A Denotational Semantics of Timed RSL using Duration ...

UNU/IIST
International Institute for Software Technology

UNU/IIST Report No. 168 R

A Denotational Semantics of Timed RSL using Duration Calculus
Li Li and He Jifeng
July 1999


UNU/IIST and UNU/IIST Reports

UNU/IIST is a Research and Training Center of the United Nations University. It was founded in 1992, and is located in Macau. UNU/IIST is jointly funded by the Governor of Macau and the Governments of China and Portugal through contribution to the UNU Endowment Fund.

The mission of UNU/IIST is to assist developing countries in the application and development of software technology.

UNU/IIST contributes through its programmatic activities:
1. advanced development projects in which software techniques supported by tools are applied,
2. research projects in which new techniques for software development are investigated,
3. curriculum development projects in which courses of software technology for universities in developing countries are developed,
4. courses which typically teach advanced software development techniques,
5. events in which conferences and workshops are organised or supported by UNU/IIST, and
6. dissemination, in which UNU/IIST regularly distributes to developing countries information on international progress of software technology.

Fellows, who are young scientists and engineers from developing countries, are invited to actively participate in all these projects. By doing the projects they are trained.

At present, the technical focus of UNU/IIST is on formal methods for software development. UNU/IIST is an internationally recognised center in the area of formal methods. However, no software technique is universally applicable. We are prepared to choose complementary techniques for our projects, if necessary.

UNU/IIST produces a report series. Reports are either Research R, Technical T, Compendia C or Administrative A. They are records of UNU/IIST activities and research and development achievements. Many of the reports are also published in conference proceedings and journals.

Please write to UNU/IIST or visit UNU/IIST home page: http://www.iist.unu.edu, if you would like to know more about UNU/IIST and its report series.

Zhou Chaochen, Director, 01.8.1997 – 31.7.2001


UNU/IIST
International Institute for Software Technology
P.O. Box 3058
Macau

A Denotational Semantics of Timed RSL using Duration Calculus
Li Li and He Jifeng

Abstract

This paper provides a denotational semantics to a subset of Timed RAISE Specification Language (RSL) using Extended Duration Calculus (EDC) model. We add some novel features into the EDC model and explore their algebraic laws which play the vital role in formalising real-time programs and verification of real-time properties. Some algebraic laws of Timed RSL are presented, which can be proved from the denotational semantics, and can be used in program transformation and optimization.


Li Li is a Fellow of UNU/IIST, on leave of absence from University of Science and Technology of China, where he is a Ph.D student. E-mail: [email protected]

He Jifeng is a Senior Research Fellow of UNU/IIST, on leave of absence from East China Normal University, Shanghai, where he is a professor. His research interest lies in the sound methods of specification of computer systems, communications, application and standards, and the techniques for designing and implementing those specifications in software and/or hardware, with high reliability and at low cost. E-mail: [email protected]

Copyright © 1999 by UNU/IIST, Li Li and He Jifeng


Contents

1 Introduction
2 Preliminaries
3 Advanced Features
   3.1 Greatest Lower Bound and Least Upper Bound
   3.2 Initial and Final Values
   3.3 Stability
   3.4 Left and Right Limits
   3.5 Hiding State Variable
   3.6 Chopping points
   3.7 Fixed Points
4 Denotational Semantics of Timed RSL
   4.1 Observations
   4.2 Semantics
5 Discussion

Report No. 168, July 1999 UNU/IIST, P.O. Box 3058, Macau


1 Introduction

Hybrid systems are interactive systems of continuous devices and real-time control programs. The design of a real-time control system is ideally decomposed into a progression of related phases. It starts with an analysis of requirements and properties of the process evolving within its environment. From these are derived formal specifications of the components of the system. A high level program generated in the later phase of the project is usually translated into machine code of the chosen computer. Additional application-specific hardware components may be needed to embed the computer into the system which it controls. Reliability of the delivered system requires that all the conceptual gaps between specification and implementation be closed.

For hybrid system a variety of formal methods have been developed, among them Phase Transition System [5, 13], Declarative Control [11], the Extended State-Transition Graph [16] and the Hybrid CSP [8]. However, it remains a difficult task to mix the description of quantitative timing properties with that of discrete changes of sequential systems. An interval temporal logic with discrete time was investigated for presenting the kinds of temporal properties and signal transitions that occur in real-time control programs. The behaviour of hardware devices can often be decomposed into successively smaller intervals of activity [6, 14]. Moreover, state transitions of programs can also be characterised by properties relating the initial and final values of variables over interval of times [4, 15]. But in the treatment of hybrid systems where the physical world evolves continuously, this approach seems inappropriate. Furthermore, we lose some important algebraic laws of the guarded command language in that framework, such as induction rules for recursions and the combination of assignments.

The RAISE Specification Language (RSL) [1] is one of the most versatile languages for formal specification, design and development of software systems. However, it has no particular features for real-time applications. This paper proposes a conservative extension of RSL for hybrid systems, based on the model of the Extended Duration Calculus (EDC) [22]. Our research is inspired by the pioneering work presented in [7, 17, 18, 19, 21, 22, 23]. The main contribution of this paper includes
1. Some novel features which play the vital role in formalising stable state of program variables and sequential composition operator, inspired by [9]
2. A mathematical framework for Timed RSL equipped with delay and time-out constructs, proposed in [3]
3. Some algebraic laws of Timed RSL which play an important role in RAISE method and program transformation and optimization.

The advantage of a model-oriented calculus is that it describes as directly as possible, using the full expressive power of mathematics, the observable and testable properties of the desired systems. These properties can be specified in independent modules, and can be assembled by simple combinators. Because both design notation and implementation languages are also given model-oriented semantics, correctness can be proved by deduction.


The rest of the paper is organised as follows. Section 2 gives a brief account of EDC and revisits its main constituents. We introduce some advanced features and explore their algebraic properties in Section 3. Section 4 provides an observation-oriented semantics for Timed RSL, and presents some algebraic laws. The paper ends with a brief summary and discussion.

2 Preliminaries

Like in EDC, we adopt continuous time represented by reals

$Time =_{df} Real$

An interval is represented by $[t_1, t_2]$ where $t_1, t_2 \in Time$ and $t_1 \le t_2$. We use $Intv$ to stand for the set of intervals, and $\sigma$ to range over intervals, and $\sigma.b$ and $\sigma.e$ to represent its left and right end points. Adjacent intervals can be merged using the catenation operator $\frown$

$\sigma_1 \frown \sigma_2 =_{df} \sigma_1 \cup \sigma_2$ if $\sigma_1.e = \sigma_2.b$

Our formalism includes the following basic symbols, each associated with a type $Type(\cdot)$
• Global variables represent constants (i.e., independent of time) and are denoted by lower-case letters $x, y, \ldots, z$.
• State variables represent functions on $Time$ and are denoted by capital letters $U, V, \ldots, W$.
• Temporal variables are identified as functions on intervals, and denoted by lower-case letters $u, v, \ldots, w$.
• We use $f, g, \ldots, h$ for function names.
• $p, q, \ldots, r$ represent predicates.

A model $\mathcal{M}$ gives the meaning of every symbol:
• Global variable $x$ is assigned a value $\mathcal{M}(x) : Type(x)$.
• State variable $V$ is interpreted as a time function $\mathcal{M}(V) : Time \to Type(V)$.
• Temporal variable $v$ is associated with an interval function $\mathcal{M}(v) : Intv \to Type(v)$.

A specific temporal variable $\ell$ is present to denote the length of interval

$\mathcal{M}(\ell)(\sigma) =_{df} \sigma.e - \sigma.b$


• $\mathcal{M}$ assigns an n-ary function name $f$ a function $\mathcal{M}(f) : Type_1 \times \ldots \times Type_n \to Type(f)$. Constants are 0-ary function names interpreted as their values.
• An n-ary predicate name $p$ is a special function name with type Bool. Boolean constants true and false are 0-ary predicate names interpreted as values true and false, respectively.

Let $h$ be a variable. Two models $\mathcal{M}_1$ and $\mathcal{M}_2$ are called h-equivalent, denoted by $\mathcal{M}_1 \equiv_h \mathcal{M}_2$, if for all variables $v$ different from $h$

$\mathcal{M}_1(v) = \mathcal{M}_2(v)$

The state expressions of the language are defined by induction, and interpreted as functions on $Time$.
• Global and state variables are state expressions.
• If $E_1, \ldots, E_n$ are state expressions and $f$ is an n-ary function name, then $f(E_1, \ldots, E_n)$ is also a state expression

$\mathcal{M}(f(E_1, \ldots, E_n))(t) =_{df} \mathcal{M}(f)(\mathcal{M}(E_1)(t), \ldots, \mathcal{M}(E_n)(t))$

The terms of the language are defined by induction, and interpreted as functions over intervals.
• Global and temporal variables are terms.
• If $\theta_1, \ldots, \theta_n$ are terms and $f$ is an n-ary function name, then $f(\theta_1, \ldots, \theta_n)$ is also a term

$\mathcal{M}(f(\theta_1, \ldots, \theta_n))(\sigma) =_{df} \mathcal{M}(f)(\mathcal{M}(\theta_1)(\sigma), \ldots, \mathcal{M}(\theta_n)(\sigma))$

Formulae are interpreted as functions from intervals to the Boolean values true and false. The set of well-formed formulae is generated by the following rules:
• Boolean typed terms are well-formed formulae.
• If $\theta_1, \ldots, \theta_n$ are terms, and $p$ is an n-ary predicate name, then $p(\theta_1, \ldots, \theta_n)$ is a well-formed formula

$\mathcal{M}(p(\theta_1, \ldots, \theta_n))(\sigma) =_{df} \mathcal{M}(p)(\mathcal{M}(\theta_1)(\sigma), \ldots, \mathcal{M}(\theta_n)(\sigma))$


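• If $F$ and $G$ are well-formed formulae, so are $\neg F$ and $F \land G$, $F \frown G$ and $\exists x \bullet F$, where $x$ is a global variable.

$\mathcal{M}(F \frown G)(\sigma) =_{df} \exists \sigma_1, \sigma_2 \bullet \sigma = (\sigma_1 \frown \sigma_2) \land \mathcal{M}(F)(\sigma_1) \land \mathcal{M}(G)(\sigma_2)$
$\mathcal{M}(\exists x \bullet F)(\sigma) =_{df} \exists \mathcal{M}' \bullet \mathcal{M}'(F)(\sigma) \land (\mathcal{M} \equiv_x \mathcal{M}')$

All the usual logical connectives (disjunction, implication, etc.) and quantifiers can be defined in interval term.

$F \lor G =_{df} \neg(\neg F \land \neg G)$
$F \Rightarrow G =_{df} \neg F \lor G$
$\forall x \bullet F =_{df} \neg(\exists x \bullet \neg F)$

The modal operators $\Diamond$ and $\Box$ can be defined in terms of the chop operator. The formula $\Diamond F$ holds on the interval $\sigma$ if $F$ does so on one of its subintervals.

$\Diamond F =_{df} true \frown (F \frown true)$

The formula $\Box F$ holds if $F$ holds on all its subintervals.

$\Box F =_{df} \neg \Diamond(\neg F)$

Let $b$ be a Boolean typed term. Define

$F \lhd b \rhd G =_{df} (F \land b) \lor (G \land \neg b)$

3 Advanced Features

3.1 Greatest Lower Bound and Least Upper Bound

Definition 3.1 (Greatest lower bound)
Let $\mathcal{F}$ be a set of formulae. We define its greatest lower bound $\sqcap \mathcal{F}$ by

$\mathcal{M}(\sqcap \mathcal{F})([t_1, t_2]) =_{df} \exists F \in \mathcal{F} \bullet \mathcal{M}(F)([t_1, t_2])$ □

$\sqcap$ can be defined algebraically by the following law:

(glb-0) $F \Leftarrow \sqcap \mathcal{F}$ iff $F \Leftarrow X$ for all $X \in \mathcal{F}$.

Corollary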


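(1) $\sqcap \{\} = false$
(2) $\sqcap(\mathcal{F}_1 \cup \mathcal{F}_2) = (\sqcap \mathcal{F}_1) \lor (\sqcap \mathcal{F}_2)$
(3) $\sqcap \{F\} = F$ □

The greatest lower bound operator distributes over $\frown$.

(glb-1) (distributivity)
$(\sqcap \mathcal{F}) \frown G = \sqcap \{F \frown G \mid F \in \mathcal{F}\}$
$G \frown (\sqcap \mathcal{F}) = \sqcap \{G \frown F \mid F \in \mathcal{F}\}$

Example 3.2
Let $F$ be a formula. We define

$F^{*} =_{df} \sqcap \{F^{n} \mid n \ge 0\}$

where $F^{0} =_{df} (\ell = 0)$ and $F^{n+1} =_{df} F \frown F^{n}$ □

Definition 3.3 (Least upper bound)
Let $\mathcal{F}$ be a set of formulae. We define its least upper bound $\sqcup \mathcal{F}$ by

$\mathcal{M}(\sqcup \mathcal{F})([t_1, t_2]) =_{df} \forall F \in \mathcal{F} \bullet \mathcal{M}(F)([t_1, t_2])$ □

$\sqcup$ can be defined algebraically by the following law:

(lub-0) $F \Rightarrow \sqcup \mathcal{F}$ iff $F \Rightarrow X$ for all $X \in \mathcal{F}$.

Corollary
(1) $\sqcup \{\} = true$
(2) $\sqcup(\mathcal{F}_1 \cup \mathcal{F}_2) = (\sqcup \mathcal{F}_1) \land (\sqcup \mathcal{F}_2)$
(3) $\sqcup \{F\} = F$ □

3.2 Initial and Final Values

Definition 3.4 (Initial and final values)
Let $V$ be a state variable. We introduce two terms $b.V$ and $e.V$ defined by

$\mathcal{M}(b.V)([t_1, t_2]) =_{df} \mathcal{M}(V)(t_1)$
$\mathcal{M}(e.V)([t_1, t_2]) =_{df} \mathcal{M}(V)(t_2)$

For a state expression $E$, its initial value $b.E$ and final value $e.E$ can be defined in the same way. □

The initial and final values are subject to the following laws: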


(V-1) (intermediate value) $(F \land p(e.V)) \frown G = F \frown (p(b.V) \land G)$
(V-2) (initial value) $(p(b.V) \land F) \frown G = p(b.V) \land (F \frown G)$
(V-3) (final value) $F \frown (G \land p(e.V)) = (F \frown G) \land p(e.V)$
(V-4) (initial and final value of state expression)
$p(b.f(V)) = p(f(b.V))$    $b.p(V) = p(b.V)$
$p(e.f(V)) = p(f(e.V))$    $e.p(V) = p(e.V)$

3.3 Stability

Definition 3.5 (Stability)
Let $S$ be a Boolean state expression. Like in EDC, a Boolean typed term $\lceil S \rceil$ is defined by

$\mathcal{M}(\lceil S \rceil)([t_1, t_2]) =_{df} t_1 < t_2 \land \forall t \in (t_1, t_2) \bullet \mathcal{M}(S)(t)$ □

The following law indicates that $\lceil \cdot \rceil$ is a derived operator.

(stb-0) (stability and initial value)
$\lceil S \rceil = \neg(\ell > 0 \frown \neg b.S \frown \ell > 0) \land \ell > 0$

$\lceil \cdot \rceil$ enjoys the following algebraic properties.

(stb-1) $\lceil true \rceil = (\ell > 0)$
(stb-2) $\lceil false \rceil = false$
(stb-3) $\lceil S_1 \land S_2 \rceil = \lceil S_1 \rceil \land \lceil S_2 \rceil$

We define

$\lfloor S \rfloor =_{df} \lceil S \rceil \lor \ell = 0$    $\lfloor\lfloor S \rfloor\rfloor =_{df} b.S \land \lfloor S \rfloor \land e.S$
$\lceil S \rceil\rceil =_{df} \lceil S \rceil \land e.S$    $\lfloor S \rfloor\rfloor =_{df} \lceil S \rceil\rceil \lor \ell = 0$

3.4 Left and Right Limits

Definition 3.6 (Left and right limits)
A state variable $V$ is finitary if for all models $\mathcal{M}$ and all time intervals $\sigma$, $\sigma$ can be divided into a finite number of sub-intervals, so that $\mathcal{M}(V)$ keeps constant in each sub-interval:

$(\exists x \bullet \lfloor V = x \rfloor)^{*} = true$
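The following Python sketch is an added illustration, not part of the report: it interprets formulae over a constructed piecewise-constant (finitary) state variable, evaluates chop, the two modal operators and the stability term from their definitions in Sections 2 and 3.3, and checks law (stb-0) on a grid of intervals. The names Step, candidates, chop, weak_stable and the sample variable V are assumptions of the example, and the finite witness search is complete only for the formulae used here.

```python
from bisect import bisect_right

class Step:
    """Finitary state variable: piecewise constant and right-continuous.
    values[0] holds before cuts[0]; values[i] holds on [cuts[i-1], cuts[i])."""
    def __init__(self, cuts, values):
        assert len(values) == len(cuts) + 1 and list(cuts) == sorted(cuts)
        self.cuts, self.values = list(cuts), list(values)

    def __call__(self, t):
        return self.values[bisect_right(self.cuts, t)]

def candidates(cuts, t1, t2):
    """Finite witness set for [t1, t2]: end points, cuts inside, one midpoint per gap.
    The state is constant on every open gap, so its midpoint stands for the gap."""
    pts = [t1] + [c for c in cuts if t1 < c < t2] + [t2]
    mids = [(p + q) / 2 for p, q in zip(pts, pts[1:]) if p < q]
    return sorted(set(pts + mids))

# A formula is a function (t1, t2) -> bool, i.e. its meaning M(F)([t1, t2]).
TRUE = lambda t1, t2: True
pos = lambda t1, t2: t2 > t1                      # the formula l > 0

def neg(F): return lambda t1, t2: not F(t1, t2)
def conj(F, G): return lambda t1, t2: F(t1, t2) and G(t1, t2)
def disj(F, G): return lambda t1, t2: F(t1, t2) or G(t1, t2)
def b(S): return lambda t1, t2: bool(S(t1))       # initial value b.S

def chop(F, G, cuts):
    """F chop G: some point m splits [t1, t2] so that F holds on [t1, m], G on [m, t2]."""
    return lambda t1, t2: any(F(t1, m) and G(m, t2)
                              for m in candidates(cuts, t1, t2))

def diamond(F, cuts):                             # true chop (F chop true)
    return chop(TRUE, chop(F, TRUE, cuts), cuts)

def box(F, cuts):                                 # not diamond (not F)
    return neg(diamond(neg(F), cuts))

def stable(S, cuts):
    """Definition 3.5: t1 < t2 and S holds at every point of the open interval."""
    return lambda t1, t2: t1 < t2 and all(
        S(t) for t in candidates(cuts, t1, t2) if t1 < t < t2)

def weak_stable(S, cuts):                         # stable(S) or l = 0
    return disj(stable(S, cuts), neg(pos))

def stb0_rhs(S, cuts):
    """Right-hand side of (stb-0): not(l>0 chop not b.S chop l>0) and l>0."""
    return conj(neg(chop(pos, chop(neg(b(S)), pos, cuts), cuts)), pos)

def agree(F, G, grid):
    """True when F and G have the same truth value on every grid interval."""
    return all(F(t1, t2) == G(t1, t2)
               for t1 in grid for t2 in grid if t1 <= t2)

# Constructed sample model: V = 0 before 1, V = 5 on [1, 3), V = 2 from 3 on.
V = Step([1.0, 3.0], [0, 5, 2])
S = lambda t: V(t) == 5                           # Boolean state expression V = 5
GRID = [0.0, 0.5, 1.0, 1.5, 2.0, 3.0, 3.5, 4.0]

def law_stb0_holds():
    return agree(stable(S, V.cuts), stb0_rhs(S, V.cuts), GRID)

if __name__ == "__main__":
    print("stable on [1,3]:", stable(S, V.cuts)(1.0, 3.0))
    print("stable on [1,3.5]:", stable(S, V.cuts)(1.0, 3.5))
    print("(stb-0) holds on the grid:", law_stb0_holds())
```

The end point 3, where V already has the value 2, does not break stability on [1, 3] because Definition 3.5 quantifies over the open interval only.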


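We introduce the left limit $\overleftarrow{V}$ and right limit $\overrightarrow{V}$ of a finitary state variable $V$ as terms defined by

$\mathcal{M}(\overleftarrow{V})([t_1, t_2]) = c$ if $\exists \delta > 0 \bullet \mathcal{M}(\lfloor V = c \rfloor)([t_1 - \delta, t_1]) = true$
$\mathcal{M}(\overrightarrow{V})([t_1, t_2]) = c$ if $\exists \delta > 0 \bullet \mathcal{M}(\lfloor V = c \rfloor)([t_2, t_2 + \delta]) = true$

For a state expression $E$, its left limit $\overleftarrow{E}$ and right limit $\overrightarrow{E}$ can be defined in the same way. □

The concepts of limit are captured by the following laws:

(limit-1) (removal of limit)
$(F \land \ell > 0) \frown (p(\overleftarrow{V}) \land G) = (F \land \exists x \bullet (p(x) \land (true \frown \lceil V = x \rceil))) \frown G$
$(F \land p(\overrightarrow{V})) \frown (G \land \ell > 0) = F \frown (G \land \exists x \bullet (p(x) \land (\lceil V = x \rceil \frown true)))$

(limit-2) (limit and composition)
$(F \land \ell = 0) \frown (p(\overleftarrow{V}) \land G) = p(\overleftarrow{V}) \land ((F \land \ell = 0) \frown G)$
$(p(\overleftarrow{V}) \land F) \frown G = p(\overleftarrow{V}) \land (F \frown G)$
$(F \land p(\overrightarrow{V})) \frown (G \land \ell = 0) = (F \frown (G \land \ell = 0)) \land p(\overrightarrow{V})$
$F \frown (G \land p(\overrightarrow{V})) = (F \frown G) \land p(\overrightarrow{V})$

(limit-4) (limit of state expression)
$p(\overleftarrow{f(V)}) = p(f(\overleftarrow{V}))$    $\overleftarrow{p(V)} = p(\overleftarrow{V})$
$p(\overrightarrow{f(V)}) = p(f(\overrightarrow{V}))$    $\overrightarrow{p(V)} = p(\overrightarrow{V})$

We define

${}^{\leftarrow}\lfloor S \rfloor\rfloor =_{df} \overleftarrow{S} \land \lfloor S \rfloor\rfloor$    $\lfloor S \rfloor\rfloor^{\rightarrow} =_{df} \lfloor S \rfloor\rfloor \land \overrightarrow{S}$    ${}^{\leftarrow}\lfloor S \rfloor\rfloor^{\rightarrow} =_{df} \overleftarrow{S} \land \lfloor S \rfloor\rfloor \land \overrightarrow{S}$
${}^{\leftarrow}\lfloor\lfloor S \rfloor\rfloor =_{df} \overleftarrow{S} \land \lfloor\lfloor S \rfloor\rfloor$    $\lfloor\lfloor S \rfloor\rfloor^{\rightarrow} =_{df} \lfloor\lfloor S \rfloor\rfloor \land \overrightarrow{S}$    ${}^{\leftarrow}\lfloor\lfloor S \rfloor\rfloor^{\rightarrow} =_{df} \overleftarrow{S} \land \lfloor\lfloor S \rfloor\rfloor \land \overrightarrow{S}$

3.5 Hiding State Variable

Definition 3.7 (Hiding state variable)
Let $V$ be a state variable. Define

$\mathcal{M}(\exists V \bullet F)([t_1, t_2]) =_{df} \exists \mathcal{M}' \bullet \mathcal{M}'(F)([t_1, t_2]) \land (\mathcal{M} \equiv_V \mathcal{M}')$ □

($\exists$-1) (distributivity) If ($\overrightarrow{V} \notin F$) and ($\overleftarrow{V} \notin G$), and ($e.V \notin F$) or ($b.V \notin G$), then
$(\exists V \bullet F) \frown (\exists V \bullet G) = \exists V \bullet (F \frown G)$

($\exists$-2) (conjunctivity) If none of $\{V, \overleftarrow{V}, \overrightarrow{V}\}$ occurs in both $F$ and $G$, then
$\exists V \bullet (F \land G) = (\exists V \bullet F) \land (\exists V \bullet G)$

($\exists$-3) (extension of scope) If the state variable $V$ is not mentioned in $G$, then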


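$(\exists V \bullet F) \frown G = \exists V \bullet (F \frown G)$
$G \frown (\exists V \bullet F) = \exists V \bullet (G \frown F)$

($\exists$-4) (hiding and substitution)
$F = \exists V' \bullet (F[V'/V] \land {}^{\leftarrow}\lfloor\lfloor V = V' \rfloor\rfloor^{\rightarrow})$

Corollary If $\overrightarrow{V} \notin F$ and $\overleftarrow{V} \notin G$, then
$F = \exists V' \bullet (F[V'/V] \land {}^{\leftarrow}\lfloor\lfloor V = V' \rfloor\rfloor)$
$G = \exists V' \bullet (G[V'/V] \land \lfloor\lfloor V = V' \rfloor\rfloor^{\rightarrow})$ □

We define

$F[\overleftarrow{V} \mapsto x] =_{df} \exists V' \bullet (F[V'/V] \land \lfloor\lfloor V = V' \rfloor\rfloor^{\rightarrow} \land \overleftarrow{V'} = x)$
$F[\overrightarrow{V} \mapsto x] =_{df} \exists V' \bullet (F[V'/V] \land {}^{\leftarrow}\lfloor\lfloor V = V' \rfloor\rfloor \land \overrightarrow{V'} = x)$
$F[b.V \mapsto x] =_{df} \exists V' \bullet (F[V'/V] \land {}^{\leftarrow}\lfloor V = V' \rfloor\rfloor^{\rightarrow} \land b.V' = x)$

Theorem 3.8 If $\overrightarrow{V} \notin F$ and $\overleftarrow{V} \notin G$, then
$F[\overrightarrow{V} \mapsto x] = F$    $G[\overleftarrow{V} \mapsto x] = G$ □

3.6 Chopping points

Definition 3.9 (Superdense chop)
Let $F$ and $G$ be formulae of state variable $V$. Define

$F \circ G =_{df} \exists x \bullet (F[\overrightarrow{V} \mapsto x] \frown G[\overleftarrow{V} \mapsto x])$ □

The chop operator $\frown$ is used to compose the continuously evolving hybrid systems, whereas the relational composition operator is used to model the sequential composition of imperative programming languages. The following theorem states that $\circ$ can be seen as the product of the chop operator $\frown$ and the relational composition operator.

Theorem 3.10 If $\overleftarrow{V}$ and $\overrightarrow{V}$ do not occur in $F$ nor $G$, then
$(F \land p(\overleftarrow{V}, \overrightarrow{V})) \circ (q(\overleftarrow{V}, \overrightarrow{V}) \land G) = (F \frown G) \land \exists x \bullet (p(\overleftarrow{V}, x) \land q(x, \overrightarrow{V}))$

Proof: We use "PL" when refer to Predicate Logic.
LHS    {Def of $\circ$, ($\exists$-2), (limit-4)}
= $\exists x \bullet (\exists V_1 \bullet (F[V_1/V] \land \lfloor\lfloor V = V_1 \rfloor\rfloor) \land \exists V_1 \bullet (\overleftarrow{V} = \overleftarrow{V_1} \land \overrightarrow{V_1} = x \land p(\overleftarrow{V_1}, \overrightarrow{V_1}))) \frown (\exists V_2 \bullet (G[V_2/V] \land \lfloor\lfloor V = V_2 \rfloor\rfloor) \land \exists V_2 \bullet (\overrightarrow{V} = \overrightarrow{V_2} \land \overleftarrow{V_2} = x \land q(\overleftarrow{V_2}, \overrightarrow{V_2})))$    {Coro. of ($\exists$-4), PL}
= $\exists x \bullet ((F \land p(\overleftarrow{V}, x)) \frown (G \land q(x, \overrightarrow{V})))$    {(limit-2)}
= RHS □

Theorem 3.11 ($\circ$ and $\frown$) If $\overrightarrow{V} \notin F$ and $\overleftarrow{V} \notin G$, then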


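$F \circ G = F \frown G$ □

$\circ$ also enjoys the following familiar algebraic laws:

Theorem 3.12
(1) (associativity) $(F \circ G) \circ H = F \circ (G \circ H)$
(2) (unit) $F \circ I = F = I \circ F$, where $I =_{df} \ell = 0 \land \overrightarrow{V} = \overleftarrow{V}$
(3) (disjunctivity) $F \circ (G \lor H) = (F \circ G) \lor (F \circ H)$
    $(G \lor H) \circ F = (G \circ F) \lor (H \circ F)$
(4) (zero) $F \circ false = false = false \circ G$
(5) (initial stable state) $(p(\overleftarrow{V}) \land F) \circ G = p(\overleftarrow{V}) \land (F \circ G)$
(6) (final stable state) $F \circ (G \land q(\overrightarrow{V})) = (F \circ G) \land q(\overrightarrow{V})$
(7) (consistency) $(F \land r(\overrightarrow{V})) \circ G = F \circ (r(\overleftarrow{V}) \land G)$
(8) (invisible stable state) If $\overrightarrow{V} \notin F$ and $\overleftarrow{V} \notin G$, then
    $(F \land \overrightarrow{V} = y) \circ G = F \frown G$
    $F \circ (\overleftarrow{V} = y \land G) = F \frown G$
    $(F \land \overrightarrow{V} = y) \circ (\overleftarrow{V} = z \land G) = (F \frown G) \land (y = z)$ □

Proof of (8): We use "ITL" when refer to Interval Temporal Logic.
$(F \land (\overrightarrow{V} = y)) \circ ((\overleftarrow{V} = z) \land G)$    {Def. of $\circ$, ($\exists$-2)}
= $\exists x \bullet ((\exists V_1 \bullet (F[V_1/V] \land {}^{\leftarrow}\lfloor\lfloor V = V_1 \rfloor\rfloor) \land \exists V_1 \bullet (\overrightarrow{V_1} = y \land \overrightarrow{V_1} = x)) \frown (\exists V_2 \bullet (\overleftarrow{V_2} = x \land \overleftarrow{V_2} = z) \land \exists V_2 \bullet (G[V_2/V] \land \lfloor\lfloor V = V_2 \rfloor\rfloor^{\rightarrow})))$    {Coro. of ($\exists$-4), ITL}
= $\exists x \bullet (x = y \land x = z) \land (F \frown G)$    {PL}
= $(y = z) \land (F \frown G)$ □

3.7 Fixed Points

Definition 3.13 (Weakest fixed point)
Let $\Phi$ be a monotonic mapping of formulae. We define its weakest fixed point by

$\mu X \bullet \Phi(X) =_{df} \sqcap \{F \mid F \Rightarrow \Phi(F)\}$ □

From Tarski's Fixed Point Theorem [20] it follows that $\mu X \bullet \Phi(X)$ is subject to the following laws.

($\mu$-1) (fixed point) $\Phi(\mu X \bullet \Phi(X)) = \mu X \bullet \Phi(X)$
($\mu$-2) (weakest fixed point) If $F \Rightarrow \Phi(F)$, then $F \Rightarrow \mu X \bullet \Phi(X)$.

Definition 3.14 (Strongest fixed point)
Let $\Phi$ be a monotonic mapping of formulae. We define its strongest fixed point by

$\nu X \bullet \Phi(X) =_{df} \sqcup \{F \mid F \Leftarrow \Phi(F)\}$ □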


$\nu X \bullet \Phi(X)$ is subject to the following laws.

($\nu$-1) (fixed point) $\Phi(\nu X \bullet \Phi(X)) = \nu X \bullet \Phi(X)$
($\nu$-2) (strongest fixed point) If $F \Leftarrow \Phi(F)$, then $F \Leftarrow \nu X \bullet \Phi(X)$.

4 Denotational Semantics of Timed RSL

In this paper, we consider a subset of Timed RSL expressions, which has the form:

chaos | stop | skip | r | v := r | P ; Q | let x = P in Q end | cc | wait r | P $\lceil\rceil$ Q | if r then P else Q end | $\lceil\rceil\lfloor\rfloor_{i \in I}$ $G_i$ | while r do P end | P $\parallel$ Q | P $-\!\!\!\parallel$ Q

where r ranges over read-only expressions, i.e. expressions not involving assignment, input, output or wait, v over variables, P and Q over expressions, x over bindings (a binding is a structure of identifiers, possibly grouped by parentheses), cc over inputs and outputs of the form c? or c!r. $G_i$ has the form $C_i$, $M_i$, where $C_i$ ranges over expressions of the form: let $x_i$ = $cc_i$ in $P_i$ end, $M_i$ over expressions of the form wait $r_i$ & $Q_i$. $\lceil\rceil\lfloor\rfloor_{i \in \{\}}$ $G_i$ is defined as stop.

In RSL, sequencing (;) is a derived notion, it is defined in terms of let, we include it to give a conventional presentation.

4.1 Observations

The semantics of a Timed RSL expression are observations on its channels, and observations on its variables and return value when it terminates. We will use the following observables:

$Tr$ : a state variable representing the sequence of communications which have been recorded so far, also called trace. We use $Tr \downarrow A$ to denote the subsequence of $Tr$ of communications on channels in set $A$.

$V_i$ : a state variable recording the current value of Timed RSL variable $v_i$.

$V$ : the binding of all state variables $V_i$: $(V_1, \ldots, V_n)$.

$r(\overleftarrow{V})$ : a term constructed by replacing each occurrence of Timed RSL variable $v_i$ in the read-only Timed RSL expression r with temporal variable $\overleftarrow{V_i}$, each occurrence of Timed RSL identifier $x_i$ with global variable $x_i$. It is used to map a read-only Timed RSL expression to an EDC term, using current value of all Timed RSL variables.

$W$ : a state variable recording the value returned by a terminating expression, having the same type of the expression.


$Ref$ : a state variable recording the current set of communications which may be refused by the expression. An element $c_i?$ ($c_i!$) in the set represents that the expression may refuse input from (output to) channel $c_i$.

$ok$ : a global Boolean variable recording the observation that the expression has been started.

$ok'$ : a global Boolean variable recording the observation that the expression has finished successfully.

$wait$ : a global Boolean variable, which is true when the expression is asked to start in a waiting state of its predecessor.

$wait'$ : a global Boolean variable, which is true when the expression is in a state waiting for communication with the environment.

We use an EDC formula to define the semantics of a Timed RSL expression. Since the execution of a Timed RSL expression can never undo any communication performed previously, the trace can only get longer. A formula $P$ which defines the semantics of a Timed RSL expression must therefore imply this fact. So it satisfies the healthiness condition:

(H1) $P = P \land R1$

where
$R1 =_{df} \exists s \bullet (\overleftarrow{Tr} = s \land \texttt{@pp}(s \le b.Tr \land b.Tr \le e.Tr) \land (\ell = 0 \lor e.Tr \le \overrightarrow{Tr}) \land \overleftarrow{Tr} \le \overrightarrow{Tr})$
$\texttt{@pp}F =_{df} \neg(\ell > 0 \frown \neg F \frown true)$.

Theorem 4.1 $R1 \circ R1 = R1$ □

Definition 4.2 (Sequential composition)
$P ; Q =_{df} \exists w, o \bullet (P[w, o/wait', ok'] \circ Q[w, o/wait, ok])$ □

The main purpose of global variable $wait'$ is to distinguish intermediate observations from the observations made on termination. In sequential composition, the intermediate observations of $P$ are also intermediate observations of $P ; Q$. If $Q$ is asked to start in a waiting state of $P$, it leaves the state unchanged, i.e., it satisfies the healthiness condition:

(H2) $P = II \lhd wait \rhd P$

where
$II =_{df} (true \vdash wait' = wait \land I) \land R1$
$P \vdash Q =_{df} ok \land P \Rightarrow ok' \land Q$
$I = (\overrightarrow{Tr} = \overleftarrow{Tr} \land \overrightarrow{V} = \overleftarrow{V} \land \overrightarrow{Ref} = \overleftarrow{Ref} \land \overrightarrow{W} = \overleftarrow{W} \land \ell = 0)$

Definition 4.3 (Healthy formula) $P$ is healthy if it satisfies H1 and H2. □

Theorem 4.4 $P$ is healthy iff it satisfies $P = \mathcal{H}(P)$ where
$\mathcal{H}(X) =_{df} II \lhd wait \rhd (X \land R1)$ □

Theorem 4.5 For any EDC formula $P$, $\mathcal{H}(P)$ is a healthy formula □

A Timed RSL expression must conform to the basic healthiness condition of sequential processes,


that it makes no prediction about a process that has not started (except that the trace can only get longer); and it is monotonic on the variable $ok'$ [10]:

(H3) $P = P \lor \neg ok \land R1$
(H4) $P[false/ok'] \Rightarrow P[true/ok']$

Definition 4.6 (Healthy design) A healthy design is an EDC formula having the form:
$\mathcal{H}(P \vdash W \lhd wait' \rhd T)$
$\mathcal{D}$ will stand for the set of healthy designs. □

Example 4.7 $II$ is a healthy design:
$II$
= $II \lhd wait \rhd II$
= $II \lhd wait \rhd (true \vdash \neg wait' \land I) \land R1$
= $\mathcal{H}(true \vdash false \lhd wait' \rhd I)$ □

Theorem 4.8 A healthy formula satisfies H3 and H4 iff it is a healthy design. □

Theorem 4.9 (Closure of healthy design)
If $D_1$ and $D_2$ are healthy designs, so are $D_1 \lor D_2$, $D_1 \lhd r(\overleftarrow{V}) \rhd D_2$, and $D_1 ; D_2$,
where $\mathcal{H}(P_1 \vdash W_1 \lhd wait' \rhd T_1) ; \mathcal{H}(P_2 \vdash W_2 \lhd wait' \rhd T_2)$
= $\mathcal{H}(\neg((\neg P_1 \land R1) \circ R1) \land \neg((T_1 \land R1) \circ (\neg P_2 \land R1)) \vdash W_1 \land R1 \lor ((T_1 \land R1) \circ (W_2 \land R1)) \lhd wait' \rhd (T_1 \land R1) \circ (T_2 \land R1))$ □

The conclusion for disjunction generalises to the union of arbitrary sets of healthy designs, and a similar law holds for arbitrary intersections.

Theorem 4.10 (Closure of glb and lub)
(1) $\sqcap_i \mathcal{H}(P_i \vdash W_i \lhd wait' \rhd T_i) = \mathcal{H}(\sqcup_i P_i \vdash \sqcap_i W_i \lhd wait' \rhd \sqcap_i T_i)$
(2) $\sqcup_i \mathcal{H}(P_i \vdash W_i \lhd wait' \rhd T_i) = \mathcal{H}(\sqcap_i P_i \vdash \sqcup_i (P_i \Rightarrow W_i) \lhd wait' \rhd \sqcup_i (P_i \Rightarrow T_i))$ □

This means that healthy designs form a complete lattice under implication ordering. Like all complete lattices, it contains a bottom element $\mathcal{H}(true)$ and a top element $\mathcal{H}(\neg ok)$. The weakest fixed point of a monotonic mapping of healthy designs can therefore be defined by:

$\mu_{\mathcal{D}} X \bullet \Phi(X) =_{df} \sqcap \{D \mid D \Rightarrow \Phi(D), D \in \mathcal{D}\}$

If a Timed RSL expression described by a healthy design $\mathcal{H}(P \vdash W \lhd wait' \rhd T)$ starts and its behaviour is not divergence described in $P$, it will finish successfully and its waiting behaviour is described by $W$, its terminating behaviour is described by $T$. Therefore, we use the following definition of the semantics of a Timed RSL expression P:


Definition 4.11 (Semantics of Timed RSL expression)
$[\![P]\!] =_{df} \mathcal{H}(\neg [\![P]\!]_{div} \vdash [\![P]\!]_{wait} \lhd wait' \rhd [\![P]\!]_{ter})$
where
$[\![P]\!]_{div} = [\![P]\!]_{div} \land R1$
$[\![P]\!]_{wait} = [\![P]\!]_{wait} \land R1$
$[\![P]\!]_{ter} = [\![P]\!]_{ter} \land R1$ □

Theorem 4.12 (Refinement ordering)
$[\![P]\!] \Rightarrow [\![Q]\!]$ iff
$([\![P]\!]_{div} \Rightarrow [\![Q]\!]_{div}) \land ([\![P]\!]_{wait} \Rightarrow [\![Q]\!]_{div} \lor [\![Q]\!]_{wait}) \land ([\![P]\!]_{ter} \Rightarrow [\![Q]\!]_{div} \lor [\![Q]\!]_{ter})$ □

Corollary $[\![P]\!] = [\![Q]\!]$ iff $([\![P]\!]_{div} = [\![Q]\!]_{div}) \land (([\![P]\!]_{div} \lor [\![P]\!]_{wait}) = ([\![Q]\!]_{div} \lor [\![Q]\!]_{wait})) \land (([\![P]\!]_{div} \lor [\![P]\!]_{ter}) = ([\![Q]\!]_{div} \lor [\![Q]\!]_{ter}))$ □

Another healthy condition of sequential processes which must be conformed by Timed RSL expressions is the right unit law:

(H5) $P = P ; II$

Theorem 4.13 A healthy design $\mathcal{H}(P \vdash W \lhd wait' \rhd T)$ satisfies H5 iff
$(\neg P \land R1) \circ R1 = (\neg P \land R1)$

Proof
$\mathcal{H}(P \vdash W \lhd wait' \rhd T) ; II$    {Example 4.7}
= $\mathcal{H}(P \vdash W \lhd wait' \rhd T) ; \mathcal{H}(true \vdash false \lhd wait' \rhd I)$    {Th. 4.9, Th. 3.12(4)}
= $\mathcal{H}(\neg((\neg P \land R1) \circ R1) \vdash W \lhd wait' \rhd (T \land R1) \circ (I \land R1))$    {$I \land R1 = I$, Th. 3.12(2)}
= $\mathcal{H}(\neg((\neg P \land R1) \circ R1) \vdash W \land R1 \lhd wait' \rhd T \land R1)$

$\mathcal{H}(P \vdash W \lhd wait' \rhd T)$    {PL}
= $\mathcal{H}(\neg(\neg P \land R1) \vdash W \land R1 \lhd wait' \rhd T \land R1)$

The conclusion follows from Corollary of Theorem 4.12 and Definition 4.11. □

Corollary $[\![P]\!]_{div} \circ R1 = [\![P]\!]_{div}$ □

Theorem 4.14 (Sequential composition)
$[\![P]\!] ; [\![Q]\!] = \mathcal{H}(\neg([\![P]\!]_{div} \lor ([\![P]\!]_{ter} \circ [\![Q]\!]_{div})) \vdash [\![P]\!]_{wait} \lor ([\![P]\!]_{ter} \circ [\![Q]\!]_{wait}) \lhd wait' \rhd [\![P]\!]_{ter} \circ [\![Q]\!]_{ter})$

Proof
The conclusion follows from Definition 4.11, Theorem 4.9, and Theorem 4.13. □

Definition 4.15 (Equivalence) Two Timed RSL expression P and Q are equivalent, denoted by


P $\simeq$ Q, is defined by:
P $\simeq$ Q $=_{df}$ $[\![P]\!] = [\![Q]\!]$ □

4.2 Semantics

To define the semantics of Timed RSL expressions, we use the following abbreviations:

An expression is stable, if either the length of interval is zero, or the trace remains unchanged in a right closed interval:

$Stb_w =_{df} \exists s \bullet ({}^{\leftarrow}\lfloor Tr = s \rfloor\rfloor^{\rightarrow})$
$Stb_t =_{df} \exists s \bullet ({}^{\leftarrow}\lfloor Tr = s \rfloor\rfloor)$

Here $Stb_w$ describes stable in waiting behaviour, while $Stb_t$ describes stable in terminating behaviour, where the right limit of trace may be changed by communication.

The output of an expression is the right limit of the trace, all state variables, and the return value when it terminates:

$O(\tau, \beta, w) =_{df} \overrightarrow{Tr} = \tau \land \overrightarrow{V} = \beta \land \overrightarrow{W} = w$

Chaos. The expression chaos is the worst expression, whose behaviour is totally unpredictable:
$[\![\text{chaos}]\!] =_{df} \mathcal{H}(false \vdash true \lhd wait' \rhd true) = \mathcal{H}(true)$

Stop. The expression stop never communicates with its environment. It does not diverge but stays in idle forever, for it does not pursue any internal computation nor terminate:
$[\![\text{stop}]\!] =_{df} \mathcal{H}(true \vdash Stb_w \lhd wait' \rhd false)$

Skip. The expression skip terminates immediately and returns the unit value () of type Unit:
$[\![\text{skip}]\!] =_{df} \mathcal{H}(true \vdash false \lhd wait' \rhd \ell = 0 \land O(\overleftarrow{Tr}, \overleftarrow{V}, ()))$

Read-only expression. The read-only expression terminates immediately and returns its value evaluated by values of the left limit of all variables:
$[\![r]\!] =_{df} \mathcal{H}(true \vdash false \lhd wait' \rhd \ell = 0 \land O(\overleftarrow{Tr}, \overleftarrow{V}, r(\overleftarrow{V})))$

Assignment. The assignment expression $v_i$ := r terminates immediately, changes the value of $v_i$ to the value of r, and returns unit value () of type Unit:
$[\![v_i := r]\!] =_{df} \mathcal{H}(true \vdash false \lhd wait' \rhd \ell = 0 \land O(\overleftarrow{Tr}, \overleftarrow{V}[r(\overleftarrow{V})/\overleftarrow{V_i}], ()))$


Sequential composition. The sequential composition P ; Q executes P first until it terminates and then runs Q:
$[\![\text{P ; Q}]\!] =_{df} [\![P]\!] ; [\![Q]\!]$
where ; on the right hand side stands for the sequential composition operator defined in Definition 4.2.

Local identifiers can be introduced by existential quantifier:
$[\![\text{let x = P in Q end}]\!] =_{df} [\![P]\!] ; \exists x \bullet (x = \overleftarrow{W} \land [\![Q]\!])$
It can be proved that if x is not free in Q then P ; Q $\simeq$ let x = P in Q end. This is the definition of sequencing (;) in RSL.

Theorem 4.16 (chaos, stop, skip, assignment, and sequential composition)
(1) chaos ; P $\simeq$ chaos
(2) stop ; P $\simeq$ stop
(3) skip ; P $\simeq$ P
(4) v := r1 ; v := r2 $\simeq$ v := r2[r1/v]
(5) (P ; Q) ; R $\simeq$ P ; (Q ; R)

Proof of (1)
$[\![\text{chaos ; P}]\!]$    {Def.}
= $\mathcal{H}(false \vdash true \lhd wait' \rhd true) ; [\![P]\!]$    {PL}
= $\mathcal{H}(\neg R1 \vdash R1 \lhd wait' \rhd R1) ; [\![P]\!]$    {Def. 4.11, Th. 4.14}
= $\mathcal{H}(\neg(R1 \lor (R1 \circ [\![P]\!]_{div})) \vdash R1 \lor (R1 \circ [\![P]\!]_{wait}) \lhd wait' \rhd R1 \circ [\![P]\!]_{ter})$    {Def. 4.11, Th. 3.12(3), Th. 4.1}
= $\mathcal{H}(\neg R1 \vdash R1 \lhd wait' \rhd R1 \circ [\![P]\!]_{ter})$    {Coro. of 4.12}
= $\mathcal{H}(\neg R1 \vdash R1 \lhd wait' \rhd R1 \lor (R1 \circ [\![P]\!]_{ter}))$    {Def. 4.11, Th. 3.12(3), Th. 4.1}
= $\mathcal{H}(\neg R1 \vdash R1 \lhd wait' \rhd R1)$    {PL}
= $[\![\text{chaos}]\!]$ □

Communication. The communication expression is stable while waiting for synchronization with its partner. As soon as its partner is ready, the communication will take place, the trace will be updated, the time elapsed while waiting (and the value received if the expression is input) will be returned:
$[\![c?]\!] =_{df} Active(\{c?\}) ; [\![c?']\!]$
$[\![c!r]\!] =_{df} Active(\{c!\}) ; [\![c!r']\!]$


where
$Active(C) =_{df} \mathcal{H}(true \vdash W(C) \lhd wait' \rhd T(C))$
$W(C) =_{df} Stb_w \land \lfloor C \cap Ref = \{\} \rfloor\rfloor^{\rightarrow}$
$T(C) =_{df} \exists \delta \bullet (Stb_t \land \lfloor C \cap Ref = \{\} \rfloor\rfloor \land \ell = \delta \land O(\overleftarrow{Tr}, \overleftarrow{V}, \delta))$
$[\![c?']\!] =_{df} \mathcal{H}(true \vdash false \lhd wait' \rhd [\![c?']\!]_{ter})$
$[\![c?']\!]_{ter} =_{df} \exists m \bullet (\ell = 0 \land O(\overleftarrow{Tr}\,\hat{}\,\langle c.m \rangle, \overleftarrow{V}, (m, \overleftarrow{W})))$
$[\![c!r']\!] =_{df} \mathcal{H}(true \vdash false \lhd wait' \rhd [\![c!r']\!]_{ter})$
$[\![c!r']\!]_{ter} =_{df} \ell = 0 \land O(\overleftarrow{Tr}\,\hat{}\,\langle c.r(\overleftarrow{V}) \rangle, \overleftarrow{V}, \overleftarrow{W})$

Here $Active(C)$ describes the stable behaviour while waiting for synchronization with its partner (not refusing any communication in the set $C$). When it terminates, it returns the time elapsed while waiting. $[\![cc']\!]$ describes the occurrence of communication at a time point.

Theorem 4.17 (communication, assignment and sequential composition)
c? ; v := r ; skip $\simeq$ v := r ; c? ; skip □

Wait. The expression wait r remains idle for r time units, and then terminates with return value unit, leaving all program variables unchanged. Here r is a read-only expression of type Time, which is defined as the set of all non-negative real numbers:
$[\![\text{wait r}]\!] =_{df} Active(\{\})[r(\overleftarrow{V})] ; [\![\text{skip}]\!]$
where
$Active(C)[\varepsilon] =_{df} \mathcal{H}(true \vdash W(C) \land \ell < \varepsilon \lhd wait' \rhd T(C) \land \ell = \varepsilon)$

Theorem 4.18 (wait, stop and sequential composition)
(1) wait 0 $\simeq$ skip
(2) wait r1 ; wait r2 $\simeq$ wait (r1+r2)
(3) wait r ; stop $\simeq$ stop

Proof of (1)
$[\![\text{wait 0}]\!]$    {Def.}
= $\mathcal{H}(true \vdash W(\{\}) \land \ell < 0 \lhd wait' \rhd T(\{\}) \land \ell = 0) ; [\![\text{skip}]\!]$    {ITL, Def.}
= $\mathcal{H}(true \vdash false \lhd wait' \rhd O(\overleftarrow{Tr}, \overleftarrow{V}, 0) \land \ell = 0) ; \mathcal{H}(true \vdash false \lhd wait' \rhd O(\overleftarrow{Tr}, \overleftarrow{V}, ()) \land \ell = 0)$    {Th. 4.14, Th. 3.12(4)}
= $\mathcal{H}(true \vdash false \lhd wait' \rhd (O(\overleftarrow{Tr}, \overleftarrow{V}, 0) \land \ell = 0) \circ (O(\overleftarrow{Tr}, \overleftarrow{V}, ()) \land \ell = 0))$    {Th. 3.10, ITL}

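$$\begin{array}{lll}
= & H(\mathit{true} \vdash \mathit{false} \triangleleft \mathit{wait}' \triangleright O(\overleftarrow{\mathit{Tr}}, \overleftarrow{V}, ()) \wedge \ell = 0) & \{\text{Def.}\} \\
= & [\![\mathbf{skip}]\!] & \Box
\end{array}$$

Internal choice. The expression $P \lceil\!\rceil Q$ behaves like either $P$ or $Q$. The choice between them is made non-deterministically:

$$[\![P \lceil\!\rceil Q]\!] =_{df} [\![P]\!] \vee [\![Q]\!]$$

Theorem 4.19 (chaos, sequential composition and internal choice)
(1) $\mathbf{chaos} \lceil\!\rceil P \simeq \mathbf{chaos}$
(2) $P ; (Q \lceil\!\rceil R) \simeq (P ; Q) \lceil\!\rceil (P ; R)$
    $(P \lceil\!\rceil Q) ; R \simeq (P ; R) \lceil\!\rceil (Q ; R)$

Proof of (1)

$$\begin{array}{lll}
 & [\![\mathbf{chaos} \lceil\!\rceil P]\!] & \{\text{Def.}\} \\
= & H(\mathit{false} \vdash \mathit{true} \triangleleft \mathit{wait}' \triangleright \mathit{true}) \vee [\![P]\!] & \{\text{Def. 4.11, Th. 4.10(1), Coro. of glb-0 lub-0}\} \\
= & H(\mathit{false} \vdash \mathit{true} \triangleleft \mathit{wait}' \triangleright \mathit{true}) & \{\text{Def.}\} \\
= & [\![\mathbf{chaos}]\!] & \Box
\end{array}$$

Conditional. The expression $\mathbf{if}\ r\ \mathbf{then}\ P\ \mathbf{else}\ Q\ \mathbf{end}$ executes $P$ if the initial value of $r$ is true, otherwise it executes $Q$ instead:

$$[\![\mathbf{if}\ r\ \mathbf{then}\ P\ \mathbf{else}\ Q]\!] =_{df} [\![P]\!] \triangleleft r(\overleftarrow{V}) \triangleright [\![Q]\!]$$

External choice. The expression $[\!]_{i \in I}\ \mathbf{let}\ x_i = cc_i\ \mathbf{in}\ P_i\ \mathbf{end}$ is willing to do any communication described in the set $C = \{c_i? \mid cc_i \text{ is } c_i?,\ i \in I\} \cup \{c_i! \mid cc_i \text{ is } c_i!r_i,\ i \in I\}$ until one of them (for example $cc_i$) occurs and executes the corresponding expression ($P_i$):

$$[\![\,[\!]_{i \in I}\ \mathbf{let}\ x_i = cc_i\ \mathbf{in}\ P_i\ \mathbf{end}]\!] =_{df} \mathit{Active}(C) ; \sqcap_{i \in I} [\![\mathbf{let}\ x_i = cc_i'\ \mathbf{in}\ P_i\ \mathbf{end}]\!]$$

The expression $[\!]_{i \in I}\ \mathbf{let}\ x_i = cc_i\ \mathbf{in}\ P_i\ \mathbf{end}\ [\!]\ [\!]_{j \in J}\ \mathbf{wait}\ r_j\ \&\ Q_j$ is willing to do any communication described in the set $C$ defined above until one of them (for example $cc_i$) occurs and executes the corresponding expression ($P_i$), or the fastest wait expression (for example $\mathbf{wait}\ r_j$) terminates and executes the corresponding expression ($Q_j$):

$$\begin{array}{l}
[\![\,[\!]_{i \in I}\ \mathbf{let}\ x_i = cc_i\ \mathbf{in}\ P_i\ \mathbf{end}\ [\!]\ [\!]_{j \in J}\ \mathbf{wait}\ r_j\ \&\ Q_j]\!] =_{df} \\
\quad \exists r \bullet (r = \mathit{Min}_{j \in J}(r_j(\overleftarrow{V})) \wedge (\mathit{Active}(C)(r) ; \sqcap_{i \in I} [\![\mathbf{let}\ x_i = cc_i'\ \mathbf{in}\ P_i\ \mathbf{end}]\!]) \\
\quad \vee\ (\mathit{Active}(C)[r] ; \sqcap_{j \in J} ([\![Q_j]\!] \wedge r_j(\overleftarrow{V}) = r)))
\end{array}$$

where

$$\mathit{Active}(C)(\varepsilon) =_{df} H(\mathit{true} \vdash W(C) \wedge \ell < \varepsilon \triangleleft \mathit{wait}' \triangleright T(C) \wedge \ell \leq \varepsilon)$$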

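Theorem 4.20 (internal choice and external choice)
$\mathbf{let}\ x_1 = cc_1\ \mathbf{in}\ P\ \mathbf{end}\ [\!]\ \mathbf{let}\ x_1 = cc_1\ \mathbf{in}\ Q\ \mathbf{end} \simeq \mathbf{let}\ x_1 = cc_1\ \mathbf{in}\ P \lceil\!\rceil Q\ \mathbf{end}$ $\Box$

Iteration. It can be easily verified that the conditional operator ($\triangleleft\, r(\overleftarrow{V})\, \triangleright$) and the sequential operator (;) are monotonic, so we can define the semantics of iteration as the weakest fixed point:

$$[\![\mathbf{while}\ r\ \mathbf{do}\ P\ \mathbf{end}]\!] =_{df} \mu_{\mathcal{D}} X \bullet (([\![P]\!] ; X) \triangleleft r(\overleftarrow{V}) \triangleright [\![\mathbf{skip}]\!])$$

Theorem 4.21 (skip and iteration)
(1) $\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}\ \mathbf{end} \simeq \mathbf{chaos}$
(2) $\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{wait}\ r\ \mathbf{end} \simeq \mathbf{stop}$

Proof of (1)

$$\begin{array}{lll}
 & [\![\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ \mathbf{skip}\ \mathbf{end}]\!] & \{\text{Def.}\} \\
= & \mu_{\mathcal{D}} X \bullet ([\![\mathbf{skip}]\!] ; X) & \{\text{Def. of } \mu_{\mathcal{D}} X \bullet \Phi(X)\} \\
= & \sqcap\{D \mid D \Rightarrow [\![\mathbf{skip}]\!] ; D,\ D \in \mathcal{D}\} & \{[\![\mathbf{chaos}]\!] = [\![\mathbf{skip}]\!] ; [\![\mathbf{chaos}]\!],\ \text{Coro. of glb-0}\} \\
= & \sqcap\{D \mid D \Rightarrow [\![\mathbf{skip}]\!] ; D,\ D \in \mathcal{D}\} \vee [\![\mathbf{chaos}]\!] & \{\text{Def. of } [\![\mathbf{chaos}]\!]\} \\
= & \sqcap\{D \mid D \Rightarrow [\![\mathbf{skip}]\!] ; D,\ D \in \mathcal{D}\} \vee H(\mathit{false} \vdash \mathit{true} \triangleleft \mathit{wait}' \triangleright \mathit{true}) & \{\text{Th. 4.10(1), Coro. of glb-0 lub-0}\} \\
= & H(\mathit{false} \vdash \mathit{true} \triangleleft \mathit{wait}' \triangleright \mathit{true}) & \{\text{Def. of } [\![\mathbf{chaos}]\!]\} \\
= & [\![\mathbf{chaos}]\!] & \Box
\end{array}$$

Concurrent composition. In the expression $P \parallel Q$, $P$ and $Q$ are assignment disjoint, which means neither of them can write variables that can be read or written by the other. Both of them return unit. They are executed concurrently until one of them terminates, when the other continues. When a communication can take place, it will occur immediately. This is the so-called maximal progress. The communication between $P$ and $Q$ is not visible. We use $\alpha(P)$ to represent the set of variables $P$ can access, and use $V_{\alpha(P)}$ instead of $V$:

$$\alpha(P \parallel Q) =_{df} \alpha(P) \cup \alpha(Q)$$

$$\begin{array}{lcl}
[\![P \parallel Q]\!]_{div} & =_{df} & \exists \mathit{Ref}_0, \mathit{Ref}_1, \mathit{Tr}_0, \mathit{Tr}_1 \bullet ([\![P]\!]^{w}_{div}[0] \wedge [\![Q]\!]^{w}_{div}[1] \\
 & & \quad \vee\ [\![P]\!]_{div}[0] \wedge ([\![Q]\!]^{w}_{wait}[1] \vee [\![Q]\!]^{w}_{ter}[1]) \\
 & & \quad \vee\ [\![Q]\!]_{div}[1] \wedge ([\![P]\!]^{w}_{wait}[0] \vee [\![P]\!]^{w}_{ter}[0])) \circ \mathit{R1} \\
[\![P \parallel Q]\!]_{wait} & =_{df} & \exists \mathit{Ref}_0, \mathit{Ref}_1, \mathit{Tr}_0, \mathit{Tr}_1 \bullet ([\![P]\!]^{w}_{wait}[0] \wedge [\![Q]\!]^{w}_{wait}[1] \\
 & & \quad \vee\ [\![P]\!]_{wait}[0] \wedge [\![Q]\!]^{w}_{ter}[1] \vee [\![Q]\!]_{wait}[1] \wedge [\![P]\!]^{w}_{ter}[0]) \\
[\![P \parallel Q]\!]_{ter} & =_{df} & \exists \mathit{Ref}_0, \mathit{Ref}_1, \mathit{Tr}_0, \mathit{Tr}_1 \bullet ([\![P]\!]_{ter}[0] \wedge [\![Q]\!]^{t}_{ter}[1] \vee [\![Q]\!]_{ter}[1] \wedge [\![P]\!]^{t}_{ter}[0])
\end{array}$$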

where

$$\begin{array}{lcl}
[\![P]\!]^{w}_{div}[i] & =_{df} & [\![P]\!]_{div}[i] \wedge \mathit{Conc} \\
[\![P]\!]^{w}_{wait}[i] & =_{df} & [\![P]\!]_{wait}[i] \wedge \mathit{Conc} \\
[\![P]\!]^{w}_{ter}[i] & =_{df} & ([\![P]\!]_{ter}[i] \circ \mathit{CIdle}_w(i)) \wedge \mathit{Conc} \\
[\![P]\!]^{t}_{ter}[i] & =_{df} & ([\![P]\!]_{ter}[i] \circ \mathit{CIdle}_t(i)) \wedge \mathit{Conc} \\
P[i] & =_{df} & P[\mathit{Ref}_i/\mathit{Ref}][\mathit{Tr}_i/\mathit{Tr}] \\
\mathit{Conc} & =_{df} & \mathit{Maxp} \wedge \exists s \bullet (\overleftarrow{\mathit{Tr}} = s \wedge \overleftarrow{\mathit{Tr}_0} = s \wedge \overleftarrow{\mathit{Tr}_1} = s \\
 & & \quad \wedge\ \lfloor (\mathit{Tr} - s) \in (\mathit{Tr}_0 - s) \parallel (\mathit{Tr}_1 - s) \wedge \mathit{Ref} = \mathit{Ref}_0 \cap \mathit{Ref}_1 \rfloor\rfloor�) \\
\mathit{Maxp} & =_{df} & \bigsqcup_i \lfloor \neg(c_i? \notin \mathit{Ref}_0 \wedge c_i! \notin \mathit{Ref}_1 \vee c_i? \notin \mathit{Ref}_1 \wedge c_i! \notin \mathit{Ref}_0) \rfloor\rfloor� \\
\langle\rangle \parallel t & =_{df} & t \parallel \langle\rangle =_{df} \{t\} \\
(\langle x \rangle {}^\frown s) \parallel (\langle y \rangle {}^\frown t) & =_{df} & \left\{ z {}^\frown u \;\middle|\; \begin{array}{l} z = \langle x \rangle \wedge u \in (s \parallel (\langle y \rangle {}^\frown t))\ \vee \\ z = \langle y \rangle \wedge u \in ((\langle x \rangle {}^\frown s) \parallel t)\ \vee \\ z = \langle\rangle \wedge x = y \wedge u \in (s \parallel t) \end{array} \right\} \\
\mathit{CIdle}_w(i) & =_{df} & \exists s_i (�\lfloor \mathit{Tr}_i = s_i \rfloor\rfloor�) \\
\mathit{CIdle}_t(i) & =_{df} & \mathit{CIdle}_w(i) \wedge \overleftarrow{V_{\alpha_i}} = \overrightarrow{V_{\alpha_i}} \\
\alpha_1 & =_{df} & \alpha(P) \qquad \alpha_2 =_{df} \alpha(Q)
\end{array}$$

Here $\mathit{Maxp}$ represents the phenomenon of maximal progress, $\mathit{Conc}$ describes the concurrent execution, and the last line inside the braces of the definition of $\parallel$ on traces hides the communication between $P$ and $Q$.

In RSL, channels can be hidden by local declaration, so that they are not visible outside the local expression. We use $P \setminus A$ to represent the expression $P$ which has the set $A$ of channels hidden by local declaration:

$$\begin{array}{lcl}
[\![P \setminus A]\!]_{div} & =_{df} & [\![P]\!]_{div} \setminus A \\
[\![P \setminus A]\!]_{wait} & =_{df} & [\![P]\!]_{wait} \setminus A \\
[\![P \setminus A]\!]_{ter} & =_{df} & [\![P]\!]_{ter} \setminus A
\end{array}$$

where

$$P \setminus A =_{df} (P \wedge \exists s \bullet (\overleftarrow{\mathit{Tr}} = s \wedge \lfloor (\mathit{Tr} - s) \downarrow A = \langle\rangle \rfloor\rfloor�))[\mathit{Ref} - \{c_i?, c_i! \mid c_i \in A\}/\mathit{Ref}]$$

Theorem 4.22 (communication, concurrent composition and hiding)

(1)
$$\begin{array}{l}
\mathbf{let}\ (x, t_1) = c?\ \mathbf{in}\ P\ \mathbf{end} \parallel \mathbf{let}\ t_2 = c!r\ \mathbf{in}\ Q\ \mathbf{end} \simeq \\
\quad \mathbf{let}\ (x, t_1) = c?\ \mathbf{in} \\
\quad\quad P \parallel \mathbf{let}\ t_2 = c!r\ \mathbf{in}\ Q[t_2 + t_1/t_2]\ \mathbf{end} \\
\quad \mathbf{end} \\
\quad [\!]\ \mathbf{let}\ t_2 = c!r\ \mathbf{in} \\
\quad\quad Q \parallel \mathbf{let}\ (x, t_1) = c?\ \mathbf{in}\ P[t_1 + t_2/t_1]\ \mathbf{end} \\
\quad \mathbf{end} \\
\quad [\!]\ \mathbf{wait}\ 0\ \&\ \mathbf{let}\ x = r\ \mathbf{in}\ P[0/t_1] \parallel Q[0/t_2]\ \mathbf{end}
\end{array}$$

(2)
$$\begin{array}{l}
(\mathbf{let}\ (x, t_1) = c?\ \mathbf{in}\ P\ \mathbf{end} \parallel \mathbf{let}\ t_2 = c!r\ \mathbf{in}\ Q\ \mathbf{end}) \setminus \{c\} \simeq \\
\quad \mathbf{let}\ x = r\ \mathbf{in}\ (P[0/t_1] \parallel Q[0/t_2]) \setminus \{c\}\ \mathbf{end}
\end{array}$$

(3) $c? \setminus \{c\} \simeq \mathbf{stop}$ $\Box$

Interlocked composition. The interlocked composition $P \mathbin{-\!\!\parallel} Q$ is similar to concurrent composition; however, during the concurrent execution, any external communication is prevented. The semantics of interlocked composition is therefore defined similarly to that of concurrent composition, except that it uses the redefined $[\![P]\!]^{w}_{ter}[i]$ and $[\![P]\!]^{t}_{ter}[i]$, $\mathit{Lock}$ instead of $\mathit{Conc}$, and $\mathit{LIdle}_w$ and $\mathit{LIdle}_t$ instead of $\mathit{CIdle}_w$ and $\mathit{CIdle}_t$:

$$\begin{array}{lcl}
[\![P]\!]^{w}_{ter}[i] & =_{df} & ([\![P]\!]_{ter}[i] \wedge \mathit{Lock}) \circ \mathit{LIdle}_w(i) \\
[\![P]\!]^{t}_{ter}[i] & =_{df} & ([\![P]\!]_{ter}[i] \wedge \mathit{Lock}) \circ \mathit{LIdle}_t(i) \\
\mathit{Lock} & =_{df} & \mathit{Maxp} \wedge \exists s \bullet (�\lfloor \mathit{Tr} = s \wedge \mathit{Tr}_0 = \mathit{Tr}_1 \rfloor\rfloor� \wedge \overleftarrow{\mathit{Tr}_1} = s) \\
\mathit{LIdle}_w(i) & =_{df} & \exists s, s_0, s_1 (\overleftarrow{\mathit{Tr}} = s \wedge \overleftarrow{\mathit{Tr}_0} = s_0 \wedge \overleftarrow{\mathit{Tr}_1} = s_1 \\
 & & \quad \wedge\ \lfloor \mathit{Tr} - s = \mathit{Tr}_{1-i} - s_{1-i} \wedge \mathit{Tr}_i = s_i \wedge \mathit{Ref} = \mathit{Ref}_{1-i} \rfloor\rfloor�) \\
\mathit{LIdle}_t(i) & =_{df} & \mathit{LIdle}_w(i) \wedge \overleftarrow{V_{\alpha_i}} = \overrightarrow{V_{\alpha_i}}
\end{array}$$

Note that we assume the concurrent or interlocked composition of $P$ and $Q$ cannot cause infinite communications occurring in a finite interval, which is divergence. Therefore, for example, if $P$ is an infinite loop of a single input, $Q$ cannot be an infinite loop of a single output on the same channel.

Theorem 4.23 (communication and interlocked composition)
$$\begin{array}{l}
\mathbf{let}\ (x, t_1) = c?\ \mathbf{in}\ P\ \mathbf{end} \mathbin{-\!\!\parallel} \mathbf{let}\ t_2 = c!r\ \mathbf{in}\ Q\ \mathbf{end} \simeq \\
\quad \mathbf{let}\ x = r\ \mathbf{in}\ P[0/t_1] \mathbin{-\!\!\parallel} Q[0/t_2]\ \mathbf{end} \qquad \Box
\end{array}$$

5 Discussion

In this paper, we have given a denotational semantics to a subset of Timed RSL expressions using EDC with advanced features. Some algebraic laws of Timed RSL which can be proved from the denotational semantics are presented. A proof rule for iterations and a case study were presented in [12]. To effectively reason about Timed RSL programs, we need a set of high-level syntax driven proof rules. More case studies will be helpful.

Our work is a part of the Timed RAISE Project. RAISE is not only a specification language; it also includes the RAISE development method [2] and RAISE tools. The method of developing Timed RSL specifications and the verification tools are also important research work for extending RAISE to Timed RAISE.

There has been some related work where semantics of several languages have been formalised using appropriate extensions of Duration Calculus. A semantics for an OCCAM-like language was defined in [23] using DC with super-dense chop, where the semantics was defined by two DC formulae, describing terminating and non-terminating behaviour respectively. Pandya, Wang and Xu [19] defined a compositional semantics of Sequential Hybrid Programs using Duration Calculus with super-dense time, fixed point operators and infinite intervals, where the semantics was defined by a single DC formula. They used a mixture of weakest and strongest fixed point to define the semantics of iteration.

In this paper, we define the semantics by a single DC formula, which is composed of three formulae describing divergence, waiting, and termination respectively. The semantics of iteration is defined by a single weakest fixed point. The advantage of our approach is that we can establish a link between the untimed refinement calculus and our timed one, which preserves the laws of untimed programming. In this paper, the super-dense chop is a derived modality, so that we can use the properties of original chop to get a set of theorems for it.

References

[1] The RAISE Language Group: The RAISE Specification Language. Prentice Hall International (UK) Ltd., 1992.
[2] The RAISE Method Group: The RAISE Development Method. Prentice Hall International (UK) Ltd., 1995.
[3] Chris George and Xia Yong: An Operational Semantics for Timed RAISE. Research Report 149, UNU/IIST, P.O. Box 3058, Macau, November 1998.
[4] R.W.S. Hale: Programming in Temporal Logic. Technical Report 42 of Computing Laboratory, University of Cambridge, 1983.
[5] R.W.S. Hale, R. Cardell-Oliver and J.M.J. Herbert: An embedding of Timed Transition System in HOL. Formal Methods in System Design 3, 151–174, 1993.
[6] J. Halpern, Z. Manna and B. Moszkowski: A hardware semantics based on temporal intervals. Proc. of 10th International Colloquium on Automata, Languages and Programming, 278–291, 1983.
[7] M. Hansen, P. Pandya and Zhou Chaochen: Finite divergence. Theoretical Computer Science 138, 113–139, 1995.
[8] He Jifeng: From CSP to Hybrid Systems. In A.W. Roscoe (ed), A Classical Mind, 171–190, 1993.

[9] He Jifeng and Xu Qiwen: Advanced Features of Duration Calculus and Their Applications. On Proceedings of Advanced Software Symposiums, Oxford, U.K, 1999.
[10] C.A.R. Hoare and He Jifeng: Unifying Theories of Programming. Prentice Hall, 1998.
[11] W. Kohn: A Declarative Theory for Rational Controllers. Proc. 27th CDC, 130–136, 1988.
[12] Li Li and He Jifeng: Timed RSL and its applications. Submitted to The 20th IEEE Real-Time Systems Symposium, 1999.
[13] O. Maler, Z. Manna and A. Pnueli: From timed to hybrid systems. LNCS 600, 1992.
[14] B.C. Moszkowski: A temporal logic for multi-level reasoning about hardware. IEEE Computer, 18(2):10–19, 1985.
[15] B.C. Moszkowski: Executing Temporal Logic Programs. Cambridge University Press, 1986.
[16] X. Nicolin et al.: An Approach to the Description and Analysis of Hybrid Systems. LNCS 736, 121–149, 1992.
[17] P. Pandya and Y. Ramakrishna: A recursive duration calculus. Technical Report, CS-95/3, Computer Science Group, TIFR, Bombay, 1995.
[18] P. Pandya and V.H. Dang: Duration calculus with weakly monotonic time. Research Report 122, UNU/IIST, P.O. Box 3058, Macau, July 1996.
[19] P. Pandya, H.P. Wang and Q.W. Xu: Towards a theory of sequential hybrid programs. In David Gries and Willem-Paul de Roever, editors, Programming Concepts and Methods (Procomet '98), pages 366–384. Chapman & Hall, 1998.
[20] A. Tarski: A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Mathematics, 5:285–309, 1955.
[21] Zhou Chaochen, C.A.R. Hoare, and A.P. Ravn: A calculus of durations. Information Processing Letters, 40(5):269–276, 1991.
[22] Zhou Chaochen, A.P. Ravn, and M.R. Hansen: An extended duration calculus for hybrid systems. In Hybrid Systems, R.L. Grossman, A. Nerode, A.P. Ravn, H. Rischel (Eds.), volume 736 of LNCS, pages 36–59. Springer-Verlag, 1993.
[23] Zhou Chaochen and M. R. Hansen: Chopping a point. In J-F. He, J. Cooke, and P. Willis, editors, Proc. BCS FACS 7th Refinement Workshop, Electronic Workshops in Computing. Springer-Verlag, 1996.
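
The merge of traces s ∥ t used in the definition of Conc for concurrent composition, written out as an added Python example that is not part of the report. It assumes events are (channel, value) tuples and reads "Tr - s" as Tr with its prefix s removed; the names merge and conc_trace_ok and the sample traces are constructed for illustration.

```python
from functools import lru_cache

@lru_cache(maxsize=None)
def merge(s, t):
    """Return s || t: every merged trace of s and t, as a frozenset of tuples."""
    if not s:                      # <> || t = {t}
        return frozenset({t})
    if not t:                      # s || <> = {s}
        return frozenset({s})
    x, y = s[0], t[0]
    out = set()
    # z = <x>: the left component contributes its first event
    out.update((x,) + u for u in merge(s[1:], t))
    # z = <y>: the right component contributes its first event
    out.update((y,) + u for u in merge(s, t[1:]))
    # z = <>: both sides perform the same event; it is hidden from the result
    if x == y:
        out.update(merge(s[1:], t[1:]))
    return frozenset(out)

def conc_trace_ok(tr, tr0, tr1, s):
    """Trace conjunct of Conc: (Tr - s) is in (Tr0 - s) || (Tr1 - s).

    Assumption: 'Tr - s' is read as Tr with its prefix s removed."""
    n = len(s)
    if any(v[:n] != s for v in (tr, tr0, tr1)):
        return False
    return tr[n:] in merge(tr0[n:], tr1[n:])

# Constructed sample: P inputs 5 on c and then communicates on d; Q outputs 5 on c.
S0 = (("a", 0),)                       # common initial trace s
TR_P = S0 + (("c", 5), ("d", 1))       # Tr0
TR_Q = S0 + (("c", 5),)                # Tr1

if __name__ == "__main__":
    for u in sorted(merge(TR_P[1:], TR_Q[1:]), key=len):
        print(u)
```

The shortest merged trace contains only the event on d: the communication on c, performed by both components, has been hidden by the third alternative of the definition.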