Approximating Idealised Real-Time Specifications Using Time Bands Electronic Communications of the EASST Volume 46 (2011) Proceedings of the 11th International Workshop on Automated Verification of Critical Systems Approximating Idealised Real-Time Specifications Using Time Bands Brijesh Dongol and Ian J. Hayes 16 pages Guest Editors: Jens Bendisposto, Cliff Jones, Michael Leuschel, Alexander Romanovsky Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Approximating Idealised Real-Time Specifications Using Time Bands Brijesh Dongol1 and Ian J. Hayes 2∗ 1brijesh@itee.uq.edu.au 2Ian.Hayes@itee.uq.edu.au School of Information Technology and Electrical Engineering, The University of Queensland Abstract: Timed specifications are often formalised at an absolute level of pre- cision, which does not reflect the real world that the specifications model, i.e., in the real world, inputs cannot be sampled with absolute precision and physical hard- ware cannot react instantaneously. As a result the developed specifications can often become unimplementable. In this paper, we consider the time bands model which allows time to be structured into several layers of abstraction and relationships be- tween bands to be formalised. This allows the timed specifications developed under idealised assumptions to be approximated using the time band in which the variables are sampled. We implement the approximated specifications using teleo-reactive programs embedded with time bands. Keywords: Time bands, Real-time systems, Teleo-reactive programs, Refinement, Cyber-physical systems 1 Introduction There is an increasing prevalence of cyber-physical systems, where software controllers are used to control physical hardware. Formally reasoning about cyber-physical systems is complicated because one must inherently consider real-time properties, parallelism between an agent and its environment and hardware/software interactions. Furthermore, components tend to operate over multiple time granularities (e.g., days, milliseconds) and hence, the reasoning rules must be able to incorporate each of these within a single formalism. A more difficult task is the development of correct real-time implementations via stepwise re- finement. Real-time logics tend to produce specifications that are too precise about their timing requirements. As a result, the assumptions and models that are developed often become unim- plementable due to the mismatch between the idealised assumptions of the specification and imprecision of digital clocks, delays in processing and imprecision of physical hardware that are inevitable in the real world. However, development of implementations from idealised assump- tions remains an attractive option because it allows one to decouple development so that systems are first developed under idealised timing constraints (which allows one to focus on component interactions). The idealised system can be modified at a later stage of the development so that it takes real-world timing constraints into account. ∗ This research is supported by Australian Research Council Discovery Grant DP0987452. 1 / 16 Volume 46 (2011) mailto:brijesh@itee.uq.edu.au mailto:Ian.Hayes@itee.uq.edu.au Approximating Idealised Real-Time Specifications Using Time Bands water w_high sensor methane sensor alarm pump w_low sensor Figure 1: Mine pump example pump alarm controllerenvironment Figure 2: Controller diagram Modifying idealised systems to handle real-world timing inaccuracies seldom produce refine- ments [WDMR08]. Thus, in this paper, we propose a method of approximating an idealised specification. We use the time bands framework [BH10], which includes a logic for reasoning about sampling errors (see Section 4.1) and allows specifications to be associated with notions such as precision and accuracy (see Section 4.2). In particular, we propose a method where we a develop a program for an idealised specification. Then, we produce an approximation of this specification using time bands and consider the modifications that are necessary to the program so that it implements this approximated specification. Throughout this paper, we consider the safety-critical system in Fig. 1 in which a pump is used to remove water from a mine shaft [BL91]. To prevent an explosion, the pump must not be operating if there is a critically high level of methane in the mine. As depicted in Fig. 2, the controller must sample sensor values from the environment (dashed arrow) and send signals to the pump and alarm to turn them on or off. In turn, the pump may change the water level, which affects the state of the environment. We implement the controllers using teleo-reactive programming model, which is a high-level approach to developing real-time systems [Nil01, Hay08]. The teleo-reactive paradigm is rad- ically different from frameworks such as action systems, timed automata and TLA+ because actions are considered to be durative (as opposed to instantaneous). Teleo-reactive programs are particularly useful for implementing controllers for autonomous agents that must react robustly to their dynamically changing environments. 2 A real-time framework We reason about a teleo-reactive program by reasoning over the contiguous time intervals within which it executes. We model time using the real numbers R and define: Interval =̂ { ∆ ⊆R ∆ 6={}∧∀t,t′: ∆ •∀t′′:R• t < t′′ < t′ ⇒ t′′ ∈ ∆ } Thus, if t and t′ are elements of an interval ∆, then all real numbers between t and t′ are also in ∆. Note that an interval may be open or closed at either end. We use glb.S and lub.S to refer to the greatest lower and least upper bounds of a set of numbers S, respectively, where ‘.’ represents function application. For intervals ∆,∆′, we define the length of ∆ (denoted `.∆) and ∆ adjoins ∆ ′ (denoted ∆ ∝ ∆′) as follows: `.∆ =̂ lub.∆−glb.∆ ∆ ∝ ∆′ =̂ (lub.∆ = glb.∆′)∧ (∆∪∆′ ∈ Interval)∧ (∆∩∆′ ={}) AVoCS 2011 2 / 16 ECEASST The partitions of an interval ∆ ∈ Interval is given by Π.∆, which is defined as follows: Π.∆ =̂ {z: seq.Interval | (∆ = ⋃ ran.z)∧ (∀i: dom.z−{0}• z.(i−1) ∝ z.i)} Given that variable names are taken from the set V ⊆ Var, a state space is given by ΣV =̂ V → Val, which is a total function mapping each variable in V to a value from Val. We leave out the subscript when the set V is clear from the context. A state is a member of ΣV and a predicate over a type X is given by PX =̂ X →B (e.g., a state predicate is a member of PΣV ). The (real-time) trace of environment behaviours is given by StreamV =̂ R → ΣV , which is a total function from time to states representing the evolution of the state of the system over time. To define properties of programs running over a time interval ∆, we use an interval stream predicate, which has type IntvPredV =̂ Interval → PStreamV . We use lim x→a+ f .x and lim x→a− f .x to denote the limit of f .x from the right and left, respectively. To ensure that limits are well defined, we assume all variables are piecewise continuous [GM01]. For a state predicate c, interval ∆ and stream s, we define: −→c .∆.s =̂ { c.(s.(lub.∆)) if lub.∆ ∈ ∆ lim t→lub.∆− c.(s.t) otherwise ←−c .∆.s =̂ { c.(s.(glb.∆)) if glb.∆ ∈ ∆ lim t→glb.∆+ c.(s.t) otherwise Thus, −→c .∆.s and ←−c .∆.s state that c holds in s at the right and left ends of ∆, respectively. We define the always and sometime operators as follows. (�c).∆.s =̂ ∀t: ∆ • c.(s.t) (�c).∆.s =̂ ∃t: ∆ • c.(s.t) Thus, (�c).∆.s and (�c).∆.s hold iff c holds in s for all times and some time with ∆, respectively. Example 1 (Safety requirement for the mine pump.) A required safety condition of our mine pump example is that in any state of the real-time stream (i.e., at the absolute level of precision), if the methane level, m, is above the critical level, C, then the pump must be stopped. Note that this means that the pump must have physically come to a stop, which we distinguish from the output control signal that turns the pump off. The safety condition Safety is defined as follows: Safety =̂ �(m ≥ C ⇒ stopped) (1) For an interval predicate p and interval ∆, we say p holds in an immediately previous interval if (prev p).∆ holds, which is defined as follows: (prev p).∆ =̂ ∃∆′: Interval • ∆′ ∝ ∆ ∧ p.∆′ We use � and prev to define invariance of a state predicate c and stability of a set of variables V as follows: inv c =̂ (prev−→c ⇒�c) st V =̂ ∀v: V •∀k: Val • inv(v = k) 3 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands Hence, (inv c).∆ holds iff �c.∆ holds provided that c holds at the right ends of an interval that precedes ∆ (i.e., c is invariant within ∆) and st V holds iff the value of each v∈V does not change within ∆ (i.e., V is stable in ∆). Note that defining st V as ∀v: V •∃k: Val • inv(v = k) is incorrect because ∃k: Val • inv(v = k) can be trivially satisfied by choosing a k such that prev( −−−→ v 6= k). We define the following operators to facilitate reasoning about interval predicates. The chop operator ‘;’ allows one to split a given interval into two parts, where p1 holds for the first interval and p2 holds for the second [ZH04]. The weak chop ‘:’ states that either p1 holds or the chop p1 ; p2 holds over the given interval. (p1 ; p2).∆ =̂ ∃∆1,∆2: Interval • (∆ = ∆1 ∪∆2)∧ (∆1 ∝ ∆2)∧ p1.∆1 ∧ p2.∆2 (p1 : p2).∆ =̂ p1.∆ ∨ (p1 ; p2).∆ Note that the stream is implicit in both sides of the definitions above. Furthermore, unlike the duration calculus [ZH04], we do not require that the intervals ∆1 and ∆2 in the definition of chop are closed. We assume point-wise lifting of the boolean operators on stream and interval predicates in the normal manner, e.g., if p1 and p2 are interval predicates, ∆ is an interval and s is a stream, we have (p1 ∧ p2).∆.s = (p1.∆.s ∧ p2.∆.s). Furthermore, when reasoning about properties of programs, we would like to state that whenever a property p1 holds over any interval ∆ and stream s, a property p2 also holds over ∆ and s. Hence, we define universal implication over intervals and streams as follows. Operators ‘≡’ and ‘W’ are similar. p1 V p2 =̂∀∆: Interval • p1.∆ V p2.∆ p1.∆ V p2.∆ =̂∀s: Stream • p1.∆.s ⇒ p2.∆.s 3 Idealised teleo-reactive programs We introduce teleo-reactive programs by considering a program that monitors the methane and controls the mine-pump in Fig. 1. Example 2 (Teleo-reactive controller for the mine-pump.) The teleo-reactive program in Fig. 3 implements a controller for the system in Fig. 2. The main program (mine pump) consists of a sequence of two guarded actions. For such a sequence, the first alternative that has a true guard is executed continuously while that guard remains true and no earlier guard in the sequence be- comes true. As soon as that guard becomes false or an earlier guard becomes true, the execution switches to the first true guard. For example, if program mine pump is executing pump water, it continues to do so while the methane level, m, is continuously less than the critical level, C, i.e., m < C. In doing so, pump water may switch back and forth between its two alternatives, depending on the water level. However, as soon as the methane level reaches its critical level, the execution of pump water is immediately terminated and control is passed to the first alternative of mine pump. That is, within a hierarchical teleo-reactive program, the guards of the top-level program take precedence over an activity within a lower-level program. Note that program pump water refers to an output variable stopped that is fed back as input stopped0. In this paper, we focus on the interaction between the mine pump and pump water programs, and hence elide discussion of feedback. AVoCS 2011 4 / 16 ECEASST mine pump =̂ 〈 m ≥ C → alarm‖stop pump , true → pump water 〉 pump water =̂ 〈 w high ∨ (¬w low ∧¬stopped0) → run pump , true → stop pump 〉 Figure 3: Teleo-reactive controller for the mine pump The first branch of mine pump executes within any interval in which m ≥ C continuously holds. Execution of alarm‖stop pump consists of the parallel execution of primitive actions alarm and stop pump. Note that the parallel actions execute in a truly concurrent manner (as opposed to via an interleaving semantics). Definition 1 For a state predicate c, set of variables F and interval predicates r and p, the syntax of a teleo-reactive program is given by P where: P ::= F:JpK | seq.GP | P −→ ‖ P | rely r • P | init c • P GP ::= c → P Here F:JpK denotes a primitive action with outputs F that behaves as described by the interval predicate p. A guarded program c → P consists of a state predicate c that guards a teleo-reactive program. A program may either be a primitive action, a sequence of guarded programs, the parallel composition of two programs, a program with a rely condition r or a program with an initialisation c. We follow the convention of using Z for a teleo-reactive program and S for a sequence of guarded programs. Sequences are written within brackets ‘〈’ and ‘〉’ and ‘a’ is used for sequence concatenation. We let vars.p and vars.c denote the set of all variables that occur free in interval predicate p and state predicate c, respectively. The set of variables of Z is given by vars.Z, where vars.(F:JpK) =̂ vars.p∪F vars.〈〉 =̂ {} vars.(〈c → Z〉a S) =̂ vars.c∪vars.Z∪vars.S vars.(Z1 −→ ‖ Z2) =̂ vars.Z1 ∪vars.Z2 vars.(rely r • Z) =̂ vars.r∪vars.Z vars.(init c • Z) =̂ vars.c∪vars.Z The functions in,out: P→PVar return the input and output variables of a teleo-reactive program, respectively, where: out.(F:JpK) =̂ F out.〈〉 =̂ {} out.(〈c → Z〉a S) =̂ out.Z∪out.S out.(Z1 −→ ‖ Z2) =̂ out.Z1 ∪out.Z2 out.(rely r • Z) =̂ out.Z out.(init c • Z) =̂ out.Z We define the set of input variables of Z as in.Z =̂ vars.Z\out.Z. Because the semantics of teleo-reactive programs is truly concurrent (as opposed to an inter- leaving semantics), two concurrent programs Z1 −→ ‖ Z2 may not modify the same variable, i.e., we require that out.Z1 ∩out.Z2 = {}. Furthermore, in program Z1 −→ ‖ Z2 the outputs of Z1 may be 5 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands Suppose F is a set of variables, p is an interval predicate, Z, Z1 and Z2 are teleo-reactive programs, and S and T =̂ 〈c → Z〉a S are sequences of guarded programs and r is a rely condition of Z. If V is an output context of each of the programs below, we define: behV.(F:JpK) =̂ p ∧ st(V\F) (2) behV.〈〉 =̂ true (3) behV.T =̂ ((�c∧behV.Z) : (←−¬c∧behV.T))∨ ((�¬c∧behV.S) : (←−c ∧behV.T)) (4) behV.(Z1 −→ ‖ Z2) =̂ behV\out.Z2.Z1 ∧ behV\out.Z1.Z2 (5) behV.(rely r • Z) =̂ r ⇒ behV.Z (6) behV.(init c • Z) =̂ prev−→c ∧ behV.Z (7) Figure 4: beh function used as inputs to Z2, thus parallel composition is not necessarily commutative. We define simple parallelism Z1‖Z2 as a special case of parallel composition in which the inputs of Z1 and Z2 are disjoint with the outputs of Z2 and Z1, respectively. Unlike Z1 −→ ‖ Z2, the programs under simple parallelism commute. Teleo-reactive programs are often only required to execute correctly under certain environment assumptions; these assumptions may be formalised within a rely condition. Definition 2 We say interval predicate r is a rely condition of teleo-reactive program Z iff vars.r∩out.Z ={}. Definition 3 A set of variables V is an output context of a teleo-reactive program Z iff V ⊇out.Z and V ∩in.Z ={}. The behaviour of a teleo-reactive program Z in a possibly wider output context V is given by behV.Z as defined in Fig. 4. The behaviour of a specification F:JpK with respect to the set V is given by (2), where in addition to behaving as specified by p, the variables of V that are not in F are guaranteed to be stable. An empty sequence of programs (3), is chaotic and allows any behaviour. The behaviour of a non-empty sequence of guarded programs, (4), is defined recursively. There are two disjuncts corresponding to either c or ¬c holding initially on the interval. If c holds initially, either �c ∧ behV.Z holds for the whole interval or the interval may be split into an initial interval in which �c ∧ behV.Z holds, followed by an interval in which ¬c holds initially and behV.T holds (recursively) for the second interval. The other disjunct is similar. Note that each chopped interval must be a maximal interval over which either �c or �¬c holds. The behaviour of the parallel composition between Z1 and Z2 is given by (5) and is defined to be the conjunction of the two behaviours with the outputs of each branch removed from the output context of the other. The behaviour of a program Z with rely condition r is denoted rely r • Z and its behaviour is given by (6). Thus, the program executes as defined by behV.Z provided the rely condition r holds. The initialisation of Z specifies a condition that holds prior to execution of Z and hence, the behaviour of init c • Z is given by (7). AVoCS 2011 6 / 16 ECEASST Y Z Y Z �c �(¬ c ∧ d) �c �(¬ c ∧ d) Figure 5: Execution of program 〈c → Y,d → Z〉 Example 3 Consider the execution of program 〈c → Y,d → Z〉 in Fig. 5, where program Y executes over any interval in which �c holds and Z executes over any interval in which �(¬c∧d) holds. Note that both programs Y and Z may themselves be teleo-reactive programs, and hence, each interval shown in Fig. 5 may further split into smaller sub-intervals for the branches of Y and Z. Because �c and �(¬c ∧ d) are guaranteed to hold during the execution of Y and Z, respectively, we may assume �c and �(¬c ∧ d) when reasoning about the subprograms within Y and Z, respectively. Definition 4 For teleo-reactive programs Z and Z′, we say Z is refined by Z′ (denoted Z v Z′) iff out.Z′ ⊆ out.Z and behV.Z′ V behV.Z for any V that is an output context of both Z and Z′. Lemma 1 If F, F′ are a sets of variables and p, p′ are interval predicates, then (F′ ⊆ F)∧ (vars.p′ ⊆ vars.p)∧ (st(F\F′)∧ p′ V p)⇒ (F:JpKv F′:Jp′K). Definition 5 For an interval predicate p, we say p splits iff p.∆ V∀δ : Π.∆•∀i: dom.δ •p.(δ .i), and p joins iff (∃δ : Π.∆ •∀i: dom.δ • p.(δ .i)) V p.∆. For example, interval predicate ` < 3 splits but does not join, �c and ` ≥ 3 join but do not split and �c both splits and joins. The next theorem presents a method for decomposing refinements for programs that are se- quences of guarded programs. Theorem 1 For a teleo-reactive program T =̂ 〈c → Z〉a S, if r is a rely condition of T that splits and g is an interval predicate that joins, then rely r • F:JgKv T holds provided that both: rely r • F:J�c ⇒ gK v Z (8) rely r • F:J�¬c ⇒ gK v S (9) Example 4 (Mine-pump in Fig. 3 satisfies Safety.) Note that the program in Fig. 3 is idealised, i.e., we assume that the guards are continuously evaluated and that the pump reacts instanta- neously. By defining MO =̂ out.mine pump and stop pump =̂ {stopped}:J�stoppedK (10) the proof of MO:JSafetyK v mine pump is straightforward, which proves that the mine pump program in Fig. 3 implements the safety requirement Safety. In particular, we have: MO:JSafetyKv mine pump ⇐ Theorem 1, Safety joins 7 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands MO:J�(m ≥ C)⇒ SafetyK v (alarm‖stop pump)∧ MO:J�(m < C)⇒ SafetyK v pump water ⇐ first conjunct, LHS: Lemma 1, definition of Safety, RHS: definition of ‖ second conjunct: definition of Safety (MO:J�stoppedK v stop pump)∧ (MO:JtrueK v pump water) ⇐ first conjunct: (10) and Lemma 1, second conjunct: Lemma 1 and out.pump water ⊆ MO true The ideal execution of a teleo-reactive program would continuously evaluate its guards all the time. Of course, continuous evaluation is not feasible and it has to be approximated by repeated sampling and evaluation. One of the main issues addressed in this paper is handling the imprecision introduced by such implementations by making use of Burns’ time band framework [BB06, BH10]. 4 Teleo-reactive programs with sampling 4.1 Sampling A reactive controller uses (discrete) sampling events to determine the state of its (continuous) environment. Although a sampling event is viewed as instantaneous in the time band of the controller, sampling events actually take time. Thus, sampling events are prone to timing preci- sion errors (where there is a range of possible sampled values due to imprecise timing of when the sample is taken) and sampling anomalies, i.e., sampling two or more sensors causes a non- existent state to be returned. Sampling is also prone to sensor errors (where the sensors have inaccuracies in measuring the environment), however, sampling errors are not the focus of this paper, and hence are elided. We use a logic that assumes each environment variable in an expression is read exactly once within a sampling event and that this value is used for each occurrence of the variable in the expression. However, different variables may be read at different times within an interval, which makes it possible for a sampling event to return a state that does not actually exist [BH10]. Given a set of states SS ⊆ ΣV , we define: values.SS =̂ λ v: V •{σ : SS • σ.v} apparent.SS =̂ {σ : Σ | (∀v: V • σ.v ∈ values.SS)} where the notation {σ : SS • σ.v} is equivalent to {x | (∃σ : SS • x = σ.v)}. That is, values.SS returns a state that maps each variable v to the set of values that v may have in SS and apparent.SS generates the set of all states in which each variable is one of its values in a state in SS, but different states could be used for different variables. To reason about sampling anomalies, we define functions states and av that return the sets of all states and all apparent states within an interval of a stream, respectively. That is, if ∆ is an interval and s is a stream, we define: states.∆.s =̂ {t: ∆ • s.t} av.∆.s =̂ apparent.(states.∆.s) AVoCS 2011 8 / 16 ECEASST Using functions states and av, we formalise state predicates that are definitely true (denoted �) and possibly true (denoted �) over a given interval ∆ and stream s as follows: (�c).∆.s =̂∀σ : av.∆.s • c.σ (�c).∆.s =̂∃σ : av.∆.s • c.σ If (�c).∆.s holds, then c holds for each apparent state in the interval ∆ and if �c holds then c holds in some apparent state. Note that because states.∆.s ⊆ apparent.∆.s holds for any interval ∆ and stream s, both �c V �c and �c V �c hold. There are several relationships between � and � [BH10]. In this paper, we find the following lemma to be useful [HBDJ11]. Lemma 2 For a state predicate c and variable v, st(vars.c\{v}) V (�c = �c)∧ (�c = �c). That is, if at most one variable of c is non-stable within an interval then c definitely holds iff c holds everywhere (and similarly c possibly holds). 4.2 Time bands The set of all time bands is given by the primitive type TimeBand, which defines a unit of time, e.g., seconds, days, years. The precision of a time band is given by ρ : TimeBand → R>0. We define a time band b1 + b2 to be a band such that ρ.(b1 + b2) =̂ ρ.b1 + ρ.b2. For a real-valued variable v, interval ∆ and stream s, we define: diff .v.∆.s =̂ let vs ={σ : states.∆.s • σ.v} in lub.vs−glb.vs Thus, diff returns the difference between the maximum and minimum values of the given variable in the given interval and stream. To this end, we define the accuracy of a variable v in time band b using accuracy.v.b, which limits the maximum change to the variable within events of time band b. For any variable v and time band b, we implicitly assume the following rely condition: `.∆ ≤ ρ.b V diff .v.∆ ≤ accuracy.v.b (11) Lemma 3 For a variable v, constant k, and time band b, `≤ ρ.b ∧�(v < k−accuracy.v.b) V �(v < k). Proof. The proof is trivial by the assumption (11) on accuracy. 2 4.3 Extended syntax and semantics For a guarded sequence of actions T and a time band b, we use T † b to denote that the guards of T are repeatedly evaluated within the precision of time band b. We use functions grd.(c→Z) =̂ c and body.(c → Z) =̂ Z to denote the guard and body of the guarded program c → Z, respectively. Definition 6 For any i ∈ dom.T , the effective guard of T.i (denoted eff .(T.i)) is given by grd.(T.i)∧ ∧ j:0..i−1¬grd.(T.j). 9 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands That is, the effective guard of T.i is the actual guard of T.i in conjunction with the negations of all guards that precede i in T . Execution of program T † b consists of evaluation of all guards within intervals of size ρ.b or less. Then, branch T.j is executed over interval ∆ if there is a partition δ of ∆ such that the effective guard of T.j possibly holds in each δ .i, and furthermore, the body of T.j executes as defined by the behaviour function over ∆. For a state predicate c, time band b and interval ∆, we define the following: �bc =̂ `≤ ρ.b ∧�c (12) (�+b c).∆ =̂ ∃δ : Π.∆ •∀i: dom.δ • (�bc).(δ .i) (13) Lemma 4 If c is a state predicate, b is a time band, p is an interval predicate that joins, s is a stream and ∀Ω: Interval • (�bc ⇒ p).Ω.s holds, then ∀∆: Interval • (�+b c ⇒ p).∆.s. Proof. For any interval ∆, we have the following calculation: (�+b c ⇒ p).∆.s = point-wise lifting, definition of �+b c (∃δ : Π.∆ •∀i: dom.δ • (�bc).(δ .i).s)⇒ p.∆.s = logic ∀δ : Π.∆ •∀i: dom.δ • (�bc).(δ .i).s ⇒ p.∆.s ⇐ p joins ∀δ : Π.∆ •∀i: dom.δ • (�bc).(δ .i).s ⇒ p.(δ .i).s ⇐ logic ∀Ω: Interval • (�bc ⇒ p).Ω.s 2 We prove the following lemma that relates a sampled value of a variable to its true value in the environment using the accuracy of the variable. Lemma 5 For a variable v, constant k and time band b, �+b (v < k−accuracy.v.b) V �(v < k). Proof. For any interval ∆ and stream s, we have (�+b (v < k−accuracy.v.b)⇒�(v < k)).∆.s ⇐ Lemma 4, �c joins ∀Ω: Interval • (�b(v < k−accuracy.v.b)⇒�(v < k)).Ω.s ⇐ Lemma 3 and Lemma 2 true 2 If j ∈ dom.T , we define the execution of guarded program T.j within time band b as follows: execV.(T.j).b.∆ =̂ (�+b eff .(T.j)).∆ ∧ behV.(body.(T.j)).∆ AVoCS 2011 10 / 16 ECEASST Y Z Y Z �+b c � + b (¬ c ∧ d) �bc�bc �bc �bc ··· �+b (¬ c ∧ d) � + b c Figure 6: Execution of program 〈c → Y,d → Z〉† b with guard approximation 〈 m ≥ D → alarm‖stop pump, true → pump water 〉 †M Figure 7: Top-level program with methane time band Thus, there must exist a partition of ∆, δ , such that for each index i ∈ dom.δ , the length of the interval δ .i is at most the precision, ρ.b, of time band b and the effective guard of T.j possibly holds within δ .i. Furthermore, the behaviour of body.(T.j) holds over ∆. We say a teleo-reactive program T is well-formed iff last.T = true → Z for some program Z. Definition 7 For a well-formed teleo-reactive program T † b, we define behV.(T † b).∆ =̂ ∃δ : Π.∆ •∃act:(dom.δ → dom.T)•∀i: dom.act • ((execV.(T.(act.i)).b).(δ .i)∧ ((i > 0)⇒ act.i 6= act.(i−1)) Thus, we say behV.(T † b).∆ holds iff there is a partition, δ , of ∆ and a mapping, act, from the domain of δ to the domain of T such that for every i ∈ dom.act, execution of T.(act.i) holds in δ .i and furthermore, consecutive intervals of δ are mapped to different elements of T . Note that dom.act = dom.δ . Definition 7 allows both Zeno and non-Zeno executions of T , however, we can only implement non-Zeno behaviour. This is not problematic because the definition does not require Zeno behaviour, i.e., it allows non-Zeno behaviour. Example 5 Execution of the program 〈c → Y,d → Z〉† b is given in Fig. 6, where the guard �c is approximated as �+b c. Note that �bc holds iteratively over the interval, whereas Y executes over the whole interval in which �+b c holds. A version of the top-level mine pump program from Fig. 3 that does not make idealised as- sumptions is given in Fig. 7, where the changes are identified within the boxes. In particular, we have introduced a time band M ∈ TimeBand which represents the time band of the methane. In- troduction of M within the program defines the minimum rate at which the methane is sampled. Because the program approximates the value of m using a sampling event, the guard m ≥ C has been replaced by m ≥ D. We calculate the relationship between C and D that is necessary for proving Safety in Section 5.1. 11 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands 5 Approximating specifications with time bands We have developed a method of refining timed specifications and a formal semantics for both idealised and time-banded teleo-reactive programs. We are able to prove that the idealised teleo- reactive programs implement the (ideal) specifications. However, as with robust automata, prov- ing that the requirements that are specified at the absolute level of precision are implemented by the time-banded teleo-reactive programs is, in general, difficult. 5.1 Incorporating the methane time band We have a decomposition theorem for time-banded teleo-reactive programs that is similar to Theorem 1 for idealised programs. Theorem 2 Suppose T =̂ (〈c → Z〉a S) † b is a time-banded teleo-reactive program and F is a set of variables. If r is a rely condition of T that splits and g is an interval predicate that joins, then rely r • F:JgKv T holds provided that both rely r • F: q �+b c ⇒ g y v Z (14) rely r • F: q �+b ¬c ⇒ g y v S (15) Example 6 (Program in Fig. 7 satisfies Safety.) Applying Theorem 2 to prove MO:JSafetyK gives us the following proof obligations. MO: q �+M(m ≥ D)⇒ Safety y v alarm‖stop pump (16) MO: q �+M(m < D)⇒ Safety y v pump water (17) We let D ≤ C−accuracy.m.M and have the following calculations: �+M(m ≥ D)⇒ Safety W logic �stopped �+M(m < D)⇒ Safety W Lemma 5, D ≤ C−accuracy.m.M �(m < C)⇒ Safety ≡ antecedent of Safety is false true Hence, we have: (16) ⇐ calculation above, definition of ‖ MO:J�stoppedK v stop pump ⇐ (10) definition of stop pump true (17) ⇐ calculation above MO:JtrueK v pump water ⇐ out.pump water ⊆ MO true We have considered the time taken to sample the methane into account and established a relationship between the sampled and real value of the methane, which we use to prove Safety. However, the program in Fig. 7 is not realistic because it assumes that the pump is stopped instantaneously. In fact, the specification requires the pump to be stopped from the beginning of the interval over which the methane is sampled to be high, even before the first high sample AVoCS 2011 12 / 16 ECEASST is taken. In the next section, we describe how the program may be modified so that the safety condition holds for a pump that is guaranteed to stop in its own time band. 5.2 Incorporating the pump time band We consider the program in Fig. 8, where the program begins executing after initialisation stopped, the guard for stopping the pump has been modified to m ≥ E and stop pumpP is used to stop the pump. Given that P ∈ TimeBand is the time band of the pump, we define: stop pumpP =̂ {stopped}:Jinv stopped ∧ ((`≤ ρ.P) : (�stopped))K (18) i.e., if the pump is already stopped it will remain so and otherwise, execution of stop pumpP over any interval of length ρ.P or greater (i.e., the precision of the pump) is guaranteed to stop the pump. Note that this specification does not limit the deceleration of the pump, i.e., there may be several possible implementations of this specification at higher precision time bands. Each implementation must only guarantee that −−−−→ stopped holds within an interval of the precision ρ.P. Note that the bands within the program in Fig. 8 serve slightly different purposes; band P restricts the precision of the pump events, whereas band M restricts the rate at which the methane is sampled. Lemma 6 For a continuous variable, m, in time band M, and constant E, prev�+M(m < E) V ←−−−−−−−−−−−−−−−− m ≤ E + accuracy.m.M Proof. The proof makes use of the accuracy of m within time band M. prev(�+M(m < E)) V Lemma 3 prev(�(m < E + accuracy.m.M)) V continuity of m prev( −−−−−−−−−−−−−−−−→ m ≤ E + accuracy.m.M) V continuity of m ←−−−−−−−−−−−−−−−− m ≤ E + accuracy.m.M 2 Lemma 7 For a continuous variable m in time band P, and constant K, ←−−−− m ≤ K ∧ ` < ρ.P V �(m < K + accuracy.m.P). Proof. Because m is continuous and no greater than K at the left limit of an interval that is of length bounded by ρ.P, m cannot increase by more than its accuracy in band P. 2 We present a third decomposition theorem for proving refinements where the given program executes after some initialisation. 13 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands init stopped •〈 m ≥ E → alarm ‖ stop pumpP , true → pump water 〉 † M Figure 8: Top-level program with methane and pump time bands Theorem 3 Suppose T =̂ (〈c → Z〉a S) † b is a time-banded teleo-reactive program, F is a set of variables, and d is an state predicate. If r is a rely condition of T that splits and g is an interval predicate that joins, then rely r • F:JgKv init d • T holds provided: rely r • F: r �+b c ∧ prev(� + b ¬c ∨ −→ d )⇒ g z v Z (19) rely r • F: r �+b ¬c ∧ prev(� + b c ∨ −→ d )⇒ g z v S (20) Note that Theorem 2 can be derived from Theorem 3 if the predicate d is just true. Example 7 (Program in Fig. 8 satisfies Safety.) Applying Theorem 3 to prove MO:JSafetyKv init stopped • mine pump gives us: MO: r �+M(m ≥ E)∧ prev(� + M(m < E)∨ −−−−→ stopped)⇒ Safety z v alarm‖stop pumpP(21) MO: r �+M(m < E)∧ prev(� + M(m ≥ E)∨ −−−−→ stopped)⇒ Safety z v pump water (22) By assuming E ≤ C−accuracy.m.M, using Lemma 5, the proof of (22) is straightforward be- cause the left-hand-side of v in (22) reduces to MO:JtrueK. For (21), we strengthen the assump- tion to E < C−accuracy.m.(M + P) and perform the following calculation: �+M(m ≥ E)∧ prev(� + M(m < E)∨ −−−−→ stopped)⇒ Safety W weaken antecedent, definition of prev ((prev�+M(m < E))⇒ Safety)∧ ((prev −−−−→ stopped)⇒ Safety) W strengthen consequents ((prev�+M(m < E))⇒ ((`≤ ρ.P) : (�stopped))∧ Safety)∧ ((prev −−−−→ stopped)⇒�stopped) W Safety joins, definition of inv ((prev�+M(m < E))⇒ ((`≤ ρ.P ∧ Safety) : (�stopped ∧ Safety)))∧ inv stopped W Lemma 6; definition of Safety ( ←−−−−−−−−−−−−−−−− m ≤ E + accuracy.m.M ⇒ ((`≤ ρ.P ∧�(m < C)) : �stopped))∧ inv stopped W Lemma 7 and assumption E < C−accuracy.m.(M + P) ( ←−−−−−−−−−−−−−−−− m ≤ E + accuracy.m.M ⇒ ((`≤ ρ.P) : �stopped))∧ inv stopped W logic ((`≤ ρ.P) : �stopped)∧ inv stopped Using Lemma 1 and the definition of ‖, it is straightforward to verify that the specification MO:J((`≤ ρ.P) : �stopped)∧ inv stoppedK is refined by alarm‖stop pumpP, which completes the proof of Safety. AVoCS 2011 14 / 16 ECEASST 6 Related work and conclusions In the context of timed-automata, researchers have developed robust timed automata [GHJ97], which weaken the specification of the original automata to accept more traces. Implementation of robust automata is known to be problematic because the original specification is weakened. Algorithms for developing robust automata from idealised automata so that safety properties are preserved are currently impractical and preservation of general temporal logic properties is currently not possible [WDMR08]. Alur et al have considered perturbed timed automata, which focus on clock errors (or pertur- bations) [ALM05]. However in their own words: Thus, checking equivalence of timed circuits composed of components with im- perfect clocks, in terms of timed languages over inputs and outputs, remains an interesting open problem. [ALM05, pg84] In the context of refinement, Boiten and Derrick have proposed “approximating refinements” [BD05], where metrics are used to develop implementations for situations in which refinement is not possible. The argument is that realistic implementations are limited by physical resources such as memory, which place restrictions on the ideal specifications. Our work differs from this in that we are concerned with approximating idealised timing specifications. Henzinger presents a theory of timed refinement where sampling events are executed by a separate process [HQR99]. Moszkowski presents a method of abstracting between different time granularities for interval temporal logic, however the model uses a discrete framework of time [Mos95] as opposed to our continuous model. The formalisms above do not consider the possibility of sampling anomalies. Broy [Bro01] presents a refinement framework that formalises the relationships between different models of time. This includes abstraction techniques from dense to discrete models of time using sampling. However, the sampling theory is not well developed and the techniques only consider discretisation of dense streams. We have presented a model in which specifications defined over an absolute level of precision may be approximated using the time bands in which the input variables are sampled. This ap- proximating process loosens the specification and the values of variables interpreted in a time band, say b, are taken to be the values of the variable within the precision of b. We have pre- sented lemmas for relating the sampled and real values of a variable. We have also described how the behaviour of output variables may be formalised over a time band, which allows one to take delays in both signalling and hardware into account. Implementation of specifications is defined with respect to a refinement relation on interval predicates, which ensures that each real-time behaviour of the implementation is an behaviour of the abstract specification. Future work includes proofs of progress properties and methods for approximating specifica- tions in the presence of feedback. It is also important to consider more complicated systems in which the teleo-reactive controller samples multiple variables, where it is possible for sampling events to suffer from sampling anomalies. 15 / 16 Volume 46 (2011) Approximating Idealised Real-Time Specifications Using Time Bands Bibliography [ALM05] R. Alur, S. La Torre, P. Madhusudan. Perturbed Timed Automata. In Morari and Thiele (eds.), Hybrid Systems: Computation and Control. LNCS 3414, pp. 70–85. Springer Berlin / Heidelberg, 2005. [BB06] A. Burns, G. Baxter. Time bands in systems structure. In Structure for Dependabil- ity: Computer-Based Systems from an Interdisciplinary Perspective. Pp. 74–88. Springer-Verlag, 2006. [BD05] E. A. Boiten, J. Derrick. Formal Program Development with Approximations. In Treharne et al. (eds.), ZB. LNCS 3455, pp. 374–392. Springer, 2005. [BH10] A. Burns, I. J. Hayes. A Timeband Framework for Modelling Real-Time Systems. Real-Time Systems 45(1):106–142, 2010. [BL91] A. Burns, A. M. Lister. A Framework for Building Dependable Systems. Comput. J. 34(2):173–181, 1991. [Bro01] M. Broy. Refinement of time. Theor. Comput. Sci. 253(1):3–26, 2001. [GHJ97] V. Gupta, T. A. Henzinger, R. Jagadeesan. Robust Timed Automata. In Maler (ed.), HART. LNCS 1201, pp. 331–345. Springer, 1997. [GM01] A. Gargantini, A. Morzenti. Automated deductive requirements analysis of critical systems. ACM Trans. Softw. Eng. Methodol. 10:255–307, July 2001. [Hay08] I. J. Hayes. Towards reasoning about teleo-reactive programs for robust real-time systems. In SERENE ’08. Pp. 87–94. ACM, New York, NY, USA, 2008. [HBDJ11] I. J. Hayes, A. Burns, B. Dongol, C. Jones. Comparing Models of Nondeterministic Expression Evaluation. Technical report CS-TR-1273, Newcastle University, 2011. [HQR99] T. A. Henzinger, S. Qadeer, S. K. Rajamani. Assume-Guarantee Refinement Be- tween Different Time Scales. In Halbwachs and Peled (eds.), CAV. LNCS 1633, pp. 208–221. Springer, 1999. [Mos95] B. C. Moszkowski. Compositional reasoning about projected and infinite time. In ICECCS. Pp. 238–245. IEEE Computer Society, 1995. [Nil01] N. J. Nilsson. Teleo-reactive programs and the triple-tower architecture. Electronic Transactions on Artificial Intelligence 5:99–110, 2001. [WDMR08] M. Wulf, L. Doyen, N. Markey, J.-F. Raskin. Robust safety of timed automata. Form. Methods Syst. Des. 33:45–84, December 2008. [ZH04] C. Zhou, M. R. Hansen. Duration Calculus: A Formal Approach to Real-Time Systems. EATCS: Monographs in Theoretical Computer Science. Springer, 2004. AVoCS 2011 16 / 16 Introduction A real-time framework Idealised teleo-reactive programs Teleo-reactive programs with sampling Sampling Time bands Extended syntax and semantics Approximating specifications with time bands Incorporating the methane time band Incorporating the pump time band Related work and conclusions