Compositionality for quantitative specifications

Abstract

We provide a framework for compositional and iterative design and verification of systems with quantitative information, such as rewards, time or energy. It is based on disjunctive modal transition systems where we allow actions to bear various types of quantitative information. Throughout the design process, the actions can be further refined and the information made more precise. We show how to compute the results of standard operations on the systems, including the quotient (residual), which has not been previously considered for quantitative non-deterministic systems. Our quantitative framework has close connections to the modal nu-calculus and is compositional with respect to general notions of distances between systems and the standard operations.

Appendix: Proof of Theorem 7

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \textit{da}( \mathcal D_1), \textit{da}( \mathcal D_2))\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2):}\)

Let and be DMTS. There exists a DMTS refinement family \(R=\{ R_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\}\) such that for all \(s^0_1\in S^0_1\), there is \(s^0_2\in S^0_2\) with \(( s^0_1, s^0_2)\in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2)}\). We show that R is an NAA refinement family.

Let \(\alpha \in \mathbb {L}\) and \(( s_1, s_2)\in R_\alpha \). Let \(M_1\in \text {Tran} _1( s_1)\) and define

The condition

$$\begin{aligned}&\forall ( a_2, t_2)\in M_2: \exists ( a_1, t_1)\in M_1, \beta \in \mathbb {L}: \\&\quad ( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq \alpha \end{aligned}$$

is satisfied by construction. For the inverse condition, let \(( a_1, t_1)\in M_1\), then , and as R is a DMTS refinement family, this implies that there is and \(\beta \in \mathbb {L}\) for which \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), so that \(( a_2, t_2)\in M_2\) by construction.

We are left with showing that \(M_2\in \text {Tran} _2( s_2)\). First we notice that by construction, indeed for all \(( a_2, t_2)\in M_2\). Now let ; we need to show that \(N_2\cap M_2\ne \emptyset \).

We have such that \(\forall ( a_1, t_1)\in N_1: \exists ( a_2, t_2)\in N_2, \beta \in \mathbb {L}:( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). We know that \(N_1\cap M_1\ne \emptyset \), so let \(( a_1, t_1)\in N_1\cap M_1\). Then there is \(( a_2, t_2)\in N_2\) and \(\beta \in \mathbb {L}\) such that \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). But \(( a_2, t_2)\in N_2\) implies , hence \(( a_2, t_2)\in M_2\).

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2)\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \textit{da}( \mathcal D_1), \textit{da}( \mathcal D_2)):}\)

Let and be DMTS. There exists an NAA refinement family \(R=\{ R_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\}\) such that for all \(s^0_1\in S^0_1\), there is \(s^0_2\in S^0_2\) for which \(\left( s^0_1, s^0_2\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \textit{da}( \mathcal D_1), \textit{da}( \mathcal D_2))}\). We show that R is a DMTS refinement family. Let \(\alpha \in \mathbb {L}\) and \(( s_1, s_2)\in R_\alpha \).

Let , then we cannot have . Let , then \(M_1\in \text {Tran} _1( s_1)\) by construction. This implies that there is \(M_2\in \text {Tran} _2( s_2)\), \(( a_2, t_2)\in M_2\) and \(\beta \in \mathbb {L}\) such that \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also as was to be shown.

Let and assume, for the sake of contradiction, that there is no for which \(\forall ( a_1, t_1)\in N_1: \exists ( a_2, t_2)\in N_2, \beta \in \mathbb {L}:( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \) holds. Then for each , there is an element \(( a_{ N_1}, t_{ N_1})\in N_1\) such that \(\exists ( a_2, t_2)\in N_2, \beta \in \mathbb {L}:( t_{ N_1}, t_2)\in R_\beta , F( a_{ N_1}, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \) does not hold.

Let , then \(M_1\in \text {Tran} _1( s_1)\) by construction. Hence, we have \(M_2\in \text {Tran} _2( s_2)\) such that \(\forall ( a_2, t_2)\in M_2: \exists ( a_1, t_2)\in M_1, \beta \in \mathbb {L}:( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq \alpha \). Now \(N_2\cap M_2\ne \emptyset \), so let \(( a_2, t_2)\in N_2\cap M_2\), then there is \(( a_1, t_1)\in M_1\) and \(\beta \in \mathbb {L}\) such that \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), in contradiction to how \(M_1\) was constructed.

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2):}\)

Let \(\mathcal A_1=\left( S_1, S^0_1, \text {Tran} _1\right) \), \(\mathcal A_2=\left( S_2, S^0_2, \text {Tran} _2\right) \) be NAA, with DMTS translations , . There is an NAA refinement family \(R=\{ R_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\}\) such that for all \(s^0_1\in S^0_1\), there is \(s^0_2\in S^0_2\) with \(\left( s^0_1,s^0_2\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)}\).

Define a relation family \(R'=\left\{ R'_\alpha \subseteq D_1\times D_2\mid \alpha \in \mathbb {L}\right\} \) by

$$\begin{aligned} R'_\alpha&= \big \{ ( M_1, M_2)\mathrel {\big |}\exists ( s_1, s_2)\in R_\alpha : \\&\quad M_1\in \text {Tran} _1( s_1), M_2\in \text {Tran} ( s_2), \\&\quad \forall ( a_1, t_1)\in M_1: \exists ( a_2, t_2)\in M_2, \beta \in \mathbb {L}: \\&\qquad ( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha , \\&\quad \forall ( a_2, t_2)\in M_2: \exists ( a_1, t_1)\in M_1, \beta \in \mathbb {L}: \\&\qquad ( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \big \}. \end{aligned}$$

We show that \(R'\) is a witness for \(\smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)\). Let \(\alpha \in \mathbb {L}\) and \(( M_1, M_2)\in R'_\alpha \).

Let . By construction of , there is \(( a_2, t_2)\in M_2\) such that \(N_2=\left\{ \left( a_2, M_2'\right) \mid M_2'\in \text {Tran} _2( t_2)\right\} \). Then \(( M_1, M_2)\in R'_\alpha \) implies that there must be \(( a_1, t_1)\in M_1\) and \(\beta \in \mathbb {L}\) such that \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). Let \(N_1=\left\{ ( a_1, M_1')\mid M_1'\in \text {Tran} _1( t_1)\right\} \), then .

We show that \(\forall \left( a_1,M_1'\right) \in N_1: \exists \left( a_2,M_2'\right) \in N_2:\left( M_1', M_2'\right) \in R'_\beta \): Let \(\left( a_1, M_1'\right) \in N_1\), then \(M_1'\in \text {Tran} _1( t_1)\). From \(( t_1, t_2)\in R_\beta \) we get \(M_2'\in \text {Tran} _2( t_2)\) such that

$$\begin{aligned} \forall ( b_1, u_1)&\in M_1': \exists ( b_2, u_2)\in M_2', \gamma \in \mathbb {L}:( u_1, u_2)\\&\in R_\gamma , F( b_1, b_2, \gamma )\sqsubseteq _\mathbb {L}\beta , \\&\forall ( b_2, u_2)\in M_2': \exists ( b_1, u_1)\in M_1', \gamma \in \mathbb {L}:( u_1, u_2)\\&\in R_\gamma , F( b_1, b_2, \gamma )\sqsubseteq _\mathbb {L}\beta , \end{aligned}$$

hence \(\left( M_1', M_2'\right) \in R'_\beta \); also, \(\left( a_2, M_2'\right) \in N_2\) by construction of \(N_2\).

Let , then we have for which \(\left( a_1, M_1'\right) \in N_1\) by construction of . This in turn implies that there must be \(( a_1, t_1)\in M_1\) such that \(N_1=\left\{ \left( a_1, M_1''\right) \mid M_1''\in \text {Tran} _1( t_1)\right\} \). By \(( M_1, M_2)\in R'_\alpha \), we get \(( a_2, t_2)\in M_2\) and \(\beta \in \mathbb {L}\) such that \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). Let \(N_2=\{( a_2, M_2')\mid M_2'\in \text {Tran} _2( t_2)\}\), then and hence for all \(( a_2, M_2')\in N_2\). By the same arguments as above, there is \(( a_2, M_2')\in N_2\) for which \(( M_1', M_2')\in R'_\beta \).

We miss to show that \(R'\) is initialized. Let \(M_1^0\in D_1^0\), then we have \(s_1^0\in S_1^0\) with \(M_1^0\in \text {Tran} _1( s_1^0)\). As R is initialized, this entails that there is \(s_2^0\in S_2^0\) with \(( s_1^0, s_2^0)\in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)}\), which gives us \(M_2^0\in \text {Tran} _2( s_2^0)\) which satisfies the conditions in the definition of \(R'_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)}\), whence \(( M_1^0, M_2^0)\in R'_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)}\).

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2)):}\)

Let \(\mathcal A_1=\left( S_1, S^0_1, \text {Tran} _1\right) \), \(\mathcal A_2=\left( S_2, S^0_2, \text {Tran} _2\right) \) be NAA, with DMTS translations , . There is a DMTS refinement family \(R=\{ R_\alpha \subseteq D_1\times D_2\mid \alpha \in \mathbb {L}\}\) such that for all \(M_1^0\in D_1^0\), there exists \(M_2^0\in D_2^0\) with \(\left( M_1^0, M_2^0\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))}\).

Define a relation family \(R'=\{ R'_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\}\) by

$$\begin{aligned} R'_\alpha= & {} \big \{ ( s_1, s_2)\mathrel {\big |}\forall M_1\in \text {Tran} _1( s_1): \\&\exists M_2\in \text {Tran} _2( s_2):( M_1, M_2)\in R_\alpha \big \}; \end{aligned}$$

we will show that \(R'\) is a witness for \(\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal A_1, \mathcal A_2)\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))\).

Let \(\alpha \in \mathbb {L}\), \(( s_1, s_2)\in R'_\alpha \) and \(M_1\in \text {Tran} _1( s_1)\), then by construction of \(R'\), we have \(M_2\in \text {Tran} _2( s_2)\) with \(( M_1, M_2)\in R_\alpha \).

Let \(( a_2, t_2)\in M_2\) and define \(N_2=\{( a_2, M_2')\mid M_2'\in \text {Tran} _2( t_2)\}\), then . Now \(( M_1, M_2)\in R_\alpha \) implies that there must be satisfying \(\forall ( a_1, M_1')\in N_1: \exists ( a_2, M_2')\in N_2, \beta \in \mathbb {L}:( M_1', M_2')\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). We have \(( a_1, t_1)\in M_1\) such that \(N_1=\{( a_1, M_1')\mid M_1'\in \text {Tran} _1( t_1)\}\); we only miss to show that \(( t_1, t_2)\in R'_\beta \) for some \(\beta \in \mathbb {L}\) for which \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). Let \(M_1'\in \text {Tran} _1( t_1)\), then \(( a_1, M_1')\in N_1\); hence, there is \(( a_2, M_2')\in N_2\) and \(\beta \in \mathbb {L}\) such that \(( M_1', M_2')\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq \alpha \), but \(( a_2, M_2')\in N_2\) also entails \(M_2'\in \text {Tran} _2( t_2)\).

Let \(( a_1, t_1)\in M_1\) and define \(N_1=\{( a_1, M_1')\mid M_1'\in \text {Tran} _1( t_1)\}\), then . Now let \(( a_1, M_1')\in N_1\), then ; hence, we have and \(\beta \in \mathbb {L}\) such that \(( M_1', M_2')\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \). By construction of , this implies that there is with \(( a_2, M_2')\in N_2\), and we have \(( a_2, t_2)\in M_2\) for which \(N_2=\{( a_2, M_2'')\mid M_2''\in \text {Tran} _2( t_2)\}\). Now if \(M_1''\in \text {Tran} _1( t_1)\), then \(( a_1, M_1'')\in N_1\); hence, there is \(( a_2, M_2'')\in N_2\) with \(( M_1'', M_2'')\in R_\beta \), but \(( a, M_2'')\in N_2\) also gives \(M_2''\in \text {Tran} _2( t_2)\).

We miss to show that \(R'\) is initialized. Let \(s^0_1\in S^0_1\) and \(M^0_1\in \text {Tran} _1( s^0_1)\). As R is initialized, this gets us \(M^0_2\in D_2\) with \(( M^0_1, M^0_2)\in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))}\), but \(M^0_2\in \text {Tran} _2( s^0_2)\) for some \(s^0_2\in S^0_2\), and then \(( s^0_1, s^0_2)\in R'_{ \smash {d_\textsf {m} ^\mathbb {L}}( \textit{ad}( \mathcal A_1), \textit{ad}( \mathcal A_2))}\).

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \textit{dn}( \mathcal D_1), \textit{dn}( \mathcal D_2))\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2):}\)

Let and be DMTS, with \(\nu \)-calculus translations \(\textit{dn}( \mathcal D_1)=\left( S_1, S_1^0, \varDelta _1\right) \) and \(\textit{dn}( \mathcal D_2)=( S_2, S_2^0, \varDelta _2)\). There is a DMTS refinement family \(R=\{ R_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\}\) such that for all \(s_1^0\in S_1^0\), there exists \(s_2^0\in S_2^0\) for which \(( s_1^0, s_2^0)\in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2)}\).

Let \(\alpha \in \mathbb {L}\), \(( s_1, s_2)\in R_\alpha \), \(a_1\in \varSigma \), and \(t_1\in \Box ^{ a_1}_1( s_1)\). Then ; hence, we have and \(\beta \in \mathbb {L}\) with \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also \(t_2\in \Box ^{ a_2}_2( s_2)\).

Let \(N_2\in \Diamond _2( s_2)\), then also , so that there must be such that \(\forall ( a_1, t_1)\in N_1: \exists ( a_2, t_2)\in N_2, \beta \in \mathbb {L}:( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also \(N_1\in \Diamond _1( s_1)\).

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2)\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \textit{dn}( \mathcal D_1), \textit{dn}( \mathcal D_2)):}\)

Let and be DMTS, with \(\nu \)-calculus translations

\(\textit{dn}( \mathcal D_1)=\left( S_1, S_1^0, \varDelta _1\right) \) and \(\textit{dn}( \mathcal D_2)=\left( S_2, S_2^0, \varDelta _2\right) \). There is a \(\nu \)-calculus refinement family \(R=\left\{ R_\alpha \subseteq S_1\times S_2\mid \alpha \in \mathbb {L}\right\} \) such that for all \(s_1^0\in S_1^0\), there exists \(s_2^0\in S_2^0\) for which \(\left( s_1^0, s_2^0\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal D_1, \mathcal D_2)}\).

Let \(\alpha \in \mathbb {L}\) and \(( s_1, s_2)\in R_\alpha \) and assume that . Then \(t_1\in \Box ^{ a_1}_1( s_1)\), so that there is \(a_2\in \varSigma \), \(t_2\in \Box ^{ a_2}_2( s_2)\) and \(\beta \in \mathbb {L}\) for which \(( t_1, t_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also .

Assume that , then \(N_2\in \Diamond _2( s_2)\). Hence, there is \(N_1\in \Diamond _1( s_1)\) so that \(\forall ( a_1, t_1)\in N_1: \exists ( a_2, t_2)\in N_2, \beta \in \mathbb {L}:( t_1, t_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also .

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \textit{nd}( \mathcal N_1), \textit{nd}( \mathcal N_2))\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal N_1, \mathcal N_2):}\)

Let \(\mathcal N_1=\left( X_1, X_1^0, \varDelta _1\right) \), \(\mathcal N_2=\left( X_2, X_2^0, \varDelta _2\right) \) be \(\nu \)-calculus expressions in normal form, with DMTS translations and . There is a \(\nu \)-calculus refinement family \(R=\{ R_\alpha \subseteq X_1\times X_2\mid \alpha \in \mathbb {L}\}\) such that for all \(x_1^0\in X_1^0\), there is \(x_2^0\in X_2^0\) for which \(\left( x_1^0, x_2^0\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal N_1, \mathcal N_2)}\).

Let \(\alpha \in \mathbb {L}\) and \(( x_1, x_2)\in R_\alpha \) and assume that . Then \(y_1\in \Box _1^{ a_1}( x_1)\); hence, there are \(a_2\in \varSigma \), \(y_2\in \Box _2^{ a_2}\) and \(\beta \in \mathbb {L}\) such that \(( y_1, y_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also .

Assume that , then \(N_2\in \Diamond _2( x_2)\). Hence, there must be \(N_1\in \Diamond _1( x_1)\) such that \(\forall ( a_1, y_1)\in N_1: \exists ( a_2, y_2)\in N_2, \beta \in \mathbb {L}:( y_1, y_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also .

\(\underline{\smash {d_\textsf {m} ^\mathbb {L}}( \mathcal N_1, \mathcal N_2)\sqsubseteq _\mathbb {L}\smash {d_\textsf {m} ^\mathbb {L}}( \textit{nd}( \mathcal N_1), \textit{nd}( \mathcal N_2)):}\)

Let \(\mathcal N_1=\left( X_1, X_1^0, \varDelta _1\right) \), \(\mathcal N_2=\left( X_2, X_2^0, \varDelta _2\right) \) be \(\nu \)-calculus expressions in normal form, with DMTS translations and . There is a DMTS refinement family \(R=\{ R_\alpha \subseteq X_1\times X_2\mid \alpha \in \mathbb {L}\}\) such that for all \(x_1^0\in X_1^0\), there is \(x_2^0\in X_2^0\) for which \(\left( x_1^0, x_2^0\right) \in R_{ \smash {d_\textsf {m} ^\mathbb {L}}( \mathcal N_1, \mathcal N_2)}\).

Let \(\alpha \in \mathbb {L}\), \(( x_1, x_2)\in R_\alpha \), \(a_1\in \varSigma \), and \(y_1\in \Box ^{ a_1}_1( x_1)\). Then ; hence, we have and \(\beta \in \mathbb {L}\) so that \(( y_1, y_2)\in R_\beta \) and \(F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also \(y_1\in \Box ^{ a_2}_2( x_2)\).

Let \(N_2\in \Diamond _2( x_2)\), then also . Hence, we must have with \(\forall ( a_1, y_1)\in N_1: \exists ( a_2, y_2)\in N_2, \beta \in \mathbb {L}:( y_1, y_2)\in R_\beta , F( a_1, a_2, \beta )\sqsubseteq _\mathbb {L}\alpha \), but then also \(N_1\in \Diamond _1( x_1)\). \(\square \)