjunction and changing the timestamp parameters. The spatial observation interval remains unchanged.
$$SO(D, [t_1, t_2], F \langle \vec e_t \rangle G) \overset{df}{=} \exists t_m : t_1 \le t_m \le t_2 \wedge SO(D, [t_1, t_m], F) \wedge SO(D, [t_m, t_2], G)$$
The chop operator in $\vec e_i$ direction is defined as: there is a point $x_m$ on the $i$-th axis such that $F$ is true for the subinterval "below" $x_m$ and $G$ is true for the subinterval "above". To translate this operation, we use the same idea as for the translation of the temporal chop, but explicitly calculate all possible intervals $D \prec_i x_m$ and $D \succ_i x_m$ instead of changing the timestamps, as quantification over spatial points results in a finite disjunction.
$$SO(D, [t_1, t_2], F \langle \vec e_i \rangle G) \overset{df}{=} \bigvee_{x_m = \min_i D}^{\max_i D} \big( SO(D \prec_i x_m, [t_1, t_2], F) \wedge SO(D \succ_i x_m, [t_1, t_2], G) \big)$$
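As an added example (not the thesis' MoDiShCa tool), the translation function $SO$ implemented in Python for one finite, discrete spatial dimension, covering all the cases of this subsection including the Boolean connectives and the diameter expressions treated below. The MONA-like surface syntax of the output, the AST encoding of formulae and the variable naming $X_x$ are assumptions made for this example.

```python
"""Translation function SO from Restricted Shape Calculus to WS1S.

Added example, not the thesis' MoDiShCa tool. One finite, discrete
spatial dimension (points lo..hi-1 of an interval D = (lo, hi)) and a
discrete time line. Output uses a MONA-like surface syntax chosen here
(assumed): 't in X_2' for t ∈ X_{(2)}, '&', '|', '~', 'ex1', 'all1', '=>'.
Formula ASTs (constructed for this example):
  state expressions: ("X", name) | ("not", pi) | ("and", pi1, pi2)
  formulae: ("ev", pi) | ("and", F, G) | ("not", F) | ("tchop", F, G)
            | ("schop", F, G) | ("len_t", rel, n) | ("len_s", rel, n)
"""
from itertools import count


def so_state(x, t, pi):
    """SO(x, t, pi): the state expression at space point x and time variable t."""
    op = pi[0]
    if op == "X":
        return f"{t} in {pi[1]}_{x}"          # t ∈ X_x
    if op == "not":
        return f"~({so_state(x, t, pi[1])})"
    if op == "and":
        return f"({so_state(x, t, pi[1])} & {so_state(x, t, pi[2])})"
    raise ValueError(f"unknown state expression {op}")


def so(D, t1, t2, F, fresh):
    """SO(D, [t1, t2], F); `fresh` numbers the bound time variables tm0, tm1, ..."""
    lo, hi = D
    op = F[0]
    if op == "ev":                                   # everywhere ⌈π⌉
        if lo >= hi:                                 # min D < max D fails: zero volume
            return "false"
        tm = f"tm{next(fresh)}"
        body = " & ".join(so_state(x, tm, F[1]) for x in range(lo, hi))  # over D^-
        return f"({t1} < {t2} & all1 {tm}: ({t1} <= {tm} & {tm} < {t2}) => ({body}))"
    if op == "and":
        return f"({so(D, t1, t2, F[1], fresh)} & {so(D, t1, t2, F[2], fresh)})"
    if op == "not":
        return f"~{so(D, t1, t2, F[1], fresh)}"
    if op == "tchop":                                # F ⟨e_t⟩ G: split the time interval
        tm = f"tm{next(fresh)}"
        return (f"(ex1 {tm}: {t1} <= {tm} & {tm} <= {t2} & "
                f"{so(D, t1, tm, F[1], fresh)} & {so(D, tm, t2, F[2], fresh)})")
    if op == "schop":                                # F ⟨e_1⟩ G: finite disjunction over x_m
        parts = [f"({so((lo, xm), t1, t2, F[1], fresh)} & {so((xm, hi), t1, t2, F[2], fresh)})"
                 for xm in range(lo, hi + 1)]
        return "(" + " | ".join(parts) + ")"
    if op == "len_t":                                # ℓ_{e_t} ~ n: Presburger constraint
        rel, n = F[1], F[2]
        return {"=": f"{t1} + {n} = {t2}",
                "<=": f"{t2} <= {t1} + {n}",
                ">=": f"{t1} + {n} <= {t2}"}[rel]
    if op == "len_s":                                # ℓ_{e_1} ~ n: decided at translation time
        rel, n = F[1], F[2]
        length = hi - lo
        ok = {"=": length == n, "<=": length <= n, ">=": length >= n}[rel]
        return "true" if ok else "false"
    raise ValueError(f"unknown formula {op}")


def translate(D, F):
    """Top-level SO(D, [t1, t2], F) with the bound variables numbered from tm0."""
    return so(D, "t1", "t2", F, count())


def declarations(D, observables):
    """MONA-style header: one second-order variable X_x per observable and point."""
    lo, hi = D
    sets = ", ".join(f"{X}_{x}" for X in observables for x in range(lo, hi))
    return f"ws1s;\nvar1 t1, t2;\nvar2 {sets};"


if __name__ == "__main__":
    X = ("X", "X")
    # ⌈X⌉ ⟨e_t⟩ ⌈¬X⌉ on two spatial points, time interval [t1, t2]
    print(declarations((0, 2), ["X"]))
    print(translate((0, 2), ("tchop", ("ev", X), ("ev", ("not", X)))) + ";")
```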

Translating Boolean connectives. The translation of conjunction and negation is straightforward.
$$SO(D, [t_1, t_2], F \wedge G) \overset{df}{=} SO(D, [t_1, t_2], F) \wedge SO(D, [t_1, t_2], G)$$
$$SO(D, [t_1, t_2], \neg F) \overset{df}{=} \neg SO(D, [t_1, t_2], F)$$

Translating spatial and temporal diameter expressions. Using $\ell_{\vec e_t} \sim n$ with $\sim\ \in \{\le, \ge, \ , =\}$, we can determine the length of the temporal interval. In the temporal case, $\ell_{\vec e_t}$ is obtained as the difference of the two boundaries of the temporal interval, namely
$$SO(D, [t_1, t_2], \ell_{\vec e_t} \sim n) \overset{df}{=} t_2 - t_1 \sim n.$$
As WS1S encompasses Presburger arithmetic with inequality, this encoding is a valid WS1S formula. In contrast, expressions involving $\ell_{\vec e_i}$, the length of the spatial observation interval, are to be calculated explicitly beforehand. Due to the finiteness of space, all spatial intervals are explicitly

enumerated and therefore the length can always be calculated. Hence, the length of the spatial interval $\ell_{\vec e_i}$ is given by
$$SO(D, [t_1, t_2], \ell_{\vec e_i} \sim n) \overset{df}{=} \begin{cases} true & \text{if } \max_i D - \min_i D \sim n \\ false & \text{otherwise} \end{cases}$$
which can be evaluated during the translation process.

7.1.4 Proof of Correctness

We will now prove that the construction given above is correct. To this end, we show that for every second-order valuation a Shape Calculus model can be constructed and vice versa. This is established by the following two lemmata.

Lemma 7.1. Let $F$ be an RSC formula, possibly involving projection onto spatial or temporal axes, and let $SO(D, [t_1, t_2], F)$ be its weak second-order translation. If $SO(D, [t_1, t_2], F)$ is satisfiable under a valuation $\sigma = (\sigma_1, \sigma_2)$ with $\sigma_1(t_1) \le \sigma_1(t_2)$, then $F$ is satisfiable on the interval $D \times [\sigma_1(t_1), \sigma_1(t_2)]$.

Lemma 7.2. Let $F$ be an RSC formula, possibly involving projection onto spatial or temporal axes, and let $SO(D, [t_1, t_2], F)$ be its weak second-order translation. If $F$ is satisfiable on the interval $D \times [n, m]$, then $SO(D, [t_1, t_2], F)$ is satisfiable under a valuation $\sigma = (\sigma_1, \sigma_2)$ satisfying $n = \sigma_1(t_1) \le \sigma_1(t_2) = m$.

Proof. We prove slightly stronger versions of both lemmata, which relate the SC interpretation and the WS1S valuation directly, by simultaneous structural induction, assuming as induction hypothesis that the stronger version of both lemmata is proven for formulae with simpler structure. Let $F$ be an RSC formula possibly involving projection onto spatial or temporal axes, $[n, m]$ a temporal interval, $D$ a spatial interval and $t_1$ and $t_2$ two first-order variables. Assume that $SO(D, [t_1, t_2], F)$ is the weak second-order translation of $F$. Let further $I$ be a Shape Calculus interpretation and $\sigma = (\sigma_1, \sigma_2)$ a WS1S valuation for $SO(D, [t_1, t_2], F)$ such that
$$I(X)(\vec x, p) \overset{df}{=} \begin{cases} 1 & \text{if } p \in \sigma_2(X_{\vec x}) \\ 0 & \text{otherwise} \end{cases}$$
and $\sigma_1(t_1) = n$ and $\sigma_1(t_2) = m$.
At first, for state expressions we prove

$$I[[\pi]](\vec{x}, n) = 1 \;\text{ iff }\; \sigma \models_{WS1S} SO(\vec{x}, t_1, \pi). \qquad (7.1)$$

The proof proceeds by simultaneous structural induction on the state assertions.

Observable $X$:
7.1: Assume $I[[X]](\vec{x}, n) = 1$, then $I(X)(\vec{x}, n) = 1$. By the assumption on $\sigma$, we obtain $n = \sigma_1(t_1)$, and by the assumption on the relation between $I$ and $\sigma_2$, also $n \in \sigma_2(X_{\vec{x}})$. So $\sigma \models_{WS1S} t_1 \in X_{\vec{x}}$ as required.
7.2: As $SO(\vec{x}, t_1, X) = t_1 \in X_{\vec{x}}$ and $\sigma \models_{WS1S} t_1 \in X_{\vec{x}}$, the definition immediately yields $n = \sigma_1(t_1) \in \sigma_2(X_{\vec{x}})$. Therefore, $I(X)(\vec{x}, n) = 1$ and hence $I[[X]](\vec{x}, n) = 1$.

Negation ($\neg\pi$):
7.1: Assume $I[[\neg\pi]](\vec{x}, n) = 1$. Then $I[[\pi]](\vec{x}, n) = 0$. By the induction hypothesis for Lemma 7.2, we conclude $\sigma \not\models_{WS1S} SO(\vec{x}, t_1, \pi)$. Hence, $\sigma \models_{WS1S} \neg SO(\vec{x}, t_1, \pi)$ and $\sigma \models_{WS1S} SO(\vec{x}, t_1, \neg\pi)$.
7.2: Assume $\sigma \models_{WS1S} SO(\vec{x}, t_1, \neg\pi)$. As $SO(\vec{x}, t_1, \neg\pi) = \neg SO(\vec{x}, t_1, \pi)$, by definition $\sigma \not\models_{WS1S} SO(\vec{x}, t_1, \pi)$. Applying the induction hypothesis for Lemma 7.1 yields $I[[\pi]](\vec{x}, n) = 0$ and therefore $I[[\neg\pi]](\vec{x}, n) = 1$.

Conjunction ($\pi_1 \wedge \pi_2$): This is obtained immediately from the induction hypothesis.

Having established the relation for state assertions, we are ready to prove the correspondence for formulae:

$$I[[F]](D \times [n, m]) = \mathit{true} \;\text{ iff }\; \sigma \models_{WS1S} SO(D, [t_1, t_2], F) \qquad (7.2)$$

This proof also proceeds by structural induction.

Everywhere ($\lceil\pi\rceil$):
7.1: Assume $I[[\lceil\pi\rceil]](D \times [n, m]) = \mathit{true}$. This is true if and only if the following equality holds: $I[[\int\pi]](D \times [n, m]) = I[[\int 1]](D \times [n, m])$. Note that in the discrete setting the integration on the interval $[a, b]$

$$\int_a^b f(x)\,dx$$

is equivalent to the discrete sum

$$\sum_{a}^{b-1} f(n).$$

Therefore, the translation of the everywhere operator considers the right-open interval $D^- \times [n, m)$ instead of the closed interval $D \times [n, m]$. Hence, for all points $(\vec{x}, i) \in D^- \times [n, m)$ we have $I[[\pi]](\vec{x}, i) = 1$. Applying Equation 7.1 yields $\sigma[t_1/i] \models_{WS1S} SO(\vec{x}, t_1, \pi)$ for all points $(\vec{x}, i) \in D^- \times [n, m)$. So, by definition of the translation, $\sigma \models_{WS1S} SO(D, [t_1, t_2], \lceil\pi\rceil)$ holds.
7.2: Assume $\sigma \models_{WS1S} SO(D, [t_1, t_2], \lceil\pi\rceil)$. From the definition of $SO(D, [t_1, t_2], \lceil\pi\rceil)$ it follows that for all points $\vec{x} \in D^-$ and moments in time $p \in [n, m)$, $\sigma[t_1/p] \models_{WS1S} SO(\vec{x}, t_1, \pi)$ holds. Using Equation 7.1, we obtain $I[[\pi]] = 1$ for all points in space in $D^-$ and moments in time in the right-open interval $[n, m)$. So, $I[[\pi]]$ coincides on the observation interval with the function that yields 1 constantly. Therefore the measures of both functions must coincide and so $I[[\int\pi]](D \times [n, m]) = I[[\int 1]](D \times [n, m])$, which yields $I[[\lceil\pi\rceil]](D \times [n, m]) = \mathit{true}$.
The proofs for the everywhere operator with projection are similar.

Negation ($\neg F$):
7.1: Assume $I[[\neg F]](D \times [n, m]) = \mathit{true}$. Then by definition of the semantics $I[[F]](D \times [n, m]) = \mathit{false}$. Applying the induction hypothesis for Lemma 7.2 yields $\sigma \not\models_{WS1S} SO(D, [t_1, t_2], F)$, from which we can conclude $\sigma \models_{WS1S} SO(D, [t_1, t_2], \neg F)$ as required.
7.2: Assume $\sigma \models_{WS1S} SO(D, [t_1, t_2], \neg F)$. Then by definition of the translation of negation $\sigma \models_{WS1S} \neg SO(D, [t_1, t_2], F)$ and therefore $\sigma \not\models_{WS1S} SO(D, [t_1, t_2], F)$. Applying the induction hypothesis for Lemma 7.1 yields $I[[F]](D \times [n, m]) = \mathit{false}$ and by definition therefore $I[[\neg F]](D \times [n, m]) = \mathit{true}$.

Conjunction ($F \wedge G$): This is a straightforward consequence of the induction hypothesis.

Temporal Chop ($F \langle\vec{e}_t\rangle G$):

7.1: Assume $I[[F \langle\vec{e}_t\rangle G]](D \times [n, m]) = \mathit{true}$. By definition there is an $i \in [n, m]$ such that $I[[F]](D \times [n, i]) = \mathit{true}$ and $I[[G]](D \times [i, m]) = \mathit{true}$. Applying the induction hypothesis yields $\sigma[t/i] \models_{WS1S} SO(D, [t_1, t], F)$ and $\sigma[t/i] \models_{WS1S} SO(D, [t, t_2], G)$. Therefore, $\sigma \models_{WS1S} \exists t : SO(D, [t_1, t], F) \wedge SO(D, [t, t_2], G)$, which is the second-order translation of $F \langle\vec{e}_t\rangle G$.
7.2: From $\sigma \models_{WS1S} SO(D, [t_1, t_2], F \langle\vec{e}_t\rangle G) = \exists t_m : t_1 \le t_m \le t_2 \wedge SO(D, [t_1, t_m], F) \wedge SO(D, [t_m, t_2], G)$ we can conclude that there is a $q \in \mathbb{N}$ such that $\sigma[t_m/q] \models_{WS1S} SO(D, [t_1, t_m], F)$ and $\sigma[t_m/q] \models_{WS1S} SO(D, [t_m, t_2], G)$. The induction hypothesis yields that the interpretation $I$ satisfies $F$ on the interval $D \times [n, q]$ and $G$ on the interval $D \times [q, m]$. Therefore, $I$ satisfies $F \langle\vec{e}_t\rangle G$ on $D \times [n, m]$ as required.

Spatial Chop ($F \langle\vec{e}_i\rangle G$):
7.1: Assume $I[[F \langle\vec{e}_i\rangle G]](D \times [n, m]) = \mathit{true}$. By definition, there is an $r \in [\min_i D, \max_i D]$ such that $I[[F]](D \prec_i r \times [n, m]) = \mathit{true}$ and $I[[G]](D \succ_i r \times [n, m]) = \mathit{true}$. Applying the induction hypothesis yields $\sigma' \models_{WS1S} SO(D \prec_i r, [t_1, t_2], F)$ and $\sigma'' \models_{WS1S} SO(D \succ_i r, [t_1, t_2], G)$. As $SO(D \prec_i r, [t_1, t_2], F)$ and $SO(D \succ_i r, [t_1, t_2], G)$ use disjoint sets of free second-order variables for the points in space and the valuations agree on the first-order variables $t_1$ and $t_2$, they can be combined to a valuation $\sigma$ such that

$$\sigma \models_{WS1S} \bigvee_{x_m = \min_i D}^{\max_i D} \Big( SO(D \prec_i x_m, [t_1, t_2], F) \wedge SO(D \succ_i x_m, [t_1, t_2], G) \Big) \quad [= SO(D, [t_1, t_2], F \langle\vec{e}_i\rangle G)]$$

as required.
7.2: From $\sigma \models_{WS1S} SO(D, [t_1, t_2], F \langle\vec{e}_i\rangle G)$ it follows that $\sigma$ satisfies at least one subformula $SO(D \prec_i x_m, [t_1, t_2], F) \wedge SO(D \succ_i x_m, [t_1, t_2], G)$. Applying the induction hypothesis yields two interpretations $I'$ and $I''$ that satisfy $I', [n, m] \times D \prec_i x_m \models F$ and $I'', [n, m] \times D \succ_i x_m \models G$. These interpretations can be combined to an interpretation $I$ that satisfies $F \langle\vec{e}_i\rangle G$ on $[n, m] \times D$.

Spatial and Temporal Diameter: This case is clear from the definition.

From these lemmata two corollaries follow directly, establishing the correctness of the translation and thereby the correctness of the verification approach.

Corollary 7.3 (Satisfiability Checking). Let $F$ be a RSC formula possibly involving projection onto spatial or temporal axes and let $SO(D, [t_1, t_2], F)$ be its weak second-order translation. Let further $D$ be the finite space under consideration. Then the following holds: The Shape Calculus formula $F$ is satisfiable if and only if the WS1S formula $\exists t_1, t_2 : t_1 \le t_2 \wedge SO(D', [t_1, t_2], F)$ is satisfiable for some spatial interval $D' \subseteq D$.

Table 7.1: MoDiShCa formula syntax

Operation                        SC                              MoDiShCa
Everywhere                       $\lceil\pi\rceil$               [pi]
Everywhere in direction x        $\lceil\pi\rceil_x$             [pi]_x
All the time                     $\lceil\pi\rceil_t$             [pi]_t
Temporal chop                    $\langle t\rangle$              (symbol lost in extraction)
Spatial chop                     $\langle x\rangle$              (symbol lost in extraction)
Length of observation interval   $\ell_t$ or $\ell_x$            l_t or l_x
Always                           $\Box_t$ or $\Box_x$            []_t or []_x
Eventually                       $\Diamond_t$ or $\Diamond_x$    _t or _x (operator symbol lost in extraction)
Conjunction                      $\wedge$                        &
Disjunction                      $\vee$                          |
Implication                      $\Rightarrow$                   ->
Equivalence                      $\Leftrightarrow$               (symbol lost in extraction)
Negation                         $\neg$                          not

Corollary 7.4 (Validity Checking). Let $F$ be a RSC formula possibly involving projection onto spatial or temporal axes and let $SO(D, [t_1, t_2], F)$ be its weak second-order translation. Let further $D$ be the finite space under consideration. Then the following holds: The Shape Calculus formula $F$ is valid if and only if the WS1S formula $\forall t_1, t_2 : t_1 \le t_2 \Rightarrow SO(D', [t_1, t_2], F)$ is valid for all of the finitely many spatial intervals $D' \subseteq D$.
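As an added example (not code from the thesis or from MoDiShCa), the following Python sketch implements the $SO(D, [t_1, t_2], F)$ encoding of this section for one spatial dimension and emits MONA-style WS1S text. It shows the three points the correctness proof rests on: $\lceil\pi\rceil$ ranges over the right-open $D^- \times [t_1, t_2)$, the temporal chop becomes an existentially quantified first-order chop point while the spatial chop becomes a finite disjunction over split points, and $\ell_x$ constraints are decided during translation while $\ell_t$ constraints stay Presburger constraints on $t_1$ and $t_2$. The function names (`so`, `so_state`, `mona_program`, `subintervals`), the tuple-based formula representation and the `p0, p1, ...` naming of fresh variables are assumptions of this example; the MONA keywords (`ws1s`, `var2`, `ex1`, `all1`, `in`) are used as documented for MONA, but whether MoDiShCa emits exactly this text is not claimed.

```python
"""Translate a discrete Restricted Shape Calculus formula (one spatial
dimension, finite space) into WS1S in MONA-style syntax, following the
SO(D, [t1, t2], F) encoding of Section 7.1.  Example code, not MoDiShCa."""
import operator
from itertools import count

_CMP = {'=': operator.eq, '<': operator.lt, '<=': operator.le,
        '>': operator.gt, '>=': operator.ge}
_fresh = count()

# Formula representation (an assumption of this example), nested tuples:
#   state assertions:  ('obs', 'X') | ('not', pi) | ('and', pi, rho)
#   formulas:          ('true',) | ('every', pi) | ('neg', F) | ('conj', F, G)
#                      ('tchop', F, G)  F <e_t> G   | ('schop', F, G)  F <e_x> G
#                      ('lt', op, n)    l_t ~ n     | ('lx', op, n)    l_x ~ n

def fresh():
    """Fresh first-order variable (prefix p, so it cannot clash with t1, t2)."""
    return f"p{next(_fresh)}"

def so_state(x, t, pi):
    """SO(x, t, pi): observable X at point x is the second-order variable X_x,
    and 'X holds at time t' is the membership 't in X_x'."""
    kind = pi[0]
    if kind == 'obs':
        return f"{t} in {pi[1]}_{x}"
    if kind == 'not':
        return f"~({so_state(x, t, pi[1])})"
    if kind == 'and':
        return f"({so_state(x, t, pi[1])} & {so_state(x, t, pi[2])})"
    raise ValueError(f"unknown state assertion {pi!r}")

def so(D, t1, t2, f):
    """SO(D, [t1, t2], F) for the spatial interval D = (a, b) of points a..b."""
    a, b = D
    kind = f[0]
    if kind == 'true':
        return "true"
    if kind == 'every':
        # everywhere ranges over the right-open D^- x [t1, t2): points a..b-1
        t = fresh()
        points = [so_state(x, t, f[1]) for x in range(a, b)]
        body = " & ".join(points) if points else "true"
        return f"(all1 {t}: ({t1} <= {t} & {t} < {t2}) => ({body}))"
    if kind == 'neg':
        return f"~({so(D, t1, t2, f[1])})"
    if kind == 'conj':
        return f"({so(D, t1, t2, f[1])} & {so(D, t1, t2, f[2])})"
    if kind == 'tchop':
        # temporal chop: existentially quantified chop point tm in [t1, t2]
        tm = fresh()
        return (f"(ex1 {tm}: {t1} <= {tm} & {tm} <= {t2} & "
                f"{so(D, t1, tm, f[1])} & {so(D, tm, t2, f[2])})")
    if kind == 'schop':
        # spatial chop: space is finite, so enumerate every split point r
        parts = [f"({so((a, r), t1, t2, f[1])} & {so((r, b), t1, t2, f[2])})"
                 for r in range(a, b + 1)]
        return "(" + " | ".join(parts) + ")"
    if kind == 'lt':
        # l_t ~ n  is the Presburger constraint  t2 ~ t1 + n
        op, n = f[1], f[2]
        return f"({t2} {op} {t1} + {n})"
    if kind == 'lx':
        # l_x ~ n  is decided now: the spatial interval is known explicitly
        op, n = f[1], f[2]
        return "true" if _CMP[op](b - a, n) else "false"
    raise ValueError(f"unknown formula {f!r}")

def observables(f):
    """Names of observables occurring in f (for the var2 declarations)."""
    if not isinstance(f, tuple):
        return set()
    if f[0] == 'obs':
        return {f[1]}
    return set().union(*(observables(c) for c in f[1:]))

def subintervals(D):
    """All spatial intervals D' = (p, q) contained in D = (a, b)."""
    a, b = D
    return [(p, q) for p in range(a, b + 1) for q in range(p, b + 1)]

def mona_program(D, f, mode='sat'):
    """Whole MONA input: Corollary 7.3 ('sat', some D' admits a model) or
    Corollary 7.4 ('valid', F holds on every D' and every [t1, t2])."""
    a, b = D
    decls = [f"{X}_{x}" for X in sorted(observables(f)) for x in range(a, b)]
    lines = ["ws1s;"] + (["var2 " + ", ".join(decls) + ";"] if decls else [])
    if mode == 'sat':
        body = " | ".join(f"(ex1 t1, t2: t1 <= t2 & {so(Dp, 't1', 't2', f)})"
                          for Dp in subintervals(D))
    else:
        body = " & ".join(f"(all1 t1, t2: t1 <= t2 => {so(Dp, 't1', 't2', f)})"
                          for Dp in subintervals(D))
    return "\n".join(lines + [body + ";"])

if __name__ == "__main__":
    # trainPartWeak of Section 7.2.2: not ([not train] <e_x> true)
    train_part_weak = ('neg', ('schop', ('every', ('not', ('obs', 'train'))), ('true',)))
    print(mona_program((0, 3), ('conj', train_part_weak, ('lx', '>', 0)), 'sat'))
```

`mona_program(D, F, 'sat')` builds the disjunction over all $D' \subseteq D$ of Corollary 7.3, and `'valid'` the conjunction of Corollary 7.4. The blow-up is visible in `so`: every spatial chop multiplies the output by $|D| + 1$ candidate split points, and nested spatial chops multiply again, which is the polynomial growth in the spatial cardinality noted for MoDiShCa in Section 7.2.3.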

7.2 Automatic Verification of Shape Calculus Specifications

The decision procedure presented beforehand has been prototypically implemented by J.-D. Quesel in the tool MoDiShCa (Model Checker for Discrete Shape Calculus) [Que05, QS06]. In the spirit of DCValid [Pan00] it translates a textual representation of the Restricted Discrete Shape Calculus into MONA syntax and uses MONA as a backend for checking satisfiability and validity. Additionally, MONA is able to generate satisfying examples and counterexamples. Beyond the basic operators defined in Chapter 2.2, the abbreviations are also implemented in order to enhance the usability of the program. Additionally, MoDiShCa supports formula macros, constants and integer variables, permitting structured specifications.

Table 7.2: MoDiShCa declaration part

Declaration           Keyword   Example
Boolean observable    bool      bool X
Integer observable    int       int a[5]
Constant              const     const ten = 10
Spatial dimension     dim       dim x = 3
Formula macro                   $require = [X][Y]

7.2.1 The tool MoDiShCa

MoDiShCa supports an arbitrary number of spatial dimensions, which have to be declared together with their cardinality as sketched in Figure 7.2. Observables can either be Boolean or bounded integers. Formula macros can be used to make the specification more concise. The formula to be checked is introduced by the keyword verify: in the last line of the file. As the translation of SC for satisfiability checking is different from the encoding for validity checking, the keyword validity is used to switch MoDiShCa to validity checking mode, as shown in Listing 1. An overview of the MoDiShCa operator syntax is given in Figure 7.1.

7.2.2 Using SC for modelling the Railroad Crossing

In this section we demonstrate the expressiveness of the discrete Restricted Shape Calculus by using it for the specification of the GRC case study. This specification is automatically verified using the tool MoDiShCa. In the first part, we model the standard GRC in Shape Calculus. In the second part, we elaborate a specification for two trains that pass the crossing successively.

The Standard Benchmark Version

We model the rails using one spatial dimension $x$ and employ two observables: train and open. The observable train is true in a spatial point at a given time iff the train occupies this position at that point in time. The other observable models the gate status:

it is true iff the gate is open. The train touches the bound of a spatial interval if this interval cannot be split such that there is no train on the first part. This is defined in SC as follows:

$$\mathit{trainPartWeak} \stackrel{df}{=} \neg(\lceil\neg \mathit{train}\rceil \;\langle\vec{e}_x\rangle\; \mathit{true}).$$

While trainPartWeak is satisfied for the empty observation interval without enforcing the existence of a train, the existence is ensured by a stronger version additionally requiring the observation interval to have non-zero length:

$$\mathit{trainPart} \stackrel{df}{=} \mathit{trainPartWeak} \wedge \ell_{\vec{e}_x} > 0$$

Using this specification, the distance of the nearest train is captured by the following formula:

$$\mathit{dist}(\delta) \stackrel{df}{=} \big( (\lceil\neg \mathit{train}\rceil \vee \lceil\,\rceil_{\vec{e}_x}) \wedge \ell_{\vec{e}_x} = \delta \big) \;\langle\vec{e}_x\rangle\; \mathit{trainPart}$$

Using the chop operator $\langle\vec{e}_x\rangle$, we split the track into two parts such that the leftmost part has length $\delta$ and is not occupied by any train. As the rightmost part itself cannot be split again without the beginning being occupied, this expresses the maximality of the chopping position and therefore the maximum choice for the variable $\delta$. Using this pattern, we can formally specify the three regions empty, approaching and crossing.

$$\mathit{empty} \stackrel{df}{=} \lceil\neg \mathit{train}\rceil$$

$$\mathit{appr} \stackrel{df}{=} \mathit{dist}(\delta) \wedge 2 \le \delta < 10$$

$$\mathit{cross} \stackrel{df}{=} \mathit{dist}(\delta) \wedge \delta < 2$$

Thus, the track is empty iff there is no train. The train is considered to be approaching (appr) if it is in the spatial interval $[2, 10)$, and it is crossing (cross) if it is in the interval $[0, 2)$. We model the train to proceed with velocity maxSpeed spatial units per time unit and define the progress requirement by the following formula.

$$\mathit{runProgress} \stackrel{df}{=} \Box_{\vec{e}_t} \Box_{\vec{e}_x} \Big( \big( (\ell_{\vec{e}_x} = \mathit{maxSpeed} \;\langle\vec{e}_x\rangle\; \mathit{trainPart}) \wedge \ell_{\vec{e}_t} = 1 \big) \;\langle\vec{e}_t\rangle\; \ell_{\vec{e}_t} = 1 \;\Rightarrow\; (\ell_{\vec{e}_t} = 1 \;\langle\vec{e}_t\rangle\; \mathit{trainPart}) \Big)$$

The formula runProgress reads as follows. If for some spatio-temporal subinterval some part of the train has a distance of maxSpeed spatial units, then one time unit later it has distance zero. The operators $\Box_{\vec{e}_t}$ and $\Box_{\vec{e}_x}$ quantify over all spatio-temporal subintervals. A subinterval satisfies the antecedent of the implication if it can be chopped in time such that both subintervals have a temporal length of one. Furthermore, the first subinterval can be chopped in space such that the first part has length maxSpeed and the second part satisfies trainPart. Hence, the antecedent is satisfied if the train is maxSpeed spatial units away at the beginning. Similarly, the succedent is satisfied if the interval is chopped in the middle again and the train has arrived on the second part. Vice versa, we have to ensure that a train may only have distance zero now if it has been maxSpeed spatial units away a second ago. Otherwise teleportation would be permitted by the specification.

$$\mathit{runMaxSpeed} \stackrel{df}{=} \Box_{\vec{e}_t} \Box_{\vec{e}_x} \Big( \ell_{\vec{e}_x} > \mathit{maxSpeed} \wedge (\ell_{\vec{e}_t} = 1 \;\langle\vec{e}_t\rangle\; \mathit{trainPart}) \;\Rightarrow\; \big( (\ell_{\vec{e}_x} = \mathit{maxSpeed} \;\langle\vec{e}_x\rangle\; \mathit{trainPart}) \wedge \ell_{\vec{e}_t} = 1 \big) \;\langle\vec{e}_t\rangle\; \ell_{\vec{e}_t} = 1 \Big)$$

We need the following assumptions about the environment. Initially, the track is assumed to be empty, and reactTime time units after some train is detected in the approaching or crossing region the gates are closed.

$$\mathit{initEmpty} \stackrel{df}{=} \ell_{\vec{e}_t} > 0 \Rightarrow (\mathit{empty} \;\langle\vec{e}_t\rangle\; \mathit{true})$$

$$\mathit{reactBound} \stackrel{df}{=} \Box_{\vec{e}_t} \Big( (\mathit{appr} \vee \mathit{cross}) \wedge \ell_{\vec{e}_t} > \mathit{reactTime} \;\Rightarrow\; (\ell_{\vec{e}_t} = \mathit{reactTime}) \;\langle\vec{e}_t\rangle\; \lceil\neg \mathit{open}\rceil \Big)$$

Using these assumptions, the main safety requirement can be automatically verified for predefined values of maxSpeed and reactTime:

$$\mathit{safety} \stackrel{df}{=} \neg \Diamond_{\vec{e}_t} (\mathit{cross} \wedge \lceil \mathit{open}\rceil)$$

Extending the GRC

To allow for two trains to pass the crossing successively, we introduce two observables train1 and train2 and use two constants maxSpeed1 and maxSpeed2 to describe the speed of the first and the second train, respectively. The movement of both trains is modelled using the same patterns as in the previous section. The only new requirement that is needed is initial mutual exclusion, i.e.,

$$\mathit{initExcl} \stackrel{df}{=} \neg \Diamond_{\vec{e}_t} \big( (\ell_{\vec{e}_x} = 9) \;\langle\vec{e}_x\rangle\; \lceil \mathit{train}_1 \wedge \mathit{train}_2 \rceil \big).$$

This formula reads as follows: it is never possible that on the last spatial position both train1 and train2 are true. Using this assumption and assuming that both trains have the same speed, i.e., maxSpeed1 = maxSpeed2, it is possible to verify a second safety requirement expressing that the two trains never collide:

$$\mathit{safety}_2 \stackrel{df}{=} \neg \Diamond_{\vec{e}_t} \Diamond_{\vec{e}_x} \lceil \mathit{train}_1 \wedge \mathit{train}_2 \rceil.$$

7.2.3 Verifying the Extended Generalised Railroad Crossing

The specification of the extended case study in MoDiShCa syntax is given slightly abbreviated in Listing 1. As the spatial points are explicitly enumerated, the spatial parameters are to be instantiated to concrete values. We assume maxSpeed = 1 and reactTime = 5 in this specification and verified the requirement using an increasingly larger spatial dimension. The tests whose results are presented in Table 7.3 were conducted on an AMD Sempron 2800+ with 1 GB RAM. For a spatial cardinality of 5 the safety requirement is not satisfied, as the train can proceed 5 spatial units during the reaction time. This behaviour is exhibited by the generated counterexample. Similarly to DCValid for Duration Calculus, MoDiShCa suffers from the non-elementary complexity of the validity problem. The WS1S formula grows polynomially in the size of the spatial dimension (its cardinality), and the degree of the polynomial is determined by the number of nested spatial chops. Therefore, even small spatial dimensions, here a size of 15, exceed the capacity of MONA, although the MONA developers devoted much attention to an efficient BDD-based representation of the transition relation. The usage of projection in specifications permits more system behaviour and therefore increases the model checking complexity. Specifying the three zones empty, approach, and crossing using projection onto the x-axis exceeds the capabilities of MONA even for a space of cardinality ten.

bool t1;                # declaration of observable t1 for the first train
bool t2;                # declaration of observable t2 for the second train
dim x = 6;              # declaration of dimension with cardinality 6
const speed1 = 1;       # declaration of the constant speed1 for
                        # the first train, the same for second train
const reactTime = 5;    # declaration of constant reactTime for
                        # the gate controller
validity;               # checking for validity

# specification of the GRC in MoDiShCa Syntax
# The train-patterns
$trainPart1 = (( not ([not t1] true)) & l x > 0) ;
$trainPartWeak1 = (( not ([not t1] true))) ;
# defining the three zones
$empty = ([not t1] & [not t2]);
$appr = ([(not t1) & (not t2)] & l x < 5 & l x >= 2) not ([not (not t1) & (not t2)] true);
$cross = (([( not t1) & (not t2)] & l x < 2 ) | l x = 0) ((not ([(not t1) & (not t2)] true)) & l x > 1);
# Defining the movement of both trains
$runProgress1 = ([] t ([] x ((((( l x = speed1) ($trainPart1))& l t = 1) (l t=1)) -> (l t = 1 (($trainPart1))))));
$runMaxSpeed1 = ([] t ([] x (( l x > speed1 & (l t = 1 ($trainPart1 & l t = 1))) -> (((l x = speed1) ($trainPartWeak1))& l t = 1) (l t=1))));
# ... the same for the second train...
# specifying the reaction time of the gate controller
$reactAppr = ([] t ((( $appr | $cross ) & l t > reactTime) -> ((l t = reactTime)[not open])));
# assumptions on the Environment
$initEmpty = l t > 0 -> ($empty true);
$initExclusion = [] t (not (l x = 5 [t1 & t2] true));
$assumptions = $reactAppr & $initEmpty & l x = 6 & $runMaxSpeed1 & $runMaxSpeed2 & $runProgress1 & $runProgress2 & $initExclusion ;
# the safety requirement
$safety = $assumptions -> ( (not t x [t1 & t2]) & not ( t ($cross & [open])));
# formula to verify
verify: $safety

Listing 1: Extended Railroad crossing in MoDiShCa syntax
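The patterns of Section 7.2.2 can also be checked directly against a concrete run, without going through MONA, by evaluating the Shape Calculus semantics over a finite one-dimensional space and a bounded discrete time line. The following Python code is an added example (not the thesis's code and not MoDiShCa): formulas are Python functions over an interpretation $I$, a spatial interval $D = (a, b)$ and a temporal interval $T = (n, m)$; the names `every`, `tchop`, `schop`, `box_t`, `dist`, `run_progress`, `grc_check` and the constructed train runs are assumptions of this example. Two decisions that the text leaves implicit are made explicit here. First, $\lceil\pi\rceil$ is taken to require positive extent in both space and time (the Duration Calculus convention): with the bare condition $\int\pi = \int 1$ of Section 7.1, $\lceil\neg\mathit{train}\rceil$ would hold on an empty left chop part and trainPartWeak could never be satisfied, contradicting the remark that it holds on the empty observation interval. Second, runMaxSpeed follows Listing 1, whose antecedent conjoins $\ell_{\vec{e}_t} = 1$ to trainPart so that antecedent and consequent span the same two time units.

```python
"""Direct evaluation of discrete Restricted Shape Calculus formulas on a
finite 1-D space and bounded discrete time, and the GRC patterns of
Section 7.2.2 checked on constructed train runs.  Example code only."""
import operator

_CMP = {'=': operator.eq, '<': operator.lt, '<=': operator.le,
        '>': operator.gt, '>=': operator.ge}

# State assertions are functions (I, x, t) -> bool; I maps observable names
# to functions (x, t) -> bool.  Formulas are functions (I, D, T) -> bool with
# D = (a, b) the spatial observation interval (points a..b, l_x = b - a) and
# T = (n, m) the temporal one (l_t = m - n).
def obs(name):
    return lambda I, x, t: I[name](x, t)

def nots(pi):
    return lambda I, x, t: not pi(I, x, t)

def every(pi):
    """[pi]: pi at every point of D^- x [n, m); positive extent in both
    directions is required here (Duration Calculus convention, assumed)."""
    def f(I, D, T):
        (a, b), (n, m) = D, T
        return b > a and m > n and all(pi(I, x, t)
                                       for x in range(a, b) for t in range(n, m))
    return f

TRUE = lambda I, D, T: True
neg = lambda F: (lambda I, D, T: not F(I, D, T))
conj = lambda *Fs: (lambda I, D, T: all(F(I, D, T) for F in Fs))
disj = lambda *Fs: (lambda I, D, T: any(F(I, D, T) for F in Fs))
impl = lambda F, G: (lambda I, D, T: (not F(I, D, T)) or G(I, D, T))
len_t = lambda op, k: (lambda I, D, T: _CMP[op](T[1] - T[0], k))
len_x = lambda op, k: (lambda I, D, T: _CMP[op](D[1] - D[0], k))

def tchop(F, G):
    """F <e_t> G: some i in [n, m] splits time into [n, i] and [i, m]."""
    return lambda I, D, T: any(F(I, D, (T[0], i)) and G(I, D, (i, T[1]))
                               for i in range(T[0], T[1] + 1))

def schop(F, G):
    """F <e_x> G: some r in [a, b] splits space into [a, r] and [r, b]."""
    return lambda I, D, T: any(F(I, (D[0], r), T) and G(I, (r, D[1]), T)
                               for r in range(D[0], D[1] + 1))

def box_t(F):
    """[]_t F: F on every temporal subinterval [i, j] of [n, m]."""
    return lambda I, D, T: all(F(I, D, (i, j))
                               for i in range(T[0], T[1] + 1)
                               for j in range(i, T[1] + 1))

def box_x(F):
    """[]_x F: F on every spatial subinterval [p, q] of [a, b]."""
    return lambda I, D, T: all(F(I, (p, q), T)
                               for p in range(D[0], D[1] + 1)
                               for q in range(p, D[1] + 1))

dia_t = lambda F: neg(box_t(neg(F)))

# --- GRC patterns of Section 7.2.2 (observables train, open) ---------------
train, gate_open = obs('train'), obs('open')
trainPartWeak = neg(schop(every(nots(train)), TRUE))
trainPart = conj(len_x('>', 0), trainPartWeak)

def dist(delta):
    """Nearest train is exactly delta units from the left end of D."""
    return schop(conj(len_x('=', delta), disj(every(nots(train)), len_x('=', 0))),
                 trainPart)

empty = every(nots(train))
appr = disj(*(dist(d) for d in range(2, 10)))   # train in [2, 10)
cross = disj(*(dist(d) for d in range(0, 2)))   # train in [0, 2)

def run_progress(max_speed):
    ante = tchop(conj(len_t('=', 1), schop(len_x('=', max_speed), trainPart)),
                 len_t('=', 1))
    cons = tchop(len_t('=', 1), trainPart)
    return box_t(box_x(impl(ante, cons)))

def run_max_speed(max_speed):
    # antecedent as in Listing 1: the trainPart conjunct also has l_t = 1
    ante = conj(len_x('>', max_speed),
                tchop(len_t('=', 1), conj(len_t('=', 1), trainPart)))
    cons = tchop(conj(len_t('=', 1), schop(len_x('=', max_speed), trainPart)),
                 len_t('=', 1))
    return box_t(box_x(impl(ante, cons)))

safety = neg(dia_t(conj(cross, every(gate_open))))

# --- constructed runs (sample data, not from the thesis) -------------------
TRACK, HORIZON = (0, 10), (0, 8)   # points 0..9, ticks 0..8

def model(position, closes_at):
    """Single-point train at position(t); gate open at ticks before closes_at."""
    return {'train': lambda x, t: x == position(t),
            'open': lambda x, t: t < closes_at}

def grc_check(max_speed=1):
    """Evaluate the patterns on three runs; returns a dict of results."""
    moving = model(lambda t: 8 - t, closes_at=7)     # one unit per tick towards 0
    late_gate = model(lambda t: 8 - t, closes_at=8)  # gate still open at tick 7
    jumping = model(lambda t: 8 - t if t < 3 else 5 - t, closes_at=7)  # 6 -> 2
    progress, max_sp = run_progress(max_speed), run_max_speed(max_speed)
    return {
        'moving_progress': progress(moving, TRACK, HORIZON),
        'moving_maxspeed': max_sp(moving, TRACK, HORIZON),
        'jumping_progress': progress(jumping, TRACK, HORIZON),
        'jumping_maxspeed': max_sp(jumping, TRACK, HORIZON),
        'appr_at_start': appr(moving, TRACK, (0, 1)),
        'cross_at_end': cross(moving, TRACK, (7, 8)),
        'safety_gate_closed_at_7': safety(moving, TRACK, HORIZON),
        'safety_gate_closed_at_8': safety(late_gate, TRACK, HORIZON),
    }

if __name__ == "__main__":
    for name, value in grc_check().items():
        print(f"{name}: {value}")
```

`grc_check()` evaluates the patterns on a train that advances one unit per tick towards the crossing, on one that jumps from position 6 to position 2, and on the moving train with a gate that closes one tick too late. Only the first run satisfies runProgress and runMaxSpeed, and safety fails exactly when the gate is still open at the tick on which the train enters the crossing region $[0, 2)$; with the explicit subinterval enumeration in `box_t` and `box_x` the cost grows quickly, which is the same effect that limits MONA in Table 7.3.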

7.2.4 Verifying the Single-Track Line Segment Case Study

As indicated in the introduction, a central case study in the UniForM project was a formal verification of a controller for a tramway system. During maintenance of a two-track tramway, one track may be blocked and the traffic for both directions is directed over a critical single-track line segment (SLS). Access to this segment is regulated by two light signals. Sensors attached to the tracks are activated by passing trains. This scenario is depicted in Figure 7.1.

Figure 7.1: Scenario of the SLS Case Study

As tramways do not operate with a high speed, a sequence of trams going in the same direction shall be allowed to pass the critical segment consecutively. Furthermore, trams are eligible to change the direction within the critical segment if there is no other tram behind. To sum up, mutual exclusion in the critical segment is too strong. Requiring all trams in the critical segment to go in the same direction is still too strong, as sketched in Figure 7.2. We use two observables Train1 and Train2 to model two trains. The directions of the trains are given by DIR1 and DIR2, the state of the light signals by SIG1 and SIG2. The space is assumed to have size 4, which is a reasonable abstraction in this case: as the first and the last positions represent the boundaries of the critical segment, two segments in the middle are enough to contain two consecutive trams.

Table 7.3: Experimental results for checking safety in GRC.

Card.   MoDiShCa runtime   file size   MONA runtime
5       0.05 sec           192 K       0.3 sec
10      0.15 sec           1.7 M       2.7 sec
11      0.20 sec           2.3 M       4.2 sec
12      0.28 sec           3.2 M       7.8 sec
13      0.40 sec           4.4 M       13.7 sec
14      0.52 sec           5.9 M       26.2 sec
15      0.66 sec           7.8 M       Overflow of MONA BDD structure

Figure 7.2: a) Safe situation, b) Unsafe situation

bool Train1;
bool Train2;
bool DIR1;
bool DIR2;
bool SIG1;
bool SIG2;
dim x = 4;

The values of the observables modelling the directions and signal states are independent of the spatial position. This is specified by the following requirements.

$DIR1AS = [] t (([DIR1] true) | ([not DIR1] true) | l t = 0);
$DIR2AS = [] t (([DIR2] true) | ([not DIR2] true) | l t = 0);
$SIG1AS = [] t (([SIG1] true) | ([not SIG1] true) | l t = 0);
$SIG2AS = [] t (([SIG2] true) | ([not SIG2] true) | l t = 0);
$NONSPAT = $DIR1AS & $DIR2AS & $SIG1AS & $SIG2AS;

Similar to the railroad crossing example, we specify the movement of a tramway. However, the behaviour is more complex, as the tram can run forward, indicated by the suffix Fwd, and backward, indicated by the suffix Bwd, depending on the value of the observable DIR indicating the direction of the movement. The specification of the second train is analogous.

### Train 1
$trainBegin1 = (( not ([not Train1] true)) & l x > 0) ;
$trainBeginWeak1 = (( not ([not Train1] true))) ;
$runProgressFwd1 = ([] t ([] x ((((( l x = maxSpeed) ($trainBegin1)) & l t = 1) (l t = 1)) -> (l t = 1 (($trainBegin1)))) & (((( $trainBegin1) & l t = 1) (l t = 1)) -> ((l t = 1) (( [not Train1] true ) & l t = 1)))));
$runMaxSpeedFwd1 = ([] t ([] x (( l x > maxSpeed & (l t = 1 ($trainBegin1 & l t = 1))) -> (((l x = maxSpeed) ($trainBeginWeak1))& l t = 1) (l t=1))) );
$runProgressBwd1 = ([] t ([] x (((( (l x > maxSpeed & ($trainBegin1))& l t = 1)(l t=1)) -> (l t = 1 ((l x = maxSpeed) ($trainBegin1)))) & ((( (l x = maxSpeed & ($trainBegin1))& l t = 1)(l t=1)) -> (l t = 1 ( [not Train1] ))) )));
$runMaxSpeedBwd1 = ([] t ([] x (( l x > maxSpeed & (l t = 1 (((l x = maxSpeed) ($trainBegin1))& l t = 1))) -> ($trainBegin1& l t = 1)(l t=1))));

The size of a train is fixed to one.

$size1 = not t x ([Train1] & l x > 1);

A train may only change the direction if there is no other train ahead in the new direction. This requirement is given by the following formula.

## Combining Behaviour for Train1 and Train2
$changeDir1 = not t x (([DIR1] ([not DIR1] & (( $trainBegin1 $trainBegin2) | ($trainBegin1 & $trainBegin2)))) | ([not DIR1] ([DIR1] & (( $trainBegin2 $trainBegin1) | ($trainBegin2 & $trainBegin1)))));

It states that at no time and at no place is it possible that the state changes from DIR1 to $\neg$DIR1 while the beginning of Train1 is in front of the beginning of Train2, i.e., $\$trainBegin1 \;\langle\vec{e}_x\rangle\; \$trainBegin2$, or both trains coincide, $\$trainBegin1 \wedge \$trainBegin2$. The second disjunct imposes the analogous requirement for the other direction. A train is running forward if the state of the DIR observable is true and running backward otherwise. This is ensured by the following requirement.

$runDir1 = [] t ((([DIR1] (l t = 1)) -> ($runFwd1 & $runonlyFwd1)) & (([not DIR1] (l t = 1)) -> ($runBwd1 & $runonlyBwd1)));
$run1 = ($runDir1) & ($changeDir1) & $size1;

To ensure safety on the critical segment, at most one train may enter the critical segment on each side.

## MUTEX Entry (MUTEX on waiting zone x = 1 or x = 4)
$MUTEXENTRY = not t (([Train1 & Train2] true) | (true [Train1 & Train2]));

Furthermore, a train may only enter the critical segment if the light signal on the respective side is lit.

## Entry from right = 4 only if SIG2 is true
$ENTRYR1 = (not t ((true [not SIG2]) & (((true ([not Train1] & l x = 2)) (true [Train1])) | ((true ([not Train2] & l x = 2)) (true [Train2])))));
## Entry from left = 0 only if SIG1 is true
$ENTRYL1 = (not t ((true [not SIG1]) & (((([not Train1] & l x = 2) true) ([Train1] true)) | ((([not Train2] & l x = 2) true) ([Train2] true)))));

Initially, the tracks are empty.

$INITEMPTY = ([not Train1] & [not Train2]) true;

We now specify the requirements for the real-time signal controller for the light control. At first, both signals may not be green at the same time. Additionally, the signals may only change their status if the critical segment is empty. This can be detected by the controller by counting incoming and outgoing trains.

## Requirements on signal lights
$MUTEX = [(not SIG1) | (not SIG2)];
# Signals Change only on empty track
$SIGCHANGE = not t ((([SIG1] [not SIG1]) & not [not Train1 & not Train2]) |
                    (([SIG2] [not SIG2]) & not [not Train1 & not Train2]) |
                    (([not SIG1] [SIG1]) & not [not Train1 & not Train2]) |
                    (([not SIG2] [SIG2]) & not [not Train1 & not Train2]));
$SIGREQ = $MUTEX & $SIGCHANGE;

With these requirements, we can automatically verify the safety requirement that two trains never overlap. To this end, we check whether the formula $\mathit{\$REQ} \wedge \ell_{\vec{e}_x} = 4 \wedge \Diamond_{\vec{e}_x}\Diamond_{\vec{e}_t}\lceil \mathit{Train1} \wedge \mathit{Train2}\rceil$, specifying the unsafe behaviour, is satisfiable.

$REQ = $NONSPAT & $run1 & $run2 & $INITEMPTY & $ENTRYL1 & $ENTRYR1 & $SIGREQ & $MUTEXENTRY;
verify: $REQ & l x = 4 & x t ([Train1 & Train2])

Running the tool MoDiShCa shows that this is not possible. However, as the output for an incorrect specification yields deeper insights than that for a correct one, we also consider an unsafe specification. Omitting the requirement $SIGCHANGE from the specification enables an unsafe behaviour. This possibility is revealed by MoDiShCa by presenting a valuation satisfying $\Diamond_{\vec{e}_x}\Diamond_{\vec{e}_t}\lceil \mathit{Train1} \wedge \mathit{Train2}\rceil$. The example is given in Figure 7.3. It shows clearly that after the first train (Train2) has entered the critical segment at time point 2, the signal changes and Train1 also enters the critical segment, which is what the signal controller is supposed to prevent.

A satisfying example of least length (5) is:
t1       X 1XXXX
t2       X 00001
Train1_0 X 0010X
Train1_1 X 0001X
Train1_2 X 0000X
Train1_3 X 0000X
Train2_0 X 0000X
Train2_1 X 0001X
Train2_2 X 0010X
Train2_3 X 0100X
DIR1     X 0000X
DIR2     X 1111X
SIG1     X 0010X
SIG2     X X10XX

Figure 7.3: Example computed by MoDiShCa / MONA satisfying the negated safety property.

Abstraction and Evaluation

The prototypical implementation of the algorithm introduces four second-order variables for each of the four observables that do not depend on the spatial position (SIG1, SIG2, DIR1 and DIR2). As these observables do not change over space, one second-order variable is sufficient. Therefore, they are substituted by only one second-order variable for each of these observables by a post-processing script. Without this modification the model becomes too large to be analysed by the second-order model checker MONA.

Summary We have shown that the assumptions on the environment and the reasonable behaviour of the tramway driver can be specified very naturally in Shape Calculus. Using these assumptions, we have reduced the spatio-temporal requirements of the overall system to real-time requirements for the controller, which can be checked with standard tools for real-time systems.

7.3 Related Work

The tool DCValid [Pan00] checks validity and satisfiability by translating Duration Calculus into Weak Second-Order Logic and using MONA [KM01] as a verification backend. Instead of modelling the system behaviour by logical formulae, the model checking approach may also consider an operational model, e.g., Timed Automata for real-time systems, and verify whether the runs of the automaton satisfy a property stated in a temporal logic. For Duration Calculus the decidability of the model checking problem for Timed Automata and discrete time domain is shown in [Han94]. Subsets of continuous-time Duration Calculus for which decidability of this model checking problem still holds are investigated by Fränzle in [Frä04]. Aiming at verifying mobile systems described by π-calculus processes, the spatial logics model checker [Cai04, VC05] is able to verify for a subset of the π-calculus processes whether they satisfy properties given by a spatial logic based on [CC03].

Chapter 8 Conclusion

8.1 Summary

In this thesis we have presented a new spatio-temporal formalism called Shape Calculus, designed to fit the needs of the specification and verification of mobile real-time system designs.

Shape Calculus
The Shape Calculus is derived from Duration Calculus, which is already established as a suitable tool for the formal modelling of real-time systems. We have elaborated a theory, starting with a formal definition of the semantics and establishing basic algebraic properties.

Applicability
Formal methods, even those dealing only with real-time systems, are difficult to handle for inexperienced users. As complexity increases when taking time and space into account, we elaborated an approach to make usage easier. To this end, we presented a set of patterns for specification problems that occur frequently. These patterns are accompanied by rules for their formal manipulation. We demonstrated the use and expressiveness of Shape Calculus by conducting case studies and presenting the results.

Basic Properties
Investigating basic properties, we gave a proof of undecidability and non-axiomatisability of Shape Calculus for dense and discrete spatio-temporal domains. This result is new, as Duration Calculus is decidable for discrete temporal domains. Nevertheless, we have shown that a relative axiomatisation similar to the result for Duration Calculus is still possible. Due to the undecidability in the general case, we considered subsets of Shape Calculus that preserve decidability. Two decidable subsets are presented, one obtained by restricting space to finite domains and one obtained by forbidding arbitrary mixing of chop operators.

Tool Support
Apart from these theoretical results, we developed an embedding of Shape Calculus in Weak Second-Order Logic of one successor. This embedding has been exploited in the development of a model checking tool for discrete Shape Calculus, translating Shape Calculus into the input format of the tool Mona.

8.2 Perspectives

Although we have presented a rich theory for Shape Calculus, there are several questions that arise naturally and that are left for future work.

Domains
Considering the application domains, the formalism was initially developed for the formal verification of mobile real-time systems. A discussion with Anders Ravn revealed several new areas of application. The question of inverse kinematics [Mur94] is vital in robotics. The problem is how to adjust degrees of freedom in such a way that the whole object has a given spatial configuration. Apart from robotics this problem is important in computational biology concerning protein structure [vdBLLD05]. There is no analytic solution to this class of problems. However, if the object and the goal configuration can be specified in Shape Calculus, the problem may be tackled by model checking techniques. A different promising domain in robotics is the representation of the perception of the environment. Traditional approaches like the Region Connection Calculus do not provide any metric information, whereas representing points in a Euclidean space explicitly might provide too much and unnecessary information.

Operational Models
There are operational models like Timed Automata for real-time systems and the π-calculus for mobile systems. Therefore operational models for systems exhibiting mobility and real-time aspects are to be investigated. This includes model checking of properties given in Shape Calculus for these operational models.

Applicability
Concerning applicability of the Shape Calculus, we have presented a set of patterns. By conducting additional case studies, the set of patterns and rules can be extended. Additionally, it might be desirable to develop a graphical representation of Shape Calculus. This would enable a more intuitive usage while preserving the formal foundation. The graphical representation shall include graphical refinement rules similar to the Constraint Diagrams [Kle00, Die96b] for Duration Calculus. In general, developing a more convenient calculus, for example in natural deduction style as presented in [Ras02] for interval logic, also deserves further attention.

Tool Support
Tool support is still prototypical. Optimisations and different representations are to be taken into account. This also includes abstraction techniques. But not only optimisations may be envisaged for future work, but also completely different verification approaches. Bounded model checking using SAT solver techniques is still to be investigated.

Combinations
A combination of Duration Calculus, the process algebra CSP and the method Z has been recently proposed and investigated [HM05, Hoe06]. As Z is well suited for the specification of data, a combination with Shape Calculus might be useful for representing internal states of, and complex computations in, mobile systems.


Bibliography [AB00]

A. Abdelwaheb and D. Basin. Bounded Model Construction for Monadic Second-Order Logics. In 12th International Conference on Computer-Aided Verification (CAV’00), volume 1855 of LNCS, pages 99–113, Chicago, USA, July 2000. Springer-Verlag.

[AD94]

R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994.

[ADN97]

S. N. Artemov, J. Davoren and A. Nerode. Modal Logics and Topological Semantics for Hybrid Systems. Technical Report 97-05, Cornell University, Ithaca, 1997.

[AH94]

R. Alur and T. A. Henzinger. A Really Temporal Logic. J. ACM, 41(1):181–204, 1994.

[Aie02]

M. Aiello. Spatial Reasoning: Theory and Practice. PhD thesis, University of Amsterdam, Institute for Logic, Language and Computation, 2002.

[All83]

J. F. Allen. Maintaining Knowledge about Temporal Intervals. Commun. ACM, 26(11):832–843, 1983.

[AvB01]

M. Aiello and H. van Benthem. A Modal Walk Through Space. Technical Report PP-2001-23, University of Amsterdam, Institute for Logic, Language, and Computation, 2001.

[BB91]

J. C. M. Baeten and J. A. Bergstra. Real Space Process Algebra. In J. C. M. Baeten and J. F. Groote, editors, CONCUR, volume 527 of LNCS, pages 96–110. Springer, 1991.


[BB92]

J. Baeten and J. Bergstra. Asynchronous Communication in Real Space Process Algebra. In J. Vytopil, editor, FTRTFT ’92, Nijmegen, The Netherlands, volume 571 of LNCS, pages 473–492. Springer, 1992.

[BBD+02]

G. Behrmann, J. Bengtsson, A. David, K. G. Larsen, P. Pettersson and W. Yi. Uppaal Implementation Secrets. In W. Damm and E.-R. Olderog, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems 2002, volume 2469 of LNCS, pages 3–22, 2002.

[BCTH00a]

B. Bennett, A. Cohn, P. Torrini and S. Hazarika. Region-Based Qualitative Geometry. Technical Report 2000.07, School of Computing, University of Leeds, LS2 9JT, UK, 2000.

[BCTH00b]

B. Bennett, A. G. Cohn, P. Torrini and S. M. Hazarika. Describing Rigid Body Motions in a Qualitative Theory of Spatial Regions. In Proceedings of the Seventeenth National Conference on Artificial Intelligence and Twelfth Conference on Innovative Applications of Artificial Intelligence, pages 503–509. AAAI Press / The MIT Press, 2000.

[BCWZ02a]

B. Bennett, A. Cohn, F. Wolter and M. Zakharyaschev. Multi-Dimensional Modal Logic as a Framework for Spatio-Temporal Reasoning. Applied Intelligence, 17(3):239–251, 2002.

[BCWZ02b]

B. Bennett, A. Cohn, F. Wolter and M. Zakharyaschev. Multi-Dimensional Multi-Modal Logics as a Framework for Spatio-Temporal Reasoning. Applied Intelligence, 17(3):239–251, 2002.

[BDL04]

G. Behrmann, A. David and K. G. Larsen. A Tutorial on Uppaal. In M. Bernardo and F. Corradini, editors, Formal Methods for the Design of Real-Time Systems: 4th International School on Formal Methods for the Design of Computer, Communication, and Software Systems, SFM-RT 2004, number 3185 in LNCS, pages 200–236. Springer-Verlag, September 2004.


[BDM+98]

M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis and S. Yovine. Kronos: A Model-Checking Tool for Real-Time Systems. In A. J. Hu and M. Y. Vardi, editors, Proc. 10th International Conference on Computer Aided Verification, Vancouver, Canada, volume 1427 of LNCS, pages 546–550. Springer-Verlag, 1998.

[Ben96]

B. Bennett. Modal Logics for Qualitative Spatial Reasoning. Bulletin of the Interest Group in Pure and Applied Logic (IGPL), 4(1):23–45, 1996. WWW address ftp://ftp.mpi-sb.mpg.de/pub/igpl/Journal/V4-1/index.html.

[Bit01]

F. Bitsch. Safety Patterns - The Key to Formal Specification of Safety Requirements. In U. Voges, editor, SAFECOMP, volume 2187 of LNCS, pages 176–189. Springer, 2001.

[BLR95]

A. Bouajjani, Y. Lakhnech and R. Robbana. From Duration Calculus To Linear Hybrid Automata. In P. Wolper, editor, CAV, volume 939 of LNCS, pages 196–210. Springer, 1995.

[BS95]

P. Blackburn and J. Seligman. Hybrid Languages. Journal of Logic, Language and Information, 4:251–272, 1995.

[Büc60]

J. Büchi. Weak second-order arithmetic and finite automata. Zeitschrift für mathematische Logik und Grundlagen der Mathematik, 6:66–92, 1960.

[BY03]

J. Bengtsson and W. Yi. Timed Automata: Semantics, Algorithms and Tools. In J. Desel, W. Reisig and G. Rozenberg, editors, Lectures on Concurrency and Petri Nets, volume 3098 of LNCS, pages 87–124. Springer, 2003.

[Cai04]

L. Caires. Behavioral and Spatial Observations in a Logic for the pi-Calculus. In I. Walukiewicz, editor, FoSSaCS, volume 2987 of LNCS, pages 72–89. Springer, 2004.

[CC03]

L. Caires and L. Cardelli. A Spatial Logic for Concurrency. Information and Computation, 186(2):194–235, 2003.

[CC04]

L. Caires and L. Cardelli. A spatial logic for concurrency II. Theor. Comput. Sci., 322(3):517–565, 2004.


[CD04]

V. Coulthard and J. Davoren. Spatio-temporal logics for continuous dynamical systems, January 2004.

[CDZG+01]

W. Charatonik, S. Dal-Zilio, A. D. Gordon, S. Mukhopadhyay and J.-M. Talbot. The Complexity of Model Checking Mobile Ambients. In F. Honsell and M. Miculan, editors, FoSSaCS, volume 2030 of LNCS, pages 152–167. Springer, 2001.

[CDZG+03]

W. Charatonik, S. Dal-Zilio, A. D. Gordon, S. Mukhopadhyay and J.-M. Talbot. Model checking mobile ambients. Theor. Comput. Sci., 308(1-3):277–331, 2003.

[CE81]

E. M. Clarke and E. A. Emerson. Design and Synthesis of Synchronization Skeletons Using Branching-Time Temporal Logic. In D. Kozen, editor, Logic of Programs, volume 131 of LNCS, pages 52–71. Springer, 1981.

[CES86]

E. M. Clarke, E. A. Emerson and A. P. Sistla. Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications. ACM Trans. Program. Lang. Syst., 8(2):244–263, 1986.

[CG00a]

L. Cardelli and A. D. Gordon. Anytime, Anywhere: Modal Logics for Mobile Ambients. In POPL 2000, pages 365–377. ACM Press, 2000.

[CG00b]

L. Cardelli and A. D. Gordon. Mobile Ambients. Theor. Comput. Sci., 240(1):177–213, 2000.

[CGP00]

E. Clarke, O. Grumberg and D. Peled. Model Checking. MIT Press, 2000.

[CHLR93]

P. C. Clements, C. L. Heitmeyer, B. G. Labaw and A. T. Rose. MT: A Toolset for Specifying and Analyzing Real-Time Systems. In IEEE Real-Time Systems Symposium, pages 12–22, 1993.

[CL04]

L. Caires and É. Lozes. Elimination of Quantifiers and Undecidability in Spatial Logics for Concurrency. In P. Gardner and N. Yoshida, editors, CONCUR, volume 3170 of LNCS, pages 240–257. Springer, 2004.

[Cra53]

W. Craig. On Axiomatizability Within a System. J. Symb. Log., 18(1):30–32, 1953.

[CT01]

W. Charatonik and J.-M. Talbot. The Decidability of Model Checking Mobile Ambients. In L. Fribourg, editor, CSL, volume 2142 of LNCS, pages 339–354. Springer, 2001.

[CZ97]

A. Chagrov and M. Zakharyaschev. Modal logic. Oxford logic guides. Clarendon Press, Oxford, 1997.

[DD97]

H. Dierks and C. Dietz. Graphical Specification and Reasoning: Case Study “Generalized Railroad Crossing”. In J. Fitzgerald, C. Jones and P. Lucas, editors, FME’97, volume 1313 of LNCS, pages 20–39. Springer-Verlag, 1997.

[Die96a]

C. Dietz. Graphical Formalization of Real-Time Requirements. In B. Jonsson and J. Parrow, editors, FTRTFT, volume 1135 of LNCS, pages 366–384. Springer, 1996.

[Die96b]

C. Dietz. Graphical Formalization of Real-Time Requirements. In B. Jonsson and J. Parrow, editors, Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFT’96) (Uppsala, Sweden), volume 1135 of LNCS, pages 366–385. Springer-Verlag, 1996.

[Die99]

H. Dierks. Specification and Verification of Polling Real-Time Systems. PhD thesis, University of Oldenburg, July 1999.

[Die00]

H. Dierks. PLC-Automata: A New Class of Implementable Real-Time Automata. Theoretical Computer Science, 253(1):61–93, 2000.

[Die05]

H. Dierks. Time, Abstraction and Heuristics – Automatic Verification and Planning of Timed Systems using Abstraction and Heuristics. Habilitation thesis, July 2005.

[DK04]

J. J. Duistermaat and J. A. C. Kolk. Multidimensional Real Analysis II: Integration. Cambridge University Press, 2004.

[DL02]

H. Dierks and M. Lettrari. Constructing Test Automata from Graphical Real-Time Requirements. In Damm and Olderog [DO02], pages 433–454.


[DO02]

W. Damm and E.-R. Olderog, editors. Formal Techniques in Real-Time and Fault-Tolerant Systems, 7th International Symposium, FTRTFT 2002, Co-sponsored by IFIP WG 2.2, Oldenburg, Germany, September 9-12, 2002, Proceedings, volume 2469 of LNCS. Springer, 2002.

[Doe96]

K. Doets. Basic Model Theory. CSLI Publications, Stanford, California, 1996.

[DPS+01]

H. Dierks, M. Pakdaman, L. Salih, A. Schäfer, R. Schumann and T. Toben. Practical course Real-Time Systems: Final report. http://csd.informatik.uni-oldenburg.de/teaching/fp_realzeitsys_ws0001/result/eindex.html, 2001.

[Dut95]

B. Dutertre. Complete Proof Systems for First Order Interval Temporal Logic. In LICS, pages 36–43. IEEE Computer Society, 1995.

[ECS99]

ECSAG. ERTMS/ETCS Functional Requirements Specification. http://www.aeif.org/ccm/default.asp, 1999.

[EFT96]

H. Ebbinghaus, J. Flum and W. Thomas. Mathematical Logic. Undergraduate Texts in Mathematics. Springer, 1996.

[Elg61]

C. Elgot. Decision Problems of Finite Automata Design and Related Arithmetics. Transactions of the American Mathematical Society, 98:21–52, 1961.

[FH05]

M. Fränzle and M. R. Hansen. A Robust Interpretation of Duration Calculus. In D. V. Hung and M. Wirsing, editors, ICTAC, volume 3722 of LNCS, pages 257–271. Springer, 2005.

[FMdR04]

M. Franceschet, A. Montanari and M. de Rijke. Model Checking for Combined Logics with an Application to Mobile Systems. Autom. Softw. Eng., 11(3):289–321, 2004.

[Frä02]

M. Fränzle. Take It NP-Easy: Bounded Model Construction for Duration Calculus. In Damm and Olderog [DO02], pages 245–264.


[Frä04]

M. Fränzle. Model-checking dense-time Duration Calculus. Formal Asp. Comput., 16(2):121–139, 2004.

[Gab99]

D. M. Gabbay. Fibring Logics. Oxford University Press, Oxford, 1999.

[Gal95]

A. Galton. Towards a Qualitative Theory of Movement. In Spatial Information Theory, pages 377–396, 1995.

[GHJV93]

E. Gamma, R. Helm, R. E. Johnson and J. M. Vlissides. Design Patterns: Abstraction and Reuse of Object-Oriented Design. In O. Nierstrasz, editor, ECOOP, volume 707 of LNCS, pages 406–431. Springer, 1993.

[GHJV95]

E. Gamma, R. Helm, R. Johnson and J. Vlissides. Design patterns: elements of reusable object-oriented software. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1995.

[GKWZ03]

D. Gabbay, A. Kurucz, F. Wolter and M. Zakharyaschev. Many-Dimensional Modal Logics: Theory and Applications. Elsevier, 2003.

[Got96]

N. M. Gotts. Using the RCC Formalism to Describe the Topology of Spherical Regions. Technical Report 96.24, School of Computer Studies, University of Leeds, 1996.

[GR97]

D. Giammarresi and A. Restivo. Two-Dimensional Languages. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages – Beyond Words, volume 3, chapter 4, pages 215–267. Springer, 1997.

[Gue98]

D. P. Guelev. A Calculus of Durations on Abstract Domains: Completeness and Extensions. Technical Report 139, UNU/IIST, P.O. Box 3058, Macau, May 1998.

[Han94]

M. R. Hansen. Model-Checking Discrete Duration Calculus. Formal Asp. Comput., 6(6A):826–845, 1994.

[Har83]

D. Harel. Recurring Dominoes: Making the Highly Undecidable Highly Understandable (Preliminary Report). In M. Karpinski, editor, FCT, volume 158 of LNCS, pages 177–194. Springer, 1983.


[Har86]

D. Harel. Effective transformations on infinite trees, with applications to high undecidability, dominoes, and fairness. J. ACM, 33(1):224–248, 1986.

[HC96]

G. E. Hughes and M. J. Cresswell. A New Introduction to Modal Logic. Routledge, 1996.

[Hei98]

C. L. Heitmeyer. On the Need for Practical Formal Methods. In A. P. Ravn and H. Rischel, editors, FTRTFT, volume 1486 of LNCS, pages 18–26. Springer, 1998.

[Hen96]

T. A. Henzinger. The Theory of Hybrid Automata. In LICS, pages 278–292, 1996.

[Hen98]

T. A. Henzinger. It’s About Time: Real-Time Logics Reviewed. In D. Sangiorgi and R. de Simone, editors, CONCUR, volume 1466 of LNCS, pages 439–454. Springer, 1998.

[HESV91]

A. Hsu, F. Eskafi, S. Sachs and P. Varaiya. The Design of Platoon Maneuver Protocols for IVHS. PATH Research Report UCB-ITS-PRR-91-6, University of California at Berkeley, 1991.

[HJJ+95]

J. Henriksen, J. Jensen, M. Jørgensen, N. Klarlund, B. Paige, T. Rauhe and A. Sandholm. Mona: Monadic Second-order logic in practice. In Tools and Algorithms for the Construction and Analysis of Systems, First International Workshop, TACAS ’95, volume 1019 of LNCS, 1995.

[HKPV98]

T. A. Henzinger, P. W. Kopke, A. Puri and P. Varaiya. What’s Decidable about Hybrid Automata? J. Comput. Syst. Sci., 57(1):94–124, 1998.

[HL94]

C. L. Heitmeyer and N. A. Lynch. The Generalized Railroad Crossing: A Case Study in Formal Verification of Real-Time Systems. In IEEE Real-Time Systems Symposium, pages 120–131. IEEE Computer Society, 1994.

[HM05]

J. Hoenicke and P. Maier. Model-Checking of Specifications Integrating Processes, Data and Time. In J. Fitzgerald, I. Hayes and A. Tarlecki, editors, FM 2005, volume 3582 of LNCS, pages 465–480. Springer, 2005.


[HMU01]

J. E. Hopcroft, R. Motwani and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 2001.

[HNSY92]

T. A. Henzinger, X. Nicollin, J. Sifakis and S. Yovine. Symbolic Model Checking for Real-time Systems. In LICS, pages 394–406. IEEE Computer Society, 1992.

[Hoe06]

J. Hoenicke. Combination of Processes, Data, and Time. PhD thesis, University of Oldenburg, 2006.

[HZ97]

M. R. Hansen and Zhou Chaochen. Duration Calculus: Logical Foundations. Formal Aspects of Computing, 9:283–330, 1997.

[HZ04]

M. R. Hansen and Zhou Chaochen. Duration Calculus: A Formal Approach to Real-Time Systems. EATCS: Monographs in Theoretical Computer Science. Springer, 2004.

[Jän94]

K. Jänich. Topology. Springer, Berlin, 1994.

[JHF+94]

Jifeng He, C. A. R. Hoare, M. Fränzle, M. Müller-Olm, E.-R. Olderog, M. Schenke, M. R. Hansen, A. P. Ravn and H. Rischel. Provably Correct Systems. In Langmaack et al. [LdRV94], pages 288–335.

[KBPOB99]

B. Krieg-Brückner, J. Peleska, E.-R. Olderog and A. Baer. The UniForM Workbench, a Universal Development Environment for Formal Methods. In J. Wing, J. Woodcock and J. Davies, editors, FM’99 – Formal Methods, volume 1709 of LNCS, pages 1186–1205. Springer, 1999.

[KF70]

A. Kolmogorov and S. Fomin. Introductory Real Analysis. Dover Publications, New York, 1970.

[KKWZar]

R. Kontchakov, A. Kurucz, F. Wolter and M. Zakharyaschev. Space + Time = ? In van Benthem et al. [vBAPHar].

[Kle00]

C. Kleuker. Constraint Diagrams. PhD thesis, University of Oldenburg, 2000.


[KM01]

N. Klarlund and A. Møller. MONA Version 1.4 User Manual. Technical report, Department of Computer Science, University of Aarhus, January 2001.

[KMS00]

N. Klarlund, A. Møller and M. I. Schwartzbach. MONA Implementation Secrets. In S. Yu and A. Paun, editors, CIAA, volume 2088 of LNCS, pages 182–194. Springer, 2000.

[Koy90]

R. Koymans. Specifying Real-Time Properties with Metric Temporal Logic. Real-Time Systems, 2(4):255–299, 1990.

[Lan97]

S. A. Lang. Introduction to Linear Algebra. Springer, 1997.

[LdRV94]

H. Langmaack, W. P. de Roever and J. Vytopil, editors. Formal Techniques in Real-Time and Fault-Tolerant Systems, Third International Symposium Organized Jointly with the Working Group Provably Correct Systems - ProCoS, Lübeck, Germany, September 19-23, Proceedings, volume 863 of LNCS. Springer, 1994.

[MFR06]

R. Meyer, J. Faber and A. Rybalchenko. Model Checking Duration Calculus: A Practical Approach. In K. Barkaoui, A. Cavalcanti and A. Cerone, editors, 3rd International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 4281 of LNCS, pages 332–346, 2006.

[Mil99]

R. Milner. Communicating and mobile systems: the π-calculus. Cambridge University Press, 1999.

[Mul98]

P. Muller. A Qualitative Theory of Motion Based on Spatio-Temporal Primitives. In A. G. Cohn, L. K. Schubert and S. C. Shapiro, editors, KR’98. Principles of Knowledge Representation and Reasoning, Trento, Italy, pages 131–143. Morgan Kaufmann, 1998.

[Mur94]

R. M. Murray. A Mathematical Introduction to Robotic Manipulation. CRC Press, 1994.

[MWZ03]

S. Merz, M. Wirsing and J. Zappe. A Spatio-Temporal Logic for the Specification and Refinement of Mobile Systems. In M. Pezzè, editor, FASE 2003, Warsaw, Poland, volume 2621 of LNCS, pages 87–1014. Springer, 2003.


[ORS96]

E.-R. Olderog, A. P. Ravn and J. U. Skakkebæk. Refining System Requirements to Program Specifications. In C. Heitmeyer and D. Mandrioli, editors, Formal Methods for Real-Time Computing, volume 5 of Trends in Software, chapter 5, pages 107–134. Wiley, 1996.

[Pan00]

P. Pandya. Specifying and Deciding Quantified Discrete-time Duration Calculus formulae using DCVALID. Technical report, Tata Institute of Fundamental Research, 2000.

[Pan02]

P. K. Pandya. Interval Duration Logic: Expressiveness and Decidability. Electr. Notes Theor. Comput. Sci., 65(6), 2002.

[PAT]

PATH - Program on Advanced Technology for the Highway - Project Homepage. http://www.path.berkeley.edu/.

[PH98]

P. K. Pandya and D. V. Hung. Duration Calculus of Weakly Monotonic Time. In A. P. Ravn and H. Rischel, editors, FTRTFT’98, Lyngby, Denmark, volume 1998 of LNCS, pages 55–64. Springer, 1998.

[Pon01]

M. Pont. Patterns for time-triggered embedded systems: Building reliable applications with the 8051 family of microcontrollers. ACM Press / Addison-Wesley, 2001.

[QS82]

J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in CESAR. In M. Dezani-Ciancaglini and U. Montanari, editors, Symposium on Programming, volume 137 of LNCS, pages 337–351. Springer, 1982.

[QS06]

J.-D. Quesel and A. Schäfer. Spatio-Temporal Model Checking for Mobile Real-Time Systems. In K. Barkaoui, A. Cavalcanti and A. Cerone, editors, Theoretical Aspects of Computing, ICTAC 2006, volume 4281 of LNCS, pages 347–361. Springer, 2006.

[Que05]

J.-D. Quesel. MoDiShCa: Model-Checking discrete Shape Calculus. Minor Thesis, University of Oldenburg, August 2005.


[Ras02]

T. M. Rasmussen. Interval logic. Proof theory and theorem proving. PhD thesis, Informatics and Mathematical Modelling, Technical University of Denmark, DTU, Richard Petersens Plads, Building 321, DK-2800 Kgs. Lyngby, 2002.

[Rav95]

A. Ravn. Design of Embedded Real-Time Computing Systems. Technical report, Dept. Comp. Science, Technical University of Denmark, Bld. 344, DK-2800 Lyngby, 1995.

[RCC92]

D. A. Randell, Z. Cui and A. Cohn. A Spatial Logic Based on Regions and Connection. In B. Nebel, C. Rich and W. Swartout, editors, KR’92., pages 165–176. Morgan Kaufmann, San Mateo, California, 1992.

[RN97]

J. Renz and B. Nebel. On the Complexity of Qualitative Spatial Reasoning: A Maximal Tractable Fragment of the Region Connection Calculus. In IJCAI (1), pages 522–527, 1997.

[RS85]

J. H. Reif and A. P. Sistla. A Multiprocess Network Logic with Temporal and Spatial Modalities. J. Comput. Syst. Sci., 30(1):41–53, 1985.

[Rud64]

W. Rudin. Principles of Mathematical Analysis, page 35. McGraw-Hill, 1964.

[Sch05a]

A. Schäfer. Axiomatisation and Decidability of Multi-Dimensional Duration Calculus. In J. Chomicki and D. Toman, editors, Proceedings of the 12th International Symposium on Temporal Representation and Reasoning, TIME 2005, pages 122–130. IEEE Computer Society, June 2005.

[Sch05b]

A. Schäfer. A Calculus for Shapes in Time and Space. In Z. Liu and K. Araki, editors, Theoretical Aspects of Computing, ICTAC 2004, volume 3407 of LNCS, pages 463–478. Springer, 2005.

[Sch07]

A. Schäfer. Axiomatisation and Decidability of Multi-Dimensional Duration Calculus. Information and Computation, 205(1):25–64, 2007.


[SPC05]

B. Sharma, P. K. Pandya and S. Chakraborty. Bounded Validity Checking of Interval Duration Logic. In N. Halbwachs and L. D. Zuck, editors, TACAS, volume 3440 of LNCS, pages 301–316. Springer, 2005.

[SRH02]

P.-Y. Schobbens, J.-F. Raskin and T. A. Henzinger. Axioms for real-time logics. Theor. Comput. Sci., 274(1-2):151–182, 2002.

[SS94]

J. U. Skakkebæk and N. Shankar. Towards a Duration Calculus Proof Assistant in PVS. In Langmaack et al. [LdRV94], pages 660–679.

[Tap01]

J. Tapken. Model-Checking of Duration Calculus Specifications. PhD thesis, Carl von Ossietzky Universität Oldenburg, 2001.

[Tho97]

W. Thomas. Languages, Automata, and Logic. In G. Rozenberg and A. Salomaa, editors, Handbook of formal languages, volume III, chapter 7, pages 389–455. Springer-Verlag New York, Inc., 1997.

[vBAPHar]

J. van Benthem, M. Aiello and I. Pratt-Hartmann, editors. Handbook of Spatial Reasoning. To appear.

[VC05]

H. Vieira and L. Caires. The Spatial Logic Model Checker User’s Manual. Technical report, Departamento de Informatica, FCT/UNL, 2005. TR-DI/FCT/UNL-03/2004.

[vdBLLD05]

H. van den Bedem, I. Lotan, J.-C. Latombe and A. Deacon. Real-Space Protein-Model Completion: an Inverse-Kinematics Approach. Acta Crystallographica, 61(1):2–13, 2005.

[Ven94]

Y. Venema. Completeness through Flatness in Two-Dimensional Temporal Logic. In D. M. Gabbay and H. J. Ohlbach, editors, ICTL, volume 827 of LNCS, pages 149–164. Springer, 1994.

[Wei00]

K. Weihrauch. Computable Analysis – An Introduction. Springer, 2000.


[WZ03]

F. Wolter and M. Zakharyaschev. Reasoning about distances. In G. Gottlob and T. Walsh, editors, IJCAI-03, Acapulco, Mexico, August 9-15, 2003, pages 1275–1282. Morgan Kaufmann, 2003.

[WZ05]

F. Wolter and M. Zakharyaschev. A logic for metric and topology. Journal of Symbolic Logic, 70(3):795–828, 2005.

[YPD94]

W. Yi, P. Pettersson and M. Daniels. Automatic Verification of Real-Time Communicating Systems By Constraint-Solving. In D. Hogrefe and S. Leue, editors, Proc. of the 7th Int. Conf. on Formal Description Techniques, pages 223–238. North-Holland, 1994.

[ZHR91]

Zhou Chaochen, C. Hoare and A. Ravn. A calculus of durations. IPL, 40(5):269–276, 1991.

[ZHS93]

Zhou Chaochen, M. R. Hansen and P. Sestoft. Decidability and Undecidability Results for Duration Calculus. In P. Enjalbert, A. Finkel and K. W. Wagner, editors, STACS 93, 10th Annual Symposium on Theoretical Aspects of Computer Science, volume 665 of LNCS, pages 58–68, 1993.

[Zor03]

V. A. Zorich. Mathematical Analysis II. Springer, Berlin, 2003.

[Zor04]

V. A. Zorich. Mathematical Analysis. Springer, Berlin, 2004.

[ZRH93]

Zhou Chaochen, A. Ravn and M. Hansen. An Extended Duration Calculus for Hybrid Real-Time Systems. In R. L. Grossman, A. Nerode, A. P. Ravn and H. Rischel, editors, Hybrid Systems, volume 736 of LNCS, pages 36–59. Springer, 1993.


Index

Symbols
(Θn)s: 25
(~ex)T: 24
; (DC-chop): 17
[~ex, ~ey]T: 24
(globally): 18, 37, 64
θ (globally): 37, 64
♦: 18, 37, 64
♦θ (somewhere): 37, 64
ITLn: 147, 148
M (polyhedron): 25
Π (state expressions): 23
(in some subpolyhedron): 37, 65
(in every subpolyhedron): 37, 65
· ↓ (contraction closure): 168
·T: 24
⊢: 36
⊢θ: 36
≡: 35
−→DC: 74
−→~d: 82
⌢: 17
λ1: 103
λ2: 103
⟨·, ·⟩ (scalar product): 31
⟨·⟩ (chop): 30
C: 67

I: 66
N (set of natural numbers): 19
P (powerset): 3
R (set of real numbers): 3, 19
In (unit matrix): 22, 25
T: 66
a: 67
mi,j: 27
|=: 35
|=a: 68
|=DC: 18
|=nI: 35
|=nP: 35
νmax (velocity): 103
⊕ (override): 18
⊗ (fusion): 65
⌈·⌉ (everywhere): 36
⌈·⌉θ (everywhere): 36
⌈⌉ (everywhere): 18
≺i: 160
ψ (angle rate): 103
σ |=WS1S: 189
σ (WS1S valuation): 188
i: 160
Vars: 21
C(X, Y): 66
S: 19
SC(·) (RCC-8 embedding): 71
(·) (erasing): 52


ι(·) (inflate): 58
ζ(·) (cylindric): 59
~ei (unit vector): 22
~et (unit vector, time): 22
~ex (unit vector): 22
~ey (unit vector): 22
~ez (unit vector): 22
~θ.i.: 27
hD→D′: 162
~ein (unit vector in Rn): 22
MoDiShCa: 198
· ~~··: 31
· ~~··: 31
Pn: 25

A
adjunct: 184
ambient calculus: 158
ambient logic: 158
axiomatisability: 139, 140

B
BrickOS: 116

C
car platooning: 111
Change of Variables Theorem: 28, 43, 52, 58
chop: 17, 30
  polyhedron: 30–31
clock: 5
closure: 67
compositionality: 63
constant: 21
contraction closure: 168

D
D−: 160
DC-Implementables: 74, 82, 114


decidability: 139, 140
degree of freedom: 212
determinant: 27
Duration Calculus: 42
  formula: 17
  model checking: 19
  Restricted: 140
  satisfiability: 18
  state expression: 15
  term: 16
  validity: 18, 19

E
equivalence: 35

F
finite variability: 15, 147, 147
Fischer’s Protocol: 6
flexible variable: 148
frame: 65
Fubini’s Theorem: 53
Func: 15, 21
fusion (of modal logics): 11, 65

G
gas burner: 14
globally: 37, 50
GRC: 199

H
Hybrid Automaton: 6

I
I-satisfiable: 35
I-valid: 35
I-validity: 65
implementable
  initialisation: 75
  sequencing: 75
  stability: 75

interior: 66
interpretation
  integrability constraint: 22
Interval Temporal Logic: 147
inverse kinematics: 212
ITL: see Interval Temporal Logic
Int (set of intervals): 17

K
Kronos: 6

L
lead-to operator: 74, 82
Lego Mindstorms: 76, 116
Linear Time Temporal Logic: 157
LTL: see Linear Time Temporal Logic

M
matrix: 21, 27
  orthogonal: 39
mini: 160
mini: 160
modal logic: 64
MoDiShCa: 187, 199
MONA: 188, 189

N
n-hypercube: 34
Necessity-Rule: 37

O
Obs: 15
observable: 15, 20
open set: 67
operator precedence: 36

P
P-satisfiable: 35
P-valid: 35

PATH project: 111
pattern
  cartesian2D: 85, 121
  circle: 93, 125
  cont-move: 89, 112
  distance: 87, 112
  rectangle: 91
  position: 83, 103, 104
π-calculus: 7
PLC: 75
PLC-Automaton: 75, 116
polyhedron: 25
precedence: 36
Pred: 15, 22
Presburger arithmetic: 188
product (of modal logics): 11
PVS: 19

R
RCC: see Region Connection Calculus
RCC relation
  C: 68
  DC: 68, 71
  EC: 68, 71
  EQ: 68, 72
  NTPP: 68, 72
  NTPPi: 72
  PO: 68, 72
  TPP: 68, 72
  TPPi: 72
RCC-8: 9, 66, 157
RDC: 19, 140, 148, 168
  projection: 148
refinement: 73, 73
Region Connection Calculus: 14, 66, 157
regular closed set: 67


Restricted Shape Calculus: 140, 160, 189
Riemann-Integral: 22
rigid: 25, 41
  formula: 33, 48
  term: 26, 38
Road Runner: 2, 102, 114
rotation matrix: 41
RSC: 140, 189, 199

S
S: 21
S4 (modal logic): 14, 64
scalar: 21
scalar product: 31
SCnAlt: 169
SCfin: 160
Shape Calculus: 19
  formula: 31
  Restricted: 140, 160, 189
  Terms: 25
SO: 190
somewhere operator: 37, 50
sort: 21
ST code: 76
state assertion: 23
state expression: 22, 23

T
tautology: 35, 139
Timed Automaton: 5
topological space: 66
trajectory: 15, 20
transformation
  cylindric: 59
  erasing: 52
  inflating: 58
truth relation: 35
type: 21

232

U UniForM . . . . . . . . . . . . . . 2, 75, 203 universe (topological space). . .66 Uppaal . . . . . . . . . . . . . . . . . . . . . . . . 6 V Val (set of valuations) . . . 17, 21 validity . . . . . . . . . . . . . . . . . . . . . . . 35 Var . . . . . . . . . . . . . . . . . . . . . . . . . . 15 vector . . . . . . . . . . . . . . . . . . . . . . . . 21 verification . . . . . . . . . . . . . . . . . . 139 volume . . . . . . . . . . . . . . . . . . . . . . . 36 W Weak Second-Order Logic . . . 187 WS1S (Weak Second-Order Logic) 187

Curriculum Vitae

November 7, 1977    born in Witten, Germany
1997                Abitur
1997 – 1998         alternative national service
1997 – 1998         study of computer science at the Fernuni Hagen
1998 – 2002         continued study of computer science at the Carl-von-Ossietzky University of Oldenburg
January 2002        Diplom (M.S. degree) in Computer Science. Title of the thesis: "Fehlerbaumanalyse und Model-Checking" (Fault Tree Analysis and Model Checking)
since 2002          Research Assistant in the working group of Prof. E.-R. Olderog at the Carl-von-Ossietzky University, Oldenburg
December 20, 2006   defence of the dissertation

Technical Reports
Fakultät II, Department für Informatik, Universität Oldenburg, Postfach 2503, 26111 Oldenburg, Germany

1/87   A. Viereck: "Klassifikationen, Konzepte und Modelle für den Mensch-Rechner-Dialog" (Dissertation)
2/87   A. Schwill: "Forbidden subgraphs and reduction systems: A comparison"
3/87   J. Kämper: "Non-uniform proof systems: A new framework to describe non-uniform and probabilistic complexity classes"
1/88   K. Ambos-Spies, H. Fleischhack, H. Huwig: "Diagonalizing over deterministic polynomial time"
2/88   A. Schwill: "Shortest edge-disjoint paths in geodetically connected graphs"
3/88   V. Claus, U. Lichtblau (eds.): "1. Tagung zur Küsten-Informatik"
1/89   U. van der Valk: "Einige Entscheidbarkeits- und Unentscheidbarkeitsresultate für Klasse von S/T-Netzen unter Maximum Firing Strategie und unter Prioritätenstrategien"
2/89   J. Kämper: "Strukturelle Untersuchungen im Umfeld der Komplexitätsklassen P und NP unter besonderer Berücksichtigung nichtuniformer, probabilistischer und disjunktiv selbstreduzierender Algorithmen" (Dissertation)
3/89   J. Kämper: "Nondeterministic oracle Turing machines with maximal computation paths"
1/90   A. Schwill: "Shortest edge-disjoint paths in graphs" (Dissertation)
2/90   K.R. Apt, E.-R. Olderog: "Using transformations to verify parallel programs"
3/90   U. Lichtblau: "Flußgraphgrammatiken" (Dissertation)
4/90   K.R. Apt, E.-R. Olderog: "Introduction to program verification"
5/90   H. Jasper: "Datenbankunterstützung für Prolog-Programmierumgebungen" (Dissertation)
1/91   F. Korf: "Net-based efficient simulation of AADL specifications"
2/91   S.V. Krishnan, C. Pandu Rangan, A. Schwill, S. Seshadri: "Two disjoint paths in chordal graphs"
3/91   H. Eirund: "Modellierung und Manipulation multimedialer Dokumente" (Dissertation)
4/91   G. Schreiber: "Ein funktionaler Äquivalenzbegriff für den hierarchischen Entwurf von Netzen"
1/92   A. Viereck (ed.): "Ergebnisse der 11. Arbeitstagung, Mensch-Maschine Kommunikation"
2/92   P. Gorny, U. Daldrup, H. Schwab: "Zwischenbilanz: Menschengerechte Gestaltung von Software"
3/92   E.-R. Olderog, St. Rössig, J. Sander, M. Schenke: "ProCoS at Oldenburg: The Interface between Specification Language and occam-like Programming Language"
4/92   F. Korf: "Synthesis of VHDL Test Environments from Temporal Logic Specifications"
5/92   W. Kowalk: "Konstruktorentechnik: Neue Methoden zur Mengenrechnung, Logikrechnung und Intervallrechnung"
1/93   Ch. Dietz, G. Schreiber: "Eine Termdarstellung für S/T-Netze"
2/93   J. Sauer: "Wissensbasiertes Lösen von Ablaufplanungsproblemen durch explizite Heuristiken"
3/93   M. Sonnenschein, U. Lichtblau (eds.): "6. Kolloquium der Arbeitsgruppe Informatik-Systeme"
4/93   H. Fleischhack, U. Lichtblau, M. Sonnenschein, R. Wieting: "Generische Definition hierarchischer zeitbeschrifteter höherer Petrinetze"
5/93   F. Köster, L. Twele, R. Wieting, W. Ziegler: "Fallbeispiele zur Modellierung mit THORNetzen"
1/94   R. Götze: "Dialogmodellierung für multimediale Benutzerschnittstellen"
2/94   B. Müller: "PPO – Eine objektorientierte Prolog-Erweiterung zur Entwicklung wissensbasierter Anwendungssysteme"
3/94   W. Damm, A. Mikschl: "Projekt Entwurf und Implementierung eines Multithreaded RISC-Prozessors"
4/94   S. Rössig: "A Transformational Approach to the Design of Communicating Systems" (Dissertation)
5/94   G. Schreiber: "Funktionale Äquivalenz von Petri-Netzen" (Dissertation)
1/95   A. Gronewold, H. Fleischhack: "Language Preserving Reductions of Safe Petri-Nets"
2/95   H. Reineke: "Struktur und Verhalten von verteilten endlichen Automaten" (Dissertation)
3/95   H. Behrends: "Beschreibung ereignisgesteuerter Aktivitäten in datenbankgestützten Informationssystemen" (Dissertation)
4/95   U. M. Levens: "Computerunterstütztes Modellieren von Musikstücken mit Petri-Netzen: Das Mailänder Konzept"
1/96   M. Burke: "FDDI und ATM in multimedialen Anwendungsumgebungen" (Dissertation)
2/96   I. Pitschke: "Interaktive Rekonstruktion geometrischer Modelle aus digitalen Bildern" (Dissertation)
1/97   L. Bölke: "Ein akustischer Interaktionsraum für blinde Rechnerbenutzer" (Dissertation)
2/97   S. Schöf: "Verteilte Simulation höherer Petrinetze" (Dissertation)
1/98   S. Kleuker: "Inkrementelle Entwicklung von verifizierten Spezifikationen für verteilte Systeme" (Dissertation)
2/98   J. Bohn: "Mechanical Support and Validation of a Design Calculus for Communicating Systems by a Logic-Based Proof System" (Dissertation)
3/98   L. Köhler: "Fuzzy Geometrie und Anwendungen in der medizinischen Bildverarbeitung" (Dissertation)
4/98   J. Helbig: "Linking Visual Formalisms: A Compositional Proof System for Statecharts Based on Symbolic Timing Diagrams" (Dissertation)
5/98   G. Stiege: "Edge Partitions in Undirected Graphs"
6/98   A. Gerns: "Entwicklung und Bewertung von Objektmigrationsstrategien für verteilte Umgebungen"
7/98   M. Stadler: "Abstrakte Rechnernetzmodelle als Grundlage einer umfassenden Automatisierung des Netzmanagements – Konzepte und Sprachen zu ihrer Umsetzung" (Dissertation)
8/98   M.-S. Steiner: "Lastverteilung in heterogenen Systemen"
9/98   Clemens Otte: "Fuzzy-Prototyp-Klassifikatoren und deren Anwendung zur automatischen Merkmalsselektion"
1/99   Juliane Vorndamme: "Die Auswirkungen rechtlicher Verpflichtungen auf die Software-Entwicklung"
2/99   E. Best, K.M. Richter: "Relational Semantics Revisited"
3/99   J. S. Lie: "Einsatz von Objektmigrationssystemen zur Leistungssteigerung in verteilten Systemen"
4/99   Zweijahresbericht des Fachbereichs Informatik (biennial report of the Department of Computer Science)
5/99   Ingo Stierand, Olaf Maibaum, Björn Briel, Günther Stiege: "Cassandra – Generierung, Analyse und Simulation von eingebetteten Multiprozessor-Echtzeitsystemen"
6/99   Gunnar Wittich: "Ein problemorientierter Ansatz zum Nachweis von Realzeiteigenschaften eingebetteter Systeme"
7/99   Annegret Habel, Jürgen Müller, Detlef Plump: "Double-Pushout Graph Transformation Revisited"
8/99   Ingo Stierand: "Eine Konfigurationssprache zur Erstellung von Ambrosia/MP-Systemen"
9/99   Igor V. Tarasyuk: "Equivalences for Concurrent and Distributed Systems"
10/99  Eike Best, Alexander Lavrov: "Generalised Composition Operations for High-Level Petri-Nets"
11/99  Alexander Lavrov: "Enhancing Mixed Nonlinear Optimization: A Hybrid Approach"
12/99  Alexander Lavrov: "Hybrid Techniques in Discrete-Event System Modelling and Control: some Examples"
13/99  Eike Best, Raymond Devillers, Maciej Koutny: "Recursion and Petri Nets"
14/99  Eike Best, Raymond Devillers, Maciej Koutny: "The Box Algebra = Petri Nets + Process Expressions"
15/99  Eike Best, Harro Wimmel: "Reducing k-safe Petri Nets to Pomset-equivalent 1-safe Petri Nets"
16/99  Udo Brockmeyer: "Verifikation von STATEMATE Designs" (Dissertation)
1/00   Henning Dierks: "Specification and Verification of Polling Real-Time Systems" (Dissertation)
2/00   Clemens Fischer: "Combination and Implementation of Processes and Data: from CSP-OZ to Java" (Dissertation)
3/00   Cheryl Kleuker: "Constraint Diagrams" (Dissertation)
4/00   Thomas Thielke: "Linear-algebraische Methoden zur Beschreibung, Verfeinerung und Analyse gefärbter Petrinetze" (Dissertation)
1/01   Günther Stiege: "Higher Decomposition in Undirected Graphs" (Report)
2/01   Ute Vogel: "Zweijahresbericht" (biennial report)
3/01   Josef Tapken: "Model-Checking of Duration Calculus Specifications" (Dissertation)
4/01   Björn Briel: "Analyse eingebetteter Systeme mittels verteilter Simulation" (Dissertation)
5/01   Günther Stiege: "Standard Decomposition and Periodicity of Digraphs" (Report)
6/01   Ingo Stierand: "Ambrosia/MP – Ein Echtzeitbetriebssystem für eingebettete Mehrprozessorsysteme" (Dissertation)
1/02   Giorgio Busatto, Annegret Habel: "Improving the Quality of Hypertexts Using Graph Transformation" (Report)
2/02   Giorgio Busatto: "Modeling Hyperweb Dynamics through Hierarchical Graph Transformation" (Report)
3/02   Giorgio Busatto: "An Abstract Model of Hierarchical Graphs and Hierarchical Graph Transformation" (Dissertation)
4/02   Laila Kabous: "An Object Oriented Design methodology for hard real Time Systems: The OOHARTS approach" (Dissertation)
1/03   Ute Vogel: "Zweijahresbericht" (biennial report)
2/03   Olaf Maibaum: "Bestimmung symbolischer Laufzeiten in eingebetteten Echtzeitsystemen" (Dissertation)
3/03   Günther Stiege, Ingo Stierand: "Connectedness-Based Hierarchical Decomposition of Undirected Graphs" (Report)
4/03   Willi Hasselbring, Susanne Petersen: "Standards für die medizinische Kommunikation und Dokumentation" (Report)
5/03   Andreas Möller: "Eine virtuelle Maschine für Graphprogramme" (Report)
6/03   Tom Bienmüller: "Reducing Complexity for the Verification of Statemate Designs" (Report)
7/03   Sandra Steinert: "Graph Programs for Graph Algorithms" (Report)
8/03   Jochen Klose: "Live Sequence Charts: A Graphical Formalism for the Specification of Communication Behavior" (Dissertation)
1/04   Jens Oehlerking: "Transformation of Edmonds' Maximum Matching Algorithm into a Graph Program" (Report)
2/04   Sergej Alekseev: "Dienste Intelligenter Netze: Graphentheoretische Methoden in der Kontrollflussanalyse" (Report)
3/04   Giorgio Busatto: "GraJ: A System for Executing Graph Programs in Java" (Report)
1/05   Sergej Alekseev: "Ablaufanalyse objektorientierter Echtzeitanwendungen mit graphentheoretischen Methoden" (Dissertation)
2/05   Ute Vogel: "Zweijahresbericht" (biennial report)
3/05   Igor Tarasyuk: "Discrete time stochastic Petri box calculus" (Report)
1/06   Henning Dierks: "Time, Abstraction and Heuristics" (Habilitation)
2/06   Li Sek Su: "Full-Output Siphons and Deadlock-Freeness for Free Choice Petri Nets" (Report)
3/06   Timo Warns: "Solving Consensus Using Structural Failure Models" (Report)
4/06   Sergej Alekseev: "Graphentheoretische Methoden in der Ablaufanalyse objektorientierter Anwendungen" (Dissertation)
5/06   Li Sek Su: "Some Considerations on the Foundation of NP-Completeness Theory" (Report)
6/06   Li Sek Su: "Semitraps and Deadlock-Freeness for Reduced Asymmetric Choice Nets" (Report)
7/06   Li Sek Su: "Algorithms of computing the Deadlock Markings Sets for Petri Nets" (Report)
8/06   Annegret Habel, Karl-Heinz Pennemann, Arend Rensink: "Weakest Preconditions for High-Level Programs (Long Version)" (Report)
9/06   Jochen Hoenicke: "Combination of Processes, Data, and Time" (Dissertation)
10/06  Steffen Becker, Marco Boscovic, Abhishek Dhama, Simon Giesecke, Jens Happe, Wilhelm Hasselbring, Heiko Koziolek, Henrik Lipskoch, Roland Meyer, Margarethe Muhle, Alexandra Paul, Jan Ploski, Matthias Rohr, Mani Swaminathan, Timo Warns, Daniel Winteler: "Trustworthy Software Systems: A Discussion of Basic Concepts and Terminology" (Report)
11/06  Christian Zuckschwerdt: "Ein System zur Transformation von Konsistenz- in Anwendungsbedingungen" (Report)
1/07   Andreas Schäfer: "Specification and Verification of Mobile Real-Time Systems" (Dissertation)