Composition and refinement of discrete real-time systems

Jonathan S. Ostroff
1999 ACM Transactions on Software Engineering and Methodology
Reactive systems exhibit ongoing, possibly nonterminating, interaction with the environment. Real-time systems are reactive systems that must satisfy quantitative timing constraints. This paper presents a structured compositional design method for discrete real-time systems that can be used to combat the combinatorial explosion of states in the verification of large systems. A composition rule describes how the correctness of the system can be determined from the correctness of its modules, without knowledge of their internal structure. The advantage of compositional verification is clear: each module is both simpler and smaller than the system itself. Composition requires the use of both model-checking and deductive techniques. A refinement rule guarantees that specifications of high-level modules are preserved by their implementations. The StateTime toolset is used to automate parts of compositional designs using a combination of model-checking and simulation. The design method is illustrated using a reactor shutdown system that cannot be verified using the StateTime toolset (due to the combinatorial explosion of states) without compositional reasoning. The reactor example also illustrates the use of the refinement rule.[1]

[1] Formally, the bounded until operator is defined using a flexible clock variable $t$ (incremented by one every time the clock ticks) and a rigid time variable $t_0$ (which retains the same value over all states) as follows:

$$p\,\mathcal{U}_{[l,u]}\,q \;\stackrel{\text{def}}{=}\; \forall t_0 : \mathrm{type}(t) \mid (t = t_0) \rightarrow p\,\mathcal{U}\,\big(q \wedge (t_0 + l \le t \le t_0 + u)\big).$$

Please refer to Ostroff [1989] and Ostroff and Wonham [1990] for the precise details. Since the bounded time operators are defined using ordinary quantified temporal logic, the untimed temporal theorem prover STeP [Manna 1994] can be used to show the validity of theorems such as { 0 { 2 p ≡ { 2 p, which can, in principle, be used for the deductive reasoning in the sequel.
doi:10.1145/295558.295560
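As an added illustration of the footnote's definition (example code written for this page, not from the paper or the StateTime toolset): a small Python evaluator for p U_[l,u] q over a constructed finite trace, with the rigid variable t_0 frozen at the evaluation position as the definition requires. The State type, the sample traces and the convention that a finite trace with no witness counts as a failure are assumptions of this example.

```python
from typing import List, NamedTuple

class State(NamedTuple):
    """One state of a discrete trace: the flexible clock t plus the truth values of p and q."""
    t: int    # flexible clock variable, incremented by one on each clock tick
    p: bool
    q: bool

def bounded_until(trace: List[State], i: int, l: int, u: int) -> bool:
    """Evaluate p U_[l,u] q at position i of a finite trace.

    Follows the footnote's definition: freeze the rigid variable t0 := t at position i,
    then evaluate the ordinary until  p U (q and t0 + l <= t <= t0 + u).
    Assumption of this example: a finite trace with no witness for q in the window fails.
    """
    t0 = trace[i].t                      # rigid: keeps this value over all later states
    for state in trace[i:]:
        if state.q and t0 + l <= state.t <= t0 + u:
            return True                  # q observed inside the window; p held until now
        if not state.p:
            return False                 # p released before q arrived in the window
    return False                         # trace ended without a witness

# Constructed sample trace (not from the paper). Clock ticks are the transitions where t
# increases; the second state shows a non-tick transition that leaves t unchanged.
TRACE = [
    State(t=0, p=True, q=False),
    State(t=0, p=True, q=False),
    State(t=1, p=True, q=False),
    State(t=2, p=True, q=False),
    State(t=3, p=True, q=True),
]

# Constructed trace in which p is released before q holds.
RELEASED = [
    State(t=0, p=True, q=False),
    State(t=1, p=False, q=False),
    State(t=2, p=True, q=True),
]

def positions_satisfying(trace: List[State], l: int, u: int) -> List[int]:
    """All positions i at which p U_[l,u] q holds; handy for checking an invariant of it."""
    return [i for i in range(len(trace)) if bounded_until(trace, i, l, u)]

if __name__ == "__main__":
    print(bounded_until(TRACE, 0, 2, 4))        # True: q at t=3 lies in [0+2, 0+4]
    print(bounded_until(TRACE, 0, 0, 2))        # False: q arrives at t=3, after the deadline
    print(positions_satisfying(TRACE, 1, 2))    # [2, 3]
```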