Directory UMM :Data Elmu:jurnal:B:Biosystems:Vol55.Issue1-3.2000:

(1)

A logic for biological systems

Zhenhua Duan, Mike Holcombe *, Alex Bell

Department of Computer Science,The Uni6ersity of Sheffield,Sheffield S1 4DP,UK

Abstract

This paper proposes a specification language, hybrid projection temporal logic of modelling, analyzing and verifying biological systems which can be considered, in general, to be hybrid systems consisting of a non-trivial mixture of discrete and continuous components. The syntax and semantics of the logic are presented, and some examples of hybrid systems are modelled to illustrate the formalism. © 2000 Elsevier Science Ireland Ltd. All rights reserved.

Keywords:Temporal logic; Dynamic systems; Biological systems; X-Machine; Automata; Hybrid systems

www.elsevier.com/locate/biosystems

1. Introduction

Biological systems can be viewed as complex, parallel collections of communicating and cooper-ating processing systems with a complex hierarchy (Holcombe, 1991). Attempts to model parts of these systems at various levels in the hierarchy have demonstrated that the processing that is going on is essentially a combination of both discrete events, perhaps involving threshold ef-fects and continuous, evolving, dynamic pro-cesses, for example chemical rate equations. Thus these systems are examples of hybrid systems.

Hybrid systems are systems that consist of a non-trivial mixture of continuous activities and discrete events. To model, analyze, verify, and control such a system, transition systems (Manna

and Pnueli, 1993), hybrid automata (Alur et al., 1993), hybrid graphs (Nicollin et al., 1993), state charts (Harel, 1987; Keten and Pnueli, 1992), and integration graphs (Keten et al., 1993), as well as formalisms based on temporal logic, e.g. duration calculus (Chaochen et al., 1993) systems based on a two-phase step assumption. In these models we explicitly describe the system state by a combina-tion of two types of variables, continuous ones that evolve without discontinuity during the life-time of the system and discrete variables which model disjoint state changes and external event: onsets and completions, for example.

The basic systems model we will use is a hybrid version of the X-machine (Eilenberg, 1974; Hol-combe and Ipate, 1998). Here we consider a sys-tem to possess a finite number of (internal) states. Associated with the system are two sets of vari-ables, continuous variables which might represent the concentration of a substance, temperature of some part of the system, real time value etc. and * Corresponding author. Tel.:+44-114-2221802; fax:+

44-114-2221810.

E-mail address:[email protected] (M. Holcombe)

(2)

discrete variables which will represent specific ab-stractions such as whether a particular substance is present or not, whether a given molecule is in a particular mode and whether some attribute is present or not etc. There are many examples which will be found of these variable types in every biological system. The modeller must decide the le6_el _{of detail and the} _scope _{of the model at}

the outset and the states and variables will be determined in the light of this. Models may be of molecular systems, cellular systems or tissue/ or-gan systems. Other phenomena which we need to identify are the sort of environmental influences that the system reacts to, these will be represented as discrete events. There will also be system ac-tions which describe discrete responses which the environment of the system experiences as a result of the system’s behaviour.

The next ingredients is a sets of equations (of-ten differential equations) which are associated with each internal state. These describe how the continuous variables change while time passes and the system is in that state. There may be special conditions associated with a state, called lea6ing conditions which will be conditions on one or more of the continuous variables that determine if a transition to another state must occur. Finally we have a set of discrete transitions which operate between states. These transitions are triggered ei-ther by a leaving condition becoming true or because a specific external event (input) has oc-curred. In some cases there may be several possi-ble transitions that can be taken once a leaving condition is true, which one happens, in a deter-ministic system, will depend on which event oc-curs first. Clearly there has to be some careful thought given to the relationships between leaving conditions, events and transitions to ensure that the system description is consistent and complete in the sense that we don’t find a situation where a leaving condition is satisfied and no valid transi-tion exists! The system then moves instanta-neously to another state where there is a new set of equations describing how the continuous ables will behave, naturally the continuous vari-ables behave in a continuous way after such a state change. A state transition may manipulate the discrete variables and there may be some sort of environmental action or output that occurs at the transition. To deal with the problem that some state transitions may take a non-trivial amount of time to operate we introduce an inter-mediate state and have instantaneous start and end transitions. The model operates in conjunc-tion with a continuous clock which provides a reference point for all activity. This is a hybrid X-machine, see Fig. 1.

Using it we can greatly simplify many mathe-matical models which try to capture the behaviour of variables but do not take advantage of the inherent state structure of systems, see Fig. 2 (Bell and Holcombe, 1998).

The purpose of the logic is to provide a rigor-ous language for describing these machines and the properties that they may posses. We can use a formal symbolic logic like this to either derive Fig. 1. A simple hybrid X-machine diagram.

(3)

Fig. 2. Complex behaviour modelled using a hybrid X-ma-chine.

ei₀,ai₀,ei₁,ai₁,… (1)

This model is similar to the interleaving model for concurrent computations.

Since discrete events take zero time, a discrete event ei_j takes place actually at the exact point in

time when continuous activity ai_j starts to evolve.

Thus, it is better to describe the sequence (Eq. (1)) of the computation run by the following sequence: {ei₀,ai₀}, {ei₁,ai₁},… (2)

where {ei_j,ai_j} represents a step of the

computa-tion which is the same as in sequence (1) but ei_j

and ai_j take place at the same time. However, ai_j

takes a time duration while ei_j occurs only at the

beginning of the time duration for ai_j. This

com-putational model is somewhat similar to the true concurrency model for concurrent computations.

Furthermore, the projection construct (Duan et al., 1994b), (p1,…,pm)prjq, can be thought of as a

special parallel operator. Intuitively, it means that

q is executed in parallel with p1,…, pm over an

interval obtained by taking the endpoints (ren-dezvous points) of the intervals over which p1,…,

pmare executed. The projection construct permits

the processesp1,…,pm,qto be autonomous, each

process having the right to specify the interval over which it is executed. In particular, the se-quence of processes p1,…, pm and process q may

terminate at different time points. Although the communication between processes is still based on shared variables, the communication and synchro-nization take place only at the rendezvous points (global states). Otherwise they are executed inde-pendently. See Fig. 3.

The two time scales of the projection construct may allow us to model hybrid systems. Naturally, if processes p1,…, pm are treated as continuous

activities over local time subintervals while pro-cess q is thought of as a discrete process which proceeds in a synchronous way with processes

p1,…,pmbut communicates with them only at the

time instants when processes p1,…, pmstart, then

the continuous activities and discrete events can be combined in a uniform way. A computation run of a projection construct modelling a hybrid system is exactly as indicated in sequence (2). Therefore, we believe that the projection construct Fig. 3. Projection construct.

consequential properties deduced from the ma-chine definition or to implement a logic program-ming language which could be used as a simulator deriving scenarios of behaviour that the system can undertake.

A computation run of a hybrid system is as-sumed to be a sequence of two-phase steps. The first phase of a step corresponds to a continuous state evolution usually described by differential equations, which may be describing, for example the evolution of specific enzyme driven process-ing; in the second phase, the state is submitted to a discrete change taking zero time, this results in the system being switched into a situation where a, possibly, different collection of differential equations is modelling the way the continuous variables behave. More precisely, a computation run of a hybrid system is an alternate sequence between continuous activities ai_j and discrete

(4)

is more suitable for modelling hybrid systems. It is not straightforward, however, to generalize the projection construct from a time-free notation to a timed notation for hybrid systems. The general-ization requires a radical shift in the semantics of the underlying logic.

This paper proposes a Logic, (HPTL), for mod-elling, analyzing, verifying and understanding hy-brid biological systems. The syntax and semantics are presented. It is intended to provide a fully general formal logic to allow for the precise rea-soning about arbitrary biological systems. Since these systems are going to be incredibly complex any formal reasoning has to be automated and a formal logic is the prequisite for achieving this. We are not considering the process as being only one of simulation. What we want to achieve is a mechanism whereby mathematical facts, which will be valid in precisely described conditions, can be deduced from the description of the model. Simulation can only provide a finite number of scenarios describing system behaviour and cannot generate statements that are universally true or true in infinitely many situations, however simula-tion is a valuable way of getting greater under-standing of the model and should be accommodated as well.

This paper is organized as follows: Section 2 explores hybrid systems; Section 3 is devoted to formalizing the hybrid projection temporal logic; in Section 4, examples of two simple biological systems are modelled with HPTL to illustrate the formalisms; finally, conclusions are drawn in Sec-tion 5.

2. Hybrid systems

2.1. Time and time inter6_als

We model time by the non-negative real line

R_{. So a time}

inter6_al1 _{is a left and right closed}

subinterval ofR _{if it is finite; or it is a left closed}

and right unbounded subinterval if the interval is

infinite. The left end-point of a time interval Iis denoted by lI and the right end-point, for

bounded I, is denoted byrI. Two intervals I1and

I2are adjacent ifrI₁=lI₂. Atime inter6al sequence

I(=I0I1… is a finite or infinite sequence of time

intervals that partitions R_:

Any two neighbouring intervalsIiandIi+1are

adjacent.

For the first time intervalI0,lI₀=0, and for the

final time interval of any finite interval se-quence, it is unbounded.

Note that the above definition guarantees that for all tR

, there is some interval Ii with tIi.

The time interval sequence I(1 refines the time interval sequence I(2 if I(1 is obtained from I(2 by

splitting some intervals. Clearly, for any finite set

SI of time interval sequences there is a time

inter-val sequence SSIthat refines all sequences in SI.

2.2. Obser6_{ing hybrid systems}

We first make the following assumptions: (1) any hybrid system is observable; that is, the exe-cutions of the components involved in the system can be recorded by an observer or an agent; (2) at any time instant, at least one component can be observed if the system has not finished; (3) a continuous activity takes a time duration and a discrete event takes zero time2_{; (4) time is}

continu-ous and time divergence excludes Zeno computa-tions in which there are infinitely many changes for discrete variables within a finite time interval. Suppose the set A={a1,…, an} of continuous

activities and the set E={e1,…, em} of discrete

events are involved in a hybrid physical environ-ment. As time goes by, an observation sequence of executing components from A and E can be obtained when an agent (or some equivalent) observes the system. Basically, an observation se-quence achieved in such a way can be in the following form:

c0,c1,c2,… (3)

2_{If a discrete event takes time, we can make a two-phase} step consisting of a man-made continuous activity by imposing a continuous variable as a timer but not changing discrete variables, followed by a discrete event changing the discrete variables instantaneously.

1_{The time interval and time interval sequence are similar to} that presented in (Alur et al., 1993) but they are modified for our purpose.

(5)

where ciA@E if the computation is

well-inter-leaved and all discrete events take no time. How-ever, in practice, a hybrid system is not so regular. The continuous activities and discrete events may be mixed in a very complicated way including overlapping and/or concurrency. Therefore, in general, the ci in sequence (3) can contain a

number of components, from A@E, which is executed in a concurrent and/or overlapping man-ner. Furthermore, if the discrete event ei can be

thought of as a continuous activity eai, which

takes a time duration, followed by a discrete event

ediwhich occurs instantaneously, andeis used as

a vacuous discrete event (a doing nothing opera-tion), then sequence (3) can be rewritten as: {edi₀,c0}, {edi₁,c1},… (4)

where ci=ai1…aik for some kN,

ai_jA@{eajejE}, andedi_j{edjejE}@{e}.

Sequence (4) tells us the following facts: (1) for all continuous activities, ai_j contained in ci

pre-cedesai_j₊₁ contained inci+1 and, for all discrete

events,edi_jis prior toedi_j₊₁; (2) eachci, containing

a set of continuous activities, takes a time interval

Ii, and I0I1I2… is a time interval sequence; (3)edi_j

andcitake place at the same time butedijoccurs

only at the time instant lI_i. Since an event which

takes a time duration can be decomposed as a continuous activity followed by a discrete event which takes no time, whenever the term ‘discrete event’ is used, in what follows, this implies the ‘event’ takes no time. Otherwise it will be clarified explicitly.

The computing model shown by sequence (4) for hybrid systems is similar to the true concur-rency model for time free concurrent computa-tions. It is a fundamental basis for both the finite state machine-based notation and the logic-based notation which we use for modelling hybrid systems.

2.3. Modelling of hybrid systems

In this section, we describe the observation sequence (4) in a more formal way. Let II be a finite set of propositions, and Vbe a finite set of real-valued variables. The variables are divided

into static variables, denoted byVsta, and dynamic

(or state) variables denoted by Vdyn; the dynamic

variables consist of discrete variables Vdand

con-tinuous variables Vc. The value of a continuous

variable can be changed at any time instant. A static variable keeps stable over a subsequence of a time interval sequence, while a discrete variable and a proposition remain unchanged only in a time interval over which a continuous activity evolves.

To formalize the observation sequence (4), we need a two-state notation. One is a microstate, the other is a macrostate.

A microstate s is an interpretation of all the variables in V and all the propositions in P_{. We} write S _{for the set of microstates.}

We make the following conventions: (1) at any time instant t, for each variable xV, x can have two values, one denoting the left limit x−₍_t_{), the}

other denoting the right limitx+₍_t_{). If}_x_is

contin-uous at the time instant t, then x−₍

t)=x+₍

t). In this case, we often write a single x instead of x−

andx+ _{(note that the same notations will be used}

for functions); (2) since variables can have two values at one time instant, a point in time can have two microstates, s− _{(called the left}

mi-crostate) and s+ _{(called the right microstate),}

where s−

represents the interpretation of all left limits of variables while s+ _{represents the}

inter-pretation of all right limits of variables. If, at any time instant, all variables are continuous, then s−

and s+ _{are identical. In this case, we also write a}

single microstate sinstead of s− _and_s+_.

Let I=[lI,rI] be a time interval, andI

=(lI,rI)

be its corresponding open interval. A function f:

I0_R_is _{piecewise smooth} _on _I0 _if:

at lI, the right limit and all right derivatives of

f exist;

at all points tI0_{, the right and left limits and}

all right and left derivatives of f exist, and fis continuous either from the right or from the left;

at rI, the left limit and all left derivatives of f

exist.

We assume each variablexVhas finitely many discontinuous points over a finite intervalIand is connected with a piecewise smooth function gx:

(6)

R. Thus, gx has finitely many discontinuous

points on I0_{. Hence, there is a sequence}

I(gx₌ I0I1… which partitionsIand the continuous

func-tion sequenceg0_xg1_x… ofgj_x:Ij

0_R_{, such that the}

restriction ofgxto each time interval Ijcoincides

with the restriction ofgj_xtoIj

0_{. Each restriction of}

gxto time intervalIj0is called aphase(macrostate,

see below) ofgx. Letg={gxxVc} be a family of

piecewise smooth functions gx: I0R. It is clear

that the phases ofg are the restriction ofgto the time intervals of the sequence I(g₌_S_{_I₍gx_x_V

c}.

This ensures that, for a given hybrid system, there exists a sequence of phases to model it.

A piecewise-smooth functiong:I0

Ris piece-wise linear if each phase ofg is linear.

A piecewise-linear function g: I0

R is a con-stant slope function if the slope ofg is a constant

kR. In particular, a constant slope function is a step, clock, or integrator function if the slopekis 0, 1, or sometimes 0 and sometimes 1, respectively (Alur et al., 1993).

It is now time to define macrostates. A

macrostate mi is a tuple, (s+i ,Ii,gi,s−i+1)3, which

models a continuous activity, where Ii is a time

interval (or duration), andgiis a family of

contin-uous (more often derivable) functionsgi_x: Dx×g:

iR,Dxis the domain of the variablex.

Equiv-alently, gi is a continuous (derivable) function

fromDx×I

i to.s

i denotes the right microstate

at time point lI_i whereas s−

i+1 _{denotes the left}

microstate at rI_i. Actually, gi can be defined by:

gi:VDx×Ii

0_R

gi:V×Dx×I0R.

Equivalently,

gi:Dx×I

0_S

We will use gi in a flexible manner within this

paper and often write gi_x(x0)(t) instead of

gi_x(x0,t). Note that gi and gi_x are respectively

unary functions from I0

i to and from I

i to R.

whenx0 is a constant ingi(x0,t) and gi_x(x0,t).

A computation run of a hybrid system can formally be defined by:

s_¯_:₍_s

+_,_I

0,g0,s1

−₎₍_s

+_,_I

1,g1,s2

−₎

(s+2,I2,g2,s−3)… (5)

such that:

I0I1I2 is a time interval sequence;

for all 05i, g+i (lI_i)=s+i , andg−i (rI_i)=s−i+1;

the function sequence g0g1… is a restriction of

some piecewise smooth functiongto each time interval I0

Sequence (5) above is a formal refinement of sequence (4). We can see the discrete events have disappeared in sequence (5) because the informa-tion has been recorded in the si

+_{. Actually, the}

discrete event edi initializes the function gi at

microstate si

+_{. The microstate} _s−

i+1 is redundant

but useful for manipulations.

For a macrostate mi, if gi=id (the identical

function), then over the time duration Ii, no

con-tinuous variables change but time progresses. Thus, s+i agrees withs−i+1, somican be simplified

to (si,Ii). This is the structure of a trace required

for discrete event systems. Furthermore, ifIi=[ti]

is a singleton interval, then it only describes the status of variables at time point ti.

In sequence (5), note that (1)s−

i andsi

can be identical; in this case, it implies that the macrostates mi−1 and mi are the two parts of a

macrostate, and are obtained by splitting this state. (2) A segment of or whole of sequence (5) can denote a discrete event sequence, as long as

gi=id in the segment. (3) The gi is a family of

functions gi_x for xV within the macrostate mi;

the members of gican change from state to state.

This allows us to cope with the overlapping and/ or concurrent activities and events.

Therefore, sequence (5) provides us with a generic faithful model for dealing with an arbi-trary mixture of continuous and discrete compo-nents in a hybrid system.

The pair (s−

i ,si

+_{) is called a partition point. The}

points in time lI_i−1, and rI_i are time stamps of

s−

I−1 andsi

+_{, respectively and the time durations,}

[rI_i−1,rI_i−1], i.e. the right end point of the time

intervalri−1with macrostatemi−1, andIi, i.e. the

time interval with microstate mi, are called the

time durations of s−

i– 1and s+i .

3_{More precisely, a macrostate is of the form ((}_s−

i ,s+i ),Ii,gi,

(s−

(7)

s_¯:(s0,I0,g0,s1)(s2,I1,g1,s3)(s4,I2,g2,s5)

… (6)

For ease of manipulations, in what follows, we use sequence (6) obtained from sequence (5) by splitting each pair of partition points into two separate microstates, hereafter called end mi-crostates, and re-numbering the subscripts of the end microstates in a consecutive manner and delet-ing their subscripts but keepdelet-ing their time stamps and time durations. For a macrostate mi=

(sj,Ii,gi,sj+1), ifIi=[tj,tj] is a trivial point interval,

then this macrostate retrogrades to a discrete state (sj,tj), and ifgiis the identical functionid, then this

macrostate retrogrades to (sj,Ii,id,sj). Therefore,

sequence (6) subsumes the case in which a discrete timed state subsequence may be involved. Sequence (6) provides us with a generic structure which can be used as both a logic model and a computation run of a finite state machine.

3. A hybrid projection temporal logic

This section is devoted to presenting briefly the hybrid projection temporal logic (HPTL). HPTL can be thought of as a generalization of the first order temporal logic (Moszkowski, 1986, 1993; Kroeger, 1987; Manna and Pnueli, 1992) and Timed ITL (Duan et al., 1994a) with projection (Duan et al., 1994b).

3.1. Syntax

The termseand formulaspof the logic are given by the following grammar:

e::=uxx+_x−_x ;+_x

;

−ebeg(e)end(e)TtfTff(e1,…,en)

p::=p_e₁

=e2P(e1,…,en)¬pp1

p2×x:ppp;cq(p1,…,pm)prjp

where pP _{is a proposition,} _x _{is a dynamic} variable anduis a static variable.x+_,_x−_,_x

;+_and

x;−_{are the right limit, left limit, right derivative, and}

left derivative of the variable x, respectively. In

f(e1,…,en) andP(e1,…,en), it is assumed that the

types of the terms are compatible with those of the arguments of f and P.

The time variable T denotes simply the current time instant; the time variable tf specifies a time

duration within the current time interval; the time variable Tf represents a time duration from the

current time instant to the end of the final time interval of the current state interval if any.

A formula (or term) is called a state formula (or term) if it does not contain any temporal operators; otherwise it is a temporal formula (or term). 3.2. Semantics

As mentioned earlier, a microstatesis an assign-ment which, for each variable6V, definess[6], and for each proposition pP defines s[p]. s[6] is a value of the appropriate type or nil (undefined), whereas s[p_]_{{true, false}.}

A state inter6al (or interval for short) s₌B

m0,m1,…\ is a non-empty (possibly infinite)

se-quence of macrostates. It is a subsese-quence of a computation runs_¯_{. The length of}s_{, denoted by}s_, is defined as v _if s _{is infinite; otherwise it is the} number of end microstates ins_{minus 1. For 0}5i,

j5s_{, we will use}s₍_i_.._j_{) to denote the subinterval} starting at the microstate si and ending at the

microstate sj, and s

(k)

to denote the interval B

mk,…\.

Let s₍_i_.._j₎₌Bsi,…sj\ be a state interval and

r1,…,rh(15h) be integers such thati5r15…5

rh5j. The projection of s on to r1,…, rh is the

interval:

s_¡(r1,…rh)=B(sn₁,tn₁), (sn₂,tn₂),…,(sn_k,tn_k)\

where n1,…, nk is obtained from r1,.., rh by

deleting all duplicates. That is, n1,…, nk is the

longest strictly increasing subsequence ofr1,…,rh;

and tn_j is the time stamp of the end microstatesn_j

for 15j5k. For example:

Bm0,m1,m2,m3,m4\¡(0, 0, 2, 2, 2, 3)=

B(s0,iI₁), (s3,rI₁)\

When it is clear in the context, we write the projected interval consisting of only states without times. For instance, the above interval can be simplified to Bs0,s2,s3\.

(8)

An interpretation is a tuple I₌(s,i,c,d,j), where s₌Bm0,m1,…\ is a state interval, i an

integer, andjan integer orv_{such that 05}_i5j5 s_{, while} _c _and_d _{are reals such that [}_c_,_d_]¤_I

i, Ii

is the time duration of the end microstate si.

Intuitively, s _{provides an interval over which} terms and formulas are interpreted pointwisely; the parameters i and j serve as indicators of the starting end microstate si and the final end

mi-crostate sj, respectively while c and d define a

subtime interval [c,d], called the active time inter-val, of the time duration Iiof the end microstate

si. The parameteriis needed because the

interpre-tations of, the terms and formulas with the next operator, as well as the formulas with the discrete chop (;) and the projection (prj) operators refer to it; the parameterjis required because the discrete chop and projection operators partition the cur-rent state interval by changing parametersiandj; the parameters c and d are indispensible for the continuous chop operator (;c) since a subformula

may be interpreted over a subtime interval of the current time interval Ii.

For simplicity, in what follows, we use the notations; (s_,_i_,_I_,_j_{) to stand for (}s_,_i_,_x_,_y_,_j_{) if}

I=[x,y], (s_,_i_,_x_,_j_{) to represent (}s_,_i_,_x_,_x_,_j_{) and} (s_,_i_,_x_{) to denote (}s_,_i_,_x_,_x_,_i_{). One point we} clarify here is that the interpretation notation (s,i,I,j) covers the discrete case since a discrete timed state (si,ti) over the interval s can be

refered by usingI=[ti,ti].

For every terme, the evaluation of e relative to interpretation I is defined in I[e] by induction on terms in the following way, where x is a dynamic variable,uis a static variable, ande1,…,

em are terms:

local interval and q holds at the beginning (a microstate) of the interval; in the second case,qis interpreted and stopped before some pk starts to

be interpreted; whereas in the third case.p1,…,pm

are all finished before q.

but only acts on the active time interval. p;c q

holds if the active time interval can be split into two time intervals, and p holds over the first and

q holds over the second. State sequence as well as the mixed state sequence. In the discrete case, the

Ii is merely a trivial point interval.

3.3. Satisfaction and 6_alidity

A model is a macrostate interval. Given a model s _{and a formula} _p_, s _{is a model of} _p _if s₌_p. If there exists a model s, s₌_p then p is called satisfiable. If for all modelss,s₌_pthenp

is said to be valid, denoted by =p. Sometimes, we denote =plq by p:q. Let R be a set of intervals satisfying some properties. A formula p

is calledR-satisfiable, denoted bys₌

Rp, if there

exists an interval sR and s₌_p_{. A formula is} said to be R-valid if for all intervals in R, p is

R-satisfiable.

Example 3.1 The formula (beg(x)= 1c(x;= −1)end(x)= −1) describes the

phase transition system given in (Manna and Pnueli, 1993). It is easy to check that the follow-ing interval satisfies the above formula:

s₌_B(_s₀_,_I₀_,_g₀_,_s₁_),…\

where s2_i[x]=1, Ii=[2i, 2(i+1)], gi_x(t)= −

t+2i+1 for tIi, and s2_i₊₁[x]= −1 for all

05i,iN.

3.4. Deri6_{ed formulas}

The derived connectives , and l as well as the logic constants true and false, and universal quantification Öx(xV), are defined as usual. We also use the following derived formulas:

(9)

3.4.1. Operators for microstates

1) cp def true;cp

2) 2cp def ¬c¬p

3) emptyc def tf=0

4) morec def ¬(emptyc)

5) finc(p) def c(emptycp)

6) keepc(p) def c(morecp)

7) haltc(p) def c(emptyclp)

The above formulas are defined over a continu-ous time duration, and interpreted over an active time interval. cp means that p holds at all time

instants from now on over the active time inter-val. 2cp means that p holds form now or from

some time instant in the future within the active time interval. emptyc tells us that the right end

point of the active time interval has been reached.

finc(p) holds over the active time interval as long

aspholds at the right end point of the active time interval;keepc(p) holds over the active time

inter-val ifpholds at all time instants ignoring the right end point. haltc(p) holds over the active time

interval if and only if p holds at the right end point of the active time interval.

3.4.2. Operators for macrostates

1) empty def ¬true

2) more def ¬empty

3) 0

p def p

4) n

p def ( n−1₎_p

5) len n def n_empty

6) skip def len1

7) 2p def true;p(see below for;) 8) p def ¬2¬p

9) Õp def ¬¬p

The above formulas are concerned with a macrostate sequence. The intuitive meanings of the above temporal constructs are similar as for

microstates. empty represents the right end point of the final macrostate over the current interval;

len(n) specifies the length of the state interval to be n; 2p means that p holds eventually in the future from some state, whereas pmeans thatp

holds always in the future from the current macrostate. Õp tells us that either the right end point of the current macrostate is reached or p

holds form the next macrostate of the present state interval.

3.4.3. Chop and chop star

1) p; q def (p,q) prj empty

2) (p0,…, ph)

(0)

prj q def (emptycprj q)hN

3) (p0,…, ph)

(1)_{prj q} _def

(p0,…, ph)prj q)hN

4) (p0,…, ph)(m)prj q def

(p0,…, ph, (p0,…,ph)(m−1) prj q)mN

−{0}hN

5) (p0,…, ph)

(*)

prj q def

×m: (mN(p0,…, ph)

(m)

prj q)hN

6) (p0,…, ph)

(+)

prj q def

×m: (mN−{0}(p0,…, ph)

(m)

prj q)hN

7) pm _def _p(m)_{prj empty}

8) p* def p(_*)_{prj empty}

9) p+ _def _p(+)_{prj empty}

In definitions (4 – 6) above, if h=1, we obtain the definitions of p(m)_{prj q}_,_p_(*)_{prj q}_{, and}_p(+)_prj

The chop star (*) (Moszkowski, 1993) operator can also be defined by the projection operator.p* holds over an interval if the interval can be parti-tioned into a sequence of finitely (or infinitely) many subintervals and p holds on each one. The formal interpretation can be given as follows: (s_,_i_,_c_,_d_,_j₎₌_p* _{if there exist integers} _r

1,…,

rh such that i5r15...5rh=j, and for 1Bn

Bh, (s_, _r_n

(10)

where In−1=[lI_k,lI_k] if rn=rn−1=k, and

In−1=Ik if i"k=rn−1Brn, and In−1=[c,d] if

i=rn−1Brn.

3.4.4. Parallel operator

pq=(p(q;true))(q(p;true))

With the parallel construct, the processesp and

q are executed over a sequence of macrostates synchronously, and can be modelled by true con-currency. In fact, the parallel operator presented here is very close to conjunction. The basic differ-ence between pq and pq is that the former allows processes bothpandqto be able to specify their own intervals while the latter only permits one of them, either p or q, to do so. For instance,

Tf=2Tf=3 holds but Tf=2Tf=3 is

obvi-ously false.

3.4.5. Conditional statement

if b then p else q def (bp)(¬bq)

if b then p def if b then p else empty

where b is a boolean state term consisting of constants, variables, propositions, and boolean connectives.

3.4.6. Unit assignment operator xe def skipx=e

wherexbe a variable, andean expression (term). The unit assignment assigns valueetox at the next state, and, in the meantime, it specifies the length of the interval over which the assignment takes place to be 1.

3.4.7. Terminations and iterations

1) fin(p) def (emptyp) 2) keep(p) def (morep) 3) halt(p) def (emptylp)

4) while b do p def (bp)*fin(¬b) 5) repeat p until ¬b def p; while b do p

6) for k=m to n do p def if (nBm)

then empty else (p; for k=m+1 to n do p) wheremand nare static variables or constants while k is a static variable. The fin(p), keep(p), and halt(p) have similar meanings to finc(p),

keepc(p), and haltc(p) but are concerned with the

discrete macrostate sequences. fin(p) holds over an interval if p holds at the final microstate over an interval, whereas keep(p) holds over an inter-val as long aspholds at all states ignoring the end microstate of the final macrostate. halt(p) holds over an interval if and only if p holds at the end microstate of the final macrostate.

The while, repeat and for constructs facilitate iterations. Their meanings are similar to their meanings in imperative programming languages. In particular,while b do pholds over an interval if and only if the interval can be partitioned into finitely or infinitely many subintervals on each of which bp holds (b evaluated at the starting microstate), and ¬b holds eventually at the final microstate (s−

k,s

k) but evaluated with the right

limit state s+

k if any. Otherwise, the formula p is

executed repeatedly ad infinitum.

The temporal operators are called next (),

projection (prj), chop(;), chop star (*), continuous chop (;c), continuous e6entually (2c), continuous

always (c), always (), sometimes (2). weak

next (Õ) and continuous parallel (c)

3.5. Precedence rules

In order to avoid an excessive number of paren-theses, the following precedence rules are used: (1) first: ¬; (2) second:2c,c,d,Õ,2,; (3) third:

×, Ö; (4) fourth: =, ; (5) fifth: , , c; (6)

sixth: , l; (7) seventh:;c;, prj.

4. Examples of hybrid systems

In this section, we illustrate how HPTL can be used to model hybrid systems. Two examples: ion flow and antigen-antibody interaction are mod-elled by the formalisms.

(11)

4.1. Ion flow through 6_oltage_-_{gated channels}

We first model a non-linear hybrid system — ion flow through voltage-gated channels during action potential depolarisation and repolarisation. Ini-tially the system is resting. At the start the mem-brane potential is approximately −70 mV. the Na+_{activation gate is closed, the Na}+ _activation

gate is open and the K+_{gate is closed. During the}

depolarisation phase at a threshold of about −55 mV the Na+_{activation gate opens with the}

poten-tial rising. Repolarisation begins at around +30 mV when the Na+_{inactivation gate closes and the}

K+ _{gate opens. Finally there is the repolarisation}

stage when the potential returns to−70 mV. Both polarisation and depolarisation are exponential processes. The model does not take into account leakage channels and Na+ _{pumps. The overall}

situation is similar to that of a thermostat control system in a processing plant. Here, the temperature of a plant is controlled through a thermostat, which continuously senses the temperature and turns a heater on and off (Nicollin et al., 1992; Alur et al., 1993).

The membrane potential is governed by differen-tial equations. During depolarisation, the mem-brane potential, denoted by the variable x, decreases according to the exponential function

x(u_,_t₎₌u_e−kt

, wheretis the time,u_{is the initial} potential, and k is a constant determined by the circumstances; when repolarisation is occurring, the potential follows the function x(u,t)=

u_e−kt

+h(1−e−kt_{), where} _h _{is another system}

constant. Suppose that the initial potential is u

We wish to keep the potential betweenu

M andum

(05u_m5u_M_{). We now model this system in} HPTL:

p1defc(x;= −kx)haltc(x=um)

p2defc(x;=h(X−x))haltc(x=uM)

qdefx=u_M(x=u_M(x=u_m₎₎ (x=u_m(x=u_M₎₎ then the formula:

(p1,p2)(+)prj q(p1, (p2,p1)(+))prj q

models the ion flow. It is clear that the first disjunct models the situation in which the process starting withp1and followed byp2is repeatedly executed,

whereas the second disjunct models the case in which the process p1 is firstly executed, then the

process starting with p2 and followed by p1 is

repeated. We require that the following hold:

(c(um5x5uM)).

4.2. Antigen–antibody interaction

t=0, antigen is introduced and increases towards the threshold X. L time units later, the antibody response starts.

The following formulas of HPTL describe the possible scenarios:

p1defc(x=x0ekt)c(y=y0)haltc(t=L)),

p2defc(x=x0ekt−yy

=y0e

haltc(x=0x=X)),

q def=t=0x0=Dy0

=D((x0=xy0=y))

2₍_x₌₀_{infection clears)}

(x=Xnasty outbreak of blue spots!). Thus, the following projection construct models the system:

(p1,p2)prj q

where the continuous variables,xandy, represent the amounts of Ag and Ab respectively. Further details of X-machine models of aspects of the immune system can be found in Bell (1999).

5. Conclusions

This paper proposes a faithful generic computa-tional model for hybrid systems based on which a

(12)

specification language called hybrid projection temporal logic is formalized. The syntax and se-mantics as well as a considerable number of derived formulas are presented. To illustrate the expressive power, a number of non-trivial hybrid systems are modelled within HPTL. We believe that our formalisms are powerful enough to define many important examples of biological systems. The langauge will be developed to incorporate a powerful communication construct which is based on channels which will link a dynamic network of hybrid machines. Further research is also needed into creating efficient techniques for symbolic sim-ulation and verification of biological systems ex-pressed in this language. Continuing develop-ments in automated reasoning will make this more and more possible in the future. These issues will be discussed elsewhere.

Acknowledgements

This research was partly supported by the UK EPSRC Grant GR/H73585.

Appendix A. The interpretations of terms 1. I_[_u_]₌_s_i_[_u_]₌_s_t_[_u_{] for}_l_I

i5t5rIj−1 and

st=gi(t), if u is a static variable, and Ii is

the time duration ofsi.

2. I[y]=si[y]=st[y]=si+1[y], for lI_iBtBrI_i

and st=gi(t), ify is a discrete variable,

and Iiis the time duration of si.

3. I[x]=g0_x(x0) (c), ifx is a continuous

variable, x0Dx (the same for those

be-low), and x+₌_x−_.

I_[_x+_]₌_lim

tc(g0_x(x0) (t)), ift−c\0,

and x is a continuous variable.

I[x−_]

=limtc(g0_x(x0) (t)), if t−cB0,

and x is a continuous variable. 6. I[x;+_]

=limtc(g0_x(x0) (t)−g0_x(x0) (c))/

(t−c), 7. I[x;−_]₌_lim

tc(g0_x(x0) (t)−g0_x(x0) (c))/

(t−c), ift−cB0, and x is a continuous variable.

I_[_f₍_e_1,…,_e m)]

!

nil if

I[eh]=nilfor someh{1,…,m} f(I_[_e

1],…,I[em]), otherwise

9. I[e]

>

(s,i+1,Ii+1,j)[e] ifi\j, andIi4+1is the time duration ofsi+1

nil otherwise

10. I_[_beg₍_e_)]₌_s₂_i_[_e_]. I_[_end₍_e_)]

11.

!

s2i+1[e] ifIiis a finite time interval

nil otherwise

I[T]=c

12.

I[tf]=d−c

13.

14. I[Tf]=rIs−c

As can be seen, variables and their limits and derivatives are interpreted at the beginning of the active time interval [c,d]. eis evaluated at the next end microstate (which may be a dis-crete state) with the active time interval being the time duration of the next end microstate.

For a formula p, the evaluation of p relative to the interpretation I is defined by I[p]. I₌ p iff I[p]=true. The relation = is inductively defined as in B.

Appendix B. The interpretations of formulas

I₌_true_.

15.

I*=false. 16.

I₌_p _iff _s+_i

[p]=sc[p]=s

−

i+1[p]=true,

17.

sc=gi(c), if p is a proposition.

18. I₌_P₍_e₁_,…, _e_m_{) iff for all} _h_{, 0}5h5m,

I_[_e_h_]"niland P(I_[_e₁_],…, I_[_e_m_])₌_true,

ifp is a primitive predicate other than =.

I=e1=e2 iff I[e1]=I[e2], if e1, e2 are

19.

terms.

20. I₌_¬_p _iff I*₌_p_.

21. I=pq iff I=p and I=q.

I₌_p iff (s,i+1,Ii+1,j)=p ifi\j,

22.

andIi+1 is the time duration of si+1.

I₌₍_p_;_c_q_{) iff there exists} _t _{such that} _c5 23.

t5d and (s_,_i_,_c_,_t_,_i₎₌_p _and (s_,_I_,_t_,_d_,_j₎₌_q_.

(13)

I₌(p;q) iff there exists k, i5k5j such 24.

that (s,i,c1,d1,k)=p and

(s_,_k_,_c

2,d2,j)=q, where, ifk=i then

c1=d1=lI_i and c2=c, d2=d; if k=j then

c1=c, d1=d andc2=d2=rI_j; otherwise

c1=c, d1=d andc2=lI_k, d2=rI_k; where Ih

is the time duration of sh.

I=×x: p iff there exists an interval s%_, s%

25.

and s _are_x_{-equivalent, denoted by} s%x

=s,

and (s%_,_i_,_c_,_d_,_i₎₌_p_{. We say} s% _is _x

-equivalent to s _if s₌s%_{, and in all}

macrostates, Ii=I%i for all i, 05i5s, s%

and s _{agree on all values of variables,} ex-cept possibly for the values assigned to x

by evolution functions and transition events. That is, sn, sn+1, gn coincide with

s%_n, s%_n₊₁, g%_n over In=I%n for all n, 05n5

s_{, and for all} _y_, _yV−{x}.

I=(p1,…, pm)prjq iff there are integers

26.

r0,r1,…, rm such that i=r05r15…5

rm=j and for all n, 0BnBm (s,rn−

1,In−1,rn)=pn and (s¡(r0), 0,lIi)=q or

there are integers r0,…, rh(05h5m) such

that i=r05r15…5rh and for all n, iB

n5h (s_, _r_n₋₁_,_I_n₋₁_,_r_n₎₌_p_n_{, and}

IfhBm, then (s_¡₍_r₀_,_r₁_,…,_r_h_{), 0,}_l_I_,_h₎₌_q and there are integersrh+1,…, rm such that

rh5…5rm=s and for all hBn5m (s,

rn−1,In−1, rn)=pn;

Ifh=m, then (s_¡(r0,r1,…,rm)s(rh+1…s), 0,

lI_i,s)=q. where In−1 is the time duration

of sn−1.

References

Alur, R., Courcoubetis, C., Henzinger, T.A., Ho, P.-H., 1993. Hybrid automata, an algorithmic approach to the specification and verification of hybrid systems. In: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (Eds.), Hybrid Systems, vol. LNCS 736. Springer Verlag, pp. 209 – 229.

Bell, A., 1999. Formal Computational Models of Biological Systems. PhD thesis, University of Sheffield, 1999. Bell, A., Holcombe, M., 1998. Computational models of

immunological pathways. In: Holcombe, M., Paton, R. (Eds.), Information Processing in Cells and Tissues. Plenum Press, pp. 213 – 226.

Chaochen, Z., Ravn, A.P., Hansen, M.R., 1993. An extended duration calculus for hybrid real-time systems. In: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (Eds.), Hybrid Systems, vol. LNCS 736. Springer Verlag. Duan, Z., Holcombe, M., Linkens, A., 1994. Timed interval

temperal logic and modelling of hybrid systems. In: Guasch, A., Huber, R.M. (Eds.), Proceeding of Modelling and Simulation ESM’94, Barcelona, Spain, June 1 – 3, pp. 534 – 541.

Duan, Z., Koutny, M., Holt, C., 1994. Projection in temporal logic programming. In Pfenning, F. (Ed.), Proceedings of Logic Programming and Automatic Reasoning, Lecture Notes in Artificial Intelligence, a subseries of LNCS, July, 1994, Vol. 822, Springer Verlag, pp. 333 – 344.

Eilenberg, S., 1974. Automata, Languages and Machines, vol. A. Academic Press.

Harel, D., 1987. Statecharts, a visual formalism for Complex Systems. Sci. Comp. Prog. 8, 231 – 274.

Holcombe, M., Ipate, F., 1998. Correct systems — building a business process solution. In: Applied Computing Series. Springer-Verlag.

Holcombe, M., 1991. Mathematical models of biochemistry. In: Ji, S. (Ed.), Molecular Theories of Cell Life and Death. Rutgers University Press, pp. 250 – 263.

Keten, Y., Pnueli, A., 1992. Timed and Hybrid Statecharts and their Textual Representation. Springer Verlag, pp. 561 – 619.

Keten, Y., Pnueli, A., Sifakis, J., Yovine, S., 1993. Integration graphs: a class of decidable hybrid systems. In: Nerode, A., Ravn, A.P., Rischel, H. (Eds.), Hybrid Systems, vol. LNCS 736. Springer Verlag, pp. 179 – 208.

Kroeger, F., 1987. Temporal Logic of Programs. Springer-Verlag, Berlin, Heidelberg.

Manna, Z., Pnueli, A., 1992. The Temporal Logic of Reactive and Concurrent Systems, vol. 1. Springer-Verlag. Manna, Z., Pnueli, A., 1993. In: Grossman, R.L., Nerode, A.,

Ravn, A.P., Rischel, H. (Eds.), Verifying Hybrid Systems, vol. LNCS 736.

Moszkowski, B., 1986. Executing Temporal Logic Programs. Cambridge University Press, Cambridge, England. Moszkowski, B., 1993. Some Very Compositional Temporal

Properties. No. 466, December, 1993, Department of Computing Science, University of Newcastle.

Nicollin, X., Olivero, A., Sifakis, J., Yovine, S., 1993. An approach to the description and analysis of hybrid systems. In: Grossman, R.L., Nerode, A., Ravn, A.P., Rischel, H. (Eds.), Hybrid Systems, vol. LNCS 736. Springer Verlag, pp. 149 – 178.

Nicollin, X., Sifakis, J., Yovine, S., 1992. From ATP to timed graphs and hybrid systems. In: de Bakker, J.W., Huizing, C., deRoever, W.P., Rozenberg, G. (Eds.), Proceeding of REX Workshop, Rel Time: Theory in Practice, Springer Verlag, LNCS 600, pp. 549 – 572.

(1)

An interpretation is a tuple I=(s,i,c,d,j), where s₌Bm0,m1,…\ is a state interval, i an integer, andjan integer orv_{such that 0}5i5j5

s_{, while} _c _and_d _{are reals such that [c,}_d_]¤Ii, Ii is the time duration of the end microstate si. Intuitively, s _{provides an interval over which}

terms and formulas are interpreted pointwisely; the parameters i and j serve as indicators of the starting end microstate si and the final end mi-crostate sj, respectively while c and d define a subtime interval [c,d], called the active time inter-val, of the time duration Iiof the end microstate si. The parameteriis needed because the interpre-tations of, the terms and formulas with the next operator, as well as the formulas with the discrete chop (;) and the projection (prj) operators refer to it; the parameterjis required because the discrete chop and projection operators partition the cur-rent state interval by changing parametersiandj; the parameters c and d are indispensible for the continuous chop operator (;c) since a subformula may be interpreted over a subtime interval of the current time interval Ii.

For simplicity, in what follows, we use the notations; (s_,_i,_I,_j_{) to stand for (}s_,_i,_x,_y,_j_{) if}

I=[x,y], (s_,_i,_x,_j_{) to represent (}s_,_i,_x,_x,_j_{) and}

(s_,_i,_x_{) to denote (}s_,_i,_x,_x,_i_{). One point we}

clarify here is that the interpretation notation (s,i,I,j) covers the discrete case since a discrete timed state (si,ti) over the interval s can be refered by usingI=[ti,ti].

For every terme, the evaluation of e relative to interpretation I is defined in I[e] by induction on terms in the following way, where x is a dynamic variable,uis a static variable, ande1,…, em are terms:

The formal interpretations of terms and formu-lae is described in the Appendix. The interpreta-tion of the projecinterpreta-tion construct seems rather tricky and it is somewhat difficult to grasp its meaning. Basically, the interpretation is con-cerned with three cases: the first is a trivial case in whichp1,…,pmare interpreted sequentially over a local interval and q holds at the beginning (a microstate) of the interval; in the second case,qis interpreted and stopped before some pk starts to be interpreted; whereas in the third case.p1,…,pm are all finished before q.

The chop operator (;) is a major operator in ITL (Moszkowski 1986) and Timed ITL (Duan et al., 1994a). It can be expressed by the projection operator (see derived formulas). The intuitive meaning of p; q is simple: p; q holds over an interval if the interval can be partitioned into two parts, and p holds over the first part and q holds over the second part. The continuous chop opera-tor (;c) is similar to the discrete chop operaopera-tor (;) but only acts on the active time interval. p;c q holds if the active time interval can be split into two time intervals, and p holds over the first and q holds over the second. State sequence as well as the mixed state sequence. In the discrete case, the Ii is merely a trivial point interval.

3.3. Satisfaction and 6_alidity

A model is a macrostate interval. Given a model s _{and a formula} _p, s _{is a model of} _p _if s₌p. If there exists a model s, s₌_p then p is called satisfiable. If for all modelss,s₌_pthenp is said to be valid, denoted by =p. Sometimes, we denote =plq by p:q. Let R be a set of intervals satisfying some properties. A formula p is calledR-satisfiable, denoted bys₌

Rp, if there exists an interval sR and s₌_{p. A formula is}

said to be R-valid if for all intervals in R, p is R-satisfiable.

Example 3.1 The formula (beg(x)= 1c(x;= −1)end(x)= −1) describes the phase transition system given in (Manna and Pnueli, 1993). It is easy to check that the follow-ing interval satisfies the above formula:

s₌B(s0,I0,g0,s1),…\

where s2_i[x]=1, Ii=[2i, 2(i+1)], gi_x(t)= − t+2i+1 for tIi, and s2_i₊₁[x]= −1 for all 05i,iN.

3.4. Deri6_{ed formulas}

The derived connectives , and l as well as the logic constants true and false, and universal quantification Öx(xV), are defined as usual. We also use the following derived formulas:

(2)

3.4.1. Operators for microstates 1) cp def true;cp

2) 2cp def ¬c¬p 3) emptyc def tf=0 4) morec def ¬(emptyc) 5) finc(p) def c(emptycp) 6) keepc(p) def c(morecp) 7) haltc(p) def c(emptyclp)

The above formulas are defined over a continu-ous time duration, and interpreted over an active time interval. cp means that p holds at all time instants from now on over the active time inter-val. 2cp means that p holds form now or from some time instant in the future within the active time interval. emptyc tells us that the right end point of the active time interval has been reached. finc(p) holds over the active time interval as long aspholds at the right end point of the active time interval;keepc(p) holds over the active time inter-val ifpholds at all time instants ignoring the right end point. haltc(p) holds over the active time interval if and only if p holds at the right end point of the active time interval.

3.4.2. Operators for macrostates 1) empty def ¬true 2) more def ¬empty 3) 0

p def p 4) n

p def ( n−1_)p 5) len n def n_empty 6) skip def len1

7) 2p def true;p(see below for;) 8) p def ¬2¬p

9) Õp def ¬¬p

The above formulas are concerned with a macrostate sequence. The intuitive meanings of the above temporal constructs are similar as for

microstates. empty represents the right end point of the final macrostate over the current interval; len(n) specifies the length of the state interval to be n; 2p means that p holds eventually in the future from some state, whereas pmeans thatp holds always in the future from the current macrostate. Õp tells us that either the right end point of the current macrostate is reached or p holds form the next macrostate of the present state interval.

3.4.3. Chop and chop star 1) p; q def (p,q) prj empty 2) (p0,…, ph)(0)

prj q def (emptycprj q)hN 3) (p0,…, ph)

(1)_{prj q} _def (p0,…, ph)prj q)hN 4) (p0,…, ph)(m)_{prj q} _def

(p0,…, ph, (p0,…,ph)(m−1) _{prj q)}_m_N −{0}hN

5) (p0,…, ph)(*)

prj q def ×m: (mN(p0,…, ph)(m)

prj q)hN 6) (p0,…, ph)(+)

prj q def

×m: (mN−{0}(p0,…, ph)(m)_{prj q)} hN 7) pm _def _p(m)_{prj empty}

8) p* def p(_*)_{prj empty} 9) p+ _def _p(+)_{prj empty}

In definitions (4 – 6) above, if h=1, we obtain the definitions of p(m)_{prj q,}_p_{(*)prj q, and}_p(+)_prj q.

The chop star (*) (Moszkowski, 1993) operator can also be defined by the projection operator.p* holds over an interval if the interval can be parti-tioned into a sequence of finitely (or infinitely) many subintervals and p holds on each one. The formal interpretation can be given as follows: (s_,_i,_c,_d,_j₎₌_p* _{if there exist integers} _r

1,…, rh such that i5r15...5rh=j, and for 1Bn Bh, (s_, _rn

(3)

where In−1=[lI_k,lI_k] if rn=rn−1=k, and

In−1=Ik if i"k=rn−1Brn, and In−1=[c,d] if i=rn−1Brn.

3.4.4. Parallel operator

pq=(p(q;true))(q(p;true))

With the parallel construct, the processesp and q are executed over a sequence of macrostates synchronously, and can be modelled by true con-currency. In fact, the parallel operator presented here is very close to conjunction. The basic differ-ence between pq and pq is that the former allows processes bothpandqto be able to specify their own intervals while the latter only permits one of them, either p or q, to do so. For instance, Tf=2Tf=3 holds but Tf=2Tf=3 is obvi-ously false.

3.4.5. Conditional statement

if b then p else q def (bp)(¬bq) if b then p def if b then p else empty where b is a boolean state term consisting of constants, variables, propositions, and boolean connectives.

3.4.6. Unit assignment operator xe def skipx=e

3.4.7. Terminations and iterations 1) fin(p) def (emptyp) 2) keep(p) def (morep) 3) halt(p) def (emptylp)

4) while b do p def (bp)*fin(¬b) 5) repeat p until ¬b def p; while b do p

6) for k=m to n do p def if (nBm) then empty else (p; for k=m+1 to n do p)

wheremand nare static variables or constants while k is a static variable. The fin(p), keep(p), and halt(p) have similar meanings to finc(p), keepc(p), and haltc(p) but are concerned with the discrete macrostate sequences. fin(p) holds over an interval if p holds at the final microstate over an interval, whereas keep(p) holds over an inter-val as long aspholds at all states ignoring the end microstate of the final macrostate. halt(p) holds over an interval if and only if p holds at the end microstate of the final macrostate.

The while, repeat and for constructs facilitate iterations. Their meanings are similar to their meanings in imperative programming languages. In particular,while b do pholds over an interval if and only if the interval can be partitioned into finitely or infinitely many subintervals on each of which bp holds (b evaluated at the starting microstate), and ¬b holds eventually at the final microstate (s−

k,s

k) but evaluated with the right limit state s+

k if any. Otherwise, the formula p is executed repeatedly ad infinitum.

The temporal operators are called next (), projection (prj), chop(;), chop star (*), continuous chop (;c), continuous e6entually (2c), continuous always (c), always (), sometimes (2). weak next (Õ) and continuous parallel (c)

3.5. Precedence rules

In order to avoid an excessive number of paren-theses, the following precedence rules are used: (1) first: ¬; (2) second:2c,c,d_,_Õ,_2,_{; (3) third:}

×, Ö; (4) fourth: =, ; (5) fifth: , , c; (6) sixth: , l; (7) seventh:;c;, prj.

4. Examples of hybrid systems

In this section, we illustrate how HPTL can be used to model hybrid systems. Two examples: ion flow and antigen-antibody interaction are mod-elled by the formalisms.

(4)

4.1. Ion flow through 6_{oltage-gated channels}

gate is open and the K+_{gate is closed. During the}

depolarisation phase at a threshold of about −55 mV the Na+_{activation gate opens with the}

poten-tial rising. Repolarisation begins at around +30 mV when the Na+_{inactivation gate closes and the}

K+ _{gate opens. Finally there is the repolarisation}

stage when the potential returns to−70 mV. Both polarisation and depolarisation are exponential processes. The model does not take into account leakage channels and Na+ _{pumps. The overall}

The membrane potential is governed by differen-tial equations. During depolarisation, the mem-brane potential, denoted by the variable x, decreases according to the exponential function x(u_,_t₎₌u_e−kt

, wheretis the time,u_{is the initial}

potential, and k is a constant determined by the circumstances; when repolarisation is occurring, the potential follows the function x(u,t)=

u_e−kt_+h₍₁_−e−kt_{), where} _h _{is another system} constant. Suppose that the initial potential is u

M. We wish to keep the potential betweenu

M andum (05u_m5u_{M). We now model this system in}

HPTL:

p1defc(x;= −kx)haltc(x=u_m)

p2defc(x;=h(X−x))haltc(x=u_M)

qdefx=u_M(x=u_M(x=u_m₎₎ (x=u_m(x=u_M))

then the formula:

(p1,p2)(+)_{prj q}_{(p1, (p2,}_p1)(+)_{)prj q}

models the ion flow. It is clear that the first disjunct models the situation in which the process starting withp1and followed byp2is repeatedly executed, whereas the second disjunct models the case in which the process p1 is firstly executed, then the process starting with p2 and followed by p1 is repeated. We require that the following hold: (c(u_m5x5u_M)).

4.2. Antigen–antibody interaction

This example, similar to the well-known cat and mouse example presented in Manna and Pnueli (1993), is a constant slope hybrid system. More detailed aspects of immune system modelling is to be found in Bell and Holcombe (1998). At time t=0, antigen is introduced and increases towards the threshold X. L time units later, the antibody response starts.

The following formulas of HPTL describe the possible scenarios:

p1defc(x=x0ekt_)c(y₌_y0)_haltc(t_=L)), p2defc(x=x0ekt−y_y

=y0ert

haltc(x=0x=X)),

q def=t=0x0=Dy0 =D((x0=xy0=y))

2_(x=₀_{infection clears)}

(x=Xnasty outbreak of blue spots!). Thus, the following projection construct models the system:

(p1,p2)prj q

where the continuous variables,xandy, represent the amounts of Ag and Ab respectively. Further details of X-machine models of aspects of the immune system can be found in Bell (1999).

5. Conclusions

This paper proposes a faithful generic computa-tional model for hybrid systems based on which a

(5)

Acknowledgements

This research was partly supported by the UK EPSRC Grant GR/H73585.

Appendix A. The interpretations of terms 1. I_[u_]_=si[u_]=_st_[u_{] for}_lI

i5t5rIj−1 and st=gi(t), if u is a static variable, and Ii is the time duration ofsi.

2. I[y]=si[y]=st[y]=si+1[y], for lI_iBtBrI_i and st=gi(t), ify is a discrete variable, and Iiis the time duration of si. 3. I[x]=g0

x(x0) (c), ifx is a continuous variable, x0Dx (the same for those be-low), and x+_=x−_.

I_[x+_]_=limt

c(g0

x(x0) (t)), ift−c\0, 4.

and x is a continuous variable.

I[x−_]_=lim

tc(g0_x(x0) (t)), if t−cB0, 5.

and x is a continuous variable. 6. I[x;+_]_=lim

tc(g0_x(x0) (t)−g0_x(x0) (c))/ (t−c),

7. I[x;−_]_=lim

tc(g0_x(x0) (t)−g0_x(x0) (c))/ (t−c), ift−cB0, and x is a continuous variable.

I_[_f₍_e1_,…,_e

m)] 8.

!

nil if

I[eh]=nilfor someh{1,…,m} f(I_[_e

1],…,I[em]), otherwise 9. I[e]

=> (s,i+1,Ii+1,j)[e] ifi\j, andIi4+1is the time

duration ofsi+1

nil otherwise

10. I_[beg_(e)]_=s₂_i[e]. I_[end_(e)]

11.

!

s2i+1[e] ifIiis a finite time interval nil otherwise

I[T]=c 12.

I[tf]=d−c 13.

14. I[Tf]=rIs−c

For a formula p, the evaluation of p relative to the interpretation I is defined by I[p]. I₌

p iff I[p]=true. The relation = is inductively defined as in B.

Appendix B. The interpretations of formulas

I_=true.

15.

I*=false. 16.

I_=p _iff _si+

[p]=sc[p]=s−

i+1[p]=true,

17.

sc=gi(c), if p is a proposition.

18. I_=P(e1,…, _em_{) iff for all} _{h, 0}5h5m,

I_[eh_]"niland P(I_[e1],…, I_[em])_=true,

ifp is a primitive predicate other than =.

I=e1=e2 iff I[e1]=I[e2], if e1, e2 are 19.

terms.

20. I_=¬p _iff I*_=p.

21. I=pq iff I=p and I=q.

I_=p iff (s,i+1,Ii+1,j)=p ifi\j, 22.

andIi+1 is the time duration of si+1.

I_=(p_;c_q_{) iff there exists} _t _{such that} _c5 23.

t5d and (s_,_i,_c,_t,_i₎_=p _and

(6)

I=(p;q) iff there exists k, i5k5j such 24.

that (s,i,c1,d1,k)=p and (s_,_k,_c

2,d2,j)=q, where, ifk=i then c1=d1=lI_i and c2=c, d2=d; if k=j then c1=c, d1=d andc2=d2=rI_j; otherwise c1=c, d1=d andc2=lI_k, d2=rI_k; where Ih is the time duration of sh.

I=×x: p iff there exists an interval s%_, s%

25.

and s _are_x_{-equivalent, denoted by} s%x

=s,

and (s%_,_i,_c,_d,_i₎_{=p. We say} s% _is

x-equivalent to s _if s₌s%_{, and in all}

macrostates, Ii=I%_i _{for all} _{i, 0}5i5s_, s%

and s _{agree on all values of variables,}

ex-cept possibly for the values assigned to x by evolution functions and transition events. That is, sn, sn+1, gn coincide with s%_n, s%_n₊₁, g_n% over In=I%n for all n, 05n5

s_{, and for all} _y, _yV−{x}.

I=(p1,…, pm)prjq iff there are integers 26.

r0,r1,…, rm such that i=r05r15…5 rm=j and for all n, 0BnBm (s_,_rn₋

1,In−1,rn)=pn and (s¡(r0), 0,lIi)=q or

there are integers r0,…, rh(05h5m) such that i=r05r15…5rh and for all n, iB n5h (s_, _rn₋_1,_In₋_1,_rn)_{=pn, and}

IfhBm, then (s_¡(r0,_r1,…,_{rh), 0,}_lI,_h₎₌_q

and there are integersrh+1,…, rm such that

rh5…5rm=s and for all hBn5m (s, rn−1,In−1, rn)=pn;

Ifh=m, then (s¡(r0,r1,…,rm)s_(rh₊_1…_s₎, 0, lI_i,s)=q. where In−1 is the time duration of sn−1.