Temporal aspects of logical procedure definition

hfon Systems Vol. 5. pp. 167-187 @ Pergamon Press Ltd., IBO. Printed in Great Britain

TEMPORAL ASPECTS OF LOGICAL PROCEDURE DEFINITION AMILCARSERNADAS London Schoolof Economics,Room S.110, Houghton Street, London WCZA 2AE, England (Received10May 1979;in revised

form10 December

1979)

Abstract-This paper discusses the inclusion of time in a message-oriented relational model of information systems order to achieve memory independent specifications. The concept of memory independence is reviewed and several systems languages are analysed from this point of view and also in other aspects of their temporal properties. The concept of temporal database is formally introduced and a special modal tense logic is developed to deal with it. This logic is extended with a transition imperative logic to allow the specification of processes within the information system at a very high level. The information system is seen as composed of these concurrent autonomous processes that communicate through the temporal database divided in event and state assertions. in

NOTATION

a before (exclusive) 4 before (inclusive) A within

Classical logic symbols

V 3 A v j (j =

for all (universal quantifier symbol) exists at least one (existential quantifier symbol) and (conjunction) or (disjunction) no (negation) implies (implication) is equivalent (equivalence) is equal (identify predicate)

I at FIRST (a) first period of a truth LAST (a) nth(a)

last period of a truth nth period of a truth

Messagelprocess diagram symbols 0 process

V 0 + * CI -

Usual symbols for arithmetic operations (functions in the logic): + ,- ,x ,I, etc.

event relation state relation trigger transitions reference

Usual symbols for order predicates: <,c,>

Extensions E belongs (membership predicate) C is included (inclusion predicate) x summation i integration convolution operators # cardinal

max min U n \ {x:a) [Xl7x21

1. INTRODUCTION

and 2

maximum minimum i union intersection complementation set of x satisfying a = {x:x, 5 x I x2}

Transition logic symbols B for all in paralleldo (parallelquantifiersymbol)

Y for all in sequence do (sequential quantifier symbol) E false/true transition predicate 3 true/false transition predicate 9 delay operator Tense logic symbols d always (in the past and now)

dp always in the past ‘rp ever (in the past or now) P ever in the past dt always during t %I ever during 1 [a]t a true at t [a]tAGO a true at t ago D after (exclusive) @ after (inclusive)

A good introduction to the problem of representing time in a database system is found in Bubenko[l]. Deeper problems arise in the field of systems specifications related to the concept of memory independence. A model of an information system is said to achieve memory independence if it allows the specification of all processes in the system without any assumption concerning which messages are stored in the current state of the system that refer to the past. This is a desirable feature of any systems language or model because it allows the delaying of the decision concerning what to store in files until the later stage of physical implementation design. Only at that stage is a cost/benefit analysis possible to compare the different solutions. This concept of memory independence (not to be confused with the weaker concept of data independence) was introduced by Teichroew[2] and Grindleyl31, both authors working on systems languages, respectively PSL and SYSTEMATICS. The former puts clearly that some piece of information must be stored only if it may be used at a time different of the instant of its production; another solution is to derive it when necessary. Between these two options the choice should come from physical design criteria, not applicable at the stage of the logical statement of systems requirements or systems specification. 167

168

A. SERNADAS

Several solutions to this problem will be analysed, including the simplest (but worst) known as the current view model. The results of this analysis show the need for a temporal model of the information system database (defined informally as the set of messages in thesystem). This model will be based on a specially developed modal tense logic. For this purpose the work made by the modal logicians in the area of time modelling is reviewed and extended in Section 3 below. A message-oriented model of the information system is assumed which allows the use of relational languages. Several timeless relational models are analysed in order to justify the multitype interpretation approach chosen herein. A predicate-oriented process specification language is introduced in Section 4 below. This language is a temporal version of the transition logic introduced by the author[4] to define DMTL2. (Dynamic MultiType Logic with higher-order capabilities). The information system is modelled by a network of concurrent autonomous processes that exchange messages amongst themselves and with the environment through the information system temporal database. These processes may only change the current state of the system and are aware of the previous states which they may refer to for decision making (but not change). The reference to these past versions of the temporal database is made with the tense logic defined in Section 3. This specification language is memory independent in the sense that nothing is assumed concerning how and what information from the past is actually stored in the current database. This temporal model of the information system database allows the useful distinction between events and state assertions. However, it will be shown that Grindley’s event triggered specification of procedures is not complete and the full process view introduced by the author[4] for DMTLZ is retained in DMTLT (Dynamic MultiType Logic with Time). The specification of a process corresponds to the specification of a set of event generation rules. Some events exist by themselves (such as the issuing of output messages) and others correspond to state transitions (such as the update of a stock level). The specification of the information system at the level of messages and processes is close to the approach taken by Grindley in SYSTEMATICS; another solution would be the direct specification of the object system (substantive level), as proposed by Stamper [5] for LEGOLZ. From the point of view of time modelling these two solutions have their counterparts in tense logic, as will be shown in 3.2 below. The message/process level was chosen as a matter of the author’s preferences; no doubt systems languages are needed at both levels and another field of research would be to link specifications at different levels. This choice has little influence on the syntax of a predicate oriented systems language because it affects mainly the semantics of such a language. Although the objective of this paper is to develop a memory independent model for the information system, leading to a suitable process specification language, the

modal tense logic chosen herein might also be used for database querying at a higher level than that achieved by current database languages. Indeed, this higher level would allow the user to consult an historical database without being concerned with the way the historical facts are represented in the current database. This seems to imply that the concepts of memory independence and tense logic deserve the attention of those interested in relational databases and their predicate-oriented languages. As an illustration to this argument see Mason[6], although in a relational algebra framework. 2. TIMELESS MODELS

2.1 The relational database and logic The definition of a “non-procedural” language for systems specification presupposes the introduction of a suitable model for the memory component of the information system (the database). A rather successful model that achieves a high degree of data independence is the relational model introduced by Codd[7]. This model has been extensively studied from several points of view. Herein its main interest comes from tb possibility of using a predicate calculus to refer to the database composed of relations: each relation is assigned to a predicate in the logic. For implementing this idea two main approaches are possible: (a) the axiomatic approach that corresponds to the inclusion of the database contents as axioms in the logic; (b) the interpretation approach that corresponds to using the database contents as an interpretation structure of the logic. For a comparative study of these two solutions see Nicolas[8]. There it is argued that the latter approach is more adequate. Both solutions allow the introduction of a virtual database (besides the object or extensional database discussed so far) composed of relations defined through general laws that take the form of axioms and may involve recursion. Integrity constraints may also take this form. Taking either of the two approaches, the chosen set of axioms and derivation rules should define a set of theses that is precisely the set of valid well formed formulae. Theses are axioms or formulae derived from them (using the derivation rules). Valid formulae are formulae true for every interpretation. In the second approach this means that valid formulae are true for every database state. In either case a sound and complete logic should be defined in order to avoid deriving false theses (for some interpretation) or being unable to derive formulae true for every interpretation. Moreover the chosen logic should contain the standard predicate calculus (in the sense that all standard theses are theses of the applied logic). This would ensure the validity of standard results that might be useful. This objective is achieved by including in the axiomatic definition of the applied logic a basis for the standard predicate calculus and avoiding any inconsistencies (which means that each new thesis should not be provable as false in that basis). These considerations seem to have been disregarded as such in the literature, except in what concerns the problem of the closed world assump-

Temporalaspects of logicalproceduredefinition tion (see for example Nicholas~8J and Reiterb]). It is beyond the scope of this paper to follow this problem any further. However, it is important to stress that it is possible to avoid it completely by taking the interpretation approach and defining the virtual relations not through-axioms but through expressions that are evaluated in terms of the object predicates. It seems that nothing is lost with this simple solution since even recursion is possible. Taking into consideration this argument and those presented by Nicolas (see supra cila), the interpretation approach will be chosen in this paper which completely avoids any deductive method in the interpretation of formulae. The chosen axioms and derivation rules will describe only universally~ valid propositions (true for every interpretation or database state). Their only interest is to derive general rules that may be used for example to simplify queries. So, a standard axiomatic basis may be used for the predicate calculus to access the database. Following this solution, a choice must be made between two models: B. I Codd’s model (Codd [7, lo]) corresponding to the introduction of a special uni-sorted first order logic with range predicates representing the database relations; B.2 ~mffj~-o~e#ted model (Lacroix[ll], Sernadas (121)corresponding to the use of a standard many-sorted first order logic (Enderton [ 131)where sorts are assigned to domains and predicates to relations. In order to avoid meaningless formulae, the former model has complex rules for defining the allowed well formed formulae. The latter approach is simpler from this point of view and has several advantages (see supru cita and Sernadas[4]) over the relational calculus proposed by Codd. From a theoretical point of view the multitype model (using Computing Science terminology, since the concept of sort corresponds to the concept of type) has the important advantage of leading to a predicate calculus for which the relational database constitutes an interpretation structure in the sense of Mathematical Logic. The same desideratum might be achieved with a unisorted approach although that is not the case of the special Codd’s relational calculus. However, the multitype model allows a closer description of the database domains and is easily extended to include higher order capabilities that are needed to deal, for example, with repeating groups. In conclusion, the adoption of an interpretation multitype model for the relational database is justified by the des~bility of using sanded logical statures as much as possible. Then well known axiomatics can be exploited to prove the equivalence of queries, or any other applications, where universally valid formulae are useful. The relevance of logical models of the relational database for the problem of systems specification follows and Section 3 below discusses the inclusion of time in the chosen logic. 2.2 Timeless systems specification Using a message-oriented model of information sys-

169

terns (as that intr~uced by the author~4]), it is possibte to develop a predi~ate~~ent~ language for systems specification. This language allows the specification of concurrent, autonomous processes at a very high level. Processes exchange messages amongst themselves and with the environment through a relational database. To each message type corresponds, in general, a relation in the database. These relations are not necessarily normalized because they may contain input/output messages which in many cases contain repeating groups. The database at the current time contains all valid messages at that instant. The past messages are forgotten unless explicitly stored in the current database. This approach corresponds to a current view of the time problem that leads to a high degree of memory dependence in the sense that the systems analyst cannot avoid specifying how and what is to be stored in the current database from the past. The great advantage of this approach is its relative simplicity. The dynamic evolution of the database imposed by the activity of the processes in the system (and the environment) is specified using an extension to the multitype logic. This extension constitutes a transition logic whose executional semantics may be defined formally (see Sernadas[4,141). Therein a process specification language (DMTLZ) based on this current view is intr~uced. For an illustration of the capabilities of DMTL2, consider an order entry process that receives incoming orders. For each product (in parallel) it sequentially selects each order of that product; if the respective stock is sufficient it fulfills the order by issuing a delivery inst~ction and updating the stock level and if the stock is not sufficient it creates a backorder; in either case the process deletes the processed order from its input file. Note that the only sequencing assumed is implied by the logic of the problem itself and not on the grounds of implementation criteria. DMTL2 achieves a high degree of non-procedurality from this and other points of view (see supru cita). 9prod, q, S&I ORDER(n, prod, q) ST~K(prod,

s)

* 01, prod, q) 3 ORDER (s 2 qj(n, prod, q) GDELIVERY (prod, s - q) E STOCK(prod) ELSE (n, prod, q) ~BACKORDER) The semantics of the dynamic logic symbols (9, Y: E, 3 ) are described below in Section 4. For the moment it is sufficient to recognize respectively the parallel universal quant~er (4p), the sequentiai universal quantifier (3, the insertion transition predicate (E) and the deletion transition predicate ( 3 ). This language represented an improvement over all earlier attempts from the non-procedurality point of

A. SERNADAS

170

view. The main purpose of Section 4 below is to develop a temporal version of this language retaining its nonprocedural properties and achieving a high level of memory independence. Note that the current view is pragmati~~ly complete in what concerns references to historical information. As Bubenko [ I] shows, it is possible to include in the current database a finite number of messages that are sufficient to describe the complete behaviour of the system in the past. Several solutions are always possible to achieve such a representation. The choice between them should be left to the implementation designer and not arbitrarily made by the systems analyst. With this serious disadvantage, the current view offers on the other hand simplicity. This is probably the main reason why so many systems languages were proposed taking the current view approach. Examples of these are Information Algebra (CODASYL[lS]), BDL (Leavenworthll61, Hammer [ 171)and STREMA (Clark [ 18,191). This type of systems specification could be referred to as ~~~e~e~~~pecj~cu~i~~since time is not dealt with directly in the underlying model of the information system. Against this solution see Grindley [3] and Teichroew [2]; lately Stamper [20] joins the group, although at the substantive level. Both Grindley and Stamper attempt to find a better model including time. These two attempts are briefly reviewed at the beginning of the next section. The experience gained from them will be used later on to choose a logic model for time. 3. TEMPORALMODELS

3.1 Early attempts Several related aspects are important in the treatment of time for systems languages, concerning what is recalled from the past, when procedures are executed and how their synchronization is achieved: (a) begot independence: as already intr~uced, this desirable feature corresponds to the possibility of recalling the past without being involved in its actual representation in the current state of the system; (b) Non-update: avoiding update specifications (and using instead integrity rules over a temporal database for the same purpose) is a sufficient condition to achieve memory independence; however it wig be shown below that it is possible to use update s~~ifi~ations and still achieve memory independence; (c) Priuileged present time: as opposed to the substantive temporal rule approach; the former corresponds to the specification of the system by transitions executed at the current time (with eventual references to the past but not changing it) and it is well suited to the message/process level of the specification; the latter corresponds to the specification of the system by integrity constraints to be satisfied trout all time; (d) Temporal database: in opposition to the current view introduced in the previous section; the temporal database is the family of database states through time; without it, memory independence is impossible; (e) Events and triggers: events are messages instantaneously true and triggers are events used to specify run

times of procedures; events are useful to specify when certain transitions should happen and are the only way to communicate with the environment; naturally, the use of events implies the temporal database approach, unless the concept of event is accepted as a primitive one and, for this reason, left undefined. The logical relationships between these approaches to time modelling are summarized in the two following networks of implications:

No-update

-

Events 8r triggers

Current database

Memory indepen~n~e -

1 Temporal database

-

Memory dependence

\ 4

Privileged present time

The arrows in this diagram indicate implications. For example, the use of a strictly current database implies the use of updates to specify changes, the implicit reference to a privileged current instant and a high level of memory dependence. The current model discussed in the previous section is characterized by: -current database: -update; -privileged present time; -memory dependence. Much more sophisticated models were proposed related to the two following systems languages: SYS~~~A~ZC~ (Grindley [3,21,22]) This language is based on a behavioural model of the information system (with input signals, action answers and feedback) that corresponds loosely to the message process level of specification. Processes (subsystems in Grindley’s terminolo~) are triggered off by certain input events (triggers). An important part of any s~cifi~ation with SYSTEMATICS is the statement of the triggering conditions for the production of each set of outputs. Grindley claims that the concept of updating is at the level of the implementation strategy and should be avoided at the specification stage in order to achieve memory independence. So SYSTEMATICS is based on a strict view of the system specified through inpu~output rules. The update of state assertions (such as the stock Ievel) is “avoided“ as follows: STOCK = X REPLENISHMENTS - Z DISPATCHES which corresponds to an integrity constraint on the underlying temporal database, although this concept is not explicitly used by Grindley. This integrity constraint is

Temporalaspects of logicalproceduredefinition better specified by: STOCK, = I: REPLINISHMENT,,I’<,

Z DISPATCH,, ,‘<,

In a SYSTEMATICS specification nothing is stated concerning the way such constraints are to be fulfilled. This approach has the following disadvantages (Waters[23]): -it is impractical in many situations: -it is difficult to establish the link between these integrity rules and the input/output procedures that may affect them or depend on them; this has particularly serious drawbacks in the case of procedures changing over time. Moreover, it does not achieve any improvement either from the point of view of non-procedurality or memory independence. Actually, the rule above is an update of the original stock: STOCK = X REPLENISHMENTS - X DISPATCHES + (ORIGINAL) STOCK (even if the original stock is null). It is unavoidable to assume the knowledge of some state of the system: then why not the current state? In this solution the stock changes might be specified within those processes dealing with replenishments and dispatches with all consequent advantages on readability. And such specifications: (NEW) STOCK = REPLENISHMENT + STOCK (NEW) STOCK = - DISPATCH + STOCK are not more procedural than the rule above that uses the original stock as the basis. This is more a question of formalism preference than a question of non-procedurality. So much more because those updates may be seen as just another kind of event and dealt with as such in the temporal database. An important conclusion results from this discussion. The temporal database should include state assertions that keep their truth values for a while. Changes on these state assertions are of two basic types: a state message may become true or become false. They correspond respectively to an insertion or to a deletion in the usual terminology. Both correspond to the update of a temporal state relation. The need for state relations (such as the stock) is imposed by the logic of the problem and not by implementation strategy. Changes to these state relations may be defined on the initial state (Grindley’s approach) or on the current state (the update approach). The latter solution is adopted herein (see Section 4) since it does not affect either the memory independence or the non-procedurality of the model and it overcomes some of the disadvantages of SYSTEMATICS indicated by Waters. Another weak point of SYSTEMATICS is its strictly event triggered specification of input/output processes.

171

This does not allow the specification of sequencings even when they are required at the logical level by the application itself (non-arbitrary sequencing, as introduced by Leavenworth[24]). This problem was solved in DMTLZ by the author[4] with a full process oiew of running the processes in the system. It is a point to take into consideration when defining the execution semantics of any systems language and will be raised again in Section 4 below. Besides being transition incomplete in this sense, SYSTEMATICS is also query incomplete (in Codd’s sense-see Codd [ IO] and supra cita). In what concerns time, SYSTEMATICS may be characterized by: -non-update; -memory independence: -events & triggers; -temporal database (implicit); -privileged initial time. However in SYSTEMATICS there are few tools to refer to the temporal database and for this reason some systems are not specifiable with it. LEGOLZ (Stamper[5,20], Jones [25]) This language is a temporal relational algebra and was developed for the substantive specification of systems at the organizational level. With LEGOL2 it is possible to specify rules that apply to the object system entities (things and their stales and conditions), avoiding completely the message approach and any reference to the information system. With this higher level semantics, the objective is to define rules such as the following: “The stock is decreased whenever a delivery of the corresponding product is made”. and not to define the process that receives messages describing deliveries and updates accordingly the state messages describing stock levels. This substantive specification of the object system rules might be made through integrity constraints. However LEGOLZ supports an operational view taking an update approach. These rules define changes to the object system for which a temporal model is used. Object entities are associated to their periods of existence in this model. So LEGOL2 is characterized from the point of view of time by: -memory independence; -temporal object system (instead of the database); -update. The main originality of the LEGOL2 time model is precisely its substantive view of the specification, avoiding a privileged treatment of any particular instant. In the following analysis of tense logic this difference between LEGOL2 and SYSTEMATICS-like models will be formally put into perspective. LEGOLZ brings together the update approach and a high degree of memory independence illustrating the conclusion made previously. It is the author’s belief that languages for system specification at both levels (the substantive and the mes-

A. SERNADAS

172

sage/process levels) are needed. At the present state of research it is by no meanr certain that a substantive specification would make completely useless a message/process specification. On the contrary. the latter level (closer to the information system) allows more details not relevant to the substantive specification that is closer to the object system. An interesting field of research is the establishment of methodologies to generate message/process specifications from substantive specifications. The main concern of this paper is to develop a memory independent message level systems language. However it will be shown that tense logic might also be used to develop substantive languages, avoiding completely the relational algebra approach present in LEGOLZ. In the following discussion of modal tense logic, an attempt will be made to find the kernel for a systems language characterized by: -memory independence; -events & triggers; -temporal database: -update; -privileged present time. Such a language will inherit the non-procedurality properties of the current view language DMTLZ, combining them with the memory independence allowed by the possibility of reference to a temporal database. 3.2 Modal tense logic 3.2.1 Motioation. The objective is to define a symbolic structure suitable to discuss the temporal database. This database is informally defined as the sequence of database stales through time. One possible solution is to treat the time index as an attribute of all relations in the database; then all temporal conditions are expressible in the database multitype logic that includes the convenient time sorts. This solution is to be avoided because of the following important disadvantages: -it is formally too close to the current view where all the past information is retained in the current database which precludes the achievement of memory independence; -it is not possible to achieve a topological view of time in the sense that in all expressions a direct reference to time would be always needed which prevents the writing of expressions like the following: “ever before event a, event p happened” where the actual instants are implicit and not important; -it is misleading since special properties of time and time operators (e.g. time quantifiers) are not expressible in the semantics of such logic; -finally, it would be cumbersome to state the run times of each process in every used relation. tit should be stressed that in plain language always and ever are sometimes used with equivalent meanings. Herein. ever stands for sometime.

Another way to deal with the temporal database is to see it as a family of interpretations to a multitype logic where the time is hidden as the family index. Then it would be possible to make complex temporal assertions such as the following: sB(Vx, Y(Pk

YN.

Always for all x and y? P(x, y) is true; 8(&a,

b)).

Ever P(a, b) was true; .dD P(&C?(a)). Always after P(o), Q(a) is true.t Such logic would allow the statement of any topological temporal condition (any condition not dependent on the direct reference to time); these topological conditions are sufficient in most cases. Situations where direct time references are needed are uncommon. Nevertheless some solutions will be presented to this problem. Temporal calculi or tense calculi have been under study by logicians since ancient times and recent developments with mathematical tools have started in this century, mainly in the 1950s. For an introduction to the subject, the standard text by Prior[26] is highly recommended. 3.2.2 Tense propositional logic. The discussion of the temporal propositional calculi will give sufficient insight to the problem for a later extension to the predicate calculi. For the moment, the temporal database is assumed to be composed only of propositions whose truth may vary with time. The family of snap-shot databases will be represented by: I = {I,: f E T} where I stands for the interpretation sequence and T is the time period of interest. In this family a rt$exiue relation is defined: I,, sees I,* or for short, I,, s I,,. Note that the objective is to define the relation S in such a way that:

But, for the moment, no other properties of S will be assumed. The ordered triple (I, S, V), where V is defined below, is an interpretation structure for the temporal propositional logic. This logic is defined with the usual symbols and rules for building wifs (well formed formulae); also

Temporalaspects of logicalproceduredefinition included are the symbols (tense quantifier symbols):

The modal operators ate:

.& (always);

L (necessarily);

@ever):

M(possibly).

and the expected rules: -if -if

0: is a wff so is &(a); a is a wff so is I.

Taking Q as the primitive symbol, Et:is defined as: $(a) & - (4-

(a))).

In the interpretation structure above, V is the value assignment satisfying the following conditions: -for

every proposition p and for every rt E I, either V@, 1,) = l(true)

or V(p, L) = O(false); -for

every wff LYand for every II E 1, V(- (a), r,) = 1 - V(a, I,);

-if

a! and /S are wffs, then for every I, E 4 V(cyAP, II)= min(V(a, 41, V/S, &)1;

-for

173

every w@ (Yand for every II E i, V(~(a), L) = 1

iff for every IV, seen by f, (that is to say, such that I, SI,,), Y(cr, r,*)= I; otherwise V(&a), 4) is false. The contents of the pro~sitional temporal database define completely the following appiication: F x I *{true, false} where F is the set of all well formed formulae, Note that formulae involving other connectives may be rewritten only with - , Aand ~4. This interpretation structure for the tense logic is called a Kripke’s structuret because Kripke1271 introduced it for the interaction of a modal logic that closely resembles the tense logic in discussion. tIncidentally, it is worthwhile to noticd that Kripke-structures have Iately received much attention in the area of the formal definition of the semantics of programming lan@Wes (e.g. Schwind(b] which was kindly indicated by a referee of this paper and Van Emde Boas[30]). This question falls outside the scope of tbe present paper although a modal approach can be used for defining the declarative semantics of the language defined in Section 4 (Sernadasfl4lf.

Intuitively, a similar behaviour of these operators and the tense operators (& and 8) is to be expected. This link was first recognized by Prior[28]. Until this point the only property assumed for the relation “sees*’ was its reflexivity (self-evident in the temporal environment); other properties (such as transitivity) should be assumed in order to describe time more closely. This analysis will be made after a brief sketch of an axiomatic basis corresponding to the semantics just introduced. This semantics defines a subset of F called the set of valid wfEs.A wfI is valid iff it is true in every 1, of every possible structure (4 S, V). These valid wffs have the interest of always being true, independentfy of the database contents and of the instant considered. Another way of defining the set of universally valid formulae is by taking an axiomatic approach. The axioms might be (i) Usual propositional axioms: -(P v PM; -430 v 41; -4 v 4)=X4 v PI: _-(4*+X@ v cl)%

v r)):

(ii) Plus: -~(p~q)~(~~)~~(q)). With these axioms and using the transformation rules below, it is possible to derive other thes. The derivation rules are: -substituting in a thesis a propositional symbol for the same ti in all its occurences will lead to another thesis; -if a and &3 are theses, so is @; -if IYis a thesis, so is &(a). The axioms and t~nsfo~ation rules above define the modal system T (see Hughes[3!]). This modal logic is sound and complete for the previously defined Kripke’s semantics because a ti is a thesis iff it is valid. For a proof of this result see sffpra cita, nese theses (valid wffs) are very useful for their universaiity, corresponding to assertions true in every instant of every database. Examples of them are the axioms, of course, and theorems such as: -sp(ukJ(%(-(a))); -%(a v Pw%(a) v S(8); -ti(l((y AI)%@ fi 46). These theorems and system T and other cita) are irn~~nt temporal operators.

others (for an extensive study of the systems referred to betow see supra for unders~~i~ the behaviour of The possibility of discovering and

A. SERNADAS

174

proving them justifies the logical approach to time modefling. Note that any further property assumed for the relation S (in order to describe time in a more precise way) will imply the adoption of new axioms in order to retain the completeness of the system. To assume another property of S corresponds to a restriction in the set of possible interpretations which may lead to a larger set of valid wffs. In the following paragraphs some possibly relevant properties of S are analysed. Transitivity of S Assuming the transitivity of S (which is implied by the usual conception of time) corresponds to the addition of the following axiom:

The new logical system obtained (called S4) is again sound and complete. Moreover S4 contains T in the sense that every T-thesis is a %-thesis. S4 is already very interesting for the purpose of time modelling. Prior, in his early work, even assumed that S4 might be the definitive temporal logic. However further developments led to much better descriptions of the properties of time. The main difference between T and S4 for the purpose of this paper concerns the so called modalities. It is possible to prove in S4 (but not in T) that:

S is an option for which no strong criteria exist. Both solutions are justifiable. If symmetry is assumed (which leads to the modal system SS with only three distinct affiirmative modalities), the modal operator SB is interpreted from the point of view of time as follows: d(n)--always

in the past, now and in the future a! is

true. It corresponds to a two direction model of time. Prom a certain instant it is possible to observe both the past and the future. This time model is best suited for the substantive specification of information systems, since no privileged instance is involved. But for the message/process level, symmetry is not desirable. For this type of specification the objective is to define processes that may change the database at their run time (the current instant) and that may observe the past versions of the temporal database. No interaction is desired with the future. So, for the message/process level of specification, the symmetry of S is not assumed and the one direction model of time is used instead. Then the modal temporal quantifier $ is interpreted as follows: &(Qj-always

in the past and now tl is true.

Further properties of S Starting with S4, the objective is to refine the model in order to achieve a closer description of time and of the temporal database. The semantic structure for S4 may be represented in a directed graph describing the reflexive and ~ansitive relation S (sees). A possible graph might be:

These theorems imply that there are only seven distinct a6rmative modalities in 54. On the contrary, in T the number of such distinct modalities is not finite. The diagram below represents the valid implications between those seven affirmative modalities.

.d(d ( .dW))

C(.d (P(a)))

L

E(.db.Y))

/

For this dia~m see for example Prior [32]. In a temporal inte~retation, any of these impli~tions is easily understood. For example:

means that “if (Yhas always been true then it has always been true that ever before (Y had always been true”. Although this is a simple consequence of the transitivity of S, it would be difficult to prove it without the modal model of time. Symmetry of S To assume or not to assume symmetry for the relation

In this graph the direction of arrows indicates “seeing” and each point corresponds to one element 1, of I (one world or database state). Note that although the relation represented by this graph is anti-symmetric, transitive and reflexive it does not correspond to the usual conception of time, since several “pasts” are possible. The reason for this is related to the pariah character of this relation. So to demand that a valid wif should be true even for a structure as the above is to demand too much. On the contrary, in a desirable model of time only one past line should be possible, as follows:

This is equivaient to assume that S defines a chain in the set I of database states. That is to say that S is a reflexive total order relation (which implies that S is transitive and antisymmetric). This amounts to the addition of the

Temporalaspects of logicalproceduredefinition

fogic (see for example Thomason[41]) take this approach. Herein a different approach will be taken that avoids any reference to the future. This is achieved by introducing a new set of temporal operators, such as:

following axiom to the system S4: &d(a)*&(P))

v &&i%W(a))

because from Lucas [39] this is equivalent to

-after; -before; -within

which is seen to correspond to the chain assumption. Note that, with this assumption, finally L, S& iff II 2 tz. The new logic obtained is called S4.3 by modal logicians and contains S4 (and T) and is contained in S5. In S4.3 there are only five distinct modalities, not involving negation, which are related as follows: w a -

.$(a) I.

4(.d(a))

-

kW(a

)I

175

F(a) f

For this diagram see Hughes [31]. The modal system S4.3 is the one required to mode1 time when the set Z(or the set T) is assumed dense (nondis~rete): see Bull[#~. Allowing the time space to be discrete means that for each instant there are its nart and preuious instants. Denseness does not allow the definition of these instants because in a dense space between any two instants there is a third one. However in some circumstances it might be useful to consider time as a discrete space: another system should be used then: the modal system D or S4.3.1 which intrudes S4.3. Assuming a dense, chained and un6ounded time space, the system S4.3 fulfills the need for a symbolic model of the propositional database. However, unboundedness should perhaps be abandoned. Indeed, in most real situations there is a starting instant of the information system life. Another possibility is to see this initial instant to as the instant before which no modifications were made to the database; propositions did not change their truth value before that instant. In either case, a new axiom should be considered:

that assign to a wff the time set in question. These time sets may be used to build restricted temporal quantifications, such as: dD@) (after a was true, 8 has always been true). Note that the whole observation is made into the past of the current instant (al~o~h it may include a part of the future as seen from the instant during which a was true). Another desirable feature of a practical temporal language based on K3 would be the possibility to refer directly to time terms. These extensions are introduced in the next section (where a temporal predicate calculus is defined) since they involve the use of time terms over the time domain 7’ (the interval [to, &If. 3.3 A temporal predicate calculus 3.3.1 To be or not to be. To deal with the temporal database, a multitype temporal predicate calculus is needed. To each domain in the database corresponds one type in the logic; and to each relation in the database corresponds one object predicate. Later on, object predicates wifl be dassified into event and state predicates. The type of an object predicate is a n-tuple of domain types, such as (i,, . . . , in), which is fixed by the domain structure of the associated relation. Variables and constants exist for each domain type. Functions are allowed (e.g. addition) which implies the use of the special predicate identity. A term of type i is a variable or a constant of type i or an expression of the form: f(x I,...,&)

&%Ca)WW(cu)). The system obtained from S4.3 by adding this new axiom is known as K3. In conclusion, the propositional logic for a temporal database may be the modal system K3, as defined above. This system contains S4.3, S4 and T. So theses of these systems are theses in K3. Moreover K3 has other theses such as the axiom above that implies the existence of only four affirmative modaiities in the system, since &(%‘(a))WS(.#(a)). incidentally note that K3 is not contained in SS. 3.2.3 Refinements. Several refinements are desirable for the basic temporal logic just described. To start with it might be useful to introduce: _&‘(a)-always

in the past a was true;

.@(a)-always

in the future a will by true;

and similarly %‘(a) and gF(a), in order to express before/after conditions. Recent developments in tense

where f is a function symbol of type (i,, . . . , i,, i) and Xl,. . I, xn are terms of types i,, , . . , i, respectively. An atomic formula is an expression of the form: R(x I>...,&) where R is a predicate symbol of type (i,, . . . , i,) and xl,. , . ,x, are terms of types i,, . . . , i, respectively. Note that an expression of the form: x = Y, if x and y are terms of the same type, is also an atomic formula. Similar atomic formulae may be built with order predicates. The set of weil footed formulae (wi%) is defined recursively as follows: -any

atomic formula is a wff;

-ifaisawff,sois-a; -ifaand@arewRs,soisa~/3; -if (Yis a wR and the variable x and the quantifier symbol V are of the same type, then

as follows: -if R(x,, . . . , x,) is an atomic formula (eventually in infix form), T(R(x,, . . . , xn), It) = 1

Wax) is also a wff; -if a is a ti,

so is d(a).

Other wffs may be built using derived operators (such as v ,j, 3 and 8). As any wfI written with such symbols can be rewritten without them, for the purpose of defining the interpretation it is sufficient to deal only with -, h,V and Jr”. A standard uxioM~~~ccubic for the desired modal predicate calculus follows: Axioms: Al-If a is obtained by uniformly replacing every proposition in a valid w# of the propositional logic K3, then a is an axiom. AZ-If x is a free variable in a w8 a and #! is any wfI obtained from a by uniformly replacing x by y (provided that y is of the same type and is not bound in p), then

iff the tuple associated by V and V’ to fx,, . . . ,x,) is in the relation associated to R at Z,; otherwise the truth value assigned to the atomic formula is 0. -For any ti a and I, E I, T( - a, I,) = 1 - T( a, 1,). -For

any wffs a and fi and I, E 1, T(a A&A) = min (T(a, t), T(P, J)).

-For any ti (Y,variable x and quantifier V of the same type and any I, E I, T(Vx(cr), It) = 1 iff, using any other variable assignment V’ that only differs from the former in the value assigned to x, T(a, I,) = 1;

is an axiom. otherwise the formula is false. -For any wff a and 1, E 1,

Derivation Rules D&If a+@ provided that D2-If (r and D3-If a is a

is a thesis, then a+Vx(& is a thesis, x is a variable not free in LY. &@ are theses, so is 8. thesis, so is &(a).

It is straightforward to prove that this axiomatic is consistent; moreover it is possible to prove that it is sound for the following semantics. A Kripke’s interpretation strucfure for the modal predicate calculus above is an ordered tuple, (1, S, D, V, V’) where: I is the family of database states indexed by the time interval 7’ = [to, t,], where to is the initial instant and t, is the ever changing current instant; S is a reflexive total order relation defining a chain in I; D = Di1.X... XDiN is the Cartesian domain of the whole temporal database: V is the constant assignment that assigns constants to values in the respective domains and predicates to temporal relations (relations varying with the 1, ~1 considered): a temporal relation R of type fit,, . . , in) is a set of tuples in the following Cartesian product: DilX.. . XDi,Xl; V’ is the variabie assignment that assigns variables to values in the respective domains. Then the t&t ~u~ct~o~ TzFxf-+{O,l), where F is the set of all well formed formulae, is defined

T(~(a), G) = 1 iff, for every I,, E 1 such that 1, St,, T(Ey,4,) = 1; otherwise the formula is false. In this framework the tempora~dat~6ase may be defined formaIfy as the ordered tuple

where 1, S, D and V are defined above. This is a restricted interpretation structure that assigns derived relations to wlTs with free variables. Then a formula is valid iff it is true for every temporal database at every 1, E 1 and for every variable assignment V’. Note that in the model just described the domain D is constant, independent of the particular 1, E 1 considered. In terms of the temporal database this means that a closed world assumption is made. Indeed, throughout time a formula will always be assigned a truth value. This does not seem to be a good model of a temporat database, since it wouId be more accurate to assign to each I#E I a domain D which might be different from the others. However the constant doMaj~ app~ac~ has the advantage of ensuring the validity of the formula: Wx(a)WVx(~(a))

Temporal aspects of logical procedure definition which might be called the Barcan formula (BF). Actually

is easily proved using the axioms above for the K3

predicate calculus (K3 + PC). But its converse A3-

vx(a(a))*&vx(a))

is not a thesis of the axiomatic above and may be added as a new axiom (the third). This axiom is valid for the semantics just introduced (with constant domain). This extended axiomatic (K3 t PC t BF) is consistent, sound and hopefully complete. The completeness is not very important however; it is sufficient to know that any thesis is valid for the purpose of deriving simplified expressions. Several attempts have been made to drop the constant domain assumption (see Hughes[31] and Kripke[33]). Without this assumption the Barcan formula is not valid. The analysis of the problems involved in this approach is beyond the scope of this paper. Fortunately the constant domain assumption is justifiable for the purpose of systems specification. However, for database querying it is rather odd to assume that for whatsoever instant and tuple of constants (a,, . . , a.) the atomic formula: R(a I,...,

a,)

(where R is any predicate of suitable type) is either true or false. A closer model of the temporal database should take into account the possibility of such formula neither being true nor false at a certain instant because the considered tuple was unknown at that time, that is to say nonexistent at the instant. Roughly a three valued logic is involved. This relationship between the existence problems in modal logic and an open world assumption in database shows that difficult theoretical problems arise from the relaxation of the closed world assumption. On the other hand, for systems specification nothing is lost by assuming the completeness of the database since no explicit domains are ever specified. Each domain may conceptually be seen as composed of all possible values of that type. Here negation might be a problem, but an implementation problem with no relevance to the systems specification itself. At the specification stage it would be possible to write:

177

concerning identity also appear. But at this level the temporal logic is no longer useful: a proceduralgrogramming language is a much better tool to deal with explicit storage structures. In conclusion, taking to the limit the argument for memory independence, there is no loss in assuming a constant set of domains throughout time for the temporal database and the above logic (which includes the Barcan formula) is acceptable. An interesting corollary of the Barcan formula in terms of the ever operator is the following formula:

3.3.2 Time references. Although the modal approach to the definition of a temporal language allows a very high degree of memory independence (nothing is assumed about how the information from the past is stored now) and leads to the discovery of several important properties of the time quantifiers, it has the disadvantage of not including any tools for the direct reference to time constants and variables or for expressing time comparisons, as pointed out previously. These insufficiencies will now be solved by introducing two new types in the logic: the type time and the type time set, associated respectively to the time domain T and to the domain B(T) composed of the Bore1 subsets of T. With the terms of these types it is possible to build other forms of atomic formulae, such as --If t, and tz are time set terms, then t1 c 12 is an atomic formula. (The inclusion predicate is used.) -If t is a time term and t is a time set term, then tEt is also an atomic formula. (Using the membership predicate.) The interpretation rules for these atomic formulae are straightforward. In the domain B(T) (that is to say for time set terms) the usual set operations (such as intersection II , union U and complementation \) are defined in the normal way. Also it is possible to build time set terms using the set generation operational symbol:

- ORDER@, P, 4)

0: 4t)J

referring to all messages of type ORDER not constituting a true order at that moment. This set would be probably infinite (that depends on what is intended to be the domain of order numbers, etc.) being composed of almost all possible combinations of values in the three domains. Only at the implementation stage is memory independence lost; then an explicit finite domain varying with time would be assigned to each doFain type. Only then do the existence problems arise. Related problems

is a time set term interpreted as the set of instants that make the wtT a true; and It,> f*l is another time set term interpreted as the interval between tl and t2. Similar expressions may be used to build open intervals. In the expressions above t is a variable, and t, and t2 are terms all of type time.

A. SERNADAS

178

Useful constants to be included in the language might be: -THISYEAR; -THISWEEK; -1980; -LASTMONTH;

etc.

Note that in the examples above some are moving time constants (e.g. THISWEEK) whose interpretation varies with the Z, E Z considered. Others are fixed time constants (e.g. 1980) whose interpretation is the same through all I, E I. No attempt is made here to define the micro-syntax rules governing the writing of constants, variables and names in general. However the macro-syntax is completely defined by the rules specifying the building of wlfs in the logic. Another way to obtain time set terms is to use any of the following operators: -After (inclusive) ------------. p, -After (exclusive) ------------ D -Before (inclusive) ----------. ,a -Before (exclusive) ---------- 4 -Within _______ _____ _____________. A -At ________ ______ ____ _____________ ( If a is a wtI and 13is any of the time operators above then

is a time set term. Also if 1 is any time term, then

are time set terms of straightforward interpretation. Assuming that a is a wtI then: -la is interpreted in L, as the time set A such that for everytEA:tst,andaistrueinZ,. -~a is interpreted in Z,, as the time set A such that for every t E A: t s t, and 8(a) is true in I,. -da is interpreted in I,, as the time set A such that for every t E A: t I t, and Sa(- (a)) is true in I,. Assuming the operator A defined, then by definition,

Formally, Aa in I,, is interpreted as the time set A such that for all t E A: -t5t,; -8(a) is true in I,; -and there is a t’ such that t 5 t’ 5 t, and a is true in Z1’. The existence of time set terms allows the introduction of restricted temporal quantifications. If t is a time set term and a is a wtI, then both: &(a)-always during t, a is true; It(a)-ever during t, a is true; are well formed formulae. Naturally,

and it is necessary to interpret only one of them. For example,

will be true in a Z, E Z iff for every Z,.E Z such that t’ E t (note that t is interpreted in C) a is true in I,,. Note also that t’ E 1 means that I,, is seen by It where 1 is evaluated. These restricted quantifications do not behave so well as the unrestricted ones as can easily be verified. No attempt is made here to extend the axiomatic introduced in 3.3.1 above to describe the properties of these operators. However some universally valid formulae may be informally indicated: -&(a A~)&&(a) A5&(P); --JBtr U t2(a@&(a) h &J&(a); --8t(a v p)&Yl(a) v st(& --%t, U t2(a)tStl(a) v 8&(a). Another form of restricted time quantification is obtained by introducing: SQ”and 8’ interpreted as always and ever in the past respectively. The past is the time set including all elements of T except the current instant. Other interesting time set generation operators might be found useful, such as:

and

FIRST

(a);

LAST(a); and in general: The within operator A is informally interpreted as follows:

is the time interval that goes from the“‘first” instant in which a is true until the “last” instant in which Q is still true. Note that such instants may not exist at all.

nth (a) where n is any term of type positive integer. For example, the interpretation of FIRST(a) would be as follows: -FIRST(a) in I,, is the time set A such that, for all SEA, t
Temporal aspects of logical procedure definition

not in A such that & is seen by every I, such that t E A.

a is false in I,.; and there is no other time set A’ satisfying the previous conditions containing A. Informally, FIRST(a) corresponds to the first time interval during which a! is continuously true. Another important feature desirable in the logical language being introduced to deal with the temporal database would be “~sitional” operators; ---If LYis a wtI and t is a term of type time, then [(~]t

((Ywas true at the instant t)

and

blf ago

(a was true at the instant t ago)

are wffs (provided that t and t ago are assigned to points of the time domain I’). Interesti~ axiomatics are found for logics based on these operators in Rescher[34]. Note that for example:

A practical example of the usefulness of these operators is to write formally: “three years ago LYwas true”. Note that the possibility of using different time scales indicates that the practical language should allow the inclusion of time unit declarations. It is beyond the scope of this paper to define formally the syntax of such constructs. However, it is rather simple to introduce instead subtypes of the time set type. such as days, months and years. Whenever a special subtype term is needed it is explicitly indicated. For example, DAY I (a) will be interpreted as the time set of subtype day during which cy was ever true, assuming that a was not true in more than one day. For these special time set subtypes the addition and subtraction operations easify defined, for example:

if+23 where d is a day time set, is also a day time set of st~i~~o~ard interpretation. Another useful extension would be the introduction of rime p~e~ic~~e~(without parameters) such as: NEWMONTH; NEWWEEK; etc. specially needed for specifying certain triggering conditions. 3.3.3 Otherextensions.Other useful extensions would be the inclusion of higher order facilities (for example, to deal with repeating groups) and of calculation facilities. For example, c XV+, Y)) IS Vol. 4. No. LB

179

is a term of the same type of the variable x with a simple interpretation. For a detailed definition of such extensions in a similar environment see Sernadasfl4f. Therein several useful convolution operators (besides the summation operator above) are formally defined. Notice that all these extensions not affecting the axiomatic basis of the kernel temporal logic (no further axioms were assumed) make this axiomatic incomplete (new valid formulae are possible that are not deducibte from the old axioms); however its soundness is retained. So any result deducible from the (incomplete) axiomatic is still valid and for this reason universally true. Examples of such results achieved by the axiomatic approach, probably more difficult to discover and more cum~rsome to prove on purely semantic grounds, are the theorems on modalities that are very helpful for the understanding of the character of the involved time operators. This illustrates the argument for the attempt to develop complete axiomatics (if possible) covering the extensions introduced previously. However such effort is beyond the scope of this paper. A partial solution to this problem is found in Sernadas [ 141. In the next section a process specification language is defined based on the modal tense predicate calculus introduced in this section.

4. D.MTLT: A TEMPORAL PROCESSSPRC~CATION LANGUAGE

4. I The model The temporal multitype predicate calculus introduced in the previous section allows the reference to a multidomain temporal database. In particular, this reference can be made from the current instant by any of the concurrent autonomous processes in the information system. So this system is seen as composed of: ---messages which constitute the temporal database; -processes that receive and generate messages through the temporal database, amongst themselves and with the environment. Processes run at the current time and may only affect the present state of the temporal database: they may also recall messages from the past (e.g. an old stock level) but not change them. Messages are grouped by type into relations of two kinds: --went relations,composed of events that are messages that appear instantaneously in the system; -state relations,composed of state assertions that are usually in the system for a while. Informally, state usse~io~s “are” and erects “happen”; formally, events are true in a discrete subset of the set I (of database states) and state assertions are true in intervals of I. Note that the negation of an event message is necessarily a state message. However, in general, the negation of a state message is also a state message. As an illustration of these concepts consider the simple order processing system represented in the message/processdiagram below.

180

A. SERNADAS

In this diagram, processes are represented by rectangles; and events and state assertions are represented respectively by triangles and circles. For further details see the list of symbols. It is beyond the scope of this paper to develop a systems analysis methodology for identifying events and state assertions. However the following basic rules may be indicated: (1) All inpudoutplct messages should be considered as events. This seems to be an elegant model of those messages that are “perceived” or “issued” at precise instants. (2) As much as possible avoid the introduction of state relations. These should only be introduced in the model when required by the logic of the application itself and without any concern on implementation constraints. (3) Whenever the logic of the application requires some form of sequencing, it is necessary to involve state assertions. If not, in a group of simul~neous events only the first would be processed. Indeed at the time the process is able to consider the second event, all the group is no longer present. In the example above, rule 1 implies that the messages: -Input Orders: -Replenishment Notices; -Refused Orders; -Delivery Inst~~tion5; should be considered events. On the other hand, rule 2 indicates that the following messages: - Stock Levels; -Customer Details; are better described as state assertions, since they represent state properties in the real world. However, this rule does not imply that either of the messages: -Orders; -Back Orders; should also be considered state assertions. Only rule 3

gives a correct justification in this case. Indeed both messages are fed to processes that attempt to fulfill them by consulting the respective stock levels. Clearly, for each product they must be considered in sequence in order to avoid mistakes. Note that this is a good example of “non-arbitrary sequencing” as was indicated in 2.2 above. The important aspect of the problem at this point is that such sequencings imply the involvement of state assertions. In what concerns the trigger&g of the processes in the system, the solution presented here is twofold: -Event triggering: This form of triggering is close to the solution first presented by Grindley for SYSTEMATICS (Cirindley [3]). A process is said to be event triggered iff its run times are strictly specified by the outcome of a certain event. Naturally this event may be rather complex (represented by an eve& wf in general which is a wff that may only be true in a discrete subset of I). -Full process view: As first introduced by the author141 for DMTL2. A process may not depend at all on events; in this case it keeps running as long as there are state assertions in the current state of the temporal database that it is able to process. Note that this activity of the process is a discrete sequence of runs. Nothing is assumed on the spacing between these runs. It is necessary at this point to make some comments on the nature of processes, states and events. A process is the activity corresponding to the execution of a procedural rule (see Dijkstra[35]). The objective here is to introduce a language for writing such rules which must be interpretable both from an executional point of view and a declarative (non-ope~tion~) point of view. A process can also be seen as a set of event o~c~ences which are causally related in a chain (see for instance Best[36]. In either case the two types of triggering can easily be defined. The full process view triggering is very close to the widely accepted firing mechanism of Petri

Temporal aspects of logical procedure definition

nets which can be used for defining condition event systems.

T

The conditions (or states) A and B are submitted to the rule that event T can fire when A is true and leads to the truth of B. Nothing is assumed concerning the timing of such tiring. All that is known is the existence of a chain of successive occurrences of T (a process). On the other hand the event triggering corresponds to the simultaneous occurrence of two events (if the remaining tiring conditions are also satisfied). A typical situation is defined by the following diagram.

Event T2 can only happen if A2 is true and T, is happening. Transition T2 depends on transition T, occuring (besides condition AZ). Naturally the two processes (respectively {T,} and IT’*})are highly synchronized in this case. The justification for this type of triggering is found in the aforementioned work by Grindley. In particular the modelling of interrupts is very much simplified by this approach. In the simple order processing system there are four processes: I II III IV

Process Process Process Process

Order Checking; Deliveries; Back Orders; Replenishments.

As indicated, processes I and IV are event triggered (respectively by the arrival of input orders or of replenishment notices). The other processes run as long as there are respectively pending orders or back orders in the current state of the system. Note that these processes are autonomous and run concurrently. The problems raised by their synchronization will be discussed at the end of 4.2 below. Processes affect the state of the system by issuing events. These events have two interpretations, but the most important for the purpose of the specification of processes is the executional interpretation. In terms of this interpretation, processes define transition events that are assumed to be executed at their run times. There are three basic forms of transition events: -Generation of an event message; -Transition false/true of a state message; -Transition true/false of a state message. In the standard terminology of the memory dependent

181

models, the second and third transition events correspond respectively to an insertion and a deletion. Besides these basic forms it might be useful to consider the modification form that corresponds to an insertion and the deletion of eventually several modified state assertions. This is just a matter of notational convenience, since nothing new is achieved. It is assumed that an event is generated at the instant of running the process responsible for that generation. But the transitions true/false and false/true only become effective in the following instants. That is to say, if a message was false and at the instant t a transition false/true is executed on it, then the message is only true at all t’ greater than t (disregarding further transitions), but not at f.

4.2 The language For defining complex transitions, a transition imperative logic is needed. This logic is defined herein as an extension to the temporal logic introduced in the previous section. Since processes only act on the current state of the temporal database (eventually recalling some messages from the past, but not changing them), the desired transition logic is very similar to the logic introduced by the author[4] for DMTLZ (see Section 2 above). Besides the symbols already introduced for the temporal logic, the special transition predicate symbols ( E and 3 ) and the transition quantifiers (9 and Y, for each type) are also needed. Then, an event atomic formula may take any of the forms: --E(x,, . . . ,I”) where E is an event predicate symbol of type (i,, . . . , in) and x ), . . . ,xX are terms of types i,, . . . , i, respectively. -_(x It. * . 9X”) ER where R is a state predicate symbol of type (i,, . . . , i.) and x ,, . . . ,x. are terms of types i,, . . . , in respectively. -0 ,,...,x.)3R in similar conditions. The interpretation of these event atomic formulae is straightforward. Naturally the transition predicate E represents a false/true transition and an atomic formula built with it will only be true in I, E I if the associated state messages become true in that state; that is to say, they are false in I, and true in the following elements of I. Similar interpretation is given to an atomic formula involving 3. With these atomic formulae and the others introduced in the previous section, it is possible to build temporal well formed formulae (for short, wflr) following the syntactic rules given therein. Moreover, it is also possible to build well formed transitions (for short, wfts) as follows: -Event atomic formulae are wfts (they may also be called atomic transitions); -If F and G are wfts, so is (that reads F and G), FAG

182

A. SERNADAS

non-arbitrary sequencing. This problem is illustrated in the specification of the order processing system that is F given below. It was also discussed in detail by the author [4] when introducing DMTL2. G Concerning the semantics of a set of processes it must instead; be stressed that nothing is assumed about their relative -If (Yis a wfI and F and G are wfts, then both speeds of execution beyond what is enforced by explicit synchronization rules. This comes close to the concept C&F of concurrent processes as presented in Dijkstra[35]. It and might be argued that the adoption of a total time order a$F ELSE G (through the successive states of the temporal database) are wfts (conditional wfts); precludes the consideration of asynchronous (concur-If F is a wft and the variable x and the quantifiers $5’ rent) processes. That is not the case because such a total and 9’ are of the same type, then both order can always be introduced by the internal time scale of an obseruer (which is not known by each of the 9x(F) (for all x in parallel do F) processes). This argument shows on the other hand that and it is necessary to take into account the limited capabili9x(F) (for all x in sequence do F) ties of an observer. When stating that are wfts. &B Then a process is any conditional wft without free variables (that is to say, all its variables must be bound it is necessary to take into account that what will be observable in general is by quantifications or convolution operators). The executional semantics of wfts was described by 9(A)+B the author[4] in a similar environment. For this reason no attempt is made here to repeat the process. However, where 9(A) is some event corresponding to the delayed some brief comments are justified. For a complete for- observation of A. The properties of the operator 9 are discussed below. mal definition refer to Sernadas[l41. The following diagram shows clearly that the Atomic transitions are interpreted through the actual execution of the transitions involved. Recall that these specification transitions may only refer to the present state of the AJB temporal database, although the choice of the changed precludes a distributed implementation. messages may depend on information from the past. The conjunction of two wfts is interpreted as the simultaneous execution of the actual transitions , represented by each of them. No ordering is assumed. ,’ They are executed independently and are unaware of x’ each other. See supra cita for the formal definition of Observer ’’ , \ this unordered transition connective. Therein all possible \\ clashes are theoretically solved. \\ Naturally the conjunction of wfts is both commutative \\ and associative; these two properties are different \ I aspects of the desired no ordering property. ’ Event B The intuitive interpretation of conditional wfts is In this diagram the arrow - represents the causality straightforward. On the other hand, the transition relation between events A and B. quantifications deserve a closer analysis. Returning to the concurrency problem consider the two Consider for example the simple wft processes P, and PZ as observed by a particular %E(x)) observer. where E is an event predicate of suitable type. F; This wft is interpreted as the issuing of event E for all elements in the domain of the variable x. All these events happen at the same time (in parallel). Writing %E(x))

which may be represented by

4 Event A

I

,

instead, means that the same events are generated but in sequence. Nothing is assumed concerning the applied sequencing rule. Nor is any assumption made on the spacing of the events through time. This sequential quantification is very useful when the application problem requires a sequencing but does not give an explicit rule governing it. This is a subtle form of

Temporalaspects of logical procedure definition Inde~ndently of the observer, event /3 will always precede event CY(because they are causally related). On the other hand 8 and /l are two concurrent events (see for instance Best(36J) and their ordering will depend on the chosen “point” of observation. Finally, it is important to stress the affirmaf& character of the transition logic just described. It is correct to ask for this and that, but it is not correct to ask for this or that. Negation is not allowed for the same reason. And naturally only universal transition quantification (in either form, parallel or sequential) is possible. In order to lighten the no~a~~o~,in the examples below, parentheses are sometimes forgotten. Also, a modification form of event atomic formulae is used. Informally, the interpretation of these transition atomic formulae may be understood, through the following example: (a, b) E&a) corresponds to the “deletion” of all state messages R (they become false) that are of the form (a, x) no matter the x involved; and to the “insertion” of the message (a, b) (that is to say, R(a, b) becomes true). EXAMPLES: These examples refer to the simple order processing system described previously. The following structure is assumed for the relations in the system: INORDER REFORDER CUSTOMER STOCK ORDER BACKORDER REPNOT DELINST

(Customer no, Product no, Quant.) idem (Customer no, Name, Address) (Product no, Quant., Price) (Order no, Customer no, Product no, Quant .) idem (Product no, Quant.) (Name, Address, Order no, Product no, Quant., Debit)

Then the process responsible for the checking of the input orders might be specified as follows: PROCESS Order Checking: 9O,C,P,9 INORDENc, P, 4) 3 (3 at, cu CUSTO~ER( c, cn, ca)

3s, f STOCK(p, s, f) o = 1f max m( %3c’, p’, q’ ORDER@, c’, p’, 9’)) 3 (0, c, P, q) ETORDER ELSE REFORDER(c, p, q).) This process is triggered by INORDER events. Besides checking the customer no and the product code in each input order, this process assigns to each order a unique order no. It is assumed that two orders may never be input at the same time. When that is not the case, there are several input channels and several receiving processes that feed the checking process trough a state relation. The next example illustrates the problem of non-arbitrary sequencing; the sequencing is needed to avoid

183

mistakes in the handling of the stock if it is assumed that several orders may appear at the same time. That should be the case if orders are received through several input channels. Even assuming that simultaneous orders are not possible, sequencing is unavoidable if the process is not assumed instantaneous. Indeed, in this case it is necessary to take into account the possibility of the arrival of several orders when the process is busy with a previous order. The problem of de~uysintroduced by the processes themselves is discussed subsequently. In either case, the relation order must be considered a state assertion and some form of sequencing is needed in the following process: PROCESS Deliveries: Pp, c, cn, ca, q, s, f Yo ORDER(o, c, P, 4 STOCK(p, s, f) CUSTOMER(c, cn, ca) 3 (0, c, P, q) 3 ORDER (S 2 q ~3 DELINST(cn, ce, o, p, q, f*q) (P, s - q, f 1E STOW.P) else(o, c, p, q) E BACKORDER.) It is possible to define explicitly a sequencing rule, instead of using the sequential quantifier (see Sernadas [4]). As an illustration of an important interaction with the past, consider the process responsible for dealing with back orders. This process is similar to the previous one, except in what concerns the assignment of prices. It is a common business requirement that back orders should be processed at the prices valid when they were tirst received. Moreover it is not worthwhile to attempt fulfilling back orders if no replenishment was ever made after them. PROCESS Back Orders: 9p, c, en, ca, q, s,f,f’ Yo BACKORDER( o, c, p, q) ~~BACKORDER(o, c, p, q)(3r REPNOT~p, r)) STOCK@, s, f’) %‘](o,c, p, q) EORDER (3s’STOCK(p, s’, f) CUSTOMER(c, en, ca) szq + (0, c, p, q) 3 BACKORDER @, s - q, f’) E STOCK(p) DELINST(cn, ca, o, p. q, f*q) Naturally it is possible to develop much better specifications (e.g. allowing partial fulfillments and giving priority to backorders), but this simple example is conplex enough to show non-t~vi~ interactions with the past. This frozen price problem is an illustration of the general problem of “delayed messages” (see Waters 1231). The name given by Waters to this class of problems may lead to confusions with a completely different question, the question of the so called “delayed communications” (or delayed knowledge). This new problem

A.

184

SERNADAS

concerns the treatment of messages conveying information about the past. As an illustration, consider the following problem (MasonI37J): The Health Service of a certain country pays its members for every medical consultation. This payment is either full or partial, depending on how frequently its members consult their physicians. More precisely, assume that if a consultation follows another by less than four weeks (28 days) the member in question only receives part of its price. For the sake of simplification assume also that all consultations have the same price. The interesting problem of delayed knowledge arises because in general physicians do not communicate at once to the system their consultations. So, assuming that the payment decision is made on the known previous consultations, it is necessary to revise that decision if a delayed communication affects it later on. Using a state relation of the form COMMCON

(Member, Physician, Date)

it is possible to define the two following processes: PROCESS

Payment:

9m.p. d (m. p, d) E COMMCON Czp’, d’ ZP(COMMCON(m, p’. d’,) A d’ E [d - 28, d]) 3 PARTIAL(m, p, d) ELSE FULL(m, p, d)) Note that this process is triggered off by the “creation” of a COMMCON message. The need to consider this relation as a state relation is found in the specification of the second process. Indeed it is necessary to avoid producing more than one return instruction for each consultation, even if two communications are made simultaneously that imply that action. PROCESS

sultation. In the solution above, the system deals only with messages communicating previously held consultations, This seems to preclude some implementations (e.g. real time communication of each consultation). So it would be advisable to refer to such real time communications in the requirements specification of the system. A new process is introduced which is supported by the physicians and other human components of the system. This process is responsible for passing the real time communications into the computer system. The following specification of this process is in general a mistake: PROCESS

Communication:

9m, P

COWm,

P)

$

COMMCON(m,

p)

since in general a delay will be imposed between the two events. This is precisely the reason why it is worthwhile to make the distinction between them. Even with a terminal in each consulting room such delays are bound to happen. To solve this problem it is useful to introduce a new time operator 9 (the delay operator). If F is a wft, then

is also a w-ft. It will be interpreted as a randomly delayed execution of the transitions specified by E In general, the delay operator will allow us to take into account execution delays (introduced by processes) when they are important from the point of view of the logic of the application problem. In the case of the process above, the delay operator allows the systems analyst to take into account the possibility of a lazy physician to communicate consultations from the previous day or before:

Revision:

%4,d COMMCON(m, p, d) 3 (m, p. d) 3 COMMCON (9~‘. d p’#pvd’Zd d’E[d,d+28] 8 FULL(m, p’* d’) - 8’3p”, d” RETURN(m, p’. d’. p”, d”) 3 RETURN(m, p’, d’, p, d)). Sequentially this process considers each COMMCON message to check if a full payment was ever made that this consultation shows to be incorrect. It is assumed that a consultation by the same member, to the same physician in the same day is impossible. This assumption is made to keep the example reasonably simple. The date in a COMMCON message refers to the object system event corresponding to an actual con-

PROCESS

Communication:

!%p,d

%CONS(m,

PN

d = DAYJCONS(m, p) 3 (m, p, d) E COMMCON. With this approach it is possible to specify administrative procedures that involve the real time messages CONS. These messages may correspond to manual records of the consultations that are kept by the physician. With the delay operator it is possible to establish the link between those messages and their delayed communication to other components of the information system. It is interesting to indicate some properties of the delay operator:

since nothing is assumed concerning the delays introduced by the sequential quantifier.

Temporal aspects of logical procedure definition

-However,

in general,

9(F) A9(G) # 9(F AG): 9(aJF) # 9(a)+Q(F), if a is a transition wff; 9(9%F) # 9@x%(F). Besides the executional semantics discussed in the examples above, bMTLT allows the definition of an alternative semantics free of any executional meaning. Indeed it is possible to see a well formed transition (specifying a process) as an integrity constraint on the temporal database. This is a declarative semantics for which no privileged instant is assumed. The wft specifying a process defines a temporal condition that is sup posed to be satisfied by the temporal database throughout time. In this semantics, atomic transitions are interpreted as event atomic formulae. So a process wft is associated to a truth value. By imposing that it must be always true, a constraint is imposed on the possible contents of the temporal database. Clearly, it is possible to define formally such a semantics along these lines. This decIarative semantics is based on the modal approach to language semantics as expected. Its formal definition is given in Sernadas[ 141.Moreover it is therein proved that the two semantics are equivalent in the sense that two process rules are declaratively equivalent (as logical formulae) iff they are executionally equivalent (as sets of insertions and deletions). Naturally it is necessary to give an alternative purely declarative definition of the transition constructs (g,.Y, 6,3) in order to achieve this desideratum. That is not difhcult within the tense logic framework but it is beyond the scope of this paper. It is important to make some comments on the problem of process ~y~c~~~iz~tio~. In the case of DMTU, it was sufficient to assume that two processes were never allowed to attempt changing the same message at the same time (see supru cita), since in that language the tri~ering by events was not considered. On the contrary, in the case of DMTLT the problem is more complex because the application of this rule may lead to unexpected results. As an illustration, consider the following system:

What happens if two triggering messages a and b appear simultaneously and both I and If try to change the same state message c at the same time? Applying the synchronization rule above, only one of them (it is not

185

known which) is allowed to make the change. Then the other will never be able to make its change since when it is allowed to do so the trigger is no longer present. The responsibility for avoiding such situations is left to the systems analyst. It is a useful sideline, never forget that triggers may only be used once, at the time they happen. Note also that even situations of deadlock are perfectly possible. As a trivial example consider the system composed of the following two processes: PROCESS

I:

PROCESS II: 6% K+%(x) If a and b are event predicates, these two processes will never run, unless some of the events may also be generated elsewhere (e.g. by the environment). Even in such cases, the two processes wilt not interact~te. It is beyond the scope of this paper to discuss any techniques for discovering such deadlock situations. Note that this would be a very desirable feature of any piece of software developed with the purpose of helping the systems analyst, by making automatic consistency checks on DMTLT specifications. DMTLT inherits all the non-procedural feutures of DMTL2 (see Sernadas[4]), which makes it a very high level language for process specification. In particular, the non-executional semantics of the new language is much more precisely defined than the descriptive semantics of its predecessor. No attempt is made to repeat here the analysis of the non-procedurality of these languages, but it is useful to recall that both languages support the following features: -associative referencing; -aggregate operators; -only non-arbitrary sequencing; -no ordering; -pa~llelism; -unifying view of data and procedures; -full process view (besides event triggering); -non-executional semantics; - recursion; -global specification (instead of output item by item specification). Concerning logical completeness (see Codd[7] and Bancilhon 1281)DMTLT is clearly complete as a timeless query language. Moreover its special capabilities concerning the temporal database suggest that it might be. used as the starting temporal completeness standard until a better criterion is introduced. On the other hand DMTLT is also transition complete (see SernadasI41) since it inherits all the transition capabilities of DMTLZ. In the aforementioned paper, a language is said to be t~~nsjtioncomplete iff given two states of a database and a description of one of them in terms of the other and a set of inputs (with a query complete language) it is

186

A. SERNADAS

possible to define the transition from the latter to the former with the language in question. It is worthwhile to notice again that in DMTLT there are two different methods for specifying the process runs. The event triggering method is implied by the need for memory independence. However it was shown previousty that this method is not sufficient to deal with all problems, since it does not allow the definition of sequencings (for example on groups of simultaneous events). Moreover the process view allows a form of transition recursion; indeed a process can itself create state messages that it is able to process in the next run (auto-feeding process). For an illustration concerning a “parts explosion” problem see supru cita. Recall that the inclusion of such state assertions and sequencings is made only when required by the application problem and without any concern on implementation strategy. DMTLT achieves a high degree of memory independence as desired. In fact, the possibility of using a temporal database allows the reference to old events and state assertions. The analyst is able to refer to them without being concerned with their representation in a current storage structure. It may be argued that a pure model should only include events and avoid state assertions. However it was indicated that reasons at the level of the logic of the application problem imply the use of state assertions. Moreover this is more a question of formalism than anything else. Indeed, a state assertion is completely described throughout time by its transition events and the two representations are equivalent. Besides a simpli~cation criterion that might be invoked, the strongest argument in favour of the inclusion of state assertions concerns the limitations of the event triggering approach. To deal with sequencings without state assertions (and the process view possible with them) means to allow processes to be triggered by past events. And this would be against the very concept of a trigger. 5 CONCLUSMlNS The adopted unidirectional model of time allowed the development of a temporal predicate calculus suitable for the specification of systems at the message/process level. A language for process specification is obtained by extending this temporal caIculus to a transition logic. Besides an executionai semantics, this logic also allows the definition of a declarative semantics, in terms of integrity constraints on the temporal database. The two semantics are close to each other which helps the writing of readable specifications. It is important to stress that the in~oduced process specification language is very formal. However it is a soundly defined starting point for the development of friendly versions. In computer-aided applications it might be used as an intermediate language. Moreover, it may be considered for the time being as a standard for tem~r~ languages, since it is possible to express with it a very rich class of temporal conditions. On the other hand, the language is transition complete. Indeed, it is possible to express with it any arbitrarily complex set of changes to the database.

Comp~ing the new language with previous temporal languages, it is to be noticed that it was possible fo find a language that is much less procedural (see Sernadas[4]), but that achieves also a very high degree of memory independence. Moreover DMTLT has stronger capabilities for dealing with the temporal database. The proposed logical approach has the advantage of allowing the introduction of the concepts of interpretation, validity and axiomatic. Along these lines, the temporal database is formally introduced as an interpretation structure for a special modal tense logic. And universally valid formulae can be recognized by two independent methods: the axiomatic and the semantic. Such universa1 assertions are very useful both for the purpose of simplifying specifications and in helping to understand the behaviour of the logical operators involved. There is no doubt that in any sufficiently effective formalism it would be possible to express the following formula:

However, to be able to recognize it as universally true it is necessary to use the logical concepts of interpretation and validity. This seems to be an important weakness of all non-~o~cai formalisms. To take full advantage of the logical approach, further research is necessary on the properties of the underlying dynamic temporal calculus in DMTLT. In particular, theoretical work is needed concerning the problem of existence in the temporal database. Ac~no~ledgemeuts-be author is greatly indebted to Dr. Sam Waters for his support and criticism and also to the Calouste Gulbenkian Foundation for the research scholarship that made this work possible.

REFERENCES [I] J. Bubenko: The temporal dimension in information modelling. In Architecture bnd Modefs in Data Base management Systems (Ed. by G. Nijssen). North-Holland, Amsterdam (1977). PI D. Teichroew: Problem statement analysis: requirements for the problem statement analyser (PSA). ISDOS Working Paper N43. Reprinted in Systems analysis Techniques (Ed. by J. Couger and R. Knapp). (1974). 131C. Grindley: A language for describing formal management systems. Ph.D. Thesis. University of London, 1972. [41A. Sernadas: The information system as an interpretation to a dynamic multitype logic. ACM Trans Database Syst. to be published. PI R. Stamper: LEGOL2: A language for specifying formal organizations. NATO Conf. ~n~o~afion Systems, Crete, 1978. f61P. Mason and S. Jones: Handling time in a query language. LEGOL, WorkingPaper, LSE, London, 1979. 171E. Codd: A relational model of data for large shared data banks. Commun ACM 13(6),377-387(1970). 181I. Nicholas, and H. Gallaire: Data base: theory versus interpretation. In Logic and Data Bases (Ed. by H: Gallaire and J. Minker). Plenum Press. New York (19781. I91 R. Reiter: On closed world d&a bases. In‘Log& and Data Bases (Ed by H. Gallaire and J. Minker). Plenum Press, New York (1978). [lOI E. Codd: Relational completeness of data base sub-languages. IBM RJ 987, 1972.

Temporal aspects of logical procedure de~nition 1111M. Lacroix and A. Pirotte: Domain-oriented relational languages. Proc. Very Large Data Base Conf. Japan, Oct. 1977. [I21 A. Sernadas: The relational database as an interpretation of a multitype first order logic. WorkingPaper, LSE, London, 1978. jI3f H. Enderton: A Matkemutical lnt~da~t~5n to Logic. Academic Press, New York (1972). [I41 A. Semadas Logicai procedure de~nition for i~ormation systems specitication. Ph.D. Thesis in preparation, 1980. [15] CODASYL Development Committee:’ An information algebra-phase I report. Commun ACM S(4). 190-204G%2). [I61 B. Leavenworth: Non-procedural data processing. Co&. i 20(l), 6-9 (1977). [I71 M. Hammer et al.: A very high level programming language for data processing applications. C5mmun ACM 20(l), 832848 (1977). fl8] I. Clark: STREMA: a graphic language for relational applications. IBM UK SC 0084, 1976. 1191I. Clark: STREMA: snecifvina aunlication orocesses usine streams. Camp. /. 21(i), 2j-3<(IbjS). ’ m R. Stamper: Information analysis of administrative systems based on statute law. In Proc. BIFOA Symp., Cologne, 1975. C. Grindley: SYSTEMATICS: A New Approach to Systems 1211 Analysis. McGraw-Hill, New York (1975). 1221C. Grindley: The role of the trigger in systematics. Prac. IFIP TC8 Wurk~agConf. on Formal Models and ~~~t~~ai Tools for ~nf5~at~o~ Systems &sign. Oxford 18-20 April 1979. (Ed. by Hans-Jochen Schneider) North-Holland, Amsterdam (1979). [231S. Waters: Sysfems Specifications. NCC, Manchester (1979). [24 B. Leavenworth and-J. Sammet: An overview of non-prdcedural lanauaaes. ACM SIGPLAN Not. 9c4). l-12 (1974). S. Jones, P.-Mason and R. Stamper: LEGOL2.b: a relational [251 specification language for complex rules. Inform. Syst. 4, 293-305( 1979). f261A. Prior: Past, Present and Future. Oxford University Press. (1967).

187

[27] S. Kripke: Semantical analysis of modal logic I-Normal oropositional calculi. Zeitschrifi fiir Mathematische Loaik ini Grundlagender Mathematik b, 67-% (1%3). ” [28] A. Prior: Diodorean modalities. Philosophical Quart. 2OS213 (1955). [29] C. Scbwind: Ein Formalisms zur Beschreibung der Syntax und Bedeutung von F~8e-Antwort-Systemen. Ph.D. Thesis, Technical University of Munich, 1977. 1301P. Van Emde Boas: The connection between modal logical and algorithmic logic. Proc. 7th Symp. Mathematicul Foundations of Computer Science (Ed. by J. Winkowski). Springer-Verlag, Berlin (1978). [31] G. Hughes and M. Cresswell: An Introduction to Modal Logic. Mathuen, New York (1972). [32] A. Prior: Time and Modality. Oxford University Press (1957). [a] S, Kripke: Semantical considerations on modal logics. Acta P~i~5sp~icaFennica. Modal and Many-valued Logics, 8394, I%3. [34] N. Rescher and J. Garson: Topological logic. J SymboEc Logic 33(4),537-548(1968). [35] E. Dijkstra: Co-operating sequential processes. In ProgrammingLanguages (Ed. by F. Genuys). Academic Press, New York (I%@. [36] E. Best: Aspects of occurrence nets. Advanced Course on General Net Theory of Processes and Systems. Hamburg, 8-18 Oct. 1979. 1371P. Mason: Private &ommuui~t~on,1979. [38] F. Bancilhon: On the completeness of query languages for relational data bases. In Proc. 7th Symp. ~athemuticai Foundations of Computer Science (Ed. by J. Winkowski). Springer-Verlag, Berlin (1978). [39] J. Lucas A Treatise on Time and Space. Methuen, New York (1973). [40] R. Bull: An algebraic study of diodorean modal systems. J. Symbolic Logic 30,584 (1%5). [41] S. Thomason: Semantic analysis of tense log&. .I. Symbolic Logic 37(l), 150-158(1972).