is more suitable for modelling hybrid systems. It is not straightforward, however, to generalize the
projection construct from a time-free notation to a timed notation for hybrid systems. The generalization requires a radical shift in the semantics of the underlying logic.

This paper proposes a logic, HPTL, for modelling, analyzing, verifying and understanding hybrid biological systems. The syntax and semantics are presented. It is intended to provide a fully general formal logic to allow for precise reasoning about arbitrary biological systems. Since these systems are going to be incredibly complex, any formal reasoning has to be automated, and a formal logic is the prerequisite for achieving this. We are not considering the process as being only one of simulation. What we want to achieve is a mechanism whereby mathematical facts, which will be valid in precisely described conditions, can be deduced from the description of the model. Simulation can only provide a finite number of scenarios describing system behaviour and cannot generate statements that are universally true or true in infinitely many situations; however, simulation is a valuable way of getting greater understanding of the model and should be accommodated as well.

This paper is organized as follows: Section 2 explores hybrid systems; Section 3 is devoted to formalizing the hybrid projection temporal logic; in Section 4, examples of two simple biological systems are modelled with HPTL to illustrate the formalisms; finally, conclusions are drawn in Section 5.
2. Hybrid systems
2.1. Time and time intervals

We model time by the non-negative real line $R$. So a time interval¹ is a left and right closed subinterval of $R$ if it is finite; or it is a left closed and right unbounded subinterval if the interval is infinite. The left end-point of a time interval $I$ is denoted by $l_I$ and the right end-point, for bounded $I$, is denoted by $r_I$. Two intervals $I_1$ and $I_2$ are adjacent if $r_{I_1} = l_{I_2}$. A time interval sequence $I = I_0 I_1 \ldots$ is a finite or infinite sequence of time intervals that partitions $R$:

- Any two neighbouring intervals $I_i$ and $I_{i+1}$ are adjacent.
- For the first time interval $I_0$, $l_{I_0} = 0$, and for the final time interval of any finite interval sequence, it is unbounded.

Note that the above definition guarantees that for all $t \in R$, there is some interval $I_i$ with $t \in I_i$. The time interval sequence $I_1$ refines the time interval sequence $I_2$ if $I_1$ is obtained from $I_2$ by splitting some intervals. Clearly, for any finite set $S_I$ of time interval sequences there is a time interval sequence $S\,S_I$ that refines all sequences in $S_I$.
2.2. Observing hybrid systems

We first make the following assumptions: (1) any hybrid system is observable; that is, the executions of the components involved in the system can be recorded by an observer or an agent; (2) at any time instant, at least one component can be observed if the system has not finished; (3) a continuous activity takes a time duration and a discrete event takes zero time²; (4) time is continuous and time divergence excludes Zeno computations in which there are infinitely many changes for discrete variables within a finite time interval.

Suppose the set $A = \{a_1, \ldots, a_n\}$ of continuous activities and the set $E = \{e_1, \ldots, e_m\}$ of discrete events are involved in a hybrid physical environment. As time goes by, an observation sequence of executing components from $A$ and $E$ can be obtained when an agent or some equivalent observes the system. Basically, an observation sequence achieved in such a way can be in the following form:

$$c_0, c_1, c_2, \ldots \qquad (3)$$

where $c_i \in A \cup E$ if the computation is well-interleaved and all discrete events take no time. However, in practice, a hybrid system is not so regular. The continuous activities and discrete events may be mixed in a very complicated way including overlapping and/or concurrency. Therefore, in general, the $c_i$ in sequence (3) can contain a number of components, from $A \cup E$, which are executed in a concurrent and/or overlapping manner. Furthermore, if the discrete event $e_i$ can be thought of as a continuous activity $ea_i$, which takes a time duration, followed by a discrete event $ed_i$ which occurs instantaneously, and $e$ is used as a vacuous discrete event (a doing-nothing operation), then sequence (3) can be rewritten as:

$$\{ed_{i_0}, c_0\}, \{ed_{i_1}, c_1\}, \ldots \qquad (4)$$

where $c_i = a_{i1} \ldots a_{ik}$ for some $k \in N$, $a_{i_j} \in A \cup \{ea_j \mid e_j \in E\}$, and $ed_{i_j} \in \{ed_j \mid e_j \in E\} \cup \{e\}$.

Sequence (4) tells us the following facts: (1) for all continuous activities, $a_{i_j}$ contained in $c_i$ precedes $a_{i_j+1}$ contained in $c_{i+1}$ and, for all discrete events, $ed_{i_j}$ is prior to $ed_{i_{j+1}}$; (2) each $c_i$, containing a set of continuous activities, takes a time interval $I_i$, and $I_0 I_1 I_2 \ldots$ is a time interval sequence; (3) $ed_{i_j}$ and $c_i$ take place at the same time but $ed_{i_j}$ occurs only at the time instant $l_{I_i}$. Since an event which takes a time duration can be decomposed as a continuous activity followed by a discrete event which takes no time, whenever the term 'discrete event' is used, in what follows, this implies the 'event' takes no time. Otherwise it will be clarified explicitly.

The computing model shown by sequence (4) for hybrid systems is similar to the true concurrency model for time-free concurrent computations. It is a fundamental basis for both the finite state machine-based notation and the logic-based notation which we use for modelling hybrid systems.

¹ The time interval and time interval sequence are similar to that presented in Alur et al. (1993) but they are modified for our purpose.

² If a discrete event takes time, we can make a two-phase step consisting of a man-made continuous activity by imposing a continuous variable as a timer but not changing discrete variables, followed by a discrete event changing the discrete variables instantaneously.
2.3. Modelling of hybrid systems

In this section, we describe the observation sequence (4) in a more formal way. Let $\Pi$ be a finite set of propositions, and $V$ be a finite set of real-valued variables. The variables are divided into static variables, denoted by $V_{sta}$, and dynamic or state variables denoted by $V_{dyn}$; the dynamic variables consist of discrete variables $V_d$ and continuous variables $V_c$. The value of a continuous variable can be changed at any time instant. A static variable keeps stable over a subsequence of a time interval sequence, while a discrete variable and a proposition remain unchanged only in a time interval over which a continuous activity evolves.

To formalize the observation sequence (4), we need a two-state notation. One is a microstate, the other is a macrostate. A microstate $s$ is an interpretation of all the variables in $V$ and all the propositions in $P$. We write $S$ for the set of microstates.

We make the following conventions: (1) at any time instant $t$, for each variable $x \in V$, $x$ can have two values, one denoting the left limit $x^-(t)$, the other denoting the right limit $x^+(t)$. If $x$ is continuous at the time instant $t$, then $x^-(t) = x^+(t)$. In this case, we often write a single $x$ instead of $x^-$ and $x^+$ (note that the same notations will be used for functions); (2) since variables can have two values at one time instant, a point in time can have two microstates, $s^-$ (called the left microstate) and $s^+$ (called the right microstate), where $s^-$ represents the interpretation of all left limits of variables while $s^+$ represents the interpretation of all right limits of variables. If, at any time instant, all variables are continuous, then $s^-$ and $s^+$ are identical. In this case, we also write a single microstate $s$ instead of $s^-$ and $s^+$.

Let $I = [l_I, r_I]$ be a time interval, and $I = (l_I, r_I)$ be its corresponding open interval. A function $f: I \to R$ is piecewise smooth on $I$ if:

- at $l_I$, the right limit and all right derivatives of $f$ exist;
- at all points $t \in I$, the right and left limits and all right and left derivatives of $f$ exist, and $f$ is continuous either from the right or from the left;
- at $r_I$, the left limit and all left derivatives of $f$ exist.

We assume each variable $x \in V$ has finitely many discontinuous points over a finite interval $I$ and is connected with a piecewise smooth function $g_x: I \to R$. Thus, $g_x$ has finitely many discontinuous points on $I$. Hence, there is a sequence $I_{g_x} = I_0 I_1 \ldots$ which partitions $I$ and the continuous function sequence $g_x^0 g_x^1 \ldots$ of $g_x^j: I_j \to R$, such that the restriction of $g_x$ to each time interval $I_j$ coincides with the restriction of $g_x^j$ to $I_j$. Each restriction of $g_x$ to time interval $I_j$ is called a phase (macrostate, see below) of $g_x$. Let $g = \{g_x \mid x \in V_c\}$ be a family of piecewise smooth functions $g_x: I \to R$. It is clear that the phases of $g$ are the restriction of $g$ to the time intervals of the sequence $I_g = S\,\{I_{g_x} \mid x \in V_c\}$. This ensures that, for a given hybrid system, there exists a sequence of phases to model it.

A piecewise-smooth function $g: I \to R$ is piecewise linear if each phase of $g$ is linear. A piecewise-linear function $g: I \to R$ is a constant slope function if the slope of $g$ is a constant $k \in R$. In particular, a constant slope function is a step, clock, or integrator function if the slope $k$ is 0, 1, or sometimes 0 and sometimes 1, respectively (Alur et al., 1993).
It is now time to define macrostates. A macrostate $m_i$ is a tuple $(s_i^+, I_i, g_i, s_{i+1}^-)$³, which models a continuous activity, where $I_i$ is a time interval or duration, and $g_i$ is a family of continuous (more often derivable) functions $g_i^x: D_x \times I_i \to R$; $D_x$ is the domain of the variable $x$. Equivalently, $g_i$ is a continuous derivable function from $D_x \times I_i$ to . $s_i^+$ denotes the right microstate at time point $l_{I_i}$ whereas $s_{i+1}^-$ denotes the left microstate at $r_{I_i}$. Actually, $g_i$ can be defined by:

$$g_i: V \to D_x \times I_i \to R \quad \text{or} \quad g_i: V \times D_x \times I \to R.$$

Equivalently, $g_i: D_x \times I \to S$.

We will use $g_i$ in a flexible manner within this paper and often write $g_i^x(x)(t)$ instead of $g_i^x(x, t)$. Note that $g_i$ and $g_i^x$ are respectively unary functions from $I_i$ to and from $I_i$ to $R$ when $x$ is a constant in $g_i(x, t)$ and $g_i^x(x, t)$.

A computation run of a hybrid system can formally be defined by:

$$\bar{s}: (s_0^+, I_0, g_0, s_1^-)\,(s_1^+, I_1, g_1, s_2^-)\,(s_2^+, I_2, g_2, s_3^-) \ldots \qquad (5)$$

such that:

- $I_0 I_1 I_2 \ldots$ is a time interval sequence;
- for all $0 \le i$, $g_i^+(l_{I_i}) = s_i^+$, and $g_i^-(r_{I_i}) = s_{i+1}^-$;
- the function sequence $g_0 g_1 \ldots$ is a restriction of some piecewise smooth function $g$ to each time interval $I_j$.

Sequence (5) above is a formal refinement of sequence (4). We can see the discrete events have disappeared in sequence (5) because the information has been recorded in the $s_i^+$. Actually, the discrete event $ed_i$ initializes the function $g_i$ at microstate $s_i^+$. The microstate $s_{i+1}^-$ is redundant but useful for manipulations.

For a macrostate $m_i$, if $g_i = id$ (the identical function), then over the time duration $I_i$, no continuous variables change but time progresses. Thus, $s_i^+$ agrees with $s_{i+1}^-$, so $m_i$ can be simplified to $(s_i, I_i)$. This is the structure of a trace required for discrete event systems. Furthermore, if $I_i = [t_i]$ is a singleton interval, then it only describes the status of variables at time point $t_i$.

In sequence (5), note that (1) $s_i^-$ and $s_i^+$ can be identical; in this case, it implies that the macrostates $m_{i-1}$ and $m_i$ are the two parts of a macrostate, and are obtained by splitting this state. (2) A segment of or whole of sequence (5) can denote a discrete event sequence, as long as $g_i = id$ in the segment. (3) The $g_i$ is a family of functions $g_i^x$ for $x \in V$ within the macrostate $m_i$; the members of $g_i$ can change from state to state. This allows us to cope with the overlapping and/or concurrent activities and events.

Therefore, sequence (5) provides us with a generic faithful model for dealing with an arbitrary mixture of continuous and discrete components in a hybrid system. The pair $(s_i^-, s_i^+)$ is called a partition point. The points in time $l_{I_{i-1}}$ and $r_{I_i}$ are time stamps of $s_{i-1}^-$ and $s_i^+$, respectively, and the time durations $[r_{I_{i-1}}, r_{I_{i-1}}]$, i.e. the right end point of the time interval $r_{i-1}$ with macrostate $m_{i-1}$, and $I_i$, i.e. the time interval with microstate $m_i$, are called the time durations of $s_{i-1}^-$ and $s_i^+$.
³ More precisely, a macrostate is of the form $(s_i^-, s_i^+, I_i, g_i, s_{i+1}^-, s_{i+1}^+)$.

For ease of manipulations, in what follows, we use sequence (6) obtained from sequence (5) by splitting each pair of partition points into two separate microstates, hereafter called end microstates, and re-numbering the subscripts of the end microstates in a consecutive manner and deleting their subscripts but keeping their time stamps and time durations:

$$\bar{s}: (s_0, I_0, g_0, s_1)\,(s_2, I_1, g_1, s_3)\,(s_4, I_2, g_2, s_5) \ldots \qquad (6)$$

For a macrostate $m_i = (s_j, I_i, g_i, s_{j+1})$, if $I_i = [t_j, t_j]$ is a trivial point interval, then this macrostate retrogrades to a discrete state $(s_j, t_j)$, and if $g_i$ is the identical function $id$, then this macrostate retrogrades to $(s_j, I_i, id, s_j)$. Therefore, sequence (6) subsumes the case in which a discrete timed state subsequence may be involved. Sequence (6) provides us with a generic structure which can be used as both a logic model and a computation run of a finite state machine.
3. A hybrid projection temporal logic
This section is devoted to presenting briefly the hybrid projection temporal logic (HPTL). HPTL can be thought of as a generalization of the first order temporal logic (Moszkowski, 1986, 1993; Kroeger, 1987; Manna and Pnueli, 1992) and Timed ITL (Duan et al., 1994a) with projection (Duan et al., 1994b).

3.1. Syntax

The terms e and formulas p of the logic are given by the following grammar:

e:: = u xx + x − x; + x; − ebegeendeTt f T f fe 1 ,…, e n
p:: = p e 1 = e 2 Pe 1 ,…, e n ¬pp 1 p 2 ×x:ppp; cqp 1 ,…, p m prjp

where $p \in P$ is a proposition, $x$ is a dynamic variable and $u$ is a static variable. $x^+$, $x^-$, $\dot{x}^+$ and $\dot{x}^-$ are the right limit, left limit, right derivative, and left derivative of the variable $x$, respectively. In $f(e_1, \ldots, e_n)$ and $P(e_1, \ldots, e_n)$, it is assumed that the types of the terms are compatible with those of the arguments of $f$ and $P$.

The time variable $T$ denotes simply the current time instant; the time variable $t_f$ specifies a time duration within the current time interval; the time variable $T_f$ represents a time duration from the current time instant to the end of the final time interval of the current state interval (if any). A formula (or term) is called a state formula (or term) if it does not contain any temporal operators; otherwise it is a temporal formula (or term).

3.2. Semantics

As mentioned earlier, a microstate $s$ is an assignment which, for each variable $v \in V$, defines $s[v]$, and for each proposition $p \in P$ defines $s[p]$. $s[v]$ is a value of the appropriate type or nil (undefined), whereas $s[p] \in \{true, false\}$.
A state interval (or interval for short) $\sigma = \langle m_0, m_1, \ldots \rangle$ is a non-empty (possibly infinite) sequence of macrostates. It is a subsequence of a computation run $\bar{s}$. The length of $\sigma$, denoted by $|\sigma|$, is defined as $\omega$ if $\sigma$ is infinite; otherwise it is the number of end microstates in $\sigma$ minus 1. For $0 \le i, j \le |\sigma|$, we will use $\sigma_{i..j}$ to denote the subinterval starting at the microstate $s_i$ and ending at the microstate $s_j$, and $\sigma^k$ to denote the interval $\langle m_k, \ldots \rangle$.

Let $\sigma_{i..j} = \langle s_i, \ldots, s_j \rangle$ be a state interval and $r_1, \ldots, r_h$ ($1 \le h$) be integers such that $i \le r_1 \le \ldots \le r_h \le j$. The projection of $\sigma$ on to $r_1, \ldots, r_h$ is the interval:

$$\sigma \downarrow (r_1, \ldots, r_h) = \langle (s_{n_1}, t_{n_1}), (s_{n_2}, t_{n_2}), \ldots, (s_{n_k}, t_{n_k}) \rangle$$

where $n_1, \ldots, n_k$ is obtained from $r_1, \ldots, r_h$ by deleting all duplicates. That is, $n_1, \ldots, n_k$ is the longest strictly increasing subsequence of $r_1, \ldots, r_h$; and $t_{n_j}$ is the time stamp of the end microstate $s_{n_j}$ for $1 \le j \le k$. For example:

$$\langle m_0, m_1, m_2, m_3, m_4 \rangle \downarrow (0, 0, 2, 2, 2, 3) = \langle (s_0, l_{I_0}), (s_2, l_{I_1}), (s_3, r_{I_1}) \rangle$$

When it is clear in the context, we write the projected interval consisting of only states without times. For instance, the above interval can be simplified to $\langle s_0, s_2, s_3 \rangle$.
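The projection of a state interval onto a list of end-microstate indices, as described above, written out as an added Python example (not code from the paper). The `Macrostate` class, the helper names and the sample run with x(t) = t on unit intervals are assumptions constructed for illustration; the final unbounded interval of a run is not modelled.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Microstate = Dict[str, float]          # interpretation of the variables
Stamped = Tuple[Microstate, float]     # (end microstate, time stamp)


@dataclass
class Macrostate:
    """m_i = (s_j, I_i, g_i, s_{j+1}) in the numbering of sequence (6)."""
    start: Microstate                      # end microstate stamped l_{I_i}
    interval: Tuple[float, float]          # I_i = [l_{I_i}, r_{I_i}]
    flow: Callable[[float], Microstate]    # g_i, evaluated on I_i
    end: Microstate                        # end microstate stamped r_{I_i}


def end_microstates(sigma: Sequence[Macrostate]) -> List[Stamped]:
    """Flatten <m_0, m_1, ...> into [(s_0, l_I0), (s_1, r_I0), (s_2, l_I1), ...]."""
    stamped: List[Stamped] = []
    for m in sigma:
        left, right = m.interval
        stamped.append((m.start, left))
        stamped.append((m.end, right))
    return stamped


def project(sigma: Sequence[Macrostate], points: Sequence[int],
            i: int = 0, j: Optional[int] = None) -> Tuple[List[int], List[Stamped]]:
    """Return (n_1..n_k, projected interval) for sigma projected onto r_1..r_h."""
    states = end_microstates(sigma)
    last = len(states) - 1 if j is None else j
    if not points:
        raise ValueError("at least one projection point is required (1 <= h)")
    if any(b < a for a, b in zip(points, points[1:])):
        raise ValueError("projection points must be non-decreasing")
    if last >= len(states) or points[0] < i or points[-1] > last:
        raise ValueError("projection points must satisfy i <= r_1 and r_h <= j")
    kept: List[int] = []
    for r in points:                 # delete duplicates, keeping first occurrences
        if not kept or r != kept[-1]:
            kept.append(r)
    return kept, [states[n] for n in kept]


def sample_run(n: int = 5) -> List[Macrostate]:
    """Constructed run: unit intervals [k, k+1] with x(t) = t on each of them."""
    return [
        Macrostate({"x": float(k)}, (float(k), float(k + 1)),
                   lambda t: {"x": t}, {"x": float(k + 1)})
        for k in range(n)
    ]


if __name__ == "__main__":
    # The example from the text: <m_0, ..., m_4> projected onto (0, 0, 2, 2, 2, 3).
    indices, interval = project(sample_run(), [0, 0, 2, 2, 2, 3])
    print(indices)
    for state, stamp in interval:
        print(stamp, state)
```

With the constructed run, the indices 0, 2 and 3 select the end microstates stamped with the left end of the first interval and the left and right ends of the second, matching the three-element interval in the example.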
An interpretation is a tuple $I = (\sigma, i, c, d, j)$, where $\sigma = \langle m_0, m_1, \ldots \rangle$ is a state interval, $i$ an integer, and $j$ an integer or $\omega$ such that $0 \le i \le j \le |\sigma|$, while $c$ and $d$ are reals such that $[c, d] \subseteq I_i$; $I_i$ is the time duration of the end microstate $s_i$. Intuitively, $\sigma$ provides an interval over which terms and formulas are interpreted pointwise; the parameters $i$ and $j$ serve as indicators of the starting end microstate $s_i$ and the final end microstate $s_j$, respectively, while $c$ and $d$ define a subtime interval $[c, d]$, called the active time interval, of the time duration $I_i$ of the end microstate $s_i$. The parameter $i$ is needed because the interpretations of the terms and formulas with the next operator, as well as the formulas with the discrete chop (;) and the projection (prj) operators refer to it; the parameter $j$ is required because the discrete chop and projection operators partition the current state interval by changing parameters $i$ and $j$; the parameters $c$ and $d$ are indispensable for the continuous chop operator ($;_c$) since a subformula may be interpreted over a subtime interval of the current time interval $I_i$.

For simplicity, in what follows, we use the notations $(\sigma, i, I, j)$ to stand for $(\sigma, i, x, y, j)$ if $I = [x, y]$, $(\sigma, i, x, j)$ to represent $(\sigma, i, x, x, j)$ and $(\sigma, i, x)$ to denote $(\sigma, i, x, x, i)$. One point we clarify here is that the interpretation notation $(\sigma, i, I, j)$ covers the discrete case since a discrete timed state $(s_i, t_i)$ over the interval $\sigma$ can be referred to by using $I = [t_i, t_i]$.

For every term $e$, the evaluation of $e$ relative to interpretation $I$ is defined in $I[e]$ by induction on terms in the following way, where $x$ is a dynamic variable, $u$ is a static variable, and $e_1, \ldots, e_m$ are terms: The formal interpretations of terms and formulae are described in the Appendix.

The interpretation of the projection construct seems rather tricky and it is somewhat difficult to grasp its meaning. Basically, the interpretation is concerned with three cases: the first is a trivial case in which $p_1, \ldots, p_m$ are interpreted sequentially over a local interval and $q$ holds at the beginning (a microstate) of the interval; in the second case, $q$ is interpreted and stopped before some $p_k$ starts to be interpreted; whereas in the third case, $p_1, \ldots, p_m$ are all finished before $q$.

The chop operator (;) is a major operator in ITL (Moszkowski, 1986) and Timed ITL (Duan et al., 1994a). It can be expressed by the projection operator (see derived formulas). The intuitive meaning of $p; q$ is simple: $p; q$ holds over an interval if the interval can be partitioned into two parts, and $p$ holds over the first part and $q$ holds over the second part. The continuous chop operator ($;_c$) is similar to the discrete chop operator (;) but only acts on the active time interval. $p ;_c q$ holds if the active time interval can be split into two time intervals, and $p$ holds over the first and $q$ holds over the second. State sequence as well as the mixed state sequence. In the discrete case, the $I_i$ is merely a trivial point interval.
3.3. Satisfaction and validity

A model is a macrostate interval. Given a model $\sigma$ and a formula $p$, $\sigma$ is a model of $p$ if $\sigma \models p$. If there exists a model $\sigma$, $\sigma \models p$ then $p$ is called satisfiable. If for all models $\sigma$, $\sigma \models p$ then $p$ is said to be valid, denoted by $\models p$. Sometimes, we denote $\models p \leftrightarrow q$ by p:q. Let $R$ be a set of intervals satisfying some properties. A formula $p$ is called $R$-satisfiable, denoted by $\sigma \models_R p$, if there exists an interval $\sigma \in R$ and $\sigma \models p$. A formula is said to be $R$-valid if for all intervals in $R$, $p$ is $R$-satisfiable.
Example 3.1

The formula begx = 1 c x;= −1endx= −1 describes the phase transition system given in Manna and Pnueli (1993). It is easy to check that the following interval satisfies the above formula:

$$\sigma = \langle s_0, I_0, g_0, s_1, \ldots \rangle$$

where $s_{2i}[x] = 1$, $I_i = [2i, 2i + 1]$, $g_i^x(t) = -t + 2i + 1$ for $t \in I_i$, and $s_{2i+1}[x] = -1$ for all $0 \le i$, $i \in N$.
3.4. Derived formulas

The derived connectives , and $\leftrightarrow$ as well as the logic constants true and false, and universal quantification $\forall x$ ($x \in V$), are defined as usual. We also use the following derived formulas:
3.4.1. Operators for microstates

1
c
p def
true;
c
p 2 2
c
p def
¬
c
¬p 3 empty
c
def t
f
= 4 more
c
def ¬empty
c
5 fin
c
p def
c
empty
c
p
6 keep
c
p def
c
more
c
p
7 halt
c
p def
c
empty
c
l p

The above formulas are defined over a continuous time duration, and interpreted over an active time interval. $\Box_c\,p$ means that $p$ holds at all time instants from now on over the active time interval. $\Diamond_c\,p$ means that $p$ holds from now or from some time instant in the future within the active time interval. $empty_c$ tells us that the right end point of the active time interval has been reached. $fin_c(p)$ holds over the active time interval as long as $p$ holds at the right end point of the active time interval; $keep_c(p)$ holds over the active time interval if $p$ holds at all time instants ignoring the right end point. $halt_c(p)$ holds over the active time interval if and only if $p$ holds at the right end point of the active time interval.

3.4.2. Operators for macrostates

1 empty
def ¬true
2 more def
¬empty 3
p
def p
4
n p
def
n − 1
p 5 len n
def
n
empty 6 skip
def len1
7 2p def
true;psee below for; 8
p
def ¬2¬p
9 Õp def
¬¬p

The above formulas are concerned with a macrostate sequence. The intuitive meanings of the above temporal constructs are similar to those for microstates. empty represents the right end point of the final macrostate over the current interval; len(n) specifies the length of the state interval to be $n$; $\Diamond p$ means that $p$ holds eventually in the future from some state, whereas $\Box p$ means that $p$ holds always in the future from the current macrostate. Õp tells us that either the right end point of the current macrostate is reached or $p$ holds from the next macrostate of the present state interval.

3.4.3. Chop and chop star

1 p; q
def p, q prj empty
2 p ,…, p
h
prj q def
empty
c
prj q h N 3 p
,…, p
h 1
prj q def
p ,…, p
h
prj q h N 4 p
,…, p
h m
prj q def
p ,…, p
h
, p ,…, p
h m − 1
prj q m N −
{0} h N 5 p
,…, p
h
prj q def
× m: m N p
,…, p
h m
prj q h N 6 p
,…, p
h +
prj q def
× m: m N − {0} p
,…, p
h m
prj q h N 7 p
m
def p
m
prj empty 8 p
def p
prj empty 9 p
+
def p
+
prj empty

In definitions 4–6 above, if $h = 1$, we obtain the definitions of $p^m$ prj $q$, pprj q, and $p^+$ prj $q$.

The chop star (Moszkowski, 1993) operator can also be defined by the projection operator. p holds over an interval if the interval can be partitioned into a sequence of finitely or infinitely many subintervals and p holds on each one. The formal interpretation can be given as follows:
s, i, c, d, j =p if there exist integers r
1
,…, r
h
such that i 5 r
1
5 ... 5 r
h
= j, and for 1 B n
B h, s, r
n − 1
, I
n − 1
, r
n
=p
where I
n − 1
= [l
I
k
, l
I
k
] if
r
n
= r
n − 1
= k,
and I
n − 1
= I
k
if i k = r
n − 1
B r
n
, and I
n − 1
= [c, d] if
i = r
n − 1
B r
n
.

3.4.4. Parallel operator

p q=pq; trueqp; true

With the parallel construct, the processes $p$ and $q$ are executed over a sequence of macrostates synchronously, and can be modelled by true concurrency. In fact, the parallel operator presented here is very close to conjunction. The basic difference between $p \parallel q$ and $p \wedge q$ is that the former allows both processes $p$ and $q$ to specify their own intervals while the latter only permits one of them, either $p$ or $q$, to do so. For instance, $T_f = 2 \parallel T_f = 3$ holds but $T_f = 2 \wedge T_f = 3$ is obviously false.

3.4.5. Conditional statement

if b then p else q def b p ¬b q
if b then p def if b then p else empty

where $b$ is a boolean state term consisting of constants, variables, propositions, and boolean connectives.

3.4.6. Unit assignment operator

x e def skip x = e

where $x$ is a variable, and $e$ an expression (term). The unit assignment assigns value $e$ to $x$ at the next state, and, in the meantime, it specifies the length of the interval over which the assignment takes place to be 1.

3.4.7. Terminations and iterations

1 finp
def empty p
2 keepp def
more p 3 haltp
def empty l p
4 while b do p def
b p fin¬b 5 repeat p until ¬b
def p; while b do p
6 for k = m to n do p def
if n B m then empty else p; for k = m + 1 to n do p

where $m$ and $n$ are static variables or constants while $k$ is a static variable. The fin(p), keep(p), and halt(p) have similar meanings to $fin_c(p)$, $keep_c(p)$, and $halt_c(p)$ but are concerned with the discrete macrostate sequences. fin(p) holds over an interval if $p$ holds at the final microstate over an interval, whereas keep(p) holds over an interval as long as $p$ holds at all states ignoring the end microstate of the final macrostate. halt(p) holds over an interval if and only if $p$ holds at the end microstate of the final macrostate.

The while, repeat and for constructs facilitate iterations. Their meanings are similar to their meanings in imperative programming languages. In particular, while b do p holds over an interval if and only if the interval can be partitioned into finitely or infinitely many subintervals on each of which $b \wedge p$ holds ($b$ evaluated at the starting microstate), and $\neg b$ holds eventually at the final microstate $(s_k^-, s_k^+)$ (but evaluated with the right limit state $s_k^+$) if any. Otherwise, the formula $p$ is executed repeatedly ad infinitum.

The temporal operators are called next ($\bigcirc$), projection (prj), chop (;), chop star ($*$), continuous chop ($;_c$), continuous eventually ($\Diamond_c$), continuous always ($\Box_c$), always ($\Box$), sometimes ($\Diamond$), weak next (Õ) and continuous parallel ($\parallel_c$).

3.5. Precedence rules

In order to avoid an excessive number of parentheses, the following precedence rules are used: 1 first: ¬; 2 second: 2
c
,
c
, d, Õ, 2,
; 3 third: ×
, Ö; 4 fourth: = , ; 5 fifth: , ,
c
; 6 sixth: , l ; 7 seventh:;
c
;, prj.
4. Examples of hybrid systems