We prove the most interesting rules, other rules are proved analogously. Rules (1) refers to basic propositional logic and is therefore not expanded here.
Rules (2) – (5) are straightforward to show, and are therefore omitted. (6) : Assume Γ Σ p ∼ q, let ρ Σ Γ, hence ρ Σ p ∼ q where (p, q) ∈ conns(Σ). By definition (p, q) ∈ ρ(0). Since ρ(0) is a valid state (see Sect. 4.1.1) we either have p, q ∈ρ(t) or p, q /∈ρ(t) hence ρΣ p↔q.
(9) : Assume ΓΣ φ, i.e. for allρ∈ R(Σ) it holds that if (ρ,0)Σ Γ then (ρ,0) Σ φ (*). Assume (ρ,0) Σ 2IΓ. Let t ∈ I and assume (ρ, t) Σ Γ. Define ρ0(t0) = ρ(t0+t). We know (ρ0,0) Σ Γ by definition of ρ0. Then by (*) it follows that (ρ0,0)Σ φ, and hence (ρ, t)Σ φ. Since t was arbitrarily chosen from I, it follows that (ρ,0)Σ 2Iφ.
(10) : Assume ΓΣ 2Iφ, let ρΣ Γ, henceρ Σ 2Iφ. Then for all t∈I,
(ρ, t)Σ φ. Hence, there is t0 ∈I such that (ρ, t0)Σ φ.
(12) : Assume Γ Σ 2I(φ → ψ), Γ Σ 3Jφ, and J ⊆ I. We need to
show hat Γ Σ 3Jψ. Let therefore ρ Σ Γ, and hence ρ Σ 2I(φ → ψ) and
ρ Σ 3Jφ. We know that there is t ∈ J such that (ρ, t) Σ φ. Since for all
t0 ∈Iit holds that (ρ, t0)Σ φ→ψandJ ⊆I, we know that (ρ, t)Σ φ→ψ. Using modus ponens, we get (ρ, t)Σ ψ, and hence ρΣ3Jψ.
(15) : Assume Γ Σ 2Jφ and J ⊇ I. Let ρ Σ Γ, hence ρ Σ 2Jφ. It
holds that for all t ∈ t+J (ρ, t) Σ φ. Since I ⊆ J, it follows that for all
t0 ∈I (ρ, t0)Σ φ. Hence, ρΣ 2Iφ.
(17) : Assume Γ Σ 2I2Jφ, and let ρ Σ Γ, hence ρ Σ 2I2Jφ. It
follows that for all t ∈ I, t0 ∈ t+J it holds that (ρ, t0) Σ φ, and hence for all t00 ∈(I+J) it holds that (ρ, t00)Σ φ, which implies thatρΣ 2I+Jφ.
(191) : Assume Γ Σ 2I(φ∧ψ), and let ρ Σ Γ, hence ρ Σ 2I(φ∧ψ).
We know that for all t ∈I it holds that (ρ, t) Σ φ∧ψ. It hence also holds that (ρ, t)Σ φ, and henceρΣ 2Iφ.
(20) : Assume ΓΣ 3Iφ and ΓΣ 2Iψ, and let ρ Σ Γ. It follows that
ρ Σ 3Iφ and ρΣ 2Iψ. We know hence that (ρ,0)Σ 3Iφ (ρ,0)Σ 2Iψ.
It follows directly that for there is t ∈ I (ρ, t) Σ φ. Since for all t0 ∈ I it holds that (ρ, t0)Σ ψ, it also holds for t. We get (ρ, t)Σ φ∧ψ, and hence (ρ,0)Σ 3I(φ∧ψ).
O P p p q S p q C
Figure 4.3: Example reconfiguration scenario
4.3
Simple framework application case study
We give a simple example to show how the assume-guarantee framework for reconfigurations can be applied. The scenario consists of one specification that simply requires a portqto be always true, and three simple components:
S, O and P. In this example, which is also shown in Figure 4.3, the “pro- cessing component” P is providing a port P.q and guaranteeing to maintain its truth only if its single required port, P.p is always true. P would be a natural fit for satisfying the system specification if a component would be available that is bound to P.q and always maintains its truth. However, in this example, we assume that the component O can always guarantee O.p
during the operation of the system except for a bootstrap phase – in this example here, the bootstrap phase is assumed to take four time units. In order to guaranteeP.p, the second providing componentS, informally called the “startup component”, is used to bridge this bootstrap phase. S is able to provide S.pfor exactly four time units.
We start to delve into the formal description of the system by investigating the global system specification that requires aq to be always true. It can be given as the following contractCG:
CG = (J>K,J2qK)
The component signature of this contract is ΣG = (∅,{q}).
The design of the system makes use of a processing component P that guaranteesq only if its required port p is always true. The signature ofP is
4.3 Simple framework application case study 157 therefore ΣP = ({P.p},{P.q}). Its contract can be specified as
CP = (J2P.pK,J2P.qK)
To satisfy the property 2P.p, we make use of the two components S
and O, where S takes care of guaranteeing p during the bootstrap phase (four time units) and O guarantees p during the normal operation of the system. The signature of SandO are similar, as they both provide one port: ΣS = (∅,{S.p}), and ΣO = (∅,{O.p}). The contracts of S and O are as
follows.
CS = (J>K,J2[0,4]S.pK) CO= (J>K,J2[4,∞)O.pK)
Additionally, an assembly specification is needed that assembles the three components in a way that the assumption ACP is satisfied, and guarantees
2psuch that the global contract holds. The composite component signature for the composite component C that hosts AC can be defined as ΣC =
(ΣExtC ,ΣIntC , Ci, Cd) where ΣExtC = (∅,{q}), ΣIntC = ({P.p},{P.q, S.p, O.p}),
Ci = {(P.p, S.p),(P.p, O.p}, and Cd = {(P.q, q)}. The following assembly
specification is proposed.
AC =J(2q∼P.q)∧(2[0,4]P.p ∼S.p)∧(2(4,∞)P.p∼O.p)K
Now, we bundle the three components P, S, and O together into one com- posite component C. The resulting composite component is given as
C = (ΣC,(AC, GC),AC,{P, S, O})
The component contract is specified as CC = (AC, GC) = (J>K,J2qK), which
is, obviously, a refinement of the specification CG. Figure 4.3 shows the
complete example scenario with the three components S, O,P boxed in the composite component C.
Fist, let us have a look at the receptivity of the contractsCG,CS,CO, and
CP to make sure that all contracts are consistent. Considering CG, CS and
CO it is clear that the assumptions of all three contracts are Prov-receptive,
as the assumptions are J>K, i.e. the set of all runs. The guarantees of CG,
CS and CO are Req-receptive for the simple reason that the set of required
ports in the signatures of CG,CS and CO is empty. It remains to investigate
CP. The assumption of CP, J2P.pK, is Prov-receptive, as J2P.pK↓(∅,{P.q})=
the guarantee of P, J2P.qK is Req-receptive. Obviously, J2P.qK↓({P.p},∅)=
R(({P.p},∅)).
Next, it is worthwhile to investigate the S-receptivity of the assembly specificationAC. It must be shown that for each Σ ∈ {ΣS,ΣO,ΣP}, it holds
thatAC↓Σ=R(Σ). As AC =J(2q∼P.q)∧(2[0,4]P.p ∼S.p)∧(2(4,∞)P.p ∼
O.p)K specifies only connectivity requirements, it is obvious that AC alone
does not restrict the runs of S, O, and P. Looking more closely to the semantics,AC reduces the set of runs to those that contain specific connectors
in specific states, which – due to the restriction of valid runs – does restrict the possible valuations of ports in each state by requiring that valuations of connected ports must be the same. At first, the semantics of AC can
be given as AC = {ρ ∈ R(ΣC) | (∀t ∈ R+0 (P.q, q) ∈ ρ(t)) and (∀t ≤ 4 (P.p, S.p) ∈ ρ(t)) and (∀t > 4 (P.p, O.p)∈ ρ(t))}. Now, we need to show that restrictingAC to ΣS is equal to the set R(ΣS). Since it obviously holds
that AC↓ΣS⊆ ΣS, it suffices to show that ΣS ⊆ AC↓ΣS. Let hence ρ ∈ ΣS
be a run. By the definition of restriction (Definition 25), we need to find a run ρ0 ∈ AC such that∀t ∈R+0.ρ0(t)∩ S(ΣS) = ρ(t). We take the run
ρ0(t) = {(P.p, S.p), P.p,(P.q, q)} ∪ρ(t) if t ≤4 and S.p∈ρ(t) {(P.p, S.p),(P.q, q)} ∪ρ(t) if t ≤4 and S.p6∈ρ(t) {(P.p, O.p),(P.q, q)} ∪ρ(t) if t >4. Obviously, ∀t ∈ R+
0.ρ0(t)∩ S(ΣS) = ρ(t), since ρ0 contains ρ in every state,
and does not add any predicates belonging to ΣS. At the same time, it holds
thatρ0 ∈ AC, sinceP.p is connected toS.pare connected in the time interval
[0,4], and P.p is connected to O.p in the time interval (0,∞), and P.q is always connected toq. Hence,AC is ΣS-receptive.
Similarly, it can be shown thatAC is ΣO-receptive. In order to show that
ΣO ⊆ AC↓ΣO, we choose for ρ∈ΣO the followingρ
0: ρ0(t) = {(P.p, S.p),(P.q, q)} ∪ρ(t) if t≤4
{(P.p, O.p),(P.q, q), P.p} ∪ρ(t) if t >4 and O.p∈ρ(t)
{(P.p, O.p),(P.q, q)} ∪ρ(t) if t >4 and O.p6∈ρ(t).
As before, it holds obviously that∀t ∈R+ 0.ρ
0(t)∩ S(Σ
O) = ρ(t). At the same
time it holds thatρ0 ∈ AC, sinceρ0 satisfies the connectivity requirements of
AC.
Finally, the proof that AC is ΣP-receptive is just the same as the proofs
4.3 Simple framework application case study 159 It remains to be shown that C is consistent, however. For this, it must be shown that the conditions (1)-(6) specified in Definition 35 are satisfied. We assume that P, S, O are correct, and therefor condition (1) is satisfied. Conditions (2) and (3) are satisfied as the naming of ports and components implies so. Condition (5) was just investigated before: AC is S-receptive.
Condition (6) is trivially true, as there is no externally visible required port. Hence, it only remains to show condition (4): The parallel composition of component contracts is indeed a refinement of the composite component con- tract:
CC CSkACCOkACCP
First, we compute the result of the parallel composition (A, G) = CSkACCOkACCP
Using Corollary 3, this can be performed on the syntactic level. The formula characterising the assumption resulting from the parallel composition of CS
and CO, the startup component and the operation component, is given in
the following, and immediately simplified. (1) AC∨ ¬(AC ∧GS∧GO)
(2) (AC ∨ ¬AC)∨ ¬(GS∧GO) from (1), by rule (1) and (3)
(3) > ∨ ¬(GS∧GO) from (2), by rule (1) and (3)
(4) > from (3), by rule (1) and (3)
While the assumption of the composition ofCSandCOunderAC can be sim-
plified to>, the guarantee remains the conjunction of assembly specification and the guarantees of CS and CO:
AC ∧GS∧GO
The composition of all three components finally yields the following assump- tion, which is also immediately simplified:
(1) (AC∧2P.p)∨ ¬(AC ∧2[0,4]S.o∧2[4,∞)O.p∧GP)
(2) (AC∧2P.p)∨ ¬(AC ∧2[0,4]P.p∧2[4,∞)P.p∧GP)
from (1), by rule (1) and (21) (3) (AC∧2P.p)∨ ¬(AC ∧2P.p∧GP) from (2), by rule (1) and (23)
(5) (AC ∧2P.p)∨ ¬(AC ∧2P.p)∨ ¬GP from (4), by rule (1)
(6) > from (5), by rule (1)
The composition of guarantees following Corollary 3 yields directly
G= (AC ∧2P.q∧2[0,4]S.p∧2[4,∞)O.p)
Now that the composition is constructed, it has to be verified that the composition is indeed a refinement. This can be done on the syntactic level again by using Corollary 2, in which we need to show two entailments. Both entailments are trivial: the assumption of the composite component contract
CC,>, entails the assumption of the composition, >. Similarly obvious, the
guarantee of the composite component,2pcan be shown from (AC∧2P.q∧
2[0,4]S.p∧2[4,∞)O.p) by applying rule (22).
Altogether, we have shown that the composite component is valid by proving all six requirements of validity of composite components. Since the contract of the composite component is a refinement of the initial specifi- cation (it is indeed identical), we have shown that the composite system undergoing reconfigurations that adhere to the assembly specification AC is
a design satisfying the specification initially imposed.