A Hybrid Dynamic Logic for Event/Data-based Systems

We propose $\mathcal{E}^{\downarrow}$-logic as a formal foundation for the specification and development of event-based systems with local data states. The logic is intended to cover a broad range of abstraction levels from abstract requirements specifications up to constructive specifications. Our logic uses diamond and box modalities over structured actions adopted from dynamic logic. Atomic actions are pairs $e /\psi$ where $e$ is an event and $\psi$ a state transition predicate capturing the allowed reactions to the event. To write concrete specifications of recursive process structures we integrate (control) state variables and binders of hybrid logic. The semantic interpretation relies on event/data transition systems; specification refinement is defined by model class inclusion. For the presentation of constructive specifications we propose operational event/data specifications allowing for familiar, diagrammatic representations by state transition graphs. We show that $\mathcal{E}^{\downarrow}$-logic is powerful enough to characterise the semantics of an operational specification by a single $\mathcal{E}^{\downarrow}$-sentence. Thus the whole development process can rely on $\mathcal{E}^{\downarrow}$-logic and its semantics as a common basis. This includes also a variety of implementation constructors to support, among others, event refinement and parallel composition.


Introduction
Event-based systems are an important kind of software systems which are open to the environment to react to certain events. A crucial characteristics of such systems is that not any event can (or should) be expected at any time. Hence the control flow of the system is significant and should be modelled by appropriate means. On the other hand components administrate data which may change upon the occurrence of an event. Thus also the specification of admissible data changes caused by events plays a major role.
There is quite a lot of literature on modelling and specification of event-based systems. Many approaches, often underpinned by graphical notations, provide formalisms aiming at being constructive enough to suggest particular designs or implementations, like e.g., Event-B [1,8], symbolic transition systems [17], and UML behavioural and protocol state machines [16,12]. On the other hand, there are logical formalisms to express desired properties of event-based systems. Among them are temporal logics integrating state and event-based styles [4], and various kinds of modal logics involving data, like first-order dynamic logic [11] or the modal µ-calculus with data and time [10]. The gap between logics and constructive specification is usually filled by checking whether the model of a constructive specification satisfies certain logical formulae.
In this paper we are interested in investigating a logic which is capable to express properties of event/data-based systems on various abstraction levels in a common formalism. For this purpose we follow ideas of [15], but there data states, effects of events on them and constructive operational specifications (see below) were not considered. The advantage of an expressive logic is that we can split the transition from system requirements to system implementation into a series of gradual refinement steps which are more easy to understand, to verify, and to adjust when certain aspects of the system are to be changed or when a product line of similar products has to be developed.
To that end we propose E ↓ -logic, a dynamic logic enriched with features of hybrid logic. The dynamic part uses diamond and box modalities over structured actions. Atomic actions are of the form e ψ with e an event and ψ a state transition predicate specifying the admissible effects of e on the data. Using sequential composition, union, and iteration we obtain complex actions that, in connection with the modalities, can be used to specify required and forbidden behaviour. In particular, if E is a finite set of events, though data is infinite we are able to capture all reachable states of the system and to express safety and liveness properties. But E ↓ -logic is also powerful enough to specify concrete, recursive process structures by integrating state variables and binders from hybrid logic [7] with the subtle difference that our state variables are used to denote control states only. We show that the dynamic part of the logic is bisimulation invariant while the hybrid part, due to the ability to bind names to states, is not.
An axiomatic specification Sp = (Σ, Ax ) in E ↓ is given by an event/data signature Σ = (E, A), with a set E of events and a set A of attributes to model local data states, and a set of E ↓ -sentences Ax , called axioms, expressing requirements. For the semantic interpretation we use event/data transition systems (edts). Their states are reachable configurations γ = (c, ω) where c is a control state, recording the current state of execution, and ω is a local data state, i.e., a valuation of the attributes. Transitions between configurations are labelled by events. The semantics of a specification Sp is "loose" in the sense that it consists of all edts satisfying the axioms of the specification. Such structures are called models of Sp. Loose semantics allows us to define a simple refinement notion: Sp 1 refines to Sp 2 if the model class of Sp 2 is included in the model class of Sp 1 . We may also say that Sp 2 is an implementation of Sp 1 .
Our refinement process starts typically with axiomatic specifications whose axioms involve only the dynamic part of the logic. Hybrid features will successively be added in refinements when specifying more concrete behaviours, like loops. Aiming at a concrete design, the use of an axiomatic specification style may, however, become cumbersome since we have to state explicitly also all negative cases, what the system should not do. For a convenient presentation of constructive specifications we propose operational event/data specifications, which are a kind of symbolic transition systems equipped again with a model class semantics in terms of edts. We will show that E ↓ -logic, by use of the hybrid binder, is powerful enough to characterise the semantics of an operational specification. Therefore we have not really left E ↓ -logic when refining axiomatic by operational specifications. Moreover, since several constructive notations in the literature, including (essential parts of) Event-B, symbolic transition systems, and UML protocol state machines, can be expressed as operational specifications, E ↓ -logic provides a logical umbrella under which event/data-based systems can be developed.
In order to consider more complex refinements we take up an idea of Sannella and Tarlecki [18,19] who have proposed the notion of constructor implementation. This is a generic notion applicable to specification formalisms based on signatures and semantic structures for signatures. As both are available in the context of E ↓ -logic, we complement our approach by introducing a couple of constructors, among them event refinement and parallel composition. For the latter we provide a useful refinement criterion relying on a relationship between syntactic and semantic parallel composition. The logic and the use of the implementation constructors will be illustrated by a running example.
Hereafter, in Sect. 2, we introduce syntax and semantics of E ↓ -logic. In Sect. 3, we consider axiomatic as well as operational specifications and demonstrate the expressiveness of E ↓ -logic. Refinement of both types of specifications using several implementation constructors is considered in Sect. 4. Section 5 provides some concluding remarks. Proofs of theorems and facts can be found in App. A.

A Hybrid Dynamic Logic for Event/Data Systems
We propose the logic E ↓ to specify and reason about event/data-based systems. E ↓logic is an extension of the hybrid dynamic logic considered in [15] by taking into account changing data. Therefore, we first summarise our underlying notions used for the treatment of data. We then introduce the syntax and semantics of E ↓ with its hybrid and dynamic logic features applied to events and data.

Data States
We assume given a universe D of data values. A data signature is given by a set A of attributes. An A-data state ω is a function ω : A → D. We denote by Ω(A) the set of all A-data states. For any data signature A, we assume given a set Φ(A) of state predicates to be interpreted over single A-data states, and a set Ψ (A) of transition predicates to be interpreted over pairs of pre-and post-A-data states. The concrete syntax of state and transition predicates is of no particular importance for the following. For an attribute a ∈ A, a state predicate may be a > 0; and a transition predicate e.g. a ′ = a + 1, where a refers to the value of attribute a in the pre-data state and a ′ to its value in the post-data state. Still, both types of predicates are assumed to contain true and to be closed under negation (written ¬) and disjunction (written ∨); as usual, we will then also use false, ∧, etc. Furthermore, we assume for each A 0 ⊆ A a transition predicate id A0 ∈ Ψ (A) expressing that the values of attributes in A 0 are the same in pre-and post-A-data states.
is satisfied in the pre-data state ω 1 and post-data state ω 2 . In particular, Definition 1. An event/data signature (ed signature, for short) Σ = (E, A) consists of a finite set of events E and a data signature A. We write E(Σ) for E and A(Σ) for A. We also write Ω(Σ) for Ω(A(Σ)), Φ(Σ) for Φ(A(Σ)), and Ψ (Σ) for Ψ (A(Σ)). The class of ed signatures is denoted by Sig E ↓ .
Any ed signature Σ determines a class of semantic structures, the event/data transition systems which are reachable transition systems with sets of initial states and events as labels on transitions. The states are pairs γ = (c, ω), called configurations, where c is a control state recording the current execution state and ω is an A(Σ)-data state; we write c(γ) for c and ω(γ) for ω.

Definition 2.
A Σ-event/data transition system (Σ-edts, for short) M = (Γ, R, Γ 0 ) over an ed signature Σ consists of a set of configurations Γ ⊆ C × Ω(Σ) for a set of control states C; a family of transition relations R = (R e ⊆ Γ × Γ ) e∈E(Σ) ; and a non-empty set of initial configurations Γ 0 ⊆ {c 0 } × Ω 0 for an initial control state c 0 ∈ C and a set of initial data states Ω 0 ⊆ Ω(Σ) such that Γ is reachable via R, i.e., for all γ ∈ Γ there are γ 0 ∈ Γ 0 , n ≥ 0, e 1 , . . . , e n ∈ E(Σ), and Atomic actions are given by expressions of the form e ψ with e an event and ψ a state transition predicate. The intuition is that the occurrence of the event e causes a state transition in accordance with ψ, i.e., the pre-and post-data states satisfy ψ, and ψ specifies the possible effects of e. Following the ideas of dynamic logic we also use complex, structured actions formed over atomic actions by union, sequential composition and iteration. All kinds of actions over an ed signature Σ are called Σ-event/data actions (Σ-ed actions, for short). The set Λ(Σ) of Σ-ed actions is defined by the grammar λ ::= e ψ | λ 1 + λ 2 | λ 1 ; λ 2 | λ * where e ∈ E(Σ) and ψ ∈ Ψ (Σ). We use the following shorthand notations for actions: For a subset F = {e 1 , . . . , e k } ⊆ E(Σ), we use the notation F to denote the complex action e 1 true + . . . + e k true and −F to denote the action E(Σ) \ F . For the action E(Σ) we will write E. For e ∈ E(Σ), we use the notation e to denote the action e true and −e to denote the action E \ {e}. Hence, if E(Σ) = {e 1 , . . . , e n } and e i ∈ E(Σ), the action −e i stands for e 1 true + . . . + e i−1 true + e i+1 true + . . . + e n true.
The actions Λ(Σ) are interpreted over a Σ-edts M as the family of relations To define the event/data formulae of E ↓ we assume given a countably infinite set X of control state variables which are used in formulae to denote the control part of a configuration. They can be bound by the binder operator ↓x and accessed by the jump operator @x of hybrid logic. The dynamic part of our logic is due to the modalities which can be formed over any ed action over a given ed signature. E ↓ thus retains from hybrid logic the use of binders, but omits free nominals. Thus sentences of the logic become restricted to express properties of configurations reachable from the initial ones.
Definition 3. The set Frm E ↓ (Σ) of Σ-ed formulae over an ed signature Σ is given by where ϕ ∈ Φ(Σ), x ∈ X, and λ ∈ Λ(Σ). We write [λ]̺ for ¬ λ ¬̺ and we use the usual boolean connectives as well as the constant false to denote ¬true. 4 The set Sen E ↓ (Σ) of Σ-ed sentences consists of all Σ-ed formulae without free variables, where the free variables are defined as usual with ↓x being the unique operator binding variables.
Given an ed signature Σ and a Σ-edts M , the satisfaction of a Σ-ed formula ̺ is inductively defined w.r.t. valuations v : X → C(M ), mapping variables to control states, and configurations γ ∈ Γ (M ): . By borrowing the modalities from dynamic logic [11,10], E ↓ is able to express liveness and safety requirements as illustrated in our running ATM example below. There we use the fact that we can state properties over all reachable states by sentences of the form [E * ]ϕ. In particular, deadlock-freedom can be expressed by [E * ] E true. The logic E ↓ , however, is also suited to directly express process structures and, thus, the implementation of abstract requirements. The binder operator is essential for this. For example, we can specify a process which switches a boolean value, denoted by the attribute val, from tt to ff and back by the following sentence:

Bisimulation and Invariance
Bisimulation is a crucial notion in both behavioural systems specification and in modal logics. On the specification side, it provides a standard way to identify systems with the same behaviour by abstracting the internal specifics of the systems; this is also reflected at the logic side, where bisimulation frequently relates states that satisfy the same formulae. We explore some properties of E ↓ w.r.t. bisimilarity. Let us first introduce the notion of bisimilarity in the context of E ↓ : Now we are able to establish a Hennessy-Milner like correspondence for a fragment of E ↓ . Let us call hybrid-free sentences of E ↓ the formulae obtained by the grammar The converse of Thm. 1 does not hold, in general, and the usual image-finiteness assumption has to be imposed: A Σ-edts M is image-finite if, for all γ ∈ Γ (M ) and all e ∈ E(Σ), the set {γ ′ | (γ, γ ′ ) ∈ R(M ) e } is finite. Then: Then there exists a bisimulation B between M 1 and M 2 such that (γ 1 , γ 2 ) ∈ B.

Axiomatic Specifications
Sentences of E ↓ -logic can be used to specify properties of event/data systems and thus to write system specifications in an axiomatic way.

Definition 5. An axiomatic ed specification
As a running example we consider an ATM. We start with an abstract specification Sp 0 of fundamental requirements for its interaction behaviour based on the set of events E 0 = {insertCard, enterPIN, ejectCard, cancel} 5 and on the singleton set of attributes A 0 = {chk} where chk is boolean valued and records the correctness of an entered PIN. Hence our first ed signature is Σ 0 = (E 0 , A 0 ) and Sp 0 = (Σ 0 , Ax 0 ) where Ax 0 requires the following properties expressed by corresponding axioms (0.1-0.3): -"Whenever a card has been inserted, a correct PIN can eventually be entered and also the transaction can eventually be cancelled." -"Whenever either a correct PIN has been entered or the transaction has been cancelled, the card can eventually be ejected." -"Whenever an incorrect PIN has been entered three times in a row, the current card is not returned." This means that the card is kept by the ATM which is not modelled by an extra event. It may, however, still be possible that another card is inserted afterwards. So an ejectCard can only be forbidden as long as no next card is inserted.
The semantics of an axiomatic ed specification is loose allowing usually for many different realisations. A refinement step is therefore understood as a restriction of the model class of an abstract specification. Following the terminology of Sannella and Tarlecki [18,19], we call a specification refining another one an implementation. Formally, a specification Sp ′ is a simple implementation of a specification Sp over the same signature, in symbols Sp Sp ′ , whenever Mod(Sp) ⊇ Mod(Sp ′ ). Transitivity of the inclusion relation ensures gradual step-by-step development by a series of refinements.
Example 2. We provide a refinement Sp 0 Sp 1 where Sp 1 = (Σ 0 , Ax 1 ) has the same signature as Sp 0 and Ax 1 are the sentences (1.1-1.4) below; the last two use binders to specify a loop. As is easily seen, all models of Sp 1 must satisfy the axioms of Sp 0 .
-"At the beginning a card can be inserted with the effect that chk is set to ff ; nothing else is possible at the beginning." -"Whenever a card has been inserted, a PIN can be entered (directly afterwards) and also the transaction can be cancelled; but nothing else." -"Whenever either a correct PIN has been entered or the transaction has been cancelled, the card can eventually be ejected and the ATM starts from the beginning." -"Whenever an incorrect PIN has been entered three times in a row the ATM starts from the beginning." Hence the current card is kept.

Operational Specifications
Operational event/data specifications are introduced as a means to specify in a more constructive style the properties of event/data systems. They are not appropriate for writing abstract requirements for which axiomatic specifications are recommended. Though E ↓logic is able to specify concrete models, as discussed in Sect. 2, the use of operational specifications allows a graphic representation close to familiar formalisms in the literature, like UML protocol state machines, cf. [16,12]. As will be shown in Sect. 3.3, finite operational specifications can be characterised by a sentence in E ↓ -logic. Therefore, E ↓ -logic is still the common basis of our development approach. Transitions in an operational specification are tuples (c, ϕ, e, ψ, c ′ ) with c a source control state, ϕ a precondition, e an event, ψ a state transition predicate specifying the possible effects of the event e, and c ′ a target control state. In the semantic models an event must be enabled whenever the respective source data state satisfies the precondition. Thus isolating preconditions has a semantic consequence that is not expressible by transition predicates only. The effect of the event must respect ψ; no other transitions are allowed.
Definition 6. An operational ed specification O = (Σ, C, T, (c 0 , ϕ 0 )) is given by an ed signature Σ, a set of control states C, a transition relation specification an initial control state c 0 ∈ C, and an initial state predicate ϕ 0 ∈ Φ(Σ), such that C is syntactically reachable, i.e., for every c ∈ C \ {c 0 } there are (c 0 , ϕ 1 , e 1 , ψ 1 , c 1 ), . . . , (c n−1 , ϕ n , e n , ψ n , c n ) ∈ T with n > 0 such that c n = c. We write Σ(O) for Σ, etc.  Example 3. We construct an operational ed specification, called ATM , for the ATM example. The signature of ATM extends the one of Sp 1 (and Sp 0 ) by an additional integer-valued attribute trls which counts the number of attempts to enter a correct PIN (with the same card). ATM is graphically presented in Fig. 1. The initial control state is Card , and the initial state predicate is true. Preconditions are written before the symbol →. If no precondition is explicitly indicated it is assumed to be true. Due to the extended signature, ATM is not a simple implementation of Sp 1 , and we will only formally justify the implementation relationship in Ex. 5.
Operational specifications can be composed by a syntactic parallel composition operator which synchronises shared events. Two ed signatures Σ 1 and Σ 2 are composable if A(Σ 1 ) ∩ A(Σ 2 ) = ∅. Their parallel composition is given by , and C and T are inductively defined by c 0 ∈ C and for Algorithm 1 Constructing a sentence from an operational ed specification

Expressiveness of E ↓ -Logic
We show that the semantics of an operational ed specification O with finitely many control states can be characterised by a single It is fin(c) where this algorithm mainly deviates from [15]: To ensure that no other transitions from c exist than those specified in O, fin(c) produces the requirement that at state c, for every event e and for every subset P of the transitions outgoing from c, whenever an e-transition can be done with the combined effect of P but not adhering to any of the effects of the currently not selected transitions, the e-transition must have one of the states as its target that are target states of P . The rather complicated formulation is due to possibly overlapping preconditions where for a single event e the preconditions of two different transitions may be satisfied simultaneously. For a state c, where all outgoing transitions for the same event have disjoint preconditions, the E ↓ -formula returned by fin(c) is equivalent to

Constructor Implementations
The implementation notion defined in Sect. 3.1 is too simple for many practical applications. It requires the same signature for specification and implementation and does not support the process of constructing an implementation. Therefore, Sannella and Tarlecki [18,19] have proposed the notion of constructor implementation which is a generic notion applicable to specification formalisms which are based on signatures and semantic structures for signatures. We will reuse the ideas in the context of E ↓ -logic.
The notion of constructor is the basis: for signatures Σ 1 , . . . , Σ n , Σ ∈ Sig E ↓ , a constructor κ from (Σ 1 , . . . , Σ n ) to Σ is a (total) function κ : . Given a constructor κ from (Σ 1 , . . . , Σ n ) to Σ and a set of constructors κ i from (Σ 1 i , . . . , Σ ki i ) to Σ i , 1 ≤ i ≤ n, the constructor (κ 1 , . . . , κ n ); κ from (Σ 1 1 , . . . , Σ k1 1 , . . . , Σ 1 n , . . . , Σ kn n ) to Σ is obtained by the usual composition of functions. The following definitions apply to both axiomatic and operational ed specifications since the semantics of both is given in terms of ed signatures and model classes of edts. In particular, the implementation notion allows to implement axiomatic specifications by operational specifications. The notion of simple implementation in Sect. 3.1 is captured by choosing the identity. We now introduce a set of more advanced constructors in the context of ed signatures and edts. Let us first consider two central notions for constructors: signature morphisms and reducts. For data signatures A, A ′ a data signature morphism σ : A → A ′ is a function from A to A ′ . The σ-reduct of an A ′ -data state ω ′ : A ′ → D is given by the A-data state ω ′ |σ : A → D defined by (ω ′ |σ)(a) = ω ′ (σ(a)) for every a ∈ A. If A ⊆ A ′ , the injection of A into A ′ is a particular data signature morphism and we denote the reduct of an A ′ -data state ω ′ to A by ω ′ ↾A. If A = A 1 ∪ A 2 is the disjoint union of A 1 and A 2 and ω i are A i -data states for i ∈ {1, 2} then ω 1 + ω 2 denotes the unique A-data state ω with ω↾A i = ω i for i ∈ {1, 2}. The σ-reduct γ|σ of a configuration γ = (c, ω ′ ) is given by (c, ω ′ |σ), and is lifted to a set of configurations Γ ′ by Definition 9. An ed signature morphism σ = (σ E , σ A ) : Σ → Σ ′ is given by a function σ E : E(Σ) → E(Σ ′ ) and a data signature morphism σ A : A(Σ) → A(Σ ′ ). We abbreviate both σ E and σ A by σ.
A further refinement technique for reactive systems (see, e.g., [9]), is the implementation of simple events by complex events, like their sequential composition. To formalise this as a constructor we use composite events Θ(E) over a given set of events E, given by the grammar θ ::= e | θ+θ | θ; θ | θ * with e ∈ E. They are interpreted over an Then we can introduce the intended constructor by means of reducts over signature morphisms mapping atomic to composite events: Definition 12. Let Σ, Σ ′ be ed signatures, D ′ a finite subset of Θ(E(Σ ′ )), ∆ ′ = (D ′ , A(Σ ′ )), and α : Σ → ∆ ′ an ed signature morphism. The event refinement constructor Finally, we consider a semantic, synchronous parallel composition constructor that allows for decomposition of implementations into components which synchronise on shared events. Given two composable signatures Σ 1 and Σ 2 , the parallel composition γ 1 ⊗ γ 2 of two configurations γ 1 = (c 1 , ω 1 ), γ 2 = (c 2 , ω 2 ) with ω 1 ∈ Ω(A(Σ 1 )), ω 2 ∈ Ω(A(Σ 2 )) is given by ((c 1 , c 2 ), ω 1 + ω 2 ), and lifted to two sets of configurations Definition 13. Let Σ 1 , Σ 2 be composable ed signatures. The parallel composition con- An obvious question is how the semantic parallel composition constructor is related to the syntactic parallel composition of operational ed specifications.
The next theorem shows the usefulness of the syntactic parallel composition operator for proving implementation correctness when a (semantic) parallel composition constructor is involved. The theorem is a direct consequence of Prop. 1 and Def. 8.  Example 6. We finish the refinement chain for the ATM specifications by applying a decomposition into two parallel components. The operational specification ATM of Ex. 3 (and Ex. 5) describes the interface behaviour of an ATM interacting with a user. For a concrete realisation, however, an ATM will also interact internally with other components, like, e.g., a clearing company which supports the ATM for verifying PINs. Our last refinement step hence realises the ATM specification by two parallel components, represented by the operational specification ATM ′ in Fig. 2a and the operational specification CC of a clearing company in Fig. 2b. Both communicate (via shared events) when an ATM sends a verification request, modelled by the event verifyPIN, to the clearing company. The clearing company may answer with correctPIN or wrongPIN and then the ATM continues following its specification. For the implementation construction we use the parallel composition constructor κ ⊗ from (Σ(ATM ′ ), Σ(CC )) to Σ(ATM ′ ) ⊗ Σ(CC ). The signature of CC consists of the events shown on the transitions in Fig. 2b. Moreover, there is one integer-valued attribute cnt counting the number of verification tasks performed. The signature of ATM ′ extends Σ(ATM ) by the events verifyPIN, correctPIN and wrongPIN. To fit the signature and the behaviour of the parallel composition of ATM ′ and CC to the specification ATM we must therefore compose κ ⊗ with an event refinement constructor κ α such that α(enterPIN) = (enterPIN; verifyPIN; (correctPIN + wrongPIN)); for the other events α is the identity and for the attributes the inclusion. The idea is therefore that the refinement looks like ATM κ⊗; κα ATM ′ , CC . To prove this refinement relation we rely on the syntactic parallel composition ATM ′ CC shown in Fig. 2c, and on Thm. 3. It is easy to see that ATM κα ATM ′ CC . In fact, all transitions for event enterPIN in Fig. 1 are split into several transitions in Fig. 2c according to the event refinement defined by α. For instance, the loop transition from PIN to PIN with precondition trls < 2 in Fig. 1 is split into the cycle from (PIN , Idle) via (PINEntered , Idle) and (Verifying , Busy) back to (PIN , Idle) in Fig. 2c. Thus, we have ATM κα ATM ′ CC and can apply Thm. 3 such that we get ATM κ⊗; κα ATM ′ , CC .

Conclusions
We have presented a novel logic, called E ↓ -logic, for the rigorous formal development of event-based systems incorporating changing data states. To the best of our knowledge, no other logic supports the full development process for this kind of systems ranging from abstract requirements specifications, expressible by the dynamic logic features, to the concrete specification of implementations, expressible by the hybrid part of the logic.
The temporal logic of actions (TLA [13]) supports also stepwise refinement where state transition predicates are considered as actions. In contrast to TLA we model also the events which cause data state transitions. For writing concrete specifications we have proposed an operational specification format capturing (at least parts of) similar formalisms, like Event-B [1], symbolic transition systems [17], and UML protocol state machines [16]. A significant difference to Event-B machines is that we distinguish between control and data states, the former being encoded as data in Event-B. On the other hand, Event-B supports parameters of events which could be integrated in our logic as well. An institution-based semantics of Event-B has been proposed in [8] which coincides with our semantics of operational specifications for the special case of deterministic state transition predicates. Similarly, our semantics of operational specifications coincides with the unfolding of symbolic transition systems in [17] if we instantiate our generic data domain with algebraic specifications of data types (and consider again only deterministic state transition predicates). The syntax of UML protocol state machines is about the same as the one of operational event/data specifications. As a consequence, all of the aforementioned concrete specification formalisms (and several others) would be appropriate candidates for integration into a development process based on E ↓ -logic.
There remain several interesting tasks for future research. First, our logic is not yet equipped with a proof system for deriving consequences of specifications. This would also support the proof of refinement steps which is currently achieved by purely semantic reasoning. A proof system for E ↓ -logic must cover dynamic and hybrid logic parts at the same time, like the proof system in [15], which, however, does not consider data states, and the recent calculus of [6], which extends differential dynamic logic but does not deal with events and reactions to events. Both proof systems could be appropriate candidates for incorporating the features of E ↓ -logic. Another issue concerns the separation of events into input and output as in I/O-automata [14]. Then also communication compatibility (see [2] for interface automata without data and [3] for interface theories with data) would become relevant when applying a parallel composition constructor.

A Proofs
In order to prove Thm. 1 we have to consider the following result: Lemma 1. Let M 1 , M 2 be Σ-edts and B ⊆ Γ (M 1 ) × Γ (M 2 ) a bisimulation between M 1 and M 2 , let ̺ be a hybrid-free sentence, and (γ 1 , We proceed by induction over the structure of hybrid-free sentences. For base sentences ϕ, by definition For sentences λ ̺ we use a well-known result: dynamic logic constructors are safe for bisimulation (see [5]), i.e., the (zig) and (zag) properties of B are preserved from atomic actions to composed Σ-ed actions (provable by induction on the structure of Σ-ed actions). Hence, The converse implication is analogously proved using the (zag) property. The proof for the remaining cases is straightforward.