A method for rigorous design of reconfigurable systems Science of Computer Programming

Contents lists available atScienceDirect

Science of Computer Programming

www.elsevier.com/locate/scico

A method for rigorous design of reconfigurable systems

Alexandre Madeira

^a,∗

, Renato Neves

^a

, Luís S. Barbosa

^a

, Manuel A. Martins

^b

aINESCTECandUniversidadedoMinho,Portugal

bCIDMAandDepartmentofMathematics,UniversidadedeAveiro,Portugal

a r t i c l e i n f o a b s t r a c t

Articlehistory:

Received20April2014

Receivedinrevisedform7February2016 Accepted5May2016

Availableonlinexxxx

Keywords:

Softwarespecification Reconfigurablesystems Hybridlogic

Reconfigurability, understoodas theabilityofasystemtobehavedifferentlyindifferent modes of operation and commute between them along its lifetime, is a cross-cutting concern inmodern Software Engineering. Thispaper introduces aspecification method forreconfigurablesoftwarebasedonaglobaltransitionstructuretocapturethesystem’s reconfigurationspace,andalocalspecificationofeachoperationmodeinwhateverlogic (equational, first-order, partial, fuzzy, probabilistic, etc.) is found expressiveenough for handlingitsrequirements.

Inthemethodthesetwolevelsare notonlymadeexplicitand juxtaposed,butformally interrelated. The key toachieve such agoalis asystematic process ofhybridisation of logicsthroughwhichtherelationshipbetweenthelocalandgloballevelsofaspecification becomesinternalisedinthelogicitself.

©^{2016ElsevierB.V.Allrightsreserved.}

1. Introduction

1.1. Motivation:theinsulininfusionpump

Diabetesmellitusisoneofthemostrapidlygrowingdiseasesinmoderntimes,predictedbymanytobecomeoneofthe mostchallenging health problems ofthiscentury. There is,currently, noknown cure fordiabetes.Moreover, in its most severe forms,the standard treatmentstill boils down toinsulin injections,a methodthat hindersa patient’snormal life andcarriesrisks.Forthisreason,new,moreconvenient,lessexpensiveandsafertechnologieshelpingpatientstopursuea betterqualityoflife,areinorder.

Theinsulininfusionpump(IIP)isanalternativetotheusualtreatment.Tocompensateforeventualinsulindisequilibri- umstheIIPmeasuresatregularintervalsthepatientneedsandinjectsinsulinthroughasubcutaneouscatheteratdifferent rates.Asanalternativetoinsulininjections,itbringsgreaterdosingprecisionandquickeradjustmentsonthefly.

The operation of a IIP is, ofcourse safetycritical in the sense that a small error in,for example,administrating the correctdose ofinsulin,maycausesevereharm, orevendeath. Potentialrisksare well-studied (cf.[111,110]), butcanbe mitigatedthroughrigorousdesign,abletoenforceimplementationstoobeyto(suitablyformalised)safetyrequirements.Not surprisinglythedesignofasafeIIPisregardedasachallengeintheengineeringofsafetycriticalsystems.Specificstrategies havebeenproposed resortingto,andeven combining,differentformalisms.Amongseveralothersone maycitethework reportedin[7],inwhichstate-basedspecificationsarevalidatedinUppaal,and[108]or[99],both basedonEvent-B,the laterbeingaratherextensiveandcompleteaccountoftheproblem.In[76],theauthorsresorttoPVStogenerateexecutable

*

Correspondingauthor.

E-mailaddresses:amadeira@inesctec.pt(A. Madeira),lsb@di.uminho.pt(L.S. Barbosa).

http://dx.doi.org/10.1016/j.scico.2016.05.001 0167-6423/©^{2016ElsevierB.V.Allrightsreserved.}

codefromtheformalisationofaninterface providedbyalegaldocument.Thepopularityoftheinsulinpumpexampleas a specificationcasestudyisalsowitnessedbythe discussionofaZspecificationintherecenteditionofI.Sommerville’s classiconSoftwareEngineering[100].

Tothebestofourknowledge allthoseapproachesfix,fromtheoutset,a specificationlogic,entailingaparticularper- spectiveontheIIPsystem.Thestrategyputforwardinthispaperhasadifferentstartingpoint:

(a) Firstly, werecognise thatthe projectofanIIPdevice involvesdifferentclassesofrequirementswhichare better expressedthrough differentlogicformalisms.Forexample,requirement“atalltimestheinsulinflowcannotsurpass agivenlimit” callsforsome sortofquantification andan ordering relation,whereas thestatement ‘‘iftheinsulin reservoirisalmostemptythenalarmmustsoundhigher”suggeststheuseofafuzzylanguagetocapturetheintended meaning ofalmost andhigher.Onthe otherhand,some variantoftemporallogic becomes necessarytoexpress propertiesoverlong-termexecutionsofthedevice,includingtypicalsafetyandlivenessrequirements.

(b) Secondly, we regard an IIP asa primeexample ofa reconfigurable device, i.e.one whose executionmodes, and not only the values storedin its internal memory,may change in response to thecontinuous interaction with theenvironment.Suchsystemsbehavedifferentlyindifferentmodesofoperation,orconfigurations,andcommute betweenthemalongtheirlifetime.

Clearly, the dynamicsof reconfigurationofa software system, understoodherein thesense ofstatically programmed changeofoperation mode,canbedescribed bysome sortoftransitionsystem,whosestatesrepresentconfigurationsand transitionsaretriggeredbywhateverconditionsenforcethemovefromaconfigurationtoanother.Indeed,requirement(b) aboveentailstheneedforadesignmethodabletoexpresssuchalocal/globaldichotomy,byspecifyingboththeindividual configurationsandthereconfigurationdynamics.However,oneneedsalsotocapturethespecific,localrequirementswhich characteriseeachconfigurationanddistinguishonefromtheothers.Formally,suchdifferentbehaviourscanbemodelledby imposing additionalstructureupon statesinthetransitionsystemwhichexpressestheoveralldynamics.Requirement (a), on its turn,suggestssucha methodto beagnosticw.r.t. whateverlogicis usedtospecifythe systemconfigurations: the natureoftherequirementsrelevantforaparticularviewshouldleadthechoiceofasuitablebaselogic.

1.2. Theapproach

Themethodproposedinthispaperaimsatbeingastepinthisdirection,byaddressingthefollowingresearchquestion:

canarigorousapproachtothedesignofreconfigurablesystemsbedevelopedbasedonthehybridisationofthelogicsusedfortheir localspecifications?Thenotionofhybridisationanditsmethodological useareexplainedbelow.Forthemoment,notethat themottooftheenvisagedapproach

reconfigurations as transitions

,

configurations as local models

embodies atwo-layeredabstraction betweenalocalspecificationstage (thatofthesystem’sindividual configurations)and aglobalone(concerningthedynamicsofreconfiguration).Inshort,modelsforreconfigurablesoftwarearestructuredtran- sition systems described within appropriate logical systems.Their statesare the individual configurations withwhatever structuretheyhavetobearinconcreteapplications.Transitionscorrespondtotheadmissiblereconfigurations.

Regarding reconfigurations astransitionssuggestssome sortofmodal logicasthe language toexpressthem. Amodal logic, however,hasno abilitytoexplicitlyrefertoindividual configurations.Thisview justifiestheuseofhybridlogic[63, 17,22,6] asthebasiclanguage to expressevolution(throughmodalities) andlocality (throughnominals).Actually, aspec- ification forthissortofsystemshould beable tomake assertions bothaboutthe transitiondynamicsand, locally,about each particularconfiguration.Thisleadstotheadoption ofhybridlogicasthespecificationlinguafrancafortheenvisaged methodology.

In general, hybrid logic adds to a modal language the ability to name,or to explicitly refer to specific states ofthe underlyingKripkestructure.Thisisdone throughtheintroductionofpropositional symbolsofanewsort,callednominals, each ofwhich istrueatexactly one possiblestate. Thesentences arethen enriched intwo directions.Ontheone hand, nominals are used assimplesentences holdingexclusively in thestate they name.On theother hand, explicitreference to statesis provided by sentences@_i

ρ

, statingthe validityof

ρ

atthestate named i. Onemay thereforespecify(local) properties of specific configurations in the system oreven to assert the equalitybetween two particular configurations, somethingwhichisbeyondwhatcanbesaidinamodallanguage.Modalities,however,capturestatetransitions,providing awaytospecifytheglobaldynamicsofreconfigurability.

Historically, hybridlogic was introduced by A.Prior inhis book[91].However, its seminal ideas emerged bythe end of the50’s, ina discussion ofC.A. Meredith[17].The theme was latterrevisited, inthe school ofSofia, by S. Passyand T. Tinchev[89].Itachievedglobalinterestwithinthemodallogiccommunityonthe90’s,beingcontributedbyP.Blackburn, C.Areces,B.tenCate,T.Braüner,T.Bolander,amongmanyothers(see,e.g.,[5,31,22,20]).Thisliftedthestatusofhybridlogic to anindependentbranchofmodern logic.Foranhistorical accountwe suggest[17,22],aswellas[18] foracomparison withtheoriginalperspectiveofA.Prior.

Fig. 1.Specification of reconfigurable systems: the approach.

Ontheotherhand,identifyingconfigurations,oroperationmodes,aslocalmodelsemphasisesthatnospecialrestrictions should be puttotheir specification. This meansthat it wouldnot beenough to take aparticular version ofhybridlogic forwritingspecifications.Actually,therelevantresearchquestionishowtocombineahybridlanguagewithwhateverlogic seems appropriate to express localrequirements for each configuration. Specific problems may requirespecific logics to describetheir configurations(e.g.,equational,first-order, fuzzy,etc.).Therefore,insteadofchoosinga particularversionof hybridlogic,themethodproposedherestartsbychoosingaspecificlogicforexpressingrequirementsattheconfiguration level.Thisislatertakenasthebaselogicontopofwhichthecharacteristicfeaturesofhybridlogicaredeveloped.

This process iscalledhybridisation [75,45] andwas introduced in the firstauthor’s PhDthesis [69]. The basicidea is quitesimple:todevelop,ontopofagivenlogic,calledthebaselogicandframedasaninstitution[52,41],thecharacteristic features of hybrid logic, both at the level ofsyntax (i.e. modalities, nominals,etc.) andsemantics (i.e.,possible worlds), togetherwithfirst-orderencodingsofsuch hybridisedinstitutions.Inparticular,givenabase institution‘encodable’inthe institutionoftheoriesinfirst-orderlogic,thehybridisationmethodprovidesasystematicconstructionofasimilarencoding forthecorrespondinghybridisedinstitution.

Toproceed in acompletely generic way,the wholeapproach is framed inthe context ofthetheory of institutions of Goguen andBurstall [28,41], each logic (base andhybridised) treated abstractly asan institution. Institutions provide a precisewaytotransport specificationsandproofsfromonelogictoanother, whichallowsustoseekforappropriate tool supportforsimulatingandvalidatingourconjectures.TheHetsframework offerssucha supportasdiscussedin[86] and exemplifiedlaterinthepaper.

Asitwillbecomecleareralongthepaper,thegeneralidea underlyingthedesignmethodproposedhereisdepictedin Fig. 1.Theupperpartrefers tothegloballevelofaspecification;thelower onetothelocaldescriptionofconfigurations.

Thelineinthemiddleemphasisestherole ofhybridfeatures:inaformulatheyprovideawaytonameevaluationstates, whereas in a modelthey index therelevant configuration.Actually, each configuration ischaracterised by a localmodel capturingitsfunctionalityandbehaviour.

1.3. Contributionandpaper’sstructure

The hybridisation process mentioned above, conductedin an institutional setting, isthe foundational work on top of which thespecificationmethod proposed in thispaperwas developed. The paperitself isdevoted to thedetailed intro- ductionofthespecificationmethod,illustratedwithfragmentsoftheIIPcasestudy.Inthissense,itextendsthe authors’

previouswork [70,72].Theformerreferenceisafirstintroductiontotheuseofhybridlogicsforspecificationofreconfig- urability,whereas thelatterdiscusses animportant,butsomehowcomplementaryaspect ofthedesignmethod proposed here—thatofrequirementselicitationthroughtheuseofasuitablesetofboilerplates.

Inthissettingthepaper’scontributionsaretwofold:

• ^The introduction, in a detailed way, of a method, based on hybridisation, for the design of reconfigurable systems (Sections3and4).

• ^Thetechnicaldevelopmentofamechanismforcapturingasystem’senduringtemporalproperties(Section5).

Sections3,4and5 contain,asexplainedabove, thepaper’soriginal contributions.Inall ofthem fragmentsoftheIIP designare usedforillustrationpurposes.Before thatan introductiontothe systematicconstructionofhybrid(ised) logics isprovidedinSection2.Thisincludesabriefsummarytotheinstitutionalrenderingoflogics. Suchabackgroundsection seems necessary toset the sceneforthe paper, exemplifyingthe generationof severallogics used inlater sections, and

providing relevant pointers to the literature. Finally, relatedwork andperspectives forfurther research are discussed in Section6.

2. Background:hybrid(ised)logics

2.1. Logicsasinstitutions

Thedevelopmentofasystematicprocessforhybridisinglogicsentailstheneedforamathematicalframeworkwherelog- icsaresuitablyhandledasgenericobjects.Thetheoryofinstitutions[52]providessuchaframeworkinacategorytheoretic setting.Thenotionofan institutionformalisesthat ofalogicalsystem,encompassingsyntax, semanticsandsatisfaction.It wasputforwardbyJ.GoguenandR.Burstall,inthelateseventies,inresponsetothe“populationexplosionamongthelogical systemsusedinComputingScience”[52].

The theory proved effective andresilient as witnessed by the wide number of logics formalised in this framework.

Examples range fromclassical logics (propositional,equational, first order,etc.), to the onesunderlying specificationand programming languagesor used fordescribing particular systemsfrom differentdomains. Well-known examples include probabilisticlogics[13],quantumlogics[29],hiddenandobservationallogics[27,14],coalgebraiclogics[32],aswellaslogicsfor reasoningaboutprocessalgebras[85],functional[97,98]andimperativeprograminglanguages[97].

Seekingforabstractcharacterisationsofbasicconceptualtools,e.g.,translationsandcombinationoflogics,thetheoryhad arelevantimpactintheoreticalComputerScience.Inparticular,itledtothedevelopmentofasolidinstitution-independent specificationtheory, on which, structuring and parameterisation mechanisms, required to scale up software specification methods,aredefined‘onceandforall’,irrespectiveoftheconcretelogicusedineachapplicationdomain[102].

Some basic definitionsare recalledbelowandillustrated witha few examplesto whichwe returnlater inthe paper.

Mostofthetechnicaldetails presentedarenot essentialforan appreciationofthedesignmethodproposed inthepaper, andcanbeskippedonafirstreading.Theinterestedreader,however,isreferencedto[41]foranextensiveaccountofthe theory.

Aninstitution I

=

Sign^I

,

Sen^I

,

Mod^I

, (|=

^I

)

_∈|SignI|

consistsof

•^{acategorySignI whoseobjectsaresignaturesandarrowssignaturemorphisms;}

•^afunctorSenI: ^SignI→S^{et givingforeachsignatureasetofsentencesoverthatsignature;}

•^{a functorModI}: (Sign^I)^op→C^{AT,givingforeachsignature} acategory whoseobjectsare -models,andarrows are -(model)homomorphisms;each arrow

ϕ

_:→∈^SignI,(i.e.,

ϕ

_:→∈(Sign^I)^op)ismappedintoafunctor Mod^I(

ϕ

):^ModI()→^ModI()calledareductfunctor,whoseeffectistocastamodelofasamodelof;

•^arelation|=^I⊆ |^ModI()|×^SenI()foreach∈ |^SignI|^,calledthesatisfactionrelation, suchthatforeachmorphism

ϕ

: →∈^SignI,thesatisfactioncondition

M

|=

^ISen^I

( ϕ )( ρ )

iff Mod^I

( ϕ )(

M

) |=

^I

ρ

(1)

holdsforeach M∈ |^ModI()|^and

ρ

∈^SenI().Graphically,

ϕ

Mod^I

()

^|=

I

Sen^I

()

Sen^I(ϕ)

Mod^I

(

)

Mod^I(ϕ)

|=^I Sen^I

(

)

ApresentationinI^{consistsofapair}(,)where isaI^{-signatureand}isasetof-sentences.

Thewholetheoryofinstitutionswasdevelopedtoprovideasoundwayofrelatinglogicsandtransportingspecifications betweenthem.Technically,thisisachievedthroughcomorphismswhichareaspecialkindofmappingsbetweeninstitutions.

Formally,acomorphismbetweenI ^anI^{consistsofatriple}(,

α

,β): I→I^whereisafunctorbetweenSign^I and Sign^I and

α

: ^Sen⇒;^{Sen and}β: ^op;^Mod⇒^{Mod, twonatural} transformationswhich map sentencesand models betweenboth institutionsassuring thefollowingsatisfactioncondition–foranysignature ∈ |^Sign|^,forany()-model Mand,forallthe-sentences

ρ

:

β

(

M

) |=

^I

ρ

iff M

|=

^I₍₎

α

( ρ ).

Acomorphismisconservativeifitsβ componentisa surjection.Thisbeingthecaseone hasthatforanysetofsentences {

ρ

}∪⊆^SenI()

|=

^I

ρ

iff

α

() |=

^I₍₎

α

( ρ ).

Inpractice,theexistenceofaconservativecomorphismconnectingtwologicsallowsthetransportofproofsupportmecha- nismsfromonetotheother.InthecontextofthedesignmethodproposedSection3,thisisusedtoallowfortheverification ofpropertiesexpressedinwhateverspecificationlogicwasfoundappropriateforagivenproblemusingstandardtheorem proversformorepopularlogics.

Anotherrelevantissueforthehybridisation processisthe wayquantifications aredealtwithininstitutionalterms.In thelightofthelemmaonconstantsoffirstorderlogic,(seee.g.[61]),asetofvariables X forasignaturecanberegardedas asetofconstantsinits X-expansion.Hence,

M

|=

^FOL_(S,F,P)

( ∀

^X

) ρ

iffM

|=

^FOL_(S,F+X,P)

ρ ,

for any(S,F+^X,P)-expansion M of M. In an institutionalsetting these expansionscan be understood asmodels M suchthatM=^ModFOL(i)(M)fori:(S,F,P)→(S,F+^X,P)aninclusionmorphism.Thismotivatestheintroductionofthe followingquantificationprinciple:givenamorphisms

χ

_:→,

M

|=

^I

( ∀ χ ) ρ

iffM

|=

^I

ρ ,

foranyM∈^ModI()suchthatMod^I(

χ

)(M)=^M.

InordertoassurethefunctorialityofSen^I,thequantificationmorphismneedstobecarefullyintroduced.Inthecontext offirstorderlogicthismeansthatSen^FOL(

ϕ

)(∀^X

ρ

)=(∀^Xϕ)Sen^FOL(

ϕ

)(

ρ

),where Xϕ and

ϕ

definethepushout:

(

S

,

F

,

P

)

^ϕ

X

(

S

,

F

,

P

)

Xϕ

(

S

,

F

^X

,

P

)

ϕ

(

S

,

F

^Xϕ

,

P

)

where Xϕ= {^x:

ϕ

st(s)|^x:^s∈^X}^,and

ϕ

isthecanonicalexpansionof

ϕ

mappingeach x:^sinx:

ϕ

st(s). 2.2. Thehybridisationprocess

AsmentionedintheIntroduction,thehybridisationprocess[75,45,69]whichunderliesthedesignmethodproposed in thispaper,isbasedon therepresentationoflogics asinstitutions.Itenriches a base(arbitrary)institutionI ^withhybrid logic featuresandthe correspondingKripke semantics.The resultisstill an institution,HI —thehybridisationofI. This subsectionreviewsasimplifiedversionofthisprocess,i.e.,quantifier-freeandnon-constrained,inordertoconveythebasic intuitions.

Atthe syntacticlevel thebasesignaturesare enriched withnominalsandpolyadicmodalities. Therefore,thecategory ofI^-hybridsignatures,denotedbySign^HI,isdefinedasthedirect(cartesian)productofcategoriesoftheoriginalcategory ofsignaturesSign^I andthat ofsignaturesofREL,thesub-institution of(theinstitutionof)first orderlogic,withoutnon- constantoperationsymbols,Sign^REL.SignaturesofthehybridisedinstitutioncombinethoseofIwithafamilyofconstants Nom for nominalsandasetofrelationalsymbolsto representmodalities.HI ^{signaturesare, thus,triples}(,Nom,), withsignaturemorphisms

ϕ

=(

ϕ

Sign,

ϕ

Nom,

ϕ

MS): (,Nom,)→(,Nom,),definedcomponent-wise:inheritedfrom I ^{forthefirstcomponent, givenasmapsrelatingnominals and}modalities,andpreserving thearities ofthelatterasex- pected.

The second step in the method is to enrich the base sentences accordingly. The sentences of the base institution I and the nominals in Nom are taken as atoms andcomposed withthe Boolean connectives,the modalities given in , andsatisfactionoperators indexedby nominals.Forexample,foran-arymodalityλ,anominali and

ρ

,

ρ

1,

ρ

2. . . ,

ρ

n HI sentences,thefollowingarealsosentencesinHI^:[λ](

ρ

1,. . . ,

ρ

n),λ(

ρ

1,. . . ,

ρ

n)and@_i

ρ

.

Givena HI^{-signature morphism}

ϕ

, thetranslationofsentencesSen^HI(

ϕ

)isdefinedstructurally:e.g., Sen^HI(

ϕ

)(i)=

ϕ

Nom(i),Sen^HI(

ϕ

)(@i

ρ

)=^@ϕNom(i)Sen^HI(

ρ

)andSen^HI(

ϕ

)([λ](

ρ

1,. . . ,

ρ

n))= [

ϕ

MS(λ)](Sen^HI(

ρ

1),. . . ,Sen^HI(

ρ

n)).

Turning tosemantics, models ofHI ^{canbe regarded as(}-)Kripke structureswhoseworldsare I^{-models. Formally,} they arepairs (M,W)where W is a(Nom,)-modelin RELand Mis afunctionwhichassigns toeach state w∈ |^W|^a modelinM_w∈ |^ModI()|^.

Ineachmodel(M,W),W_nprovidesinterpretationfornominaln,whereasrelationW_λinterpretsmodalityλ.Thereduct definitionisliftedfromthebaseinstitution:thereductofa-model(M,W)alongwithasignaturemorphism

ϕ

:→ isthe-model(M,W)suchthatW isthe(

ϕ

Nom,

ϕ

MS)-reductofW(i.e.,|^W|= |^W|^,Wn=^W_ϕNom(n)^{,foreachnominaln,} andWλ=^W_ϕMS(λ)^{foreachmodalityin})andforeach w∈ |^W|^,Mw=^ModI(

ϕ

Sign)(M_w).

Finally,thesatisfactionrelationforthehybridisedinstitutionresortstotheoneinthebaseinstitutionforsentencesin I^,i.e.,

• (M,W)|=^w

ρ

iffMw|=^I

ρ

when

ρ

_∈Sen^I(), capturesthesemanticsofnominals

• (M,W)|=^{wi iffW}i=^w,wheni∈^Nom,

• (M,W)|=^w@i

ρ

iff(M,W)|=^Wi

ρ

, andmodalities,asin

• (M,W)|=^w[λ](ξ1,. . . ,ξn)iff,forany(w,w₁,. . . ,w_n)∈^Wλ,(M,W)|=^wiξiforsome1≤ⁱ≤ⁿ,

andisdefinedasusualfortheBooleanconnectives.Notethat,wheneverthebaseinstitutionhasBooleanconnectives,there is a replication of theseconnectives inits hybridisation: thosein the baseinstitution sentences (thatwe denoteby ∧^, ∨^,⇒ ^and¬^{)andthoseintroduced bythe}hybridisationmethod(∧, ∨,⇒and¬).However, asshownin[45,69],they semanticallycollapse,inthesensethatforany

ρ

,

ρ

∈^SenI()wehavethat(M,W)|=^w¬

ρ

iff(M,W)|=^w¬

ρ

andthat (M,W)|=^w

ρ

ρ

iff (M,W)|=^w

ρ

ρ

forany ∈ {∧,∨,⇒}^{.In virtueofthis fact,we will notmake any}denotational distinctionbetweenthesetwolevelsofconnectives

ThemainresultisthatHI effectivelyconstitutesaninstitution[75].Thenextstepisthesystematiccharacterisationof encodingsofHIintotheinstitutionofmanysortedfirst-orderlogic(FOL)buildingonexistentencodingsofintoFOLofthe baseinstitutionI^.

Quantifiedhybridisation. Extendingthisprocedureto quantifiedsentences requirestheintroduction ofan adequatequan- tification space D^HI for Mod^HI such that, its projection in the first component belongsin a quantification space D^I adequateforMod^I.Thisisregardedasanadditionalparameterinthehybridisationprocess.

As a subclass of Sign^HI, the quantification morphisms consists of triples

χ

=(

χ

Sign,

χ

Nom,

χ

MS):(,Nom,)→ (,Nom,). Each ofthesecomponents is responsible fora particular kindof quantification.For example,considering

χ

Nom:^Nom→^Nom+^{Y,forY afinitesetofconstants,and}considering

χ

MStheidentitymorphism,weobtainthestandard statequantificationoftheliterature.

Thehybridisationprocessisadjustedtothequantifiedversionasfollows:thesetSen^HI()isenriched,forany

χ

: → ∈D^{HI and}

ρ

∈^SenHI(), with the sentence (∀

χ

)

ρ

; the translation of sentences is extended, in each morphism

ϕ

:→1,bySen^HI(

ϕ

)

(∀

χ

)

ρ

=(∀

χ

(

ϕ

))Sen^HI(

ϕ

[

χ

])(

ρ

);finally,forthesatisfaction,weconsider

• (M,W)|=^w(∀

χ

)

ρ

iff(M,W)|=^w

ρ

forany(M,W)suchthatMod^HI(

χ

)(M,W)=(M,W).

Existentialquantificationisintroducedinasimilarway.

Observethat,inthesecases,itisnecessarytodistinguishbetweenquantificationcomingfromthebaseinstitutionand theoneintroducedbythehybridisationprocess,itself.Therelationbetweenbothlevelsisgivenby

• (M,W)|=^w(∀

χ

)

ρ

impliesthat(M,W)|=^w(∀(

χ

,1_Nom,1))

ρ

,and

• (M,W)|=^w(∃(

χ

,1Nom,1))

ρ

impliesthat(M,W)|=^w(∃

χ

)

ρ

.

Constrainedmodels. Introducedin[43],representathirdparameterinthehybridisationprocess,providingaprecisewayto putconstraintsupon modelsofthehybridisedlogics. Typicalconstraintscomefromsharingamonglocaluniverses orthe rigidificationofthevariables.Theyareparticularlyimportanttoensuretheexistenceofproperencodings.

Formally, a constrainedmodelsfunctorforHI ^{consists of a subfunctor ModC} ⊆^{ModHI (i.e., such that ModC}() is a subcategoryofMod^HI(),forany∈ |^SignHI|^{)that reflectsweak}amalgamation,i.e.,such thatanypushoutin Sign^HI whichformsanamalgamationsquareforMod^HI,isalsoaweakamalgamationsquareforMod^C.ThemodelsofMod^C() arecalledconstrainedmodelof HI^{.ReplacingModHI byModC in}HI ^weobtainaninstitution,denotedbyHI^{C [43].}

2.3. Hybridisationexamples

Example2.1(Thetrivialinstitution).The simplestinstitutiononecanthinkofisTRIV.Itscategoryofsignatures,Sign^TRIV,is the finalcategory,i.e.,the category whose classof objects isthe singletonset {∗} ^{andmorphisms reduce to the identity} 1_∗(∗)= ∗^{.Thesentencesfunctor,SenTRIV,sendsobject}∗^{intotheempty set}∅^{and,morphism1}∗,intotheemptyfunction.

Themodelsfunctor,Mod^TRIV,sendsthesignature∗^{tothefinalcategory.Sincethesetofsentencesisempty,the}satisfaction conditionholdstrivially.

Letusconsiderthefree-hybridisationofTRIV.Thesignaturecategorycorrespondsto Sign^TRIV

×

^SignREL

∼ =

^SignREL

.

Since Sen^TRIV(∗)= ∅^{, SenHTRIV}(∗,Nom,) is the set of sentences built up from nominals in Nom by the application of modalities in and Boolean connectives. This kind of formulas are called purehybridformulas in [19,63]. Models of Mod^HTRIV(∗,Nom,)arerelationalstructures(W,M),whereMistheconstantfunctionMw= ∗^,foranyw∈ |^W|^.

Itis anusual assumptionto considerinitialstatesinthe models.Forthiscase,we mayconsiderthe‘pointed’ version of H^{TRIV,denoted by} H^TRIVP ^asthe institutionobtained considering by takingSign^HTRIVP =^{SignHTRIVP,SenHTRIVP}= Sen^HTRIVP andassumingforeach∈ |^SignHTRIVP|^{,thecategorywhoseobjects} |^ModHTRIVP()|=

(M,W),s

|(M,W)∈ Mod^HTRIV ands∈ |^W|

andwhosemorphisms arethemorphismsofMod^HTRIV()thatmap initialstatestoinitialstates.

Then,

(

M

,

W

),

s

|=

^HTRIVP

ρ

iff

(

M

,

W

)(|=

^HTRIV

)

^s

ρ .

An interesting institutionforthespecificationof hierarchicalstate transitionsystemsisobtainedthrough the hybridi- sation of H^TRIVP^{, which we denote (simply) by} H^{2TRIV. Models of this} institution are “Kripke structures of Kripke structures”. Thus H^{2TRIV signatures are triples} ((∗,Nom^l,^l),Nom^u,^u) with Nom^l,^l and Nom^u, ^u denoting the nominals and the modalities of the lower and upper layers of hybridisation, respectively. Hence, the set of sentences Sen^H2TRIV((∗,Nom^l,^l),Nom^u,^u)isdefinedbythegrammar

φ |

^I

|

^@I

|

^M

(, . . . , ) | [

^M

](, . . . , ) | ¬ | ,

(2)

where

φ

ⁱ

|

^@i

φ |

^m

(φ, . . . , φ) | [

^m

](φ, . . . , φ) | ¬φ | φ φ,

(3)

for I∈^{Nomu, M}∈^u_n, i∈^{Noml, m}∈^l_n and∈ {∧,∨,→}^{. In order to prevent} ambiguities, we use upper andlower caseletterstodistinguishthenominalsandmodalitiessymbolsofthesetwolevels.Sincetheycollapse,wedonotneedto makedenotationaldistinctioninthetwolevelsofBooleanconnectives.OurtaggingconventionisextendedalsotoH^2TRIV models:a((∗,Nom^l,^l),Nom^u,^u)-modelisdenotedby(M^u,W^u)where,forany w∈ |^Wu|^,themodelsMuw aredenoted by

(W^l_w,M^l_w),sw

.

Example2.2(EQ,FOL,PL and PA).SignaturesintheinstitutionEQofequationallogicarepairs(S,F)whereSisasetofsort symbolsandF= {^Far→s|^ar∈^S∗,s∈^S}^{isafamilyofsetsofoperation symbolsindexedby aritiesar (forthearguments)} andsorts s (forthe results). Signaturemorphisms map both components ina compatible way:they consist ofpairs

ϕ

= (

ϕ

^st,

ϕ

^op): (S,F)→(S,F),where

ϕ

^st: ^S→^{Sisafunction,and}

ϕ

^op= {

ϕ

^op_ar→s: Far→^s→^F_ϕst(ar)→ϕ^st(s)|^ar∈^S∗,s∈^S}^is afamilyoffunctionsmappingoperationssymbolsrespectingarities.

Amodel Mforasignature (S,F)isanalgebra interpretingeach sortsymbol sasacarrierset Ms andeachoperation symbol

σ

∈^Far→^{sasafunctionM}σ:^Mar→^Ms,whereMar istheproductofthearguments’carriers.Modelmorphisms are homomorphisms ofalgebras, i.e., S-indexed families offunctions {^hs: ^Ms→^Ms|^s∈^S} ^{such that for anym}∈^Mar, andfor each

σ

∈^Far→^s,hs(Mσ(m))=^M_σ(har(m)). For each signature morphism

ϕ

, the reduct ofa model M, say M= Mod^EQ(

ϕ

)(M)isdefinedby(M)x=^M_ϕ(x)^{foreachsortandfunctionsymbolxfromthedomainsignatureof}

ϕ

.Themodels functormapssignaturestocategoriesofalgebrasandsignaturemorphismstotherespectivereductfunctors.

Sentencesareuniversallyquantifiedequations(∀^X)t=^t.Sentencetranslationsalongasignaturemorphism

ϕ

_:(S,F)→ (S,F), i.e.,Sen^EQ(

ϕ

):^SenEQ(S,F)→^SenEQ(S,F), replacesymbols of(S,F) by therespective

ϕ

-images in(S,F).The sentencesfunctormapseachsignature tothesetofitssentencesandeachsignaturemorphismtotherespectivesentences translation.

ThesatisfactionrelationistheusualTarskiansatisfactiondefinedrecursivelyonthestructureofthesentencesasfollows:

• ^M|=(S,F)t=^{t whenM}t=^Mt,where Mt denotestheinterpretationofthe(S,F)-termt in Mdefinedrecursivelyby Mσ(t1,...,tn)=^Mσ(M_t1,. . . ,M_tn).

• ^M|=(S,F)(∀^X)

ρ

whenM|=(S,F+X)

ρ

forany(S,F+^X)-expansionMofM.

Signatures of HEQ are triples ((S,F),Nom,) and the sentences are defined as in (2) but taking (S,F)-equations (∀^X)t=^{tasatomicbasesentences.ModelsareKripkestructureswitha(local)-}(S,F)-algebraperworld.

The institutionof(multi-sorted) first-orderlogics, denotedby FOL,is definedasEQ butconsidering alsoan S^∗-family of symbols P interpreted as predicates in the models. The models are defined as in EQ but interpreting any

π

_∈ Par as a predicate Mπ⊆^Mar. The sentence of FOL is defined as usual, taking beyondthe equations, predicateformulas, its compositionsthroughBooleanconnectivesandquantifiedsentences.ThesatisfactionextendsthesatisfactionofEQbytaking

• ^M|=^FOLS,F,P

π

(t1,. . . ,tn)iff(Mt1,. . . ,Mtn)∈^{Mπ and}

• ^M|=^FOL_(S,F,P)(∀^X)

ρ

ifM|=^FOL_(S,F+X,P)

ρ

forany(S,F+^X,P)-expansion MofM(seediscussionintheabovesection).

The hybridisation of FOL constrained to the models with sharing in the universes shared and variables realisation was suggestedin[70] assuitablelogicforthereconfigurablesystemsspecification.Observethat theinstitutionofpropositional

logic PL canbeformalisedasthefragmentofFOLobtainedbyrestrictingthesignatureswithemptysetsofsorts(see[41]).

ThefragmentofthequantifiedfreehybridisationofPLwithanuniquebinarymodality,i.e.,1 isasingletonandn= ∅^for n=^1,correspondstothestandardpropositional hybridlogicoftheliterature.Anotherusefulhybridisationinthis‘family’

isthehybridisationoftheinstitutionPAofpartialalgebras.Modelsofthisinstitutionaredefinedasabove,butconsidering partial,insteadoftotal,functions. VersionsofhybridisationsFOLandPA withsharingandrigidificationofcomponentsare carefullytreatedin[69]andaredenotedinthesequelbyHFOLRandHPAR.

Example2.3(MVL_L).Multi-valuedlogics[54]generaliseclassiclogicsbyreplacing,asitstruthdomain,the2-elementBoolean algebrabylargersetsstructuredascompleteresiduatelattices.Theywereoriginallyformalisedasinstitutionsin[3](seealso [42]forarecentreference).

Residuatelattices aretuplesL=(L,≤,∧,∨,,⊥,⊗)^,where

• (L,∧,∨,,⊥)^{isalatticeorderedby}≤^{,withcarrierL,with(binary)infimum(}∧^{)andsupremum(}∨^{),andbiggestand} smallestelements^and⊥^;

• ⊗^isanassociativebinaryoperationsuchthat,foranyelements x,y,z∈^L, – x⊗ = ⊗^x=^x,

– y≤^{z impliesthat}(x⊗^y)≤(x⊗^z),

– thereexistsanelementx⇒^{zsuchthat y}≤(x⇒^z)iffx⊗^y≤^z.

The residuatelatticeL iscompleteifanysubset S⊆^{L hasinfimumandsupremumdenotedby}

S and

S,respec- tively.

Givenacompleteresiduatelattice L,theinstitutionMVLL isdefinedasfollows.

• ^MVLL-signatures arePL-signatures.

•^{SentencesofMVL}L consistofpairs(

ρ

,p)where pisanelementofLand

ρ

isdefinedasaPL-sentenceoverthesetof connectives{⇒ ∨,,⊥,⊗}^.

•^AMVLL-modelM isafunctionM:^{F P rop}→^L.

•^ForanyM∈^{ModM V LL}(F P rop)andforany(

ρ

,p)∈^{SenM V LL}(F P rop)thesatisfactionrelationis M

|=

^MVL_{F P rop}^L

( ρ ,

p

)

iff p

≤ (

M

|= ρ ),

whereM|=

ρ

isinductivelydefinedasfollows:

– foranyproposition p∈^{F P rop,}(M|=^p)=^M(p)), – (M|= )= ,

– (M|= ⊥)= ⊥,

– (M|=

ρ

1

ρ

2)=(M|=

ρ

1) (M|=

ρ

2),for∈ {∨,⇒,⊗}.

Thisinstitutioncapturesmanymulti-valued logicsintheliterature.Forinstance,takingLastheŁukasiewiczarithmetic lattice over the closed interval [⁰,1]^{, where x}⊗^y=¹−^max{⁰,x+^y−¹)} ^{(and x}⇒^y=^min{¹,1−^x+^y}^{), yields the} standardpropositionalfuzzylogic.

TheinstitutionobtainedthroughthehybridisationofMVLL,forafixedL,issimilartotheH^PLinstitutiondefinedabove, butfortwoaspects,

•^{sentencesaredefinedasin(2)but}consideringMVL F P rop-sentences(

ρ

0,p)asatomic;

•^toeachworldw∈ |^W|^{isassociatedafunctionassigningtoeach}propositionitsvalueinL.

Itisinterestingtonotethatexpressivityincreasesalonghybridisation,evenifonerestrictstothecaseofa(one-world) standardsemantics.Forinstance,differentlyfromthebasecasewhereeachsentenceistaggedbyanL-value,onemaynow dealwithmorestructuredexpressionsinvolvingseveralL-values,asin,forexample,(

ρ

,p)∧(

ρ

,p).

Example2.4(P^{P L).The}probabilisedpropositionallogic(P^{P L),obtainedfromthe}applicationoftheprobabilisationmethod [9],assignsaprobabilityvaluetoeachPL-sentence.Formally,

• PP L-signaturesarePL-signatures,

• PP L-sentencesaredefinedbythegrammar,

ρ

t

<

t

| ¬ ρ | ρ ⇒ ρ ,

where t

^r

|

β |

^t

+

^t

|

^t

.

t

,

forr∈R^andβ aPL-sentence.

• ^and PP L-models are tuples (S,F,P,V) where (S,F,P) is a probability space and V a function from the possible outcomes(elementsof S)toPL-models.

Then, the probability value of a given PL-sentence ( β) is equal to the sumof all the probabilities assigned to the outcomesthat,throughfunction V,pointtoaPL-modelsatisfyingβ.

ThroughhybridisationPP L givesrisetotheHPP L logicwhere,

• HPP L-signaturesaretriples(P rop,Nom,),

• HPP L-sentencesaregeneratedbythegrammar

ρ ρ

0

|

i

|

@i

ρ | ρ ρ | ¬ ρ | λ( ρ , . . . , ρ ) | [λ]( ρ , . . . , ρ ),

where

ρ

0 isaPP L-sentence,∈ {∧,∨,→}^{,iisa nominaland}λisa modality,

• ^andHP^{P L-modelsareKripkestructureswitha(local)}P^{P L-modelperworld.}

NotethatalongthisprocesstwolevelsofBooleanconnectivesareadded,which,asexpected,semanticallycollapse.Itis interesting tonotice,however,that theatomicconnectivescannotbe collapsedintothenewonesbecausethelatteronly actoutsidethescopeofthe operator,whiletheformeronlyapplywithin.

2.4. First-orderencodings

The firststeps indefining a methodfor generatingfirst-orderencodings forhybridised institutionswere presentedin [75] andfurther extendedtopresentations,constrainedandquantifiedmodelsin[45,69].Inparticular,foranyinstitution

‘encodable’ inpresentations in FOL, the methodconstructs an encoding fromits hybridisation to FOL.Therefore, a wide varietyofcomputerassistedproversforFOLcanbe‘borrowed’toreasonaboutspecificationsinthenew,hybridisedlogics.

Technicallysuchencodingsareachievedbyextendingtheclassicalstandardtranslationofmodallogicintothe(one-sorted) firstorderlogic[103],moreprecisely,foritshybridversion[17],totheencodingsofhybridisedinstitutionsintoFOL.

The generalidea of the standard translationfromH^{PL into the} (one-sorted) first-orderlogic, is toconsider a sortto denote the state space, where nominals are interpreted as constants, modalities asbinary relations, andpropositions as unarypredicates (where p(w)meansthat theproposition p holdsatstate w). Theidea underlyingthestandard transla- tion H^{FOL2FOL(e.g.[22]), istoextendthis encodingby} considering anewuniverse ST asan extra sortin thesignature, and‘flattening’theuniverses,operationsandpredicates ofthe (local)FOL-modelsintoaunique (global)FOL-model.Local functionsandpredicatesbecomeparametricoverstates,andthestate universesdistinguishedwithasort-familyofdefin- abilitypredicates.Intuitively,whenevermbelongstothe universeofw,

π

(w,m) and

σ

(w,m)=^{b means that}

π

(m)and

σ

(m)=^{b holdinthestate w.Moreover,} restrictingthisglobalmodel M tothelocaluniverses,operationsandpredicates ofa fixedworld w, weobtain a“sliceof M”,say M|w,whichconsistsofa localFOL-modelrepresenting(andcoinciding with)M_w.

The generalmethodis basedon the applicationofa state-parametrisation construction ofH^{FOL2FOLto lift}I^2FOLto HI^{2FOL, where}I ^{inthese acronyms stands foran arbitrary}institution —that ofthe baselogic to be hybridised. Thus, signatures andsentencestargeted by I^{2FOL become parametric onstates andtheremaining sentencesare treatedas in} H^{FOL2FOL. A slice M}|w corresponds now to the“FOL-interpretation”of the local I^{-model M}w,which can be recovered usingI2FOL.

3. Themethod

The hybridisationprocess discussedin section 2, providesan extensivenumber ofhybrid(ised)logics, severalofthem withappropriatefirst-orderencodings,whicharethebasisofaspecificationmethodforreconfigurablesystems.Thissection introducessuchamethod,offeringasortofguidedtourtoitsapplicationthroughtheIIPexample.

The method,summarised in Fig. 2, is dividedinto four steps:i) definitionof thespecification framework,ii) interface description,iii)specificationofpropertiesandiv)analysisandvalidation.Thenextfoursubsectionsprovidea ‘guidedtour’

throughthesestatesillustratingthemwiththespecificationofaIIPdevice.

3.1. Definitionofthespecificationframework

InthisfirststagetheSoftwareEngineerdefinesthespecificationframeworkbygeneratingthespecificationlanguagefor thelocalconfigurationsthroughthehybridisationofabaselogic.Thisentailstheneedforchoosing

• ^theinstitutionrepresentingthebaselogicfoundsuitabletospecifyindividualconfigurationsoftheproblemathand,

• ^thequantificationspace,toexpresswhichkindsofquantificationsarenecessary,and

• ^therelevantconstrainedmodels,tocaptureadditionalsemanticconstraints.

Fig. 2.Specification of reconfigurable systems: The method.

These choicesare crucial as they fix the workinginstitutionand thereforeconstrains all subsequent development. In particular, the choice ofthe base institutionI ^{needs to be madeonly aftermostof the probleminformal} requirements weregivenandclearlyunderstood.Theapproachproposedinthispaperislargelyindependentofthespecificlogicchosen to specifyconcrete configurations.Onemay,forexample,specifythem asmultialgebrasto copewithnon-determinism,or withmulti-valuedlogictodealwithuncertainty.Anotherpossibilityisusingpartialequationallogictodealwithexceptions, orobservationallogicswhenthelocallevelencapsulateshiddenspaces.Moreover,asmentionedabove,insomecaseseach configurationcanberegardedasatransitionsystemitselfandamodallanguageisinthenorder.Actually,differentlogics havebeensuggestedforsoftwarespecification(seee.g.[16])and,fromthepointofviewofourmethod,thereisnoreason tofavouroneovertheother.The onlypossiblelimitationisrelatedtotool support:forexample,choosingabaselogicfor which atranslationto FOLorCASLexists, maybe agoodoption iftoolsupport isan issue, assucha translationcanbe liftedtotheresultinghybridisedlogic.

Thetwootherchoicesareequallyrelevant.Thedecisionaboutwhatkindofquantificationistobeallowedhasadirect impactontheexpressivenessoftheframework.Ontheotherhand,enforcingadditionalconstraintsuponthemodelspro- videsthetechnicalsupporttodealwithsharing(e.g.ofdata,operationsorboth)acrossconfigurations.Suchconstraintsmay alsotune theaccessibilityrelationwhichexpressesthereconfigurationdynamics(imposing,forexample,reflexivityonan orderedstructure). Bothissuesarecloselyrelated:forexample,toobtainsuitableencodings,globalquantificationoverthe universesofindividualconfigurationsrequiresthepreviouschoiceofasuitableconstrainedmodel.Inpracticethefollowing kindsofquantificationarefounduseful:

•Quantificationoverthebaseinstitution,i.e.overthedomainsofsystem’sconfigurations.Thiscanbe

– global,ifa shareduniverseforalltheconfigurationsischosenandthequantifiedvariablesareassumedtoberigid.

Actually,thisisthetypicalwayto‘relatecomputationsof’orto‘communicatevaluesacross’differentconfigurations.

– orlocal,i.e.,rangingovereachparticularconfigurationdomain.Technically,thisisobtainedbytakingaquantifier-free hybridisationw.r.t.thefirstcomponentofthequantificationmorphisms.

•Quantificationovernominals,whichmakesitpossibletoexpresspropertiesaboutthesystemsglobalstatespace.Thisis particularlyuseful,forinstance,toexpresstheexistenceofconfigurationssatisfyingagivenrequirement.

•Quantificationovermodalities,aratherpowerfulformofquantification,which,ingeneral,allowsustocontrolinavery precisewaytheunderlyingaccessibilityrelations.

As usual, whenfacing these choicesthe specifiershould take intoaccount the compromise between expressivenessand formal tractability. Forinstance,quantificationover modalities shouldnot be used iftheaim isto take advantageof the first-order encodings discussed in [45,69] to obtain suitable tool support for validating the specifications. Similarly, the relationshipsbetweenthechoiceofconstrainedmodelsandthatofquantificationspacescannotbeoverlooked.

Example:TheIIPdevice

IntheIIPdevicecasestudy,weidentifyintheoriginalrequirements[110,111]twotypesofinsulininfusion:

•^{basal,whereinsulinis}continuouslyinjectedthroughoutthedayatadjustablerates;

Low F ail

Basal T Basal

sus• resc

nor• susc bolc

• bolus

susc

sus

•

resc nor susc •

sus• resc

nor• susc

diagc

• bolus

susc

• diag resc

bolc

sus

• Basalc Diagc

Loww Basalc

F aild Loww F aild

F aild Recoc

Fig. 3.Hierarchical state transition system for theIIPdevice.

• ^{andbolus,whichisaone-timeinsulindeliveryrapidly}administered,closelyresemblinganinjection.

The former is used asthe default, with insulinadministration ratesgiven by a 24 h-profile that takesinto account the schedulingofthepatientmeals,sleepandexercise.Whenunsuitable,suchprofilemaybe temporarilyreplaced.Thelatter adds up to the basal mode and is typically used to cover up unexpected situations or high-carb food intake. We also consider an additional suspension state where any kindof insulin administration is forbidden.Transitions among these differentstatesaretriggeredbyspecificevents.Theirstructure,however,dependsonwhichisthecurrentprofileofinsulin administrationchosenforthepatient.Eachsuchprofilecorrespondstoanupper-levelstatewhichconstitutesaconfiguration oftheIIPdevice.

The overallstructure oftheIIP specificationisthat ofanhierarchicaltransitionsystemasdepictedinFig. 3.Actually,each configurationisgivenasatransitionsystem;switchingbetweenthemprovidesahigherleveltransitionstructure.IfHTRIV isappropriatetospecifyplaintransitionsystems,astheonespopulatingeachlocalconfiguration,itshybridisationH^2TRIV willexpresstheglobaldynamicsandthechangefromoneprofiletoanother.

3.2. Interfacedescription

At this second stage all the relevant ‘vocabulary’ to specify the intended system is declared. This includes the enu- meration of all configurations to be considered (i.e., component Nom) and the events triggering reconfigurations (i.e., component). Moreover,a(local)I^{-signatureforthe}specificationofindividualconfigurations(i.e.,component) isalso required. In a sense, the latter can be understood as theactual interface of the system since all services andfunctions offeredateachconfigurationmustbedeclaredatthisstage.

Hybrid signatures are represented in the sequel in a notation similar to that of the specification language Casl [8], accordingtothefollowingstructure:

spec SpecNamein HBaseInst= Nom

declaration of nominal symbols Modal

declaration of modality symbols

BaseSig

signature of the base institution Axioms

set of axioms

SpecNameisthespecificationidentifier,andBaseInststandsforthebaseinstitutionI^{adoptedwhenfixingthe}specification framework. EntriesNomandModalareusedforthedeclarationofnominalandmodalitysymbols, respectively.Aritiesof modalities aregivenby naturalnumbers placedinfrontofthe respectivesymbol(e.g. event:kmeansthat modalityevent hasarityk).TheparameterBaseSigisthedeclarationoftheI-signature .Sincethestructureofthoselocalsignaturesis specific foreachhybridisation,thereisnowaytofixthesyntaxforthisdeclaration.Finally,thefield Axiomscontains the specificationexpressedinaxiomsofthechosenlogic.

Example:TheIIPdevice

Returning toourrunningexample,wefirstidentifythefourupperstatescorrespondingtodifferentinsulinadministration profiles:

• ^{Basal,denotingthepumpfollowinga24-hbasalprofile.}

• ^{T Basal,}representing thetemporary basal profilethat overrides basal dueto specific circumstances. Extracare isex- pectedinthisprofile:anewdiagnosisisrequiredbeforeinjectinginsulin.

• ^{Low,whichistriggeredwhenthepumpdetectsthatinsulinreservoirlevelsarebecominglow,andthereforeanyform} ofextrainsulindoses(asisthecaseofbolus)areforbidden.

• ^{F ail,triggeredwheneverfaultybehaviouris}encounteredandthusentailstheprohibitionofanysortofinsulinadmin- istration.

Switchingbetweentheseadministrationprofilesisaccomplishedbythefollowingtransitionswhichencodereconfiguration commands:Basal_c,toevolvetothe Basalprofile,Diag_c tochangetoadiagnosisrequiringprofile,F ail_dandReco_c tosignal thedevicefailureandrecovery,respectively.Thewarningassociatedtoalowinsulinlevelisdenotedby Loww.

Insideeachupper-state,theconfigurationbehaviourisgivenagainbyatransitionsystemwhosestatescorrespondtodiffer- entinfusionmodes,namely,

•^{nor,denotesinsulininfusionwithratesbeinggivenbyaspecificprofile;}

•^{bolus,addsuptonor throughbolus}injections;

• ^{sus,simplydenotessuspensionwhichentailsinsulininfusiontonotoccur;}

•^{diag,representsadiagnosisprocess,whichwhileoccurringalsoforbidsanykindofinsulininfusion.}

Allofthesecomponentsarecollectedinthefollowinghybridsignature:

spec IIPSpecin HHTriv= Nom

Basal,TBasal,Low,Fail Modal

Diagc:^1,Basalc:^1,Loww:^{1,F ail}d:^1,Recoc:¹ BaseSign {

Nom

sus,nor,bolus,diag Modal

resc:^1,susc:^1,bolc:^1,diagc:¹ }