MODEL REDUCTION OF DISCRETE REALTIME SYSTEMS
by
Mark Stephen Lawford
A thesis submitted in conformity with the requirements for the Degree of Doctor of Philosophy Graduate Department of Electrical and Computer Engineering University of Toronto
© Copyright by Mark Stephen Lawford, 1997
For my parents
Abstract

In many Discrete-Event Systems (DES) both state and event information are of importance to the systems designer. To obtain compositionally consistent hierarchical models of systems, the behavior of Discrete-Event Systems with unobservable transitions and state output maps is considered. Observers for deterministic DES are generalized to nondeterministic DES and characterized using the join semilattice of compatible partitions of a transition system. This characterization points to efficient algorithms for computing both strong and weak state-event observers as solutions to the Relational Coarsest Partition problem (RCP). The strong and weak observation equivalences of Milner are shown to be special cases of our observers under the trivial (constant) state output map. The state-event equivalence based upon the observers is shown to be a congruence for a parallel composition operator, allowing the replacement of modules by their quotient systems.

Logics such as Ostroff's RTTL allow for the specification and verification of a system's state-event behavior. To make realistic problems amenable to analysis, a designer must typically decompose the system into subsystems (modules) and use algebraic abstraction (quotient systems) to obtain hierarchical system models that preserve the properties to be verified. In this thesis we use state-event observational equivalence to perform compositionally consistent model reduction for a subclass of formulas of state-event linear temporal logics, with particular attention to a discrete time temporal logic that is a simplification of RTTL. The reduction technique allows limited use of immediate operators. In the process, we develop a method of specifying modules' input/output behavior by defining observable satisfaction for RTTL-style temporal logics. The results are applied to the shutdown system of a nuclear reactor.
Acknowledgments

My supervisor, Prof. Murray Wonham, helped to shape this thesis from beginning to end with his extraordinary knowledge, insight and particular mathematical vision. Prof. Jonathan Ostroff got me rolling by asking, "So how do you compute these observers for finite state systems?" He later provided constructive criticism of the model reduction results and kindly made York University's computing facilities available to me, thus making possible the computational results for the example application. Thanks to all my friends who are, or were, in the University of Toronto Systems Control Group for thoughtful discussions and moral support, especially when my life went nonlinear. Kai Wong's expert knowledge of aggregation provided the counterexample in Figure 3.1. Financial support during my graduate studies has been generously provided by the Natural Sciences and Engineering Research Council of Canada (NSERC) and the University of Toronto through NSERC Scholarships and U of T Open Fellowships. Finally, my family has encouraged me from the beginning in this endeavor and helped me throughout in ways too numerous to mention here.
Contents

1 Introduction  1
  1.1 Setting and Issues  2
  1.2 Related Work  4
    1.2.1 Algebraic Equivalence Verification  4
    1.2.2 Temporal Logic, Model-Checking and Model Reduction  6
  1.3 Contributions  8

2 Preliminaries  11
  2.1 Notation and Mathematical Preliminaries  11
    2.1.1 Products, Projections and Equalizers  12
    2.1.2 Properties of Functional Operators  14
  2.2 System Models  18
    2.2.1 Timed Transition Models  19
    2.2.2 TTM Semantics  21
    2.2.3 State-Event Labeled Transition Systems  27
  2.3 State Observers for a Class of Deterministic LTS  38

3 Observers for State-Event Labeled Transition Systems  41
  3.1 Strong State-Event Observers  42
    3.1.1 Compatible Partitions  42
    3.1.2 Computation of Strong State-Event Observers  44
    3.1.3 Strong Quotient Systems and Homomorphisms  46
  3.2 Weak State-Event Observers  55
  3.3 Example: The Weak State-Event Observer of a Simple Real-Time System  65
  3.4 Compositional Consistency  68
    3.4.1 Strong Compositional Consistency  69
    3.4.2 Weak Compositional Consistency  76
  3.5 Summary  80

4 Model Reduction of Modules for State-Event Temporal Logics  82
  4.1 A Simple Real-Time State-Event Temporal Logic  87
    4.1.1 Computations of SELTS  88
    4.1.2 Temporal Logic of State-Event Sequences  89
  4.2 Strong State-Event Model Reduction  92
  4.3 Weak State-Event Model Reduction  94
    4.3.1 Weakly Observed Computations  94
    4.3.2 Weak Satisfaction  99
    4.3.3 State-Event Stuttering-Invariance and Model Reduction  100
  4.4 Model Reduction of TTM Modules  103
  4.5 Summary  117

5 Design and Verification of an Industrial Real-time Controller  119
  5.1 The Delayed Reactor Trip System  120
    5.1.1 Setting and Assumptions  121
    5.1.2 Modeling the Delayed Reactor Trip Specification  123
    5.1.3 Modeling the Microprocessor DRT Implementation  126
    5.1.4 The Verification Problem in Terms of TTM Modules  128
  5.2 Model Checking the DRT  129
    5.2.1 Modeling the Reactor  130
    5.2.2 Model-Checking Details  132
    5.2.3 Verification of System Response  133
    5.2.4 Verification of System Recovery  138
  5.3 Model-Checking Concurrent Controllers  141
  5.4 Summary  145

6 Conclusions  148
  6.1 Limitations and Future Research  149

A Equivalence Preserving Transformations of TTMs  152
  A.1 Equivalence of TTMs  152
  A.2 Observation Equivalence  158
  A.3 Equivalence Preserving Transformations  161
  A.4 Limitations of Transformations  165

B Equivalence Verification of the DRT  167
List of Figures

2.1 Commutative diagram defining h = eq(f1, f2), the equalizer of f1 and f2  13
2.2 An example of a simple TTM  23
2.3 The transition graph format of a TTM  25
2.4 RG2 representing the legal trajectories of TTM M in Figure 2.2  29
2.5 SELTS for timed behavior of u and v  32
2.6 General synchronous product can create nondeterminism  34
2.7 State-event synchronous product of Q1 and Q2 for a given interface I  36
2.8 Commutative diagram relating the event synchronous (‖s) and state-event synchronous (‖I) compositions  38

3.1 Compatible partitions are closed under ∨ but not ∧  43
3.2 Graphical interpretation of a SELTS homomorphism  48
3.3 Commutative diagram for an SELTS homomorphism  49
3.4 State-event equivalent SELTS quotient systems that are not isomorphic  53
3.5 Commutative diagram for the diamond property of SELTS homomorphisms  54
3.6 Commutative diagram for the transitivity of the SELTS homomorphism definition of strong state-event equivalence  55
3.7 Example illustrating that the observational closure operator is many-to-one  62
3.8 Example TTM M  65
3.9 SELTS generated by TTM M  66
3.10 ker(P) and the resulting weak observer for the SELTS generated by TTM M  67
3.11 Weak quotient system generated by the weak observer  68
3.12 Commutative diagram for Corollary 3.27  71
3.13 Commutative diagram for Corollary 3.27  73
3.14 Commutative diagram for Lemma 3.28  73
3.15 Observational closure fails to distribute over synchronous product  77

4.1 Counterexample to converse of Lemma 4.5  93
4.2 Q1 and Q2 strongly state-event equivalent but P1(M(Q1)) ≠ P2(M(Q2))  97
4.3 SELTS for M1 ‖ M2  104
4.4 SELTS generated by M1 and M2 and their composition synchronizing on tick and the values of y, z  104
4.5 SELTS for augmented TTMs M̂1, M̂2  106

5.1 Block Diagram for the DRT System  121
5.2 Analog Implementation of the DRT System  122
5.3 Pseudocode for Proposed DRT Control Program  124
5.4 SPEC: TTM Representation of DRT Specification  125
5.5 PROG: TTM Representation of Pseudocode for DRT  127
5.6 PLANT := RELAY ‖ OUTPUT, TTM model of the plant  130
5.7 RES, TTM Observer for FRes used in creating untimed formula F'Res  135
5.8 Input sequence generating a counterexample to FRes  136
5.9 REC, TTM Observer for FRec used in creating untimed property F'Rec  139
5.10 PLANTshn := RELAYn ‖ OUTPUTsh, TTM models for plants with sample and hold on outputs  147

A.1 Simple TTM M := ⟨V, Θ, T⟩  154
A.2 The LTS reachability tree for M  155
A.3 TM restricted to {y, z} = r(M), the restricted LTS for M  155
A.4 Commutative Diagram for Induced Operation Function  156
A.5 Strong Equivalence Example  159
A.6 Illustrating the need for a weaker equivalence  160
A.7 An example of Transition Addition/Transition Deletion  161
A.8 Activity Merge/Activity Split  163
A.9 A Problem with the Rename Transition Transformation  164
A.10 Wait Merge/Wait Split  165

B.1 TTM for PROG1  168
B.2 TTM for PROG2  169
B.3 TTM for PROG3  169
B.4 TTM for PROG5  170
B.5 TTM for PROG8  172
B.6 TTM for PROG12  173
List of Tables

5.1 Summary of model checking results of System Response property F'Res for control ‖ plant  136
5.2 Summary of model checking results of Initialized System Response property F'IRes for control ‖ plant  137
5.3 Summary of model checking results for System Recovery property F'Rec for control ‖ plant  140
5.4 Summary of model checking control ‖ plant and control1 ‖ control2 ‖ plant2  143
5.5 Summary of model-checking control1 ‖ plantsh, control1 ‖ control2 ‖ plantsh2 and control1 ‖ control2 ‖ control3 ‖ plantsh3  145
List of Symbols

Symbol            Page  Description
N                 11    Set of natural numbers
Z                 11    Set of integers
Q1 \ Q2           11    Subset difference of Q1 and Q2
                  11    Complement of Q1 with respect to Q2
Eq(Q)             12    Set of equivalence relations of set Q
                  12    inf(Eq(Q)) and sup(Eq(Q))
ker(P)            12    Equivalence kernel of function P
P(Q)              13    Power set of the set Q
Q1 × Q2           12    Product of sets Q1 and Q2
                  13    Canonical projections associated with the product
                  13    Canonical projection A' ↦ A' ∩ B
eq(f1, f2)        13    Equalizer of f1 and f2
idQ               14    Identity map on the set Q
g ∘ f             14    Functional composition
                  14    Lifting of function f to the power set level
                  15    Disjoint union of f1 and f2
f1 ∪ f2           16    Union of functions
f1 × f2           16    Functional product
                  17    Setwise functional product
M, M1, M2         19    Timed Transition Models (TTMs)
V, Θ, T           19    TTM variable set, initial condition and transition set
Q                 19    Set of state assignments of a TTM
QV                22    Set of state assignments over the variable set V
                  30    Set of extended state assignments of a TTM
                  25    Set of transition labels appearing in transition set T
M1 ‖ M2           25    Parallel composition of TTMs
Q, Q1, Q2         27    State-Event Labeled Transition Systems (SELTS)
                  27    Event set of a SELTS
R                 27    Set of transition relations associated with the event set
                  27    Transition function for an event in a SELTS
RangeM(c)         30    Reduced range space for c in TTM M
                  30    SELTS generated by TTM M
PQV1              31    Canonical projection from QV to QV1 for V1 ⊆ V
r(Q)              31    r relabeling of SELTS
Q1 ‖s Q2          33    Event synchronous composition of SELTS
I                 35    SELTS interface
Q1 ‖I Q2          35    State-event synchronous composition of SELTS
Con(Q)            38    Set of congruences of the deterministic SELTS Q
                  39    Quotient system of Q by a congruence/compatible partition
CP(Q)             42    Compatible partitions of Q
                  44    Strong state-event observer of Q
Q1 ∪ Q2           47    Union of SELTS
                  47    Strong state-event equivalence
h: Q1 → Q2        48    SELTS homomorphism from Q1 to Q2
                  56    Unobservable move from q to q'
                  57    Observable move from q to q'
                  58    Observational closure of Q
                  60    Weak state-event observer
                  60    Weak observation equivalence
                  61    Weak quotient system of Q by the weak observer
                  88    The event set extended with the "null" event
                  88    Next transition variable
                  88    Computation, a state-event sequence
| |               88    Length of a computation
                  90    k-shifted suffix of a computation
M(Q)              88    Set of computations of Q
⊨                 90    Temporal logic satisfaction relation
U, U[l,u]         91    Temporal logic "next", "until" and "bounded until" operators
◇, □              90    Temporal logic "eventually" and "henceforth" operators
P                 90    Strongly observed projection of computations
                  92    Weakly observed projection of computations
                  96    Weak satisfaction relation
m, m1, m2         99    TTM modules
I, I1, I2         107   TTM module interfaces
M̂                107   Augmented TTM of a module m := (M, I)
                  109   SELTS generated by the TTM module m
m1 ‖ m2           112   TTM module composition
Chapter 1

Introduction

Does this real-time control system do what we want?

With the widespread use of computers in control applications, this is becoming an increasingly common question. Systems of previously unprecedented ability and complexity are fast becoming commonplace. The space shuttle and "fly-by-wire" F-16 jet fighter spring to mind as examples of systems that would not be possible without computer control. These new systems are also creating an unprecedented potential for catastrophic failures due to software errors. For example:

- In 1987 a cancer treatment machine subjected a patient to a lethal dose of radiation. The machine at fault was a new computer-controlled version of the original machine, which had relied upon mechanical interlocks. A software bug caused the new machine's shielding mechanism to disengage if the machine operator made rapid corrections to the machine's settings using a particular method [Lee91].
- In January 1990 a software failure in a single Manhattan computerized telephone switch put almost half of AT&T's US long distance network out of service for almost 9 hours [Lee91].
- On June 4, 1996, the maiden flight of the Ariane 5 launcher ended in failure when, less than 40 seconds after takeoff, the launcher veered off its flight path, broke up and exploded. The cause was traced to the software for the Inertial Reference System. Estimated loss: $500 million [Lio96].
The goal of this thesis is to provide a mathematical basis for the development and verification of real-time discrete event systems that will aid in answering the above question. The development of the theoretical results contained herein was driven by the practical considerations of solving a particular controller software verification problem. Although the author was originally motivated by a specific problem, these concepts are applicable to a wide range of real-time discrete event systems, as the original problem captures many of the general issues involved.
1.1 Setting and Issues

A discrete event system (DES) is a physical system that is discrete (in time and state space), asynchronous (event rather than clock-driven), and in some sense generative (or nondeterministic). An event in a DES can be thought of as an indivisible action that occurs when the system instantaneously changes from one discrete state to another. For example, for most purposes a relay can be adequately modeled as a system with the two discrete states, OPEN and CLOSED. When the relay is switched, it makes an instantaneous transition from one of these states to the other.

Concurrency is one of the key features of DES. Most complex systems are composed of several interacting components or "modules". The two most common semantics for interacting DES are interleaving and maximal parallelism. In interleaving semantics, concurrent execution of two DES modules is represented by the interleaving of their atomic actions, while maximal parallelism requires the simultaneous execution of atomic actions in all system modules capable of performing an operation. The maximal parallelism semantics is generally applied to tightly coupled systems such as integrated circuits with a common clock. Interleaving semantics are generally thought to be more natural for modeling loosely coupled systems such as real-time control systems that react to changes in the plant under control. Therefore we will confine ourselves to interleaving semantics.

For either choice of concurrency semantics, the state space for a composite system is usually represented by the cross product of the state sets of the individual components. As a result, the complete system's state space may grow exponentially with the number of interacting components. This is commonly referred to as the state explosion problem. In the absence of any hierarchical organization, seemingly modest discrete event systems quickly scale beyond what the designer can intuitively understand or verify, even with the aid of a computer.

A real-time discrete event system is a DES that must meet hard timing deadlines in order to ensure its correct operation. An example of such a system is a nuclear reactor shutdown system that has the requirement, "Within 2 seconds of the reactor pressure exceeding the maximum allowable limit, open the trip relay to shut down the reactor." To model such systems we will use a combined state-event and discrete time setting. While it is possible to represent systems using only state information or only event information, there are many applications where the use of both state and event information is quite natural and may aid a designer's intuition. In the state-event setting that we propose, the use of labeled transition relations permits the application of synchronous composition operators, thereby allowing interacting modules to perform synchronous execution of shared events such as ticks of a global discrete clock [Ost89]. The tick events provide concurrent systems with a uniform notion of time, without the restrictiveness of clock driven models like [EMSS92] where one transition is one time step, limiting the method to single processor systems. An example of the use of tick events is Ostroff's RG2 graphs [Ost89] that are employed for model-checking Real-Time Temporal Logic (RTTL) properties. RG2 graphs use event information to reduce infinite state timed systems to finite state systems while preserving the relative timing of state changes and event outputs through the use of "tick" transitions.
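The following Python script is an added illustration of the setting just described and is not code from the thesis. It composes two toy modules, a plant whose pressure can exceed its limit and a trip controller, by a synchronous product that executes shared events (the global tick and the pressure alarm) in lock-step and interleaves private events, then checks the bounded-response requirement "relay open within 2 ticks of the pressure exceeding its limit" by explicit exploration of the product. The module names, events, the deliberately slow controller and the bound are constructed for the example; the check is a plain explicit-state search with a tick counter, not Ostroff's RTTL model-checker, and the reachable-state counts show how the product state space is built.

```python
"""Synchronous product of event-labelled modules with a shared tick, plus an
explicit-state check of a bounded-response requirement.  Constructed example;
the modules are toy models, not the thesis's TTMs."""
from collections import deque
from itertools import product

TICK = "tick"

# A module: initial state and a set of (source, event, target) transitions.
# PLANT: the pressure may spontaneously exceed its limit (event "hi").
PLANT = {"init": "normal",
         "trans": {("normal", "hi", "high"),
                   ("normal", TICK, "normal"),
                   ("high", TICK, "high")}}

# GOOD_CTRL trips the relay one tick after the alarm; "hi" and "tick" are shared.
GOOD_CTRL = {"init": "idle",
             "trans": {("idle", "hi", "armed"), ("idle", TICK, "idle"),
                       ("armed", TICK, "delay"), ("delay", "trip", "open"),
                       ("open", TICK, "open")}}

# SLOW_CTRL (constructed bug) lets three ticks pass before tripping.
SLOW_CTRL = {"init": "idle",
             "trans": {("idle", "hi", "armed"), ("idle", TICK, "idle"),
                       ("armed", TICK, "d1"), ("d1", TICK, "d2"),
                       ("d2", TICK, "d3"), ("d3", "trip", "open"),
                       ("open", TICK, "open")}}

def alphabet(module):
    return {e for _, e, _ in module["trans"]}

def successors(module, state):
    """event -> set of next states from `state` (nondeterminism allowed)."""
    out = {}
    for s, e, t in module["trans"]:
        if s == state:
            out.setdefault(e, set()).add(t)
    return out

def compose(modules):
    """Reachable synchronous product under interleaving semantics: an event in
    several modules' alphabets fires only when every such module can take it
    (so a shared tick advances all clocks together); a private event moves one
    module alone.  Returns (initial product state, {state: {(event, next)}})."""
    alphas = [alphabet(m) for m in modules]
    init = tuple(m["init"] for m in modules)
    graph, todo = {}, deque([init])
    while todo:
        cur = todo.popleft()
        if cur in graph:
            continue
        graph[cur] = set()
        succ = [successors(m, q) for m, q in zip(modules, cur)]
        for e in set().union(*(s.keys() for s in succ)):
            owners = [i for i, a in enumerate(alphas) if e in a]
            if any(e not in succ[i] for i in owners):
                continue  # a participant blocks the shared event
            choices = [succ[i][e] if i in owners else {cur[i]} for i in range(len(cur))]
            for nxt in product(*choices):
                graph[cur].add((e, nxt))
                todo.append(nxt)
    return init, graph

def check_bounded_response(init, graph, trigger, goal, bound):
    """Every `trigger` must be followed by a state satisfying `goal` before
    more than `bound` ticks elapse.  Returns None if this holds on every
    path, otherwise the event sequence of a violating path (shortest first)."""
    start = (init, None)                      # (product state, ticks pending)
    parent = {start: None}
    todo = deque([start])
    while todo:
        state, pending = todo.popleft()
        for e, nxt in sorted(graph[state]):
            p = pending
            if e == trigger and p is None:
                p = 0                         # obligation raised
            elif e == TICK and p is not None:
                p += 1                        # one time unit elapsed
            if p is not None and goal(nxt):
                p = None                      # obligation discharged
            if p is not None and p > bound:
                trace = [e]
                while parent[(state, pending)] is not None:
                    (state, pending), ev = parent[(state, pending)]
                    trace.append(ev)
                return trace[::-1]
            if (nxt, p) not in parent:
                parent[(nxt, p)] = ((state, pending), e)
                todo.append((nxt, p))
    return None

def analyse(controller, bound=2):
    """(number of reachable product states, counterexample or None)."""
    init, graph = compose([PLANT, controller])
    relay_open = lambda s: s[1] == "open"
    return len(graph), check_bounded_response(init, graph, "hi", relay_open, bound)

if __name__ == "__main__":
    print(analyse(GOOD_CTRL))
    print(analyse(SLOW_CTRL))
```

Because `tick` is in both alphabets, a controller state with no outgoing tick (such as `delay`) forces its private `trip` to happen before the clock advances, which is the same urgency idea the thesis obtains from TTM lower and upper time bounds. The counterexample returned for the slow controller is the event sequence a model-checker would hand back to the designer.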
While it has been suggested that discrete time models are inherently inaccurate [ACD90], they are sufficiently accurate in many instances, particularly when dealing with digital control systems that sample their inputs (e.g. [LW95]). In [LW95] the authors argue that discrete time models such as Ostroff's Timed Transition Models (TTMs) [Ost89] allow for a straightforward application of well known process algebraic equivalences such as observation (bisimulation) equivalence from Milner's CCS [Mil89]. On the other hand, continuous time extensions of CCS such as [Wan91] lack the abstracting power of a congruence relation like weak observation congruence [Mil89] because of technical difficulties associated with their continuous time semantics. Also, continuous time models are too discriminating in many cases. Typically the behavior of digital control systems depends only on the state of the plant at the sampling instants, regardless of precisely when state changes occur between samples.

The addition of event information is also crucial for performing synchronous composition of systems and thereby performing supervisory control through the disablement of controllable events [RW87]. The ability to perform supervisory control provides a means of modifying an existing module's behavior to meet a new specification and opens up the possibility of exploiting the synthesis techniques of the supervisory control community (e.g. [RW87, ZW90, LW90, BW94]).
1.2 Related Work

In this section we outline algebraic equivalence verification and temporal logic model reduction, two of the main approaches that have been developed to address the state explosion problem. Both of these methods are further developed in the thesis using an approach based upon the belief that if you get the algebra "right," then "good things" will happen. In this vein we first rigorously develop an algebraic equivalence that is appropriate for equivalence verification in our real-time setting and then see how quotient systems with respect to our equivalence can be used for compositional temporal logic model reduction. The example at the end of the thesis illustrates the mutually beneficial relationship that can exist between equivalence verification and temporal logic model reduction.
1.2.1 Algebraic Equivalence Verification

For well over a decade computer specialists have been looking at the problem of formally verifying the "equivalence" of a system implementation and a system specification. Two of the most influential theories in this area have been Hoare's Communicating Sequential Processes (CSP) [Hoa85] and Milner's Calculus of Communicating Systems (CCS) [Mil80, Mil89]. These theories along with others are now often collectively referred to as Process Algebra. Process algebra models discrete event systems by using algebraic equations to describe the behavior of processes that communicate via synchronized actions. Equations can be constructed that model finite state automata and even some infinite state transition structures. Operations are then defined that allow the equations to be combined to build larger, more complicated systems. The algebraic properties of the process equations and operations are studied to determine when, in a well defined sense, two processes can be considered equivalent. The notion of equivalence is chosen in such a way that equivalent processes can then be substituted for each other, resulting in the construction of behaviorally equivalent systems. In [Mil89], the author establishes the equivalence of several example system implementations and their specifications using a set of equational laws.

A visual method was introduced in [FG89] for checking the reachability of a class of extended timed Petri nets. The net approach and the provision of net transformations led to a graph-based method of verification. As in [Ost89], the problem of constructing equivalent abstract real-time systems from a given system model was not considered. In the same spirit as [FG89], [LW95] develops a set of easily applicable, and demonstrably correct, transformations that preserve system equivalence, and lend themselves to abstraction, in the setting of TTMs. A developer need not be familiar with observation equivalence or process algebra to be able to use the simple set of visual transformations to prove that a system correctly implements its specification in a well defined way.
In addition to the transformational methods of equivalence verification identified above, computational methods exist for the verification of process algebraic equivalences on finite state systems [KS83, BC89, BCM92]. Computational tools for equivalence verification can confirm the equivalence of a system specification and its implementation, but they generally provide little information of use to the system designer when the verification fails. This is in contrast to the temporal logic model-checkers discussed below. A model-checker typically demonstrates the failure of a system to satisfy a temporal logic specification by generating a counterexample computation which can then help the designer to correct the system.
1.2.2 Temporal Logic, Model-Checking and Model Reduction

In the case of equivalence verification, the implementation and system specification are modeled using the same technique: automata, process algebraic equations, TTMs, etc. In temporal logic model-checking, logic formulas are used to specify the desired behavior of the implementation model or "program." Just as predicate logic permits reasoning about states, so temporal logic permits reasoning about sequences of states. The temporal logics in common use for formal verification can usually be classified as either linear time or branching time. Linear Temporal Logics such as [MP92] and its real-time derivative RTTL [Ost89] express properties of the set of infinite paths that can be generated from an initial state. In addition to safety properties that express the fact that no path ever reaches a set of "bad" states, linear temporal logics can also express fairness properties regarding the eventuality of certain states (e.g. "Henceforth if the reactor pressure exceeds its maximum allowable value in the current state, then eventually in a future state the relay will be OPEN"). In addition to safety properties, branching time temporal logics such as the Computational Tree Logic (CTL) [CE81, ES84] allow one to express properties of a state such as the existence of a path to another state satisfying a desirable property (e.g. "There exists a path from the current state to a state where the relay is OPEN").

For finite state systems one can "model-check" a temporal formula. The global state transition graph of the system is represented as a Kripke structure, a state transition graph with a state output map that maps each state to the set of atomic predicates satisfied by the state. A model-checking algorithm can then be used to determine if a program's Kripke structure is a valid model of (i.e. satisfies) a specification expressed as a temporal logic formula (e.g. [CE81, LP85, CES86]). With recent advances in computing power and data structures, model-checking techniques such as [McM92] have proven effective for some very large systems [BCM92]. The largest of these systems typically come from the digital hardware domain and have a great deal of regularity in their state transition structure that can be exploited by the symbolic techniques to obtain compact representations of large systems. If one wishes to model-check large concurrent systems lacking in regularity, larger digital hardware systems, or simply to reduce the computation time required for the model-check, one must perform some sort of model reduction to cope with the state explosion problem.

In model reduction one starts out with a system for which one would like to verify (model-check) formulas from a particular set of formulas or class of temporal formulas that are of interest. To facilitate the verification process or, in some cases, render the problem tractable, a reduced model is obtained such that, if the reduced model satisfies the temporal formulas under investigation, then the original system satisfies the temporal formulas. One of the first results on model reduction came from the use of the Process Algebra "strong observation" equivalence of [Mil80] to generate property preserving quotient systems [BFH+92]. In [Kai96], [KV91], and [KV92], Kaivola et al. develop a compositional model reduction technique using an equivalence based upon the process algebraic "failure equivalence" of [Hoa85]. This model reduction technique allows for the reduction of modules before they are composed in an effort to control the state explosion problem before it appears. In a similar vein we will define an algebraic equivalence relation to perform compositional model reduction, but we will apply it to a real-time setting.

In response to the need for formal methods with visual appeal, Ostroff et al.
have introduced Timed Transition Models [Ost89, OW90]; but the Real-Time Temporal Logic on which the proof and verification system is based is quickly overwhelmed by the state explosion problem inherent in composite discrete systems. No method was provided for moving between levels of abstraction of real-time models to allow model reduction or behavioral comparison of two TTMs. Such flexibility would enable one to project out extraneous details to obtain high-level TTM models or, conversely, to refine high level TTM specifications into workable implementations. While [Law92, LW95] provided a means of abstraction for TTMs through equivalence preserving transformations, no effort was made to deal with the compositional aspects of TTMs. Also, the heuristic methods developed in these works require the active participation and insight of the systems designer in the verification process and are somewhat restrictive in the abstractions that they permit. By obtaining an algebraic characterization of the equivalence of [Law92, LW95], we will be able to provide computationally efficient algorithms for equivalence verification of finite state systems and extend the results to the verification of composite systems using model reduction and RTTL model-checking.
1.3 Contributions

Research on discrete-event systems (DES) has led to renewed appreciation of control architecture, decentralized and hierarchical decomposition, for the effective modeling of large systems. In theoretical treatment, such architectural features are brought in through standard algebraic constructs, namely unions, products and quotient structures of the state sets involved. Inasmuch as architecture amounts to decomposition of information transfer and decision making, the systemic notions of observation and observer are fundamental. These find their algebraic setting in lattices of equivalence relations (partitions), and the associated sublattices of congruences with respect to the dynamic flow. Thus in approaching any new class of state transition structures, a first item of business is to clarify the algebraic structure of observers (congruences) along with their computational complexity. Because, in general, equivalence is undecidable, these issues tend to be both nontrivial and of practical interest.

We begin the contributions of this thesis by generalizing previous observers, well known (under various guises) in either the control or process algebra literature, to a unified construct that we call a state-event observer. In this treatment both state changes and output events (or event signals) are assigned equal status, thus allowing a flexible modeling approach to DES in which both state and event-based control are equally natural.

We recall the duality of states and events. Event-based models include most process-algebraic theory derived from [Mil80], [Mil89] and [Hoa85], as well as control-theoretic approaches such as [ZW90], [WW92] and [Won94]. States are really only viewed as a way of keeping track of what sequences of events have been executed and what future events are possible. Quotient structure is induced by projection of languages. In [FZ91], state outputs are used solely to provide additional information for the control of events; quotient structure is not considered. On the other hand in [Won76, Har87, GF91], state structure is preeminent, and behavior is treated as sequences of states or groups of states. For instance statecharts [Har87, BH93] offer a visual representation (nested boxes and arrows) of state set decomposition via nested products and disjoint unions, in principle to arbitrary depth. Of course the transition structure and control must admit compatible decomposition for the method to be computationally attractive, and to admit quotient structures induced by suitable state-transition homomorphisms.

In many applications both state occupancy and event sequencing are important, and so we need quotients with respect to both. One instance is Timed Transition Models (TTMs) [Ost89, OW90], which express behavior such as: "Do only when y = 2 for 3 or more 'ticks' of the clock." In [Law92, LW92] the authors adapted to TTMs the event-based observation equivalence of [Mil89] by projecting TTM states (the state assignments of [Ost89]) to their factors defined by selected subsets of data variables. Observable events are just those TTM state changes that affect the variables in question, and the event labels themselves are "projected out". The class of projections for which a quotient can be defined was severely restricted; but we shall show how this situation can be improved on.
In Chapter 3 we introduce strong and weak stateevent observers for StateEvent Labeled Transition Systems (SELTS) (the underlying model of many DES formalisms DeN87] including, as we will see, TTMs)% state output maps and event projections play symmetric roles. Our observers (congruences) induce consistent highlevel ab9
stractions (quotients) so that, just as in ZW90], control designed at the abstract level can be consistently implemented at the detailed (`realworld') level. The development of strong observers and their quotient systems parallels the results on indistinguishability of nite transition systems in Arn94]. On the basis of KS83, PT87, BC89] we are able to appeal to e cient polynomialtime algorithms for computing our observers on nitestate SELTS. We then investigate the algebraic properties of stateevent equivalence, obtaining results on minimum state realizations of equivalent systems and compositional consistency. These results then form the basis of the applications of stateevent equivalence to model reduction for temporal logic modelchecking of Chapter 4. There we use stateevent observational equivalence to perform compositional model reduction for a subclass of formulas of stateevent linear temporal logics, with particular attention being paid to a discrete time temporal logic that is a simpli cation of RTTL. In Chapter 5 we apply the theory of the previous chapters in an eort to answer the question, \Does this realtime control system do what we want?" for the realtime control system that originally motivated the author's investigation of formal methods. The Delayed Reactor Trip (DRT) control system exhibits many of the distinguishing characteristics of realtime discrete event systems. To operate correctly the implementation must meet hard realtime deadlines in response to inputs from the plant. For a simple shutdown system, it displays surprisingly complex behavior, and the
nal implementation incorporating 3 redundant controllers exhibits the characteristic state explosion at the implementation level. Preliminary results applying compositional modelchecking to the DRT illustrate compositional model reduction's potential for handling the state explosion problem and also demonstrate the technique's limitations.
10
Chapter 2
Preliminaries

In this chapter we introduce notation and concepts that will be used throughout the thesis. Subsequent theoretical chapters are relatively self-contained in that they rely upon different additional mathematical concepts. Each chapter introduces any additional mathematical concepts and notation as required to obtain the main results of the chapter.

2.1 Notation and Mathematical Preliminaries

In this thesis we use $\mathbb{Z}$ and $\mathbb{N}$ to denote the set of integers and the set of natural numbers ($\{0, 1, 2, \ldots\}$) respectively. We will use "iff" as an abbreviation of "if and only if." We also require some basic set notation. Let $Q_1$ and $Q_2$ be sets. If $Q_2 \subseteq Q_1$ then we define $Q_1 - Q_2 := \{q \in Q_1 : q \notin Q_2\}$. For two arbitrary sets $Q$ and $Q'$, we define $Q \setminus Q' := Q - (Q \cap Q')$. The cardinality of the set $Q$ will be denoted by $|Q|$. When $Q$ is a countably infinite set we will write $|Q| = \omega$.

Let $Q$ be a set and $S \subseteq Q \times Q$ be a binary relation. Then $S$ is an equivalence relation if $S$ satisfies the following three conditions:
(i) Reflexivity: $(\forall q \in Q)\ (q, q) \in S$,
(ii) Symmetry: $(\forall q, q' \in Q)\ (q, q') \in S$ implies $(q', q) \in S$,
(iii) Transitivity: $(\forall q, q', q'' \in Q)\ (q, q') \in S \wedge (q', q'') \in S$ implies $(q, q'') \in S$.

Denote the set of all equivalence relations on $Q$ by $\mathrm{Eq}(Q)$. Any function $P : Q \to R$ induces an equivalence relation $\ker(P) \in \mathrm{Eq}(Q)$, the equivalence kernel of $P$, given by
$$(q_1, q_2) \in \ker(P) \text{ if and only if } P(q_1) = P(q_2).$$
Similarly, any $\pi \in \mathrm{Eq}(Q)$ defines a canonical output map $\pi : Q \to Q/\pi$, which projects each $q \in Q$ onto its cell (equivalence class). $\mathrm{Eq}(Q)$ becomes a complete lattice under the operations $\wedge, \vee$ when we define:
(i) $(q, q') \in \pi_1 \wedge \pi_2$ iff $(q, q') \in \pi_1$ and $(q, q') \in \pi_2$;
(ii) $(q, q') \in \pi_1 \vee \pi_2$ iff $(\exists q_1, q_2, \ldots, q_n \in Q)$ such that $(q_i, q_{i+1}) \in \pi_1$ or $(q_i, q_{i+1}) \in \pi_2$ for $i = 1, \ldots, n-1$, and $q = q_1$ and $q' = q_n$.

A basic result of universal algebra is that when each $\pi \in \mathrm{Eq}(Q)$ is associated with the partition of $Q$ corresponding to the cells of $\pi$, the lattice of equivalence relations is isomorphic to the poset lattice of partitions of $Q$ with the partial order $\pi_1 \le \pi_2$ iff each cell of $\pi_1$ is a subset of a cell of $\pi_2$. Thus we can talk interchangeably about equivalence relations and partitions. When talking about partitions, $\pi_1 \wedge \pi_2 \in \mathrm{Eq}(Q)$ ($\pi_1 \vee \pi_2$) is the coarsest (finest) partition finer (coarser) than both $\pi_1$ and $\pi_2$ [BS81]. We will denote the trivial partitions $\{\{q\} : q \in Q\} = \inf(\mathrm{Eq}(Q))$ and $\{Q\} = \sup(\mathrm{Eq}(Q))$ by $\bot$ and $\top$ respectively.
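As an added illustration of the lattice just described (example code written for this section, not part of the thesis), the following computes equivalence kernels, the meet and join of two partitions, and the finer-than order on a constructed six-element set $Q$. The set $Q$ and the output maps P1 and P2 (parity and integer division by 3) are this example's own choices.

```python
# Added example (not the thesis's own code): the lattice Eq(Q) of equivalence
# relations, handled as partitions. The set Q and the maps P1, P2 are constructed.

def kernel(P, Q):
    """ker(P): the partition of Q whose cells are the fibres {q : P(q) = r}."""
    cells = {}
    for q in Q:
        cells.setdefault(P(q), set()).add(q)
    return frozenset(frozenset(c) for c in cells.values())

def pairs(pi):
    """The equivalence relation (set of pairs) corresponding to partition pi."""
    return {(a, b) for c in pi for a in c for b in c}

def is_equivalence(S, Q):
    """Reflexivity, symmetry and transitivity of a relation S given as a set of pairs."""
    reflexive = all((q, q) in S for q in Q)
    symmetric = all((b, a) in S for (a, b) in S)
    transitive = all((a, d) in S for (a, b) in S for (c, d) in S if b == c)
    return reflexive and symmetric and transitive

def meet(pi1, pi2):
    """pi1 ^ pi2: q and q' are related iff related in both, so the cells are the
    non-empty pairwise intersections of cells."""
    return frozenset(c1 & c2 for c1 in pi1 for c2 in pi2 if c1 & c2)

def join(pi1, pi2, Q):
    """pi1 v pi2: the transitive closure of 'related in pi1 or in pi2',
    computed with union-find over Q."""
    parent = {q: q for q in Q}

    def find(q):
        while parent[q] != q:
            parent[q] = parent[parent[q]]
            q = parent[q]
        return q

    for pi in (pi1, pi2):
        for cell in pi:
            first, *rest = cell
            for q in rest:
                parent[find(q)] = find(first)
    cells = {}
    for q in Q:
        cells.setdefault(find(q), set()).add(q)
    return frozenset(frozenset(c) for c in cells.values())

def finer(pi1, pi2):
    """pi1 <= pi2 in the partition lattice: every cell of pi1 lies in a cell of pi2."""
    return all(any(c1 <= c2 for c2 in pi2) for c1 in pi1)

# A constructed example: Q = {0,...,5}, P1 = parity, P2 = integer division by 3.
Q = frozenset(range(6))
pi1 = kernel(lambda q: q % 2, Q)     # {{0,2,4}, {1,3,5}}
pi2 = kernel(lambda q: q // 3, Q)    # {{0,1,2}, {3,4,5}}
bottom = kernel(lambda q: q, Q)      # finest partition: all singletons
top = kernel(lambda q: 0, Q)         # coarsest partition: {Q}

if __name__ == "__main__":
    print(sorted(map(sorted, meet(pi1, pi2))))     # [[0, 2], [1], [3, 5], [4]]
    print(sorted(map(sorted, join(pi1, pi2, Q))))  # [[0, 1, 2, 3, 4, 5]]
```

The plain union of the two relations is not itself transitive (0 and 4 are related through P1, 0 and 1 through P2, but 4 and 1 through neither), which is why the join is computed as a closure rather than a union of pair sets; `is_equivalence` makes that failure visible.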
2.1.1 Products, Projections and Equalizers

In this subsection we borrow some basic category-theoretic definitions and notation. The interested reader is referred to [AM75] for a complete treatment of category theory. Given two sets $A$ and $B$, we define the product of $A$ and $B$ to be the standard Cartesian product:
$$A \times B := \{(a, b) : a \in A \text{ and } b \in B\}.$$
With any product we associate two special maps, the elementwise projections:
$$\pi_1 : A \times B \to A,\ (a, b) \mapsto a \qquad\qquad \pi_2 : A \times B \to B,\ (a, b) \mapsto b$$
For a set $A$, we define the power set of $A$ to be $\mathcal{P}(A) := \{A' : A' \subseteq A\}$. In addition to the two projections associated with a product, we will find it convenient to talk about the canonical projection from the power set $\mathcal{P}(A)$ of $A$ to itself that results from intersection with a set $B$:
$$\pi_B : \mathcal{P}(A) \to \mathcal{P}(A),\qquad A' \mapsto A' \cap B \quad \text{for } A' \subseteq A.$$
In talking about the synchronous composition of systems with shared variables, we will find it convenient to identify the subset of a domain that "equalizes" two functions. In category theory, this set has the abstract, arrow theoretic characterization given below.

Definition 2.1 (cf. [AM75]) A map $h : B \to A$ is an equalizer iff there exists a pair of maps $f_i : A \to R$, $i = 1, 2$, such that $f_1 \circ h = f_2 \circ h$ and such that whenever $h' : B' \to A$ satisfies $f_1 \circ h' = f_2 \circ h'$, there exists a unique map $B' \to B$ whose composite with $h$ is $h'$. In this situation we call $h$ the equalizer of $f_1$ and $f_2$, and write $h = \mathrm{eq}(f_1, f_2)$.

Figure 2.1: Commutative diagram defining $h = \mathrm{eq}(f_1, f_2)$, the equalizer of $f_1$ and $f_2$ (objects $B$, $A$, $R$ and $B'$; arrows $h : B \to A$, $f_1, f_2 : A \to R$ and $h' : B' \to A$).

Given any $f_1, f_2$ as above, because we are dealing with the category of sets, $\mathrm{eq}(f_1, f_2)$ will always exist (see [AM75]). In fact we can take $B := \{a \in A : f_1(a) = f_2(a)\}$ and let $h : B \to A$ be the injection $a \mapsto a$. Henceforth we will use $\mathrm{eq}(f_1, f_2)$ to denote both the injection into $A$ and the set $\{a \in A : f_1(a) = f_2(a)\}$. The intended meaning of $\mathrm{eq}(f_1, f_2)$ should be clear from the context.
2.1.2 Properties of Functional Operators

Throughout the thesis we will use several operators to combine functions to create new functions. Here we introduce the operators and establish some of their basic properties that will be used in proofs of results in subsequent chapters. It will often be useful to talk about the identity map on a set. Henceforth we will denote the identity map on a set $Q$ by $\mathrm{id}_Q : Q \to Q$ (i.e. $q \mapsto q$). Given two maps (functions) $f : Q_1 \to Q_2$ and $g : Q_2 \to Q_3$ such that the codomain of the first is the domain of the second, we define the composite function $g \circ f : Q_1 \to Q_3$ to be the function $q_1 \mapsto g(f(q_1))$. We call $\circ$ the functional composition operator. Any function $f : Q_1 \to Q_2$ induces a function at the power set level, $\hat{f} : \mathcal{P}(Q_1) \to \mathcal{P}(Q_2)$. For $Q \subseteq Q_1$, $\hat{f}(Q) := \{f(q) : q \in Q\}$. We call $\hat{f}$ the lifting of $f$ and refer to $\hat{\ }$ as the lifting operator. Since the lifting of a function applies the original function to each element of a subset of the original function's domain, any $\hat{f}$ distributes over set union.

Claim 2.2 Given $f : Q_1 \to Q_2$ and subsets $Q, Q' \subseteq Q_1$. Then $\hat{f}(Q \cup Q') = \hat{f}(Q) \cup \hat{f}(Q')$.

Proof:
$$\begin{aligned}
\hat{f}(Q \cup Q') &= \{f(q) : q \in Q \cup Q'\} \\
&= \{f(q) : q \in Q \text{ or } q \in Q'\} \\
&= \{f(q) : q \in Q\} \cup \{f(q) : q \in Q'\} \\
&= \hat{f}(Q) \cup \hat{f}(Q') \qquad \Box
\end{aligned}$$

Now that we have the composition and lifting operators it seems logical to consider whether the lifting operator distributes over the functional composition operator. The next claim proves that this is in fact the case.

Claim 2.3 Given functions $f : Q_1 \to Q_2$ and $g : Q_2 \to Q_3$, $\widehat{(g \circ f)} = \hat{g} \circ \hat{f}$.

Proof: Let $Q \subseteq Q_1$. Then
$$\begin{aligned}
\hat{g} \circ \hat{f}(Q) &= \hat{g}(\{f(q) : q \in Q\}) \\
&= \{g(q') : q' \in \{f(q) : q \in Q\}\} \\
&= \{g \circ f(q) : q \in Q\} \\
&= \widehat{(g \circ f)}(Q)
\end{aligned}$$
$\Box$

On occasion we will find it convenient to talk about various types of unions of functions as a notational convenience. The simplest form of functional union is the disjoint union. Given functions $f_1 : Q_1 \to R_1$ and $f_2 : Q_2 \to R_2$, if $Q_1 \cap Q_2 = \emptyset$ then we define the disjoint union of $f_1$ and $f_2$ to be the function $f_1 \mathbin{\dot\cup} f_2 : Q_1 \mathbin{\dot\cup} Q_2 \to R_1 \mathbin{\dot\cup} R_2$ such that for $q \in Q_1 \mathbin{\dot\cup} Q_2$:
$$f_1 \mathbin{\dot\cup} f_2(q) := \begin{cases} f_1(q) & q \in Q_1 \\ f_2(q) & q \in Q_2 \end{cases}$$
What we will call the "union of functions" is a more restricted operator. Suppose we have two functions with the same domain and codomain, where the codomain is closed under the operation of union (e.g. a codomain of $\mathcal{P}(Q)$). Then the value of the union of the functions on an element of the domain is simply the union of the evaluations of each function. More formally, given functions $f_i : Q \to R$ for $i = 1, 2$, if for any $r_1, r_2 \in R$ we have $r_1 \cup r_2 \in R$, then we define the union of $f_1$ and $f_2$, $f_1 \cup f_2 : Q \to R$, to be the function such that $q \mapsto f_1(q) \cup f_2(q)$.

Claim 2.4 Given functions $f_i : Q \to \mathcal{P}(R)$ for $i = 1, 2$, $g : R \to S$ and $h : Q_1 \to Q$.
(i) $\hat{g} \circ (f_1 \cup f_2) = (\hat{g} \circ f_1) \cup (\hat{g} \circ f_2)$
(ii) $(f_1 \cup f_2) \circ h = (f_1 \circ h) \cup (f_2 \circ h)$

Proof: (i) Follows immediately from Claim 2.2 and the definition of functional union. For (ii), let $q_1 \in Q_1$. Then
$$\begin{aligned}
[(f_1 \cup f_2) \circ h](q_1) &= f_1(h(q_1)) \cup f_2(h(q_1)) \\
&= (f_1 \circ h)(q_1) \cup (f_2 \circ h)(q_1) \\
&= [(f_1 \circ h) \cup (f_2 \circ h)](q_1) \qquad \Box
\end{aligned}$$
Thus (ii) is demonstrated.

A functional operator that we will use in the definition of synchronous product of systems later in this chapter is the product operator. For functions $f_1 : Q_1 \to R_1$ and $f_2 : Q_2 \to R_2$, we define the product of $f_1$ and $f_2$ to be the function $f_1 \times f_2 : Q_1 \times Q_2 \to R_1 \times R_2$ such that $(q_1, q_2) \mapsto (f_1(q_1), f_2(q_2))$. The following claim demonstrates that the order in which product and composition operators are applied is irrelevant.

Claim 2.5 Given functions $f_i : Q_i \to R_i$ and $g_i : R_i \to S_i$ for $i = 1, 2$. Then $(g_1 \times g_2) \circ (f_1 \times f_2) = (g_1 \circ f_1) \times (g_2 \circ f_2)$.

Proof: Let $q_1 \in Q_1$ and $q_2 \in Q_2$. Then
$$\begin{aligned}
(g_1 \times g_2) \circ (f_1 \times f_2)(q_1, q_2) &= g_1 \times g_2(f_1(q_1), f_2(q_2)) \\
&= (g_1(f_1(q_1)), g_2(f_2(q_2))) \\
&= (g_1 \circ f_1(q_1), g_2 \circ f_2(q_2)) \\
&= (g_1 \circ f_1) \times (g_2 \circ f_2)(q_1, q_2) \qquad \Box
\end{aligned}$$
as required.
We now define a variation of the functional product called the setwise functional product operator. The new operator will allow us to obtain an alternative functional characterization of synchronous product so that we may use arrow theoretic methods for proving properties of homomorphisms. Given $f_1 : Q_1 \to \mathcal{P}(R_1)$ and $f_2 : Q_2 \to \mathcal{P}(R_2)$, define the setwise functional product of $f_1$ and $f_2$ to be the function
$$f_1 \mathbin{\tilde\times} f_2 : Q_1 \times Q_2 \to \mathcal{P}(R_1 \times R_2) \quad \text{such that} \quad (q_1, q_2) \mapsto f_1(q_1) \times f_2(q_2).$$
Thus if $R_i' \subseteq R_i$ and $f_i(q_i) = R_i'$ for $i = 1, 2$ then $f_1 \mathbin{\tilde\times} f_2(q_1, q_2) = R_1' \times R_2' = \{(r_1, r_2) : r_1 \in R_1' \text{ and } r_2 \in R_2'\}$ while $f_1 \times f_2(q_1, q_2) = (R_1', R_2')$. We can extend the setwise product operator to handle functions that range over elements instead of sets. For example with $f_1$ as above, if $f_2 : Q_2 \to R_2$ then define $f_1 \mathbin{\tilde\times} f_2(q_1, q_2) = f_1(q_1) \times \{f_2(q_2)\}$. Next we present two specialized results regarding the composition of functional products and setwise functional products. These equalities will be used in proofs concerning the composition of equivalent systems in Section 3.4.

Claim 2.6 Given functions $\delta_i : Q_i \to \mathcal{P}(Q_i)$, $h_i : Q_i \to R_i$ and $\delta_i' : R_i \to \mathcal{P}(R_i)$ for $i = 1, 2$. Then
(i) $\widehat{(h_1 \times h_2)} \circ (\delta_1 \mathbin{\tilde\times} \delta_2) = (\hat{h}_1 \circ \delta_1) \mathbin{\tilde\times} (\hat{h}_2 \circ \delta_2)$
(ii) $(\delta_1' \mathbin{\tilde\times} \delta_2') \circ (h_1 \times h_2) = (\delta_1' \circ h_1) \mathbin{\tilde\times} (\delta_2' \circ h_2)$

Proof:
(i) Let $q_1 \in Q_1$ and $q_2 \in Q_2$. Then
$$\begin{aligned}
\widehat{(h_1 \times h_2)} \circ (\delta_1 \mathbin{\tilde\times} \delta_2)(q_1, q_2) &= \widehat{(h_1 \times h_2)}(\delta_1(q_1) \times \delta_2(q_2)) && \text{by Def. of } \tilde\times \\
&= \widehat{(h_1 \times h_2)}(\{(q_1', q_2') : q_1' \in \delta_1(q_1) \text{ and } q_2' \in \delta_2(q_2)\}) \\
&= \{(h_1 \times h_2)((q_1', q_2')) : q_1' \in \delta_1(q_1) \text{ and } q_2' \in \delta_2(q_2)\} && \text{by Def. of } \hat{\ } \\
&= \{(h_1(q_1'), h_2(q_2')) : q_1' \in \delta_1(q_1) \text{ and } q_2' \in \delta_2(q_2)\} && \text{by Def. of } \times \\
&= \{(r_1, r_2) : r_1 \in \hat{h}_1 \circ \delta_1(q_1) \text{ and } r_2 \in \hat{h}_2 \circ \delta_2(q_2)\} \\
&= \hat{h}_1 \circ \delta_1(q_1) \times \hat{h}_2 \circ \delta_2(q_2) \\
&= (\hat{h}_1 \circ \delta_1) \mathbin{\tilde\times} (\hat{h}_2 \circ \delta_2)(q_1, q_2) && \text{by Def. of } \tilde\times
\end{aligned}$$
Thus (i) is proved.
(ii) For any $q_1 \in Q_1$ and $q_2 \in Q_2$:
$$\begin{aligned}
(\delta_1' \mathbin{\tilde\times} \delta_2') \circ (h_1 \times h_2)(q_1, q_2) &= (\delta_1' \mathbin{\tilde\times} \delta_2')(h_1(q_1), h_2(q_2)) && \text{by Def. of } \times \\
&= \delta_1'(h_1(q_1)) \times \delta_2'(h_2(q_2)) && \text{by Def. of } \tilde\times \\
&= (\delta_1' \circ h_1)(q_1) \times (\delta_2' \circ h_2)(q_2) && \text{by Def. of } \circ \\
&= (\delta_1' \circ h_1) \mathbin{\tilde\times} (\delta_2' \circ h_2)(q_1, q_2) && \text{by Def. of } \tilde\times \qquad \Box
\end{aligned}$$
Thus (ii) is proved.
2.2 System Models

In this section we introduce the mathematical models that will be used to describe Discrete Event Systems (DES) throughout the thesis. Timed Transition Models will be used as high level representations of systems that motivate the state-event approach taken in this work. The State-Event Labeled Transition Systems (SELTS) described later will be used as our underlying model of a Discrete Event System (DES).

2.2.1 Timed Transition Models

Ostroff's original work on Timed Transition Models [Ost89] centered around the use of Real Time Temporal Logic to verify that controlled systems met certain real-time specifications. No work was done on hierarchical or abstract representation of complex low level systems. In this subsection we introduce a modified version of the Timed Transition Models (TTMs) employed in [OW90]. We drop the Real Time Temporal Logic (RTTL) assertion language, although we still use the infinite string semantics it required. To simplify matters, the initial condition is limited to specifying a unique initial state instead of (possibly) multiple initial states. Originally transitions' operation functions were required to be deterministic but we allow nondeterministic operation functions to allow the modeling of external behavior by TTM modules. The examples of this and subsequent chapters demonstrate that in this format TTMs provide a concise way of describing state-event transition structures representing real-time systems.

A Timed Transition Model (TTM) $M$ is a triple given by
$$M := \langle V, \Theta, T \rangle$$
where $V$ is a set of variables, $\Theta$ is an initial condition (a boolean-valued expression in the variables), and $T$ is a finite set of transitions.

$V$ always includes two special variables: the global time variable $t$ and an activity variable which we will usually denote by $x$. For $v \in V$ the range space of $v$ is $\mathrm{Range}(v)$ (e.g. $\mathrm{Range}(t) = \mathbb{N}$ where $\mathbb{N} := \{0, 1, 2, \ldots\}$). We define $Q$, the set of state assignments of $M$, to be the product of the ranges of the variables in $V$. That is
$$Q := \prod_{v_i \in V} \mathrm{Range}(v_i)$$
For a state assignment $q \in Q$ and a variable $v \in V$, we will denote the value of $v$ in state assignment $q$ by $q(v)$ where $q(v) \in \mathrm{Range}(v)$. When we wish to distinguish between state assignments over different variable sets, we will use the variable set as a subscript (i.e. the set of state assignments over $V$ will be denoted $Q_V := \prod_{v_i \in V} \mathrm{Range}(v_i)$).

$T$ is the transition set. A transition is a labeled 4-tuple $\alpha := (e_\alpha, h_\alpha, l_\alpha, u_\alpha)$ where $\alpha$ is the transition's label. With a slight abuse of notation, we will then refer to the transition by its label (e.g. $\alpha \in T$). Whether $\alpha$ is meant to refer to the labeled 4-tuple or the transition's label itself should be clear from the context. In the above $e_\alpha$ is the transition's enablement condition (a boolean valued expression in the variables of $V$), $h_\alpha$ is the operation function, and $l_\alpha \in \mathrm{Range}(t) = \mathbb{N}$ and $u_\alpha \in \mathbb{N} \cup \{\infty\}$ are the lower and upper time bounds respectively, with $l_\alpha \le u_\alpha$. We say that $\alpha$ is enabled when $q(e_\alpha) = true$. The (possibly nondeterministic) operation function $h_\alpha : Q \to \mathcal{P}(Q)$ maps the current state assignment to the set of new state assignments that are possible next states when the transition occurs. If $h_\alpha(q) = \emptyset$ then an $\alpha$ transition is not possible from $q$. $T$ always contains the special transition $tick$,
$$tick := (true, [t : t + 1], -, -)$$
which represents the passage of time on the global clock. $tick$ is the only transition that affects the time variable $t$ and also has no lower or upper time bound. All other transition time bounds are given relative to numbers of occurrences of $tick$. $\Theta$ is the initial condition, a boolean valued expression in the variables of $V$ that is used to identify a unique initial state of the system.
2.2.2 TTM Semantics

A trajectory of a TTM is any infinite string of the TTM state assignments connected by transitions, of the form $q_0 \xrightarrow{\tau_0} q_1 \xrightarrow{\tau_1} q_2 \xrightarrow{\tau_2} \cdots$. The interpretation is that $q_i$ goes to $q_{i+1}$ via the transition $\tau_i$. A state trajectory $q_0 \xrightarrow{\tau_0} q_1 \xrightarrow{\tau_1} q_2 \xrightarrow{\tau_2} \cdots$ is a legal trajectory of a TTM $M$ if it meets the following four requirements:
1. Initialization: The initial state assignment satisfies the initial condition ($q_0(\Theta) = true$, i.e. $q_0$ satisfies $\Theta$ and hence is the unique initial state assignment).
2. Succession: For all $i$, $q_{i+1}$ is obtained from $q_i$ by applying the operation function of $\tau_i$ ($q_{i+1} \in h_{\tau_i}(q_i)$) and $\tau_i$ is enabled in state assignment $q_i$ (i.e. $q_i(e_{\tau_i}) = true$).
3. Ticking: The clock must tick infinitely often. That is, there are an infinite number of transitions $\tau_i = tick$. This eliminates the possibility of "clock stoppers" in the trajectory where an infinite number of non-tick transitions occur consecutively without being interleaved with any ticks. This would imply that the TTM is performing an infinite number of actions in a finite time.
4. Time Bounds: To determine if the trajectory satisfies the time bound requirements of the TTM $M$, we associate with each non-tick transition $\alpha$ a counter variable $c_\alpha$ with $\mathrm{Range}(c_\alpha) = \mathbb{N}$. Each transition's counter is initially set to zero and is reset to zero after an $\alpha$ transition or a transition that enters a new state assignment where $\alpha$ is disabled (i.e. $e_\alpha = false$). The counter is only incremented by the occurrence of a $tick$ transition when $\alpha$ is enabled ($e_\alpha = true$). Any non-tick transition $\alpha$ can legally occur only when its counter is in the region specified by the transition's time bounds (i.e. $l_\alpha \le c_\alpha \le u_\alpha$). The upper time bounds on transitions represent hard time bounds by which time the transitions are guaranteed to occur. Thus if $\alpha$'s counter reaches its upper time bound, then it is forced to occur before the next tick of the clock unless it is preempted by another non-tick transition that disables $\alpha$ (and hence resets $\alpha$'s counter). Hence for a $tick$ transition to legally occur, every enabled transition $\alpha$ must have a counter value less than its upper time bound ($c_\alpha < u_\alpha$).

We now formalize the above description. For the TTM $M := \langle V, \Theta, T \rangle$, we will denote the set of transition counters by $C := \{c_\alpha : \alpha \in T - \{tick\}\}$. We then obtain the TTM's underlying state set $\bar{Q} := Q \times \mathbb{N}^{C}$, the set of extended state assignments. From the trajectory we derive the full trajectory $\bar{q}_0 \xrightarrow{\tau_0} \bar{q}_1 \xrightarrow{\tau_1} \bar{q}_2 \xrightarrow{\tau_2} \cdots$, where each $\bar{q}_i \in \bar{Q}$ is obtained from the trajectory as follows:
- For all $v \in V$, $\bar{q}_i(v) = q_i(v)$.
- For all $c_\alpha \in C$, $\bar{q}_0(c_\alpha) = 0$ and for $i = 0, 1, 2, \ldots$
$$\bar{q}_{i+1}(c_\alpha) = \begin{cases} \bar{q}_i(c_\alpha) + 1 & \text{if } q_i(e_\alpha) = true \text{ and } \tau_i = tick \\ 0 & \text{if } q_{i+1}(e_\alpha) = false \text{ or } \tau_i = \alpha \\ \bar{q}_i(c_\alpha) & \text{otherwise} \end{cases}$$
The trajectory satisfies the time bounds of $M$ iff the following two conditions hold in the full trajectory for all $i = 0, 1, \ldots$:
(i) $\tau_i = tick$ iff for all $\alpha \in T - \{tick\}$, $q_i(e_\alpha) = true$ implies $\bar{q}_i(c_\alpha) < u_\alpha$.
(ii) $\tau_i = \alpha$, $\alpha \in T - \{tick\}$ iff $l_\alpha \le \bar{q}_i(c_\alpha) \le u_\alpha$.
A condition equivalent to (i) is that for all $c_\alpha \in C$, $\bar{q}_i(c_\alpha) \le u_\alpha$.

Note that any loop of transitions in a TTM (a sequence of transitions starting and ending in the same activity) must have at least one transition with a nonzero upper time bound. Otherwise, once the first transition of the loop is enabled, our transition rules could possibly force an infinite number of non-tick transitions to occur without being interleaved by an infinite number of ticks.

As a small example, consider the TTM $M := \langle V, \Theta, T \rangle$ shown in Figure 2.2. The full enablement conditions for the transitions should also include conditions that enable the transitions only when the TTM is in activities that they exit in the transition diagram. For instance in the case of $\gamma$, the full enablement condition is $e_\gamma := v \ge 0 \wedge (x = a \vee x = b)$. When describing TTM transitions we will usually
$M$: transition diagram over the activities $a$, $b$, $c$, $d$, $e$, with
$$V := \{u, v, t, x\}$$
$$\Theta := u = 0 \wedge v = 1 \wedge x = a$$
$$T := \{\ \alpha := (u \ge 0, [u : u + v], 0, 2),\quad \beta := (true, [u : u + 1, v : v - 1], 2, \infty),\quad \gamma := (v \ge 0, [\,], 2, 2),\quad tick := (true, [t : t + 1], -, -)\ \}$$
Figure 2.2: An example of a simple TTM
omit these activity variable conditions since they are obvious from the transition diagram. From the above discussion it is apparent that the definition of a transition such as $\gamma \in T$ can result in several arrows with the same label in a TTM transition graph. To allow us to distinguish between a transition and the arrows that it defines in a transition diagram, we will call the arrows in the transition diagram instances of the transitions they are labeled by. In the example TTM $M$, there is an instance of transition $\gamma$ exiting activity $a$ and another instance exiting activity $b$. Finally, the special transition $tick$ is declared to be in $T$ and may be omitted from future listings of transition sets.

In writing out the operation functions of the transitions of $M$ we employ a version of Ostroff's assignment format. When a transition occurs, the new value of the activity variable $x$ is obtained from the transition diagram. The other variables that are affected by the transition are listed in the form
$$[v_1 : expr_{11}, v_2 : expr_{12}, \ldots, v_n : expr_{1n};\ v_1 : expr_{21}, v_2 : expr_{22}, \ldots, v_n : expr_{2n};\ \ldots;\ v_1 : expr_{k1}, v_2 : expr_{k2}, \ldots, v_n : expr_{kn}]$$
with the interpretation that variables $v_1$ to $v_n$ are assigned the new values given by the simultaneous evaluations of expressions $expr_{i1}$ to $expr_{in}$ respectively for some choice of $i = 1, \ldots, k$. Semicolons are used to separate different possible assignments of the variables in the next state when the operation function is nondeterministic. If the operation function is deterministic then no semicolons occur in the assignment format. The operation function acts as the identity on variables not listed in the assignment statement. For instance $h_\alpha := [u : u + v] = [u : u + v, v : v]$ for $M$ above.

If we let the current state assignment be represented by a 4-tuple of the form $(u, v, x, t)$, then a legal trajectory of $M$ would be
$$q_0 \xrightarrow{tick} q_1 \xrightarrow{\alpha} q_2 \xrightarrow{tick} q_3 \xrightarrow{\gamma} q_4 \xrightarrow{tick} \cdots$$
$$(0, 1, a, 0) \xrightarrow{tick} (0, 1, a, 1) \xrightarrow{\alpha} (1, 1, b, 1) \xrightarrow{tick} (1, 1, b, 2) \xrightarrow{\gamma} (1, 1, e, 2) \xrightarrow{tick} \cdots$$
where from $q_4$ onward the trajectory is continued by an infinite string of ticks. Note that after the second occurrence of $tick$, $\gamma$ is forced to occur. A $tick$ could not take place from $q_3$ since $\gamma$ has $u_\gamma = 2$ and, upon reaching $q_3$, $e_\gamma$ has been true for two ticks already. If the initial condition for $M$ is $\Theta := (u = 0 \wedge v = -1 \wedge x = a)$, then a trajectory that by the above definition is "legal" is
$$(0, -1, a, 0) \xrightarrow{\alpha} (-1, -1, b, 0) \xrightarrow{tick} (-1, -1, b, 1) \xrightarrow{tick} (-1, -1, b, 2) \xrightarrow{tick} \cdots$$
where again this trajectory is continued by an infinite number of $tick$ transitions. This trajectory illustrates our interpretation of $u_\beta = \infty$. We do not insist on "fairness," allowing trajectories such as the one above where $\beta$ is a possible next transition for an infinitely long time, although it does not occur. Thus an upper time bound of $\infty$ means that a transition is possible but is not forced to occur in a legal trajectory.

Occasionally we will use the transition graph representation of a TTM, where each instance of a transition in the TTM is represented as shown in Figure 2.3. This can be informally interpreted as follows: "if the TTM is currently in activity $a_s$ and if $e_\alpha$ evaluates to true, then the edge labeled by $\alpha$ may be traversed while doing operation $h_\alpha$, after which the TTM is in activity $a_d$."

Figure 2.3: The transition graph format of a TTM: an edge from activity $a_s$ to activity $a_d$ labeled $\alpha : (e_\alpha) \to [h_\alpha]$.

We will usually use this style of displaying TTMs when the time bounds are understood or not of particular importance. To be useful for designing real systems, a formalism must provide a means of decomposing large systems into smaller, more manageable subsystems. Complex systems are then typically constructed from interacting components running in parallel. In [Ost90] Ostroff defines a TTM parallel composition operator that allows for shared variables and synchronous (shared) transitions. We extend this TTM parallel composition operator to handle nondeterministic operation functions. In the following definition we denote the state assignments over a set of variables $V$ by $Q_V := \prod_{v \in V} \mathrm{Range}(v)$. For $U \subseteq V$ the natural state assignment projection $P_U : Q_V \to Q_U$ maps a state assignment over $V$ to its corresponding state assignment over $U$. In order to allow us to distinguish between a transition and its label, for $T$, a given set of transitions (labeled 4-tuples), let $\ell(T)$ denote the set of transition labels. For the example TTM of Figure 2.2, $\ell(T) = \{\alpha, \beta, \gamma, tick\}$. We are now ready to define the parallel composition of two TTMs.
Definition 2.7 Given two TTMs $M_i := \langle V_i, \Theta_i, T_i \rangle$, $i = 1, 2$, the parallel composition of $M_1$ and $M_2$ is given by $M_1 \| M_2 := \langle V_1 \cup V_2, \Theta_1 \wedge \Theta_2, T_1 \| T_2 \rangle$, where the composite transition set $T_1 \| T_2$ is defined as follows.
(i) If $\alpha := (e, h, l, u) \in T_1$ with operation function $h : Q_{V_1} \to \mathcal{P}(Q_{V_1})$ and $\alpha \notin \ell(T_2)$ (the transition label does not occur in $M_2$), then $\alpha := (e, h', l, u) \in T_1 \| T_2$ where $h' : Q_{V_1 \cup V_2} \to \mathcal{P}(Q_{V_1 \cup V_2})$ is the extension of $h$ given by $h' := h \mathbin{\tilde\times} \mathrm{id}_{Q_{V_2 \setminus V_1}}$.
(ii) Similarly if $\alpha := (e, h, l, u) \in T_2$ and $\alpha \notin \ell(T_1)$, then $\alpha := (e, h', l, u) \in T_1 \| T_2$ where $h' : Q_{V_1 \cup V_2} \to \mathcal{P}(Q_{V_1 \cup V_2})$ is the extension of $h$ given by $h' := \mathrm{id}_{Q_{V_1 \setminus V_2}} \mathbin{\tilde\times} h$.
(iii) If $\alpha$ is a shared transition, i.e. $\alpha \in \ell(T_1) \cap \ell(T_2)$, with $\alpha := (e_1, h_1, l_1, u_1) \in T_1$ and $\alpha := (e_2, h_2, l_2, u_2) \in T_2$ and operation functions $h_i : Q_{V_i} \to \mathcal{P}(Q_{V_i})$, $i = 1, 2$, then $\alpha := (e', h', l', u') \in T_1 \| T_2$ where
- $e' := e_1 \wedge e_2$ is the enablement condition.
- $h' : Q_{V_1 \cup V_2} \to \mathcal{P}(Q_{V_1 \cup V_2})$ is the function such that
$$h'(q) := \{q' \in Q_{V_1 \cup V_2} : P_{V_1}(q') \in h_1 \circ P_{V_1}(q) \text{ and } P_{V_2}(q') \in h_2 \circ P_{V_2}(q)\}$$
- $l' := \max(l_1, l_2)$ is the lower time bound.
- $u' := \min(u_1, u_2)$ is the upper time bound.

Condition (i) states that if the transition $\alpha := (e, h, l, u)$ of $M_1$ is not a shared transition then the new operation function in the composite system is given by
$$h'(q) = \{q' \in Q_{V_1 \cup V_2} : P_{V_1}(q') \in h \circ P_{V_1}(q) \text{ and } P_{V_2 \setminus V_1}(q') = P_{V_2 \setminus V_1}(q)\}.$$
The values of variables not in $M_1$'s variable set (i.e. $v \in V_2 \setminus V_1$) are left unchanged by a transition occurring only in $M_1$. Condition (iii) requires that any new assignment to the shared variables ($V_1 \cap V_2$) made by a shared transition must be a possible assignment by $\alpha$ in both $M_1$ and $M_2$.

As an example, suppose $M_1$ and $M_2$ share the variable $v$ and the transition label $\alpha$. If $\alpha := (x_1 = a \wedge u = 0, [u : 1, v : 2;\ v : 1], 4, \infty)$ in $M_1$ and $\alpha := (x_2 = b, [v : 2, w : 1;\ v : 1, w : 0;\ v : 3, w : 0], 0, 5)$ in $M_2$, then in $M_1 \| M_2$ we have
$$\alpha := (x_1 = a \wedge u = 0 \wedge x_2 = b, [u : 1, v : 2, w : 1;\ v : 1, w : 0], 4, 5)$$
The case when $v$ is set to 3 by $\alpha$ in $M_2$ does not occur in the composite transition since no matching assignment of $v$ to 3 can be made by $\alpha$ in $M_1$. Now let us consider a transition that is not shared. Suppose $(x_1 = b, [u : 3, v : 4], 0, 1)$ is a transition of $M_1$ whose label does not occur in $M_2$. Then $(x_1 = b, [u : 3, v : 4], 0, 1)$ is a transition of $M_1 \| M_2$. In this case the full operation function would be $[u : 3, v : 4, w : w, x_2 : x_2]$ and the new value of $M_1$'s activity variable $x_1$ would be obtained from the graph of $M_1$. Thus an occurrence of this transition in the composite system does not affect $M_2$'s private variables $w$ and $x_2$.

The above TTM parallel composition operator places only minimal restrictions on the way variables and transitions interact in the composite system. Any TTM can arbitrarily access and modify another TTM's variables when the TTMs are composed. In Section 4.4 we restrict the way in which system components can interact through the definition of TTM Modules. The restrictions imposed upon TTM Modules will allow us to apply, at the TTM level, the compositional model reduction results of Chapter 4 for the less complex setting of State-Event Labeled Transition Systems.
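The composite operation function of Definition 2.7, run on the worked example above, as added example code (written for this section, not the thesis's own implementation). It evaluates $h'$ on a concrete state assignment: the candidate next states are the pairs drawn from $h_1(P_{V_1}(q)) \times h_2(P_{V_2}(q))$ that agree on the shared variables, which is the equalizer of the two projections onto $Q_{V_1 \cap V_2}$ from Section 2.1.1. The current state assignment q is constructed for the example; the variable sets, assignment lists and bounds are those of the text.

```python
# Added example (not the thesis's own code): TTM parallel composition (Definition 2.7)
# applied to operation functions. The sample state q is constructed; the variable
# sets and assignment lists are those of the worked example in the text.
INF = float("inf")

def project(q, U):
    """Natural state assignment projection P_U: keep the variables in U only."""
    return {v: q[v] for v in U}

def op(*alternatives):
    """Assignment format [v1: expr, ...; ...]: each alternative is a dict of
    variable -> expression (a constant or a callable on the current state).
    Unlisted variables keep their value: the operation function is the identity on them."""
    def h(q):
        return [{**q, **{v: (e(q) if callable(e) else e) for v, e in alt.items()}}
                for alt in alternatives]
    return h

def compose_guard(e1, e2):
    """Case (iii): e' := e1 and e2."""
    return lambda q: e1(q) and e2(q)

def compose_shared(h1, V1, h2, V2):
    """Case (iii): h'(q) = { q' over V1 u V2 : P_V1(q') in h1(P_V1 q) and
    P_V2(q') in h2(P_V2 q) }. A pair (r1, r2) from h1(P_V1 q) x h2(P_V2 q) gives a
    composite next state exactly when r1 and r2 agree on the shared variables, i.e.
    the pair lies in the equalizer of the two projections onto Q_{V1 n V2}."""
    shared = set(V1) & set(V2)
    def h(q):
        return [{**r1, **r2}
                for r1 in h1(project(q, V1))
                for r2 in h2(project(q, V2))
                if all(r1[v] == r2[v] for v in shared)]
    return h

def extend_private(h, V1, V2):
    """Case (i): a transition of M1 whose label is absent from M2 leaves M2's
    private variables (V2 minus V1) unchanged: h' := h (setwise product) id."""
    private = set(V2) - set(V1)
    def h_ext(q):
        return [{**r, **project(q, private)} for r in h(project(q, V1))]
    return h_ext

def compose_bounds(l1, u1, l2, u2):
    """Case (iii): l' := max(l1, l2), u' := min(u1, u2)."""
    return max(l1, l2), min(u1, u2)

# The worked example: M1 over {x1, u, v}, M2 over {x2, v, w}, sharing v and one label.
V1, V2 = ["x1", "u", "v"], ["x2", "v", "w"]
h1 = op({"u": 1, "v": 2}, {"v": 1})                              # [u:1, v:2; v:1]
h2 = op({"v": 2, "w": 1}, {"v": 1, "w": 0}, {"v": 3, "w": 0})    # [v:2, w:1; v:1, w:0; v:3, w:0]
e1 = lambda q: q["x1"] == "a" and q["u"] == 0                     # x1 = a and u = 0
e2 = lambda q: q["x2"] == "b"                                     # x2 = b
q = {"x1": "a", "u": 0, "v": 0, "x2": "b", "w": 0}                # constructed current state

h_shared = compose_shared(h1, V1, h2, V2)
h_private = extend_private(op({"u": 3, "v": 4}), V1, V2)          # the unshared transition of M1

if __name__ == "__main__":
    print(h_shared(q))                   # two next states: [u:1, v:2, w:1; v:1, w:0]
    print(compose_bounds(4, INF, 0, 5))  # (4, 5)
```

The alternative that sets $v$ to 3 in $M_2$ drops out because no element of $h_1(P_{V_1}(q))$ assigns $v$ the value 3, which is the behaviour the text describes; note that matching is done on concrete next-state values, so an alternative that leaves a shared variable unlisted only matches when the other module's assignment keeps that variable's current value.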
2.2.3 State-Event Labeled Transition Systems

State-Event Labeled Transition Systems (SELTS) extend Labeled Transition Systems (LTS) [DeN87] by adding a state output map. In the temporal logic setting of Chapter 4 the state output will be the set of atomic propositions satisfied by a state. Until then we will consider the state output to be some kind of state observation. While (state based) Kripke structures are generally used as the underlying model for temporal logic model checkers [CES86] and are ultimately the model we would employ in any model checking algorithm for the temporal logics of Chapter 4, considering structures that are extended by transition labels has two main benefits. First, the use of $tick$ transitions provides an easy method of incorporating system components' timing information in a concurrent setting. An example of such a use of SELTS is Ostroff's RG2 graphs [Ost89] that are used for model checking Real-Time Temporal Logic (RTTL) properties [Ost90]. RG2 graphs use event information to reduce infinite state timed systems to finite state systems that preserve the relative timing of state changes and event outputs in a concurrent setting. Secondly, the addition of event information is also crucial for performing synchronous composition of systems and thereby permitting supervisory control through the disablement of controllable events [RW87].

Definition 2.8 A State-Event Labeled Transition System (SELTS) is a 5-tuple
$$\mathcal{Q} := \langle Q, \Sigma, R, q_0, P \rangle$$
where $Q$ is an at most countable set of states, $\Sigma$ is a finite set of elementary actions or events, $R = \{\xrightarrow{\sigma} : \sigma \in \Sigma\}$ is a set of binary relations on $Q$, $q_0 \in Q$ is the initial state and $P : Q \to R$ is the state output map, a function mapping each state into the set of state outputs.

In the above definition if $\sigma \in \Sigma$ and $q, q' \in Q$, then $q \xrightarrow{\sigma} q'$ means that the SELTS can move from state $q$ to $q'$ by executing elementary action $\sigma$. Any transition relation $\xrightarrow{\sigma} \in R$ can be viewed as a function $\sigma^{\mathcal{Q}} : Q \to \mathcal{P}(Q)$, where $\mathcal{P}(Q)$ is the power set of $Q$. The function $\sigma^{\mathcal{Q}}$ maps $q$ to the set of states reachable from $q$ via a single $\sigma$ transition in the SELTS $\mathcal{Q}$. When the SELTS to which we are referring is obvious from the context, we will simply write $\sigma(q)$. For simplicity we assume $Q \ne \emptyset$ and $|Q|$ is finite. When discussing SELTS in Chapter 4, $AP, AP_1, AP_2, \ldots$ will represent sets of atomic propositions and the SELTS state output map will map each state to the set of atomic propositions satisfied by the state (i.e. $P : Q \to \mathcal{P}(AP)$). For Chapter 3 it will suffice to consider state output maps of the more general form $P : Q \to R$ where $R$ is an arbitrary set of state outputs.

A notion similar to LTS forms the basis of TTMs and many other models of concurrency. With the additional state output map, a SELTS provides a convenient way of modeling the state and event dynamics of a TTM. Figure 2.4 is the RG2 graph representing all legal trajectories of the simple TTM shown in Figure 2.2. The top line of each state in the graph contains the state assignments of the system variables in the format $(u, v, x)$. The second line of each state contains the current values of each transition's counter variable in the format $[c_\alpha, c_\beta, c_\gamma]$. Thus the states of the RG2 graph are elements of $M$'s set of extended state assignments $\bar{Q}$. Note that in accordance with the fact that both of their lower time bounds equal 2, the $\beta$ and $\gamma$ transitions only exit states in which their respective counter variables equal or exceed 2. On the other hand both $\alpha$ and $\gamma$ have upper time bounds of 2 so no $tick$ transition exits a state where $c_\alpha = 2$ or $c_\gamma = 2$. In such states an $\alpha$ or $\gamma$ transition is forced before the next clock tick unless it is preempted by another transition. For example, $\gamma$ can be preempted by the $\beta$ transition that enters the state in the graph's lower right corner. The initial state $q_0$ of the graph is indicated by an entering arrow.

Figure 2.4: RG2 representing the legal trajectories of TTM $M$ in Figure 2.2. State legend: $(u, v, x)$ over $[c_\alpha, c_\beta, c_\gamma]$; the initial state $q_0 = (0, 1, a)\,[0, 0, 0]$ is marked by an entering arrow. The states shown are $(0,1,a)\,[0,0,0]$, $(0,1,a)\,[1,0,1]$, $(0,1,a)\,[2,0,2]$, $(0,1,c)\,[0,0,0]$, $(1,1,b)\,[0,0,0]$, $(1,1,b)\,[0,0,1]$, $(1,1,b)\,[0,0,2]$, $(1,1,b)\,[0,1,1]$, $(1,1,b)\,[0,1,2]$, $(1,1,b)\,[0,2,2]$, $(1,1,e)\,[0,0,0]$ and $(2,0,d)\,[0,0,0]$, connected by $tick$ edges and the transition edges of $M$.

A TTM's legal trajectories are all infinite sequences and, as can be seen from Figure 2.4, every path starting from $q_0$ can be extended to an infinite path. The transitions' counter variables are only used to obtain the structure of the graph. They are not part of the system's observed timed behavior. The counter variables are hidden variables, the values of which are crucial to determining the Markovian dynamics of the structure. Thus if we were to treat the RG2 graph of Figure 2.4 as a SELTS, the state output map would be the canonical projection from extended state assignments to state assignments $P : \bar{Q} \to Q$. Although the $\beta$ transition of $M$ has an upper time bound of $\infty$, the RG2 graph (and hence the SELTS of $M$) is finite state since $\gamma$ preempts $\beta$, preventing an infinite number of ticks from causing $c_\beta$ to become unbounded. What if $\gamma$ also had an upper time bound of $\infty$? How do we generate a finite state representation of the timed behavior of $M$? The set of extended state assignments is reduced to produce a finite state set by redefining the Range of the counter variables as follows. For $M := \langle V, \Theta, T \rangle$ and $\alpha := (e_\alpha, h_\alpha, l_\alpha, u_\alpha) \in T$
$$\mathrm{Range}_M(c_\alpha) := \begin{cases} \{n \in \mathbb{N} : n < l_\alpha\} \cup \{\omega\} & \text{if } u_\alpha = \infty \\ \{n \in \mathbb{N} : n \le u_\alpha\} & u_\alpha < \infty \end{cases}$$
If $\alpha$ has a finite upper time bound $u_\alpha$, then TTM semantics prevent $c_\alpha$ from being incremented to a value exceeding $u_\alpha$. For transitions with lower time bound $l_\alpha$ and upper time bound $u_\alpha = \infty$, when $c_\alpha$ is incremented to a value equal to $l_\alpha$, we instead set $c_\alpha = \omega$ and henceforth define $\omega + 1 = \omega$. For comparison purposes we define for all $a \in \mathbb{N}$, $a < \omega < \infty$. We now redefine the set of extended state assignments to use this reduction as follows:
$$\bar{Q} := Q \times \prod_{c_\alpha \in C} \mathrm{Range}_M(c_\alpha)$$
where $C := \{c_\alpha : \alpha \in T - \{tick\}\}$. Henceforth when referring to the set of extended state assignments we will assume that we are dealing with the reduced set. We now formally define the SELTS obtained using the redefined extended state assignments to be the SELTS generated by $M$.
N
30
Definition 2.9 Given a TTM $M$ with a finite RG2 graph, the SELTS generated by $M$ is defined as
$$\mathcal{Q}_M := \langle \tilde{Q}, \Sigma, R, \tilde{q}_0, P\rangle$$
where $\tilde{Q}$ is the (reduced) set of extended state assignments and $\Sigma$ is the set of transition labels of $M$. The transition relations of $R$ are obtained from the definition of TTM semantics and $P : \tilde{Q} \to Q$ is the canonical projection from extended state assignments to state assignments. The initial state $\tilde{q}_0$ is the unique extended state assignment such that $P(\tilde{q}_0)$ satisfies the initial condition of $M$ and $\tilde{q}_0(c_\alpha) = 0$ for each TTM transition counter variable $c_\alpha$.
Often a TTM's activity variable $x$ plays a role similar to the counter variables in that it is only used to keep track of when transitions might possibly be enabled. Similarly, not all transition labels may be of significance. For instance $M$ may be designed to share one of its transitions and the $tick$ transition with other modules, while its remaining transitions are internal to $M$. If one's real interest in the TTM $M$ was the timed behavior of the variables $u$ and $v$ and the occurrences of the shared transition, then this could be represented by the SELTS shown in Figure 2.5. We maintain the structure of $\mathcal{Q}_M$, the SELTS generated by $M$, and drop the extraneous information associated with the activity variable $x$ and the transition counter variables to obtain the SELTS's state output map $P' = P_{Q_{\{u,v\}}} \circ P$, where $P_{Q_{\{u,v\}}} : Q \to Q_{\{u,v\}}$ is the canonical projection from $M$'s state assignments to the state assignments over $\{u, v\}$. The new state output values are shown as labels of the various cells of $\ker(P')$ (e.g. in state $\tilde{q}_0$, $(u, v) = P'(\tilde{q}_0) = (0, 1)$). The SELTS transitions formerly labeled by the internal transitions have been relabeled as "unobservable" $\tau$ transitions since we do not need to distinguish them. In defining TTM modules later we will find use for this process of "relabeling" a SELTS and so formalize the definition here.

Figure 2.5: SELTS for timed behavior of $u, v$. [Graph omitted. The cells of $\ker(P')$ are labeled $u = 0, v = 1$ (containing $q_0$), $u = 1, v = 1$ and $u = 2, v = 0$; the transitions are labeled $tick$ or $\tau$.]

Definition 2.10 Given a SELTS $\mathcal{Q} := \langle Q, \Sigma, R, q_0, P\rangle$ where $P : Q \to \mathcal{R}$, a SELTS relabeling is defined to be a pair of maps $r := (r_\Sigma, r_P)$, $r_\Sigma : \Sigma \to \Sigma'$ and $r_P : \mathcal{R} \to \mathcal{R}'$. The $r$ relabeling of $\mathcal{Q}$ is given by
$$r(\mathcal{Q}) := \langle Q, r_\Sigma(\Sigma), R_{r_\Sigma}, q_0, r_P \circ P\rangle$$
where $R_{r_\Sigma}$ is obtained from $R$ by replacing each transition $q \stackrel{\sigma}{\rightarrow} q'$ by $q \stackrel{r_\Sigma(\sigma)}{\longrightarrow} q'$.
We now define synchronous composition operators to provide a mechanism for constructing large systems consisting of interacting subsystems. Initially we deal with a strictly event based synchronization operator which is then extended to a variation of the more general state-event synchronization operator found in [GL93]. The event synchronous product operator below is a straightforward extension to the SELTS setting of the parallel composition operator of [Mil89].

Definition 2.11 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma_i, R_i, q_{i0}, P_i\rangle$ with $P_i : Q_i \to \mathcal{R}_i$ for $i = 1, 2$ and a set of synchronization events $\Sigma_s \subseteq \Sigma_1 \cap \Sigma_2$, the $\Sigma_s$-synchronous product of $\mathcal{Q}_1$ and $\mathcal{Q}_2$ is given by
$$\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2 := \langle Q_1 \times Q_2, \Sigma_1 \cup \Sigma_2, R_{1,2}, (q_{10}, q_{20}), P_1 \times P_2\rangle,$$
where the elements of $R_{1,2} = \{\stackrel{\sigma}{\rightarrow} : \sigma \in \Sigma_1 \cup \Sigma_2\}$ are binary relations over $Q_1 \times Q_2$ defined as follows: $(q_1, q_2) \stackrel{\sigma}{\rightarrow} (q_1', q_2')$ iff
(i) $\sigma \in \Sigma_s$ and $q_i \stackrel{\sigma}{\rightarrow} q_i'$ in $\mathcal{Q}_i$ for $i = 1, 2$, or
(ii) $\sigma \in \Sigma_1 \setminus \Sigma_s$, $q_1 \stackrel{\sigma}{\rightarrow} q_1'$ in $\mathcal{Q}_1$ and $q_2 = q_2'$, or
(iii) $\sigma \in \Sigma_2 \setminus \Sigma_s$, $q_2 \stackrel{\sigma}{\rightarrow} q_2'$ in $\mathcal{Q}_2$ and $q_1 = q_1'$.

When $\Sigma_s = \Sigma_1 \cap \Sigma_2$ the above definition of synchronous product specializes to the standard synchronous product operator used in [RW87]. In its more general form, when $\Sigma_s \neq \Sigma_1 \cap \Sigma_2$, it is possible for a $\sigma \in (\Sigma_1 \cap \Sigma_2) \setminus \Sigma_s$ to be executed independently by each subsystem and thereby introduce additional nondeterminism. In fact, in this case the synchronous product of two simple deterministic systems can result in a nondeterministic system (see Figure 2.6). Since our theory is specifically designed to deal with the nondeterminism that typically results from creating hierarchical models, this and the following generalization of the synchronous product operator do not pose a problem.

Figure 2.6: General synchronous product can create nondeterminism. [Figure omitted. It shows the product of two two-state deterministic systems, with product states $(1,1)$, $(2,1)$, $(1,2)$ and $(2,2)$.]

By viewing the transition relations as functions from states to the power set of states, taking $\mathcal{Q}_{i\sigma}(q_i) = \emptyset$ when $\sigma \notin \Sigma_i$, and using the fact that $Q \times \emptyset = \emptyset \times Q = \emptyset$ for any set $Q$, we can formulate an alternative functional definition of the event synchronous product transition relations as follows. For $(q_1, q_2) \in Q_1 \times Q_2$,
$$(\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma(q_1, q_2) = \begin{cases} \mathcal{Q}_{1\sigma}(q_1) \times \mathcal{Q}_{2\sigma}(q_2) & \sigma \in \Sigma_s \\ (\mathcal{Q}_{1\sigma}(q_1) \times \{q_2\}) \cup (\{q_1\} \times \mathcal{Q}_{2\sigma}(q_2)) & \text{otherwise.} \end{cases}$$
Thus we can use the setwise functional product operator $\dot{\times}$ to express $\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2$ at a functional level that can then be used in composition with homomorphisms:
$$(\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma := \begin{cases} \mathcal{Q}_{1\sigma}\,\dot{\times}\,\mathcal{Q}_{2\sigma} & \sigma \in \Sigma_s \\ (\mathcal{Q}_{1\sigma}\,\dot{\times}\,\mathrm{id}_{Q_2}) \cup (\mathrm{id}_{Q_1}\,\dot{\times}\,\mathcal{Q}_{2\sigma}) & \text{otherwise,} \end{cases}$$
with $\mathrm{id}_{Q_i}(q_i)$ read as the singleton $\{q_i\}$ so that the two formulas agree. Note that when $(\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma$ is applied to a state $(q_1, q_2)$ of the composite system, the result is the set of ordered state pairs $\mathcal{Q}_{1\sigma}(q_1) \times \mathcal{Q}_{2\sigma}(q_2)$ as stated above and not the ordered pair of sets $(\mathcal{Q}_{1\sigma}(q_1), \mathcal{Q}_{2\sigma}(q_2))$ (i.e. $(\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma \neq \mathcal{Q}_{1\sigma} \times \mathcal{Q}_{2\sigma}$). While the above event synchronous composition operator allows systems to synchronize on global ticks and other shared events, it does not have any way of modeling the "state output synchronization" associated with the shared variables of TTMs. As a first step towards representing TTM parallel composition at the SELTS level we extend event composition to state-event synchronous composition. We begin by defining the notion of a compatible interface for SELTS.
As a very general method of providing synchronization of state output changes, we assume that when two SELTS are composed, state output synchronization maps are associated with each system. These functions map the respective systems' state outputs to a common set. In the case of SELTS representing TTMs this common set will be the cross product of the ranges of the variables shared by the TTMs (i.e. $Q_{V_1 \cap V_2}$). A SELTS interface will then be a set of synchronization events together with a pair of maps that have a common codomain. An interface will be compatible with a pair of SELTS if the state output synchronization maps are defined on the appropriate domains and agree on their evaluation of the state outputs of their respective systems' initial states. More formally,

Definition 2.12 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma_i, R_i, q_{i0}, P_i\rangle$ with $P_i : Q_i \to \mathcal{R}_i$ for $i = 1, 2$, a compatible interface for $\mathcal{Q}_1$ and $\mathcal{Q}_2$ is a 3-tuple $I := (\Sigma_s, f_1, f_2)$ where $\Sigma_s \subseteq \Sigma_1 \cap \Sigma_2$ is a set of synchronization events, and $f_i : \mathcal{R}_i \to \mathcal{R}$, $i = 1, 2$, are state output synchronization maps such that $f_1 \circ P_1(q_{10}) = f_2 \circ P_2(q_{20})$.

In addition to the conditions imposed by event synchronization, for state-event composition we also require that the systems "synchronize" on the value of the state output synchronization maps (i.e. for any reachable state $(q_1, q_2)$ of the composite system, we have $f_1 \circ P_1(q_1) = f_2 \circ P_2(q_2)$).

Definition 2.13 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma_i, R_i, q_{i0}, P_i\rangle$ with $P_i : Q_i \to \mathcal{R}_i$ for $i = 1, 2$ and a compatible interface $I := (\Sigma_s, f_1, f_2)$, the $I$-synchronous product of $\mathcal{Q}_1$ and $\mathcal{Q}_2$ is defined to be
$$\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2 := \langle Q_1 \times Q_2, \Sigma_1 \cup \Sigma_2, R_{1,2}, (q_{10}, q_{20}), P_1 \times P_2\rangle,$$
where the elements of $R_{1,2} = \{\stackrel{\sigma}{\rightarrow} : \sigma \in \Sigma_1 \cup \Sigma_2\}$ are binary relations over $Q_1 \times Q_2$ defined as follows: $(q_1, q_2) \stackrel{\sigma}{\rightarrow} (q_1', q_2')$ iff $f_1 \circ P_1(q_1') = f_2 \circ P_2(q_2')$ ($\dagger$) and
(i) $\sigma \in \Sigma_s$ and $q_i \stackrel{\sigma}{\rightarrow} q_i'$ in $\mathcal{Q}_i$ for $i = 1, 2$, or
(ii) $\sigma \in \Sigma_1 \setminus \Sigma_s$, $q_1 \stackrel{\sigma}{\rightarrow} q_1'$ in $\mathcal{Q}_1$ and $q_2 = q_2'$, or
(iii) $\sigma \in \Sigma_2 \setminus \Sigma_s$, $q_2 \stackrel{\sigma}{\rightarrow} q_2'$ in $\mathcal{Q}_2$ and $q_1 = q_1'$.

From the definition we see that $(q_1, q_2) \stackrel{\sigma}{\rightarrow} (q_1', q_2')$ in $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$ iff $(q_1, q_2) \stackrel{\sigma}{\rightarrow} (q_1', q_2')$ in $\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2$ and $f_1 \circ P_1(q_1') = f_2 \circ P_2(q_2')$.

Figure 2.7: State-event synchronous product of $\mathcal{Q}_1$ and $\mathcal{Q}_2$ for $I := (\{\sigma\}, \pi_1, \pi_2)$. [Figure omitted. $\mathcal{Q}_1$ has states $q_{10}$ ($v = 0, w = 0$), $q_{11}$ ($v = 1, w = 0$) and $q_{12}$ ($v = 1, w = 1$); $\mathcal{Q}_2$ has states $q_{20}$ ($u = 0, v = 0$), $q_{21}$ ($u = 0, v = 1$), $q_{22}$ ($v = 0$) and $q_{23}$ ($u = 1, v = 1$); the composite $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$ has the states $(q_{10}, q_{20})$ with $u = 0, v = 0, w = 0$, $(q_{12}, q_{21})$ with $u = 0, v = 1, w = 1$, and $(q_{12}, q_{23})$ with $u = 1, v = 1, w = 1$.]

Figure 2.7 shows SELTS $\mathcal{Q}_1$ and $\mathcal{Q}_2$ and their state-event synchronous composition when synchronized on event $\sigma$ and on the value of their shared variable $v$. Formally, both state output maps for $\mathcal{Q}_1$ and $\mathcal{Q}_2$ can be represented as functions from their state sets to $\{0, 1\}^2$, so $P_1(q_{11}) = (1, 0)$ while $P_2(q_{21}) = (0, 1)$ (i.e. $P_1 : Q_1 \to \{0,1\}^2$ such that $q_1 \mapsto (v, w)$ for $q_1 \in Q_1$, and $P_2 : Q_2 \to \{0,1\}^2$ such that $q_2 \mapsto (u, v)$ for $q_2 \in Q_2$). So we can take the first state output synchronization map to be the canonical projection $\pi_1 : \{0,1\}^2 \to \{0,1\}$ where $(v, w) \mapsto v$, and the second state output synchronization map to be the canonical projection $\pi_2 : \{0,1\}^2 \to \{0,1\}$ where $(u, v) \mapsto v$. In this case $\pi_1 \circ P_1(q_{10}) = \pi_2 \circ P_2(q_{20})$, so $I := (\{\sigma\}, \pi_1, \pi_2)$ is a compatible interface for $\mathcal{Q}_1$ and $\mathcal{Q}_2$ and hence $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$ exists. Closer examination of $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$ in Figure 2.7 reveals that only events from the synchronization set can modify shared variables (more generally, cause a change in the evaluations of the state output synchronization functions). The transition $(q_{10}, q_{20}) \rightarrow (q_{11}, q_{20})$ would be allowed in $\mathcal{Q}_1\,|[\{\sigma\}]|\,\mathcal{Q}_2$ but does not take place in $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$, since $\mathcal{Q}_2$ cannot synchronize on that (unshared) event to make a move to a new state that also changes the value of $v$ to 1. Note that the transition $(q_{12}, q_{21}) \rightarrow (q_{12}, q_{23})$ is allowed to take place in $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$, changing the value of the independent variable $u$, since it does not change the value of the shared variable $v$. For the synchronization event $\sigma$, the transition $(q_{10}, q_{20}) \stackrel{\sigma}{\rightarrow} (q_{12}, q_{22})$ cannot occur in $\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2$ because it would result in an inconsistent value of $v$: $v$ changes from 0 to 1 when $q_{10} \stackrel{\sigma}{\rightarrow} q_{12}$ in $\mathcal{Q}_1$, but $v$ retains the value 0 when $q_{20} \stackrel{\sigma}{\rightarrow} q_{22}$ in $\mathcal{Q}_2$.

To obtain our arrow theoretic characterization of the state-event synchronous composition operator we can simply build upon the arrow theoretic definition of event synchronous composition. Recall from Section 2.1.1 that the equalizer of a pair of functions with common domain and codomain, $f_i : A \to B$, $i = 1, 2$, is denoted by
$$\mathrm{eq}(f_1, f_2) := \{a \in A : f_1(a) = f_2(a)\}.$$
Considering the cross product $Q_1 \times Q_2$ with associated canonical projections $\pi_1 : Q_1 \times Q_2 \to Q_1$ and $\pi_2 : Q_1 \times Q_2 \to Q_2$, we can rephrase condition ($\dagger$) of Definition 2.13 as $(q_1', q_2') \in \mathrm{eq}(f_1 \circ P_1 \circ \pi_1, f_2 \circ P_2 \circ \pi_2)$. Thus for a compatible interface $I := (\Sigma_s, f_1, f_2)$ and SELTS as in Definition 2.13, regarding the transition relations as functions from the state set to the power set of states, we have for $\sigma \in \Sigma_1 \cup \Sigma_2$
$$(\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2)_\sigma = (\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma \cap \mathrm{eq}(f_1 \circ P_1 \circ \pi_1, f_2 \circ P_2 \circ \pi_2) = \cap_{\mathrm{eq}} \circ (\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma$$
where $\cap_{\mathrm{eq}} : \mathcal{P}(Q_1 \times Q_2) \to \mathcal{P}(Q_1 \times Q_2)$ is the projection resulting from intersection with the equalizer set, $A \mapsto A \cap \mathrm{eq}(f_1 \circ P_1 \circ \pi_1, f_2 \circ P_2 \circ \pi_2)$. Figure 2.8 illustrates the relationship between $|[\Sigma_s]|$ and $|[I]|$ as a commutative diagram.

Figure 2.8: Commutative diagram relating $|[\Sigma_s]|$ and $|[I]|$. [Diagram omitted. The arrow $(\mathcal{Q}_1\,|[\Sigma_s]|\,\mathcal{Q}_2)_\sigma : Q_1 \times Q_2 \to \mathcal{P}(Q_1 \times Q_2)$ followed by $\cap_{\mathrm{eq}} : \mathcal{P}(Q_1 \times Q_2) \to \mathcal{P}(Q_1 \times Q_2)$ equals the arrow $(\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2)_\sigma : Q_1 \times Q_2 \to \mathcal{P}(Q_1 \times Q_2)$.]

When the state output synchronization maps are constant over their domains (e.g. the trivial maps $f_i : \mathcal{R}_i \to \{\cdot\}$ sending every output to a single point, $i = 1, 2$), then $\mathrm{eq}(f_1 \circ P_1 \circ \pi_1, f_2 \circ P_2 \circ \pi_2) = Q_1 \times Q_2$, so $\cap_{\mathrm{eq}} = \mathrm{id}_{\mathcal{P}(Q_1 \times Q_2)}$, the identity map. In this case $|[I]|$ reduces to $|[\Sigma_s]|$, as one might expect, since the trivial state output synchronization maps provide synchronization of outputs for all states.
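The two products defined above, as an added worked example in Python (this is not code from the thesis): Definition 2.11 is implemented by `event_product` and Definition 2.13 by `state_event_product`, which applies condition ($\dagger$) as the equalizer filter of the arrow theoretic characterization. The component systems follow the shape of Figure 2.7 (the state names and the outputs $(v, w)$ and $(u, v)$ are taken from the text; the event names `a`, `b`, `c`, the output of $q_{22}$ and the concrete transitions are assumptions made for this example), and the pair `A`, `B` reproduces the nondeterminism of Figure 2.6.

```python
"""Event-synchronous (Definition 2.11) and state-event-synchronous (Definition 2.13)
products of finite SELTS.  Added example, not code from the thesis.

A SELTS is a tuple (states, events, trans, q0, P) with trans[sigma] a set of
(q, q') pairs and P a function from states to output tuples.  Q1, Q2, INTERFACE,
A and B below are constructed for this example (event names are assumptions).
"""
from itertools import product


def succ(selts, sigma, q):
    """Q_sigma(q): states reachable from q by one sigma transition (empty if sigma is unknown)."""
    return {t for (s, t) in selts[2].get(sigma, set()) if s == q}


def event_product(Q1, Q2, sync):
    """Q1 |[sync]| Q2: lock step on events in sync, interleave every other event."""
    S1, E1, _, q10, P1 = Q1
    S2, E2, _, q20, P2 = Q2
    trans = {}
    for sigma in E1 | E2:
        pairs = set()
        for q1, q2 in product(S1, S2):
            if sigma in sync:                       # case (i): both components move
                targ = set(product(succ(Q1, sigma, q1), succ(Q2, sigma, q2)))
            else:                                   # cases (ii)/(iii): one component moves
                targ = {(t, q2) for t in succ(Q1, sigma, q1)} | \
                       {(q1, t) for t in succ(Q2, sigma, q2)}
            pairs |= {((q1, q2), t) for t in targ}
        trans[sigma] = pairs
    return (set(product(S1, S2)), E1 | E2, trans, (q10, q20),
            lambda qq: (P1(qq[0]), P2(qq[1])))


def state_event_product(Q1, Q2, interface):
    """Q1 |[I]| Q2 for I = (sync, f1, f2): keep only moves into eq(f1.P1.pi1, f2.P2.pi2)."""
    sync, f1, f2 = interface
    P1, P2 = Q1[4], Q2[4]
    if f1(P1(Q1[3])) != f2(P2(Q2[3])):             # Definition 2.12
        raise ValueError("interface is not compatible: initial outputs disagree")
    states, events, trans, q0, P = event_product(Q1, Q2, sync)
    eq = {(q1, q2) for (q1, q2) in states if f1(P1(q1)) == f2(P2(q2))}
    trans = {s: {(src, dst) for (src, dst) in pairs if dst in eq}   # condition (dagger)
             for s, pairs in trans.items()}
    return (states, events, trans, q0, P)


def reachable(selts):
    """States reachable from q0 by any sequence of events."""
    _, events, _, q0, _ = selts
    seen, frontier = {q0}, [q0]
    while frontier:
        q = frontier.pop()
        for sigma in events:
            for t in succ(selts, sigma, q) - seen:
                seen.add(t)
                frontier.append(t)
    return seen


def is_deterministic(selts):
    """Every (state, event) pair has at most one successor."""
    states, events, _, _, _ = selts
    return all(len(succ(selts, s, q)) <= 1 for q in states for s in events)


# Constructed components in the shape of Figure 2.7; outputs are (v, w) and (u, v).
Q1 = ({"q10", "q11", "q12"}, {"a", "b"},
      {"a": {("q10", "q12")}, "b": {("q10", "q11")}},
      "q10", {"q10": (0, 0), "q11": (1, 0), "q12": (1, 1)}.__getitem__)
Q2 = ({"q20", "q21", "q22", "q23"}, {"a", "c"},
      {"a": {("q20", "q21"), ("q20", "q22")}, "c": {("q21", "q23")}},
      "q20", {"q20": (0, 0), "q21": (0, 1), "q22": (0, 0), "q23": (1, 1)}.__getitem__)
INTERFACE = ({"a"}, lambda vw: vw[0], lambda uv: uv[1])   # (Sigma_s, pi_1, pi_2): both select v

# Two deterministic one-event systems sharing 's' (the situation of Figure 2.6).
A = ({1, 2}, {"s"}, {"s": {(1, 2)}}, 1, lambda q: ())
B = ({1, 2}, {"s"}, {"s": {(1, 2)}}, 1, lambda q: ())

if __name__ == "__main__":
    print(sorted(reachable(state_event_product(Q1, Q2, INTERFACE))))
    print(is_deterministic(event_product(A, B, set())), is_deterministic(event_product(A, B, {"s"})))
```

The reachable part of the state-event product is exactly the three states of the composite in Figure 2.7: the unshared event `b` out of $(q_{10}, q_{20})$ and the synchronized move to $(q_{12}, q_{22})$ both survive in the event product but are cut by the equalizer, while `A |[∅]| B` shows the shared but unsynchronized event producing two successors from $(1,1)$.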
2.3 State Observers for a Class of Deterministic LTS

In this section the lattice of congruences of a deterministic transition system and its role in characterizing the (strong) state observers of [Won76] are reviewed. In [Won76] the author considers SELTS of the form
$$\mathcal{Q} = \langle Q, \{\sigma\}, \{\rightarrow\}, q_0, P\rangle$$
where $\rightarrow$ is a deterministic transition relation (i.e. the lone transition relation can be represented as a function $\delta : Q \to Q$). In this case the author views the SELTS as a discrete time dynamical system, given by $x(0) = q_0$ and $x(t+1) = \delta(x(t))$, where it is the sequence of states generated by the LTS that is of interest. The output map $P : Q \to \mathcal{R}$ is assumed to have no special structure. Thus two states $q, q' \in Q$ produce the same output observation precisely when $P(q) = P(q')$.

Definition 2.14 Given a deterministic SELTS $\mathcal{Q}$ as defined above, $\theta \in \mathrm{Eq}(Q)$ is a congruence of the transition function for $\mathcal{Q}$ iff $(q, q') \in \theta$ implies $(\delta(q), \delta(q')) \in \theta$. We let $\mathrm{Con}(\mathcal{Q})$ denote the set of all congruences of the transition function for $\mathcal{Q}$.

$\mathrm{Con}(\mathcal{Q})$ forms a complete sublattice of $\mathrm{Eq}(Q)$. Thus $\mathrm{Con}(\mathcal{Q})$ is closed under $\wedge$ and $\vee$, and given any $F \subseteq \mathrm{Con}(\mathcal{Q})$, $\sup(F)$ exists as an element of $\mathrm{Con}(\mathcal{Q})$.

Definition 2.15 Given a deterministic SELTS $\mathcal{Q}$ as defined above and a state output map $P : Q \to \mathcal{R}$, the strong state observer $\theta_o(\mathcal{Q})$ is defined to be
$$\theta_o(\mathcal{Q}) = \sup\{\theta \in \mathrm{Con}(\mathcal{Q}) : \theta \le \ker(P)\}.$$

When $\mathcal{Q}$ is clear from the context we will simply write $\theta_o$ for $\theta_o(\mathcal{Q})$. The existence and uniqueness of $\theta_o$ are an immediate result of $\mathrm{Con}(\mathcal{Q})$ being a complete sublattice of $\mathrm{Eq}(Q)$. Here $\theta_o$ is the coarsest congruence with respect to the transition function $\delta$ that is finer than the equivalence kernel of $P$. For $(q, q') \in \theta_o$, $\theta_o \le \ker(P)$ implies $P(q) = P(q')$, while $\theta_o \in \mathrm{Con}(\mathcal{Q})$ so $(\delta(q), \delta(q')) \in \theta_o$ and hence $P(\delta(q)) = P(\delta(q'))$. Thus if $(q, q') \in \theta_o$, then $q$ and $q'$ produce the same current state output and the same sequence of future state outputs. From an informational standpoint, $\theta_o$ represents the minimum information one needs about the current state of the system to be able to predict the future state outputs.

Quotient Systems

Given a deterministic SELTS $\mathcal{Q} = \langle Q, \{\sigma\}, \{\rightarrow\}, q_0, P\rangle$, for any $\theta \in \{\theta \in \mathrm{Con}(\mathcal{Q}) : \theta \le \ker(P)\}$ we can define the quotient SELTS of $\mathcal{Q}$ by $\theta$ as
$$\mathcal{Q}/\theta = \langle Q/\theta, \{\sigma\}, \{\rightarrow_\theta\}, q_0/\theta, P_\theta\rangle.$$
Here $q_0/\theta$ denotes the cell (equivalence class) containing $q_0$ and $Q/\theta$ represents the set of all cells. The transition relation $\rightarrow_\theta$ can again be viewed as a function $\delta_\theta : Q/\theta \to Q/\theta$ where, for $q/\theta \in Q/\theta$, $\delta_\theta(q/\theta) := \delta(q)/\theta$; this is well defined precisely because $\theta$ is a congruence. The state output map $P_\theta : Q/\theta \to \mathcal{R}$ is the unique map such that $P = P_\theta \circ \theta$. The existence of $P_\theta$ follows from the fact that the partition $\theta$ is finer than $\ker(P)$, while the uniqueness of $P_\theta$ follows from the fact that the map $\theta : Q \to Q/\theta$ is onto.
Chapter 3 Observers for State-Event Labeled Transition Systems

In this chapter we introduce strong and weak state-event observers for State-Event Labeled Transition Systems. State output maps and event projections play symmetric roles. Our observers (congruences) induce consistent high-level abstractions (quotients) so that, just as in [ZW90], control designed at the abstract level can be consistently implemented at the detailed (`real-world') level. The development of strong observers and their quotient systems in Section 3.1 parallels the results on indistinguishability of LTS in [Arn94]. On the basis of [KS83], [PT87], [BC89] we are able to appeal to efficient polynomial-time algorithms for computing our observers on finite-state SELTS. We end the section with some minimum realization results. In Section 3.2 the results are extended to the case when there is partial event information as well as partial state information. Section 3.3 provides a simple real-time system as an illustrative example of the theory discussed in the previous sections. We conclude the chapter with some key results on the compositional consistency of strong and weak state-event equivalence that will be used in the chapters on model reduction.
3.1 Strong State-Event Observers

We now wish to generalize the observers for deterministic SELTS with a single transition function to observers for general SELTS with multiple nondeterministic transition relations. In this case it is not only the state output sequences that are important, but also the connecting events (relations). This is illustrated by the following three sequences and their images under the state output map $P : Q \to \mathcal{R}$, where $\alpha$ and $\beta$ are two events.
$$\left.\begin{array}{l} q_{11} \stackrel{\alpha}{\rightarrow} q_{12} \stackrel{\beta}{\rightarrow} q_{13} \\ q_{21} \stackrel{\alpha}{\rightarrow} q_{22} \stackrel{\beta}{\rightarrow} q_{23} \\ q_{31} \stackrel{\beta}{\rightarrow} q_{32} \stackrel{\alpha}{\rightarrow} q_{33} \end{array}\right\} \;\stackrel{P}{\mapsto}\; \left\{\begin{array}{l} r_1 \stackrel{\alpha}{\rightarrow} r_1 \stackrel{\beta}{\rightarrow} r_2 \\ r_1 \stackrel{\alpha}{\rightarrow} r_2 \stackrel{\beta}{\rightarrow} r_2 \\ r_1 \stackrel{\beta}{\rightarrow} r_2 \stackrel{\alpha}{\rightarrow} r_2 \end{array}\right. \qquad (3.1)$$
Later $\tau$ will be used to denote unobservable events, but for now we assume that all transitions are observable. In this case the first output sequence differs from the other two in the second state output, while the second and third differ in the ordering of their connecting relations or "events". Thus no two of these sequences of states and connecting events produce identical output sequences.
3.1.1 Compatible Partitions

Congruences are defined only for transition functions, but we are now dealing with nondeterministic transition relations, so we must find a class of partitions that plays the role of congruences for nondeterministic relations.

Definition 3.1 Given a SELTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0, P\rangle$, a partition $\theta \in \mathrm{Eq}(Q)$ is a compatible partition for $\mathcal{Q}$ if for all $\sigma \in \Sigma$, whenever $q, q'$ are in the same partition block (cell) $C_i$, then for any block $C_j$ of $\theta$,
$$\sigma(q) \cap C_j \neq \emptyset \quad\text{iff}\quad \sigma(q') \cap C_j \neq \emptyset.$$
The set of all compatible partitions for the SELTS $\mathcal{Q}$ will be denoted by $\mathrm{CP}(\mathcal{Q})$.

From the above definition we see that for $\theta \in \mathrm{CP}(\mathcal{Q})$, if $(q, q') \in \theta$ and $q \stackrel{\sigma}{\rightarrow} q_1$ then there exists $q_1'$ such that $q' \stackrel{\sigma}{\rightarrow} q_1'$ and $(q_1, q_1') \in \theta$. The reader familiar with Milner's observation equivalence will note that compatible partitions are special cases of bisimulation relations and have been used for the efficient computation of (event) observation equivalence of LTS [KS83], [BC89]. We will have more to say about this later. First we will see if $\mathrm{CP}(\mathcal{Q})$ has any special algebraic structure. In the case of congruences, $\mathrm{Con}(\mathcal{Q})$ forms a complete sublattice of $\mathrm{Eq}(Q)$, so perhaps we can expect something similar for $\mathrm{CP}(\mathcal{Q})$. Consider Figure 3.1. It is easy to verify that $\theta_1$, $\theta_2$ and $\theta_1 \vee \theta_2$ are compatible partitions of the given SELTS but $\theta_1 \wedge \theta_2$ is not. Thus $\mathrm{CP}(\mathcal{Q})$ is not closed under the $\wedge$ operation of $\mathrm{Eq}(Q)$. The following lemma claims that $\mathrm{CP}(\mathcal{Q})$ is closed under the $\vee$ operator of $\mathrm{Eq}(Q)$, so although $\mathrm{CP}(\mathcal{Q})$ is not a complete sublattice of $\mathrm{Eq}(Q)$, it does retain the complete join semilattice property of $\mathrm{Con}(\mathcal{Q})$ that was used in defining state observers in Section 2.3. We were led to expect a join semilattice structure for defining observers on systems with nondeterministic transition relations from Wong's investigation of the algebraic properties of hierarchy in [Won94].

Figure 3.1: Compatible partitions are closed under $\vee$ but not $\wedge$. [Figure omitted. It shows one SELTS with the four partitions $\theta_1$, $\theta_2$, $\theta_1 \vee \theta_2$ and $\theta_1 \wedge \theta_2$ drawn on it.]

Lemma 3.2 For a given SELTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0, P\rangle$, the set of compatible partitions for $\mathcal{Q}$, $\mathrm{CP}(\mathcal{Q})$, forms a complete subsemilattice (with respect to join) of $\mathrm{Eq}(Q)$, the lattice of equivalence relations on $Q$.

Proof: We know that $\mathrm{Eq}(Q)$ is a complete lattice, so it only remains to show that $\mathrm{CP}(\mathcal{Q})$ is closed under arbitrary join operations. Let $\theta_i \in \mathrm{CP}(\mathcal{Q})$ for $i \in I$, where $I$ is an index set, and write $\theta := \bigvee_{i \in I} \theta_i$. Suppose $(a, b) \in \theta$. Then by definition of the join in $\mathrm{Eq}(Q)$ there exist $i_0, i_1, \ldots, i_k \in I$ such that
$$(a, b) \in \theta_{i_0} \circ \theta_{i_1} \circ \cdots \circ \theta_{i_k}.$$
That is, there exist $a_0, \ldots, a_{k+1}$ such that $(a_j, a_{j+1}) \in \theta_{i_j}$ with $a_0 = a$ and $a_{k+1} = b$. Assume that $\sigma(a) \neq \emptyset$ and let $c \in \sigma(a)$. We must show that there exists $d \in \sigma(b)$ such that $(c, d) \in \theta$. Now $(a, a_1) \in \theta_{i_0}$ and $\theta_{i_0} \in \mathrm{CP}(\mathcal{Q})$, so there exists $c_1 \in \sigma(a_1)$ such that $(c, c_1) \in \theta_{i_0}$. Inductively assume there exists $c_j \in \sigma(a_j)$ such that $(c_{j-1}, c_j) \in \theta_{i_{j-1}}$. Then for $(a_j, a_{j+1}) \in \theta_{i_j}$, $\theta_{i_j} \in \mathrm{CP}(\mathcal{Q})$, so there exists $c_{j+1} \in \sigma(a_{j+1})$ such that $(c_j, c_{j+1}) \in \theta_{i_j}$. Thus, by induction, with $a = a_0$, $b = a_{k+1}$ and $d = c_{k+1}$, we have
$$(c, d) \in \theta_{i_0} \circ \theta_{i_1} \circ \cdots \circ \theta_{i_k}$$
and hence we conclude that if $c \in \sigma(a)$ then there exists $d \in \sigma(b)$ such that $(c, d) \in \theta$. The argument is easily reversed by switching $a$ and $b$, giving us the desired result, $\theta \in \mathrm{CP}(\mathcal{Q})$. □
3.1.2 Computation of Strong State-Event Observers

An immediate result of Lemma 3.2 is that for any nonempty subset $F \subseteq \mathrm{CP}(\mathcal{Q})$, there is a unique supremal element $\theta := \sup(F)$ and $\theta \in \mathrm{CP}(\mathcal{Q})$. We are now in a position to characterize a strong state-event observer for any given SELTS.

Definition 3.3 Given a SELTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0, P\rangle$, the strong state-event observer $\theta_s(\mathcal{Q})$ is defined to be
$$\theta_s(\mathcal{Q}) = \sup\{\theta \in \mathrm{CP}(\mathcal{Q}) : \theta \le \ker(P)\}.$$

Note that it is always the case that the trivial "bottom" partition $\bot \in \mathrm{CP}(\mathcal{Q})$, and for any state output map $P : Q \to \mathcal{R}$, $\bot = \ker(\mathrm{id}_Q) \le \ker(P)$, so $\theta_s(\mathcal{Q})$ always exists. When $\mathcal{Q}$ is clear from the context we will simply write $\theta_s$ for $\theta_s(\mathcal{Q})$. As was the case for the state observers of Section 2.3, $\theta_s$ is the coarsest compatible partition of $\mathcal{Q}$ that is finer than the equivalence kernel of the system's state output map $P$. Thus for $(q, q') \in \theta_s$ we have $P(q) = P(q')$, so $q$ and $q'$ produce the same current state output. Now suppose that $q \stackrel{\sigma}{\rightarrow} q_1$, thereby producing event output $\sigma$ and state output $P(q_1)$. Since $\theta_s \in \mathrm{CP}(\mathcal{Q})$ there exists $q_1' \in \sigma(q')$ such that $(q_1, q_1') \in \theta_s$. Hence $q' \stackrel{\sigma}{\rightarrow} q_1'$ and $P(q_1) = P(q_1')$, so $q'$ can generate identical state and event outputs to $q$. As was the case with state observers, $\theta_s$ represents the minimum information one needs about the current state to be able to predict all possible future state and event outputs. We say "possible" future outputs since the general SELTS dealt with by state-event observers are nondeterministic. Hence knowing the cell of $\theta_s$ that a state belongs to lets one know what may happen, not what will happen, in contrast with the case of the state observers for deterministic SELTS.

The Relational Coarsest Partition problem (RCP) (as stated in [KS83]) can be phrased: "Given a LTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0\rangle$ and $\theta_0$, an initial partition of $Q$, find the coarsest compatible partition of $\mathcal{Q}$ that is finer than $\theta_0$ (i.e. find $\sup\{\theta \in \mathrm{CP}(\mathcal{Q}) : \theta \le \theta_0\}$)." Thus $\theta_s$ is the solution to the RCP with $\theta_0 := \ker(P)$. In the special case when $\theta_0 = \ker(P) = \top$ (no state information is provided by the state output map), the solution of the RCP is Milner's strong observation equivalence $\sim$ [KS83]. Therefore when there are only event outputs and no state outputs, our strong state-event observers reduce to Milner's strong observation equivalence.

An $O(m \log n)$ algorithm, where $m$ is the size of $R$ (the number of related pairs) and $n = |Q|$, for computing $\sim$ for finite state LTS, based upon Paige and Tarjan's solution to the (mono-)RCP (RCP with only one relation present) [PT87], can be found in [BC89]. In this case $\theta_0$ is, of course, $\top$. This algorithm is easily adapted to computing $\theta_s$ without any change in complexity (assuming $\ker(P)$ is provided) by allowing the initial partition for the RCP to be $\ker(P)$ which, in general, is not $\top$. This close connection with $\sim$ leads us to write $q \equiv_{se} q'$ when $(q, q') \in \theta_s$ and say that $q$ is strong state-event observation equivalent to $q'$. What differentiates our work from that of [KS83] and [BC89] is the use, as suggested in [Arn94], of a nontrivial initial partition in the RCP, to consider both event and state outputs. The consideration of both state and event outputs takes on greater significance when we consider weak state-event observers in the next section. With little additional effort we can adapt [KS83] and [BC89] to provide an efficient algorithm for computing weak state-event observers.
3.1.3 Strong Quotient Systems and Homomorphisms

As a generalization of congruences, we might expect that compatible partitions can be used to construct quotient systems of nondeterministic SELTS (and their underlying LTS).

Definition 3.4 Given a SELTS $\mathcal{Q} := \langle Q, \Sigma, R, q_0, P\rangle$, for $\theta \in \mathrm{CP}(\mathcal{Q})$ such that $\theta \le \ker(P)$, we define the quotient system of $\mathcal{Q}$ by $\theta$, $\mathcal{Q}/\theta$, as follows:
$$\mathcal{Q}/\theta := \langle Q/\theta, \Sigma, R/\theta, q_0/\theta, P_\theta\rangle.$$
Here $q_0/\theta$ denotes the cell of the partition $\theta$ containing $q_0$ and $Q/\theta$ denotes the set of all cells of $\theta$. For $\sigma \in \Sigma$, the transition relations of $R/\theta$ are defined as
$$(\mathcal{Q}/\theta)_\sigma(q/\theta) = \mathcal{Q}_\sigma(q)/\theta = \{q_1/\theta \in Q/\theta : q_1 \in \mathcal{Q}_\sigma(q)\}.$$
$P_\theta : Q/\theta \to \mathcal{R}$ is the unique map such that $P = P_\theta \circ \theta$.

The existence of $P_\theta$ follows from the fact that $\theta \le \ker(P)$, while uniqueness is guaranteed by the fact that $\theta : Q \to Q/\theta$ is onto. That $(\mathcal{Q}/\theta)_\sigma(q/\theta)$ does not depend on the representative $q$ chosen from the cell is exactly the compatibility condition of Definition 3.1. The remainder of this section is dedicated to proving that the quotient system generated by the compatible partition $\theta_s$ is the "unique" (up to isomorphism) minimal state SELTS that is strongly state-event (observationally) equivalent to the original system. To do this we first have to have a definition of when two SELTS are state-event equivalent.
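The objects of Definitions 3.1, 3.3 and 3.4, as an added worked example in Python (not the thesis's code): `is_compatible` is Definition 3.1, `strong_observer` computes $\theta_s$ as the RCP solution by refining $\ker(P)$ until the partition is compatible (a correct fixed-point iteration, not the $O(m \log n)$ algorithm of [PT87]/[BC89]), `join` and `meet` are the lattice operations of $\mathrm{Eq}(Q)$, and `quotient` builds $\mathcal{Q}/\theta$. The systems `OBS`, `OBS2` and `FIG31` and the partitions `TH1`, `TH2` are constructed for this example; `FIG31` is not the SELTS of Figure 3.1, only one exhibiting the same closure property.

```python
"""Strong state-event observer theta_s and quotient systems (Definitions 3.1, 3.3, 3.4).
Added example, not the thesis's code.  A SELTS is (states, events, trans, q0, P) with
trans[sigma] a set of (q, q') pairs; a partition is a frozenset of frozenset cells.
theta_s is obtained by naive signature refinement of ker(P), not by the Paige-Tarjan
algorithm the text cites.  The sample systems below are constructed for this example.
"""


def succ(selts, sigma, q):
    return {t for (s, t) in selts[2].get(sigma, set()) if s == q}


def cell_of(partition, q):
    for cell in partition:
        if q in cell:
            return cell
    raise KeyError(q)


def kernel(states, f):
    """ker(f): the partition of states into groups with equal f-value."""
    groups = {}
    for q in states:
        groups.setdefault(f(q), set()).add(q)
    return frozenset(frozenset(g) for g in groups.values())


def finer_than(p1, p2):
    """p1 <= p2: every cell of p1 lies inside some cell of p2."""
    return all(any(c <= d for d in p2) for c in p1)


def is_compatible(selts, partition):
    """Definition 3.1: states sharing a cell reach exactly the same cells under each event."""
    _, events, _, _, _ = selts
    for cell in partition:
        for sigma in events:
            hit = {frozenset(cell_of(partition, t) for t in succ(selts, sigma, q)) for q in cell}
            if len(hit) > 1:
                return False
    return True


def strong_observer(selts):
    """theta_s = sup{theta in CP(Q) : theta <= ker(P)}: split cells by current cell and
    the cells reached per event until nothing splits (the RCP with theta_0 = ker(P))."""
    states, events, _, _, P = selts
    theta = kernel(states, P)
    while True:
        def signature(q, theta=theta):
            return (cell_of(theta, q),) + tuple(
                frozenset(cell_of(theta, t) for t in succ(selts, s, q)) for s in sorted(events))
        finer = kernel(states, signature)
        if finer == theta:          # fixed point: compatible, still finer than ker(P), coarsest
            return theta
        theta = finer


def join(p1, p2, states):
    """theta_1 v theta_2 in Eq(Q): transitive closure of the union, via union-find."""
    parent = {q: q for q in states}

    def find(q):
        while parent[q] != q:
            parent[q] = parent[parent[q]]
            q = parent[q]
        return q
    for cell in list(p1) + list(p2):
        rep = next(iter(cell))
        for q in cell:
            parent[find(q)] = find(rep)
    return kernel(states, find)


def meet(p1, p2):
    """theta_1 ^ theta_2 in Eq(Q): nonempty pairwise intersections of cells."""
    return frozenset(a & b for a in p1 for b in p2 if a & b)


def quotient(selts, theta):
    """Definition 3.4: Q/theta for theta in CP(Q) with theta <= ker(P)."""
    states, events, trans, q0, P = selts
    if not (is_compatible(selts, theta) and finer_than(theta, kernel(states, P))):
        raise ValueError("theta must be compatible and finer than ker(P)")
    qtrans = {s: {(cell_of(theta, a), cell_of(theta, b)) for (a, b) in pairs}
              for s, pairs in trans.items()}
    outputs = {cell: P(next(iter(cell))) for cell in theta}   # well defined: theta <= ker(P)
    return (set(theta), events, qtrans, cell_of(theta, q0), outputs.__getitem__)


# Constructed: a nondeterministic branch whose two arms are indistinguishable through P ...
OBS = ({"s0", "s1", "s2", "s3", "s4"}, {"a", "b"},
       {"a": {("s0", "s1"), ("s0", "s2")}, "b": {("s1", "s3"), ("s2", "s4")}},
       "s0", {"s0": 0, "s1": 1, "s2": 1, "s3": 2, "s4": 2}.__getitem__)
# ... and the same structure with an output map that tells s3 and s4 apart.
OBS2 = OBS[:4] + ({"s0": 0, "s1": 1, "s2": 1, "s3": 2, "s4": 3}.__getitem__,)
# Constructed: two compatible partitions whose join is compatible but whose meet is not.
FIG31 = ({"a", "b", "x", "y", "z", "w"}, {"s"},
         {"s": {("a", "x"), ("a", "w"), ("b", "y"), ("b", "z")}}, "a", lambda q: 0)
TH1 = frozenset(map(frozenset, [{"a", "b"}, {"x", "y"}, {"z", "w"}]))
TH2 = frozenset(map(frozenset, [{"a", "b"}, {"x", "z"}, {"y", "w"}]))

if __name__ == "__main__":
    theta = strong_observer(OBS)
    print(sorted(sorted(c) for c in theta), len(strong_observer(OBS2)))
    print(is_compatible(FIG31, join(TH1, TH2, FIG31[0])), is_compatible(FIG31, meet(TH1, TH2)))
```

For `OBS` the observer merges the two arms into three cells, and a second run on `quotient(OBS, strong_observer(OBS))` returns the bottom partition, which is the content of Lemma 3.12 later in this section; distinguishing $P(s_3)$ from $P(s_4)$ in `OBS2` propagates backwards through the `b` transitions and leaves all five states separate, which is how a nontrivial initial partition changes the RCP solution.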
As was the case with observation equivalence in [DeN87], strong state-event observation equivalence can be extended to a relation $\equiv_{se}$ between two disjoint SELTS, SELTS having disjoint state sets and state output maps. This is done by forming the union of the transition systems and the disjoint union of the original systems' state output maps. The two SELTS are then strongly state-event equivalent iff their initial states are strongly state-event observationally equivalent in the union system. More formally,

Definition 3.5 Given two disjoint SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma_i, R_i, q_{i0}, P_i\rangle$ with state output maps $P_i : Q_i \to \mathcal{R}$ for $i = 1, 2$, we define the union of $\mathcal{Q}_1$ and $\mathcal{Q}_2$ to be
$$\mathcal{Q}_1 \sqcup \mathcal{Q}_2 := \langle Q_1 \cup Q_2, \Sigma_1 \cup \Sigma_2, R_1 \cup R_2, q_{10}, P_1 \sqcup P_2\rangle,$$
where $R_1 \cup R_2$ contains, for each $\sigma \in \Sigma_1 \cup \Sigma_2$, the union of the $\sigma$-transition relations of the two systems. Here the disjoint union of the state output functions, $P_1 \sqcup P_2 : Q_1 \cup Q_2 \to \mathcal{R}$, is given by
$$(P_1 \sqcup P_2)(q) = \begin{cases} P_1(q) & \text{for } q \in Q_1 \\ P_2(q) & \text{for } q \in Q_2. \end{cases}$$
We then say that $\mathcal{Q}_1$ is strongly state-event equivalent to $\mathcal{Q}_2$, written $\mathcal{Q}_1 \equiv_{se} \mathcal{Q}_2$, iff $(q_{10}, q_{20}) \in \theta_s(\mathcal{Q}_1 \sqcup \mathcal{Q}_2)$.
In the definition of $\mathcal{Q}_1 \sqcup \mathcal{Q}_2$ we have made the arbitrary choice of $q_{10}$ as the initial state. We could just as easily use $q_{20}$ as the initial state. Either one will do for our purposes of proving properties of quotient systems.

The notion of a homomorphism of a SELTS will, of course, play a central role in obtaining our results about quotient systems. The nondeterministic transition relations lead us to extend the notion of homomorphism in much the same way that we extended congruences of deterministic SELTS to compatible partitions of nondeterministic SELTS. Figure 3.2 illustrates the idea of a SELTS homomorphism. Any $\sigma$ move in the low level system can be matched by a $\sigma$ move in the high level system and vice versa. In addition, for a mapping to be a SELTS homomorphism, we also require that the initial state of the low level SELTS be mapped to the initial state of the high level SELTS. In the definition of a SELTS homomorphism we use the fact that any function $h : Q_1 \to Q_2$ induces a function at the power set level using the lifting operator, $h^* : \mathcal{P}(Q_1) \to \mathcal{P}(Q_2)$ (see Subsection 2.1.2).

Figure 3.2: Graphical interpretation of a SELTS homomorphism. [Figure omitted. It shows a low level system $\mathcal{Q}_1$ with $a$ and $b$ transitions mapped by $h$ onto a high level system $\mathcal{Q}_2$ whose $a$ and $b$ transitions match them.]

Definition 3.6 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma, R_i, q_{i0}, P_i\rangle$ with $P_i : Q_i \to \mathcal{R}$ for $i = 1, 2$, a mapping $h : Q_1 \to Q_2$ is a SELTS homomorphism from $\mathcal{Q}_1$ to $\mathcal{Q}_2$ if
(i) $h(q_{10}) = q_{20}$,
(ii) for all $\sigma \in \Sigma$, $h^* \circ \mathcal{Q}_{1\sigma} = \mathcal{Q}_{2\sigma} \circ h$, and
(iii) $P_1 = P_2 \circ h$.
In this case we will write $h : \mathcal{Q}_1 \to \mathcal{Q}_2$. Henceforth homomorphism will be understood to mean SELTS homomorphism. Any map satisfying (i) and (ii) will be said to be a LTS homomorphism of the SELTS's underlying LTS.

The relationships between the various maps for a SELTS homomorphism are displayed as the commutative diagram of Figure 3.3.

Figure 3.3: Commutative diagram for a SELTS homomorphism. [Diagram omitted. Its arrows are $P_1 : Q_1 \to \mathcal{R}$, $h : Q_1 \to Q_2$, $P_2 : Q_2 \to \mathcal{R}$, $\mathcal{Q}_{1\sigma} : Q_1 \to \mathcal{P}(Q_1)$, $h^* : \mathcal{P}(Q_1) \to \mathcal{P}(Q_2)$ and $\mathcal{Q}_{2\sigma} : Q_2 \to \mathcal{P}(Q_2)$; the two squares commute as stated in (ii) and (iii).]

Typically, the composition of homomorphisms is also a homomorphism. SELTS homomorphisms are no exception in this regard.
Lemma 3.7 Given SELTS homomorphisms $h_1 : \mathcal{Q}_1 \to \mathcal{Q}_2$ and $h_2 : \mathcal{Q}_2 \to \mathcal{Q}_3$, $h_2 \circ h_1 : \mathcal{Q}_1 \to \mathcal{Q}_3$. That is, $h_2 \circ h_1 : Q_1 \to Q_3$ is a SELTS homomorphism.

Proof: The composition $h_1$ followed by $h_2$ takes the initial state of $\mathcal{Q}_1$ to the initial state of $\mathcal{Q}_3$, as $h_2 \circ h_1(q_{10}) = h_2(h_1(q_{10})) = h_2(q_{20}) = q_{30}$, since $h_1$ and $h_2$ are homomorphisms from $\mathcal{Q}_1$ to $\mathcal{Q}_2$ and from $\mathcal{Q}_2$ to $\mathcal{Q}_3$ respectively. Similarly for the state output maps, $P_1 = P_2 \circ h_1 = (P_3 \circ h_2) \circ h_1 = P_3 \circ (h_2 \circ h_1)$. Thus we need only show that $(h_2 \circ h_1)^* \circ \mathcal{Q}_{1\sigma} = \mathcal{Q}_{3\sigma} \circ (h_2 \circ h_1)$:
$$\begin{array}{rcll} (h_2 \circ h_1)^* \circ \mathcal{Q}_{1\sigma} &=& h_2^* \circ h_1^* \circ \mathcal{Q}_{1\sigma} & \text{by Claim 2.3} \\ &=& h_2^* \circ (h_1^* \circ \mathcal{Q}_{1\sigma}) \\ &=& h_2^* \circ (\mathcal{Q}_{2\sigma} \circ h_1) & \text{by def. of SELTS homomorphism} \\ &=& (h_2^* \circ \mathcal{Q}_{2\sigma}) \circ h_1 \\ &=& (\mathcal{Q}_{3\sigma} \circ h_2) \circ h_1 & \text{by def. of SELTS homomorphism} \\ &=& \mathcal{Q}_{3\sigma} \circ (h_2 \circ h_1). \end{array}$$
□
QQ If
Q Q Q! h
is a homomorphic image of 1 , any event and associated state output change in 1 can be matched in 2 . This situation leads us to expect that homomorphisms and compatible partitions are closely related. This relationship is the subject of the following three lemmas. 2
QQ
Lemma 3.8 Given a SELTS := Q R q0 P i, any 2 CP ( ) de nes a (nat
Q
ural) LTS homomorphism : Q system =.
Q= of the underlying LTS of
and its quotient
Q
Proof: Let : Q ! Q= be the map that takes each element of Q to its cell. Then
by de nition of = we have (q0 ) = q0=. It remains to show that for any 2 and any q 2 Q we have (Q (q)) = Q= ((q))
Q
0 Let x0 2 (Q (q)). Then there exists q0 2 Q (q) with (q0) = x0. But q! q and hence (q)!(q0 ) in = by de nition. Thus x0 = (q0) 2 Q= ((q)) giving
(Q (q)) Q= ((q))
Reversing the above argument gives the desired result.
Q !Q
Q
2
Corollary 3.9 For state output map P : Q ! R, if 2 f 2 CP ( ) : ker(P )g then :
= is a SELTS homomorphism.
The above lemma shows us that any compatible partition de nes a LTS homomorphism and any compatible partition ner than the equivalence kernel of the state output map results in a SELTS homomorphism. The next lemma demonstrates that there is a compatible partition associated with every LTS homomorphism.
Q
Q
Lemma 3.10 If h : Q1 ! Q2 is a LTS homomorphism for the underlying transition systems of
i
:= hQi Ri q0i Pii for i = 1 2, then ker(h) 2 CP ( 1 ).
Proof: Suppose (q q0) 2 ker(h). We want to show that if q! q1 , then there exists 0 q10 2 Q1 such that q0! q1 and (q1 q10 ) 2 ker(h).
50
Clearly h(q1 ) 2 h(Q1 (q)). But h is a LTS homomorphism and h(q) = h(q0) so
h(Q1 (q)) = Q2 (h(q)) = Q2 (h(q0 )) = h(Q1 (q0))
Q
And h(q1) 2 h(Q1 (q0 )) i there exists q10 2 Q1 (q0) such that h(q10 ) = h(q1 ). Thus 0 (q1 q10 ) 2 ker(h) and q0! q1. Hence ker(h) 2 CP ( 1 ). 2
Qg ! Q
Q
Corollary 3.11 If h :
CP ( ) : ker(P1)
1
2
is a SELTS homomorphism, then ker(h)
2 f 2
Q
We can now talk about output compatible partitions { those partitions of a SELTS that correspond to the kernel of a homomorphism of the SELTS . The next lemma states that the only output compatible partition of the quotient system generated by s is the trivial partition . Thus any homomorphism of =s is an isomorphism.
Q
Q
Lemma 3.12 If := hQ R q0 P i is an SELTS then
Q
f 2 CP (
QQ
=s ) : ker(Ps )g = fg
Q !Q Qg
Proof: Suppose 2 CP ( =s ) ker(Ps ). By Lemma 3.7 s :
( =s )= is a SELTS homomorphism of . Therefore ker( s ) 2 CP ( ) and ker( s ) ker(P ) by Corollary 3.11. But s = sup(f 2 CP ( ) : ker(P ) ) so ker( s) ker(s). Thus ker( s ) = ker(s) which implies = . 2
We are now ready to prove the main result of this section, which states that two SELTS are strongly state-event equivalent iff they share an output compatible homomorphic image. As a corollary to this theorem, with the help of Lemma 3.12, we obtain the result that when $\mathbf{Q}$ is reachable, $\mathbf{Q}/\pi_s$ is the unique minimal state SELTS that is strongly state-event equivalent to $\mathbf{Q}$.
Theorem 3.13 For two disjoint SELTS $\mathbf{Q}_1$ and $\mathbf{Q}_2$ as in Definition 3.6, we have $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ iff there exists a SELTS $\mathbf{Q}_3$ for which there are homomorphisms $h_1 : \mathbf{Q}_1 \to \mathbf{Q}_3$ and $h_2 : \mathbf{Q}_2 \to \mathbf{Q}_3$.

Proof: (if) Let $h := h_1 \cup h_2$ (i.e. $h : Q_1 \cup Q_2 \to Q_3$ is the map such that $h|_{Q_i} = h_i$, $i = 1, 2$). Since $\mathbf{Q}_1$ and $\mathbf{Q}_2$ have disjoint state sets and $h_1$ and $h_2$ are SELTS homomorphisms, it follows that $h : \mathbf{Q}_1 \cup \mathbf{Q}_2 \to \mathbf{Q}_3$ is a homomorphism with $h(q_{10}) = h(q_{20}) = q_{30}$. Therefore $\ker(h) \in \{\pi \in CP(\mathbf{Q}_1 \cup \mathbf{Q}_2) : \pi \le \ker(P_1 \cup P_2)\}$ and $(q_{10}, q_{20}) \in \ker(h)$, which implies that $(q_{10}, q_{20}) \in \pi_s(\mathbf{Q}_1 \cup \mathbf{Q}_2)$. Hence, by definition, $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$.

(only if) Take $\pi = \pi_s(\mathbf{Q}_1 \cup \mathbf{Q}_2)$. By Corollary 3.9, $\varphi_\pi : \mathbf{Q}_1 \cup \mathbf{Q}_2 \to (\mathbf{Q}_1 \cup \mathbf{Q}_2)/\pi$ is a SELTS homomorphism. Take $\mathbf{Q}_3 := (\mathbf{Q}_1 \cup \mathbf{Q}_2)/\pi$, $h_1 := \varphi_\pi|_{Q_1}$ and $h_2 := \varphi_\pi|_{Q_2}$. From the fact that $\mathbf{Q}_1$ and $\mathbf{Q}_2$ have disjoint transition relations, it follows that $h_1$ and $h_2$ are SELTS homomorphisms. $\Box$
Corollary 3.14 For any reachable SELTS $\mathbf{Q}$, the quotient system $\mathbf{Q}/\pi_s$ is the unique (up to isomorphism) minimal state SELTS such that $\mathbf{Q} \sim_{se} \mathbf{Q}/\pi_s$.

Proof: We know that $\varphi_s : \mathbf{Q} \to \mathbf{Q}/\pi_s$ is a homomorphism. Also the identity map on $Q/\pi_s$ is an SELTS homomorphism $I_{Q/\pi_s} : \mathbf{Q}/\pi_s \to \mathbf{Q}/\pi_s$. Thus $\mathbf{Q} \sim_{se} \mathbf{Q}/\pi_s$ by Theorem 3.13. Uniqueness follows from Lemma 3.12. If $\mathbf{Q} \sim_{se} \mathbf{Q}_2$ we may assume that $\mathbf{Q}_2$ is reachable since $\mathbf{Q}$ is reachable; otherwise we can just take the reachable part of $\mathbf{Q}_2$ and it will still be equivalent to $\mathbf{Q}$. It follows that $\mathbf{Q}/\pi_s \sim_{se} \mathbf{Q}_2$, so by Theorem 3.13 there exists $\mathbf{Q}_3$ with SELTS homomorphisms $h_1 : \mathbf{Q}/\pi_s \to \mathbf{Q}_3$ and $h_2 : \mathbf{Q}_2 \to \mathbf{Q}_3$. But by Lemma 3.12 $h_1$ is an isomorphism. Thus $h_1^{-1}$ is a homomorphism and hence so is $h_1^{-1} \circ h_2 : \mathbf{Q}_2 \to \mathbf{Q}/\pi_s$. Therefore $|Q/\pi_s| \le |Q_2|$, giving us uniqueness up to isomorphism. $\Box$
Figure 3.4: State-event equivalent SELTS quotient systems that are not isomorphic (states $q_{10}$ of $\mathbf{Q}_1$ and $q_{20}$, $q_{21}$ of $\mathbf{Q}_2$)

Figure 3.4 demonstrates why we require $\mathbf{Q}$ to be reachable in Corollary 3.14. $\mathbf{Q}_2$ is not reachable and, as can be easily verified, $\mathbf{Q}_2/\pi_s = \mathbf{Q}_2$. But $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ and $|Q_1| < |Q_2|$. From the above result we now derive the more precise result stated in Corollary 3.15: two reachable SELTS are strongly state-event equivalent iff their strong state-event observer quotient systems are isomorphic.
Corollary 3.15 Let $\mathbf{Q}_1$ and $\mathbf{Q}_2$ be reachable SELTS and $\pi_{si} = \pi_s(\mathbf{Q}_i)$, $i = 1, 2$. Then $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ iff $\mathbf{Q}_1/\pi_{s1}$ and $\mathbf{Q}_2/\pi_{s2}$ are isomorphic.

Proof: (only if) By Corollary 3.14, $\mathbf{Q}_1/\pi_{s1} \sim_{se} \mathbf{Q}_2/\pi_{s2}$. Hence by Theorem 3.13 there exists $\mathbf{Q}_3$ with homomorphisms $h_1 : \mathbf{Q}_1/\pi_{s1} \to \mathbf{Q}_3$ and $h_2 : \mathbf{Q}_2/\pi_{s2} \to \mathbf{Q}_3$. But by Lemma 3.12 both $h_1$ and $h_2$ are isomorphisms. Therefore $h_1^{-1} \circ h_2$ is an isomorphism.

(if) Assume $\mathbf{Q}_1/\pi_{s1}$ and $\mathbf{Q}_2/\pi_{s2}$ are isomorphic. Then there exists a homomorphism $h : \mathbf{Q}_1/\pi_{s1} \to \mathbf{Q}_2/\pi_{s2}$. Also, by Corollary 3.9, $\varphi_{si} : \mathbf{Q}_i \to \mathbf{Q}_i/\pi_{si}$ for $i = 1, 2$ are homomorphisms. Thus by Lemma 3.7, $h \circ \varphi_{s1} : \mathbf{Q}_1 \to \mathbf{Q}_2/\pi_{s2}$ is a homomorphism. Since $\varphi_{s2} : \mathbf{Q}_2 \to \mathbf{Q}_2/\pi_{s2}$ is also a homomorphism, we can apply Theorem 3.13 to get $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ as required. $\Box$

The simple SELTS in Figure 3.4 illustrate why both $\mathbf{Q}_1$ and $\mathbf{Q}_2$ are required to be reachable in Corollary 3.15. Clearly for any state output maps such that $P_1(q_{10}) = P_2(q_{20})$ we have $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$, since then $q_{10} \sim_{se} q_{20}$ in $\mathbf{Q}_1 \cup \mathbf{Q}_2$. But in this case both systems are their own quotient systems and are clearly not isomorphic. We now use the result of Corollary 3.15 to prove a version of the "diamond property" of [Arn94] for SELTS homomorphisms. As we will see, the diamond property
is the key to providing the transitivity for the homomorphism version of state-event equivalence. The following corollary states that the diagram of Figure 3.5 commutes.

Figure 3.5: Commutative diagram for the diamond property of SELTS homomorphisms ($h_{12} : \mathbf{Q}_1 \to \mathbf{Q}_2$, $h_{13} : \mathbf{Q}_1 \to \mathbf{Q}_3$, $h_{24} : \mathbf{Q}_2 \to \mathbf{Q}_4$, $h_{34} : \mathbf{Q}_3 \to \mathbf{Q}_4$)
Corollary 3.16 Given any pair of homomorphisms $h_{12} : \mathbf{Q}_1 \to \mathbf{Q}_2$ and $h_{13} : \mathbf{Q}_1 \to \mathbf{Q}_3$, there exists a pair of homomorphisms $h_{24} : \mathbf{Q}_2 \to \mathbf{Q}_4$ and $h_{34} : \mathbf{Q}_3 \to \mathbf{Q}_4$ such that $h_{24} \circ h_{12} = h_{34} \circ h_{13}$.

Proof: If $\mathbf{Q}_2$ and $\mathbf{Q}_3$ are reachable then the result is immediate by Corollary 3.15, since we can take $\mathbf{Q}_4 := \mathbf{Q}_1/\pi_s(\mathbf{Q}_1)$. In this case, for $i = 2, 3$, $\mathbf{Q}_i \sim_{se} \mathbf{Q}_1/\pi_s(\mathbf{Q}_1)$ since $\mathbf{Q}_i \sim_{se} \mathbf{Q}_1$ and $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_1/\pi_s(\mathbf{Q}_1)$. The existence of $h_{24}$ and $h_{34}$ is then guaranteed by Theorem 3.13. The general case is handled in a similar fashion by taking $\mathbf{Q}_4$ to be the strong state-event quotient system of the disjoint union of $\mathbf{Q}_2$ and $\mathbf{Q}_3$. $\Box$
The relationship to transitivity of Figure 3.5 is seen in Figure 3.6, where the diagram of Figure 3.5 occurs as a subdiagram of the larger diagram. This larger diagram is then guaranteed to commute as an immediate result of the previous corollary. Thus SELTS homomorphisms can be used to provide an alternative definition of $\sim_{se}$ by saying that $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ iff there exists a SELTS $\mathbf{Q}_3$ for which there are homomorphisms $h_1 : \mathbf{Q}_1 \to \mathbf{Q}_3$ and $h_2 : \mathbf{Q}_2 \to \mathbf{Q}_3$. For this alternative definition of strong state-event equivalence, reflexivity is guaranteed by the fact that the identity map $id_{Q_1} : \mathbf{Q}_1 \to \mathbf{Q}_1$ is a homomorphism, symmetry follows from the symmetry of the definition, and transitivity follows from Figure 3.6. Theorem 3.13 guarantees that this alternative definition of $\sim_{se}$ coincides with the original compatible partition definition.

Figure 3.6: Commutative diagram for the transitivity of the SELTS homomorphism definition of $\sim_{se}$ (homomorphisms $h_{52} : \mathbf{Q}_5 \to \mathbf{Q}_2$, $h_{12}$, $h_{13}$, $h_{24}$, $h_{34}$ and $h_{63} : \mathbf{Q}_6 \to \mathbf{Q}_3$; the diamond $\mathbf{Q}_1, \mathbf{Q}_2, \mathbf{Q}_3, \mathbf{Q}_4$ of Figure 3.5 is a subdiagram)
3.2 Weak State-Event Observers

Often in Discrete Event Systems it is the case that systems are event rather than time-driven. In this case what is important is the sequence of changes in the outputs, ignoring intermediate states and events that do not generate any new outputs. Before applying this point of view in our state-event setting, we will see how it is applied in the event setting of Milner's weak observation equivalence. Again we will see that (event) observation equivalence becomes the special case of our setting in which $\ker(P) = \top$ (the one-cell partition given by a constant output map).

Consider a LTS $\mathbf{Q} := \langle Q, \Sigma, R, q_0 \rangle$. In the style of [BC89], we assume there is a "silent event" $\tau \in \Sigma$ that represents unobservable actions. We then define the set of observable actions to be $\Sigma_o := \Sigma - \{\tau\}$. This leads to some new relations on $Q$. We say that $q$ moves unobservably (from an event perspective) to $q'$, written $q \Rightarrow q'$, iff there exist $q_0, q_1, \ldots, q_n \in Q$, $n \ge 0$, such that
$$q = q_0 \xrightarrow{\tau} q_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} q_{n-1} \xrightarrow{\tau} q_n = q'.$$
By convention, for any $q \in Q$, $q \Rightarrow q$. For $\sigma \in \Sigma_o$ we can then say that $q$ moves to $q'$ while producing event $\sigma$, written $q \Rightarrow^{\sigma} q'$, iff there exist $q_1, q_2 \in Q$ such that
$$q \Rightarrow q_1 \xrightarrow{\sigma} q_2 \Rightarrow q'.$$
In the weakly observable setting the actions $q \xrightarrow{\tau} q'$ and $q \Rightarrow q'$ are indistinguishable since both produce the single event output $\tau$. For a given $\mathbf{Q}$, these double arrow relations can be used to define a new transition system,
$$\mathbf{Q}' := \langle Q, \Sigma, R', q_0 \rangle$$
where $R'$ is defined as follows. For all $\sigma \in \Sigma_o$, $Q'_\sigma(q) = \{q_1 \in Q : q \Rightarrow^{\sigma} q_1 \text{ in } \mathbf{Q}\}$ and $Q'_\tau(q) = \{q_1 \in Q : q \Rightarrow q_1 \text{ in } \mathbf{Q}\}$. In [KS83], two states are shown to be weakly observation equivalent in $\mathbf{Q}$ in the sense of [Mil80], written $q \approx q'$, iff the states are strongly observation equivalent ($q \sim q'$) in $\mathbf{Q}'$. Thus we have $\approx \,:= \sup(CP(\mathbf{Q}'))$. In this case $\approx$ represents the minimum information one needs about $Q$ to know what choices of future observable events are possible.

We now generalize weak observation equivalence to our state-event setting. Given a SELTS $\mathbf{Q} := \langle Q, \Sigma, R, q_0, P \rangle$ where, as usual, $P : Q \to R$ is the state output map, we assume that the special event $\tau$ represents unobservable events. When a $\tau$ transition occurs, it does not produce an output event, though it may cause a change in the state output. For instance, if $q \xrightarrow{\tau} q'$ and $P(q) = P(q')$ then there is no noticeable change in the system output. If, on the other hand, $q \xrightarrow{\tau} q'$ and $P(q) \ne P(q')$ then although no event is seen to take place, a change in state output takes place when $\tau$ occurs. This leads us to define, for a given SELTS $\mathbf{Q}$, an unobservable move from $q$ to $q'$, written $q \Rightarrow_{se} q'$, iff there exist $q_0, q_1, \ldots, q_n \in Q$, $n \ge 0$, such that
$$q = q_0 \xrightarrow{\tau} q_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} q_{n-1} \xrightarrow{\tau} q_n = q'$$
and for all $j = 0, 1, \ldots, n$ we have $P(q_j) = P(q) = P(q')$. Thus the relation $\Rightarrow_{se}$ is the transitive closure of the $\xrightarrow{\tau}$ relation within each cell of $\ker(P)$.
By convention $q \Rightarrow_{se} q$ always holds. While the $\Rightarrow_{se}$ relation captures a relation which is indistinguishable from the case when $q \xrightarrow{\tau} q'$ and $P(q) = P(q')$, we now wish to define a relation which captures both this case and the case when $q \xrightarrow{\tau} q'$ and $P(q) \ne P(q')$. We say that $q$ moves to $q'$ without an event output, written $q \Rightarrow^{\tau}_{se} q'$, iff $q = q'$ or there exist $q_1, q_2 \in Q$ such that
$$q \Rightarrow_{se} q_1 \xrightarrow{\tau} q_2 \Rightarrow_{se} q'.$$
By definition $q \Rightarrow^{\tau}_{se} q$. The relation $\Rightarrow^{\tau}_{se}$ is the transitive closure of $\xrightarrow{\tau}$ subject to the restriction that at most one boundary of the partition $\ker(P)$ is crossed. If $q \Rightarrow^{\tau}_{se} q'$, then no output events are generated and there is at most one change in the state output. We now define a relation similar to $\Rightarrow^{\tau}_{se}$ except that it produces exactly one event output. For $\sigma \in \Sigma_o$, we say that $q$ moves to $q'$ producing event output $\sigma$, written $q \Rightarrow^{\sigma}_{se} q'$, iff there exist $q_1, q_2 \in Q$ such that
$$q \Rightarrow_{se} q_1 \xrightarrow{\sigma} q_2 \Rightarrow_{se} q'.$$
Thus if $q \Rightarrow^{\sigma}_{se} q'$, then $q$ moves within a cell of $\ker(P)$ via unobservable transitions, then performs a $\sigma$ transition which could possibly (but not necessarily) take us to a new cell of $\ker(P)$, and then the system again moves unobservably via $\tau$ transitions within the current cell. We emphasize that if a boundary of $\ker(P)$ is crossed when $q \Rightarrow^{\sigma}_{se} q'$, then it is only crossed by the $\sigma$ transition.

There are four different types of one step moves that a SELTS can make, and each of these moves can be matched by a double arrow relation defined above. In the following let $q$ and $q'$ be elements of $Q$ such that $P(q) = P(q')$. Then the system can:

1. Make an unobservable transition within a cell of $\ker(P)$ ($q \xrightarrow{\tau} q_1$ and $P(q) = P(q_1)$). State $q'$ can make the move $q' \Rightarrow^{\tau}_{se} q_1'$ with $P(q_1') = P(q_1)$ to produce the same (lack of) output.
2. Make a $\tau$ transition that moves from one cell of $\ker(P)$ to another ($q \xrightarrow{\tau} q_1$ and $P(q) \ne P(q_1)$). State $q'$ can make the move $q' \Rightarrow^{\tau}_{se} q_1'$ with $P(q_1') = P(q_1)$ to produce the same change in state output.
3. Make an observable $\sigma$ transition within a cell of $\ker(P)$ ($q \xrightarrow{\sigma} q_1$ and $P(q) = P(q_1)$). State $q'$ can make the move $q' \Rightarrow^{\sigma}_{se} q_1'$ with $P(q_1') = P(q_1)$ to produce the same event output.
4. Make an observable $\sigma$ transition that moves from one cell of $\ker(P)$ to another ($q \xrightarrow{\sigma} q_1$ and $P(q) \ne P(q_1)$). State $q'$ can make the move $q' \Rightarrow^{\sigma}_{se} q_1'$ with $P(q_1') = P(q_1)$ to produce the same event output and change of state output.

Consider the state-event sequences (3.1) of Section 3.1 from the point of view that only output (observable) events and changes in the state output are important. The first two sequences are indistinguishable when viewed from state and event outputs. In both sequences the $\sigma$ event and the state output change from $r_1$ to $r_2$ occur simultaneously. Hence $q_{11} \Rightarrow^{\sigma}_{se} q_{13}$ and $q_{21} \Rightarrow^{\sigma}_{se} q_{23}$, and in both cases at the output it appears as $r_1 \xrightarrow{\sigma} r_2$. In the case of the third string, the state output changes with the unobservable $\tau$ transition and then the $\sigma$ event occurs. In terms of our newly defined relations $q_{31} \Rightarrow^{\tau}_{se} q_{32} \Rightarrow^{\sigma}_{se} q_{33}$ but not $q_{31} \Rightarrow^{\sigma}_{se} q_{33}$, and so at the outputs the third sequence appears as $r_1 \xrightarrow{\tau} r_2 \xrightarrow{\sigma} r_2$. From a control point of view it is important that an observer be able to distinguish the first two sequences from the third. Assume that $r_2$ is a bad state output that we wish to avoid and that $\sigma$ is a controllable event that can be disabled as in [RW87]. Disabling $\sigma$ prevents state output $r_2$ from occurring in the first two sequences of (3.1) but not in the third sequence! With the above examples in mind, we are ready to define weak state-event observers by first considering the transition system generated by the double arrow relations. We call the transition system generated by the double arrow relations the observational closure of the given SELTS. The observational closure of an SELTS is obtained using the observational closure operator defined below.
Definition 3.17 Given a SELTS $\mathbf{Q} = \langle Q, \Sigma, R, q_0, P \rangle$, the observational closure of $\mathbf{Q}$, denoted $\mathbf{Q}'_{se}$, is given by the observational closure operator $(\cdot)'_{se} : SELTS \to SELTS$ as follows:
$$\mathbf{Q}'_{se} := \langle Q, \Sigma, R', q_0, P \rangle$$
where $R'$ is defined as: for all $\sigma \in \Sigma$, $Q'_{se\,\sigma}(q) = \{q_1 \in Q : q \Rightarrow^{\sigma}_{se} q_1 \text{ in } \mathbf{Q}\}$. Thus $q \xrightarrow{\sigma} q'$ in $\mathbf{Q}'_{se}$ iff $q \Rightarrow^{\sigma}_{se} q'$ in $\mathbf{Q}$.
We will now take the time to establish the idempotence of the observational closure operator for use in later proofs. The result is expected since the observational closure operator performs a variation of transitive closure.

Lemma 3.18 For any SELTS $\mathbf{Q} = \langle Q, \Sigma, R, q_0, P \rangle$ the observational closure operator is idempotent (i.e. $(\mathbf{Q}'_{se})'_{se} = \mathbf{Q}'_{se}$).

Proof: From Definition 3.17 we can see that $\mathbf{Q}'_{se}$ and $(\mathbf{Q}'_{se})'_{se}$ only differ in the definitions of their transition relations, which we will denote by $R'$ and $R''$ respectively. Thus proving the idempotence of the observational closure operator reduces to showing that $R' = R''$.

We trivially have $R' \subseteq R''$ because when $q \xrightarrow{\sigma} q'$ in $\mathbf{Q}'_{se}$, by definition $q \Rightarrow^{\sigma}_{se} q'$ in $\mathbf{Q}'_{se}$ also. Thus by Definition 3.17, $q \xrightarrow{\sigma} q'$ in $(\mathbf{Q}'_{se})'_{se}$.

It remains to show $R'' \subseteq R'$. For any $\sigma \in \Sigma$, if $q \xrightarrow{\sigma} q'$ in $(\mathbf{Q}'_{se})'_{se}$ then $q \Rightarrow^{\sigma}_{se} q'$ in $\mathbf{Q}'_{se}$. Thus there exist $q_1, \ldots, q_m, q_1', \ldots, q_n' \in Q$ such that
$$q \xrightarrow{\tau} q_1 \xrightarrow{\tau} \cdots q_{m-1} \xrightarrow{\tau} q_m \xrightarrow{\sigma} q_1' \xrightarrow{\tau} q_2' \xrightarrow{\tau} \cdots q_{n-1}' \xrightarrow{\tau} q_n' \xrightarrow{\tau} q'$$
in $\mathbf{Q}'_{se}$. Also, for all $i = 1, \ldots, m$ we have $P(q_i) = P(q)$, and for all $j = 1, \ldots, n$ it is the case that $P(q_j') = P(q')$. But $q_a \xrightarrow{\tau} q_b$ in $\mathbf{Q}'_{se}$ with $P(q_a) = P(q_b)$ iff $q_a \Rightarrow_{se} q_b$ in $\mathbf{Q}$, and $q_c \xrightarrow{\sigma} q_d$ in $\mathbf{Q}'_{se}$ iff $q_c \Rightarrow^{\sigma}_{se} q_d$ in $\mathbf{Q}$. Hence
$$q \Rightarrow_{se} q_1 \Rightarrow_{se} \cdots q_{m-1} \Rightarrow_{se} q_m \Rightarrow^{\sigma}_{se} q_1' \Rightarrow_{se} q_2' \Rightarrow_{se} \cdots q_{n-1}' \Rightarrow_{se} q_n' \Rightarrow_{se} q'$$
in $\mathbf{Q}$. But the $\Rightarrow_{se}$ relation is a transitive closure, so
$$q \Rightarrow_{se} q_m \Rightarrow^{\sigma}_{se} q_1' \Rightarrow_{se} q'$$
in $\mathbf{Q}$, and we conclude $q \Rightarrow^{\sigma}_{se} q'$ in $\mathbf{Q}$. Thus, by Definition 3.17, $q \xrightarrow{\sigma} q'$ in $\mathbf{Q}'_{se}$ and so we conclude that $R'' \subseteq R'$. $\Box$
The observational closure operator can now be combined with the previous definition of strong state-event observers to define weak state-event observers.

Definition 3.19 Given a SELTS $\mathbf{Q} = \langle Q, \Sigma, R, q_0, P \rangle$, the weak state-event observer $\pi_w(\mathbf{Q})$ is defined to be
$$\pi_w(\mathbf{Q}) = \sup\{\pi \in CP(\mathbf{Q}'_{se}) : \pi \le \ker(P)\}.$$

By Lemma 3.2 and the fact that $\bot \in \{\pi \in CP(\mathbf{Q}'_{se}) : \pi \le \ker(P)\}$, $\pi_w$ always exists and is unique. Note that in $\mathbf{Q}'_{se}$ the transition relations are dependent upon $P$, so $\pi_w$ is not just Milner's observation equivalence with a different initial partition (as was the case for strong state-event observers). It is easy to see that in the case when $\ker(P) = \top$, $\pi_w$ is in fact $\approx$, Milner's weak observation equivalence, since in that case $\Rightarrow^{\tau}_{se}$ becomes $\Rightarrow$ and $\Rightarrow^{\sigma}_{se}$ becomes $\Rightarrow^{\sigma}$, and hence $\mathbf{Q}'_{se} = \mathbf{Q}'$. As was the case for strong state-event equivalence, when $(q, q') \in \pi_w$ for a given $\mathbf{Q}$, we will write $q \approx_{se} q'$, read "$q$ is weak state-event observation equivalent to $q'$".

The $O(n^3)$ algorithm ($n = |Q|$) for computing Milner's weak observation equivalence of finite state LTS given in [BC89] can be easily adapted to provide an $O(n^3)$ algorithm for $\pi_w$. The increase in complexity over the algorithm for strong state-event observers is the result of having to compute the transitive closure of $\xrightarrow{\tau}$ within each equivalence class (cell) to obtain the relation $\Rightarrow_{se}$ used in constructing $\mathbf{Q}'_{se}$. Once we have $\mathbf{Q}'_{se}$, the $O(m \log n)$ RCP algorithm ($m$ is the size of $R$, the number of related pairs, and $n = |Q|$) of [PT87] can be employed to compute $\pi_w$, giving an overall complexity of $O(n^3 + m \log n)$. If we assume that we are dealing with a fixed event set $\Sigma$, then each event can label at most $n^2$ transitions (each state is connected to all states by every event). Then $m \le |\Sigma| n^2$, hence the complexity of computing $\pi_w$ is $O(n^3)$. Similar to the case of the state observers of Section 2.3 and the strong state-event observers of Section 3.1, $\pi_w$ is the coarsest compatible partition of $\mathbf{Q}'_{se}$ that is
finer than the equivalence kernel of $P$. Although the double arrow relations used to construct $\mathbf{Q}'_{se}$ may or may not cross a boundary of the partition $\ker(P)$, the use of $\ker(P)$ as the initial partition detects when a change in state output occurs. Thus for $(q, q') \in \pi_w$ we have $P(q) = P(q')$, so $q$ and $q'$ produce the same current state output. Now suppose that $q \xrightarrow{\sigma} q_1$ in $\mathbf{Q}$, thereby producing event output $\sigma$ and state output $P(q_1)$. Then $q \Rightarrow^{\sigma}_{se} q_1$ in $\mathbf{Q}$, so $q \xrightarrow{\sigma} q_1$ in $\mathbf{Q}'_{se}$, and since $\pi_w \in CP(\mathbf{Q}'_{se})$ there exists $q_1' \in Q'_{se\,\sigma}(q')$ such that $(q_1, q_1') \in \pi_w$. Hence $q' \xrightarrow{\sigma} q_1'$ in $\mathbf{Q}'_{se}$ and $P(q_1) = P(q_1')$. But then in $\mathbf{Q}$, $q' \Rightarrow^{\sigma}_{se} q_1'$. Thus $q'$ can generate state and event outputs that are indistinguishable from those produced from $q$. As was the case with strong state-event observers, $\pi_w$ represents the minimum information one needs about the current state to be able to predict all possible future changes in state and future event outputs.

Since the weak state-event observer for a SELTS $\mathbf{Q}$ is just the strong state-event observer for $\mathbf{Q}'_{se}$, we can use the results of the previous section to derive similar results about what we will term weak quotient systems. In defining weak quotient systems we use the intuition that in the weakly observable setting the actions $q \xrightarrow{\sigma} q'$ and $q \Rightarrow^{\sigma}_{se} q'$ are indistinguishable.
Definition 3.20 Given a SELTS $\mathbf{Q} := \langle Q, \Sigma, R, q_0, P \rangle$, for $\pi \in CP(\mathbf{Q}'_{se})$ such that $\pi \le \ker(P)$ we define the weak quotient system of $\mathbf{Q}$ by $\pi$ to be $\mathbf{Q}//\pi := \mathbf{Q}'_{se}/\pi$.
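As an added example (not code from the thesis), the following Python models a SELTS as a tuple $\langle Q, \Sigma, R, q_0, P \rangle$ and implements the observational closure of Definition 3.17, the weak state-event observer $\pi_w$ of Definition 3.19 and the weak quotient $\mathbf{Q}//\pi_w$ of Definition 3.20. The RCP step is done by naive signature refinement from $\ker(P)$, not by the $O(m \log n)$ algorithm of [PT87]. The sample SELTS is constructed for this example as the disjoint union of three short sequences in the spirit of (3.1): in the first two the event `sigma` and the output change $r_1 \to r_2$ coincide, in the third a $\tau$ changes the output before `sigma` occurs. The event name `tau`, the state names and the output names are assumptions of the example.

```python
# Added example (not from the thesis): observational closure, weak state-event
# observer pi_w and weak quotient Q//pi_w of a small SELTS (Defs 3.17, 3.19, 3.20).
from collections import namedtuple

TAU = "tau"
# SELTS <Q, Sigma, R, q0, P>: states, events, transitions {(q, sigma, q')}, initial state, output map
SELTS = namedtuple("SELTS", "states events trans q0 P")


def silent_moves(S):
    """q =>_se q': reflexive-transitive closure of tau within each cell of ker(P)."""
    reach = {}
    for q in S.states:
        seen, stack = {q}, [q]
        while stack:
            a = stack.pop()
            for (x, sig, b) in S.trans:
                if x == a and sig == TAU and S.P[b] == S.P[q] and b not in seen:
                    seen.add(b)
                    stack.append(b)
        reach[q] = seen
    return reach


def observational_closure(S):
    """Q'_se: q --sigma--> q' iff q =>_se q1 --sigma--> q2 =>_se q' (Definition 3.17),
    plus the tau self-loop q =>^tau_se q that holds by convention."""
    within = silent_moves(S)
    R = {(q, TAU, q) for q in S.states}
    for q in S.states:
        for q1 in within[q]:
            for (x, sig, q2) in S.trans:
                if x == q1:
                    R.update((q, sig, q3) for q3 in within[q2])
    return SELTS(S.states, S.events, frozenset(R), S.q0, S.P)


def coarsest_compatible_partition(S, init):
    """sup{pi in CP(S) : pi <= init} by signature refinement (a naive RCP solver).
    init maps each state to a block id; the result maps states to refined block ids."""
    block = dict(init)
    while True:
        sig = {q: (block[q], frozenset((s, block[t]) for (x, s, t) in S.trans if x == q))
               for q in S.states}
        ids = {}
        new = {q: ids.setdefault(sig[q], len(ids)) for q in S.states}
        if len(ids) == len(set(block.values())):   # no block was split: fixed point
            return new
        block = new


def weak_observer(S):
    """pi_w(Q) = sup{pi in CP(Q'_se) : pi <= ker(P)} (Definition 3.19)."""
    ker_P = {q: S.P[q] for q in S.states}
    return coarsest_compatible_partition(observational_closure(S), ker_P)


def weak_quotient(S, pi):
    """Q//pi := Q'_se / pi (Definition 3.20); the states are the cells of pi."""
    C = observational_closure(S)
    cells = frozenset(pi.values())
    trans = frozenset((pi[a], s, pi[b]) for (a, s, b) in C.trans)
    P = {pi[q]: S.P[q] for q in S.states}           # well defined because pi <= ker(P)
    return SELTS(cells, S.events, trans, pi[S.q0], P)


def same_cell(S, a, b):
    """a ~_se b (weak state-event observation equivalence) in S."""
    pi = weak_observer(S)
    return pi[a] == pi[b]


# Constructed sample: three sequences r1 -> r2; in q1x and q2x the sigma event and
# the output change coincide, in q3x a tau changes the output before sigma.
EXAMPLE = SELTS(
    states=frozenset("q11 q12 q13 q21 q22 q23 q31 q32 q33".split()),
    events=frozenset([TAU, "sigma"]),
    trans=frozenset([("q11", TAU, "q12"), ("q12", "sigma", "q13"),
                     ("q21", "sigma", "q22"), ("q22", TAU, "q23"),
                     ("q31", TAU, "q32"), ("q32", "sigma", "q33")]),
    q0="q11",
    P={"q11": "r1", "q12": "r1", "q13": "r2", "q21": "r1", "q22": "r2",
       "q23": "r2", "q31": "r1", "q32": "r2", "q33": "r2"})

if __name__ == "__main__":
    pi = weak_observer(EXAMPLE)
    print("cells:", sorted(set(pi.values())), "q11~q21:", same_cell(EXAMPLE, "q11", "q21"),
          "q11~q31:", same_cell(EXAMPLE, "q11", "q31"))
    print("Q//pi_w transitions:", sorted(weak_quotient(EXAMPLE, pi).trans))
```

On this instance `q11` and `q21` land in the same cell while `q31` does not, matching the control argument above: `q31` has a $\tau$ move in the closure that changes the output, which the other two cannot match. Comparing `observational_closure(C).trans` with `C.trans` for `C = observational_closure(EXAMPLE)` checks the idempotence of Lemma 3.18 on the instance, and the same comparison on `weak_quotient(EXAMPLE, pi)` checks Corollary 3.25 below.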
Again we can extend weak state-event observation equivalence to a relation $\approx_{se}$ between SELTS by forming the union of disjoint SELTS (see Definition 3.5).

Definition 3.21 Given two disjoint SELTS $\mathbf{Q}_1 = \langle Q_1, \Sigma, R_1, q_{10}, P_1 \rangle$ and $\mathbf{Q}_2 = \langle Q_2, \Sigma, R_2, q_{20}, P_2 \rangle$ where $P_1 : Q_1 \to R$ and $P_2 : Q_2 \to R$, we say that $\mathbf{Q}_1$ is weakly state-event equivalent to $\mathbf{Q}_2$, written $\mathbf{Q}_1 \approx_{se} \mathbf{Q}_2$, iff $(q_{10}, q_{20}) \in \pi_w(\mathbf{Q}_1 \cup \mathbf{Q}_2)$.
With Milner's (event) observation equivalence, strong equivalence of LTS implies weak equivalence of LTS [Mil89]. A similar situation holds for the state-event equivalence of SELTS.

Lemma 3.22 $\mathbf{Q}_1 \sim_{se} \mathbf{Q}_2$ implies $\mathbf{Q}_1 \approx_{se} \mathbf{Q}_2$.

The above lemma is an immediate result of the fact that when two transition systems with associated state output maps are strongly state-event observation equivalent, any sequence of moves made in one system can be matched by an identical event sequence in the other system producing the same state outputs. We can now prove the main result of this section.
Theorem 3.23 For any reachable SELTS $\mathbf{Q}$, the weak quotient system $\mathbf{Q}//\pi_w$ is a minimal state SELTS such that $\mathbf{Q} \approx_{se} \mathbf{Q}//\pi_w$.

Proof: Let $\pi = \pi_w(\mathbf{Q})$. By Theorem 3.13,
$$\mathbf{Q}'_{se} \sim_{se} \mathbf{Q}'_{se}/\pi = \mathbf{Q}//\pi_w.$$
Then by Lemma 3.22, $\mathbf{Q}'_{se} \approx_{se} \mathbf{Q}//\pi_w$. It then follows from the definition of $\approx_{se}$ that $(\mathbf{Q}'_{se})'_{se} \sim_{se} (\mathbf{Q}//\pi_w)'_{se}$. But by Lemma 3.18, $(\mathbf{Q}'_{se})'_{se} = \mathbf{Q}'_{se}$. Thus $\mathbf{Q}'_{se} \sim_{se} (\mathbf{Q}//\pi_w)'_{se}$ and therefore $\mathbf{Q} \approx_{se} \mathbf{Q}//\pi_w$, as required. The minimality of the state set of $\mathbf{Q}//\pi_w$ follows from Theorem 3.13. $\Box$

In general $\mathbf{Q}//\pi_w$ is one of many possible minimal state SELTS that can be equivalent to $\mathbf{Q}$ but that differ in the definition of their transition relations. Uniqueness of a minimal state equivalent SELTS is lost in the weak state-event observation equivalence setting because of the use of the many-to-one observational closure operator $(\cdot)'_{se}$ in Definition 3.19. Consider Figure 3.7. In this case $\mathbf{Q} \ne \mathbf{Q}'_{se}$, but by Lemma 3.18 $(\mathbf{Q}'_{se})'_{se} = \mathbf{Q}'_{se}$. Thus application of the observational closure operator to $\mathbf{Q}$ and $\mathbf{Q}'_{se}$ produces the same result. In fact, as a result of the following lemma, we can conclude that $\mathbf{Q}//\pi_w$ as defined has the maximum number of transitions.

Figure 3.7: Example illustrating that the observational closure operator is many-to-one (a SELTS $\mathbf{Q}$ with state outputs $r_1$, $r_1$, $r_2$ and its closure $\mathbf{Q}'_{se}$)
Lemma 3.24 Given an SELTS $\mathbf{Q}$ and $\pi \in \{\pi \in CP(\mathbf{Q}'_{se}) : \pi \le \ker(P)\}$, then $(\mathbf{Q}'_{se}/\pi)'_{se} = \mathbf{Q}'_{se}/\pi$.
Proof: In the proof we will use the fact that $\pi$ defines a homomorphism, which we will also denote by $\pi$, $\pi : \mathbf{Q}'_{se} \to \mathbf{Q}'_{se}/\pi$, that maps each state to its cell (equivalence class). As was the case for Lemma 3.18, demonstrating the equality of the transition systems reduces to showing that the transition relations of $\mathbf{Q}//\pi$ contain those of $(\mathbf{Q}'_{se}/\pi)'_{se}$. That is, for any $x, x' \in Q/\pi$ and $\sigma \in \Sigma$, if $x \xrightarrow{\sigma} x'$ in $(\mathbf{Q}'_{se}/\pi)'_{se}$ then we must show that $x \xrightarrow{\sigma} x'$ in $\mathbf{Q}//\pi$.

But if $x \xrightarrow{\sigma} x'$ in $(\mathbf{Q}'_{se}/\pi)'_{se}$ then by Definition 3.17 $x \Rightarrow^{\sigma}_{se} x'$ in $\mathbf{Q}//\pi$. Thus there exist $x_1, \ldots, x_m, x_1', \ldots, x_n' \in Q/\pi$ such that
$$x \xrightarrow{\tau} x_1 \xrightarrow{\tau} \cdots x_{m-1} \xrightarrow{\tau} x_m \xrightarrow{\sigma} x_1' \xrightarrow{\tau} x_2' \xrightarrow{\tau} \cdots x_{n-1}' \xrightarrow{\tau} x_n' \xrightarrow{\tau} x'$$
in $\mathbf{Q}'_{se}/\pi$, and for all $i = 1, \ldots, m$ we have $P(x_i) = P(x)$ and for all $j = 1, \ldots, n$ it is the case that $P(x_j') = P(x')$. But $\pi$ is an epimorphism of SELTS, so $x_a \xrightarrow{\tau} x_b$ in $\mathbf{Q}'_{se}/\pi$ with $P(x_a) = P(x_b)$ iff there exist $q_a, q_b \in Q$ such that $\pi(q_a) = x_a$, $\pi(q_b) = x_b$ and $q_a \xrightarrow{\tau} q_b$ in $\mathbf{Q}'_{se}$. A similar situation holds for any $\sigma$ transition made in $\mathbf{Q}'_{se}/\pi$. Hence there exist $q, q_1, \ldots, q_m, q', q_1', \ldots, q_n' \in Q$ such that $\pi(q) = x$, $\pi(q') = x'$, $\pi(q_i) = x_i$ for $i = 1, \ldots, m$, $\pi(q_j') = x_j'$ for $j = 1, \ldots, n$ and
$$q \xrightarrow{\tau} q_1 \xrightarrow{\tau} \cdots q_{m-1} \xrightarrow{\tau} q_m \xrightarrow{\sigma} q_1' \xrightarrow{\tau} q_2' \xrightarrow{\tau} \cdots q_{n-1}' \xrightarrow{\tau} q_n' \xrightarrow{\tau} q'$$
in $\mathbf{Q}'_{se}$. Thus $q \Rightarrow^{\sigma}_{se} q'$ in $\mathbf{Q}'_{se}$, so by the definition of observational closure $q \xrightarrow{\sigma} q'$ in $(\mathbf{Q}'_{se})'_{se}$. But $(\mathbf{Q}'_{se})'_{se} = \mathbf{Q}'_{se}$ by Lemma 3.18, so $q \xrightarrow{\sigma} q'$ in $\mathbf{Q}'_{se}$. Since $\pi(q) = x$, $\pi(q') = x'$ and $\pi$ is a homomorphism, we can then conclude that $x \xrightarrow{\sigma} x'$ in $\mathbf{Q}'_{se}/\pi$. $\Box$
Corollary 3.25 For any SELTS $\mathbf{Q}$,
$$(\mathbf{Q}//\pi_w)'_{se} = (\mathbf{Q}'_{se}/\pi_w)'_{se} = \mathbf{Q}'_{se}/\pi_w = \mathbf{Q}//\pi_w.$$
Thus the weak quotient system already has an instance of any transition that observational closure would add. The choice of transition relations used in Definition 3.20 was made for its algebraic and computational simplicity. In particular, all the self-looped $\tau$ transitions that result from the observational closure operator allow for the straightforward application of strong state-event equivalence in the definition of weak state-event equivalence. An obvious reduction that one can make in the number of transitions of $\mathbf{Q}//\pi_w$ while still maintaining weak equivalence is to eliminate all self-looped $\tau$ transitions, since these are always added to every state by the observational closure operator. One might then ask if it is possible to find a system with a minimal number of transitions that is still weakly state-event equivalent to $\mathbf{Q}//\pi_w$. To obtain a system that is weak state-event equivalent to the weak quotient system and has a minimum number of transitions would involve the solution of multiple instances of the minimal equivalent digraph problem [AHU83]. A directed graph (or digraph) can be represented as $G := (V, E)$ where $V$ is a set of vertices (states) and $E$ is a set of edges (a transition relation). A graph $G' := (V, E')$ is said to be a minimal equivalent digraph for $G := (V, E)$ if $E'$ is a minimal subset of $E$ such that the transitive closures of $G$ and $G'$ are the same. In [Sah74] the author shows that the problem of finding a minimal equivalent digraph in the general case is NP-complete. Thus there is little hope of finding an efficient algorithm to solve the problem. In obtaining a system with a minimal number of transitions that is weak state-event equivalent to $\mathbf{Q}//\pi_w$, one would have to solve the minimal equivalent digraph problem within each cell of the state output map for the graph with edges representing the silent transition relation $\xrightarrow{\tau}$ (i.e. we have to find the minimum number of $\tau$ transitions that would still generate the same $\Rightarrow_{se}$ relation).

While generating a minimal transition equivalent system could certainly speed up some model checking and supervisory control computations, it appears that the effort required to obtain any such minimal transition system would outweigh any gain in performance resulting from such transition minimization.
3.3 Example: The Weak State-Event Observer of a Simple Real-Time System

In this section we present a small example. The weak state-event observer theory will be applied to the Timed Transition Model (TTM) $M$ of Figure 3.8.

Figure 3.8: Example TTM $M$
$$\alpha := (true,\ z : z \oplus_2 1,\ [0, 1])$$
$$\beta := (z = 0,\ y : y \oplus_3 1,\ [1, \infty])$$
$$\Theta := (y = z = 0)$$

A TTM is a guarded transition system with lower and upper time bounds on the transitions that relate to the number of occurrences of the special transition $tick$. For $M$ there are three transitions, $\alpha$, $\beta$ and $tick$, and two program variables, $y$ and $z$. The initial condition $\Theta$ specifies that $M$ starts with both $y$ and $z$ set to 0. Now consider the transition $\alpha := (true, z : z \oplus_2 1, [0, 1])$. The guard or "enablement condition" of $\alpha$ is $true$, hence the transition is always enabled. When the transition occurs, it has the effect specified by its operation function: in this case $z$ becomes $z \oplus_2 1$ (here $\oplus_n$ denotes addition mod $n$). The lower and upper time bounds for $\alpha$ are 0 and 1 respectively. For $\alpha$ to occur, its guard condition must evaluate to $true$ continuously for at least 0 $tick$ transitions, and if its guard remains $true$ after one $tick$, it will be forced to occur before the next $tick$ event. Since $\alpha$'s guard always evaluates to $true$, the above time bounds force at least one, and up to a finite but unbounded number of, $\alpha$'s to occur between successive $tick$s of the "clock". In the case of $\beta := (z = 0, y : y \oplus_3 1, [1, \infty])$, the value of $z$ must be 0 for at least one $tick$ before $\beta$ can occur. The upper time bound of $\infty$ indicates that even if $\beta$ is continuously enabled for arbitrarily many occurrences of $tick$, it is never forced to occur. If $\beta$ does occur then $y$ changes to $y \oplus_3 1$. The SELTS representing the "trajectories" of $M$ is shown in Figure 3.9. The process of obtaining the SELTS representing the legal trajectories of a TTM is covered
briefly in Section 2.2.3. The interested reader is referred to [Ost89] for complete details of the semantics of TTMs used to obtain the SELTS. Beside each state of the SELTS in Figure 3.9, we write the ordered pair $(y, z)$ to give the current value of the program variables $y$ and $z$. The initial state of the SELTS ($q_0$) is the state with the entering arrow.

Figure 3.9: SELTS generated by TTM $M$ (15 states labelled $(y, z)$: three each of $(0,0)$, $(1,0)$, $(2,0)$ and two each of $(0,1)$, $(1,1)$, $(2,1)$; transitions $\alpha$, $\beta$ and $tick$)

Suppose we are interested in the timed behavior of $M$ under the state output map
$$P(q) := \begin{cases} a & y = 2 \\ b & \text{otherwise.} \end{cases}$$
The SELTS resulting from these state and event observations is shown in Figure 3.10. The dashed line indicates the state partition induced by $P$. States to the left of the dashed line (states 1 to 9 and 15) result in a state output of $b$, while those to the right (states 10 to 14) produce a state output of $a$. In this case the event $tick$ remains observable while $\alpha$ and $\beta$ are replaced in the SELTS with unobservable $\tau$ transitions, since it is only their effect on the state output that is of interest. Once the relations $\Rightarrow^{\tau}_{se}$ and $\Rightarrow^{tick}_{se}$ are determined, we can compute the weak state-event observer $\pi_w$, the refinement of $\ker(P)$ shown as dotted lines in Figure 3.10.

Figure 3.10: $\ker(P)$ and resulting $\pi_w$ for the SELTS generated by TTM $M$ (states numbered 1 to 15 with their $(y, z)$ labels; cell $b$ contains states 1 to 9 and 15, cell $a$ contains states 10 to 14)

To understand how $\pi_w$ is obtained from $\ker(P)$, consider the individual states of the SELTS. States 9 and 14 are the only two states that are the sources of sequences of unobservable transitions that change the state output (e.g. $9 \Rightarrow^{\tau}_{se} 10$ and $P(10) = a \ne P(9)$). All other states must first execute at least one observable $tick$ transition before causing a change in the state output. Hence 9 and 14 are sectioned off from their respective cells of $\ker(P)$. When the relation $\Rightarrow^{tick}_{se}$ is considered, further refinements of $\ker(P)$ result. State 4 can reach state 9 via silent transitions within a cell of $\ker(P)$ and a $tick$ (e.g. $4 \Rightarrow^{tick}_{se} 9$) while also being able to access states 1, 2, 3 and 15, states that cannot reach state 9 via the $\Rightarrow^{tick}_{se}$ relation. As a result 4 is split off from the other states of its cell of $\ker(P)$. The rest of the refinement of $\ker(P)$ proceeds in a similar fashion. It is left to the reader to verify that the partition $\pi_w$ shown in Figure 3.10 is indeed a compatible partition for the relations $\Rightarrow^{\tau}_{se}$ and $\Rightarrow^{tick}_{se}$ as defined in the previous section.
Figure 3.11: Weak quotient system generated by $\pi_w$ (states are the cells of $\pi_w$, labelled by $\ker(P_{Q/\pi_w})$ with outputs $a$ and $b$; observable transitions are $tick$)

Figure 3.11 presents the weak quotient system with respect to the weak state-event observer $\pi_w$ of the SELTS of Figure 3.10. Note that in the weak quotient system there is a single state for each cell of $\pi_w$. The cell containing state 1, the initial state of the original SELTS, becomes the initial state of the quotient system. Also, the map $P_{Q/\pi_w}$ is given by the displayed kernel partition. To simplify the graph for display purposes we have omitted the self-looped $\tau$ transitions that occur for definitional reasons at each state of the weak quotient system.
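As an added example (not code from the thesis), the following Python enumerates the reachable SELTS of the TTM $M$ of Figure 3.8 under the $tick$-bound semantics sketched at the start of this section, and checks the facts about Figures 3.9 and 3.10 stated above: 15 states, and exactly two states (9 and 14 in Figure 3.10, those with $z = 0$ and $y \in \{1, 2\}$ in which $\beta$ is past its lower bound) from which a single unobservable move changes the state output. The clock rule is an assumption of the example, stated in the comments: a transition's clock counts the $tick$s during which its guard has held continuously, resets when the transition fires or its guard becomes false, and $tick$ is blocked while any enabled transition sits at its upper bound; a clock with an infinite upper bound is capped at its lower bound, since larger values are indistinguishable. [Ost89] remains the authority on the full TTM semantics.

```python
# Added example (not from the thesis): enumerate the trajectories of TTM M (Figure 3.8)
# and check the state-count and output-change facts of Figures 3.9 and 3.10.
from collections import deque

INF = float("inf")
NAMES = ("alpha", "beta")
# name -> (guard, operation on (y, z), lower bound, upper bound) as in Figure 3.8
TTM = {
    "alpha": (lambda y, z: True,   lambda y, z: (y, (z + 1) % 2), 0, 1),
    "beta":  (lambda y, z: z == 0, lambda y, z: ((y + 1) % 3, z), 1, INF),
}
THETA = (0, 0)          # initial condition y = z = 0


def P(state):
    """State output map of Section 3.3: a when y = 2, b otherwise."""
    return "a" if state[0] == 2 else "b"


def advance(y, z, clocks, fired=None, tick=False):
    """Assumed clock rule (see lead-in): reset the fired transition and every
    transition whose guard is false in the new state; on a tick advance every
    enabled clock, capped at the upper bound (or the lower bound if it is infinite)."""
    out = []
    for name, c in zip(NAMES, clocks):
        guard, _, lo, hi = TTM[name]
        if name == fired or not guard(y, z):
            out.append(0)
        elif tick:
            out.append(min(c + 1, lo if hi == INF else hi))
        else:
            out.append(c)
    return tuple(out)


def successors(state):
    """One-step moves (event, next state) of M; a state is (y, z, clocks)."""
    y, z, clocks = state
    moves = []
    for name, c in zip(NAMES, clocks):
        guard, op, lo, _ = TTM[name]
        if guard(y, z) and c >= lo:              # enabled and past its lower bound
            ny, nz = op(y, z)
            moves.append((name, (ny, nz, advance(ny, nz, clocks, fired=name))))
    # tick is blocked while an enabled transition sits at its upper bound
    if all(not TTM[n][0](y, z) or c < TTM[n][3] for n, c in zip(NAMES, clocks)):
        moves.append(("tick", (y, z, advance(y, z, clocks, tick=True))))
    return moves


def build_selts():
    """Breadth-first enumeration of M's trajectories: returns (q0, states, transitions)."""
    q0 = (THETA[0], THETA[1], (0, 0))
    states, trans, todo = {q0}, set(), deque([q0])
    while todo:
        s = todo.popleft()
        for ev, t in successors(s):
            trans.add((s, ev, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return q0, states, trans


def output_changing_silent_sources(trans):
    """States from which one unobservable (alpha or beta) move changes P; in
    Figure 3.10 these are the two states split off from ker(P) first (9 and 14)."""
    return {s for (s, ev, t) in trans if ev != "tick" and P(s) != P(t)}


if __name__ == "__main__":
    q0, states, trans = build_selts()
    print(len(states), "states,", len(trans), "transitions,",
          sum(1 for (_, ev, _) in trans if ev == "tick"), "of them tick")
    for s in sorted(output_changing_silent_sources(trans)):
        print("silent output change from (y, z) =", s[:2], "clocks", s[2])
```

Under this rule the enumeration yields the 15 states and 6 $tick$ transitions visible in Figure 3.9, and the two output-changing silent sources are the states $(1, 0)$ and $(2, 0)$ in which both clocks have reached 1 (the only states where $\beta$ may fire and move $y$ into or out of the cell $a$). Feeding the resulting transition set, with `alpha` and `beta` renamed to $\tau$, into a weak observer computation reproduces the refinement of $\ker(P)$ described above.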
3.4 Compositional Consistency

The main goal of this section is to demonstrate that replacing a component system of a synchronous product with a state-event equivalent system results in a composite system that is state-event equivalent to the original synchronous product. The result is that when the properties of interest are preserved by state-event equivalence, one can use the synchronous product of quotient systems in place of the synchronous product of the original systems. This replacement has the potential to result in dramatic state reductions of the models used (e.g. Section 5.3 and [Ost95]). The size of synchronous products typically grows as the product of the sizes of the state sets
of the component systems: thus any state reductions performed before synchronous composition have a multiplicative effect. The equivalence of a system with its quotient system, together with the following results regarding the synchronous composition of equivalent systems, provides us with the means for performing weak, compositionally consistent model reduction for the temporal logic model checking of Chapter 4. Our proofs of the results of this section are greatly simplified by the use of Theorem 3.13. Instead of arguing at the element level to show that a particular partition is an output compatible partition, we are able to argue at the arrow level, demonstrating that certain maps are SELTS homomorphisms.
3.4.1 Strong Compositional Consistency

As was the case with state-event observers, we begin by considering the strong state-event case and then extend the results to the weak state-event setting. The first lemma demonstrates how a homomorphism of a system can be used to construct a homomorphism of the new system created by the synchronous composition of the system with another SELTS. This lemma is followed by a simple corollary which, together with Theorem 3.13, provides the means for proving the main result regarding synchronous composition of strongly state-event equivalent systems.
Lemma 3.26 Given three SELTS $\mathbf{Q}_1$, $\mathbf{Q}_2$ and $\mathbf{Q}$, if $h : \mathbf{Q}_1 \to \mathbf{Q}_2$ is a SELTS homomorphism, then for all $s \subseteq \Sigma$,
$$h \times id_Q : \mathbf{Q}_1\,|[s]|\,\mathbf{Q} \to \mathbf{Q}_2\,|[s]|\,\mathbf{Q}$$
is a SELTS homomorphism (i.e. $h \times id_Q : Q_1 \times Q \to Q_2 \times Q$ is a SELTS homomorphism).

Proof: Since $h$ and $id_Q$ are homomorphisms, $(h \times id_Q)((q_{10}, q_0)) = (q_{20}, q_0)$ and, with the help of Claim 2.5, $(P_2 \times P) \circ (h \times id_Q) = (P_2 \circ h) \times (P \circ id_Q) = P_1 \times P$. All that remains is to show that for all $\sigma \in \Sigma$,
$$(h \times id_Q) \circ (Q_1|[s]|Q)_\sigma = (Q_2|[s]|Q)_\sigma \circ (h \times id_Q).$$
For $(Q_1|[s]|Q)_\sigma$ there are two cases we have to consider.

Case 1: $\sigma \in s$. Then $(Q_1|[s]|Q)_\sigma = Q_{1\sigma} \times Q_\sigma$, so
$$(h \times id_Q) \circ (Q_1|[s]|Q)_\sigma = (h \times id_Q) \circ (Q_{1\sigma} \times Q_\sigma)$$
$$= (h \circ Q_{1\sigma}) \times (id_Q \circ Q_\sigma) \quad \text{by Claim 2.6 (i)}$$
$$= (Q_{2\sigma} \circ h) \times (Q_\sigma \circ id_Q) \quad \text{since } h \text{ and } id_Q \text{ are homomorphisms}$$
$$= (Q_{2\sigma} \times Q_\sigma) \circ (h \times id_Q) \quad \text{by Claim 2.6 (ii)}$$
$$= (Q_2|[s]|Q)_\sigma \circ (h \times id_Q)$$
as required.

Case 2: $\sigma \notin s$. Then $(Q_1|[s]|Q)_\sigma = (Q_{1\sigma} \times id_Q) \cup (id_{Q_1} \times Q_\sigma)$, so
$$(h \times id_Q) \circ (Q_1|[s]|Q)_\sigma = (h \times id_Q) \circ \big((Q_{1\sigma} \times id_Q) \cup (id_{Q_1} \times Q_\sigma)\big)$$
$$= (h \times id_Q) \circ (Q_{1\sigma} \times id_Q)\ \cup\ (h \times id_Q) \circ (id_{Q_1} \times Q_\sigma) \quad \text{by Claim 2.4 (i)}.$$
But
$$(h \times id_Q) \circ (Q_{1\sigma} \times id_Q) = (h \circ Q_{1\sigma}) \times (id_Q \circ id_Q) \quad \text{by Claim 2.6 (i)}$$
$$= (Q_{2\sigma} \circ h) \times (id_Q \circ id_Q) \quad \text{since } h \text{ and } id_Q \text{ are homomorphisms}$$
$$= (Q_{2\sigma} \times id_Q) \circ (h \times id_Q) \quad \text{by Claim 2.6 (ii)}.$$
Similarly,
$$(h \times id_Q) \circ (id_{Q_1} \times Q_\sigma) = (id_{Q_2} \times Q_\sigma) \circ (h \times id_Q).$$
So,
$$(h \times id_Q) \circ (Q_1|[s]|Q)_\sigma = (Q_{2\sigma} \times id_Q) \circ (h \times id_Q)\ \cup\ (id_{Q_2} \times Q_\sigma) \circ (h \times id_Q)$$
$$= \big[(Q_{2\sigma} \times id_Q) \cup (id_{Q_2} \times Q_\sigma)\big] \circ (h \times id_Q) \quad \text{by Claim 2.4 (ii)}$$
$$= (Q_2|[s]|Q)_\sigma \circ (h \times id_Q)$$
as required. $\Box$
Given that a homomorphism $h$ can be used to construct the new homomorphism $h \times id_Q$ of the composed systems, it seems logical to ask whether, for homomorphisms $h_L$, $h_R$, their product $h_L \times h_R$ is a homomorphism of the synchronous product of their associated systems. This question is formalized and answered in the affirmative by the following corollary.
Corollary 3.27 Given SELTS homomorphisms $h_L : \mathbf{Q}_{L1} \to \mathbf{Q}_{L2}$ and $h_R : \mathbf{Q}_{R1} \to \mathbf{Q}_{R2}$, then for any $s \subseteq \Sigma$,
$$h_L \times h_R : \mathbf{Q}_{L1}\,|[s]|\,\mathbf{Q}_{R1} \to \mathbf{Q}_{L2}\,|[s]|\,\mathbf{Q}_{R2}$$
is a SELTS homomorphism.

Proof: Since
$$h_L \times h_R = (h_L \times id_{Q_{R2}}) \circ (id_{Q_{L1}} \times h_R),$$
the result immediately follows from Lemma 3.26 together with the fact that the composition of SELTS homomorphisms is a homomorphism by Lemma 3.7. $\Box$
Figure 3.12: Commutative diagram for Corollary 3.27. The square has vertices $Q_{L1} \times Q_{R1}$ and $\mathcal{P}(Q_{L1} \times Q_{R1})$ on the bottom, $Q_{L2} \times Q_{R2}$ and $\mathcal{P}(Q_{L2} \times Q_{R2})$ on the top, horizontal arrows $(\mathcal{Q}_{L1}\,|[s]|\,\mathcal{Q}_{R1})_\sigma$ and $(\mathcal{Q}_{L2}\,|[s]|\,\mathcal{Q}_{R2})_\sigma$, and vertical arrows $h_L \times h_R$ on states and on subsets of states.

Corollary 3.27 states that the diagram in Figure 3.12 commutes.
For the remainder of this section we assume that we are given SELTS
$$\mathcal{Q}_{Li} = \langle Q_{Li}, \Sigma_i, R_{Li}, q_{Li0}, P_{Li}\rangle \quad\text{with } P_{Li} : Q_{Li} \to R_L \text{ for } i = 1, 2,$$
$$\mathcal{Q}_{Ri} = \langle Q_{Ri}, \Sigma_i, R_{Ri}, q_{Ri0}, P_{Ri}\rangle \quad\text{with } P_{Ri} : Q_{Ri} \to R_R \text{ for } i = 1, 2.$$
Now assume that $I := (s, f_L, f_R)$ with state output synchronization maps $f_L : R_L \to R$ and $f_R : R_R \to R$ is a compatible interface for $\mathcal{Q}_{L1}$ and $\mathcal{Q}_{R1}$. In order to extend the result of Corollary 3.27 on the compositional consistency of event composition to compositional consistency for state-event composition, we combine the above commutative diagram with the commutative diagram in Figure 2.8 relating $|[s]|$ to $|[I]|$ (see Section 2.2.3). We then obtain the commutative diagram shown in Figure 3.13. Here $eq_1$, $eq_2$ are the "projections" resulting from intersection with their respective equalizer sets from the arrow-theoretic definition of $|[I]|$. That is, for $i = 1, 2$,
$$eq_i : \mathcal{P}(Q_{Li} \times Q_{Ri}) \to \mathcal{P}(Q_{Li} \times Q_{Ri}), \qquad A \mapsto A \cap eq(f_L \circ P_{Li} \circ \pi_1,\ f_R \circ P_{Ri} \circ \pi_2)$$
where
$$\begin{aligned}
eq(f_L \circ P_{Li} \circ \pi_1,\ f_R \circ P_{Ri} \circ \pi_2) &= \{(q_{Li}, q_{Ri}) \in Q_{Li} \times Q_{Ri} : f_L \circ P_{Li} \circ \pi_1(q_{Li}, q_{Ri}) = f_R \circ P_{Ri} \circ \pi_2(q_{Li}, q_{Ri})\} \\
&= \{(q_{Li}, q_{Ri}) \in Q_{Li} \times Q_{Ri} : f_L \circ P_{Li}(q_{Li}) = f_R \circ P_{Ri}(q_{Ri})\}.
\end{aligned}$$
Given that the diagrams in Figures 2.8 and 3.12 commute, in order to prove that the diagram in Figure 3.13 commutes, we need only prove that the subdiagram in Figure 3.14 commutes. This is the subject of the following lemma.
Lemma 3.28 The diagram in Figure 3.14 commutes, i.e. $(h_L \times h_R) \circ eq_1 = eq_2 \circ (h_L \times h_R)$.
Figure 3.13: Commutative diagram for Corollary 3.27. The diagram stacks the square of Figure 3.12 on the $|[I]|$ level: $Q_{Li} \times Q_{Ri}$ is mapped by $(\mathcal{Q}_{Li}\,|[s]|\,\mathcal{Q}_{Ri})_\sigma$ into $\mathcal{P}(Q_{Li} \times Q_{Ri})$ and then by $eq_i$ into $\mathcal{P}(Q_{Li} \times Q_{Ri})$ again, the composite being $(\mathcal{Q}_{Li}\,|[I]|\,\mathcal{Q}_{Ri})_\sigma$; the arrows $h_L \times h_R$ connect the $i = 1$ level to the $i = 2$ level.

Figure 3.14: Commutative diagram for Lemma 3.28. The square has vertices $\mathcal{P}(Q_{L1} \times Q_{R1})$ (top and bottom left) and $\mathcal{P}(Q_{L2} \times Q_{R2})$ (top and bottom right), horizontal arrows $h_L \times h_R$ and vertical arrows $eq_1$ and $eq_2$.
Proof: Let $A \subseteq Q_{L1} \times Q_{R1}$ and $(q_{L2}, q_{R2}) \in (h_L \times h_R) \circ eq_1(A)$. Then there exists $(q_{L1}, q_{R1}) \in eq_1(A)$ such that
$$h_L \times h_R(q_{L1}, q_{R1}) = (h_L(q_{L1}), h_R(q_{R1})) = (q_{L2}, q_{R2}). \tag{3.2}$$
Since $(q_{L1}, q_{R1}) \in eq_1(A)$, by the definition of $eq_1$ we know
$$f_L \circ P_{L1}(q_{L1}) = f_R \circ P_{R1}(q_{R1}). \tag{3.3}$$
Thus, using the fact that $h_L$, $h_R$ are homomorphisms so that $P_{L2} \circ h_L = P_{L1}$ and $P_{R2} \circ h_R = P_{R1}$, we have
$$\begin{aligned}
f_L \circ P_{L2}(q_{L2}) &= f_L \circ P_{L2} \circ h_L(q_{L1}) \\
&= f_L \circ P_{L1}(q_{L1}) \\
&= f_R \circ P_{R1}(q_{R1}) && \text{by (3.3)} \\
&= f_R \circ P_{R2} \circ h_R(q_{R1}) \\
&= f_R \circ P_{R2}(q_{R2}).
\end{aligned}$$
By the definition of $eq_2$, if $(q_{L2}, q_{R2}) \in B$ for a given set $B \subseteq Q_{L2} \times Q_{R2}$, then $(q_{L2}, q_{R2}) \in eq_2(B)$. But by (3.2), $(q_{L2}, q_{R2}) \in (h_L \times h_R)(A)$. Thus $(q_{L2}, q_{R2}) \in eq_2 \circ (h_L \times h_R)(A)$, and so
$$(h_L \times h_R) \circ eq_1(A) \subseteq eq_2 \circ (h_L \times h_R)(A).$$
Now assume $(q_{L2}, q_{R2}) \in eq_2 \circ (h_L \times h_R)(A)$. Then by the definition of $eq_2$,
$$f_L \circ P_{L2}(q_{L2}) = f_R \circ P_{R2}(q_{R2}) \tag{3.4}$$
and $(q_{L2}, q_{R2}) \in (h_L \times h_R)(A)$ since $eq_2(B) \subseteq B$. Thus there exists $(q_{L1}, q_{R1}) \in A$ such that (3.2) holds. Again using the fact that $h_L$, $h_R$ are homomorphisms, we have
$$\begin{aligned}
f_L \circ P_{L1}(q_{L1}) &= f_L \circ P_{L2} \circ h_L(q_{L1}) \\
&= f_L \circ P_{L2}(q_{L2}) \\
&= f_R \circ P_{R2}(q_{R2}) && \text{by (3.4)} \\
&= f_R \circ P_{R2} \circ h_R(q_{R1}) \\
&= f_R \circ P_{R1}(q_{R1}).
\end{aligned}$$
Thus $(q_{L1}, q_{R1}) \in eq_1(A)$ by the definition of $eq_1$ and hence $(q_{L2}, q_{R2}) \in (h_L \times h_R) \circ eq_1(A)$. We conclude that
$$(h_L \times h_R) \circ eq_1(A) \supseteq eq_2 \circ (h_L \times h_R)(A),$$
thereby proving the desired result. $\Box$
We are now ready to prove the first of the two main results contained in this section. Theorem 3.29 is the strong version of the result which states that equivalent subsystems may be substituted for the original subsystems in a synchronous product and the resulting new composite system will be equivalent to the composition of the original systems.
Theorem 3.29 Given SELTS $\mathcal{Q}_{Li}$, $\mathcal{Q}_{Ri}$, $i = 1, 2$, as defined above. If $\mathcal{Q}_{L1} \sim_{se} \mathcal{Q}_{L2}$ and $\mathcal{Q}_{R1} \sim_{se} \mathcal{Q}_{R2}$ then for any compatible interface $I := (s, f_L, f_R)$ as defined above,
$$(\mathcal{Q}_{L1}\,|[I]|\,\mathcal{Q}_{R1}) \sim_{se} (\mathcal{Q}_{L2}\,|[I]|\,\mathcal{Q}_{R2}).$$

Proof: By Theorem 3.13, there exist SELTS $\mathcal{Q}_L$ and $\mathcal{Q}_R$ together with homomorphisms $h_{Li} : \mathcal{Q}_{Li} \to \mathcal{Q}_L$ and $h_{Ri} : \mathcal{Q}_{Ri} \to \mathcal{Q}_R$, $i = 1, 2$. Hence
$$\mathcal{Q}_{L1}\,|[I]|\,\mathcal{Q}_{R1} \xrightarrow{\ h_{L1} \times h_{R1}\ } \mathcal{Q}_L\,|[I]|\,\mathcal{Q}_R \xleftarrow{\ h_{L2} \times h_{R2}\ } \mathcal{Q}_{L2}\,|[I]|\,\mathcal{Q}_{R2}$$
by Corollary 3.27 and Lemma 3.28. This then allows us to apply the opposite direction of Theorem 3.13 to obtain the desired result. $\Box$

Theorem 3.29 also includes the pure event synchronous composition operator $|[s]|$ since this is a special case of $|[I]|$ when $f_L$ and $f_R$ are trivial constant state output synchronization maps.
3.4.2 Weak Compositional Consistency By definition, weak state-event equivalence is just strong state-event equivalence of the observational closures of the original systems. Thus we begin this section by investigating the relationship between the observational closure operator $'_{se}$ and the state-event synchronous composition operator $|[I]|$. The event synchronous composition operator can be treated as a special case of state-event composition. What we discover will allow us to reduce the weak compositional consistency problem to a case in which the results for strong compositional consistency can be applied. If the observational closure operator distributed over the synchronous composition operator, then we could use the fact that observational closure is idempotent, together with Theorem 3.13, to obtain a weak version of the previous theorem. Unfortunately observational closure does not distribute over synchronous composition. Consider Figure 3.15. Here we use the event synchronous composition operator with an empty synchronization set $s = \emptyset$. To avoid cluttering the illustration, in the lower two SELTS we do not show the self-looped $\tau$ transitions that are present at every state by the definition of the $'_{se}$ operator. One can easily see that
$$(\mathcal{Q}_1\,|[\emptyset]|\,\mathcal{Q}_2)'_{se} \neq (\mathcal{Q}_1)'_{se}\,|[\emptyset]|\,(\mathcal{Q}_2)'_{se}.$$
In fact, $(\mathcal{Q}_1\,|[\emptyset]|\,\mathcal{Q}_2)'_{se} \not\sim_{se} (\mathcal{Q}_1)'_{se}\,|[\emptyset]|\,(\mathcal{Q}_2)'_{se}$ either! This outcome results from the inability of the distributed observational closure to interleave silent transitions from one subsystem with transitions from the other subsystem. In Figure 3.15 this is reflected by the lack of a $\tau$ transition from $(1, 1)$ to $(2, 2)$ in $(\mathcal{Q}_1)'_{se}\,|[\emptyset]|\,(\mathcal{Q}_2)'_{se}$. A quick inspection of the two composite systems shows that they are weakly state-event
Figure 3.15: Observational closure fails to distribute over synchronous product. (The figure shows the two-state SELTS $\mathcal{Q}_1$ and $\mathcal{Q}_2$, each with states 1 and 2, above the two composite systems $(\mathcal{Q}_1\,|[\emptyset]|\,\mathcal{Q}_2)'_{se}$ and $(\mathcal{Q}_1)'_{se}\,|[\emptyset]|\,(\mathcal{Q}_2)'_{se}$ over the states $(1, 1)$, $(1, 2)$, $(2, 1)$ and $(2, 2)$.)
equivalent since $(\mathcal{Q}_1\,|[\emptyset]|\,\mathcal{Q}_2)'_{se} = ((\mathcal{Q}_1)'_{se}\,|[\emptyset]|\,(\mathcal{Q}_2)'_{se})'_{se}$. In the lemma below we show that this property holds in general for state-event composition.
Lemma 3.30 Let $\mathcal{Q}_L$, $\mathcal{Q}_R$ be SELTS with compatible interface $I := (s, f_L, f_R)$ as defined in Lemma 3.28. If $s \subseteq \Sigma_o$ (i.e. $\tau \notin s$) then
$$(\mathcal{Q}_L\,|[I]|\,\mathcal{Q}_R)'_{se} = ((\mathcal{Q}_L)'_{se}\,|[I]|\,(\mathcal{Q}_R)'_{se})'_{se}.$$

Proof: Let $A := \mathcal{Q}_L\,|[I]|\,\mathcal{Q}_R$ and $B := (\mathcal{Q}_L)'_{se}\,|[I]|\,(\mathcal{Q}_R)'_{se}$. $A$ and $B$ differ only in their sets of transition relations, which we denote by $R_A$ and $R_B$. Clearly $R_A \subseteq R_B$ since the $'_{se}$ operator has the effect of adding transitions to a SELTS, hence the transition relations of the subsystems of $A$ are contained in the transition relations of the corresponding subsystems of $B$. If we denote the sets of transition relations of $A'_{se}$ and $B'_{se}$ by $R_{A'}$ and $R_{B'}$, then $R_A \subseteq R_B$ implies $R_{A'} \subseteq R_{B'}$. Thus to prove $A'_{se} = B'_{se}$, we need only show that $R_{A'} \supseteq R_{B'}$. For this containment, we separate the cases when an event $\sigma \in s$ and $\sigma \notin s$.

Case 1: $\sigma \in s$. Assume that $(q_{L1}, q_{R1}) \xrightarrow{\sigma} (q'_{L1}, q'_{R1})$ in $B'_{se}$. Therefore in $B$, $(q_{L1}, q_{R1}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L1}, q'_{R1})$. That is, there exist $(q_{L2}, q_{R2})$ and $(q'_{L2}, q'_{R2})$ such that in $B$
$$(q_{L1}, q_{R1}) \Rightarrow_{se} (q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2}) \Rightarrow_{se} (q'_{L1}, q'_{R1}).$$
But the $\Rightarrow_{se}$ relation is made up entirely of unobservable transitions that do not change the system's state output and hence are unaffected by the state output synchronization maps. Also, by assumption, $\tau \notin s$, so we can conclude that $q_{x1} \Rightarrow_{se} q_{x2}$ and $q'_{x2} \Rightarrow_{se} q'_{x1}$ in $(\mathcal{Q}_x)'_{se}$ for $x = L, R$. By the idempotence of observational closure we have that for any $\mathcal{Q}$, $q \Rightarrow_{se} q'$ in $\mathcal{Q}$ iff $q \Rightarrow_{se} q'$ in $\mathcal{Q}'_{se}$. Therefore from the above we can conclude that $q_{x1} \Rightarrow_{se} q_{x2}$ and $q'_{x2} \Rightarrow_{se} q'_{x1}$ in $\mathcal{Q}_x$ for $x = L, R$. Again, since $\Rightarrow_{se}$ consists only of transitions that are unaffected by the state output synchronization maps and $\tau \notin s$, we now know that $(q_{L1}, q_{R1}) \Rightarrow_{se} (q_{L2}, q_{R2})$ and $(q'_{L2}, q'_{R2}) \Rightarrow_{se} (q'_{L1}, q'_{R1})$ in $A$. Thus in order to show that $(q_{L1}, q_{R1}) \xrightarrow{\sigma} (q'_{L1}, q'_{R1})$ in $A'_{se}$, all that remains is to show that
$$(q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2}) \text{ in } B \quad\text{implies}\quad (q_{L2}, q_{R2}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L2}, q'_{R2}) \text{ in } A.$$
This follows since $(q_{L1}, q_{R1}) \Rightarrow_{se} (q_{L2}, q_{R2}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L2}, q'_{R2}) \Rightarrow_{se} (q'_{L1}, q'_{R1})$ implies $(q_{L1}, q_{R1}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L1}, q'_{R1})$. Now, by the definition of $|[I]|$, since $(q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2})$ in $B$ and $\sigma \in s$, it must be the case that
$$q_{x2} \xrightarrow{\sigma} q'_{x2} \text{ in } (\mathcal{Q}_x)'_{se} \text{ for } x = L, R \tag{3.5}$$
and
$$f_L \circ P_L(q'_{L2}) = f_R \circ P_R(q'_{R2}). \tag{3.6}$$
But then by (3.5), $q_{x2} \stackrel{\sigma}{\Rightarrow}_{se} q'_{x2}$ in $\mathcal{Q}_x$ for $x = L, R$ (i.e. for $x = L, R$ there exist $q_{x3}$ and $q'_{x3}$ such that $q_{x2} \Rightarrow_{se} q_{x3} \xrightarrow{\sigma} q'_{x3} \Rightarrow_{se} q'_{x2}$ in $\mathcal{Q}_x$). By (3.6) and the fact that $\Rightarrow_{se}$ does not change state outputs we can conclude that $f_L \circ P_L(q'_{L3}) = f_R \circ P_R(q'_{R3})$. But then by the definition of $|[I]|$ we have
$$(q_{L2}, q_{R2}) \Rightarrow_{se} (q_{L3}, q_{R3}) \xrightarrow{\sigma} (q'_{L3}, q'_{R3}) \Rightarrow_{se} (q'_{L2}, q'_{R2}) \text{ in } A,$$
so $(q_{L2}, q_{R2}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L2}, q'_{R2})$ in $A$ and hence $(q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2})$ in $A'_{se}$. This completes our proof for Case 1.

Case 2: $\sigma \notin s$. Again assume that $(q_{L1}, q_{R1}) \xrightarrow{\sigma} (q'_{L1}, q'_{R1})$ in $B'_{se}$. Therefore $f_L \circ P_L(q'_{L1}) = f_R \circ P_R(q'_{R1})$ and in $B$, $(q_{L1}, q_{R1}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L1}, q'_{R1})$. That is, there exist $(q_{L2}, q_{R2})$ and $(q'_{L2}, q'_{R2})$ such that in $B$
$$(q_{L1}, q_{R1}) \Rightarrow_{se} (q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2}) \Rightarrow_{se} (q'_{L1}, q'_{R1}).$$
Since $\sigma \notin s$, it must be the case that $q_{L2} = q'_{L2}$ and $q_{R2} \xrightarrow{\sigma} q'_{R2}$ in $(\mathcal{Q}_R)'_{se}$, or $q_{R2} = q'_{R2}$ and $q_{L2} \xrightarrow{\sigma} q'_{L2}$ in $(\mathcal{Q}_L)'_{se}$. Without loss of generality, assume that $q_{L2} = q'_{L2}$. From our work in Case 1, the problem reduces to showing that $(q_{L2}, q_{R2}) \xrightarrow{\sigma} (q'_{L2}, q'_{R2})$ in $B$ implies $(q_{L2}, q_{R2}) \stackrel{\sigma}{\Rightarrow}_{se} (q'_{L2}, q'_{R2})$ in $A$. The argument is the same as for Case 1 except that we need only concern ourselves with the transition in $(\mathcal{Q}_R)'_{se}$. $\Box$
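The constructions behind Lemma 3.26, Figure 3.15 and Lemma 3.30 can be exercised on small concrete systems. The following Python script is an added example written for this edition of the page; it is not code from the thesis. It assumes the definitions used above: a SELTS homomorphism preserves the initial state, the state output map and the $\sigma$-successor sets; the product $|[I]|$ synchronizes on the events in $s$, interleaves all other events, and admits a move only when the state output synchronization maps agree on the target state; and the observational closure $'_{se}$ (assumed from the description in this section) adds $q \Rightarrow_{se} q'$ as a $\tau$ move, so that every state gets a $\tau$ self-loop, and composes each observable step with output-preserving $\tau$ moves on either side. The unobservable event is named `tau`, the names `SELTS`, `sync`, `closure` and the rest are the example's own, and the sample systems are constructed for it, the two-state ones in the spirit of Figure 3.15.

```python
"""Added example, not from the thesis: an executable model of SELTS, SELTS homomorphisms,
the synchronous product |[I]| and the observational closure '_se.  It checks Lemma 3.26 on
a concrete homomorphism, reproduces the non-distributivity of Figure 3.15 and verifies the
equality of Lemma 3.30.  All names and the sample systems are this example's own."""
from itertools import product

TAU = "tau"  # assumed name for the unobservable event


class SELTS:
    """<Q, Sigma, R, q0, P>: R is a set of (q, sigma, q') triples, P maps states to outputs."""
    def __init__(self, states, events, trans, q0, out):
        self.Q, self.Sigma, self.R = frozenset(states), frozenset(events), frozenset(trans)
        self.q0, self.P = q0, dict(out)

    def step(self, q, sigma):
        """Q_sigma(q): the set of sigma-successors of q."""
        return {n for (p, s, n) in self.R if p == q and s == sigma}


def is_homomorphism(h, M1, M2):
    """h: Q1 -> Q2 (a dict) is a SELTS homomorphism iff h(q10) = q20, P2 o h = P1 and
    h(Q1_sigma(q)) = Q2_sigma(h(q)) for every state q and event sigma (same alphabet)."""
    return (h[M1.q0] == M2.q0
            and all(M2.P[h[q]] == M1.P[q] for q in M1.Q)
            and all({h[n] for n in M1.step(q, s)} == M2.step(h[q], s)
                    for q in M1.Q for s in M1.Sigma))


def sync(L, R, s, fL=lambda o: None, fR=lambda o: None):
    """Q_L |[I]| Q_R for I = (s, fL, fR): events in s move both components, all others
    interleave, and a move is kept only if the target outputs agree under the
    synchronization maps, fL(P_L(qL')) == fR(P_R(qR')).  The default constant maps give
    the pure event product |[s]|."""
    states = set(product(L.Q, R.Q))
    moves = set()
    for (ql, qr) in states:
        for sigma in L.Sigma | R.Sigma:
            if sigma in s:
                moves |= {((ql, qr), sigma, (a, b))
                          for a in L.step(ql, sigma) for b in R.step(qr, sigma)}
            else:
                moves |= {((ql, qr), sigma, (a, qr)) for a in L.step(ql, sigma)}
                moves |= {((ql, qr), sigma, (ql, b)) for b in R.step(qr, sigma)}
    moves = {m for m in moves if fL(L.P[m[2][0]]) == fR(R.P[m[2][1]])}
    return SELTS(states, L.Sigma | R.Sigma, moves, (L.q0, R.q0),
                 {q: (L.P[q[0]], R.P[q[1]]) for q in states})


def silent_reach(M):
    """q =>_se q': reflexive-transitive closure of tau steps that preserve the state output."""
    reach = {q: {q} for q in M.Q}
    changed = True
    while changed:
        changed = False
        for q in M.Q:
            for (p, sigma, n) in M.R:
                if p in reach[q] and sigma == TAU and M.P[p] == M.P[n] and n not in reach[q]:
                    reach[q].add(n)
                    changed = True
    return reach


def closure(M):
    """Q'_se (assumed definition): q --tau--> q' iff q =>_se q', which puts a tau self-loop
    at every state, and q --sigma--> q' iff q =>_se --sigma--> =>_se q' for every step that
    is observable, i.e. not a tau step, or a tau step that changes the state output."""
    reach = silent_reach(M)
    moves = set()
    for q in M.Q:
        for q2 in reach[q]:
            moves.add((q, TAU, q2))
            for (p, sigma, n) in M.R:
                if p == q2 and (sigma != TAU or M.P[p] != M.P[n]):
                    moves |= {(q, sigma, q3) for q3 in reach[n]}
    return SELTS(M.Q, M.Sigma | {TAU}, moves, M.q0, M.P)


# Lemma 3.26 on constructed systems: H folds the two "busy" states of Q1 onto one in Q2.
Q1 = SELTS({0, 1, 2, 3}, {"a", "b"}, {(0, "a", 1), (0, "a", 2), (1, "b", 3), (2, "b", 3)},
           0, {0: "idle", 1: "busy", 2: "busy", 3: "done"})
Q2 = SELTS({0, 1, 3}, {"a", "b"}, {(0, "a", 1), (1, "b", 3)}, 0,
           {0: "idle", 1: "busy", 3: "done"})
H = {0: 0, 1: 1, 2: 1, 3: 3}
Q = SELTS({"x", "y"}, {"a", "c"}, {("x", "a", "y"), ("y", "c", "x")}, "x", {"x": 0, "y": 1})


def lemma_3_26_holds(s=frozenset({"a"})):
    """H x id_Q is a homomorphism from Q1 |[s]| Q to Q2 |[s]| Q whenever H is one."""
    prod1, prod2 = sync(Q1, Q, s), sync(Q2, Q, s)
    h_id = {(q, r): (H[q], r) for (q, r) in prod1.Q}
    return is_homomorphism(H, Q1, Q2) and is_homomorphism(h_id, prod1, prod2)


# Figure 3.15 (constructed in its spirit): each Si makes one silent, output-preserving move.
S1 = SELTS({1, 2}, {TAU}, {(1, TAU, 2)}, 1, {1: "o", 2: "o"})
S2 = SELTS({1, 2}, {TAU}, {(1, TAU, 2)}, 1, {1: "o", 2: "o"})


def closure_distributes():
    """(S1 |[]| S2)'_se == (S1)'_se |[]| (S2)'_se ?  The tau move (1,1) -> (2,2) is
    missing on the right, so the answer is no."""
    return closure(sync(S1, S2, set())).R == sync(closure(S1), closure(S2), set()).R


def lemma_3_30_holds(L, R, s, fL=lambda o: None, fR=lambda o: None):
    """(Q_L |[I]| Q_R)'_se == ((Q_L)'_se |[I]| (Q_R)'_se)'_se, for tau not in s."""
    assert TAU not in s
    return closure(sync(L, R, s, fL, fR)).R == closure(sync(closure(L), closure(R), s, fL, fR)).R


# A second Lemma 3.30 instance with a shared observable event and identity output maps.
L3 = SELTS({0, 1, 2}, {TAU, "a"}, {(0, TAU, 1), (1, "a", 2)}, 0, {0: 0, 1: 0, 2: 1})
R3 = SELTS({0, 1}, {"a"}, {(0, "a", 1)}, 0, {0: 0, 1: 1})
```

Calling `lemma_3_26_holds()`, `closure_distributes()`, `lemma_3_30_holds(S1, S2, set())` and `lemma_3_30_holds(L3, R3, {"a"}, lambda o: o, lambda o: o)` returns True, False, True and True respectively: the product homomorphism of Lemma 3.26 checks out, the two sides of Figure 3.15 differ by exactly the $\tau$ move from $(1,1)$ to $(2,2)$, and both instances of Lemma 3.30 hold, including the one where the state output agreement condition removes moves on both sides of the equation.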
Since weak observation equivalence ignores differences resulting from unobservable transitions, in the weak state-event version of Theorem 3.29 below, we require that $\tau$ not be part of the synchronization set $s$.
Theorem 3.31 Let SELTS $\mathcal{Q}_{Li}$, $\mathcal{Q}_{Ri}$, $i = 1, 2$, be given. If $\mathcal{Q}_{L1} \approx_{se} \mathcal{Q}_{L2}$ and $\mathcal{Q}_{R1} \approx_{se} \mathcal{Q}_{R2}$ then for all compatible interfaces $I := (s, f_L, f_R)$ such that $\tau \notin s$:
$$(\mathcal{Q}_{L1}\,|[I]|\,\mathcal{Q}_{R1}) \approx_{se} (\mathcal{Q}_{L2}\,|[I]|\,\mathcal{Q}_{R2}).$$

Proof: By the definition of weak state-event equivalence, $(\mathcal{Q}_{L1})'_{se} \sim_{se} (\mathcal{Q}_{L2})'_{se}$ and $(\mathcal{Q}_{R1})'_{se} \sim_{se} (\mathcal{Q}_{R2})'_{se}$. Thus, by Theorem 3.29,
$$(\mathcal{Q}_{L1})'_{se}\,|[I]|\,(\mathcal{Q}_{R1})'_{se} \sim_{se} (\mathcal{Q}_{L2})'_{se}\,|[I]|\,(\mathcal{Q}_{R2})'_{se}. \tag{3.7}$$
The fact that $\sim_{se}$ implies $\approx_{se}$ together with (3.7) gives
$$(\mathcal{Q}_{L1})'_{se}\,|[I]|\,(\mathcal{Q}_{R1})'_{se} \approx_{se} (\mathcal{Q}_{L2})'_{se}\,|[I]|\,(\mathcal{Q}_{R2})'_{se}.$$
Using the definition of $\approx_{se}$, we have
$$((\mathcal{Q}_{L1})'_{se}\,|[I]|\,(\mathcal{Q}_{R1})'_{se})'_{se} \sim_{se} ((\mathcal{Q}_{L2})'_{se}\,|[I]|\,(\mathcal{Q}_{R2})'_{se})'_{se}.$$
By Lemma 3.30, $((\mathcal{Q}_{Li})'_{se}\,|[I]|\,(\mathcal{Q}_{Ri})'_{se})'_{se} = (\mathcal{Q}_{Li}\,|[I]|\,\mathcal{Q}_{Ri})'_{se}$, $i = 1, 2$, so
$$(\mathcal{Q}_{L1}\,|[I]|\,\mathcal{Q}_{R1})'_{se} \sim_{se} (\mathcal{Q}_{L2}\,|[I]|\,\mathcal{Q}_{R2})'_{se},$$
which by the definition of $\approx_{se}$ is our desired result. $\Box$
If we restrict systems to synchronizing on observable transitions then the above result, together with the fact that any SELTS is weakly state-event equivalent to its weak quotient system, means that we can take the synchronous product of the subsystems' quotient systems instead of the (typically) larger original systems. As we will see in the next chapter there are many system properties that are preserved by weak state-event equivalence, allowing us to use the reduced models resulting from the quotient systems for verification. In the supervisory control of DES, the system supervisor can be viewed as another SELTS that imposes its control actions through running in a synchronous product with the plant. The importance of Theorem 3.31 then becomes apparent as it will eventually allow us to design a controller using the plant's weak quotient system in the case when all controllable transitions are observable.
3.5 Summary The general state-event setting of SELTS with unobservable transitions is considered as a way of hiding complexity and inducing hierarchy through quotient systems. This setting leads to the development of state-event observers that are applicable to a wide variety of problems since SELTS are the underlying model of many discrete event formalisms. State-event observers of SELTS represent a unifying framework for observers, and thereby hierarchy, in state and event based settings, enabling us to define observers in DES settings where both states and events are important (e.g. Ostroff's TTMs). This unification of state and event methods is evidenced by the fact that the state observers of [Won76] and the event based observation equivalences of Milner [Mil80], [Mil89] are both special cases of state-event observers. The unification of methodologies is obtained through the algebraic characterization of strong and weak state-event observers using the upper semilattice of compatible partitions of a SELTS. The algebraic characterization then enables appeal to efficient polynomial time algorithms for computing state-event observers based upon the Relational Coarsest Partition problem. The algebraic characterization of state-event equivalence using SELTS homomorphisms aided us in demonstrating the compositional consistency of state-event equivalence. It is this important property that in the following two chapters will allow us to perform model reduction of composite systems for temporal logic model checking and hierarchically consistent control systems design.
Chapter 4 Model Reduction of Modules for State-Event Temporal Logics In this chapter we utilize algebraic state-event structures to model systems together with state-event temporal logics as a means of specification. The main contribution of the chapter is a compositionally consistent model reduction technique for a class of "state-event stuttering-invariant" temporal formulas. In particular, the method provides a means of "weak" model reduction for a discrete time temporal logic that is a simplification of Ostroff's RTTL [Ost89]. The principal ideas of this chapter were first outlined in [LOW96]. Justification of our choice of a combined state-event and discrete time setting can be found in Section 1.1. We will therefore begin with a comparison of our work to previous works that outlines the sense in which our model reduction technique is both weak and compositionally consistent. While symbolic model-checking techniques such as [McM92] have proven effective for some very large systems [BCM92], the largest of these systems typically come from the digital hardware domain and have a great deal of regularity in their state transition structure that can be exploited by the symbolic techniques to obtain compact representations of large systems. If one wishes to model-check large concurrent systems lacking in symmetry, larger digital hardware systems, or simply to reduce the computation time required, one must perform some sort of model reduction. In model reduction one starts out with a system for which one would like to verify
(model-check) formulas from a particular set of formulas or class of temporal formulas that are of interest. To facilitate the verification process, or, in some cases, make the problem tractable, a reduced model is obtained such that, if the reduced model satisfies the temporal formulas under investigation, then the original system satisfies the temporal formulas. If the model-checking of a formula on the reduced model provides a definitive answer regarding the satisfaction of the formula in the original (unreduced) system, we say the reduction technique is exact. If this model reduction technique is performed so that the mutual satisfaction of formulas is only guaranteed for a specific finite set of formulas, we say that the method is a formula-specific model reduction technique. But if, as in this thesis, the method always guarantees the mutual satisfaction of all formulas in a class of temporal formulas, we refer to the technique as being formula-independent for the given class of formulas. For example, the weak model reduction technique of Section 4.3 is formula-independent for the class of "State-Event Stuttering-Invariant" formulas defined later in this chapter. In addition to preserving the truth values of a particular class of temporal formulas, the model reduction technique presented here is "compositionally consistent" in the sense that for any formula from a defined class of formulas, the composition of two reduced models satisfies the formula iff the composition of the two original systems satisfies the formula. In addition to the above terms, in our comparison of previous works with the work at hand, we will make distinctions between "strong" and "weak" model reduction techniques. In a strong reduction technique, a single transition in the original system model results in a single transition in the reduced model. In weak model reduction techniques, a single transition may be used by the reduced model to represent a finite sequence of transitions in the original system model.
The result is that weak model reduction techniques tend to achieve a greater reduction in state size at the expense of preserving the truth values of fewer formulas and requiring greater computational effort to compute the reduced system. We now provide some additional motivation for the use of weak reduction techniques. In concurrent systems built from interacting modules, we are interested in specifying a module's observable behavior or "interface" with other systems. If two modules produce identical behavior at their interfaces and differ only in their internal behavior, then they should satisfy the same interface specification. While many temporal logics have been successfully used to specify systems' behaviors, straightforward application of temporal logics is often too discriminating with respect to the internal actions of concurrent systems. Since we want to be able to reason about observed events and changes in the system's state output, we define "weak satisfaction" of a temporal formula to provide us with a class of state-event stuttering-invariant formulas which is similar to the stuttering-invariant formulas of [MP92] with some key differences as a result of our state-event setting. The main result of the chapter provides a compositionally consistent, weak model reduction technique for the class of state-event stuttering-invariant formulas by model-checking a system's weak state-event quotient system. Methods based upon abstract interpretations such as [BBCS92], [CGL94] and [DGG94] provide examples of strong, formula-specific model reduction. Although they are "strong" techniques, these methods can provide a significant reduction in state size by an appropriate choice of abstraction. The development of the abstract model can be an iterative process, with the mapping between concrete and abstract domains being refined when there is insufficient information at the abstract level to determine the truth value of one of the formulas of interest. The creation of these abstractions typically requires some insight from the systems designer. By dropping "immediate" operators from the temporal formulas and considering events with interleavings that do not affect the truth values of the formulas of interest, Valmari has similarly been able to achieve substantial state reduction [Val90].
The method, which makes use of "stubborn sets," has an extension to a "weak" observational setting, but the reduced models still suffer from the fact that they are dependent upon the formulas to be verified. As a result of this dependency, changes to the system's specifications require the computation of a new reduced model. All of the above formula-dependent techniques suffer from an inability to guarantee compositional consistency. Hence, to verify a composition of systems using these methods, one is forced to compute the composition of the original systems and then perform model reduction for the specific formulas on the (generally much larger) composite system. For the logic CTL*, a superset of linear and branching temporal logics, strong bisimulation preserves the truth values of the standard satisfaction relation for all formulas [BCG87], [Jos90]. In practice strong bisimulation equivalence is often too strong to provide a significant reduction in the state size of the model. While this deficiency spawned the formula-specific reductions described above, it also led to formula-independent methods that achieve greater reduction at the price of preserving the truth values of a smaller class of formulas. The formula-independent methods of model reduction are typically based upon algebraic equivalences derived from the work of Hoare [Hoa85] and Milner [Mil89]. In [KV91], [KV92], Kaivola and Valmari provide a method of "weak" model reduction for a nexttime-less linear temporal logic based upon failure equivalence [Hoa85]. As one might expect, the algorithm is worst case exponential. The papers deal with state based models that are converted into event oriented models by labeling transitions with the changes they cause in the states (similar to [Law92], [LW95]). In [Kai96] Kaivola investigates the truth preserving properties of the equivalences of [KV91, KV92] in a compositional setting, with state and event based parallel composition operators. Real-time aspects are not explicitly considered in the temporal logic used and immediate operators are forbidden. Another state-event setting is that of [GL93] where the separation of state values and event labels allows the use of the standard event synchronization parallel composition operators. In [GL93] Graf and Loiseaux provide conditions under which abstractions preserving safety properties expressible in a fragment of the branching time $\mu$-calculus are compositionally consistent.
Their underlying model of state-event systems, which is equivalent to the State-Event Labeled Transition Systems (SELTS) used in this thesis, can model the state-event synchronous product of systems. This is a "strong" abstraction that does not deal with fairness properties. In our work we provide a method for "weak," compositionally consistent model reduction for state-event systems that preserves a class of safety and fairness properties related to systems' observed behaviors. The state-event equivalence relation we use for our form of formula-independent model reduction is an extension of Milner's weak observation (bisimulation) equivalence. Kaivola and Valmari rejected weak observation equivalence for model reduction on the grounds that it did not necessarily preserve fairness properties due to its inability to distinguish divergences (infinite sequences of unobservable events). This problem does not arise in Ostroff's RTTL, which has the requirement that an (observable) tick of the global clock must occur infinitely often in any legal computation. In the following section we use SELTS to model modules that can be combined via parallel composition operators to create new modules and systems. We also define a simple (real-time) state-event temporal logic that can be used for system specification. Section 4.2 demonstrates how strong state-event equivalence can be used as the basis of a strong, compositionally consistent and computationally efficient model reduction technique for our entire logic. Section 4.3 develops a weak model reduction technique for the subclass of state-event stuttering-invariant temporal formulas through the use of weak state-event equivalence and the results of the previous section. Greater state reduction is achieved through the restriction of the formulas to be preserved. It should be noted that all the reduced models of this chapter are computable in polynomial time, thereby permitting practical application of the methods. To conclude the chapter, we prove that our model reduction technique for SELTS can be applied to a special case of TTM parallel composition where the TTMs being composed have well defined "compatible" interfaces. A TTM together with an interface specification is called a TTM module.
4.1 A Simple Real-Time State-Event Temporal Logic In this section we first define the state-event sequences associated with a SELTS as a way of capturing the behavior of a SELTS. We then introduce state-event temporal logics as an abstract method for reasoning about SELTS behavior with particular attention being paid to a simple real-time logic. In general when discussing SELTS throughout this chapter $AP, AP_1, AP_2, \ldots$ will represent sets of atomic propositions and the SELTS state output map will map each state to the set of atomic propositions satisfied by the state (i.e. $P : Q \to \mathcal{P}(AP)$). We make a slight modification of the state-event synchronous product operator of Definition 2.13 to allow the straightforward application of the definition of satisfaction of temporal formulas in subsequent sections. The state output map of the state-event synchronous product is changed to map a state of the composite system to the union of the state outputs for the component subsystems. This poses a problem when the systems share some variables or atomic propositions. For example, if $P_1(q_{10}) = \{u = 0, v = 1\}$ in $\mathcal{Q}_1$ and $P_2(q_{20}) = \{v = 2, w = 1\}$ in $\mathcal{Q}_2$ then $(q_{10}, q_{20})$, the initial state of the composite system, would have a state output of $\{u = 0, v = 1, v = 2, w = 1\}$, which is not a consistent set of assignments for the shared variable $v$. In order to ensure that the set of atomic propositions satisfied by a state of the composite system remains consistent, we will restrict the state output synchronization maps of the interface definition. We will consider interfaces of the form $I := (s, \cap AP_2, \cap AP_1)$. Otherwise the definition remains unchanged. This modification does not affect the results of Section 3.4 regarding compositional consistency.
Definition 4.1 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma_i, R_i, q_{i0}, P_i\rangle$, $i = 1, 2$, where $P_i : Q_i \to \mathcal{P}(AP_i)$ for $i = 1, 2$, and a compatible interface $I := (s, \cap AP_2, \cap AP_1)$ where $s \subseteq \Sigma_1 \cap \Sigma_2$, $\cap AP_2 : \mathcal{P}(AP_1) \to \mathcal{P}(AP_1)$ is given by $A \mapsto A \cap AP_2$ and $\cap AP_1 : \mathcal{P}(AP_2) \to \mathcal{P}(AP_2)$ is given by $A \mapsto A \cap AP_1$. Then the $I$-synchronous product of $\mathcal{Q}_1$ and $\mathcal{Q}_2$ is given by:
$$\mathcal{Q}_1\,|[I]|\,\mathcal{Q}_2 := \langle Q_1 \times Q_2,\ \Sigma_1 \cup \Sigma_2,\ R_{1,2},\ (q_{10}, q_{20}),\ P\rangle$$
Here $P : Q_1 \times Q_2 \to \mathcal{P}(AP_1 \cup AP_2)$ is defined by $P((q_1, q_2)) = P_1(q_1) \cup P_2(q_2)$ and the elements of $R_{1,2} = \{\xrightarrow{\sigma} : \sigma \in \Sigma_1 \cup \Sigma_2\}$ are binary relations over $Q_1 \times Q_2$ defined as follows: $(q_1, q_2) \xrightarrow{\sigma} (q'_1, q'_2)$ iff
$$\cap AP_2 \circ P_1(q'_1) = \cap AP_1 \circ P_2(q'_2) \tag{$\dagger$}$$
and
(i) $\sigma \in s$, and $q_i \xrightarrow{\sigma} q'_i$ in $\mathcal{Q}_i$ for $i = 1, 2$, or
(ii) $\sigma \notin s$, $q_1 \xrightarrow{\sigma} q'_1$ in $\mathcal{Q}_1$ and $q_2 = q'_2$, or
(iii) $\sigma \notin s$, $q_2 \xrightarrow{\sigma} q'_2$ in $\mathcal{Q}_2$ and $q_1 = q'_1$.
Condition ($\dagger$) states that the state output maps of the reachable states agree on the subsets of propositions from $AP_1 \cap AP_2$ that they satisfy (e.g. $P_1(q'_1) \cap AP_2 = P_2(q'_2) \cap AP_1$).
4.1.1 Computations of SELTS Before defining the computations of a SELTS, we will introduce some notation to aid in our discussion of generated and observed state-event sequences. We are interested in sequences of both states and events, so for notational convenience we define $\Sigma_\emptyset := \Sigma \cup \{\emptyset\}$ and $S := Q \times \Sigma_\emptyset$. For $s = (q, \sigma) \in S$, in addition to the set of atomic propositions found in $P(q)$ we associate the atomic proposition $\eta = \sigma$. We refer to $\eta$ as the (next) transition variable. The computations of the SELTS will then be a subset of the union of the set of all finite, nonempty state-event sequences $S^+$, and the set of all infinite state-event sequences $S^\omega$. As a notational convenience, we introduce the notation $|\rho|$, which for $\rho = s_0 s_1 s_2 \ldots s_n \in S^+$ is defined as $|\rho| = n$ and for $\rho = s_0 s_1 s_2 \ldots \in S^\omega$, $|\rho| = \omega$.

Definition 4.2 Given a SELTS $\mathcal{Q}$, the set of computations of $\mathcal{Q}$, denoted $\mathcal{M}(\mathcal{Q})$, is the largest subset of $S^+ \cup S^\omega$ such that for all $\rho \in \mathcal{M}(\mathcal{Q})$,
$$\rho = s_0 s_1 \ldots s_n = (q_0, \sigma_0)(q_1, \sigma_1) \ldots (q_n, \emptyset) \in S^+ \quad\text{or}\quad \rho = (q_0, \sigma_0)(q_1, \sigma_1) \ldots \in S^\omega$$
and
(i) Initialization: $q_0$ is the initial state of $\mathcal{Q}$.
(ii) Succession: $0 \le i < |\rho|$ implies $\sigma_i \in \Sigma$ and $q_{i+1} \in \mathcal{Q}_{\sigma_i}(q_i)$ (i.e. $q_i \xrightarrow{\sigma_i} q_{i+1}$ in $\mathcal{Q}$).
(iii) Diligence: $\sigma_i = \emptyset$ iff $i = |\rho|$ and for all $\sigma \in \Sigma$, $\mathcal{Q}_\sigma(q_i) = \emptyset$.
In Definition 4.2, the purposes of conditions (i) and (ii) are, respectively, to guarantee that the computation starts in the system's initial state and that the change from one state to the next via the given event is possible in $\mathcal{Q}$. Condition (iii) states that the only finite sequences in $\mathcal{M}(\mathcal{Q})$ are those which terminate in a state where no transitions are possible and hence the final "event" of the state-event sequence is denoted by $\emptyset$. This diligence condition differs from that of [MP92] in that there is no idling transition in our setting, so we allow finite sequences of states to be computations and modify our definition of temporal semantics accordingly [Arn94].
4.1.2 Temporal Logic of State-Event Sequences We now give a brief summary of temporal logic and refer the reader to [MP92], [Ost89] and [Arn94] for the full details. Following [Ost89], the state-event sequences defined above will play the role of the state sequences in [MP92]. This will allow us to distinguish state formulas and state-event formulas. RTTL, as an example of a state-event temporal logic, is based upon Manna-Pnueli temporal logic with additional proof rules for dealing with real-time (tick event) properties. To allow us to express simple real-time properties we add a bounded "until" operator.

State-event formulas are arbitrary boolean combinations of atomic predicates. We say that a state-event formula is a state formula if it does not include any transition predicates such as $\eta = \sigma$. For example, $(y \le 10 \wedge x = atdelay) \vee t = 5$ is both a state formula and a state-event formula, while $\eta = \sigma \vee y = 3$ is a state-event formula but not a state formula. State-event formulas (and hence state formulas) do not contain any temporal operators. For a state formula $F_s$ and a state $q$, we use the standard inductive definition of satisfaction and write $q \models F_s$ when $F_s$ is true in state $q$. Similarly the definition of satisfaction can be extended to any state-event pair $s \in S$ and any state-event formula $F_{se}$. In the following inductive definition of satisfaction of temporal state-event formulas we will consider an arbitrary (possibly finite) state-event sequence $\rho = s_0 s_1 \ldots = (q_0, \sigma_0)(q_1, \sigma_1) \ldots$. Henceforth $\rho^k$ will be used to denote the $k$-shifted suffix of $\rho$,
$$\rho^k := s_k s_{k+1} \ldots = (q_k, \sigma_k)(q_{k+1}, \sigma_{k+1}) \ldots$$
when it exists (i.e. when $|\rho| \ge k$). When talking about projections of computations we will denote the prefix of $\rho$ up to position $k$ by $\rho^{-k} = (q_0, \sigma_0)(q_1, \sigma_1) \ldots (q_k, \sigma_k)$. For each $\sigma \in \Sigma$ we use the notation $\#(\sigma, \rho, i)$ to denote the number of $\sigma$ transitions that occur between $q_0$ and $q_i$ in the state-event sequence $\rho$. If $|\rho| < i$ then $\#(\sigma, \rho, i)$ is undefined.
Definition 4.3 (Satisfaction) For temporal formulas $F, F_1, F_2$ and state-event sequence $\rho$, the satisfaction relation is defined as follows:
If $F \in AP$ is an atomic predicate, then $\rho \models F$ iff $s_0 \models F$ (i.e. $F \in P(q_0)$).
If $F := (\eta = \sigma)$, then $\rho \models F$ iff $\sigma_0 = \sigma$.
$\rho \models F_1 \vee F_2$ iff $\rho \models F_1$ or $\rho \models F_2$.
$\rho \models F_1 \wedge F_2$ iff $\rho \models F_1$ and $\rho \models F_2$.
$\rho \models \neg F$ iff $\rho \not\models F$.
$\rho \models \bigcirc F$ iff $\rho^1$ exists and $\rho^1 \models F$.
$\rho \models F_1\,\mathcal{U}\,F_2$ iff $\rho \models F_2$ or $\exists k > 0$ such that $\rho^k$ is defined, $\rho^k \models F_2$ and $\forall i$, $0 \le i < k$, $\rho^i \models F_1$.
$\rho \models F_1\,\mathcal{U}^{\sigma}_{[l,u]}\,F_2$ iff $\rho \models F_2$ or $\exists k > 0$ such that $\rho^k$ is defined, $\rho^k \models F_2$, $\forall i$, $0 \le i < k$, $\rho^i \models F_1$, and $l \le \#(\sigma, \rho, k) \le u$.

The "next" operator $\bigcirc$ and "until" operator $\mathcal{U}$ are typically used to define additional operators, in particular the "eventually" operator $\Diamond F$, which denotes $(true)\,\mathcal{U}\,F$, and the "henceforth" operator $\Box F$, which is an abbreviation of $\neg\Diamond\neg F$. As an example of a temporal formula, consider $F := \Box\bigcirc true$. $F$ is satisfied only by those $\rho$ such that $|\rho| = \omega$. The $\mathcal{U}^{\sigma}_{[l,u]}$ operator is just the until operator subject to the restriction that for a formula $F_1\,\mathcal{U}^{\sigma}_{[l,u]}\,F_2$, $F_2$ must become true after the $l$th occurrence of $\sigma$ and before the $(u+1)$th occurrence of $\sigma$. In systems in which time is represented by discrete tick events the $\mathcal{U}^{tick}_{[l,u]}$ operator can be used to specify that a system meets hard time bounds. For example, any system satisfying the formula $(true)\,\mathcal{U}^{tick}_{[0,2]}\,(\eta = \sigma)$ will produce a $\sigma$ event before 3 time units have passed. We will use $\mathcal{U}^{tick}_{\le k}$ as an abbreviation for $\mathcal{U}^{tick}_{[0,k]}$. For example the above formula can be written as $(true)\,\mathcal{U}^{tick}_{\le 2}\,(\eta = \sigma)$.
Definition 4.4 Given a SELTS $\mathcal{Q}$ and a temporal formula $F$, we say that $F$ is $\mathcal{Q}$-valid, written $\mathcal{Q} \models F$, iff for all $\sigma \in \mathcal{M}(\mathcal{Q})$, $\sigma \models F$.

Fairness
Typically when a given transition structure is used as the model for a system, a designer specifies some fairness constraints which a computation must satisfy if it is to be considered a "legal" computation of the system. For example, all systems in RTTL have the fairness constraint that the tick event must occur infinitely often ($\Box\Diamond(\eta = tick)$), that is the system must not stop the clock or permit an infinite number of non-tick transitions to occur between successive clock ticks. Given a specification as a temporal formula $F$, one then is not so much interested in verifying that all the computations of the transition structure satisfy $F$ but rather in verifying that all the legal computations satisfy $F$. That is $\mathcal{Q} \models \neg F_{fair} \vee F$, where $F_{fair}$ is the conjunction of all formulas that are to be satisfied by the system's legal computations. In performing such a verification one implicitly assumes that the set of legal computations considered is nonempty (i.e. $\exists \sigma \in \mathcal{M}(\mathcal{Q}),\ \sigma \models F_{fair}$).
4.2 Strong State-Event Model Reduction

In this section we assume that while we have perfect event information (all events including $\tau$ events are observable), only partial state information is provided via the state output map. The main result of this section is that strongly state-event equivalent systems satisfy the same temporal formulas and hence we can use a system's strong state-event quotient system to verify system properties. The compositional consistency of this model reduction technique then follows immediately from the result on strong ("algebraic") compositional consistency of Section 3.4. While the results obtained in this section follow easily from the truth preserving properties of strong bisimulation equivalence, the technique employed in this section will be utilized in the following section on weak state-event model reduction. In the following, unless stated otherwise, we assume that we are dealing with a SELTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0, P\rangle$ where $P$ is the state output map $P : Q \to \mathcal{P}(AP)$, and $AP$ is the set of atomic predicates of interest. Given a computation $\sigma$, the strongly observed computation generated by $\sigma$ is given by applying $P$ to the state of each state-event pair in the computation. This provides a map from sequences over $Q \times \Sigma$ to sequences over $\mathcal{P}(AP) \times \Sigma$.

$P : (Q \times \Sigma)^+ \cup (Q \times \Sigma)^\omega \to (\mathcal{P}(AP) \times \Sigma)^+ \cup (\mathcal{P}(AP) \times \Sigma)^\omega$
$(q_0, \sigma_0)(q_1, \sigma_1)\ldots(q_n, \sigma_n)\ldots \mapsto (P(q_0), \sigma_0)(P(q_1), \sigma_1)\ldots(P(q_n), \sigma_n)\ldots$

For $C$, a set of computations, we define $P(C) := \{P(\sigma) : \sigma \in C\}$.
Lemma 4.5 Let $\mathcal{Q}_i = \langle Q_i, \Sigma, R_i, q_{i0}, P_i\rangle$, $i = 1, 2$ be SELTS. If $\mathcal{Q}_1 \sim_{se} \mathcal{Q}_2$ then $P_1(\mathcal{M}(\mathcal{Q}_1)) = P_2(\mathcal{M}(\mathcal{Q}_2))$.

Proof: Follows immediately from the definitions of $\sim_{se}$ and $P$. $\Box$

[Figure 4.1: Counterexample to converse of Lemma 4.5. Two SELTS $\mathcal{Q}_1$ and $\mathcal{Q}_2$, with the state outputs $r_1$ and $r_2$ shown next to each state.]
The systems in Figure 4.1 demonstrate that the converse of Lemma 4.5 is false. The transition systems are shown with the state outputs generated by their respective state output maps $P_1$ and $P_2$ next to each state. The initial states of the two transition systems are marked by entering arrows. In this case $P_1(\mathcal{M}(\mathcal{Q}_1)) = P_2(\mathcal{M}(\mathcal{Q}_2)) = \{r_1 \to r_1 \to r_2 \to r_2 \to \ldots,\ r_1 \to r_1 \to r_2 \to r_2 \to \ldots\}$, but one can easily verify that $\mathcal{Q}_1 \not\sim_{se} \mathcal{Q}_2$. By extending Hoare's failure equivalence to a state-event failure equivalence in a manner similar to the way that (event) observation equivalence was extended to state-event observation equivalence, one obtains an equivalence which relates the two systems of Figure 4.1. Unfortunately the computation of failure equivalence is PSPACE-complete [KS83] making it unlikely that an efficient algorithm could be found to compute any extension to the state-event setting. On the other hand strong state-event equivalence is $O(n \log m)$ making state-event equivalence preferable as a practical model reduction technique. As an immediate consequence of Lemma 4.5, we obtain the following result.

Theorem 4.6 Given two SELTS as above, if $\mathcal{Q}_1 \sim_{se} \mathcal{Q}_2$ then for any temporal formula $F$, we have $\mathcal{Q}_1 \models F$ iff $\mathcal{Q}_2 \models F$.

The above theorem allows us to use a system's strong state-event quotient system to reason about the state output and event behavior of the system since $\mathcal{Q} \sim_{se} \mathcal{Q}/\!\sim_{se}$. Lemma 3.29 provides the following Corollary to Theorem 4.6.

Corollary 4.7 Strong state-event equivalence can be used for compositionally consistent model reduction of SELTS for all formulas in state-event temporal logic.
4.3 Weak State-Event Model Reduction

We now turn our attention to the case with only partial event observations in addition to the partial state observations provided by the state output map. We assume that all unobservable transitions are labeled by $\tau$. In this case we want to reason about the sequences of observed events and changes in state output. To this end we define a projection from computations to weakly observed computations similar to the strongly observed computation projection of the previous section. This time we delete a state-event pair from the strongly observed computation if the event is an unobservable $\tau$ transition and the state output remains unchanged in the next state (i.e. there is no way to observe whether we remain in the current state or take the $\tau$ transition to the next state). Since weak state-event equivalence suppresses system information regarding sequences of unobservable events that do not cause state changes, the equivalence can only be used for model reduction with a restricted set of temporal formulas. This restricted class, which we will call the class of State-Event Stuttering-Invariant (SESI) formulas, is characterized as those formulas that are satisfied by a computation iff the projected computation satisfies the formula. We identify a set of SESI formulas, including some formulas making use of immediate operators ($\bigcirc$, $\eta =$). The main result of the section states that weakly state-event equivalent systems satisfy the same subset of SESI formulas. Thus for a given module we can perform compositionally consistent model reduction by computing the system's weak state-event quotient system and then using the quotient system to model-check all the formulas of interest, provided the formulas are SESI.

4.3.1 Weakly Observed Computations

For the remainder of the section, unless stated otherwise, we assume that we are dealing with a SELTS $\mathcal{Q} := \langle Q, \Sigma, R, q_0, P\rangle$ where the state output map $P : Q \to \mathcal{P}(AP)$.
In [MP92] the authors use a state-based projection operator to develop a state-only version of weak satisfaction. They define the reduced behavior of a computation via a two step process that amounts to first applying $P$, the strong computation projection of the previous section, and then replacing uninterrupted sequences of identical "states" with a single copy of the state. In our case we are dealing with sequences of state-event pairs rather than just sequences of states. We cannot simply apply $P$ and then replace subsequences of uninterrupted state-event pairs by a single state-event pair since in this case important information relating state changes and event observations would be lost. Consider the three state-event sequences shown below where $tick$ is the event representing the passage of one second on the global clock.

$(q_0, \tau)(q_0, \tau)(q_0, tick)(q_0, \tau)(q_1, tick)\ldots$
$(q_0, \tau)(q_0, tick)(q_0, tick)(q_0, \tau)(q_1, tick)\ldots$
$(q_0, tick)(q_0, \tau)(q_0, tick)(q_0, \tau)(q_0, \tau)(q_1, tick)\ldots$

If we assume that the state output map is the identity map, then following [MP92] the first and second sequences would result in the same reduced computation: $(q_0, \tau)(q_0, tick)(q_0, \tau)(q_1, tick)\ldots$ while the third sequence is its own reduced computation. This would lead us to believe that in the first two cases the system delays for one second and then changes state from $q_0$ to $q_1$ via a $\tau$ transition when, in fact, the second and third computations do not make the transition until after 2 seconds. While we want our projection operator to distinguish the first case from the other two, the second and third computations differ only by unobservable $\tau$ transitions that do not change the state output. Upon rewriting the three sequences in terms of the notation of weak state-event observation equivalence, the differences and similarities in observed behaviors become apparent:

$q_0 \xrightarrow{\tau} q_0 \xrightarrow{\tau} q_0 \xrightarrow{tick} q_0 \xrightarrow{\tau} q_1 \xrightarrow{tick} \cdots \ \mapsto\ q_0 \stackrel{tick}{\Rightarrow}_{se} q_0 \stackrel{\tau}{\Rightarrow}_{se} q_1 \stackrel{tick}{\Rightarrow}_{se} \cdots$
$q_0 \xrightarrow{\tau} q_0 \xrightarrow{tick} q_0 \xrightarrow{tick} q_0 \xrightarrow{\tau} q_1 \xrightarrow{tick} \cdots \ \mapsto\ q_0 \stackrel{tick}{\Rightarrow}_{se} q_0 \stackrel{tick}{\Rightarrow}_{se} q_0 \stackrel{\tau}{\Rightarrow}_{se} q_1 \stackrel{tick}{\Rightarrow}_{se} \cdots$
$q_0 \xrightarrow{tick} q_0 \xrightarrow{\tau} q_0 \xrightarrow{tick} q_0 \xrightarrow{\tau} q_0 \xrightarrow{\tau} q_1 \xrightarrow{tick} \cdots \ \mapsto\ q_0 \stackrel{tick}{\Rightarrow}_{se} q_0 \stackrel{tick}{\Rightarrow}_{se} q_0 \stackrel{\tau}{\Rightarrow}_{se} q_1 \stackrel{tick}{\Rightarrow}_{se} \cdots$

To an external observer the second and third computations would produce the same observed state-event sequence: $(q_0, tick)(q_0, tick)(q_0, \tau)(q_1, tick)\ldots$. The projection defined below has the effect of replacing all the state-event pairs making up an observed transition $q_1 \stackrel{\alpha}{\Rightarrow}_{se} q_2$ with a single state-event pair $q_1 \xrightarrow{\alpha} q_2$. The following weak state-event sequence projection operator produces a system's weakly observed computations.
Definition 4.8 Given an SELTS $\mathcal{Q}$ with state output map $P : Q \to \mathcal{P}(AP)$ and $\sigma = (q_0, \sigma_0)(q_1, \sigma_1)\ldots \in \mathcal{M}(\mathcal{Q})$, the weakly observed behavior of $\sigma$ is denoted by $P_\tau(\sigma)$ which is defined inductively as follows:

$P_\tau(q_0) = P(q_0)$
$P_\tau(q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots q_n \xrightarrow{\sigma_n} q_{n+1}) = P_\tau(q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots q_n)$ if $\sigma_n = \tau \wedge P(q_n) = P(q_{n+1})$
$P_\tau(q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots q_n \xrightarrow{\sigma_n} q_{n+1}) = P_\tau(q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} \cdots q_n) \xrightarrow{\sigma_n} P(q_{n+1})$ otherwise

For $C$ a set of computations, we define $P_\tau(C) := \{P_\tau(\sigma) : \sigma \in C\}$.

Example 4.9 In this example we consider the weak state-event observations generated by an SELTS with identity state output map $P := I_Q$ where $I_Q : Q \to Q$.

$\sigma_1 = q_0 \xrightarrow{\tau} q_0 \xrightarrow{\alpha} q_0 \xrightarrow{\tau} q_1 \xrightarrow{\tau} q_1 \xrightarrow{\beta} q_2 \to \cdots = (q_0, \tau)(q_0, \alpha)(q_0, \tau)(q_1, \tau)(q_1, \beta)(q_2, \ldots)\ldots$
$P_\tau(\sigma_1) = q_0 \xrightarrow{\alpha} q_0 \xrightarrow{\tau} q_1 \xrightarrow{\beta} q_2 \to \cdots = (q_0, \alpha)(q_0, \tau)(q_1, \beta)(q_2, \ldots)\ldots$
$\sigma_2 = q_0 \xrightarrow{\tau} q_0 \xrightarrow{\tau} q_0 \xrightarrow{\tau} \cdots = (q_0, \tau)(q_0, \tau)(q_0, \tau)\ldots$
$P_\tau(\sigma_2) = q_0 = (q_0, -)$

In $P_\tau(\sigma_1)$ all the $\tau$ transitions are eliminated except for the $q_0 \xrightarrow{\tau} q_1$ transition since this transition can be inferred from the external observer's observation of a state change from $q_0$ to $q_1$ without any observed event. In this case we say that $\tau$ is an implicitly observed transition. The computation $\sigma_2$ is initially observed to be in state $q_0$ and then produces no state change or event observations. This is reflected in $P_\tau(\sigma_2)$ as $(q_0, -)$, the observed state output with no defined transition. Thus an infinite state-event sequence can result in a finite weakly observed sequence. This is why the effort was made earlier to extend the definition of temporal operators to finite as well as infinite sequences, allowing us to define weak satisfaction of temporal formulas below.

[Figure 4.2: $\mathcal{Q}_1 \approx_{se} \mathcal{Q}_2$ but $P_{1\tau}(\mathcal{M}(\mathcal{Q}_1)) \neq P_{2\tau}(\mathcal{M}(\mathcal{Q}_2))$; every state of both systems has state output $r$.]

As the basis of weak state-event model reduction, we would like to obtain a result similar to Lemma 4.5 which stated that strongly state-event equivalent systems result in the same set of strongly observed computations. In this case we have to be careful with our treatment of the unobservable $\tau$ transitions that are erased by the weak projection. Consider the two weakly state-event equivalent systems shown in Figure 4.2. Here $r \in \mathcal{P}(AP)$ is the same state output for all the systems' states. In this case $P_{1\tau}(\mathcal{M}(\mathcal{Q}_1)) = \{r \to r \to r \to r \to \ldots\}$ but $P_{2\tau}(\mathcal{M}(\mathcal{Q}_2)) = \{r,\ r \to r \to r \to r \to \ldots\}$. The above systems agree upon their trajectories that produce an infinite number of observations. It is the infinite sequence of unobservable $\tau$'s that $\mathcal{Q}_2$ can produce that causes the discrepancy. This observation is formalized in the following two lemmas. The first lemma states that a system and its observational closure (see Definition 3.17 on p. 58) produce the same infinite weakly observed computations (i.e. $\{P_\tau(\sigma) : \sigma \in \mathcal{M}(\mathcal{Q}) \text{ and } |P_\tau(\sigma)| = \omega\} = \{P_\tau(\sigma) : \sigma \in \mathcal{M}(\mathcal{Q}'_{se}) \text{ and } |P_\tau(\sigma)| = \omega\}$).
Lemma 4.10 Given an SELTS $\mathcal{Q} = \langle Q, \Sigma, R, q_0, P\rangle$, where $P : Q \to \mathcal{P}(AP)$,
$P_\tau(\mathcal{M}(\mathcal{Q})) \cap (\mathcal{P}(AP) \times \Sigma)^\omega = P_\tau(\mathcal{M}(\mathcal{Q}'_{se})) \cap (\mathcal{P}(AP) \times \Sigma)^\omega$.

Proof: $\mathcal{M}(\mathcal{Q}) \subseteq \mathcal{M}(\mathcal{Q}'_{se})$ since the transition relations of $\mathcal{Q}$ are a subset of those of $\mathcal{Q}'_{se}$. Thus the containment of sets in the $\subseteq$ direction is trivial. To show containment in the $\supseteq$ direction we begin by assuming that $\sigma \in P_\tau(\mathcal{M}(\mathcal{Q}'_{se})) \cap (\mathcal{P}(AP) \times \Sigma)^\omega$. Then there exists $\sigma_r \in \mathcal{M}(\mathcal{Q}'_{se})$ such that $\sigma = P_\tau(\sigma_r)$. In particular, since $\sigma_r$ produces an infinite number of observations (i.e. it does not end with an infinite sequence of self-looped $\tau$ transitions), for simplicity we can choose $\sigma_r$ so that in $\sigma_r = q_0 \xrightarrow{\sigma_0} q_1 \xrightarrow{\sigma_1} q_2 \xrightarrow{\sigma_2} \cdots$ there are no transitions resulting from self-looped $\tau$ transitions. Then as a result of the definition of the observational closure operator, each transition $q_i \xrightarrow{\sigma_i} q_{i+1}$ in $\mathcal{Q}'_{se}$ can be matched by a sequence of transitions $q_i \stackrel{\sigma_i}{\Rightarrow}_{se} q_{i+1}$ in $\mathcal{Q}$. The silent transitions that help make up the $\stackrel{\sigma_i}{\Rightarrow}_{se}$ relation leave the state output unchanged and hence the sequence of states and transitions making up the $q_i \stackrel{\sigma_i}{\Rightarrow}_{se} q_{i+1}$ relation will produce the same projected results as the $q_i \xrightarrow{\sigma_i} q_{i+1}$ transition in $\mathcal{Q}'_{se}$. We simply take the finite sequences of states and transitions making up each matching $q_i \stackrel{\sigma_i}{\Rightarrow}_{se} q_{i+1}$ relation to obtain a $\sigma_l$ with $P_\tau(\sigma_l) = P_\tau(\sigma_r)$. We know $\sigma_l \in \mathcal{M}(\mathcal{Q})$ because it is an infinite sequence of transitions in $\mathcal{Q}$. $\Box$
Lemma 4.11 Given two SELTS $\mathcal{Q}_i = \langle Q_i, \Sigma, R_i, q_{i0}, P_i\rangle$, $i = 1, 2$, where $P_i : Q_i \to \mathcal{P}(AP)$, if $\mathcal{Q}_1 \approx_{se} \mathcal{Q}_2$ then
$P_{1\tau}(\mathcal{M}(\mathcal{Q}_1)) \cap (\mathcal{P}(AP) \times \Sigma)^\omega = P_{2\tau}(\mathcal{M}(\mathcal{Q}_2)) \cap (\mathcal{P}(AP) \times \Sigma)^\omega$.

Proof: Let $\sigma \in P_{1\tau}(\mathcal{M}(\mathcal{Q}_1)) \cap (\mathcal{P}(AP) \times \Sigma)^\omega$. Then there exists $\sigma_1 \in \mathcal{M}(\mathcal{Q}_1)$ such that $\sigma = P_{1\tau}(\sigma_1)$. But $\mathcal{M}(\mathcal{Q}_1) \subseteq \mathcal{M}(\mathcal{Q}'_{1se})$ so $\sigma_1 \in \mathcal{M}(\mathcal{Q}'_{1se})$. By Lemma 4.5 there exists $\sigma_2' \in \mathcal{M}(\mathcal{Q}'_{2se})$ such that $P_1(\sigma_1) = P_2(\sigma_2')$ and hence $P_{1\tau}(\sigma_1) = P_{2\tau}(\sigma_2')$. Now by Lemma 4.10 there exists $\sigma_2 \in \mathcal{M}(\mathcal{Q}_2)$ such that $P_{2\tau}(\sigma_2') = P_{2\tau}(\sigma_2)$. This shows containment in the $\subseteq$ direction. Exchanging $\mathcal{Q}_1$ and $\mathcal{Q}_2$ in the above argument gives the opposite direction and hence the desired result. $\Box$

The above lemma states that weakly state-event equivalent systems produce identical infinite sequences of observations, though equivalent systems may disagree on sequences that produce finite observations as in the case of the systems in Figure 4.2. In RTTL and the simplified real-time state-event logic presented here, the fairness constraint $\Box\Diamond(\eta = tick)$ guarantees that the clock ticks infinitely often in all legal computations (i.e. all legal computations result in infinite sequences of observations). Thus if we can identify a subclass of formulas with truth values that are only dependent upon the observations a computation produces, the above lemma will allow us to use weak state-event equivalence to perform model reduction for those formulas. The systems in Figure 4.1 that provide a counterexample to the converse of Lemma 4.5 also provide a counterexample to the converse of Lemma 4.11.

4.3.2 Weak Satisfaction

As a first step towards obtaining a subclass of temporal formulas with truth values that are dependent upon the weakly observed computations, we will define weak satisfaction. While our main interest in introducing weak satisfaction is to obtain a subclass of formulas for weak state-event model reduction, weak satisfaction also provides a means of specifying the behavior of weakly projected computations and hence of specifying the behavior of the system at its outputs or interface with other modules.
Definition 4.12 Given a SELTS $\mathcal{Q}$ and a temporal formula $F$, a computation $\sigma \in \mathcal{M}(\mathcal{Q})$ is said to weakly satisfy $F$, written $\sigma \models_w F$, iff $P_\tau(\sigma) \models F$. The SELTS $\mathcal{Q}$ weakly satisfies $F$, written $\mathcal{Q} \models_w F$, iff $P_\tau(\mathcal{M}(\mathcal{Q})) \models F$.

Example 4.13 For $\sigma_1$ and $\sigma_2$ as in Example 4.9 we have
$\sigma_1 \models_w \eta = \alpha \wedge \bigcirc(q = q_0)$
$\sigma_2 \not\models_w \Box\bigcirc true$

In the case of $\sigma_1$ we are stating that the first observed action of the computation is an $\alpha$ transition that does not change the state output. In the case of $\sigma_2$ we are stating that the computation does not produce an infinite number of observations. A computation weakly satisfies $\Box\bigcirc true$ if the weak projection of the computation is an infinite sequence. Thus $\sigma \models_w \Box\bigcirc true$ becomes a concise way of saying that $\sigma$ produces an infinite number of observations.
Theorem 4.14 Given two SELTS, if $\mathcal{Q}_1 \approx_{se} \mathcal{Q}_2$ then for any temporal formula $F$ we have $\mathcal{Q}_1 \models_w \neg(\Box\Diamond\eta = tick) \vee F$ iff $\mathcal{Q}_2 \models_w \neg(\Box\Diamond\eta = tick) \vee F$.

Proof: Follows immediately from Lemma 4.11. $\Box$

The implication of the above theorem is that weak state-event equivalence can be used to perform model reduction for any real-time state-event temporal logic formula provided the satisfaction relation of interest is weak satisfaction. In general we are interested in performing model reduction for the standard satisfaction relation $\models$. In the following subsection Theorem 4.14 will be the key to developing model reduction results for the subclass of SESI formulas under the standard satisfaction relation.
4.3.3 State-Event Stuttering-Invariance and Model Reduction

We now consider those formulas with truth values that are robust with respect to unobservable transitions.

Definition 4.15 Given a state-event temporal formula $F$ over the set of atomic predicates $AP$, we say that $F$ is State-Event Stuttering-Invariant (SESI) if for all SELTS $\mathcal{Q}$ with state output map $P : Q \to \mathcal{P}(AP)$, for all computations $\sigma \in \mathcal{M}(\mathcal{Q})$, the following equation holds:
$\sigma \models F \ \text{ iff } \ \sigma \models_w F$ (4.1)

Equation (4.1) provides the link relating satisfaction to weak satisfaction that will be used to extend Theorem 4.14 to standard satisfaction of SESI formulas. Addit
N
Lemma 4.16 Let be a computation and F F1 F2 be SESI formulas. Then for all
2 ; f g l u 2
formulas.
we have :F , F1 _ F2 , F1 U F2 and F1 Ulu]F2 are all SESI
Proof: The cases of :F and F1 _ F2 are immediate from the de nitions so let us
N
consider the case when F := F1 U F2 . (only if) Assume P () j= F . Then there exists i 2 such that P ()i j= F2 and for all j = 0 1 : : : i ; 1, P ()j j= F1 by de nition of U . Let ki 2 be the smallest integer such that P (ki ) = P ()i. Therefore P (ki ) j= F2. But by our inductive assumption, P (ki ) j= F2 i ki j= F2 . Now, for all li 2 f0 1 : : : ki ; 1g P (li ) < P (ki ) (i.e. P (li ) is a strictly proper pre x of P (ki )). Therefore there exists j 2 f0 1 : : : i ; 1g such that P (li ) = P ()j . But as noted above, P ()j j= F1 so P (li ) j= F1 and hence li j= F1. By de nition of U , we have j= F1 U F2 as required.
N
101
(if) The above proof can be reversed to obtain the if part of (4.1). The case of F := F1Ulu]F2 follows immediately from the F := F1 U F2 case and the fact that P does not erase any non events. 2 From the above discussion we see that all nonimmediate formulas, formulas composed solely of state predicates together with the _ ^ U Ulu] operators (i.e. that do not contain the next operator or next transition variable ) are SESI. Additionally, a formula of the form 2 ( = tick) is SESI since ( = tick) is SESI and 2F = : :F . We can now extend Theorem 4.14 to provide results about j= for formulas that belong to the subclass of SESI formulas.
Q Q Q QQ Q Q Q Q Q Q Q Q Q Q
Q Q Q Q Q
Theorem 4.17 Let F be an SESI formula. If 1 2 are SELTS such that 1 se 2 then 1 j= :(2 = tick) _ F i 2 j= :(2 = tick) _ F . Proof: Assume F 1 2 are as in the theorem statement. Also assume that 1 j= :(2 = tick) _ F . Using the fact that 2 ( = tick) and F are SESI together with Lemma 4.16, we know that the formula :(2 ( = tick)) _ F must be SESI. Therefore, by the de nition of SESI, 1 j= :(2 = tick) _ F . But 1 se 2 , so applying Theorem 4.14, we have 2 j= :(2 = tick) _ F . We can then apply the opposite direction of the SESI de nition to obtain 2 j= :(2 = tick) _ F . Switching 1 and 2 in the above argument provides the desired result. 2
Recalling from Section 3.2 that se ==w , where ==w is the weak stateevent quotient system of , Theorem 4.17 allows us to modelcheck SESI formulas on a system's quotient system and infer the result for the original system. Additionally, Lemma 3.31 guarantees that our model reduction technique is compositionally consistent. This allows one to avoid computing massive synchronous products before performing model reduction, by rst doing model reduction on the component subsystems and then forming their synchronous product. This ability is signi cant since synchronous products typically grow as the product of the subsystem's state spaces. Once it is constructed we can take what should be the signi cantly smaller synchronous product of the quotient systems and compute its quotient system to further reduce our model. 102
4.4 Model Reduction of TTM Modules Theorem 3.31 and Theorem 4.17 allow us to perform compositional model reduction for realtime systems modeled as interacting systems of SELTS. Typically though, a systems designer will want to work within a more expressive framework, such as TTMs, that provides a more compact representation of the system. In this section we adapt the results of the previous two chapters to the TTM setting. This is done by considering systems composed of interacting \TTM modules" { TTMs with the property that parallel composition at the TTM level can be modeled by stateevent synchronous composition at the SELTS level. To motivate the introduction of TTM modules, we rst provide an example of TTM parallel composition that does not correspond to stateevent synchronous composition at the SELTS level.
Example 4.18 Consider the following two simple TTMs.
M1 := hfy zg y = z = 0 T1 i, where T1 = f := (y = z y : y 2 1] 1 1)g and, M2 := hfy zg y = z = 0 T2 i, where T2 = f := (y 6= z z : z 2 1] 1 1)g.
In the above transitions' operation functions, 2 denotes addition mod 2. Thus transition of M1 will toggle the value of y between 0 and 1 when y = z for one tick of the global clock. Transition of M2 performs a similar function on z when y 6= z. The TTMs' parallel composition is given by
M1 kM2 := =
hfy zg y = z = 0 T kT i hfy zg y = z = 0 T T i 1 1
2
2
The SELTS generated by M1 kM2 is shown in Figure 4.3. In the composite system
rst and then alternate with tick transitions. M1 reacts to changes to its \input" z and produces \output" y while M2 reacts to the input value of y and produces output z. Now let us consider the SELTS generated by the individual TTM component systems before their composition (see Figure 4.4). M1's transition does not aect the value of z. With no other transitions to change z from its initial value, after an 103
Q
M1 kM2
tick
y=0
y=1 tick
z=0 z=1
z=0 z=1
tick tick
y=0 y=1 Figure 4.3: SELTS for M1 kM2.
Q
M1
y=0 y=1 tick
Q j jQ
tick
z=0 z=0 M1
I ]
Q
M2
tick y = 0 z=0
M2
tick
y=0
z=0 Figure 4.4: SELTS generated by M1 and M2 and their composition synchronizing on tick and the values of y z.
104
Q
initial tick, changes the value of y to 1 and then only tick transitions are possible in M1 . This is re!ected in M1 as the tick sequence ending in a sel!ooped tick state. Considering M2 in isolation, the transition is not initially enabled and there are no other transitions of M2 that could change the value of y or z to enable . As a result, M2 is simply a tick sel!ooped at an initial state with state output (y z ) = (0 0). M1 and M2 do not have any states with state output (y z ) = (1 1) so clearly for any compatible SELTS interface I that synchronizes on the values of y and z, M1 jI ]j M2 will not produce the same computations or even observed computations as M1 kM2 . This result is not particularly surprising since the TTM parallel composition operator does not place any restrictions on how one TTM may access another TTM's variables other than the restrictions upon transitions with shared labels. These restrictions in turn can allow a TTM to prevent any transition in another TTM, simply by having a transition with the same label and a false enablement condition. In the case of M1 and M2 , these two TTMs were designed with speci c interfaces in mind. In order to produce interesting behavior, M1 expects changes in the value of z. To avoid transition label con!icts we could associate a transition label (or labels) with the transitions which M1 expects to change z, for example ( z). By adding a nondeterministic transition := (true z : 0% z : 1] 0 1) to M1 , we provide a well de ned interface for M2 without restricting how M2 may alter z. The semicolon occurring in the operation function of this particular transition indicates that when occurs, a choice is made between setting z = 0 and z = 1 in the next state (see Section 2.2.1 p. 24). Similarly we may add := (true y : 0% y : 1] 0 1) to the transition set of c1 M2 to provide an interface for our new M1. Denote these augmented TTMs by M c2 respectively. Their generated SELTS are shown in Figure 4.5. 
For the sake and M of legibility, sel!ooped and transitions have been omitted from all of the states c1kMc2, the shared of Mc1 and Mc2 respectively. In the TTM parallel composition M transition would be given by
QQ Q QQ Q
Q Q
:= (y = z ^ true h0 max(0 1) min(1 1)) 105
Q
Q c1 M
tick
y=0
y=1
tick
y=0
y=1
tick
z=0 z=1
tick
c2 M
y=0 y=1
z=0 z=1 tick
tick
tick
y=0 y=1
z=0 z=1 tick
c1 Mc2. Figure 4.5: SELTS for augmented TTMs M = (y = z y : y 2 1] 1 1)
From De nition 2.7, h0 is the operation function that results from making transitions only to those new state assignments that are possible in both component systems. Since can make arbitrary changes to y in M2 , the composite transition results in changes to y that are identical to those produced by M1. Similarly := (y 6= z z : c1kMc2. Therefore we conclude that Mc1kMc2 = M1kM2. z 2 1] 1 1) in M We can now take I := (f tickg idQfyzg idQfyzg ) to be our SELTS interface. This choice of I forces synchronization on and tick events, and the value of the shared variables which is the state output of both systems. Applying the de nition of stateevent synchronous composition for Mc1 jI ]j Mc2 we obtain a SELTS that is isomorphic to M1 kM2 . Thus we see that when TTMs are de ned with \compatible interfaces", the composition of their generated SELTS indeed produces identical strongly observed computations to the generated SELTS of their composition . This property is signi cant because in the special case of interface compatible TTMs, it reduces composition at the TTM level to composition at the SELTS level. Thus anything that we can say about the compositional properties of SELTS can be
Q Q
Q
106
applied to these \interface compatible" TTMs. We call these TTMs with interfaces \TTM modules". In formally de ning modules we assume that system components are designed to have a particular interface with other components. This is speci ed in terms of input and output variables paired with labels of transitions (events) to be executed synchronously with other system modules when changes are made to the associated input or output variable. Recalling from Section 2.2.2 that for T , a set of TTM transitions, (T ) denotes the set of transition labels used in T , we are now ready to de ne TTM modules.
De nition 4.19 A TTM module is de ned to be a TTMinterface pair m := (M I ) where M := hV T i is a TTM and I is an interface for M such that
I := (Vin in Rin Vout out Rout) The components of I are:
Vin V is a set of input variables in is a set of input transition labels such that in \ (T ) = Rin in Vin is the module's input relation, a relation between input transition labels and variables
Vout V is a set of output variables out (T ) is a set of output transition labels. It includes all the transitions of M that modify one or more output variables.
Rout out Vout is the module's output relation, a relation that contains a ( v) pair for every output transition that modi es an output variable v .
In the above de nition, M is a TTM partially specifying the module's behavior. It does not specify the behavior of input transitions or input variables. The above de nition requires that transition labels occurring in in are not already used by 107
the TTM M and hence will not have any restrictions placed upon them by M . Such \input transitions" will only be allowed to aect the behavior of M through modifying the value of the input variables they are associated with in Rin . The constraint placed upon the module's output transition label set out states that if v is an output variable then the transition label of any transition belonging to M that aects v must appear in out . The transition label/variable pair ( v) must then appear in the output relation Rout . More formally, for := (e h l u) 2 T , if there exist v 2 Vout and state assignments q q0 2 QV such that q0 2 h(q) (q0 is an successor of q) and q0(v) 6= q(v) then 2 out and ( v) 2 Rout. Let us go back and rede ne the TTMs M1 and M2 of Example 4.18 as TTM modules. The systems can be described by modules mi := (Mi Ii ) i = 1 2 where
I I I
1 2
:= (in Vin Rin out Vout Rout)
:= (f g fzg f( z)g fg fyg f( y)g) := (fg fyg f( y)g f g fzg f( z)g)
Note that the interfaces of m1 and m2 appear to be \compatible" since one system's input relation equals the other's output relation. We will have more to say on the matter of TTM module compatibility following the de nition of the SELTS generated by a module. In Example 4.18 the TTMs M1 and M2 were augmented by adding nondeterministic input transitions that could make arbitrary changes to each ystem's input variables, thereby representing all possible actions that other modules could perform at c1 Mc2 generated the system's interface. As a consequence, these augmented TTMs M SELTS that result in a SELTS composition that was isomorphic to the SELTS generated by the TTM parallel composition of the augmented TTMs. We will generalize this result to the composition of any two \compatible" TTM modules. We begin by de ning the augmented TTM of a module. In the following de nition we use the fact that for any function f : A ! B , ker(f ), the equivalence kernel of f , de nes a mapping ker(f ) : A ! P (A), a 7! a= ker(f ). Here a= ker(f ) := fa0 2 A : f (a0 ) = f (a)g is 108
the ker(f ) equivalence class of a.
De nition 4.20 Consider m, a TTM module as in De nition 4.19. For 2 in
out let V := fv 2 V : ( v) 2 Rin Rout g. Then the augmented TTM of m, denoted c, is the TTM Mc := hV T 0i where M
T 0 := T f := (true h 0 1) : 2 in and h = ker(PQ
V;V
)g
Here PQV;V : QV ! QV;V is the canonical projection from state assignments over V onto the state assignments over V ; V.
c are identical to those of m's TTM M , while The variable set and initial condition of M T 0 is obtained from T , the transition set of M , by the addition of input transitions. For each 2 in, 's operation function h maps the current state assignment to the set of all state assignments that dier only in the value of variables v 2 Vin such that ( v) 2 Rin . More formally, for 2 in , h : Q ! P (Q) such that q 7! q= ker(PQV;V ). But q= ker(PQV;V ) = fq0 2 Q : PQV;V (q0) = PQV;V (q)g = fq0 2 Q : 8v 2 V ( v) 62 Rin implies q0(v) = q(v)g
c. Thus variables in V ; V are unchanged by the occurrence of an transition in M Now we can de ne the SELTS generated by a module to be a relabeling of the SELTS generated by the module's augmented TTM. We relabel the SELTS events by replacing all transitions that are not tick, input, or output transitions by . The states are relabeled by projecting the state assignments (the state outputs for the augmented TTM's SELTS) onto the state assignments over the module's input and output variables. This SELTS relabeling allows us to hide internal transitions and variables while retaining the input/output behavior of the system.
Definition 4.21 Let m be a TTM module as defined in Definition 4.19. Define r := (r_Σ, r_P) to be the SELTS relabeling such that

$$r_\Sigma(\sigma) = \begin{cases} \sigma & \text{if } \sigma \in in \cup out \cup \{tick\} \\ \tau & \text{otherwise} \end{cases}$$

and r_P := P_{Q_V, Vin ∪ Vout} is the canonical projection from state assignments over V to state assignments over Vin ∪ Vout. Then the SELTS generated by the TTM module m is defined to be 𝒬_m := r(𝒬_{M̂}).
In Definition 4.21 the operation functions of the augmenting "input" transitions of M̂ map the current state assignment to all possible variations of assignments to the input variables associated with the transition label σ. Since we are restricting ourselves to finite state SELTS with finite event sets, we must restrict ourselves to input variables with finite range spaces. This is adequate to handle the industrial example of Chapter 5. While it should be possible to extend the theory to handle variables with infinite range spaces, that is beyond the scope of this thesis. Having defined the SELTS generated by a module, we can immediately apply all the formal methods developed for transition systems to TTM modules. For example, if EQ is an SELTS equivalence relation then we say that module m1 is EQ equivalent to module m2, written m1 EQ m2, iff I1 = I2 and 𝒬_{m1} EQ 𝒬_{m2}. Similarly the definition of satisfaction of a temporal logic formula 𝒬 ⊨ F for SELTS found in Section 4.1.2 can be applied to a TTM module m by saying that m satisfies the temporal logic formula F iff the SELTS generated by m satisfies F (i.e. m ⊨ F iff 𝒬_m ⊨ F). We now generalize the "interface compatibility" of the modules from Example 4.18. For the formal definition of interface compatibility we will be dealing with a pair of modules m1, m2 and referencing specific elements of these modules' interfaces. As a notational convenience we will parameterize the interface specification of the TTM module definition by the module name.
Definition 4.22 Let TTM modules m1 := (M1, I(m1)) and m2 := (M2, I(m2)) be given. For i = 1, 2, Mi := ⟨Vi,Θi, Ti⟩, and write

I(mi) := (in(mi), Vin(mi), Rin(mi), out(mi), Vout(mi), Rout(mi))

Then we say that m1 and m2 are interface compatible modules iff all the following conditions hold:

(i) Σ(T1) ∩ Σ(T2) = {tick}
(ii) for i = 1, 2, V1 ∩ V2 ⊆ Vin(mi) ∪ Vout(mi)
(iii) for i ≠ j, Rout(mi) ∩ [out(mi) × (V1 ∩ V2)] ⊆ Rin(mj)
(iv) for i ≠ j, Rin(mi) ∩ [in(mi) × (V1 ∩ V2)] ⊆ Rin(mj) ∪ Rout(mj)

Condition (i) states that for interface compatible modules m1 and m2, their TTMs M(m1) and M(m2) only share the tick transition. Since out(mi) ⊆ Σ(Ti), this condition implies that out(m1) ∩ out(m2) = ∅ so there can be no conflicts with output transition labels. By (ii) shared variables are required to appear in Vin(mi) and/or Vout(mi) of both modules to ensure that interacting TTMs do not have naming conflicts of internal variables. Condition (iii) requires that all output transition labels associated with a shared variable in one system must be paired with the shared variable in the other system's Rin(mj) relation. Finally (iv) demands that if v is a shared variable and σ is an input transition label for v in mi, then in mj σ is either an input transition label for v or an output transition label. In this way input to a shared variable is expected to come from an outside source to both systems via the same transition label, or mj is supplying the input to mi via its output transition label σ. Note that the above conditions do not rule out the possibility of v ∈ V1 ∩ V2 being both an input and an output to both systems. Conditions (iii) and (iv) force any event label one system uses for output of v to be used for input of v in the other system. The other system can then use a different transition label for its output of v which then must similarly be used for input of v in the first module.
After defining interface compatibility we can now define the composition of modules. The definition below relies on the intuition that while only one system can output to a shared variable at a given time, many systems can simultaneously receive that output at their inputs (via a broadcast mechanism). Hence the Rout relation of the composite system is simply the union of the Rout(mi) relations of the component systems. Even if a transition label/variable pair that is the output of one system is the input to the other system, the label/variable pair is removed from the composite system's Rin relation. It remains an output pair of the composite system to enable other systems to receive changes to the variable in further synchronous products.
Definition 4.23 Given interface compatible modules m1, m2, as in Definition 4.22, the synchronous composition of m1 and m2 is defined to be the TTM module m1‖m2 := (M1‖M2, I(m1‖m2)) where the components of I are:

$$\begin{aligned}
in(m_1 \| m_2) &= (in(m_1) \cup in(m_2)) \setminus (out(m_1) \cup out(m_2)) \\
Vin(m_1 \| m_2) &= \{v \in Vin(m_1) \cup Vin(m_2) : \exists \sigma \in in(m_1 \| m_2),\ (\sigma, v) \in Rin(m_1 \| m_2)\} \\
Rin(m_1 \| m_2) &= (Rin(m_1) \cup Rin(m_2)) \setminus (Rout(m_1) \cup Rout(m_2)) \\
out(m_1 \| m_2) &= out(m_1) \cup out(m_2) \\
Vout(m_1 \| m_2) &= Vout(m_1) \cup Vout(m_2) \\
Rout(m_1 \| m_2) &= Rout(m_1) \cup Rout(m_2)
\end{aligned}$$

In the above definition we can not merely set Vin(m1‖m2) = (Vin(m1) ∪ Vin(m2)) \ (Vout(m1) ∪ Vout(m2)) as one might expect given the formulas for in(m1‖m2) and Rin(m1‖m2). To avoid output transition label conflicts in other systems, a given input transition label σ (and hence transition label/variable input pair (σ, v)) can only be used by one module with the output transition label σ. This restriction does not prevent another module from writing to v via another input transition label as a given variable may have multiple input transitions. In the case of the modules associated with the systems of Example 4.18, m1‖m2 := (M1‖M2, I(m1‖m2)) where
I(m1‖m2) := (∅, ∅, ∅, out(m1) ∪ out(m2), {y, z}, Rout(m1) ∪ Rout(m2))

The absence of any input transition labels, variables and input pairs indicates that M1‖M2 is a closed system that does not require input from an external source. Hence M1‖M2 completely specifies the behavior of the output variables y, z. The following lemma will help us to prove that for interface compatible modules, the SELTS generated by the composition of the modules and the SELTS resulting from the composition of the SELTS generated by each module differ only in the labeling of their underlying state sets. Hence they produce identical sequences of state outputs and connecting events. Thus our ultimate goal is to show that for an appropriate SELTS interface I, 𝒬_{m1‖m2} is isomorphic to 𝒬_{m1} |[I]| 𝒬_{m2}. We begin by showing that $\mathcal{Q}_{\widehat{M_1 \| M_2}}$ is isomorphic to $\mathcal{Q}_{\widehat{M}_1} |[I]| \mathcal{Q}_{\widehat{M}_2}$. The desired result then follows by applying relabelings to these systems to produce 𝒬_{m1‖m2} and 𝒬_{m1} |[I]| 𝒬_{m2}.
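The compatibility conditions (i) to (iv) of Definition 4.22 and the interface formulas of Definition 4.23 can be checked mechanically over finite label and variable sets. The following Python code is an added example written for this section; it is not part of the thesis or of any tool the thesis describes. The modules M1, M2, M3, MA and MB, the labels "a", "b", "c", "i1", "i2" and "iA", and the variable names x1, x2, xA, xB and v are constructed for the example. The function `naive_v_in` computes the formula that the text says cannot be used for Vin(m1‖m2), so that it can be compared with the definition on a case where the two differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """I(m) = (in, Vin, Rin, out, Vout, Rout), as in Definition 4.22."""
    sig_in: frozenset    # input transition labels
    v_in: frozenset      # input variables
    r_in: frozenset      # (label, variable) input pairs
    sig_out: frozenset   # output transition labels
    v_out: frozenset     # output variables
    r_out: frozenset     # (label, variable) output pairs


@dataclass(frozen=True)
class Module:
    labels: frozenset     # labels of the module's own TTM transitions, tick included
    variables: frozenset  # every variable of the TTM, internal ones included
    iface: Interface


def module(sig_in, v_in, r_in, sig_out, v_out, r_out, labels, variables):
    """Build a Module from plain sets (helper constructed for this example)."""
    f = frozenset
    return Module(f(labels), f(variables),
                  Interface(f(sig_in), f(v_in), f(r_in), f(sig_out), f(v_out), f(r_out)))


def interface_compatible(m1, m2):
    """Conditions (i) to (iv) of Definition 4.22."""
    shared = m1.variables & m2.variables
    if m1.labels & m2.labels != frozenset({"tick"}):           # (i)
        return False
    for m in (m1, m2):                                           # (ii)
        if not shared <= (m.iface.v_in | m.iface.v_out):
            return False
    for mi, mj in ((m1, m2), (m2, m1)):
        out_shared = {(s, v) for (s, v) in mi.iface.r_out if v in shared}
        if not out_shared <= mj.iface.r_in:                      # (iii)
            return False
        in_shared = {(s, v) for (s, v) in mi.iface.r_in if v in shared}
        if not in_shared <= (mj.iface.r_in | mj.iface.r_out):    # (iv)
            return False
    return True


def compose_interface(m1, m2):
    """I(m1 || m2) of Definition 4.23; refuses incompatible modules."""
    if not interface_compatible(m1, m2):
        raise ValueError("modules are not interface compatible")
    a, b = m1.iface, m2.iface
    sig_out = a.sig_out | b.sig_out
    r_out = a.r_out | b.r_out
    sig_in = (a.sig_in | b.sig_in) - sig_out
    r_in = (a.r_in | b.r_in) - r_out
    # a variable stays an input only if some surviving input pair still feeds it
    v_in = frozenset(v for v in a.v_in | b.v_in
                     if any((s, v) in r_in for s in sig_in))
    return Interface(sig_in, v_in, r_in, sig_out, a.v_out | b.v_out, r_out)


def naive_v_in(m1, m2):
    """The formula the text warns against: (Vin1 u Vin2) minus (Vout1 u Vout2)."""
    a, b = m1.iface, m2.iface
    return (a.v_in | b.v_in) - (a.v_out | b.v_out)


# Constructed modules in the spirit of Example 4.18: M1 outputs y on label "a"
# and reads z on label "b"; M2 is the mirror image. All names are assumptions.
M1 = module({"b"}, {"z"}, {("b", "z")}, {"a"}, {"y"}, {("a", "y")},
            labels={"tick", "a", "i1"}, variables={"x1", "y", "z"})
M2 = module({"a"}, {"y"}, {("a", "y")}, {"b"}, {"z"}, {("b", "z")},
            labels={"tick", "b", "i2"}, variables={"x2", "y", "z"})
# M3 reuses M1's label "a" for an internal transition, violating condition (i).
M3 = module({"a"}, {"y"}, {("a", "y")}, {"b"}, {"z"}, {("b", "z")},
            labels={"tick", "b", "a"}, variables={"x2", "y", "z"})
# MA reads v on two labels; MB supplies v on "a" and also reads it on "c", so
# the composite keeps v as an input even though v is an output of MB.
MA = module({"a", "c"}, {"v"}, {("a", "v"), ("c", "v")}, set(), set(), set(),
            labels={"tick", "iA"}, variables={"xA", "v"})
MB = module({"c"}, {"v"}, {("c", "v")}, {"a"}, {"v"}, {("a", "v")},
            labels={"tick", "a"}, variables={"xB", "v"})

if __name__ == "__main__":
    print(compose_interface(M1, M2))
    print(compose_interface(MA, MB).v_in, naive_v_in(MA, MB))
```

For M1 and M2 the composite has empty in, Vin and Rin, the closed system of Example 4.18. For MA and MB the pair (a, v) is consumed inside the composite, but (c, v) survives in Rin(MA‖MB), so v remains an input variable; the naive difference of variable sets would wrongly drop it.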
Lemma 4.24 Let m1, m2 be two interface compatible TTM modules as in Definition 4.22, and I := (Σ_I, P_{Q_{V1 ∩ V2}}, P_{Q_{V1 ∩ V2}}) be the SELTS interface, where

$$\Sigma_I := [(in(m_1) \cup out(m_1)) \cap (in(m_2) \cup out(m_2))] \cup \{tick\}$$

and P_{Q_{V1 ∩ V2}} is the canonical projection onto the state assignments over V1 ∩ V2. Then the reachable parts of $\mathcal{Q}_{\widehat{M_1 \| M_2}}$ and $\mathcal{Q}_{\widehat{M}_1} |[I]| \mathcal{Q}_{\widehat{M}_2}$ are isomorphic.
Proof: As a notational convenience, let

$$\begin{aligned}
\mathcal{Q}_L &:= \mathcal{Q}_{\widehat{M_1 \| M_2}} = \langle Q_L, \Sigma_L, R_L, q_L^0, P_L \rangle \\
\mathcal{Q}_R &:= \mathcal{Q}_{\widehat{M}_1} |[I]| \mathcal{Q}_{\widehat{M}_2} = \langle Q_R, \Sigma_R, R_R, q_R^0, P_R \rangle \\
\mathcal{Q}_1 &:= \mathcal{Q}_{\widehat{M}_1} = \langle Q_1, \Sigma_1, R_1, q_1^0, P_1 \rangle \\
\mathcal{Q}_2 &:= \mathcal{Q}_{\widehat{M}_2} = \langle Q_2, \Sigma_2, R_2, q_2^0, P_2 \rangle
\end{aligned}$$

First we establish that Σ_L = Σ_R. From Definitions 4.21 and 4.23 it follows that

$$\begin{aligned}
\Sigma_L &= \Sigma(T_1 \| T_2) \cup in(m_1 \| m_2) \\
&= (\Sigma(T_1) \cup \Sigma(T_2)) \cup [(in(m_1) \cup in(m_2)) \setminus (out(m_1) \cup out(m_2))] && \text{by Def. 2.7 and Def. 4.23} \\
&= (\Sigma(T_1) \cup in(m_1)) \cup (\Sigma(T_2) \cup in(m_2)) && \text{since } out(m_i) \subseteq \Sigma(T_i) \text{ for } i = 1, 2 \\
&= \Sigma_1 \cup \Sigma_2 && \text{by Def. 4.21} \\
&= \Sigma_R && \text{by def. of } |[I]|
\end{aligned}$$
We now examine the underlying state sets of 𝒬_L and 𝒬_R. Recall from Section 2.2.3, p. 30, that in order to obtain a finite state representation of a TTM M := ⟨V, Θ, T⟩, for α := (e, h, l, u) ∈ T, the range space of c_α, the counter variable associated with α, is defined to be:

$$Range_M(c_\alpha) := \begin{cases} \{n \in \mathbb{N} : n < l\} \cup \{\infty\} & \text{if } u = \infty \\ \{n \in \mathbb{N} : n \le u\} & \text{otherwise} \end{cases}$$

Q_L, the state set of 𝒬_L, is the set of extended state assignments for $\widehat{M_1 \| M_2}$ (i.e. the cross product of the state assignments over the variables of the TTM and the range spaces of the TTM transition counter variables). For σ ∈ in(m1‖m2), in M_L := M1‖M2 we have the "input transition" τ_σ := (true, h_σ, 0, ∞). Therefore in this case Range_{M_L}(c_{τ_σ}) = {∞}. Thus,

$$\begin{aligned}
Q_L &= Q_{V_1 \cup V_2} \times \prod_{\alpha \in \Sigma_L} Range_{M_L}(c_\alpha) \\
&= Q_{V_1 \cup V_2} \times \prod_{\alpha \in \Sigma(T_1) \cup \Sigma(T_2)} Range_{M_L}(c_\alpha) \times \prod_{\sigma \in in(m_1 \| m_2)} Range_{M_L}(c_\sigma) \\
&= Q_{V_1 \cup V_2} \times \prod_{\alpha \in \Sigma(T_1) \cup \Sigma(T_2)} Range_{M_L}(c_\alpha) \times \prod_{\sigma \in in(m_1 \| m_2)} \{\infty\} \\
&= Q_{V_1 \cup V_2} \times \prod_{\alpha \in \Sigma(T_1) \cup \Sigma(T_2)} Range_{M_L}(c_\alpha) \times \{\infty\}^{|in(m_1 \| m_2)|}
\end{aligned}$$
From the definition of |[I]| we know that the state set of 𝒬_R is the cross product of the state sets of 𝒬_{M̂1} and 𝒬_{M̂2}. The state set Q_i is the set of extended state assignments of M̂_i for i = 1, 2. We now apply the method used in the development of Q_L to obtain Q_R.

$$\begin{aligned}
Q_R &= Q_{V_1} \times \prod_{\alpha \in \Sigma(T_1)} Range_{\widehat{M}_1}(c_\alpha) \times \prod_{\sigma \in in(m_1)} Range_{\widehat{M}_1}(c_\sigma) \times Q_{V_2} \times \prod_{\alpha \in \Sigma(T_2)} Range_{\widehat{M}_2}(c_\alpha) \times \prod_{\sigma \in in(m_2)} Range_{\widehat{M}_2}(c_\sigma) \\
&= Q_{V_1} \times \prod_{\alpha \in \Sigma(T_1)} Range_{\widehat{M}_1}(c_\alpha) \times \{\infty\}^{|in(m_1)|} \times Q_{V_2} \times \prod_{\alpha \in \Sigma(T_2)} Range_{\widehat{M}_2}(c_\alpha) \times \{\infty\}^{|in(m_2)|}
\end{aligned}$$
By the definition of interface compatible modules (Def. 4.22) it follows that M̂1 and M̂2 only share the tick transition label. Thus by the TTM parallel composition definition (Def. 2.7), if α1 := (e, h, l, u) ∈ T1, then α1 := (e, h', l, u) ∈ T1‖T2 where

$$h' := h \times id_{Q_{V_2 \setminus V_1}} \qquad (\ddagger)$$

Thus the only difference in the transitions is that h' has been extended appropriately to V1 ∪ V2. But then Range_{M̂1}(c_{α1}) = Range_{M_L}(c_{α1}). By identical reasoning for α2 := (e, h, l, u) ∈ T2, we also know that Range_{M̂2}(c_{α2}) = Range_{M_L}(c_{α2}).
From the above discussion, we see that a typical q_L ∈ Q_L is

$$q_L = (q, c_{\alpha_{11}}, \ldots, c_{\alpha_{1m}}, c_{\alpha_{21}}, \ldots, c_{\alpha_{2n}}, \infty, \ldots, \infty)$$

where α11, …, α1m ∈ T1 and α21, …, α2n ∈ T2, while q ∈ Q_{V1 ∪ V2}. Thus we can define an embedding of Q_L into Q_R, denoted f : Q_L → Q_R, by

$$f(q_L) = (P_{Q_{V_1}}(q), c_{\alpha_{11}}, \ldots, c_{\alpha_{1m}}, \infty, \ldots, \infty, P_{Q_{V_2}}(q), c_{\alpha_{21}}, \ldots, c_{\alpha_{2n}}, \infty, \ldots, \infty)$$

Clearly f is one to one. It is not onto Q_R if V1 ∩ V2 ≠ ∅ since for v ∈ V1 ∩ V2 there are elements (q1, q2) ∈ Q1 × Q2 such that q1(v) ≠ q2(v). But, by the definition of synchronous composition, these states are not reachable in 𝒬_R because of their conflicting state output values. Therefore while f is not onto, the set of reachable states of 𝒬_R is a subset of f(Q_L). For any state such as q_L, the state output of q_L in 𝒬_L is P_L(q_L) = q. In 𝒬_R, P_R(f(q_L)) = P_{Q_{V1}}(q) ∪ P_{Q_{V2}}(q) = q. Thus in order to show that f defines an isomorphism of the reachable parts of 𝒬_L and 𝒬_R, all that remains is to show that for all σ ∈ Σ_L and q_L, q_L' ∈ Q_L, $q_L \xrightarrow{\sigma} q_L'$ in 𝒬_L iff $f(q_L) \xrightarrow{\sigma} f(q_L')$ in 𝒬_R. This follows immediately from the following two facts. First, (‡) above guarantees that any non-input transition has time bounds and an operation function that are unchanged in the composite system. Thus the occurrence of a transition in the composite system produces the same variable and transition clock updates as in the individual components. Second, in the composition at either the TTM level or the SELTS level, a transition of one component is never blocked by the other TTM or SELTS. This follows from the interface compatibility of the modules ensuring that an input transition, if required, is always available to match another system's output transition. □
The relabeling that produces 𝒬_m from 𝒬_{M̂} results in a coarser state output map to the system's input and output variables and relabels by τ internal transitions that do not take part in any synchronizations with compatible modules. Therefore as an immediate consequence of Lemma 4.24 we obtain the following corollary.
Corollary 4.25 Given two interface compatible TTM modules m1 and m2, then for the SELTS interface I as defined in Lemma 4.24, the reachable part of 𝒬_{m1‖m2} is isomorphic to the reachable part of 𝒬_{m1} |[I]| 𝒬_{m2}.
We do not have to worry about stopping time when composing interface compatible TTMs. Since each system allows arbitrary combinations of input events, the progress of time is never blocked by composition at the SELTS level, as it was in Example 4.18 when 𝒬_2 could not match the state output change of 𝒬_1. We can now state the TTM module version of Theorem 3.31 as an immediate consequence of Corollary 4.25.

Theorem 4.26 Let m_{Li}, m_{Ri} be TTM modules such that m_{Li} and m_{Ri} are interface compatible for i = 1, 2. If m_{L1} ≈_se m_{L2} and m_{R1} ≈_se m_{R2} then

(m_{L1} ‖ m_{R1}) ≈_se (m_{L2} ‖ m_{R2})

This result together with Theorem 4.17 allows us to perform compositionally consistent model reduction of TTM modules.
4.5 Summary

The main contribution of this chapter is the development of a computationally effective weak model reduction technique for a simple discrete time temporal logic. The model reduction is done in a compositionally consistent way as a result of using the systems' state-event quotient systems. The method works for the subclass of state-event stuttering-invariant formulas defined in Section 4.3.3. These formulas are robust with respect to state-event "stuttering," changes in the length of subsequences of unobservable events that do not cause observable state changes. In developing the subclass of SESI formulas we defined the notion of weak satisfaction of a temporal formula. Weak satisfaction, which can be thought of as a satisfaction relation capturing a system's observable behavior, reduces to standard satisfaction for SESI formulas. TTM modules were defined to allow the model reduction results for SELTS to be applied to systems modeled by TTMs.
Chapter 5

Design and Verification of an Industrial Real-time Controller

This chapter illustrates, via the design of a reactor shutdown system, the use of state-event equivalence as both a model reduction technique for the real-time linear temporal logic specification/verification method and an equivalence verification method in its own right. In the process we demonstrate how a design can benefit from the combined application of these two formal methods. Traditionally in equivalence verification one has a "low level" detailed model of the implementation and a "high level" abstract model of the specification. One then verifies, via computational or transformational methods, that the two models are equivalent in a well defined sense. In the case of the reactor shutdown system, equivalence-preserving transformations (Appendix A) have been used to demonstrate that an implementation TTM module is weakly state-event equivalent to a specification module (see Appendix B). This is the point where traditional equivalence verification schemes are finished with a verification problem. The assumption is that the specification model properly characterizes the requirements of the system. In the example presented here, after performing equivalence verification we then use real-time temporal logic as an alternative means of specification. Model checking is then used to verify that the specification TTM module satisfies the temporal logic specifications. By Section 4.4, the model checking results for the implementation TTM module can then be inferred from the specification module results. In the case that the high level system (and hence the low level system) fails to satisfy the desired temporal properties, the system is redesigned to satisfy the properties. One could then perform a top down design by using the equivalence preserving transformation to refine the redesigned specification into a workable implementation which is guaranteed to satisfy the temporal logic specifications. We will see that model checking helps to identify subtle bugs that are often incorporated into high level specifications and therefore go undetected when only using equivalence verification techniques. Conversely, the ability to model check high level models and infer the results for low level models has the potential to dramatically improve the performance of model checking and, in some cases, perform model checks that would otherwise be impossible due to the state explosion resulting from the composition of low level models. The above concepts will be illustrated by the "simple" real-time control software verification problem that is described in Section 5.1. The equivalence verification proof that was done previously in [Law92] can be found in Appendix B. We take the software verification problem a step further through the application of temporal logic model-checking in Section 5.2. The scope of the verification problem is then widened in Section 5.3 to consider the behavior of the closed-loop system with redundant controllers operating concurrently. We attempt to verify the temporal logic specifications of the previous section's single controller implementation with interesting results.
5.1 The Delayed Reactor Trip System

In general it is easier to understand a mathematical theory if one can relate the theory to a physical example. This section introduces the Delayed Reactor Trip (DRT) problem, a real-time software verification example from the nuclear industry. After describing the DRT setting the software verification problem is recast as a TTM module equivalence verification problem. The solution to an equivalent formulation of the DRT example, first put forward in [Law92] and [LW95], is included in Appendix B. For the next generation of reactors a company hopes to use microprocessor implementations for many of the control systems that were previously implemented using discrete and analog components. The main reasons for the switch to digital control systems are the cost savings and greater flexibility typically associated with microprocessor based systems. A question that now arises is whether the new systems behave the same as the old systems. That is, are the two implementations equivalent?
5.1.1 Setting and Assumptions

The DRT system is typical of many real-time problems from industry. When a certain set of circumstances arises, we want the system to produce the correct response in a timely fashion. In this case when the reactor pressure and power exceed acceptable safety limits in a particular way, we want the DRT control system to trip a relay causing the reactor to shut down. The result of the DRT system failing to shut down the reactor could be catastrophic. Conversely, each time the reactor is improperly shut down, the utility operating the reactor may lose hundreds of thousands of dollars as fossil fuel powered generating stations have to be brought on line to meet demand. Clearly it is important that the DRT behave in a very specific manner.

Figure 5.1: Block Diagram for the DRT System (blocks: Reactor Pressure, Reactor Power, Reactor Trip System, Trip Relay State)

The desired input/output relationship for the DRT block diagram has the following informal description: if the power exceeds power threshold PT and the pressure exceeds delayed set point DSP, then wait for 3 seconds. If after 3 seconds the power is still greater than PT, then open the relay for 2 seconds. The old implementation of the DRT using timers, comparators and logic gates is shown in Figure 5.2. The hardware implementation is almost a direct translation of the above informal specification. When the reactor power and pressure exceed PT and DSP respectively, the comparators cause Timer1 to start. Timer1 times out after 3 seconds, sending
a signal to one input of the second AND gate. The other input of the second AND gate is reserved for the output of the power comparator. The output of the second AND gate causes Timer2 to start if the power is exceeding its threshold and Timer1 has timed out. Once Timer2 starts it runs for 2 seconds while signaling the relay to remain open.

Figure 5.2: Analog Implementation of the DRT System (blocks: Pressure, Power, AND, Timer 1, AND, Timer 2, Relay)

The new DRT system is to be implemented on a microprocessor system with a cycle time of 100ms. That is, the system samples the inputs and passes through a block of control code every 0.1 seconds. We assume that the input signals have been properly filtered and that the sampling rate is sufficiently fast to ensure proper control. Figure 5.3 contains the pseudocode for a proposed control program for the microprocessor. The program makes use of the variables Pressure, Power and Relay for the sampled DRT system inputs and output respectively. Also, the code mimics the original analog implementation by using integer counter variables c1 and c2 in place of Timer1 and Timer2 respectively. In the pseudocode we say that a counter is "reset" when it is set to its initial value (i.e. 0 in the pseudocode TTM model below). A counter variable may then be incremented in place of starting the timer it represents. With each subsequent pass through the block of code, the counter variable is incremented to represent the passage of another 100ms since the represented timer was started. Once the counter variable is equal to or exceeds a value appropriate for the particular timer and given cycle time (30 for c1 and 20 for c2 in the case when the cycle time is 100ms), we say that the counter variable has "timed out". The use of the
terms "reset" and "timed out" in the pseudocode abstracts from the implementation details so that the pseudocode does not have to be rewritten if the cycle time of the microprocessor is changed. That the original hardware implementation satisfies the informal specification seems obvious at a glance. The answer to the question of whether a microprocessor implementing the algorithm of Figure 5.3 satisfies the informal requirements above is somewhat more problematic. To help answer this question we now pose the DRT problem in the TTM framework.

5.1.2 Modeling the Delayed Reactor Trip Specification

By modeling the DRT specification as a TTM we can remove any ambiguities from the informal specification and ensure that the input/output behavior of the microprocessor system is completely determined. When the DRT is implemented in the actual reactor there are three identical DRT systems running in parallel, with the final decision on when to shut down the reactor implemented on a majority rule basis (see Section 5.3). As a result it is important that an individual system be able to recover when it is in disagreement with the other two systems. Also a system should never deadlock. For instance, after the power and pressure have exceeded their critical values and the system has waited 3 seconds to check the power level again, if the power is below its threshold value PT, then we wish the system to reset and go back to monitoring both inputs. This is implicit in the informal specification. Unfortunately, as most systems designers are painfully aware, computers require explicit instructions if their behavior is to be predictable. In order to facilitate the verification process, the TTM representation of the desired I/O characteristics for the DRT is put in a form that closely resembles the microprocessor behavior. A tick of the global TTM clock is assumed to represent 100ms, the cycle time of the microprocessor. As mentioned in the previous subsection, we assume proper filtering of the input signals and a sufficiently high sample rate. Thus in the TTM specification SPEC of Figure 5.4, the enablement conditions of a transition must be satisfied for at least one clock tick before the transition can
If Power ≥ PT then
    If counter c1 is reset then
        If counter c2 is reset then
            If Pressure ≥ DSP then increment c1 Endif
        Else
            If counter c2 timed out then reset c2
            Else increment c2; open Relay
            Endif
        Endif
    Else
        If counter c1 timed out then open Relay; reset c1; increment c2
        Else increment c1
        Endif
    Endif
Else
    If counter c1 is reset then
        If counter c2 is reset then close Relay
        Else
            If counter c2 timed out then close Relay; reset c2
            Else increment c2; open Relay
            Endif
        Endif
    Else
        If counter c1 timed out then reset c1
        Else increment c1
        Endif
    Endif
Endif

Figure 5.3: Pseudocode for Proposed DRT Control Program
Figure 5.4: SPEC: TTM Representation of DRT Specification (activities a, b, c, d and e; the transition from b to c has time bounds [29, 29] and the transition from d to e has time bounds [19, 19])

SPEC Transition Table
Initial condition: x = a ∧ Relay = CLOSED
Transitions, each written as (enablement condition, [operation], lower bound, upper bound):
    (e, [ ], 1, 1)
    (Power ≥ PT, [Relay : OPEN], 1, 1)
    (True, [ ], 29, 29)
    (True, [ ], 19, 19)
    (Power < PT, [ ], 1, 1)
    (Power < PT, [Relay : CLOSED], 1, 1)
    (Power ≥ PT, [ ], 1, 1)
where e := Power ≥ PT ∧ Pressure ≥ DSP

occur. The transition from a to b has lower and upper time bounds of 1, exemplifying this filtering assumption. After this transition occurs, SPEC waits in activity b for 29 clock ticks (2.9 seconds) before proceeding to activity c. Activity c is where the power level is checked again. If the power is too high then the system opens the relay (moving to activity d), else the system resets to continue monitoring both inputs in activity a. The system then waits in activity d for 19 clock ticks (1.9 seconds) before moving to e. At e, as an added safety feature, the system is once again required to evaluate the power level. If Power ≥ PT, the system returns to activity a with the relay still open. Otherwise the system resets to a while closing the relay. From the above paragraph it is apparent that the TTM SPEC gives a more thorough description of what is required of the DRT, expanding upon the previous informal specification. It now remains to model the microprocessor system in the TTM framework before formalizing the verification problem.
5.1.3 Modeling the Microprocessor DRT Implementation

On the right hand side of Figure 5.3 is a list of transition names. Each time the microprocessor passes through the block of code represented by the pseudocode it performs one of the group of operations identified by a transition name. Identical groups of operations on the program variables are identified by identical transition names. A group of program operations then becomes the operation function of the transition. The enablement conditions for these transitions are formed by taking the conjunction of the conditions specified by the `If' statements for each occurrence of a given transition name's program operations. As an example consider e_2, the enablement condition for transition 2. The first occurrence of transition 2 happens if Pressure ≥ DSP, Power ≥ PT, c1 is reset, ¬(c2 is reset) and ¬(c2 has timed out). The second occurrence is executed if ¬(Pressure ≥ DSP), c1 is reset, ¬(c2 is reset) and ¬(c2 has timed out). Counting off 20 consecutive cycles through the code translates to an elapsed time of 2 seconds, the minimum time the relay is to remain open. If we consider the counter variables to be reset when they are equal to zero and counter c2 as timed out when c2 ≥ 20, the enablement condition of transition 2 becomes:

$$\begin{aligned}
e_2 &= (Pressure \ge DSP \wedge Power \ge PT \wedge c_1 = 0 \wedge c_2 \ne 0 \wedge c_2 < 20) \vee (Pressure < DSP \wedge c_1 = 0 \wedge c_2 \ne 0 \wedge c_2 < 20) \\
&= ((Pressure \ge DSP \wedge Power \ge PT) \vee Pressure < DSP) \wedge c_1 = 0 \wedge 0 < c_2 < 20
\end{aligned}$$

In the final step we use the fact that c2 can never be negative since it starts at c2 = 0 and all transitions reset c2 to zero or increment it.

Figure 5.5: PROG: TTM Representation of Pseudocode for DRT (a single activity with every transition a self-loop)

PROG Transition Table
Initial condition: c1 = c2 = 0 ∧ Relay = CLOSED
Transitions, each written as (enablement condition, [operation], lower bound, upper bound):
    (e_1, [c1 : c1 + 1], 1, 1)
    (c1 = 0 ∧ 1 ≤ c2 ≤ 19, [c2 : c2 + 1, Relay : OPEN], 1, 1)
    (Power ≥ PT ∧ c1 ≥ 30, [c1 : 0, c2 : c2 + 1, Relay : OPEN], 1, 1)
    (Power < PT ∧ c1 = c2 = 0, [Relay : CLOSED], 1, 1)
    (Power ≥ PT ∧ c1 = 0 ∧ c2 ≥ 20, [c2 : 0], 1, 1)
    (Power < PT ∧ c1 ≥ 30, [c1 : 0], 1, 1)
    (Power < PT ∧ c1 = 0 ∧ c2 ≥ 20, [c2 : 0, Relay : CLOSED], 1, 1)
where e_1 := (Power ≥ PT ∧ Pressure ≥ DSP ∧ c1 = c2 = 0) ∨ (1 ≤ c1 ≤ 29)

Similarly we can obtain the enabling conditions for the other transitions. As mentioned earlier, with each pass through the code, the microprocessor picks out one of the labeled blocks of code. The block chosen is the one whose enabling conditions are satisfied. The program then loops back to the start and reevaluates all the enabling conditions in the next cycle. Hence each transition has a lower and upper time bound of one. All of the above information is used to construct the simple TTM PROG (see Figure 5.5). The single activity is representative of the fact that the program is basically a large case statement implemented using If statements, the appropriate case being selected out of all possible cases on each pass through the code.
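To see how PROG behaves cycle by cycle, here is an added Python simulation written for this section; it is not code from the thesis, from [Law92] or from [Zha96]. It transcribes the seven rows of the PROG transition table into guard/operation pairs (the transition names `inc_c1`, `trip` and so on are labels chosen for this example, not the thesis's own transition labels), treats one pass through the code as one 100 ms cycle, and checks two claims made in the text: that at most one block of code is enabled in any state, so the "large case statement" is deterministic, and that the relay opens 3 seconds after power and pressure exceed their thresholds and then stays open for 2 seconds. Inputs are the sampled comparisons Power ≥ PT and Pressure ≥ DSP, constructed per cycle.

```python
from itertools import product

# A PROG state is (c1, c2, relay); the inputs are the sampled comparisons
# power_high = (Power >= PT) and pressure_high = (Pressure >= DSP).


def e1(c1, c2, power_high, pressure_high):
    """Enablement condition of the c1-incrementing transition (Figure 5.5)."""
    return (power_high and pressure_high and c1 == 0 and c2 == 0) or (1 <= c1 <= 29)


# (name, enablement condition, operation function), one per table row.
# Names are labels chosen for this example.
TRANSITIONS = [
    ("inc_c1",         lambda c1, c2, pw, pr: e1(c1, c2, pw, pr),
                       lambda c1, c2, r: (c1 + 1, c2, r)),
    ("inc_c2_open",    lambda c1, c2, pw, pr: c1 == 0 and 1 <= c2 <= 19,
                       lambda c1, c2, r: (c1, c2 + 1, "OPEN")),
    ("trip",           lambda c1, c2, pw, pr: pw and c1 >= 30,
                       lambda c1, c2, r: (0, c2 + 1, "OPEN")),
    ("close_idle",     lambda c1, c2, pw, pr: (not pw) and c1 == 0 and c2 == 0,
                       lambda c1, c2, r: (c1, c2, "CLOSED")),
    ("reset_c2",       lambda c1, c2, pw, pr: pw and c1 == 0 and c2 >= 20,
                       lambda c1, c2, r: (c1, 0, r)),
    ("reset_c1",       lambda c1, c2, pw, pr: (not pw) and c1 >= 30,
                       lambda c1, c2, r: (0, c2, r)),
    ("reset_c2_close", lambda c1, c2, pw, pr: (not pw) and c1 == 0 and c2 >= 20,
                       lambda c1, c2, r: (c1, 0, "CLOSED")),
]


def enabled(state, power_high, pressure_high):
    """Names of the transitions whose enablement condition holds in state."""
    c1, c2, _ = state
    return [name for name, guard, _ in TRANSITIONS
            if guard(c1, c2, power_high, pressure_high)]


def step(state, power_high, pressure_high):
    """One 100 ms pass through the control code; every transition has bounds [1, 1]."""
    names = enabled(state, power_high, pressure_high)
    if len(names) > 1:
        raise RuntimeError(f"non-deterministic choice {names} in {state}")
    if not names:
        return state                      # no block of code applies: idle pass
    op = next(op for name, _, op in TRANSITIONS if name == names[0])
    return op(*state)


def run(inputs, state=(0, 0, "CLOSED")):
    """Relay value after each cycle for a list of (power_high, pressure_high) samples."""
    trace = []
    for pw, pr in inputs:
        state = step(state, pw, pr)
        trace.append(state[2])
    return trace


def at_most_one_enabled():
    """Exhaustive check that PROG never has two blocks of code enabled at once."""
    return all(len(enabled((c1, c2, "CLOSED"), pw, pr)) <= 1
               for c1, c2, pw, pr in product(range(31), range(21),
                                             (False, True), (False, True)))


def trip_scenario():
    """Power and pressure high for 31 cycles, then both low.
    Returns (index of the first OPEN cycle, number of cycles held OPEN)."""
    trace = run([(True, True)] * 31 + [(False, False)] * 21)
    first = trace.index("OPEN")
    held = 0
    while first + held < len(trace) and trace[first + held] == "OPEN":
        held += 1
    return first, held


def no_trip_scenario():
    """Pressure stays high but power drops after 0.5 s: the relay must never open."""
    return run([(True, True)] * 5 + [(False, True)] * 40)


if __name__ == "__main__":
    print("deterministic:", at_most_one_enabled())
    print("first open cycle, cycles open:", trip_scenario())
    print("relay opened without sustained power:", "OPEN" in no_trip_scenario())
```

In the trip scenario the relay is still CLOSED after the 30th cycle and opens on the 31st (index 30), i.e. 3.0 s after the thresholds were crossed, and remains OPEN for exactly 20 cycles (2.0 s) before the Power < PT branch closes it; in the no-trip scenario c1 keeps counting to 30 regardless of the power level, but the timed-out branch with Power < PT merely resets c1, so the relay never opens. The idle case of the pseudocode (power high, pressure low, both counters reset) is the one state in which no transition is enabled.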
5.1.4 The Verification Problem in Terms of TTM Modules

Having modeled the internal workings of the specification and pseudocode as TTMs in the two preceding subsections, we can now create modules detailing the two models' interfaces. This will then allow us to recast the original question, `Does the program do what we want?', in terms of module equivalence. We will use spec to denote the module for the specification and prog for the module for the program. The modules' input variables are clearly Power and Pressure. With each of these variables we associate an input transition label: w for Power and p for Pressure. This gives us in := {w, p}, Vin := {Power, Pressure} and Rin := {(w, Power), (p, Pressure)}. The set of output variables for both modules is Vout := {Relay}. Then by Definition 4.19 the set of output transition labels out for both systems is the set of transition labels that modify Relay in both systems, and Rout pairs each of these labels with Relay. We define spec := (SPEC, I) and prog := (PROG, I) for

I := (in, Vin, Rin, out, Vout, Rout)

as defined above. The DRT verification problem has now been reduced to checking whether spec ≈_se prog. In [Law92] and [LW95] Equivalence Preserving Transformations were used to prove that SPEC and PROG would produce weakly equivalent timed input/output behavior. For completeness Appendix A contains a modified description of the theoretical explanation of equivalence preserving transformations that first appeared in [LW95] while Appendix B provides the proof of the input/output equivalence of SPEC and PROG that first appeared in [Law92]. In [Zha96] the algorithms for computing state-event equivalence outlined in Section 3.1 and Section 3.2 were implemented and used to verify the weak state-event equivalence of modified versions of the underlying SELTS for spec and prog. Since spec and prog have been defined with identical interfaces, the equivalence of 𝒬_{spec} and 𝒬_{prog} establishes that indeed spec ≈_se prog.
5.2 Model Checking the DRT

In [Law92], [LW95] and [Zha96], the DRT verification problem was deemed to be solved, in effect, as soon as prog was verified to be weakly state-event equivalent to spec. While the equivalence verification process proved to be useful (an error in the original pseudocode was found and fixed in [Law92]), the problem with such equivalence verification techniques is that while the implementation has been verified, its correct operation still depends upon the abstract specification model correctly capturing the desired system properties. An equivalent implementation is only as good as its specification. How can one verify that the original specification was correct? Is there any guarantee that the equivalence used in the verification process preserves the relevant system properties? For the DRT we will attempt to state some desired system properties as SESI temporal logic formulas. By verifying the temporal logic specification formulas on the DRT specification module spec using model-checking, the satisfaction preserving properties of weak state-event equivalence will guarantee that the property holds in any equivalent implementation module. Each temporal logic formula that is model-checked on the specification will also be model-checked on the equivalent implementation. Verification of the detailed implementations provides some empirical confirmation of the correctness of Theorem 4.17, and also illustrates the computational benefits of using reduced models for verification purposes. We will see in one particular case from Section 5.3 that the state explosion of the detailed implementation as redundant controllers are added to the system quickly causes the verification to become intractable, while the reduced model experiences a roughly linear increase in time and space requirements.
5.2.1 Modeling the Reactor

Before model-checking our DRT design we have to "close the loop" by composing a model of our plant (the reactor system) with our controller model (spec or prog). Among computer specialists, modeling the plant is commonly referred to as "specifying the operating environment" of the "embedded system" (controller). Initially we will use an extremely simple model of the plant that places only minimal restrictions upon the behavior of the reactor Power and Pressure variables. Later we will make some further assumptions about the plant in order to guarantee desirable system properties and illustrate the compositional model reduction theory of the previous chapters. A block diagram and the initial TTM model of the internal structure of the reactor are shown in Figure 5.6. PLANT consists of two TTMs running in parallel. OUTPUT models the "dynamics" of PLANT's outputs Power and Pressure as variables that both initially have LO values (values below their respective threshold values; HI will be assigned to Power or Pressure to indicate values exceeding the respective thresholds). Each variable may be altered at most once between successive clock ticks by w (for Power) and p (for Pressure). The reactor's relay is modeled by TTM RELAY. We assume that RELAY's activity variable xRELAY represents the current state of the reactor's relay. A change to the reactor's input variable Relay causes an "instantaneous" change in xRELAY (i.e. before the next clock tick, provided Relay's value remains at the new value) so that after o or c occurs xRELAY = Relay. Although RELAY provides the possibility of non-Zeno behavior, an infinite number of successive non-tick transitions, this would require non-Zeno behavior of the input variable Relay. In both SPEC and PROG, all TTM transitions have lower time bounds ≥ 1 and so each can only perform a finite number of transitions between successive clock ticks. Similarly the OUTPUT portion of PLANT has all transition lower time bounds equal to 1, while the remaining RELAY portion of the plant can only perform a single action without changes to its input variable Relay. Thus the composite system is guaranteed to have an infinite number of ticks in all computations and hence control ∥ plant ⊨ □◇( = tick) for control ∈ {spec, prog}. Therefore we may drop the ¬□◇( = tick) disjunction that occurs in Theorem 4.17 since it is false for all computations of control ∥ plant. We finish this subsection by formally defining the plant module to be plant := (PLANT, Iplant) where the plant module interface is basically I for spec and prog with the input and output elements swapped and xRELAY, the reactor relay state, added to the set of output variables. We add xRELAY to the other plant output variables Power and Pressure because we wish to prove properties about the timed behavior of all these variables in the closed-loop system. Thus

  Iplant := (out(spec), Vout(spec), Rout(spec), in(spec), Vin(spec) ∪ {xRELAY}, Rin(spec))

and so by Definition 4.22, plant is interface compatible with both spec and prog.

[Figure 5.6: PLANT := RELAY ∥ OUTPUT, TTM model of the plant. The block diagram shows the Reactor (PLANT) with input Relay and outputs Power, Pressure and xRELAY. RELAY has activities closed and open joined by transitions o (closed to open) and c (open to closed); OUTPUT has the single activity a with self-loop transitions w and p. Transition table:]
  Initial condition: xRELAY = closed ∧ Relay = CLOSED ∧ xOUTPUT = a ∧ Power = LO ∧ Pressure = LO
  o := (Relay = OPEN, [ ], 0, 0)
  c := (Relay = CLOSED, [ ], 0, 0)
  w := (true, [Power : LO; Power : HI], 1, 1)
  p := (true, [Pressure : LO; Pressure : HI], 1, 1)
5.2.2 Model-Checking Details

The TTMs of the plant and controller systems were entered using a recent extension of the StateTime Tool developed by Ostroff et al. at York University [Ost95]. StateTime is a visual modeling tool for the creation of StateChart-like hierarchical TTM systems. The reader is referred to [Ost95] for a full description of the StateTime tool and [Har87] for an introduction to StateCharts. There has been a preliminary attempt to develop real-time model-checkers to allow the direct interpretation of TTMs and RTTL formulas [Ost92]. While the Verify tool of [Ost92] supports the data variables and interleaved, discrete-time semantics of TTMs, it cannot efficiently handle the large state spaces that are generated by the composite systems of Section 5.3 and hence was not employed in this thesis. The Verify tool has been applied to a single controller case of the DRT in [Ost95], but in that work it became apparent that the tool would not be able to handle the full 3 controller DRT version dealt with in Section 5.3. In order to profit from the development effort already invested in untimed model-checking, StateTime has implemented a facility for translating its TTM models into (untimed) fair transition systems with integer variables and tick events [ON96] that can be used by the Stanford Temporal Theorem Prover (STeP) [Man94]. STeP has a Linear Temporal Logic (LTL) model-checker that can then interpret the fair transition system models and verify LTL properties. Recently StateTime has added integer "timer variables" that can be started or stopped and, while running, are decremented (or incremented) from their initial values with the occurrence of each tick transition. The timer variables enable the creation of "observer" systems that allow real-time properties to be verified by checking untimed temporal properties of the systems StateTime exports to STeP.

In the following model-checking results we will say that a real-time temporal logic formula F has been model-checked or verified for a given timed system when, in fact, we have verified an untimed temporal logic formula F' on the untimed system that incorporates timer variables and additional TTM transitions to "observe" the timed property. The construction of F' and the TTM transitions to be added to the system before it is translated into an untimed fair transition system can be difficult. Often the untimed model-check will fail to capture precisely the desired real-time behavior but may verify something close enough to the original real-time behavior to suit the designer's purposes. Below we assume that the untimed model-checks are "close enough" when stating that a timed property has been verified by the untimed model-check. In the absence of a powerful model-checking tool for RTTL, the untimed model-checks will have to suffice to illustrate our compositional model reduction theory. All of the model checking results below are for the Solaris version of STeP 1.1 running on an UltraSparc 1 with 288MB of RAM. The timing results are taken from STeP's estimate of the CPU time utilized in its computations. The state numbers below do not correspond to the number of states of the system being verified but rather to the number of states in a verification table used by STeP that is dependent upon the size of the system model and the formula to be model-checked [Man94].
5.2.3 Verification of System Response

This subsection demonstrates that specification models and formulas do not always embody the properties one initially thinks they capture. The first property we would like to check for our specification module, and hence the implementation module, is correct response to stimuli from the plant. The informal DRT system requirements from Section 5.1.1 may be restated in a form more suggestive of a temporal logic translation as: Henceforth, if Power and Pressure simultaneously exceed their threshold values for at least 2 ticks and 30 ticks later Power exceeds its threshold for another 2 ticks, then within 30 to 32 ticks open the reactor relay for at least 20 ticks.

In the rephrased informal specification we have added "at least 2 ticks" requirements to ensure that the DRT has time to react to the changes to its input. We call our temporal logic translation of this formula the System Response formula, FRes:

  FRes := □[□<2 (Power ≥ PT ∧ Pressure ≥ DSP) ∧ ◇30 □<2 Power ≥ PT → ◇[30,32] □<20 xRELAY = open]

The first □ operator with the square braces around the rest of the formula says that the property contained within holds in the initial state of the computation and at all later points (all suffixes) of the computation. For a formula F, ◇[30,32] F is shorthand notation for true U[30,32] F which translates directly as "eventually, after at least 30 but no more than 32 ticks, F is true". ◇30 F and □<2 F are used to denote ◇[30,30] F and ¬◇[0,1] ¬F. We can paraphrase □<2 F as "From now until 2 ticks have occurred, F holds". As stated earlier, the STeP model checker does not explicitly support real-time properties. Thus in order to verify the real-time aspects of FRes we will add the timer variable Tr to the RELAY part of PLANT to time how long xRELAY = open. We assume that initially Tr = 0. The operation functions of o and c become [cd(Tr, 20)] and [stop(Tr)] respectively. Here cd(Tr, 20) in the operation function of o has the effect of initializing Tr to a value of 20 whenever xRELAY changes from closed to open. Tr will then count down with each tick until it reaches a value of 0 or is halted at its current value via the stop(Tr) operation. Thus if Tr = 0 and xRELAY = open, the reactor relay has been open for 20 ticks. The addition of the Tr operations to RELAY will allow the untimed system to "observe" the □<20 xRELAY = open part of FRes. The rest of the formula will be dealt with in the untimed system by an additional "property observer" TTM RES (see Figure 5.7) that will run in parallel with the rest of the system. When Power and Pressure simultaneously exceed their threshold values, the start transition of RES starts the timer Tw counting down from 32. If Power or Pressure drop below their threshold values before two ticks of the clock have occurred (i.e. before Tw = 30) then stop1 occurs, stopping timer Tw. If Tw counts down to 30 then □<2 Power ≥ PT ∧ Pressure ≥ DSP is true. Transition cont occurs to "observe" this fact. We then wait to check the power when 0 ≤ Tw ≤ 2 (30 to 32 ticks after Power and Pressure first exceeded their threshold values). If during that time Power < PT, then the ◇30 □<2 Power ≥ PT conjunct in the antecedent of FRes is violated, so RES resets via stop2, stopping Tw. On the other hand, if RES is in activity c and Tw = 0, then ◇30 □<2 Power ≥ PT is true and previously □<2 Power ≥ PT ∧ Pressure ≥ DSP was true since cont occurred to bring us to c in the first place. Thus we will approximate the antecedent of FRes by Tw = 0 ∧ xRES = c. Combining the above observations we have the untimed formula F'Res that we will model-check with STeP:

[Figure 5.7: RES, TTM observer for FRes used in creating the untimed formula F'Res. Activities a, b (annotated 30 ≤ Tw ≤ 32) and c (annotated Tw ≤ 30); transitions start (a to b), stop1 (b to a), cont (b to c) and stop2 (c to a). Transition table:]
  Initial condition: xRES = a ∧ Power = LO ∧ Pressure = LO ∧ Tw = 0
  start := (Power ≥ PT ∧ Pressure ≥ DSP, [cd(Tw, 32)], 0, 0)
  stop1 := (Power < PT ∨ Pressure < DSP, [stop(Tw)], 0, 0)
  stop2 := (Power < PT ∧ 0 ≤ Tw ≤ 2, [stop(Tw)], 0, 0)
  cont := (Tw = 30, [ ], 0, 0)
  F'Res := □[(Tw = 0 ∧ xRES = c) → ◇(xRELAY = open ∧ Tr = 0)]

Now that we have the formula F'Res without timed operators, we translate our system with the additional counter variables and property observer TTM into STeP compatible input and model-check F'Res in place of property FRes. Verifying F'Res with the STeP model-checker produces the following surprising results:

  control   Result   States   Time (sec)
  spec      fail     52375    2854
  prog      fail     101689   21039

  Table 5.1: Summary of model checking results of System Response property F'Res for control ∥ plant

We conclude spec ∥ plant ⊭ FRes and prog ∥ plant ⊭ FRes. The computational results are summarized in Table 5.1. The counterexample computation generated by STeP reveals why our system specification module, implementation module, and indeed the original hardware implementation, all fail to satisfy this property. While Timer 1 is running (SPEC is in activity b or PROG has a nonzero value of c1), the system is effectively ignoring its inputs. Consider the possible input timing diagram in Figure 5.8.

  [Figure 5.8: Input sequence generating a counterexample to FRes; timing diagram of Power and Pressure at T, T + 10, T + 20, T + 30, T + 40 and T + 50.]

Power and Pressure simultaneously exceeding their threshold values at time T will cause Timer 1 to start, but at time T + 30 Power = LO, so the Relay = open "signal" is not sent and the system goes back to monitoring its inputs. However, while Timer 1 was running, at T + 10 Power and Pressure also exceeded their threshold values, and 30 ticks later at time T + 40 Power is exceeding its threshold. Because Timer 1 was already running at T + 10 in response to the conditions at time T, it is unable to respond to the conditions at T + 10. The system therefore has no way of knowing that it should check the value of Power at time T + 40 and consequently open the relay. While it is possible to design a relatively simple software implementation that does satisfy FRes through the use of registers as bit arrays, for illustrative purposes we will assume that we are trying to design a software system that provides similar input/output behavior to the original system. In this case FRes is an inappropriate temporal logic specification. Changing the antecedent of FRes to require that the DRT controller be in its initial state (i.e. neither timer is running) when Power and Pressure exceed their threshold values, we can alter FRes to obtain a formula capturing the behavior of the original system. We call this new property the Initialized System Response formula, FIRes:

  FIRes := □[CONTROL ∧ □<2 (Power ≥ PT ∧ Pressure ≥ DSP) ∧ ◇30 □<2 Power ≥ PT → ◇[30,32] □<20 xRELAY = open]

Here CONTROL := SPEC or CONTROL := PROG depending on whether we are model-checking control = spec or control = prog. The untimed formula F'Res used in place of FRes can be used as the untimed formula F'IRes to model-check in place of FIRes, provided we modify the property observer TTM RES. We add the control conjunct to the enablement condition of start to obtain the new property observer TTM IRES. Thus the new enablement condition for start is CONTROL ∧ Power ≥ PT ∧ Pressure ≥ DSP.

  control   Result   States   Time (sec)
  spec      pass     6305     55
  prog      pass     12063    218

  Table 5.2: Summary of model checking results of Initialized System Response property F'IRes for control ∥ plant

The results of model-checking F'IRes with its observer system are contained in Table 5.2. They show that for both the specification and implementation, control ∥ plant ⊨ F'IRes. The above pair of model checking results have helped us to gain a deeper understanding of the behavior of our system and, by the agreement of results for the use of spec and prog as the control, have illustrated Theorem 4.17. We will have more to say about the results regarding the space (number of states) and time requirements in Section 5.3.
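The observer construction of this subsection, as an added example that is not code from the thesis, StateTime or STeP: a discrete-tick simulation runs an assumed simplification of the SPEC controller (Timer 1 of 30 ticks, then Timer 2 of 20 ticks), the RELAY timer Tr and the RES observer of Figure 5.7 (or IRES) over a constructed input in the spirit of Figure 5.8 and over an input the controller does handle, and evaluates F'Res on the finite computation. Thresholds are abstracted to HI/LO, and an "eventually" left unmatched on the finite trace is reported as a failure.

```python
"""Discrete-tick simulation of the DRT System Response check (added example, not
code from the thesis, StateTime or STeP).  An assumed simplification of SPEC is
run against the untimed formula
    F'Res = []((Tw = 0 /\ xRES = c) -> <>(xRELAY = open /\ Tr = 0))
with the RES observer of Figure 5.7, or IRES when require_idle=True."""
from dataclasses import dataclass

HI, LO = "HI", "LO"          # plant variable above / below its threshold (PT, DSP)


@dataclass
class Controller:
    """Assumed stand-in for SPEC (Timer 1 = 30 ticks, Timer 2 = 20 ticks)."""
    activity: str = "idle"      # idle -> timer1 -> open -> idle
    t1: int = 0                 # Timer 1 countdown
    t2: int = 0                 # Timer 2 countdown
    relay_cmd: str = "CLOSED"   # value driven onto PLANT's Relay input

    def step(self, power, pressure):
        if self.activity == "idle" and power == HI and pressure == HI:
            self.activity, self.t1 = "timer1", 30          # inputs ignored from here on
        elif self.activity == "timer1" and self.t1 == 0:
            if power == HI:                                 # re-check Power 30 ticks later
                self.activity, self.t2, self.relay_cmd = "open", 20, "OPEN"
            else:
                self.activity = "idle"
        elif self.activity == "open" and self.t2 == 0 and power == LO:
            self.activity, self.relay_cmd = "idle", "CLOSED"

    def tick(self):
        self.t1, self.t2 = max(0, self.t1 - 1), max(0, self.t2 - 1)


@dataclass
class ResObserver:
    """Property observer RES (Figure 5.7); require_idle=True gives IRES."""
    require_idle: bool = False
    x: str = "a"                # activity a, b or c
    tw: int = 0                 # timer Tw
    running: bool = False

    def step(self, power, pressure, control_idle):
        both_hi = power == HI and pressure == HI
        if self.x == "a" and both_hi and (control_idle or not self.require_idle):
            self.x, self.tw, self.running = "b", 32, True   # start: cd(Tw, 32)
        elif self.x == "b" and (power == LO or pressure == LO):
            self.x, self.running = "a", False               # stop1: stop(Tw)
        elif self.x == "b" and self.tw == 30:
            self.x = "c"                                    # cont: 2 ticks of both HI seen
        elif self.x == "c" and power == LO and 0 <= self.tw <= 2:
            self.x, self.running = "a", False               # stop2: stop(Tw)

    def tick(self):
        if self.running:
            self.tw = max(0, self.tw - 1)


def check_fres(trace, require_idle=False):
    """Run controller || RELAY (timer Tr) || observer over trace, one (Power, Pressure)
    pair per tick; return (passed, ticks at which Tw = 0 /\ xRES = c held)."""
    ctl, obs = Controller(), ResObserver(require_idle)
    relay, tr, tr_running = "closed", 0, False
    antecedents, witnesses = [], []

    def record(t):             # one state of the computation, labelled by tick count
        if obs.x == "c" and obs.tw == 0 and (not antecedents or antecedents[-1] != t):
            antecedents.append(t)
        if relay == "open" and tr == 0:
            witnesses.append(t)

    for t, (power, pressure) in enumerate(trace):
        obs.step(power, pressure, ctl.activity == "idle")
        ctl.step(power, pressure)
        if ctl.relay_cmd == "OPEN" and relay == "closed":    # o: cd(Tr, 20)
            relay, tr, tr_running = "open", 20, True
        elif ctl.relay_cmd == "CLOSED" and relay == "open":  # c: stop(Tr)
            relay, tr_running = "closed", False
        record(t)              # state after the untimed transitions
        obs.tick()
        ctl.tick()
        tr = max(0, tr - 1) if tr_running else tr
        record(t + 1)          # state reached by the tick transition
    # an 'eventually' left unmatched on the finite trace counts as a violation
    passed = all(any(w >= a for w in witnesses) for a in antecedents)
    return passed, antecedents


def make_trace(both_hi, power_hi, length=60):
    """Constructed input: both variables HI on ticks both_hi, Power alone HI on power_hi."""
    power, pressure = [LO] * length, [LO] * length
    for t in both_hi:
        power[t] = pressure[t] = HI
    for t in power_hi:
        power[t] = HI
    return list(zip(power, pressure))


# Figure 5.8 in spirit (T = 0): one-tick spike at T starts Timer 1, 3-tick
# exceedance at T+10, Power LO at T+30 when Timer 1 expires, HI again at T+40.
FIG58_TRACE = make_trace(both_hi=[0, 10, 11, 12], power_hi=range(40, 43))
# Input the controller does handle: the relay opens at T+30 and stays open 20 ticks.
RESPONSIVE_TRACE = make_trace(both_hi=range(3), power_hi=range(30, 33))
```

On FIG58_TRACE the RES observer reaches c with Tw = 0 while the relay never opens, so F'Res fails, whereas IRES never starts on the T + 10 exceedance because Timer 1 is running, so F'IRes holds vacuously.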
5.2.4 Verification of System Recovery

In the original hardware implementation a signal to open the reactor relay is only sent during the 2 seconds that Timer 2 is running. As an added safety feature in our microprocessor design, SPEC was set up to continue sending the Relay = open signal until Power was no longer exceeding its threshold. Since the DRT is but one of many reactor control systems operating in the actual reactor, a reasonable requirement might be that the closed-loop system "recover" in a timely fashion after the Relay = OPEN signal has been sent for at least 20 ticks (2 seconds) and Power returns to normal operating levels. An informal statement of this property might be: Henceforth, if xRELAY = open for the next 20 ticks and after the 20th tick Power < PT for at least 2 ticks, then before the 22nd tick xRELAY = closed. We translate this statement into the System Recovery formula FRec:

  FRec := □[(□<20 xRELAY = open ∧ ◇20 □<2 Power = LO) → (◇<22 xRELAY = closed)]

As we did for FRes, we can use the addition of the timer Tr to RELAY to check the subproperty □<20 xRELAY = open. Again the remainder of the formula will be handled by a property observer TTM. Figure 5.9 contains REC, the TTM property observer for FRec. The transition start occurs once the reactor relay has been open for 20 ticks (xRELAY = open ∧ Tr = 0) and Power is LO (Power < PT). It starts timer Tw counting down from an initial value of 2. If Power becomes HI or the reactor relay closes, transition stop takes place, immediately stopping the timer Tw and returning REC to activity stop. Thus if REC is in activity run and Tw = 0, then the reactor relay has been open for 20 ticks and subsequently Power has been LO for more than 2 clock ticks. This is a violation of FRec. Therefore we can reduce model-checking the timed property FRec to model-checking the untimed safety property F'Rec:

  F'Rec := □¬(Tw = 0 ∧ xREC = run)

[Figure 5.9: REC, TTM observer for FRec used in creating the untimed property F'Rec. Activities stop and run; transitions start (stop to run) and stop (run to stop). Transition table:]
  Initial condition: xREC = stop ∧ Tw = 0 ∧ xRELAY = closed ∧ Power = LO
  start := (xRELAY = open ∧ Tr = 0 ∧ Power < PT, [cd(Tw, 2)], 0, 0)
  stop := (xRELAY = closed ∨ Power ≥ PT, [stop(Tw)], 0, 0)

Thus F'Rec says that it is never the case that Tw = 0 when TTM REC is in activity run. While it seems plausible that our current spec and prog will force the closed loop system to satisfy FRec, model-checking proves the contrary (see Table 5.3). The counterexamples generated by STeP show that the transitions of SPEC and PROG are at the root of the closed-loop systems' failures to meet the recovery specification. Consider the TTM SPEC in Figure 5.4 (p. 125). Activity e is where the value of Power is re-evaluated after Relay = OPEN has been true for the required 20 ticks in activity d. If Power ≥ PT then SPEC returns to activity a via transition  , leaving Relay = OPEN. If upon returning to a, Pressure ≥ DSP, then transition   can occur, starting another cycle of the transition graph; only this time Relay = OPEN. The Power may return to an acceptable level immediately following the   transition, but the system will take 30 ticks to return to activity a and "recover" by finally executing a transition that sets Relay = CLOSED.
  control   Result   States   Time (sec)
  spec      fail     1400     1
  prog      fail     2528     2
  specr     pass     4745     8
  progr     pass     9161     16

  Table 5.3: Summary of model checking results for System Recovery property F'Rec for control ∥ plant

Removal of the   transition will ensure that SPEC remains at activity e until Power < PT. If Power is less than PT while SPEC is in e, then before two clock ticks  2 occurs, setting Relay = CLOSED, and thereby ensuring satisfaction of FRec. With the removal of  , the transition that resets Relay in activity a becomes redundant, since the only way that SPEC can enter a when Relay = OPEN is via  2. We will also delete the   and   of PROG. Call the revised systems formed by the elimination of these transitions SPECr and PROGr. The new modules associated with these systems, similarly denoted by specr and progr, can be obtained from their unprimed predecessors simply by removing all references to   from their interfaces. While the new systems are smaller and perhaps agree more closely with the designer's intuition of how the system should behave, changing the systems brings into question their equivalence and the satisfaction of the Initialized Response formula FIRes, while creating the possibility that the closed-loop system will now satisfy FRec. From Table 5.3 we see that specr ∥ plant ⊨ FRec and progr ∥ plant ⊨ FRec. Further model-checks also confirm that specr ∥ plant ⊨ FIRes and progr ∥ plant ⊨ FIRes. This mutual satisfaction of FRec and FIRes by specr and progr was not merely accidental. It was forced by Theorem 4.17 because specr ≈se progr. The Equivalence Preserving Transformation proof of spec ≈se prog in Appendix B can be used virtually without change to provide a proof of specr ≈se progr. This is not particularly surprising given the simple structure of the systems and the one-to-one correspondence between   and   transitions in spec and prog.
5.3 Model-Checking Concurrent Controllers

So far we have typically seen a factor of 2 improvement in model-checking time and space by using the reduced spec models instead of the full prog model. If this were always the case it would be hard to justify the additional complexity of the O(n^3) weak state-event equivalence model reduction computation or the additional effort to reduce the system by hand using Equivalence Preserving Transformations. More dramatic gains from our model reduction technique can be made when there are multiple controllers running in parallel. Such redundant controller schemes, in particular 3-version control with majority voting logic, have been recommended for safety critical systems such as nuclear power plants [PAM91]. Each controller module is identical. Therefore, because of the compositional consistency of weak state-event equivalence for TTM modules, the model reduction computation or proof need only be performed once for a single controller module. The reduction can be used for each controller module added to the system, providing a multiplicative effect in the reduction of the state size without any additional computational or manual effort. To illustrate the preceding concept, this section extends the basic DRT closed-loop system to 2 and 3 copies of our revised DRT controllers running in parallel with the plant. The enablement conditions of the plant's RELAY transitions are changed to accommodate the additional controllers and the plant module's interface is modified accordingly. We will attempt to verify FIRes and FRec for compositions of the reduced and unreduced revised DRT models. The results demonstrate that the real benefits of modular model reduction are realized when multiple reduced models are composed. We will see that composition of reduced models can lead to a multiplicative effect in the reduction of the composite model that soon makes model-checking the unreduced system intractable due to memory limitations.

Another interesting conclusion of the model-checking results for the composite systems is that properties satisfied by the single controller version do not necessarily hold for the multiple controller versions. We will begin by considering the two controller case. The TTMs SPECr and PROGr can have their transitions and internal and output variables subscripted by integers i = 1, 2 to avoid transition label and variable name conflicts. The Power and Pressure variables and their associated input transition labels w and p are the only parts of the controller TTMs that need not be subscripted. The reactor TTM PLANT supplies these inputs to the multiple controllers. Thus when defining the modules, the input part of the control modules' interfaces remains the same. The new modules are, for i = 1, 2, specri := (SPECri, Ii) and progri := (PROGri, Ii) where

  Ii := (in(specr), Vin(specr), Rin(specr), {alphai,  i}, {Relayi}, {(alphai, Relayi), ( i, Relayi)})

In interfacing the plant with the two controllers we assume that the plant will only change the state of the reactor relay xRELAY when both controllers are in agreement. To accomplish this we modify the PLANT TTM of Figure 5.6 to obtain the TTM PLANT2 as follows: (i) The initial condition of PLANT2 is obtained from that of PLANT by removing the Relay = CLOSED conjunct and replacing it with Relay1 = CLOSED ∧ Relay2 = CLOSED. (ii) The enablement conditions for c and o are changed to Relay1 = CLOSED ∧ Relay2 = CLOSED and Relay1 = OPEN ∧ Relay2 = OPEN respectively. We then have the two version plant module plant2 := (PLANT2, I2) where I2 is an appropriately defined modification of the interface used in plant. The results of model-checking are shown in Table 5.4. In this table and Table 5.5 below, `?' as a table entry indicates that the results of the attempted model-check were indeterminate, as the computation ran out of memory and failed to terminate successfully. We see that for the control1 ∥ control2 ∥ plant2 case the model-checks of property FIRes ran out of memory for both the reduced controli := specri case and the detailed controli := progri case. This can be attributed to the PSPACE-completeness of Linear Temporal Logic model checking [SC85]. Model-checking algorithms typically employed for Linear Temporal Logic have a complexity of O(|Πm|^|F|), where |F| is the number of temporal operators in F and |Πm| is the number of transitions plus the number of states of the SELTS generated by the module m [LP85]. In the case of FIRes any state space reduction achieved by the use of specr was negated by the |FIRes| exponent. The results of the model-check for the somewhat simpler property FRec show a definite improvement in the time and space required to decide the property using the reduced models. The answer is somewhat unexpected. While operating in the single control environment both specr and progr result in closed loop systems that satisfy FRec, but when run concurrently with another control, the closed-loop system fails to satisfy FRec. The counterexamples generated by STeP show that controllers can get out of synchronization from their initial states. If Power ≥ PT while Pressure < DSP then the following state-event sequence can occur in specr1 ∥ specr2 ∥ plant2:

  (HI, LO, a, a) →p (HI, HI, a, a) →tick (HI, HI, a, a) → 1 (HI, HI, b, a) →w (LO, HI, b, a) →tick ...

  # in ∥   control   F'IRes (System Response)          F'Rec (System Recovery)
                     Result   States   Time (sec)       Result   States   Time (sec)
  1        specr     pass     6305     55               pass     4745     8
           progr     pass     12063    218              pass     9161     16
  2        specr     ?        ?        ?                fail     1141     1
           progr     ?        ?        ?                fail     8025     10

  Table 5.4: Summary of model checking control ∥ plant and control1 ∥ control2 ∥ plant2
The 4-tuples represent the values of the variables (Power, Pressure, xSPECr1, xSPECr2). We see that once Pressure = HI for one tick, module specr1 reacts, but before specr2 can react, w occurs setting Power = LO and disabling  2. The two systems are now out of synchronization and the situation deteriorates from there to a point where the reactor relay, once opened for more than 20 ticks, will in some cases not close even if Power < PT for up to 19 ticks! At first one might think the failure of the 2 controller system to satisfy FRec is the result of the lower time bounds of 1 on the reactor OUTPUT transitions w and p, but putting reactor outputs through a low pass filter to increase the lower bounds up to at least 19 would still fail to eliminate all possible counterexamples. Instead we must place some restrictions upon our plant to ensure that multiple controllers are reacting to the same output samples. The plant behavior restrictions are implemented by replacing the TTM OUTPUT in PLANT with the new TTM OUTPUTsh, a TTM that implements a sample and two tick hold on the reactor outputs. This change eliminates the previous problem. The sample and hold versions of the plants for the one, two and three controller cases are shown in Figure 5.10. PLANTsh1 and PLANTsh2 are sample and hold versions of PLANT and PLANT2 respectively, while PLANTsh3 implements a majority vote scheme in the enablement conditions of o3 and c3. For xRELAY, the reactor relay state, to change in PLANTsh3 at least 2 of the three control modules must agree to the change. As was the case for plant, for n = 1, 2, 3, control ∥ plantshn ⊨ □◇( = tick). Although h, p and w have lower time bounds of 0 in OUTPUTsh, at most one of each of these transitions can occur before the next s transition. Since s has a lower time bound of 2, OUTPUTsh can only generate a finite number of transitions between successive ticks. The remaining closed loop system components are the same as for the PLANT case, so the same arguments can be applied. Thus we can continue to check the desired system properties without adding the disjunctive clause ¬□◇( = tick) of Theorem 4.17. The results of model-checking for the sample and hold closed-loop systems are shown in Table 5.5. Due to memory limitations we are still unable to verify the response property FIRes for the multiple controller case. The results for the verification of FRec are very promising.

Model reduction provides the same positive answer as the unreduced system in the one and two controller cases, with the unreduced (progr control) closed-loop taking approximately twice the number of states and time for the single controller closed-loop system and four times the number of states and time for the dual controller closed-loop system. This is in keeping with the multiplicative effect that the theory predicted would result from the composition of reduced models. When we go to the 3 control majority vote closed-loop system, the results are even more dramatic. The state size of the reduced (specr control) closed-loop system continues to grow in a roughly linear fashion, but there is a sudden state explosion in the unreduced case that prevents us from finishing the model-check (the computation runs out of memory). The state explosion is in large part due to the interleavings of events that increment the internal counter variables of progri. Fortunately there is no need to model-check the unreduced 3 controller closed-loop system. We can already conclude that this system satisfies FRec because specr1 ∥ specr2 ∥ specr3 ∥ plantsh3 ⊨ FRec.

  # in ∥   control   F'IRes (System Response)          F'Rec (System Recovery)
                     Result   States   Time (sec)       Result   States     Time (sec)
  1        specr     pass     7023     129              pass     7965       11
           progr     pass     13342    398              pass     16191      29
  2        specr     ?        ?        ?                pass     9489       101
           progr     ?        ?        ?                pass     34523      456
  3        specr     ?        ?        ?                pass     12897      35
           progr     ?        ?        ?                ?        > 540000   > 105 min

  Table 5.5: Summary of model-checking control1 ∥ plantsh, control1 ∥ control2 ∥ plantsh2 and control1 ∥ control2 ∥ control3 ∥ plantsh3
5.4 Summary

The model-checking results confirm the correctness of Theorem 4.17. Weakly state-event equivalent systems did satisfy the same formulas on all their computations in which time advances. The benefits of compositionally consistent model reduction have been demonstrated by the multiple controller FRec model-checking results. In this example verification of the composite system composed of unreduced models was impossible on the given hardware, but the model-check of the composition of reduced systems was easily handled. This allowed us to know what the result for the unreduced composition would be without having to compute it. We also discovered that model reduction alone is not enough in some cases (e.g. FIRes with two or more controllers). In such cases the reduced system model may still result in a composite system that is too large to be verified on the available hardware. This is particularly true of linear temporal logics, where the complexity of the model checking algorithms grows exponentially with the number of temporal operators. In these cases a designer may wish to investigate the possibility of using branching time temporal logics such as CTL to express system properties. Unfortunately the StateTime tool does not currently support the transition system formats of other untimed model checking systems, so we leave the investigation of other temporal logic frameworks for future research. During the temporal logic model-checking process two interesting additional points came to light. First, we found that specification models used in equivalence verification may not always accurately capture the designer's concept of the system requirements. Temporal logic model checking of specification models used in the equivalence verification process can be most useful for identifying any errors in the specification model, helping the designer to discover whether the correct specification model has been chosen. The counterexample generation features of the model-checker are particularly useful in this regard. The counterexamples from the failed model-checks of the DRT system illuminated system behavior that otherwise would not have been considered in the system design. Second, the model-checking in turn benefited from the compositionally consistent equivalence verification technique, as it provided a means of compositionally consistent model reduction. In the case of the DRT design, the combination of equivalence verification and model-checking was mutually beneficial, leading to a better design than would have been achieved by the application of either method in isolation.
[Figure 5.10: PLANTshn := RELAY n ∥ OUTPUTsh, TTM models for plants with sample and hold on outputs. RELAYn has activities closed and open joined by transitions on (closed to open) and cn (open to closed); OUTPUTsh has activities hold, sample1, sample2 and sample3 joined by transitions s, w, p and h. Transition table for PLANTshn, n = 1, 2, 3:]
  Initial condition: xRELAY = closed ∧ ⋀(i = 1..n) Relayi = CLOSED ∧ xOUTPUT = hold ∧ Power = LO ∧ Pressure = LO
  on := (eon, [ ], 0, 0)
  cn := (ecn, [ ], 0, 0)
  h := (true, [ ], 0, 0)
  s := (true, [ ], 2, 2)
  w := (true, [Power : LO; Power : HI], 0, 1)
  p := (true, [Pressure : LO; Pressure : HI], 0, 1)
  where
  eo1 := (Relay1 = OPEN)
  ec1 := (Relay1 = CLOSED)
  eo2 := (Relay1 = OPEN ∧ Relay2 = OPEN)
  ec2 := (Relay1 = CLOSED ∧ Relay2 = CLOSED)
  eo3 := (Relay1 = OPEN ∧ Relay2 = OPEN) ∨ (Relay1 = OPEN ∧ Relay3 = OPEN) ∨ (Relay2 = OPEN ∧ Relay3 = OPEN)
  ec3 := (Relay1 = CLOSED ∧ Relay2 = CLOSED) ∨ (Relay1 = CLOSED ∧ Relay3 = CLOSED) ∨ (Relay2 = CLOSED ∧ Relay3 = CLOSED)
Chapter 6 Conclusions We have investigated StateEvent Labeled Transition Systems (SELTS) with unobservable transitions, as a framework in which complexity may be hidden, and hierarchy induced through quotient systems. This eort has led to the discovery of unifying constructs, called stateevent observers, which subsume both deterministic state observers Won76] and event based observation equivalences Mil80, Mil89]. The close relationship between stateevent observers and (event) observation equivalences makes possible e cient polynomial time algorithms for computing stateevent observers for nite state SELTS. Strong and weak stateevent equivalences for comparison of SELTS are derived from stateevent observers. A SELTS synchronous composition operator is de ned that models both shared transitions and shared variables. The algebraic characterization of stateevent equivalence using SELTS homomorphisms was used to demonstrate that stateevent equivalence is a congruence for the SELTS synchronous composition operator. Thus in a synchronous composition one may replace the system's modules (components) with equivalent quotient modules. Typically the resulting system has a smaller state space and is equivalent to the original composition. The size of a composite system's state space grows as the product of the sizes of the components' state spaces, so any reductions to system modules will have a multiplicative eect. In this way the state explosion problem is dealt with at the component level before it occurs in the composite system. 148
Any two strongly state-event equivalent systems are shown to satisfy identical sets of formulas of a simple discrete time temporal logic derived from Ostroff's RTTL. This result is extended to the preservation of truth values by weakly state-event equivalent systems for the class of state-event stuttering invariant formulas. The latter result, together with the fact that state-event equivalence is a congruence for synchronous composition, allows one to perform compositionally consistent model reduction. TTM modules are defined to allow the model reduction results for SELTS to be applied to systems modeled by TTMs. The effectiveness of compositionally consistent model reduction techniques in dealing with the state explosion problem is illustrated by the application of weak state-event model reduction to the Delayed Reactor Trip (DRT) system. In this case the greatest return on model reduction effort is seen when more than one identical module appears in a parallel composition, as in the case of redundant controllers implementing a majority vote scheme: the reduction is performed once for a single module, and the reduced module is then substituted for every copy of the component.
6.1 Limitations and Future Research

In this thesis we have not addressed many of the details involved in creating working implementations. No attempt was made to deal with problems such as numerical overflow, data conversion errors and other troubles that often result in system failure. A method of dealing with these important issues in a rigorous fashion would go a long way towards bridging the gap between theory and practice in the design of safety critical systems.

As evidenced by the failure of our model reduction technique in dealing with the system response properties for the multiple controller cases of the DRT, there are cases when weak state-event model reduction alone does not succeed in making a verification problem tractable. The inability to verify the system response property was in no small part due to the particular choice of temporal logic used for specifications. As mentioned in the previous chapter, model-checking algorithms employed for Linear Temporal Logic (LTL) have a complexity of $O(|\mathcal{T}_m| \cdot 2^{O(|F|)})$, where $|F|$ is the number of temporal operators in F and $|\mathcal{T}_m|$ is the number of transitions plus the number of states of the SELTS generated by the module m [LP85]. On the other hand model-checking for the branching time temporal logic CTL can be done in time $O(|\mathcal{T}_m| \cdot |F|)$ [CES86]. Although the expressive powers of LTL and CTL are incomparable, when a complex property can be expressed in both logics, CTL is clearly the preferable choice for model-checking purposes. In this circumstance, a real-time state-event extension to CTL should hold considerable promise for proving real-time properties of TTMs via model checking. The alternative definition of Milner's observation equivalence given in Section A.2 makes the branching nature of observation equivalence apparent with its use of existential quantifiers: two states are equivalent iff they have the same future choices of observable events to equivalent states. Thus state-event equivalence should be better suited to performing model reduction for branching time logics. Results similar to those obtained for our RTTL style logic should be attainable for any similar real-time extensions of CTL.

While the initial model-checking results are promising, further practical application of weak state-event model reduction to industrial problems is needed to establish the method's advantages and limitations. Although the transformational technique of Appendix A was adequate for performing model reduction of the DRT example, an automated method for computing a finite state system's weak state-event quotient system would greatly facilitate the use of the equivalence in larger practical examples. One possible solution to this problem is the use of model-checkers for the $\mu$-calculus [Par81] to compute the weak state-event quotient systems.
In [BCM92] the authors provide not only a $\mu$-calculus characterization of observation equivalence that could be easily adapted to computing weak state-event equivalence, but also characterizations of LTL and CTL, enabling a $\mu$-calculus model-checking tool to perform both the model reduction and the model-checking. The power of state-event equivalence to support compositional model reduction and equivalence verification, its simple algebraic characterization, and the above noted future research possibilities, indicate that further investigation of the state-event theory is warranted.
Appendix A Equivalence Preserving Transformations of TTMs

This appendix summarizes the theoretical results of [Law92], [LW95] and points out some of the work's limitations that we attempt to address in this thesis. These previous results are covered in detail since they motivated much of the present work and are applied to the detailed example of Chapter 5. We begin by detailing the model of TTM input/output behavior and the resulting definition of equivalence that formed the basis of the transformations. Next we use bisimulations to define Milner's strong and weak observation equivalences that were used as the notion of system equivalence and then detail the equivalence preserving TTM transformations. Finally the limitations of the results are briefly discussed.
A.1 Equivalence of TTMs

In this section Labeled Transition Systems (LTS) are used to describe the behavior of TTMs and thus allow us to develop a notion of equivalence for TTMs. LTS have been used by De Nicola [DeN87] to compare different notions of equivalence proposed for concurrent systems. We now borrow some of the definitions and notation of [DeN87]. A Labeled Transition System $\mathcal{T} := \langle Q, \Sigma, R, q_0\rangle$ is simply a SELTS without the state output map. Following the notation of [Mil80] and [Mil89], the special symbol $\tau \in \Sigma$ is used to denote internal (unobservable) actions. Hence $q \xrightarrow{\tau} q'$ means that the system can move from q to q' via an unobservable or silent transition. The following notation is also helpful:

$\Sigma_o := \Sigma \setminus \{\tau\}$ denotes the set of observable actions. $\Sigma^*$ denotes the set of finite strings of actions.

$q \xrightarrow{s} q'$ where $s = \sigma_1 \sigma_2 \ldots \sigma_k \in \Sigma^*$ denotes $(\exists q_1, \ldots, q_{k-1} \in Q)\; q \xrightarrow{\sigma_1} q_1 \xrightarrow{\sigma_2} \cdots q_{k-1} \xrightarrow{\sigma_k} q'$, and $q \xrightarrow{s}$ will mean $(\exists q' \in Q)\; q \xrightarrow{s} q'$.

$q \stackrel{\sigma}{\Longrightarrow} q'$ means $q \xrightarrow{\tau^m \sigma \tau^n} q'$ if $\sigma \in \Sigma_o$, and $q = q'$ or $q \xrightarrow{\tau^m \tau^n} q'$ if $\sigma = \tau$, for $m, n \in \mathbb{N}$.

The idea behind the relation $\stackrel{\sigma}{\Longrightarrow}$ is that the system can move from q to q' while producing observation $\sigma$. As before we will write $q \stackrel{\sigma}{\Longrightarrow}$ as a short form for $(\exists q' \in Q)\; q \stackrel{\sigma}{\Longrightarrow} q'$.
One of the operations of [Mil89] that we will find useful is that of relabeling an LTS. In this operation the structure of an LTS is left unaltered while the transition labels are changed in a consistent way. That is, if one instance of a label is changed to a new label, then all instances of the label must be changed to the same new label in the relabeled LTS.

Definition A.1 Let r be a function from transition labels to transition labels and $\mathcal{T} := \langle Q, \Sigma, R, q_0\rangle$ be an LTS. Then the r-relabeling of $\mathcal{T}$ is given by:

$r(\mathcal{T}) := \langle Q, \{r(\sigma) : \sigma \in \Sigma\}, R_{r(\sigma)}, q_0\rangle$
We now consider $\mathcal{T}_M$, the Labeled Transition System generated by a TTM $M := \langle V, \Theta, T\rangle$. There are many possible LTS that represent the legal trajectories of a given TTM but for simplicity we adopt tree structures with all possible next transitions exiting the current LTS state to new LTS states. It is often the case that the transition names are unimportant. What is important is the effect the transitions have upon the variables of interest and how the latter affect the ordering of transitions. Accordingly the event labels of $\mathcal{T}_M$ are the actual operation functions of the TTM transitions. We will see in the example below that $h_\alpha$ (where $h_\alpha = [w: w+1,\; y: y+z]$) is written in $\mathcal{T}_M$ when transition $\alpha$ occurs in the legal trajectory of M. A convenient state set for $\mathcal{T}_M$ is the set of all finite strings of transitions $T^*$. We then let the initial state of $\mathcal{T}_M$ be $\epsilon$, the empty string. The transition relations follow naturally by defining, for any $h_\tau$ and $s \in T^*$, $s \xrightarrow{h_\tau} s\tau$ if, starting from its unique initial state assignment, M can perform the transitions $s\tau$ as the initial sequence of transitions of a legal trajectory. More formally, for a TTM $M := \langle V, \Theta, T\rangle$ we have $\mathcal{T}_M := \langle T^*, \{h_\tau : \tau \in T\}, R_{\{h_\tau\}}, \epsilon\rangle$. As we have defined them, each TTM has a unique initial state and the operation functions of the TTM's transitions are deterministic. Thus the effect on a TTM's variables can be completely determined by knowing the sequence of transitions that has taken place. This is what will allow us to compare the behavior of TTMs by comparing forms of the LTS that they generate. From now on the LTS representing the behavior of a TTM will be the LTS $\mathcal{T}_M$ as described above. Consider M, the simple TTM of Figure A.1. The LTS representing the behavior
Figure A.1: Simple TTM $M := \langle V, \Theta, T\rangle$, with activities a, b, c and

$\Theta := x = a \wedge v = w = y = z = 0$
$\alpha := (w = 0,\; [w: w+1,\; y: y+z],\; 0,\; 1)$
$\beta := (\mathit{true},\; [w: w-1,\; z: z-1],\; 0,\; 0)$
$\gamma := (w = 0 \wedge y\;\square\;0,\; [w: -1,\; v: v+1],\; 1,\; 2)$ (the comparison between y and 0 is not legible in this copy and is shown as $\square$)
of M, which we denote by $\mathcal{T}_M$, is shown in Figure A.2. Note that the tick transitions of the clock have been included in $\mathcal{T}_M$ and that at each state all legal continuations of the trajectory are possible. The self-looped $h_{tick}$ transition at the end of some paths is for display purposes only and helps indicate that the path can only be continued by an infinite string of ticks.

Figure A.2: $\mathcal{T}_M$, the LTS reachability tree for M (a tree whose edges are labeled $h_\alpha$, $h_\beta$, $h_\gamma$ and $h_{tick}$; not reproducible in text).

Figure A.3: $\mathcal{T}_M|_{\{y,z\}} = r(\mathcal{T}_M)$, the restricted LTS for M (the same tree with edge labels $[y: y+z]$, $[t: t+1]$, $[z: z-1]$ and the silent transition $\tau$).

We now consider the restriction of an LTS (representing the behavior of a TTM) to a subset of variables of interest. We need some preliminary definitions.
Definition A.2 For a TTM M with variable set V and a subset of variables $U \subseteq V$, we define the state assignments over U, denoted by $Q_U$, to be the product of the ranges of the variables in U. Hence

$Q_U := \prod_{v_i \in U} \mathit{Range}(v_i)$

The natural projection $P_U : Q \to Q_U$ maps a state assignment to its corresponding state assignment over U.
Definition A.3 Suppose $M := \langle V, \Theta, T\rangle$ is a TTM, $U \subseteq V$ is a set of variables, and $\tau \in T$ is a transition. Let $h_\tau : Q \to Q$ be the operation function of $\tau$ and $P_U : Q \to Q_U$ be the natural projection from the state assignments Q to $Q_U$, the state assignments over U. Then the map induced in $Q_U$ by $h_\tau$, when it exists, is the map $h^U_\tau : Q_U \to Q_U$ such that $P_U \circ h_\tau = h^U_\tau \circ P_U$.

The relationship between $h_\tau$ and $h^U_\tau$ is illustrated in the commutative diagram, Figure A.4.

Figure A.4: Commutative Diagram for Induced Operation Function ($Q \xrightarrow{h_\tau} Q$ above, $Q_U \xrightarrow{h^U_\tau} Q_U$ below, the two rows joined by $P_U$ on each side).

For a given U, $h^U_\tau$ will exist if the operations of $h_\tau$ upon the elements of U are independent of the values of the variables in $V - U$. For instance with $h_\alpha := [w: w+1,\; y: y+z] = [w: w+1,\; y: y+z,\; z: z]$ and $U = \{y, z\}$ we have $h^U_\alpha = [y: y+z]$. Note that $h^U_\alpha$ is not defined for $U = \{w, y\}$ since the new value of y depends upon the current value of z. The existence condition for $h^U_\tau$ can be formally stated as the mapping kernel condition $\ker(P_U) \subseteq \ker(P_U \circ h_\tau)$. We now have the machinery to define the timed behavior of a TTM M restricted to a subset of its variables.
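The kernel condition above can be checked mechanically when the variables range over finite sets. The following Python is an added illustration written for this appendix, not code from the thesis: it enumerates Q, applies an operation function written in the thesis's [v: expr] style, and builds the induced map $h^U_\tau$ as a lookup table, reporting failure when two assignments with the same projection onto U are sent to different projections. The operation functions are those of Figure A.1; the range 0..2 for every variable is an assumption made only so that Q is finite.

```python
"""Existence of the induced operation function h_tau^U (added example, not from the thesis).

Assumes every variable ranges over a small finite set, so that the kernel condition
ker(P_U) subset-of ker(P_U o h_tau) can be decided by enumerating Q.
"""
from itertools import product


def state_assignments(ranges):
    """Enumerate Q, the state assignments, as dicts variable -> value."""
    names = sorted(ranges)
    return [dict(zip(names, vals)) for vals in product(*(ranges[n] for n in names))]


def project(q, U):
    """Natural projection P_U: keep only the variables in U, as a hashable tuple."""
    return tuple(sorted((v, q[v]) for v in U))


def apply_op(h, q):
    """Apply an operation function [v: expr, ...]: variables not named are left
    unchanged and every right-hand side is evaluated on the old assignment q."""
    q_next = dict(q)
    for v, expr in h.items():
        q_next[v] = expr(q)
    return q_next


def induced_map(h, ranges, U):
    """Return the map induced in Q_U by h as a dict P_U(q) -> P_U(h(q)), or None
    when it does not exist, i.e. when two assignments with equal P_U(q) have
    different P_U(h(q)) (the kernel condition is violated)."""
    table = {}
    for q in state_assignments(ranges):
        src, dst = project(q, U), project(apply_op(h, q), U)
        if table.setdefault(src, dst) != dst:
            return None
    return table


def is_silent(induced):
    """True when the induced map is the identity: the transition is unobservable over U."""
    return induced is not None and all(src == dst for src, dst in induced.items())


# Operation functions of Figure A.1; the ranges are a constructed assumption.
H_ALPHA = {"w": lambda q: q["w"] + 1, "y": lambda q: q["y"] + q["z"]}
H_GAMMA = {"w": lambda q: -1, "v": lambda q: q["v"] + 1}
RANGES = {"v": range(3), "w": range(3), "y": range(3), "z": range(3)}

if __name__ == "__main__":
    print(induced_map(H_ALPHA, RANGES, {"y", "z"}))            # a table: [y: y + z]
    print(induced_map(H_ALPHA, RANGES, {"w", "y"}))            # None: new y depends on z
    print(is_silent(induced_map(H_GAMMA, RANGES, {"y", "z"})))  # True: h_gamma is silent over {y, z}
```

The same routine decides whether a set U is restrictable for M in the sense of Definition A.4: run it for every transition with $U' = U \cup \{t\}$ and require that no call returns None.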
Definition A.4 For $M := \langle V, \Theta, T\rangle$, $U \subseteq V$ and $\mathcal{T}_M := \langle T^*, \{h_\tau : \tau \in T\}, R_{\{h_\tau\}}, \epsilon\rangle$ we define the restriction of $\mathcal{T}_M$ to U as follows. Let r be the LTS relabeling function such that $r(h_\tau) = h^{U'}_\tau$, where $h^{U'}_\tau$ is the map induced in $Q_{U'}$ by $h_\tau$ when $U' := U \cup \{t\}$. Then

$\mathcal{T}^{U'}_M := r(\mathcal{T}_M) = \langle T^*, \{r(h_\tau) : \tau \in T\}, R_{r(\{h_\tau\})}, \epsilon\rangle$

We then denote the timed behavior of M restricted to U by $\mathcal{T}_M|_U := \mathcal{T}^{U'}_M$.

Note that $\mathcal{T}_M|_U$ is defined iff $(\forall \tau \in T)\; h^{U'}_\tau$ exists. When $\mathcal{T}_M|_U$ is defined we say that U is restrictable for M.
If the variables of interest for the TTM M of Figure A.1 are $U = \{y, z\}$ (and implicitly t to guarantee the timing) then the LTS of the behavior of M over these variables can be obtained by replacing the transitions' operation functions with their induced maps. For example we replace $h_\alpha$ in $\mathcal{T}_M$ with $h^{U'}_\alpha := [y: y+z]$. In the case of the transition $\gamma$, $h^{U'}_\gamma := [\,]$, the identity or `silent' function for $\{y, z, t\}$. $\mathcal{T}_M|_{\{y,z\}}$, the restriction of $\mathcal{T}_M$ as described above, is shown in Figure A.3. Here we replace $h^{U'}_\gamma$ with the silent transition $\tau$ to help it stand out in the graph. Starting from the initial state of $\mathcal{T}_M|_{\{y,z\}}$, if the first transition is a clock tick, the next event may be y changing to y + z or the system moving unobservably via $\tau$ to a state where no further changes can be made to $\{y, z\}$. The example of Figure A.3 illustrates how restriction can create systems that can move unobservably to a deadlocking state, a state with only strings of ticks as possible legal continuations. We shall use a notion of equivalence that can distinguish between a deadlocking and a nondeadlocking system. The main purpose of looking at the LTS generated by a TTM is to develop a notion of equivalence for TTMs. We will consider two TTMs to be equivalent over a set of variables U if their initial states agree on all variables in U and their respective LTS are equivalent when restricted to the variables of interest. More formally:
Definition A.5 Given two TTMs $M_1 := \langle V_1, \Theta_1, T_1\rangle$ and $M_2 := \langle V_2, \Theta_2, T_2\rangle$ and EQ, an equivalence relation over the set of all LTS. Let $Q_1$ and $Q_2$ be the sets of state assignments for $M_1$ and $M_2$ and $P_1 : Q_1 \to Q_U$ and $P_2 : Q_2 \to Q_U$ be their respective natural projections, for some U, a set of variables. We say that $M_1$ is EQ-equivalent over U to $M_2$, written $M_1 \stackrel{EQ}{=}_U M_2$, if and only if

(i) If $q_1 \in Q_1$ and $q_2 \in Q_2$ then $q_1(\Theta_1) = \mathit{true}$ and $q_2(\Theta_2) = \mathit{true}$ implies $P_1(q_1) = P_2(q_2)$

(ii) $\mathcal{T}_{M_1}|_U \;\mathit{EQ}\; \mathcal{T}_{M_2}|_U$, where $\mathcal{T}_{M_1}$ and $\mathcal{T}_{M_2}$ are the LTS generated by $M_1$ and $M_2$ respectively.

In practice usually $U \subseteq V_1 \cap V_2$, though this need not be the case in general. The first condition in the definition guarantees that the systems start out in state assignments that are identical when restricted to U, while the second condition guarantees that observed changes to variables in U will be equivalent.
A.2 Observation Equivalence

We begin this section by introducing an equivalence that is much stronger than what we require. The strong observation equivalence of [Mil89] treats silent transitions as if they were observable. Informally it requires that for each state reached by s, a string of transitions, in one system there must be a state reachable by s in the equivalent system that has the same choice of next transitions (including the unobservable transition) at each step along the way and in the end state. We begin by defining the notion of a strong bisimulation that will help us to capture this informal property. More formally, let $\mathcal{T}_1 := \langle Q_1, \Sigma, R_1, q_{10}\rangle$ and $\mathcal{T}_2 := \langle Q_2, \Sigma, R_2, q_{20}\rangle$.

Definition A.6 A binary relation $S \subseteq Q_1 \times Q_2$ is a strong bisimulation if $(q_1, q_2) \in S$ implies $(\forall \sigma \in \Sigma)$,

(i) Whenever $q_1 \xrightarrow{\sigma} q_1'$ then $(\exists q_2' \in Q_2)\; q_2 \xrightarrow{\sigma} q_2'$ and $(q_1', q_2') \in S$.
(ii) Whenever $q_2 \xrightarrow{\sigma} q_2'$ then $(\exists q_1' \in Q_1)\; q_1 \xrightarrow{\sigma} q_1'$ and $(q_1', q_2') \in S$.

From [Mil89] we know that the set of strong bisimulation relations over $Q_1 \times Q_2$ is closed under union and thus there is always a largest strong bisimulation relation $\sim$ relating the states of $\mathcal{T}_1$ and $\mathcal{T}_2$. Note that

$\sim \;:=\; \bigcup \{S \mid S \text{ is a strong bisimulation over } Q_1 \times Q_2\}$

We will often use infix notation and write $q_1 \sim q_2$ when $(q_1, q_2) \in \sim$. We can now formally define strong equivalence for LTS. We will use $\sim$ to denote this binary relation over LTS as well as the largest strong bisimulation relation over the state sets of a pair of LTS. This should not cause any confusion as the relation we wish to refer to will usually be clear from the context in which $\sim$ is used.
Definition A.7 Strong Equivalence: Suppose $\mathcal{T}_1 := \langle Q_1, \Sigma, R_1, q_{10}\rangle$ and $\mathcal{T}_2 := \langle Q_2, \Sigma, R_2, q_{20}\rangle$ are LTS. Then

$\mathcal{T}_1 \sim \mathcal{T}_2$ iff $(\exists S \in \{\text{strong bisimulations over } Q_1 \times Q_2\})\; (q_{10}, q_{20}) \in S$

Thus $\mathcal{T}_1 \sim \mathcal{T}_2$ iff $q_{10} \sim q_{20}$, which is the reason $\sim$ is used to denote both the relation over LTS and the relation over the state sets of two LTS.

Figure A.5: Strong Equivalence Example (three LTS; the first two are strongly equivalent, the third is not).

In Figure A.5, the first two LTS are strongly equivalent since they have the same choices after executing the same strings of events. The third LTS is not in the same equivalence class because there is no state reachable by executing the first event that can be continued by both of the events that may follow it. One can think of strongly equivalent systems deciding which futures will be possible at the same points in their execution. For example the third LTS chooses which transition will follow the first event at the moment that event actually occurs. The first and second systems are still free to choose the next transition after it happens. Having equivalent systems make their choices of possible future events at the same junctions in their execution eliminates the problems associated with mere string equivalence. Figure A.6 demonstrates that strong equivalence is more discriminating than we would like because it "observes" $\tau$. If we ignore $\tau$ transitions then after observing the first event, both systems are in states that can be observably continued by the second. To deal with this situation we now consider a weaker equivalence that is defined in a way that closely parallels strong equivalence. Reducing the problem of TTM equivalence to one of LTS equivalence allows us to choose from the multitude of LTS equivalence relations in [DeN87].

Figure A.6: Illustrating the need for a weaker equivalence (two LTS that differ only by a $\tau$ transition between two observable events).

For deadlock avoidance and other control properties described in [Law92], we will use Milner's weak observation equivalence (see [Mil89]). Recalling that $q \stackrel{\sigma}{\Longrightarrow} q'$ denotes $q \xrightarrow{\tau^m \sigma \tau^n} q'$ for some $m, n \in \mathbb{N}$ when $\sigma \neq \tau$, and $q = q'$ or $q \xrightarrow{\tau^m \tau^n} q'$ when $\sigma = \tau$, we now give the definition of Milner's observation equivalence.

Definition A.8 Let $\mathcal{T}_1 := \langle Q_1, \Sigma, R_1, q_{10}\rangle$ and $\mathcal{T}_2 := \langle Q_2, \Sigma, R_2, q_{20}\rangle$ be LTS. A relation $S \subseteq Q_1 \times Q_2$ is a weak bisimulation if $(q_1, q_2) \in S$ implies, for all $\sigma \in \Sigma$ (including $\sigma = \tau$),

(i) Whenever $q_1 \xrightarrow{\sigma} q_1'$ then $(\exists q_2' \in Q_2)\; q_2 \stackrel{\sigma}{\Longrightarrow} q_2'$ and $(q_1', q_2') \in S$.
(ii) Whenever $q_2 \xrightarrow{\sigma} q_2'$ then $(\exists q_1' \in Q_1)\; q_1 \stackrel{\sigma}{\Longrightarrow} q_1'$ and $(q_1', q_2') \in S$.

In other words, two states $q_1 \in Q_1$, $q_2 \in Q_2$ are weakly bisimilar if any move from $q_1$ to a new state $q_1'$ can be matched by a finite sequence of moves from $q_2$ that produces the same observation and leads to a state $q_2'$ that is weakly bisimilar to $q_1'$. Also, any move from $q_2$ must be matched in a similar fashion. From [Mil89] we know that the set of weak bisimulation relations over $Q_1 \times Q_2$ is closed under union and thus there is always a largest weak bisimulation relation $\approx$ relating the states of $\mathcal{T}_1$ and $\mathcal{T}_2$. That is

$\approx \;:=\; \bigcup \{S \mid S \text{ is a weak bisimulation over } Q_1 \times Q_2\}$

We write $q_1 \approx q_2$ when $(q_1, q_2) \in \approx$.

We can now formally define weak observation equivalence for LTS. We will use $\approx$ to denote both this binary relation over LTS and the largest weak bisimulation relation over the state sets of a pair of LTS.

Definition A.9 Weak Observation Equivalence: Let $\mathcal{T}_1 := \langle Q_1, \Sigma, R_1, q_{10}\rangle$ and $\mathcal{T}_2 := \langle Q_2, \Sigma, R_2, q_{20}\rangle$ be LTS. Then $\mathcal{T}_1 \approx \mathcal{T}_2$ iff there exists a weak bisimulation S over $Q_1 \times Q_2$ such that $(q_{10}, q_{20}) \in S$.

Thus $\mathcal{T}_1 \approx \mathcal{T}_2$ iff $q_{10} \approx q_{20}$. The relation $\approx$ is an equivalence relation over the set of LTS; the reader is referred to [Mil89] for the details in the setting of Milner's process algebra.
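Definitions A.6 to A.9 describe the largest bisimulation as a union of bisimulations; computationally it is a greatest fixpoint, obtained by starting from $Q_1 \times Q_2$ and discarding pairs that violate clause (i) or (ii) until none remain. The Python below is an added example, not part of the thesis or of any tool it cites, implementing both the strong and the weak check for finite LTS, with $\stackrel{\sigma}{\Longrightarrow}$ computed from the $\tau$-closure as in Section A.1. The four LTS at the end are constructed to mirror Figures A.5 and A.6: a.(b + c) against a copy of itself and against a.b + a.c, and a.b against a.$\tau$.b; the state names are arbitrary.

```python
"""Largest strong and weak bisimulation by fixpoint refinement (added example, not from the thesis).

An LTS <Q, Sigma, R, q0> is given by its initial state and a set of (source, label, target)
edges; the label "tau" is the silent action. Two LTS are (strongly / weakly) equivalent iff
their initial states survive the refinement, i.e. iff q10 ~ q20 (resp. q10 ≈ q20).
"""
TAU = "tau"


class LTS:
    def __init__(self, init, edges):
        self.init = init
        self.edges = set(edges)
        self.states = {init} | {s for s, _, _ in self.edges} | {t for _, _, t in self.edges}
        self.labels = {a for _, a, _ in self.edges}

    def succ(self, q, a):
        """Strong step q --a--> q'."""
        return {t for s, b, t in self.edges if s == q and b == a}

    def tau_closure(self, q):
        """States reachable from q by zero or more tau steps (q itself included)."""
        seen, work = {q}, [q]
        while work:
            for t in self.succ(work.pop(), TAU):
                if t not in seen:
                    seen.add(t)
                    work.append(t)
        return seen

    def weak_succ(self, q, a):
        """Weak step q ==a==> q': tau^m a tau^n for observable a, tau^m tau^n (m, n >= 0) for tau."""
        before = self.tau_closure(q)
        if a == TAU:
            return before
        return {u for s in before for t in self.succ(s, a) for u in self.tau_closure(t)}


def largest_bisimulation(lts1, lts2, weak=False):
    """Greatest fixpoint: start from Q1 x Q2 and drop pairs violating clause (i) or (ii)
    of Definition A.6 (strong) or A.8 (weak) until the relation is stable."""
    answer1 = lts1.weak_succ if weak else lts1.succ   # how lts1 may answer a move of lts2
    answer2 = lts2.weak_succ if weak else lts2.succ   # how lts2 may answer a move of lts1
    labels = lts1.labels | lts2.labels
    S = {(p, q) for p in lts1.states for q in lts2.states}

    def matched(p, q, a):
        # (i) every a-move of p is answered by q; (ii) every a-move of q is answered by p
        return (all(any((p2, q2) in S for q2 in answer2(q, a)) for p2 in lts1.succ(p, a))
                and all(any((p2, q2) in S for p2 in answer1(p, a)) for q2 in lts2.succ(q, a)))

    changed = True
    while changed:
        changed = False
        for p, q in list(S):
            if not all(matched(p, q, a) for a in labels):
                S.discard((p, q))
                changed = True
    return S


def equivalent(lts1, lts2, weak=False):
    """T1 ~ T2 (weak=False) or T1 ≈ T2 (weak=True): the initial states are related."""
    return (lts1.init, lts2.init) in largest_bisimulation(lts1, lts2, weak)


# Constructed LTS in the spirit of Figures A.5 and A.6.
P = LTS("p0", {("p0", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3")})                   # a.(b + c)
P_COPY = LTS("s0", {("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "c", "s3")})              # same, renamed states
R = LTS("r0", {("r0", "a", "r1"), ("r1", "b", "r3"), ("r0", "a", "r2"), ("r2", "c", "r4")})  # a.b + a.c
X = LTS("x0", {("x0", "a", "x1"), ("x1", "b", "x2")})                                        # a.b
Y = LTS("y0", {("y0", "a", "y1"), ("y1", TAU, "y2"), ("y2", "b", "y3")})                     # a.tau.b

if __name__ == "__main__":
    print("Figure A.5: P ~ P_COPY:", equivalent(P, P_COPY), " P ~ R:", equivalent(P, R))
    print("Figure A.6: X ~ Y:", equivalent(X, Y), " X ≈ Y:", equivalent(X, Y, weak=True))
```

The refinement is quadratic in the number of state pairs per round and is meant to make the definitions concrete, not to scale; for the finite state case the partition-refinement algorithms referred to in Chapter 6 are the practical route. Because $q \stackrel{\tau}{\Longrightarrow} q$ always holds, a $\tau$ move on one side may be answered by staying put on the other, which is exactly what lets a.b and a.$\tau$.b be weakly but not strongly equivalent.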
A.3 Equivalence Preserving Transformations

The purpose of this section is to explain transformations and their use. After demonstrating an intuitive notion of transformation with a simple example, we define a set of behavior preserving transformations and conclude by proving that these preserve the formal observation equivalence of TTMs. A transformation is behavior preserving if it changes a TTM in such a way that the timed behavior of the transformed TTM restricted to the variables of interest is equivalent (for a specified LTS equivalence relation) to the restricted timed behavior of the original TTM. Consider the two TTMs $M_1$ and $M_2$ of Figure A.7.

Figure A.7: An example of Transition Addition/Transition Deletion. Both TTMs have activities a, b, c and the transition $\alpha : z = 0 \to [y: y+1]$; $M_1$ additionally has $\beta : z = 2 \to [w: w-2]$. $\Theta_1 := (z = 0) \wedge (x_1 = a)$ and $\Theta_2 := (z = 0) \wedge (x_2 = a)$.

Suppose we are only interested in the timed behavior of the variables y and z. The initial condition $\Theta_1$ prevents $\beta$ from ever being enabled. If $\alpha$ has the same time bounds in both systems then it is apparent that $M_1$ and $M_2$ allow the same timed trajectories over y and z. In fact, since $\beta$ is never enabled we could delete this transition from $M_1$ to transform $M_1$ into $M_2$. Similarly we could add a transition $\beta$ to $M_2$ without changing its set of legal trajectories as the initial condition $\Theta_2$ would prevent the new transition from ever occurring. Thus $M_2$ can also be transformed into $M_1$. This is the idea behind the transformational technique of equivalence verification. Given a set of variables of interest U, if it is possible to change one TTM into another by a set of behavior preserving transformations, then the two TTMs' timed behavior restricted to U will be equivalent (ie. $\mathcal{T}_{M_1}|_U \approx \mathcal{T}_{M_2}|_U$) and hence the TTMs will behave equivalently in a well defined sense. Clearly if our transformational method is correct, the transformations must abstract away unimportant details in such a way that the key features of the structure of $\mathcal{T}_M|_U$ are preserved. The addition of transition $\beta$ to $M_2$ to form $M_1$ is an example of the Transition Addition transformation (TA). Going from $M_1$ to $M_2$ is an application of the dual of TA, the Transition Deletion transformation (TD). Below we describe these and the other transformation pairs needed to solve the verification problem of [LW95]. Throughout the section the transformations refer to the "set of variables of interest" U. These are the variables we wish to "observe", so the transformations are designed to produce TTMs that generate equivalent timed behaviors when restricted to the variables in U.
TA/TD Transition Addition/Transition Deletion: As demonstrated above one may add an instance of a transition to a TTM without changing its timed behavior if the transition's enablement condition is never satisfied in the new source activity. More formally, consider a TTM M with the transition $\tau := (e_\tau, h_\tau, l_\tau, u_\tau)$, where $\tau$'s full enablement condition from the transition graph of M is $e^{full}_\tau := e_\tau \wedge (x = a_1 \vee x = a_2 \vee \ldots \vee x = a_n)$, implying that there are instances of $\tau$ exiting activities $a_1, \ldots, a_n$ in the transition graph. One may add an instance of $\tau$ exiting activity $a \notin \{a_1, \ldots, a_n\}$, with any other activity as its destination, provided that in any reachable state assignment q of M it is the case that $q(x) = a$ implies $q(e_\tau) = \mathit{false}$. The new full enablement condition for $\tau$ after the transformation is $e^{full}_\tau := e_\tau \wedge (x = a_1 \vee x = a_2 \vee \ldots \vee x = a_n \vee x = a)$.

Similarly one can change the full enablement condition of the transition $\tau$ from $e^{full}_\tau := e_\tau \wedge (x = a_1 \vee x = a_2 \vee \ldots \vee x = a_n \vee x = a)$ to $e^{full}_\tau := e_\tau \wedge (x = a_1 \vee x = a_2 \vee \ldots \vee x = a_n)$, thereby removing the instance of $\tau$ exiting activity a in the transition graph of M, if in all the reachable state assignments q of M it is the case that $q(x) = a$ implies $q(e_\tau) = \mathit{false}$. That is, one may remove an instance of a transition from a TTM if the transition's enablement condition is always false in the source activity from which the instance of the transition will be deleted.
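The side condition of TA/TD (and the similar ones of CA/CD) is a statement about the reachable state assignments of M, which Appendix B establishes by hand. When the variables have finite ranges it can be checked by exhaustive search; the Python below is an added example, not from the thesis, that does so for a small constructed TTM (not the DRT). Time bounds are deliberately ignored: untimed reachability over-approximates timed reachability, so a transition instance that is never enabled in an activity under the untimed semantics is never enabled there in the timed TTM either, which is all the transformation needs. The converse does not hold, so a failed check is inconclusive rather than a proof that the transformation is inapplicable.

```python
"""Untimed reachability check for the TA/TD side condition (added example, not from the thesis).

The TTM is constructed for illustration: an activity variable x over {a, b} and a counter c
over {0, 1, 2}. Time bounds are ignored, so the computed reachable set contains the timed one.
"""
from collections import deque
from itertools import product

RANGES = {"c": range(3), "x": ["a", "b"]}
THETA = lambda q: q["x"] == "a" and q["c"] == 0   # initial condition

# name: (enablement condition e, operation function h, instances as (source, destination))
TRANSITIONS = {
    "alpha": (lambda q: q["c"] < 2,  lambda q: {"c": q["c"] + 1}, [("a", "b"), ("b", "b")]),
    "rho":   (lambda q: q["c"] > 0,  lambda q: {"c": 0},          [("b", "a")]),
    "mu":    (lambda q: q["c"] == 0, lambda q: {},                [("a", "a"), ("b", "a")]),
}


def state_assignments(ranges):
    """Enumerate all state assignments as dicts variable -> value."""
    names = sorted(ranges)
    return [dict(zip(names, vals)) for vals in product(*(ranges[n] for n in names))]


def successors(q, transitions):
    """Untimed step: any instance whose source activity is q(x) and whose e holds may fire."""
    for name, (e, h, instances) in transitions.items():
        for src, dst in instances:
            if q["x"] == src and e(q):
                q_next = dict(q)
                q_next.update(h(q))
                q_next["x"] = dst
                yield name, q_next


def reachable(theta, transitions, ranges):
    """Breadth-first search from every assignment satisfying theta; states frozen as tuples."""
    start = [tuple(sorted(q.items())) for q in state_assignments(ranges) if theta(q)]
    seen, work = set(start), deque(start)
    while work:
        q = dict(work.popleft())
        for _, q_next in successors(q, transitions):
            key = tuple(sorted(q_next.items()))
            if key not in seen:
                seen.add(key)
                work.append(key)
    return seen


def never_enabled_in(states, transitions, name, activity):
    """TA/TD side condition: on every reachable q, q(x) = activity implies q(e_name) = false."""
    e = transitions[name][0]
    return all(not e(dict(q)) for q in states if dict(q)["x"] == activity)


if __name__ == "__main__":
    R = reachable(THETA, TRANSITIONS, RANGES)
    print(sorted((dict(q)["x"], dict(q)["c"]) for q in R))
    print("TD: the instance of mu exiting b may be deleted:", never_enabled_in(R, TRANSITIONS, "mu", "b"))
    print("TA: an instance of rho exiting a may be added:", never_enabled_in(R, TRANSITIONS, "rho", "a"))
    print("alpha exiting b is sometimes enabled:", not never_enabled_in(R, TRANSITIONS, "alpha", "b"))
```

In the constructed TTM every transition entering b increments c and nothing in b resets it, so $c \ge 1$ whenever $x = b$ and the instance of mu (which needs $c = 0$) exiting b is dead; this is the same shape of argument as step 2 of Appendix B. The CD condition ("p is false in every activity that $\tau$ exits") is checked the same way, with p in place of $e_\tau$.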
CA/CD Control Addition/Control Deletion: This transformation lets one add or remove a condition from a transition's enablement condition under certain conditions. Consider a transition $\tau$ with $e_\tau := e$ and let p be some first order predicate over the variables in V. If whenever a source activity for $\tau$ is entered p is true (p is false), then $e^{new}_\tau := e \wedge p$ ($e^{new}_\tau := e \vee p$).

Conversely if $e_\tau := e \wedge p$ ($e_\tau := e \vee p$) and, in every activity that $\tau$ exits, p is guaranteed to be true (false), then $e^{new}_\tau := e$.
AM/AS Activity Merge/Activity Split: This transformation is defined only when the activity variable x is not in the set of variables of interest (ie. $x \notin U$). The basic idea of this transformation is that two activities can be merged if they have the same future. Hence, two activities may be merged if they have the same exiting transitions going to the same destination activities. In the example of Figure A.8, the activity merge transformation changes $\tau$'s full enablement condition from $e^{full}_\tau := e_\tau \wedge (x = a_1 \vee x = a_2 \vee \ldots)$ to $e^{full}_\tau := e_\tau \wedge (x = a \vee \ldots)$. For the merged activity one must be careful to choose a name that differs from the remaining TTM activities.

Figure A.8: Activity Merge/Activity Split (activities $a_1$ and $a_2$, which have the same exiting transitions to the same destinations, are merged into a single activity a; the split reverses this).

For activity splitting, if activity a is the destination activity of transitions $\tau_1, \ldots, \tau_k, \tau_{k+1}, \ldots, \tau_n$ then split a into $a_1$ and $a_2$: $\tau_1, \ldots, \tau_k$ will have destination activity $a_1$ and $\tau_{k+1}, \ldots, \tau_n$ will have destination activity $a_2$. $a_1$ and $a_2$ will be the source activities for the same transitions to the same destination activities as in the case of activity a.
RT Rename Transition: This transformation is its own dual. It renames one or more instances of a transition with a new name provided the latter does not conflict with another name or change the structure of $\mathcal{T}_M|_U$. Consider Figure A.9,

Figure A.9: A Problem with the Rename Transition Transformation. In $M_1$, $\alpha$ with time bounds [1, 2] exits activity a, $\gamma$ with bounds [4, 4] exits activity b, and a single transition $\beta$ with bounds [5, 7] has instances exiting both a and b. $M_2$ is identical except that the instance of $\beta$ exiting b is renamed $\beta'$ (also with bounds [5, 7]).

where one instance of the transition $\beta$ is renamed $\beta'$, altering the behavior of the system. If the numbers following the transition labels denote the lower and upper time bounds respectively, it is apparent that transition $\beta$ is enabled across activities a and b in $M_1$, so although $\alpha$ happens before $\beta$, $\beta$ has been enabled long enough that it can occur before $\gamma$. On the other hand in $M_2$ $\beta$ is always preempted by $\alpha$ and $\beta'$ is always preempted by $\gamma$. In general, when it is possible for a transition to remain enabled when moving from one activity to another, then it is not possible to rename the two instances independently (ie. in any application of RT the two instances must be given the same name).
OM Operation Modification: If a variable does not occur in the enablement condition of any transition or in the operations affecting any other variables, and is not in U, the set of variables of interest, then any operations affecting the variable can be added to or deleted from any transition.

Let $v \in V - U$ and $P_{V-\{v\}} : Q \to Q_{V-\{v\}}$ be the natural projection from the state assignments to the state assignments over $V - \{v\}$. Then the OM transformation is defined if for all $\tau \in T$ the enablement condition $e_\tau$ of $\tau$ is independent of v, and $\ker(P_{V-\{v\}}) \subseteq \ker(P_{V-\{v\}} \circ h_\tau)$ (ie. there exists an induced operation function $h^{V-\{v\}}_\tau : Q_{V-\{v\}} \to Q_{V-\{v\}}$ such that $h^{V-\{v\}}_\tau \circ P_{V-\{v\}} = P_{V-\{v\}} \circ h_\tau$). If v satisfies these conditions then for any $\tau \in T$, $h_\tau$ can be replaced with any operation function having the same map $h^{V-\{v\}}_\tau$ induced by $P_{V-\{v\}}$, that is, one that differs from $h_\tau$ only in its effect on v. The rationale behind this transformation is that the value of v has no effect upon how the TTM operates on the variables in U, hence we can set v to any value we wish, or ignore it altogether.
WM/WS (Wait Merge/Wait Split): A commonly occurring transition is the "wait" transition that serves the purpose of marking the passing of a fixed number of clock ticks. This transformation is a statement of the intuitive notion that waiting for n ticks and then waiting for m ticks is equivalent to waiting for n + m ticks. For technical reasons we require that $n \ge 1$.

Figure A.10: Wait Merge/Wait Split: $\omega_n$ followed by $\omega_m$ $\iff$ $\omega_{n+m}$, where $\omega_i := (\mathit{true}, [\,], i, i)$.
Theorem A.10 Let $M := \langle V, \Theta, T\rangle$ be a TTM, $U \subseteq V$ and $\Phi$ be one of the TTM transformations of subsection A.3. If $\Phi(M)$ is defined, then $\mathcal{T}_M|_U \approx \mathcal{T}_{\Phi(M)}|_U$.

More transformations can be added to those listed in subsection A.3. One has to verify that each new transformation preserves observation equivalence. Theorem A.10 implies that any TTM derived from another TTM via a finite sequence of the transformations of subsection A.3 is observationally equivalent to the original TTM.
A.4 Limitations of Transformations

In [Law92] the set of transformations of Section A.3 is shown to be incomplete for proving observation equivalence of TTMs and it is further demonstrated that no finite set of transformations is complete for proving observation equivalence of general TTMs. The proof closely follows a similar proof in Milner's process algebra [Mil89]. As in Milner's setting, the incompleteness property does not prevent the theory from being potentially useful in many practical applications. Indeed the exponential state explosion that occurs with the addition of new variables can make exhaustive verification routines impractical for even finite state TTMs. Thus heuristic methods such as the transformational technique introduced in this appendix provide a useful method of real-time system verification. Also, the transformations may be used to synthesize an implementation from a specification that is correct by construction. That is, the implementation resulting from the transformations will be guaranteed to be observationally equivalent to the specification, thereby eliminating the need to perform an exhaustive equivalence verification.
Appendix B Equivalence Verification of the DRT

We now solve the DRT verification problem by applying the transformations described in Appendix A to formally check the equivalence of PROG and SPEC over the set of variables of interest $U := \{\mathit{Power}, \mathit{Pressure}, \mathit{Relay}, t\}$. The inclusion of t in U guarantees that the timing as well as the ordering of changes to the inputs and outputs of the two systems will be the same. In future we will omit t since we are dealing with real-time systems and so the timing is assumed to always be of interest. The proof that follows relies upon the system designer's intuition in places for the choice of the next applicable transformation. Starting from PROG with SPEC as our final goal, we progressively try to make PROG look more like SPEC until, if all goes well, we are left with a copy of SPEC at the end. At each step we check that the desired transformation is applicable and describe its effect. Starting with $\mathit{PROG}_0 := \mathit{PROG}$, at each step i we apply a transformation to $\mathit{PROG}_{i-1}$ to obtain $\mathit{PROG}_i$.

Claim B.1 PROG is behaviorally equivalent to SPEC over U (ie. $\mathit{PROG} \stackrel{\approx}{=}_U \mathit{SPEC}$).

Proof: (PROG $\longrightarrow$ SPEC over U)

0. The original PROG TTM is shown in Figure 5.5.
1. AS The first transformation to be applied is the Activity Split transformation. We only have to make sure that instances of every transition exit both of the new activities. Since all the transitions are self-looped to the only activity in the original system, we have some choice over how we distribute their destination activities. The reasons for the choice shown in Figure B.1 will become apparent in the next few steps. Although at this point it does not matter, we choose activity a as the initial activity for reasons that again will become clear later.

Figure B.1: TTM for $\mathit{PROG}_1$ (activities a and b; $\Theta_{new} := \Theta_{PROG} \wedge x = a$).
2. TD The Transition Deletion transformation is applied next to remove the instance of one transition exiting activity b and the instances of two transitions (one of them subscripted 1) exiting activity a. We are justified in these actions since:

i. All transitions entering b increment either $c_1$ or $c_2$.
ii. All transitions either increment or reset $c_i$ to 0, so in any activity $c_i \ge 0$.
iii. All transitions entering a either set $c_1 = 0$ or leave $c_1$ unaffected while requiring $c_1 = 0$ in their enablement conditions. Therefore in activity a, $c_1 = 0$.

Hence by (i), (ii) and (iii) we know that, for the transition whose instance exits b,

$x = b \Rightarrow c_1 > 0 \vee c_2 > 0 \Rightarrow e = \mathit{false}$

and, for the two transitions whose instances exit a,

$x = a \Rightarrow e = e_1 = \mathit{false}$

Thus we are justified in deleting the instance exiting activity b and the two instances exiting activity a.

Figure B.2: TTM for $\mathit{PROG}_2$ (activities a and b; $\Theta_{new} := \Theta_{PROG} \wedge x = a$).
3. AS This time we split activity b, with one transition exiting b to the newly formed activity c (see Figure B.3). This is an effort to make the transformed PROG look more like SPEC. Notice that in splitting activity b into b and c we have not altered the dynamics. Both b and c have the same possible futures as activity b in $\mathit{PROG}_2$.

Figure B.3: TTM for $\mathit{PROG}_3$ (activities a, b and c; $\Theta_{new} := \Theta_{PROG} \wedge x = a$).

4. TD Upon entering activity c we know that $c_1 = 0 \wedge c_2 > 0$, since the transition entering c from b has $h := [c_1: 0,\; c_2: c_2 + 1,\; \mathit{Relay}: \mathit{OPEN}]$ and by 2(ii) we know that $c_i \ge 0$ in activity b. But $e_1$ requires that either $c_1 = c_2 = 0$ or $1 \le c_1 \le 29$, so $e_1$ is initially false in activity c. Also the other transitions entering c leave $c_1$ unaltered and only increment $c_2$. Hence

$x = c \Rightarrow c_1 = 0 \wedge c_2 > 0 \Rightarrow$ the enablement conditions of the two transitions subscripted 1 and of the unsubscripted transition exiting c are all false.

Conclusion: delete the instances of those three transitions with source activity c.
5. TD The initial condition new starts PROG4 out in activity a with c2 = 0. The only transitions that affect c2 are 2 and . Transition 2 requires c2 > 0 to occur. Hence, starting from the initial state, must precede 2. Once has occurred we have x = c with only 2 and exiting c. Both of these transitions set c2 = 0, so
(i) c2 > 0 iff x = c.
Thus by (i) the enablement conditions e 2, e2 and e can be true only when x = c.
Conclusion: delete all instances of 2, 2 and except those with source activity c. This leaves us with PROG5 as shown in Figure B.4. The range of values that c1 and c2 take on in each activity can be easily deduced from 5(i) and 2(iii), so we include this information in Figure B.4 as well.
Figure B.4: TTM for PROG5 (initial condition: that of PROG, with x = a; activity invariants: c1 = 0 ∧ c2 = 0 in a, c1 > 0 ∧ c2 = 0 in b, c1 = 0 ∧ c2 > 0 in c)
6. RT Referring to Figure B.4, we can rename the instance of 1 exiting activity a without affecting the dynamics of the variables of interest, because 1 is now the only transition entering activity b and, after a transition occurs, if it remains enabled its time bounds are reset. This means that a problem like that illustrated for RT in Figure A.9 cannot occur as a result of renaming only one of the instances of 1, since its time bounds are not carried across any group of activities. The new transition exiting a is given a new name but is otherwise defined identically to 1.
7. CD Considering the enablement conditions in PROG6 we have:
e := e 1 := (Power ≥ PT ∧ Pressure DSP ∧ c1 = c2 = 0) ∨ (1 ≤ c1 ≤ 29)
where p denotes the first disjunct and q the second.
When x = a, by 2(iii) and 5(i) we know that c1 = c2 = 0, and when x = b, by step 2 and 5(i) we know that c1 > 0. This gives:
(i) x = a ⇒ q = false
(ii) x = b ⇒ p = false
Using the Control Deletion transformation with (i) as justification, we can change e to enew := p. Similarly, using (ii) and Control Deletion again, we obtain enew 1 := q. Now consider enew and e :
enew := Power ≥ PT ∧ Pressure DSP ∧ c1 = c2 = 0
e := Power < PT ∧ c1 = c2 = 0
but x = a ⇒ c1 = c2 = 0. Applying CD yet again to simplify further, we now have:
enew := Power ≥ PT ∧ Pressure DSP
enew := Power < PT
In a similar fashion, again applying CD, x = c ⇒ c1 = 0, so
enew 2 := Power < PT ∧ c2 20
enew := Power ≥ PT ∧ c2 20
8. AS The activity b is now split into thirty different activities, with 1 taking the TTM from one new b activity to the next as c1 is incremented. After the transition from a to b occurs we are in an activity where c1 = 1; 1 then takes us to the next activity, where c1 = 2, and so on until we reach an activity where c1 ≥ 30 and 1 is self-looped. For each value of c1 between 1 and 29, b has been split into a new activity, with an additional activity for c1 ≥ 30. We are attempting to `press out' the TTM's dependence on c1 by flattening out the TTM to a point where for each value of c1 between 1 and 30 there is an individual activity. Again note that we are in no way changing the dynamics of the system over U, as the same transitions exit each of the new activities.
Figure B.5: TTM for PROG8 (activities a; b1 with c1 = 1, b2 with c1 = 2, ..., b29 with c1 = 29, b30 with c1 ≥ 30; c with c1 = 0 ∧ c2 > 0; initial condition: that of PROG, with x = a)
9. TD Knowing the value of c1 in each of the newly added activities allows us to delete all instances of and 1 except for the activity where c1 ≥ 30, since both transitions' enablement conditions require c1 ≥ 30. Also, the 1 transition self-looped at the c1 ≥ 30 activity may be removed, because e 1 := (1 ≤ c1 ≤ 29) in PROG8.
10. CD Now that transition 1 has as source activities only those activities for which 1 ≤ c1 ≤ 29, e 1 is always true in any of 1's source activities. Thus we can remove the c1 dependence from e 1. The same can be done for and 1, giving:
enew 1 := true
enew := Power ≥ PT
enew 1 := Power < PT
11. OM Variable c1 no longer occurs in any transition's enablement condition or in any operation that affects other variables. Hence we can drop the variable from all transition operations. The modified transitions, written as (enablement condition, operation, lower time bound, upper time bound), are
new := (Power ≥ PT ∧ Pressure DSP, [ ], 1, 1)
new 1 := (true, [ ], 1, 1) = !1 1
12. WM All occurrences of 1 are now merged into one !29 by the Wait Merge transformation (see Figure B.6).
Figure B.6: TTM for PROG12 (activities a, b1, ..., b30, c; initial condition: Relay = CLOSED ∧ c2 = 0 ∧ x = a)
13-17. Now repeat steps 8-12 for activity c and transition 2 to map out the dynamics of variable c2, and we have the desired result: a TTM identical to SPEC.
By transforming PROG into SPEC above we have shown that the corrected pseudocode implements an algorithm that satisfies the behavior requirements expressed by SPEC. The transformational proof above is sufficient to guarantee the formal observation equivalence of SPEC and PROG over U.
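Each Transition Deletion in steps 2, 4, 5 and 9 is justified by the same argument: a transition instance may be removed from an activity when its enablement condition is false in every reachable state of that activity. The check below is an added example, not part of the thesis or its tools, and mechanises that argument by exhaustive reachability over a constructed, simplified stand-in for PROG. The activity names a, b and c are the thesis's; the transition names (start, idle, count1, abort, trip, count2, close), their guards and operations, the input abstraction (p standing for Power ≥ PT, q for the pressure condition, both chosen freely by the environment at each step), the counter limits 30 and 20, and the omission of time bounds (only the untimed transition structure is explored, which is all the TD justifications use) are assumptions made for the example. As in PROG1, every transition is instanced in every activity; the check reports which instances are never enabled and so may be deleted, confirms the activity invariants used in steps 5 and 7, and verifies that deleting the dead instances leaves the reachable state space unchanged.

```python
"""Exhaustive reachability check justifying Transition Deletion on a small TTM.

Constructed stand-in for PROG (assumed names, guards and bounds): activities
a (idle, relay closed), b (counting c1 towards the trip delay) and c (relay
open, counting c2 towards the hold time).  State = (x, c1, c2, Relay).
"""
from collections import deque
from itertools import product

ACTIVITIES = ("a", "b", "c")
OPEN, CLOSED = "OPEN", "CLOSED"
C1_MAX, C2_MAX = 30, 20                      # assumed delay and hold time, in ticks
INIT = ("a", 0, 0, CLOSED)                   # initial condition: x = a, counters zero

# name -> (enablement(state, (p, q)), operation(c1, c2, relay) -> (c1, c2, relay), destination)
# p = "Power >= PT", q = the pressure condition; both are environment inputs (assumed).
TRANSITIONS = {
    "start":  (lambda s, i: i[0] and i[1] and s[1] == 0 and s[2] == 0,
               lambda c1, c2, r: (1, c2, r),               "b"),
    "idle":   (lambda s, i: not i[0] and s[1] == 0 and s[2] == 0,
               lambda c1, c2, r: (c1, c2, r),              "a"),
    "count1": (lambda s, i: 1 <= s[1] < C1_MAX,
               lambda c1, c2, r: (c1 + 1, c2, r),          "b"),
    "abort":  (lambda s, i: not i[0] and s[1] > 0,
               lambda c1, c2, r: (0, c2, r),               "a"),
    "trip":   (lambda s, i: i[0] and s[1] >= C1_MAX,
               lambda c1, c2, r: (0, c2 + 1, OPEN),        "c"),
    "count2": (lambda s, i: 1 <= s[2] < C2_MAX,
               lambda c1, c2, r: (c1, c2 + 1, r),          "c"),
    "close":  (lambda s, i: s[2] >= C2_MAX,
               lambda c1, c2, r: (c1, 0, CLOSED),          "a"),
}
# Activity each transition belongs to in the SPEC-like target (used only to check the result).
HOME = {"start": "a", "idle": "a", "count1": "b", "abort": "b",
        "trip": "b", "count2": "c", "close": "c"}


def all_instances():
    """PROG1-style starting point: every transition instanced at every activity."""
    return {(name, x) for name in TRANSITIONS for x in ACTIVITIES}


def fire(name, state):
    """Apply a transition's operation and move to its destination activity."""
    _, op, dst = TRANSITIONS[name]
    return (dst,) + op(*state[1:])


def explore(instances, init=INIT):
    """Return (reachable states, instances enabled in at least one reachable state)."""
    reachable, enabled, queue = {init}, set(), deque([init])
    while queue:
        s = queue.popleft()
        for inputs in product((False, True), repeat=2):   # every environment choice
            for name, src in instances:
                if src != s[0] or not TRANSITIONS[name][0](s, inputs):
                    continue
                enabled.add((name, src))
                nxt = fire(name, s)
                if nxt not in reachable:
                    reachable.add(nxt)
                    queue.append(nxt)
    return reachable, enabled


def deletable(instances, init=INIT):
    """Instances never enabled in a reachable state of their source activity: TD applies."""
    return set(instances) - explore(instances, init)[1]


# Activity invariants the proof relies on (steps 2, 4, 5 and 7), checked over all reachable states.
INVARIANTS = {
    "x=a => c1=c2=0":       lambda x, c1, c2, r: x != "a" or (c1 == 0 and c2 == 0),
    "x=b => c1>0 and c2=0": lambda x, c1, c2, r: x != "b" or (c1 > 0 and c2 == 0),
    "x=c => c1=0 and c2>0": lambda x, c1, c2, r: x != "c" or (c1 == 0 and c2 > 0),
    "c2>0 <=> x=c":         lambda x, c1, c2, r: (c2 > 0) == (x == "c"),
    "Relay=OPEN <=> x=c":   lambda x, c1, c2, r: (r == OPEN) == (x == "c"),
}


def violated(instances, init=INIT):
    """Names of invariants that fail in some reachable state (empty list if all hold)."""
    reachable, _ = explore(instances, init)
    return sorted(n for n, holds in INVARIANTS.items() if not all(holds(*s) for s in reachable))


if __name__ == "__main__":
    full = all_instances()
    dead = deletable(full)
    print(f"{len(full)} instances, {len(dead)} deletable:", sorted(dead))
    print("violated invariants:", violated(full))
    print("dynamics unchanged after TD:", explore(full - dead)[0] == explore(full)[0])
```

On this model the 14 off-home instances (every (transition, activity) pair with the activity other than the transition's home) are reported deletable, no invariant is violated, and the 51 reachable states are the same before and after deletion, which is exactly the "dynamics unchanged" condition the proof appeals to at each TD step.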