Formalising the Continuous/Discrete Modeling Step
Formally capturing the transition from a continuous model to a discrete model is investigated using model based refinement techniques. A very simple model for stopping (eg. of a train) is developed in both the continuous and discrete domains. The dif…
Authors: Richard Banach (University of Manchester, UK), Huibiao Zhu (East China Normal University
J. Derrick, E.A. Boiten, S. Reeves (Eds.): Refinement Workshop 2011. EPTCS 55, 2011, pp. 121–138, doi:10.4204/EPTCS.55.8. © R. Banach, H. Zhu, W. Su, R. Huang

Richard Banach∗, School of Computer Science, University of Manchester, Oxford Road, Manchester, M13 9PL, U.K. banach@cs.man.ac.uk
Huibiao Zhu†, Wen Su, Software Engineering Institute, East China Normal University, 3663 Zhongshan Road North, Shanghai 200062, P.R. China. {hbzhu,wensu}@sei.ecnu.edu.cn
Runlei Huang, Alcatel-Lucent Shanghai Bell, 388 Ningqiao Road, Pudong Jinqiao, Shanghai 201206, P.R. China. runleihuang@alcatel-sbell.com.cn

Formally capturing the transition from a continuous model to a discrete model is investigated using model based refinement techniques. A very simple model for stopping (eg. of a train) is developed in both the continuous and discrete domains. The difference between the two is quantified using generic results from ODE theory, and these estimates can be compared with the exact solutions. Such results do not fit well into a conventional model based refinement framework; however they can be accommodated into a model based retrenchment. The retrenchment is described, and the way it can interface to refinement development on both the continuous and discrete sides is outlined. The approach is compared to what can be achieved using hybrid systems techniques.

1 Introduction

Conventional model based formal refinement technologies (see for example [37, 19, 38, 1, 34, 43, 2]) are based on purely discrete mathematical and logical concepts. These turn out to be ill suited to modeling and formally developing applications whose usual models are best expressed using continuous mathematics. Nevertheless, many such applications, control systems in particular, are these days implemented using digital techniques. So there is a mismatch between continuous modeling and discrete development techniques.
In this paper we tackle this mismatch head on. Although traditional model based refinement is too exacting to straddle the continuous to discrete demarcation line, a judicious weakening of it, retrenchment, proves to be adaptable enough to do the job, which we show. Importantly, retrenchment techniques interface well with refinement, so that a development starting from continuous and ending at discrete can be captured in an integrated way.

In this paper we tackle the continuous to discrete issue by taking a simple running example, one that can be solved fully by analytic means in both the continuous and discrete domains, and tracing it through the critical formal development step. We start with a continuous control problem: bringing an object (eg. a train) to a halt. This is formulated as a continuous control problem, and given the (deliberately chosen) simplicity of the problem, an exact solution is presented. In reality, continuous control is implemented these days via digital controllers. These periodically read inputs and recompute outputs at multiples of a sampling interval during the dynamics. In this sense, the control becomes discretized, although the discretized control is obviously still played out in the continuous real world.

∗ The majority of the work reported in this paper was done while the first author was a visiting researcher at the Software Engineering Institute at East China Normal University. The support of ECNU is gratefully acknowledged.
† Huibiao Zhu is supported by the National Basic Research Program of China (No. 2011CB302904), the National Natural Science Foundation of China (No. 61061130541), China HGJ Significant Project (No. 2009ZX01038-001-07), and Doctoral Program Foundation of Institutions of Higher Education of China (No. 200802690018).
We thus remodel the continuous problem as a discrete control problem, and derive a formal description of the discretization step via a suitable retrenchment, drawing on rigorous results from the theory of ordinary differential equations (ODEs) to supply the justification. Given the limited size of this paper, our technical focus is on this critical step, and the remainder of the development (comprising the associated refinements either side of it) is sketched rather than treated in detail. The latter is a task for which a fuller treatment will be given in the extended version of the paper.

The rest of the paper is as follows. We start in Section 2 by describing relevant existing work in the hybrid systems domain and how it contrasts with our own approach, after which we get down to details. Section 3 then formulates our train stopping problem as a conventional open loop continuous control problem. Section 4 then describes the discretization of the control problem using a simple zero order hold strategy. In Section 5 we review what we need of ASM refinement and retrenchment in a form suitable for our problem. Section 6 then shows how our earlier discretization process can be captured using a suitable retrenchment, citing the needed ODE results. Section 7 sketches how all this can fit into a wider formal development strategy, in which the greater flexibility of retrenchment can be combined with the stronger guarantees offered by refinement via the Tower Pattern [8, 28]. Section 8 concludes.

2 Related Work

The relationship between continuous and discrete transition systems has long been a topic for investigation in the hybrid systems field. Earlier work includes [4, 26, 5, 25]; also, the International Conference on Hybrid Systems: Computation and Control, has been the venue for a large amount of research in this area. A more recent reference is [42].
Hybrid systems are dynamical systems that mix smooth, continuous transitions with discrete, discontinuous ones. The major focus in this field has been the automatic verification of properties of such systems. Obviously, such verification demands the representation of the systems in question in discrete and finite terms, whether by means of an explicitly constructed finite state space (which is manipulated directly), or a state space whose states arise via the symbolic representation of the less tractable state space of a previously constructed underlying system (which is manipulated symbolically).

The main tool for bringing an intractable state space within the scope of computable techniques is the equivalence relation. Regions of the state space are gathered into equivalence classes, and a representation of these equivalence classes (whether as individual elements in a simple approach, or as symbolic expressions that denote the equivalence class in question) constitutes the state space of the abstraction. Transitions between these states are introduced to mirror the behaviour of the underlying system. The properties of interest can then be checked against the abstract system. For instance, properties that can be expressed as reachability properties fall within the scope of model checking approaches that are applied to the abstraction. Of course what has been constructed thereby is a (bi)simulation, and a major strand of hybrid systems research is the investigation of such (bi)simulations. The same remarks apply when there is an external control applied to the systems.

One disadvantage of the above approach is the frequent reliance on brittle properties of the studied systems. Put most simply, a number of techniques rely on the parameters of the problem falling within a subset of measure zero of the parameter space. Real systems can never hit such small targets reliably. Equally, the simulation relations studied can also be just as brittle.
To alleviate this, and to address other issues of interest, the notion of approximate (bi)simulation has been studied in recent years ([42] gives a good introduction). Here, instead of defining the simulation relation $R(u,v)$ between an abstract state $u$ and a concrete state $v$ as a simple predicate on states, it is defined via a distance function $d$ as $R_\varepsilon(u,v) \equiv d(f(u), v) \le \varepsilon$, where $f$ is a precise relationship between the two state spaces which is in some sense “semantically natural” (we don't have space to elaborate on this aspect here). For bisimulation you need a symmetrical arrangement of course.

(Bi)simulation depends on assuming the appropriate relation between the two before-states and re-establishing it in the after-states of suitable pairs of transitions. To preserve a relationship based on distance, the dynamics needs to be inherently stable. The obvious centre of attention thus becomes stable control systems, normally linear stable control systems, because of their calculational tractability. These are discussed in very many places, eg. [32, 20, 22, 18, 3, 40, 11, 6].

In a stable system all trajectories converge to a single point, so the distance between two trajectories decreases monotonically; hence a simulation relation based on distance between trajectories is maintained. But although most systems are designed to be stable in this sense, some are not, and there can be parts of a system phase space in which trajectories diverge rather than converge, without rendering the system useless. Below, we treat in detail a very simple example which happens to be unstable in the sense just discussed. We know it is not stable because we solve it exactly.

Also, in the usual hybrid systems literature, it is normal that the discrete approximation to a given system is manufactured from it (eg. by constructing equivalence classes, as indicated above).
In our approach, by contrast, we take a more “off the shelf” attitude to discretization, analysing a straightforward “zero order hold” version of the continuous system (in which the new output values to be sent to the actuators are recalculated at regular intervals, and the new values are “held” for the duration of the next interval¹) rather than something extracted from an analysis of the original system. In this sense our approach is closer to conventional engineering practice, since it is directed at the typical practical approach. Of course these two ways of doing things are not mutually exclusive: the parameters of the zero order hold may fall within the parameters of a discrete approximation extracted by analysis of the original system, and vice versa.

Finally, our approach is via retrenchment, one consequence of which is that our analysis is not confined to the purely stable case. In effect, the greater expressiveness of retrenchment permits (the analogue of) the simulation relation mentioned above, to increase its permitted margin of error, as well as to decrease it, although this emerges indirectly.

3 Train Stopping: a Continuous Control System

Our target application domain is control problems in the railway sphere. In this paper we have train stopping as a specific case study. Of course, in reality, train position control is a complex problem [41, 27], relying on the co-operation of many mechanisms to achieve a reliable outcome, and we do not have the space to deal with all these aspects and their subtle interactions. Instead we focus on a single technical issue —the relationship between a continuous control problem and its discrete counterpart— in a very simple way, commenting on the extreme simplicity below.

Suppose a train, of mass $M$, is traveling at its cruise velocity $V$, when it needs to stop. We assume that a linearly increasing deceleration rate $a$ is appropriate.
(It has to be said here that our notion of appropriateness is not quite the usual one. Rather than usability or any similar consideration governing our choice, simplicity is the priority. A constant deceleration would have been even simpler — unfortunately the zero order hold approximation to constant deceleration is identical to it, trivialising our problem.)

¹ “Zero order” refers here to “holding” the output value constant throughout the interval, in contrast to a higher order hold which would use a suitably designed higher order polynomial.

To bring the train to a standstill using linearly increasing deceleration, a force $F = -M a t$ (where $t$ is time) has to be applied, by Newton's Law. We will assume that $M$ is known, so that we can focus on just the kinematic aspects.

A cursory knowledge of kinematics is enough to reveal that under linear deceleration, the deceleration, distance and stopping time are linked. We suppose that there is a single stopping episode, which starts at time 0 and at $x$ position 0, and which ends at time $T_{Stop}$, with the train having traveled to position $x = D$. Representing time derivatives with a dot, if $v$ is the velocity, then we know that

$$\dot v = -a t, \qquad v(0) = V, \qquad v(T_{Stop}) = 0 \qquad (1)$$

Regarding the distance traveled $x$, we know that

$$\dot x = v, \qquad x(0) = 0, \qquad x(T_{Stop}) = D \qquad (2)$$

Integrating these, rapidly brings us to

$$V = \tfrac{1}{2} a T_{Stop}^2, \qquad D = V T_{Stop} - \tfrac{1}{3!} a T_{Stop}^3 = \tfrac{2}{3} V T_{Stop} \qquad (3)$$

We now recast the above as a control theory problem. At the introductory level, control theory is usually developed in the frequency domain [32, 20, 22, 18], because of the relative simplicity and perspicuity of the design techniques in that domain. However, for results sufficiently rigorous to interface to formal techniques, we need to go to the state space formulation favoured by more mathematically precise treatments [3, 40, 15, 14, 11, 6].
In the state space picture, the system consists of a number of state variables, and their evolution is governed by a corresponding number of first order differential equations. State variables and differential equations mirror the states and transition systems of model based refinement formalisms sufficiently closely that we can hope to make a connection between them. To use the first order framework in our example, the state has to consist of both the position $x(t)$ and the velocity $v(t)$. So we get the state vector

$$\mathbf{x}(t) = \begin{pmatrix} x(t) \\ v(t) \end{pmatrix} \qquad (4)$$

The dynamics of the system is captured in the equation²

$$\dot{\mathbf{x}}(t) = \begin{pmatrix} \dot x(t) \\ \dot v(t) \end{pmatrix} = \mathbf{f}(\dot x(t), u(t)) = \begin{pmatrix} v(t) \\ u(t) \end{pmatrix} \qquad (5)$$

where

$$u(t) = -a t \qquad (6)$$

is the external control signal. We also have the initial condition

$$\mathbf{x}(0) = \begin{pmatrix} 0 \\ V \end{pmatrix} \qquad (7)$$

² It is clear that when (5) is expressed as a linear control law (with external control signal), the linear part has only zero eigenvalues. Thus it is not stable in the usual (Liapunov) sense.

4 From Continuous Control to Discrete Control

To truly implement a continuous control model, such as our case study, requires analogue apparatus. In the highly digitized world of today, hardly any such systems are built. Instead, continuous control designs are discretized, and it is the corresponding digital control systems that are implemented. The digital approach to control has many parallels with the continuous case — in the frequency domain the main difference is the use of the $z$-transform rather than the Laplace transform. The state based picture too boasts many parallels, with first order difference equations replacing first order differential equations [23, 24, 33, 29]. In this section we examine a discrete counterpart of the previous continuous control problem, in preparation for a formal reappraisal in the next section.
One advantage of the extreme simplicity of our example, is that it admits an analytic solution in both continuous and discrete domains, enabling an incisive evaluation to be made later, of the reappraisal in Section 6.3.

The starting point for our problem remains as before: the train, traveling at velocity $V$, needs to stop after time $T_{Stop}$, having gone a distance $D_D$.³ Instead of doing so continuously though, it will do it in a number of discrete episodes. For this purpose, let us assume that $T_{Stop}$ is divided into $N$ short periods, each of length $T$, so that

$$T_{Stop} = N T \qquad (8)$$

Our discretization scheme will be based on a zero order hold, in which the same control input value is maintained throughout an individual time period. The counterpart of the linear deceleration rate $a$ of the continuous treatment, will be a piecewise constant deceleration, with the constant rate decreasing by an additional multiple of a constant $a_D$ after each time interval of length $T$. Calling the discretized velocity variable $v_D$, we have for the acceleration

$$\dot v_D(t) = -k a_D T \qquad (9)$$

where

$$k = \lceil t / T \rceil \qquad (10)$$

and $k$ ranges over the values $1 \ldots N$. If we set, for a general $t$,

$$\delta t_k = t - (k-1) T = t - \lfloor t / T \rfloor T \qquad (11)$$

then recalling that the initial velocity is $V$, provided $(k-1)T < t < kT$, the velocity during the $k$'th period is

$$v_D(t) = V - a_D T^2 - 2 a_D T^2 - \ldots - (k-1) a_D T^2 - k a_D T \, \delta t_k \qquad (12)$$

Since the final velocity is zero, we derive

$$V = a_D T^2 + 2 a_D T^2 + \ldots + N a_D T^2 = \tfrac{1}{2} a_D T^2 N (N+1) \qquad (13)$$

³ We will use a subscript ‘D’ to indicate quantities in the discretized model that differ from their continuous counterparts.

Knowing the velocity, we can integrate again, and work out the distance traveled. Calling the displacement in the discretized world $x_D$, the contribution to $x_D$ during the period $(k-1)T < t < kT$ comes out as

$$\bigl(V - a_D T^2 - 2 a_D T^2 - \ldots - (k-1) a_D T^2\bigr)\, \delta t_k - \tfrac{1}{2} k a_D T \, \delta t_k^2 \qquad (14)$$

Thus for the total distance we find

$$D_D = N V T - a_D T^3 \sum_{k=1}^{N-1} (N-k)\, k - \tfrac{1}{2} a_D T^3 \sum_{k=1}^{N} k = V T_{Stop} - \tfrac{1}{12} a_D T^3 (2N^3 + 3N^2 + N) \qquad (15)$$

Both (13) and (15) feature $a_D$. Substituting the $a_D$ value from (13) into (15) gives

$$D_D = V T_{Stop}\left(1 - \frac{2N^2 + 3N + 1}{6N^2 + 6N}\right) = \tfrac{2}{3} V T_{Stop}\left(1 - \frac{1}{4N} + O(N^{-2})\right) \qquad (16)$$

We see that (16) for $D_D$ contains an $O(1/N)$ correction compared with (3) for $D$ (assuming we keep $V$ and $T_{Stop}$ the same). This is because we have an extra constraint generated by the requirement that $T_{Stop}$ is an integral multiple of $T$, making the problem overconstrained if we wished $D$ and $D_D$ to be the same.

Recasting the preceding as an initial value first order system along the lines of (4)-(7) is not hard. The state vector is

$$\mathbf{x}_D(t) = \begin{pmatrix} x_D(t) \\ v_D(t) \end{pmatrix} \qquad (17)$$

and the dynamics of the system is captured in the equation

$$\dot{\mathbf{x}}_D(t) = \begin{pmatrix} \dot x_D(t) \\ \dot v_D(t) \end{pmatrix} = \mathbf{f}(\dot x_D(t), u_D(t)) = \begin{pmatrix} v_D(t) \\ u_D(t) \end{pmatrix} \qquad (18)$$

where

$$u_D(t) = \dot v_D(t) = -k a_D T \qquad (19)$$

as given by (9), is the external control. We also have the initial condition

$$\mathbf{x}_D(0) = \begin{pmatrix} 0 \\ V \end{pmatrix} \qquad (20)$$

It is hard not to notice how much more complicated the above is compared with (1)-(7). It is always so with discrete systems — hence the strong desire to model systems in the continuous domain. The very rapid ramp-up in complexity when we consider the discrete version of a continuous problem is our justification for restricting to a particularly simple example. The ability to keep the complexity still low enough to permit an exact solution, is extremely useful in an investigation such as this one, allowing a comparison between exact and approximate approaches to be made with confidence.

[Figure 1: An ASM $(m,n)$ diagram, showing how $m$ abstract steps, going from state $x$ to state $x'$ simulate $n$ concrete steps, going from $y$ to $y'$. The simulation is embodied in the retrieve relation $R$, which holds for the before-states of the series of steps $R(x,y)$, and is re-established for the after-states of the series $R(x',y')$.]

5 ASM Refinement and Retrenchment

In this section we review what we need of ASM refinement and retrenchment, which will be the vehicles for formalization in this paper. The standard reference for the ASM method is [13], building on the earlier [12]. In general, to prove an ASM refinement, one verifies so-called $(m,n)$ diagrams, in which $m$ abstract steps simulate $n$ concrete ones. The situation is illustrated in Fig. 1, in which we suppress input and output for clarity. For this paper, it will be sufficient to focus on the refinement proof obligations (POs) which are the embodiment of this policy. The first is the initialization PO:

$$\forall y' \bullet\; CInit(y') \Rightarrow (\exists x' \bullet\; AInit(x') \wedge R(x', y')) \qquad (21)$$

In (21), it is demanded that for each concrete initial state $y'$, there is an abstract initial state $x'$ such that the retrieve or abstraction relation $R(x', y')$ holds. The second PO is correctness, and is concerned with the verification of the $(m,n)$ diagrams. For this, we have to have some way of deciding which $(m,n)$ diagrams are sufficient for the application. Let us assume that we have done this.
Let $CFrags$ be the set of fragments of concrete execution sequences that we have previously determined will permit a covering of all the concrete execution sequences of interest for the application. We write $y::ys::y' \in CFrags$ to denote an element of $CFrags$ starting with concrete state $y$, ending with concrete state $y'$, and with intervening concrete state sequence $ys$. Likewise $x::xs::x' \in AFrags$ for abstract fragments. Also, let $is, js, os, ps$ denote the sequences of abstract inputs, concrete inputs, abstract outputs, concrete outputs, respectively, belonging to $x::xs::x'$ and $y::ys::y'$, and let $In(is, js)$ and $Out(os, ps)$ denote suitable input and output relations. Then the correctness PO reads:

$$\forall x, is, y, ys, y', js, ps \bullet\; y::ys::y' \in CFrags \wedge R(x,y) \wedge In_{AOps,COps}(is, js) \wedge COps(y::ys::y', js, ps) \Rightarrow (\exists xs, x', os \bullet\; AOps(x::xs::x', is, os) \wedge R(x', y') \wedge Out_{AOps,COps}(os, ps)) \qquad (22)$$

In (22), it is demanded that when there is a concrete execution fragment of the form $COps(y::ys::y', js, ps)$, carried out by a sequence of concrete operations $COps$, with state sequence $y::ys::y'$, input sequence $js$ and output sequence $ps$, such that the retrieve and input relations $R(x,y) \wedge In(is, js)$ hold between concrete and abstract before-states and inputs, then an abstract execution fragment $AOps(x::xs::x', is, os)$ can be found to re-establish the retrieve and output relations $R(x', y') \wedge Out(os, ps)$. The ASM refinement policy also demands that non-termination be preserved from concrete to abstract, but we will not need that in this paper.

We now turn to retrenchment. For retrenchment, [10, 9] give definitive accounts; latest developments are found in [36]. See also [7] for formulations of retrenchment adapted to several specific model based refinement formalisms including ASM. Like refinement, retrenchment is also characterized by POs: an initialization PO identical to (21), and a “correctness” PO which weakens (22) by inserting within, output and concedes relations, $W_{Op}$, $O_{Op}$, $C_{Op}$ respectively into (22), to give extra flexibility and expressivity. In particular, the concession $C_{Op}$ weakens the conclusions of (22) disjunctively, giving room for many kinds of “exceptional” behaviour. The result is:

$$\forall x, is, y, ys, y', js, ps \bullet\; y::ys::y' \in CFrags \wedge R(x,y) \wedge W_{AOps,COps}(is, js, x, y) \wedge COps(y::ys::y', js, ps) \Rightarrow (\exists xs, x', os \bullet\; AOps(x::xs::x', is, os) \wedge ((R(x', y') \wedge O_{AOps,COps}(x::xs::x', is, os, y::ys::y', js, ps)) \vee C_{AOps,COps}(x::xs::x', is, os, y::ys::y', js, ps))) \qquad (23)$$

To ensure that retrenchment only deals with well defined transitions, and to ensure smooth retrenchment/refinement interworking, we also insist that $R \wedge W_{Op}$ always falls in the domain of the requisite operations, though this is another thing not needed here.

The smooth interworking between refinements and retrenchments is guaranteed by the Tower Pattern. The basic construction for this is shown in Fig. 2.

[Figure 2: The Tower Pattern basic square, with refinements vertical, retrenchments horizontal: corners $A$, $B$, $C$, $D$, with edges $Ref_{A,C}$, $Ret_{C,D}$, $Ret_{A,B}$, $Ref_{B,D}$.]
There, refinements are vertical arrows and retrenchments are horizontal, and the two paths round the square from $A$ to $D$ (given by composing $Ref_{A,C}$ with $Ret_{C,D}$ on the one hand, and on the other, by composing $Ret_{A,B}$ with $Ref_{B,D}$) are compatible, in the sense that they each define a portion of a (potentially larger) retrenchment from $A$ to $D$.

At this point one might legitimately ask what all the above has to do with our case study, in which the dynamics that we considered is entirely in the continuous domain (albeit taking into account discontinuous control inputs when necessary). The answer lies in the focus on the use of paths through the system at both abstract and concrete levels in the POs of ASM. With this focus, it is unproblematic to reconfigure the $(m,n)$ rules (22) and (23) to deal with continuous paths rather than discrete ones. Thus $CFrags$ and $AFrags$ can now refer to fragments of continuous system trajectories, rather than sequences of state-to-state hops. Likewise the $is$ and $js$ in $W_{AOps,COps}(is, js, x, y)$ now refer to the continuous input signals along the trajectories, and so on for the other terms in (22) and (23). We see this exemplified in detail in the retrenchment of Section 6.2.

6 Formalizing the Continuous to Discrete Modeling Change

In the control literature, one finds many ways of discretizing continuous designs (see loc. cit.), and the evaluation of the relationship between continuous and discrete is often based on ad hoc engineering rules of thumb. While these typically yield perfectly good results in practice, the criteria used fall far short of the kind of precision needed for a good fit with model based formal development techniques.
As a consequence, when model based formal development techniques are used to support the digital implementation of the discrete counterpart of some continuous design, the formal modeling inevitably starts already in the discrete domain. Obviously this yields a weaker formal support for the process than if the formal modeling had started earlier, at the continuous design stage, and was integrated into all the subsequent design steps, including the change from continuous to discrete.

Our objective in this paper is to illustrate how to make a judgement about the discretization of a control problem, that has enough precision to integrate well with model based formal technologies. To achieve this we have recourse to the rigorous theory of ODEs. It can be shown⁴ that two instances of a control problem which differ solely in the input control satisfy an inequality:

$$\|\mathbf{x}_u - \mathbf{x}_{D,u_D}\| \le K_2 \, \|u - u_D\|_2 \qquad (24)$$

In (24), $\|\mathbf{x}_u - \mathbf{x}_{D,u_D}\|$ is the $L_\infty$ norm of $\mathbf{x}_u - \mathbf{x}_{D,u_D}$, or, in plain English, the maximum value over the interval $[0 \ldots T_{Stop}]$ attained by the difference between continuous and discrete values of any state component. Likewise, $\|u - u_D\|_2$ is the $L_2$ norm of $u - u_D$, or, in plain English, the root integrated square difference between $u$ and $u_D$, calculated over the interval $[0 \ldots T_{Stop}]$. Finally, $K_2$ is a constant.

We note that the continuous and discrete versions of our case study, with initial states (7) and (20), over the time interval from 0 to $T_{Stop}$, characterize just such a scenario, since (5) and (7) differ from (18) and (20) only in the use of $u_D$ rather than $u$ among the independent variables.

6.1 Rigorous Bounds on Continuous and Discrete Systems

We now flesh out what (24) means for our little case study. We consider the values of the quantities on the right hand side of (24) in order to obtain a bound for the value of the left hand side.
⁴ In the extended version of this paper it is shown.

Referring to (24), theory furnishes an explicit value for the constant $K_2$, namely

$$K_2 = e^{K_{\mathbf{f}}} \, \|k_u\|_2 \qquad (25)$$

In (25) $K_{\mathbf{f}}$ is $k_{\mathbf{f}} T_{Stop}$, where $k_{\mathbf{f}}$ is the $L_\infty$ norm of $\mathbf{f}_{\mathbf{x}}$, or, the absolute maximum value (over the interval $[0 \ldots T_{Stop}]$) of the Lipschitz constant governing the variation of the control law $\mathbf{f}$ with respect to the state. In our application, the form of the control law is

$$\mathbf{f}(v(t), u(t)) = \begin{pmatrix} v(t) \\ u(t) \end{pmatrix} \qquad (26)$$

and it is clear that there is only one component of $\mathbf{f}$ with a non-zero partial derivative with respect to either $x$ or $v$, namely the first

$$\frac{\partial \mathbf{f}_1}{\partial v} = 1 \qquad (27)$$

With this, the first factor of (25) is just $e^{T_{Stop}}$. Regarding the second factor, $\|k_u\|_2$ is the root integrated square value of the Lipschitz constant governing the variation of the control law with respect to the input control signal. Again there is only one component of $\mathbf{f}$ with a non-zero partial derivative with respect to $u$, namely the second

$$\frac{\partial \mathbf{f}_2}{\partial u} = 1 \qquad (28)$$

so the root integrated square reduces to $\sqrt{T_{Stop}}$. So we get

$$K_2 = e^{T_{Stop}} \sqrt{T_{Stop}} \qquad (29)$$

Turning to the second factor on the right hand side of (24), $\|u - u_D\|_2$, we recall that we know explicitly what $u$ and $u_D$ are from our earlier calculations. From (6) and (19) we know that

$$u(t) = -a t, \qquad u_D(t) = -k a_D T \qquad (30)$$

where, from (3) and (13)

$$a = \frac{2V}{T_{Stop}^2}, \qquad a_D = \frac{2V}{T_{Stop}^2\,(1 + 1/N)} \qquad (31)$$

Now (30) shows that $u(t)$ decreases linearly, and that $u_D(t)$ is a staircase function, decreasing in equal sized steps near $u(t)$. It is clear from (30) that in the limit $t \to 0^+$, we have $u(0^+) = 0$ and $u_D(0^+) = -a_D T$, so that $u(0^+) - u_D(0^+) = a_D T$.
It is also clear from (30) that in the limit $t \to T_{Stop}^-$, we have $u(T_{Stop}^-) = -a T_{Stop}$ and $u_D(T_{Stop}^-) = -N a_D T = -a_D T_{Stop}$, so that $u(T_{Stop}^-) - u_D(T_{Stop}^-) = (a_D - a) T_{Stop} = a_D T_{Stop}[1 - (1 + 1/N)] = -a_D T_{Stop}/N = -a_D T$. Since the staircase has equal sized steps, it is evidently the case that the staircase $u_D(t)$ ranges around $u(t)$ within a bound $a_D T$:

$$|u(t) - u_D(t)| \le a_D T \qquad (32)$$

This furnishes a suitable overestimate for the root integrated square difference between $u(t)$ and $u_D(t)$ as follows

$$\|u - u_D\|_2 \le \sqrt{\int_{t=0}^{T_{Stop}} [a_D T]^2 \, dt} = a_D T \sqrt{T_{Stop}} \qquad (33)$$

Substituting all the values we have obtained into (24), we get

$$\|\mathbf{x}_u - \mathbf{x}_{D,u_D}\| \le e^{T_{Stop}} \sqrt{T_{Stop}} \times a_D T \sqrt{T_{Stop}} = e^{T_{Stop}} \, a_D T \, T_{Stop} \qquad (34)$$

We see that despite the potential for the deviation between $u(t)$ and $u_D(t)$ to grow exponentially with the size of the time interval, a possibility severely exacerbated by our rather crude bound (33), it is always possible to reduce it by an arbitrary amount by making the discretization, measured by $N$, fine enough.

6.2 Turning Rigorous Bounds into Retrenchment Data

Now that we have a precise relationship between the continuous and discrete control systems, we can look to incorporate this into our model based formal description.

In general, the exigencies of model based formal refinement are too exacting to be able to accommodate the kind of relationships just derived. Retrenchment though, has been purposely designed to be more forgiving in this regard, so that is what we will use. Regardless of which model based formal description technique is adopted, there is the issue that all such techniques are designed for discrete state transitions, and presume a well defined notion of “next state”, to which an equally clear notion of “current state” can be related.
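As an added worked example (not from the paper), the Python below evaluates the exact continuous solution (3) and the zero order hold model of Section 4 period by period, checks the simulated $D_D$ against the closed form (16), and compares the actual maximum state deviation and $|u - u_D|$ against the bounds (34) and (32) of Section 6.1; the numeric values of $V$, $T_{Stop}$ and $N$ are constructed sample inputs.

```python
"""Added worked example (not from the paper): exact continuous and
zero-order-hold discrete train-stopping models, eqs. (3), (8)-(16),
(30)-(34). The numeric values V, T_Stop, N used below are constructed."""
import math


def continuous_state(t, V, T_stop):
    """Exact solution of (1)-(3): returns (x(t), v(t), u(t)) for 0 <= t <= T_stop."""
    a = 2.0 * V / T_stop ** 2                  # from (3): V = a T_stop^2 / 2
    v = V - 0.5 * a * t * t
    x = V * t - a * t ** 3 / 6.0
    u = -a * t                                  # control signal (6)
    return x, v, u


def discrete_params(V, T_stop, N):
    """Period length T from (8) and the step constant a_D from (13)."""
    T = T_stop / N
    a_D = 2.0 * V / (T * T * N * (N + 1))
    return T, a_D


def discrete_state(t, V, T_stop, N):
    """Zero-order-hold model of Section 4: returns (x_D(t), v_D(t), u_D(t)).

    In period k (k = ceil(t/T), eq. (10)) the acceleration is held at
    -k a_D T (eq. (9)); velocity and position are integrated exactly
    period by period, so no numerical ODE solver is involved.
    """
    T, a_D = discrete_params(V, T_stop, N)
    if t <= 0.0:
        return 0.0, V, -a_D * T                 # limit t -> 0+ of (30)
    # small slack keeps t = kT in period k despite float round-off
    k = max(1, min(N, math.ceil(t / T - 1e-9)))
    dt_k = t - (k - 1) * T                       # eq. (11)
    # velocity at the start of period k: V minus a_D T^2 (1 + 2 + ... + (k-1))
    v_start = V - a_D * T * T * (k - 1) * k / 2.0
    x_start = 0.0
    for j in range(1, k):                        # accumulate (14) over completed periods
        v_j = V - a_D * T * T * (j - 1) * j / 2.0
        x_start += v_j * T - 0.5 * j * a_D * T ** 3
    v = v_start - k * a_D * T * dt_k             # eq. (12)
    x = x_start + v_start * dt_k - 0.5 * k * a_D * T * dt_k ** 2   # eq. (14)
    u = -k * a_D * T                             # eq. (19) / (30)
    return x, v, u


def stopping_distances(V, T_stop, N):
    """D from (3), D_D by exact period-wise integration, and D_D from the closed form (16)."""
    D = 2.0 * V * T_stop / 3.0
    D_sim = discrete_state(T_stop, V, T_stop, N)[0]
    D_closed = V * T_stop * (1.0 - (2.0 * N * N + 3.0 * N + 1.0) / (6.0 * N * N + 6.0 * N))
    return D, D_sim, D_closed


def deviation_vs_bound(V, T_stop, N, samples=20000):
    """Max state deviation over [0, T_stop] versus the rigorous bound (34), and
    max |u - u_D| versus (32). Returns (max_state_dev, bound_34, max_u_dev, bound_32)."""
    T, a_D = discrete_params(V, T_stop, N)
    max_state_dev = 0.0
    max_u_dev = 0.0
    for i in range(samples + 1):
        t = T_stop * i / samples
        x, v, u = continuous_state(t, V, T_stop)
        x_D, v_D, u_D = discrete_state(t, V, T_stop, N)
        # L-infinity norm over both state components, as in (24)
        max_state_dev = max(max_state_dev, abs(x - x_D), abs(v - v_D))
        max_u_dev = max(max_u_dev, abs(u - u_D))
    bound_34 = math.exp(T_stop) * a_D * T * T_stop
    bound_32 = a_D * T
    return max_state_dev, bound_34, max_u_dev, bound_32


if __name__ == "__main__":
    # constructed sample: cruise at 20 m/s, stop in 10 s, N = 5 hold periods of T = 2 s
    V, T_stop, N = 20.0, 10.0, 5
    print("D, D_D (simulated), D_D (eq. 16):", stopping_distances(V, T_stop, N))
    print("state deviation vs (34), |u-u_D| vs (32):", deviation_vs_bound(V, T_stop, N))
```

The exact discrete integration makes visible what (16) states: for these inputs $D_D$ falls short of $D$ by the factor $1 - 1/(4N)$, while the crude bound (34) exceeds the actual deviation by orders of magnitude because of the $e^{T_{Stop}}$ factor.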
In continuous dynamics there is no sensible notion of next state that we can immediately use. However, as we noted above, the $(m, n)$ diagram approach of ASM refinement makes clear that it is paths at abstract and concrete levels that are being related. Thus, although we avoid technical details in this paper, we extend the ASM approach to incorporate continuous paths as well as discrete ones. The incentive to do this was one strong reason for choosing ASMs in this work. (Note that this perspective on refinement between paths is equally applicable to both the continuous and discretized versions of our control problem. In the continuous problem there is a single continuous path. In the discretized problem there are $N$ consecutive shorter continuous "zero order held" paths, interleaved, at the instants $kT$, by the discrete recalculations of the output signal, thus constituting a path comprising both continuous and discrete components.) Since the rigorous results we use concern the same starting state for the two systems, our formal statement is constrained to be an end-to-end one. It will express an end-to-end relationship between the smooth dynamics at the continuous level, and the discretized level's dynamics (which is continuous too, though punctuated at every multiple of $T$ by a discontinuous change in the acceleration). As we saw before, a retrenchment between two specific operation sequences consists of four things: a retrieve relation between the state spaces, a within relation for the before-states and inputs, an output relation for the after-states and outputs (and before-states and inputs too if necessary), and a concedes relation for the after-states and outputs (and before-states and inputs too if needed). In the relations below, we use some ad hoc notations whose meaning should be obvious from the preceding material.
Regarding the retrieve relation $R$, there is a very natural one that we might expect to use, namely the identity between state values in the continuous and discretized worlds. However, even though in our specific case study the two models start out in the same state, thus making such a putative $R$ true in the hypothesis of the PO (23), in most cases that assumption will not hold, and so we prefer to follow a more generic approach, which will be applicable in a wider set of scenarios. A second proposal for $R$ would see it express a margin of tolerance between the state values in the continuous and discretized worlds, as discussed in Section 2. This proposal would also work after a fashion, but such a proposal works best when the relationship between the two system states is stable throughout the dynamics — we have then a kind of refinement. In our case study, this assumption does not hold since the discrepancy between the two system states grows steadily through the dynamics. To accommodate inconvenient situations such as these, retrenchment makes provisions for expressing the relationship (or just aspects of the relationship) between the states at the before-point of the transition being discussed in the within relation $W$ instead of (or in addition to) in $R$. Since the facts expressed in $W$ do not need to be re-established in the conclusion of the PO (23), this provides the most flexible way of incorporating appropriate facts about the systems' before-states in the PO. With this strategy, a global retrieve relation is not appropriate, and we set $R$ to true:

$$R(\langle x(t), v(t)\rangle, \langle x_D(t), v_D(t)\rangle) \equiv \mathit{true} \qquad (35)$$

The job of expressing that the before-states are suitably matched in the PO, taking into account the input control signals throughout the interval of interest, is thus taken on by the within relation $W$:

$$W\big(u(t \in [0 \ldots T_{Stop}]),\, u_D(t \in [0 \ldots T_{Stop}]),\, \langle x(0), v(0)\rangle,\, \langle x_D(0), v_D(0)\rangle\big) \equiv x(0) = x_D(0) \,\wedge\, v(0) = v_D(0) \,\wedge\, \|u - u_D\|_2 \le a_D T \sqrt{T_{Stop}} \qquad (36)$$

Note that while $W$ relates just the continuous and discrete before-states, it also relates the whole of the continuous and discrete control inputs. The output relation $O$ says what happens at the end of the period of interest. In our case, on the basis of the rather heavy calculations that came earlier, we can use $O$ to say that the after-states diverge by no more than the bound derived in (34):

$$O\big(\langle x(T_{Stop}), v(T_{Stop})\rangle, \langle x_D(T_{Stop}), v_D(T_{Stop})\rangle\big) \equiv |x(T_{Stop}) - x_D(T_{Stop})| \le e^{T_{Stop}}\, a_D T\, T_{Stop} \,\wedge\, |v(T_{Stop}) - v_D(T_{Stop})| \le e^{T_{Stop}}\, a_D T\, T_{Stop} \qquad (37)$$

Note that although $O$ itself speaks explicitly only about the after-states that are attained by the two systems, the fact that we derived the properties of the after-states in question using an $L^\infty$ analysis means that the same bound holds throughout the interval of interest. The advantage of this formulation is that we automatically get a discreteness of the description in terms of before- and after-states, which will integrate neatly with discrete system reasoners (in the event that such modeling is eventually incorporated into mechanised tools), while yet providing guarantees that hold throughout the interval of interest. Since our system is so simple, $O$ already captures all that we need to say, and the kind of exceptional behaviour that may need to be taken into account in more realistic engineering situations is not present. This is also connected with the fact that we have trivialised the retrieve relation.
Accordingly we can set the concedes relation $C$ to false:

$$C\big(\langle x(T_{Stop}), v(T_{Stop})\rangle, \langle x_D(T_{Stop}), v_D(T_{Stop})\rangle\big) \equiv \mathit{false} \qquad (38)$$

With these data, the proof obligation (23) becomes provable on the basis of the results cited earlier, which establishes the formal connection between the continuous and discrete domains in a way that can be integrated with formal refinements on both the continuous and discrete sides. Particularly noteworthy is the fact that the discrepancy between the states grows linearly with time, and that this is a property of the exact solutions and not just an artifact of some approximation scheme. If we tried to handle this in a pure refinement framework, using a retrieve relation $R$ to capture the relationship between states in the two models (regardless of whether $R$ was an exact, pointwise relationship, or an approximate one, analogous to the approximate simulation relations discussed in Section 2), then assuming such an $R$ for the before-states would not enable us to re-establish it for the after-states, and the correctness PO could not be proved. The greater flexibility of retrenchment permits us to handle the before-states in the within relation and the after-states in the output relation, overcoming the problem.

6.3 Corroboration

In our case study, exact solvability of the control models in both continuous and discrete domains gives us additional and independent confirmation of the approach we are advocating in this paper. Both continuous and discrete models "run" for the same amount of time, $T_{Stop}$, and the output relation (37) gives an estimate for the discrepancy between the continuous and discrete states reached in the two models after that time. The states themselves consist of two components, the displacements and the velocities. Regarding the velocities, both models come to a standstill after exactly $T_{Stop}$.
Consequently both $v(T_{Stop})$ and $v_D(T_{Stop})$ are zero, so that $|v(T_{Stop}) - v_D(T_{Stop})| = 0$, and any positive upper bound is bound to be sound. So (37), which gives the overestimate $e^{T_{Stop}}\, a_D T\, T_{Stop}$ for $|v(T_{Stop}) - v_D(T_{Stop})|$, is correct regarding the velocities, but in an unsurprising way. Regarding the displacements, the quantization of $T_{Stop}$ in the discrete case leads to the continuous and discrete dynamics stopping at slightly different places, $D$ and $D_D$ respectively, which we calculated earlier. On that basis, we can calculate the exact difference (disregarding $O(N^{-2})$ and beyond):

$$|x(T_{Stop}) - x_D(T_{Stop})| = \frac{\tfrac{2}{3} V T_{Stop}}{4N} = \frac{\tfrac{1}{2}\, a_D T_{Stop}^2 \left(1 + \tfrac{1}{N}\right) T_{Stop}}{6N} = \frac{1}{12}\, a_D T\, T_{Stop}^2 \left(1 + \frac{1}{N}\right) \qquad (39)$$

On the other hand, the output relation (37) gives the estimate $e^{T_{Stop}}\, a_D T\, T_{Stop}$ for this quantity. Thus the exact value falls within the bounds of the estimate, as it should, if and only if (after cancelling the common factor $a_D T\, T_{Stop}$):

$$\frac{T_{Stop}}{12}\left(1 + \frac{1}{N}\right) \le e^{T_{Stop}} \qquad (40)$$

Since a linear function of $T_{Stop}$ of slope less than 1 can never catch an exponential function of $T_{Stop}$ with coefficient 1, (40) is obviously true, and we have our corroboration.

7 Continuous to Discrete Modeling in a Wider Design Process

The previous sections focused in detail on how the rigorous theory of ODEs was capable of yielding results that could be integrated with existing model based refinement centred development methodologies, all in the context of a very simple example. The essence of the process is to identify useful results from the mathematical theory, and then to drill down into the details of the proof to identify explicit values for the constants etc. that figure in them.
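The explicit values that this drilling down produces for the case study of Section 6 can be checked mechanically. The following Python script is an added example, not code from the paper or its authors. It builds the exact continuous solution and the exact zero-order-held solution of the stopping model from the formulas quoted above (the linear input $u(t) = -at$, the staircase $u_D(t)$ of (30) and the constants of (31)), evaluates the staircase bound (32), the $L^2$ bound (33), the ODE bound (34), the exact displacement gap (39) and the corroboration inequality (40), and checks the retrenchment PO in the form $W \Rightarrow O$ for one run. The sample values $V = 20$, $T_{Stop} = 10$, $N = 10$ are constructed; the initial state $x(0) = 0$, $v(0) = V$ and the interval-by-interval integration of the held input are assumptions about the earlier sections of the paper, which are not reproduced here.

```python
"""Continuous vs zero-order-held stopping model: exact solutions, the ODE bound (34),
the exact gap (39) and the corroboration inequality (40).  Added example, not from the
paper; the initial state x(0) = 0, v(0) = V is an assumption about the earlier sections."""
import math


def model_constants(V, T_stop, N):
    """T, a, a_D as in (31): T = T_stop/N, a = 2V/T_stop^2, a_D = 2V/(T_stop^2 (1 + 1/N))."""
    T = T_stop / N
    a = 2.0 * V / T_stop ** 2
    a_D = 2.0 * V / (T_stop ** 2 * (1.0 + 1.0 / N))
    return T, a, a_D


def continuous_state(V, T_stop, t):
    """Exact solution of x' = v, v' = u(t) = -a t with x(0) = 0, v(0) = V."""
    _, a, _ = model_constants(V, T_stop, 1)
    return V * t - a * t ** 3 / 6.0, V - a * t ** 2 / 2.0


def discrete_input(V, T_stop, N, t):
    """Staircase u_D(t) = -k a_D T on the k-th interval ((k-1)T, kT], as in (30)."""
    T, _, a_D = model_constants(V, T_stop, N)
    k = min(max(math.ceil(t / T - 1e-12), 1), N)
    return -k * a_D * T


def discrete_state(V, T_stop, N, t):
    """Exact solution under the held input, integrated interval by interval
    (the input is constant on each interval, so each piece is a quadratic)."""
    T, _, _ = model_constants(V, T_stop, N)
    x, v = 0.0, float(V)
    for k in range(1, N + 1):
        dt = min(T, t - (k - 1) * T)
        if dt <= 0:
            break
        u_k = discrete_input(V, T_stop, N, k * T)
        x += v * dt + u_k * dt ** 2 / 2.0
        v += u_k * dt
    return x, v


def input_sup_gap(V, T_stop, N, samples=20000):
    """sup |u(t) - u_D(t)| on a grid; (32) says this never exceeds a_D T."""
    _, a, _ = model_constants(V, T_stop, N)
    return max(abs(-a * t - discrete_input(V, T_stop, N, t))
               for t in (i * T_stop / samples for i in range(samples + 1)))


def input_l2_gap(V, T_stop, N, samples=20000):
    """Midpoint-rule estimate of ||u - u_D||_2 on [0, T_stop]; (33) bounds it by a_D T sqrt(T_stop)."""
    _, a, _ = model_constants(V, T_stop, N)
    h = T_stop / samples
    total = sum((-a * (i + 0.5) * h - discrete_input(V, T_stop, N, (i + 0.5) * h)) ** 2
                for i in range(samples))
    return math.sqrt(total * h)


def ode_bound(V, T_stop, N):
    """Right hand side of (34): e^{T_stop} a_D T T_stop."""
    T, _, a_D = model_constants(V, T_stop, N)
    return math.exp(T_stop) * a_D * T * T_stop


def exact_displacement_gap(V, T_stop, N):
    """|x(T_stop) - x_D(T_stop)| from the exact solutions; (39) gives (2/3) V T_stop / (4N)."""
    x, _ = continuous_state(V, T_stop, T_stop)
    x_D, _ = discrete_state(V, T_stop, N, T_stop)
    return abs(x - x_D)


def retrenchment_po_holds(V, T_stop, N):
    """W (36) => O (37) for one run: equal start states plus the L2 bound on the inputs
    must imply that both after-state components differ by at most the bound (34)."""
    T, _, a_D = model_constants(V, T_stop, N)
    x0, v0 = continuous_state(V, T_stop, 0.0)
    xD0, vD0 = discrete_state(V, T_stop, N, 0.0)
    within = (x0 == xD0 and v0 == vD0
              and input_l2_gap(V, T_stop, N) <= a_D * T * math.sqrt(T_stop) + 1e-9)
    x1, v1 = continuous_state(V, T_stop, T_stop)
    xD1, vD1 = discrete_state(V, T_stop, N, T_stop)
    bound = ode_bound(V, T_stop, N)
    output = abs(x1 - xD1) <= bound and abs(v1 - vD1) <= bound
    return (not within) or output


def corroboration_holds(T_stop, N):
    """Inequality (40): (T_stop/12)(1 + 1/N) <= e^{T_stop}."""
    return (T_stop / 12.0) * (1.0 + 1.0 / N) <= math.exp(T_stop)


if __name__ == "__main__":
    V, T_STOP, N = 20.0, 10.0, 10   # constructed sample values (m/s, s, number of held steps)
    T, _, a_D = model_constants(V, T_STOP, N)
    print("exact gap  (39):", exact_displacement_gap(V, T_STOP, N))
    print("ODE bound  (34):", ode_bound(V, T_STOP, N))
    print("sup|u-u_D|     :", input_sup_gap(V, T_STOP, N), "<= a_D T =", a_D * T)
    print("PO W => O holds:", retrenchment_po_holds(V, T_STOP, N))
    print("(40) holds     :", corroboration_holds(T_STOP, N))
```

Under the stated assumptions the computed gap coincides with the leading term of (39), $V T_{Stop}/(6N)$, while the bound (34) carries the factor $e^{T_{Stop}}$, which is why (40) holds with so much room to spare; both quantities shrink like $1/N$ as the discretization is refined, in line with the remark after (34).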
The latter process is often required, since it is frequently the case that the goal of a proof of interest is satisfied by merely asserting the existence of the requisite constant, without a specific value being calculated, since that is usually enough to enable the existence of some limit to be proved. By contrast, for us, the existence of the limit is insufficient, since no engineering process can completely traverse the infinite road required to reach it. Rather, we need the explicit value of everything, so that we can judge how far down the road we have to go before we can be sure that we have gone "far enough" to achieve the engineering quality we require. In this section, we outline how a retrenchment obtained in this way could be placed in the context of a development methodology of wider scope. For lack of space we touch on a number of technical issues that are only dealt with properly in the extended version of this paper. The key idea for the integration is the Tower Pattern, mentioned already in Section 5.
This allows the extreme flexibility of retrenchment, with its ability to accommodate a very wide variety of system properties, to be shored up with the much stricter guarantees that model based refinement offers, the latter coming at the price of much more restricted expressivity as regards system properties. Although we do not have the space to discuss the point at length, we claim that a judicious combination of the two techniques can give better coverage of the route from high level domain centred requirements goals to low level implementation than either technique alone. Thus on the one hand, use of refinement alone forces the consideration of, and commitment to, low level restrictions such as finiteness limits on arithmetic far too early in the process, in order that all later models can (in effect) be conservative extensions of their predecessors.

Figure 3: An overview of a complete development, starting with abstract goals, proceeding through explicit continuous and discrete deceleration models, and continuing with further low level models. Vertical arrows are (perhaps successive) model based refinements. Horizontal arrows are retrenchments, suited to relating models too different to be connected by refinement.
(Figure 3 labels: Initial goals; More detailed goals; Continuous control design; Continuous ASM model; Discretized control design; Discretized ASM model; Braking model; a square of models A, B, C, D linked by Ref_{A,C}, Ret_{C,D}, Ret_{A,B}, Ref_{B,D}; goals Achieve[ComfortableTimelyTrainStopping], Maintain[LinearDecelerationWhileStopping], Maintain[StoppingDistanceAppropriate], Maintain[StoppingTimeAppropriate]; and a goal tree Achieve[EliminateMalariaFromHumanPopulation] with OR-refinements Achieve[Eradicate Mosquitos], Maintain[Negligible Mosquito Population], Maintain[Anti Malaria Therapy], Maintain[Mosquito Repellent Measures].)
On the other hand, use of retrenchment alone makes it much harder to track how system properties evolve as the development proceeds, since successive models can be connected to their predecessors in a very loose manner, requiring much tighter focus on post hoc validation. In our case, it is appropriate to use retrenchment to capture the properties of the discretization step, since that is something that has eluded model based refinement techniques.⁵ However, on either side of the discretization step we are free to use refinement, since on each side individually the models display much more consistency regarding the kind of properties that can be handled with sufficient eloquence using refinement alone. The complete process that we have in mind may be summarized in Fig. 3. The thick arrows trace a path through a family of models that a development route could plausibly take. The left hand side of the diagram concerns continuous models. At the start, we have high level requirements goals, expressed in a notation with formal underpinnings. We have in mind a formalism like KAOS [30, 31] (or more precisely, an adaptation of it to deal more honestly with continuous processes). These requirements goals can then be formally refined till they can be operationalized, i.e. transformed into the operations of a methodology such as ASM (again, adapted to deal with continuous evolution). Then comes our discretization step, necessitating the use of retrenchment. Once we have crossed the continuous/discrete boundary, we are free to revert to traditional model based refinement techniques for discrete state transition systems — no worries about continuous phenomena any more. In Fig. 3 we indicate how the discrete kinematics that we investigated earlier might be refined to a model of train braking, in which concern with the dynamics is replaced by a focus on the actuators that would implement the deceleration increments in practice. Fig. 3 also features other models, indicated by asterisks. These are models whose existence is guaranteed by the Tower theorems [8, 28], making the squares of Fig. 3 commute in an appropriate sense. However, we argue that these models are less useful than the others. Thus the lower left model would be a continuous version of the braking model, an unrealistic overidealisation so close to implementation. The upper right model would be a discretized version of the highest level requirements goals for train stopping. Again this would be inappropriate at such a high level, since it clutters what ought to be the most perspicuous expression of the system goals with a lot of material concerning low level details of the discretization scheme. This bears out what we said above about a combination of refinement and retrenchment techniques providing the best coverage of the route from high level requirements to low level implementation.

Above, we mentioned adaptations of KAOS and ASM to deal with continuous behaviour. We discuss these briefly now. Regarding ASM, a major part of what we need is already available in the literature, eg. [16, 39], which deal with (Real) Timed ASM. The essential observation is that in the context of continuous time, system states should be modeled as persisting over half-open half-closed time intervals, eg. $(t_0, t_1]$.

⁵ It has to be noted that the introduction of approximate simulations has improved the situation recently with regard to stable systems, but in a more general context the observation remains true.
This allows the typical discontinuous state transition in a typical discrete transition system, say of a state variable $v$, to be represented as the move from $v(t_0)$ (the value of $v$ at $t_0$, which lies outside $(t_0, t_1]$ and is the right hand endpoint of the preceding interval) to $\lim_{\varepsilon \to 0^+} v(t_0 + \varepsilon)$ (the limit at the left hand end $t_0$, taken from the right, of values of $v$ within the interval $(t_0, t_1]$). Likewise, a period of continuous evolution can be understood as persisting over such a half-closed interval, governed by a suitably well posed ODE initial value problem, and with the truth of the initial conditions for the initial value problem at the end of the preceding interval being the trigger for the system's subsequently following a trajectory specified by the ODE problem. With these conventions, a version of ASM in which discrete steps alternate with continuous flows can be developed, reflecting many of the characteristics of hybrid automata. A similar approach can be adopted for KAOS. Although KAOS depends on a notion of time from the outset, in the normal KAOS formalism time is discrete, typically indexed by the integers, with requirements goals expressed as temporal logic formulae over time. For a version over continuous time, while some temporal operators, eg. always, until, offer no conceptual difficulties, the next operator needs to be rethought. Again half-open half-closed intervals, with successor states being defined via the limit from the right at the left hand end of a half-closed interval, can be used. To avoid problems arising due to an accumulation of next operators, syntactic restrictions have to be imposed on the permitted temporal formulae. However, the kinds of restrictions that need to be imposed are satisfied by the patterns that KAOS requirements are normally built out of.
8 Conclusion

In this paper we introduced a small continuous control problem in state space format, and then treated a discretized counterpart of it, utilising a zero order hold. Then came the main novel contribution of the paper, a rigorous treatment of the continuous to discrete modeling transformation, based on cited results from ODE theory. That done, we were able to integrate the results into a retrenchment which related the continuous and discrete models. As noted earlier, model based formal development normally starts already in the discrete domain, so the ability to connect this with the continuous world in a reasoned way is a significant extension of the potential of model based formal techniques to underpin developments of such systems. Equally importantly, in making essential use of retrenchment to forge the connection between continuous modeling and discrete modeling, this work gives a fresh confirmation of the utility of the concept as a worthwhile adjunct to refinement in tackling the wider issues connected with real world formal developments. Of course, this paper is by no means the last word in developments of this kind. As well as tackling a control problem that was almost trivial technically, the rigorous result from mathematical control theory that we utilized was relatively limited, insisting, as it did, that the two behaviours that were compared started from the same state, using a rather crude $L^2$ estimate of the difference in the control inputs to derive its conclusion, and being based on rather generic properties of the ODEs that govern the dynamics of the control problem. (These simple constraints also meant that relatively little of the expressive power of retrenchment was used in this case study.) In more realistic cases, the problem will be less amenable to analytic solution, and feedback mechanisms will help alleviate the inherent uncertainty that arises.
Moreover, while a crude $L^2$ estimate of the difference in the control inputs allows the two control inputs to get as far away from each other as the bounds on the control space allow, in practice feedback mechanisms will tend to push them together, and this could be exploited to derive more stringent estimates of the difference between continuous and discrete control. All of this remains to be discussed in future work, as does the extension of the KAOS and ASM formalisms (or any alternatives that might be contemplated to act in their place) that can encompass the continuous behaviours that we have described. Our work is to be contrasted with the possibilities offered by the hybrid systems approach [42]. There, the insistence on (approximate) bisimulation between a continuous system and a discrete counterpart restricts attention to control systems which are stable in the Liapunov sense. In any event, the intense focus on considerations of algorithmic decidability in that field, with automata homomorphism as such a prominent relationship between system models, can inhibit design expressivity for the purposes that concern us. For instance, techniques that rely on stability are, strictly speaking, not applicable to our simple case study. Once a suitable collection of widely applicable and useful results of the kind discussed here have been established, the way is open for the incorporation of these into appropriate formal development tools. These would be of a different flavour to those typically developed for the hybrid systems field, since they would have more emphasis on interactive proving than is typically the case there. One snag that would have to be overcome is that most proving based tools cope rather badly with the kind of applied mathematics and rigorous analysis techniques that are required for this work.
A notable exception is the PVS suite [17, 35], for which substantial library support exists to underpin both applied mathematics and its more rigorous counterparts, eg. [21]. This would be the obvious jumping off point for the development of tools that aligned well with our approach.

References

[1] J-R. Abrial (1996): The B-Book: Assigning Programs to Meanings. Cambridge University Press, doi:10.1017/CBO9780511624162.
[2] J-R. Abrial (2010): Modeling in Event-B: System and Software Engineering. Cambridge University Press.
[3] N. Ahmed (2006): Dynamic Systems and Control With Applications. World Scientific.
[4] R. Alur, C. Courcoubetis, T. Henzinger & P-H. Ho (1993): Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems. In: Proc. Workshop on Theory of Hybrid Systems, LNCS 736, Springer, pp. 209–229.
[5] R. Alur & D. Dill (1994): A Theory of Timed Automata. Theor. Comp. Sci. 126, pp. 183–235, doi:10.1016/0304-3975(94)90010-8.
[6] P. Antsaklis & A. Michel (2006): Linear Systems. Birkhauser.
[7] R. Banach: Model Based Refinement and the Design of Retrenchments. Available from [36].
[8] R. Banach & C. Jeske: Retrenchment and Refinement Interworking: the Tower Theorems. Submitted.
[9] R. Banach, C. Jeske & M. Poppleton (2008): Composition Mechanisms for Retrenchment. J. Log. Alg. Prog. 75, pp. 209–229, doi:10.1016/j.jlap.2007.11.001.
[10] R. Banach, M. Poppleton, C. Jeske & S. Stepney (2007): Engineering and Theoretical Underpinnings of Retrenchment. Sci. Comp. Prog. 67, pp. 301–329, doi:10.1016/j.scico.2007.04.002.
[11] S. Barnett (1975): Introduction to Mathematical Control Theory. Oxford University Press.
[12] E. Börger (2003): The ASM Refinement Method. F.A.C.J. 15, pp. 237–257.
[13] E. Börger & R.F. Stärk (2003): Abstract State Machines. A Method for High Level System Design and Analysis. Springer.
[14] F. Clarke (1987): Optimization and Nonsmooth Analysis. Society for Industrial Mathematics.
[15] F. Clarke, Y. Ledyaev, R. Stern & P. Wolenski (1997): Nonsmooth Analysis and Control Theory. Springer.
[16] J. Cohen & A. Slissenko (2008): Implementation of Timed Abstract State Machines with Instantaneous Actions by Machines with Delays. Technical Report TR-LACL-2008-2, LACL, University of Paris-12.
[17] J. Crow, S. Owre, J. Rushby, N. Shankar & M. Srivas (1995): A Tutorial Introduction to PVS. In R. France, S. Gerhart & M. Larrondo-Petrie, editors: WIFT'95: Workshop on Industrial-Strength Formal Specification Techniques, IEEE Computer Society Press.
[18] J. D'Azzo & C. Houpis (1995): Linear Control System Analysis and Design: Conventional and Modern. McGraw Hill.
[19] J. Derrick & E. Boiten (2001): Refinement in Z and Object-Z: Foundations and Advanced Applications. Springer-Verlag UK, doi:10.1007/978-1-4471-0257-1.
[20] R. Dorf & R. Bishop (2010): Modern Control Systems. Pearson.
[21] B. Dutertre (1996): Elements of Mathematical Analysis in PVS. In: TPHOLs 1996, LNCS 1125, Springer.
[22] K. Dutton, S. Thompson & B. Barraclough (1997): The Art of Control Engineering. Addison Wesley.
[23] M. Fadali & A. Visioli (2009): Digital Control Engineering: Analysis and Design. Academic Press.
[24] G. Franklin, J. Powell & M. Workman (1996): Digital Control Systems. Prentice Hall.
[25] J. He (1994): From CSP to hybrid systems. In A.W. Roscoe, editor: A Classical Mind, Essays in Honour of C.A.R. Hoare, Prentice-Hall International, pp. 171–189.
[26] T. A. Henzinger (1996): The Theory of Hybrid Automata. In: Proc. IEEE LICS-96, IEEE, pp. 278–292. See also http://mtc.epfl.ch/~tah/Publications/the_theory_of_hybrid_automata.pdf.
[27] IEEE Standard 1474: IEEE Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements: IEEE Std 1474.1-2004; IEEE Standard for User Interface Requirements in Communications-Based Train Control (CBTC) Systems: IEEE Std 1474.2-2003; IEEE Recommended Practice for Communications-Based Train Control (CBTC) System Design and Functional Allocations: IEEE Std 1474.3-2008.
[28] C. Jeske (2005): Algebraic Integration of Retrenchment and Refinement. Ph.D. thesis, University of Manchester.
[29] B. Kuo (1992): Digital Control Systems. Oxford University Press.
[30] A. van Lamsweerde (2009): Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley.
[31] E. Letier (2001): Reasoning about Agents in Goal-Oriented Requirements Engineering. Ph.D. thesis, Dépt. Ingénierie Informatique, Université Catholique de Louvain.
[32] K. Ogata (2008): Modern Control Engineering. Pearson.
[33] P. Paraskevopoulos (1996): Digital Control Systems. Prentice Hall.
[34] B. Potter, J. Sinclair & D. Till (1996): An Introduction to Formal Specification and Z, 2nd edition. Prentice Hall.
[35] PVS Homepage: http://pvs.csl.sri.com.
[36] Retrenchment Homepage: http://www.cs.man.ac.uk/retrenchment.
[37] W.P. de Roever & K. Engelhardt (1998): Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press.
[38] E. Sekerinski & K. Sere (1998): Program Development by Refinement: Case Studies Using the B-Method. Springer.
[39] A. Slissenko & P. Vasilyev (2008): Simulation of Timed Abstract State Machines with Predicate Logic Model Checking. J.U.C.S. 14, pp. 1984–2006.
[40] E. Sontag (1998): Mathematical Control Theory. Springer.
[41] W. Su, F. Yang, X. Wu, J. Gou & H. Zhu (2011): Formal Approaches to Mode Conversion and Positioning for Vehicle Systems. In: Proc. 3rd IEEE International Workshop on Security Aspects of Process and Services Engineering. To appear.
[42] P. Tabuada (2009): Verification and Control of Hybrid Systems: A Symbolic Approach. Springer.
[43] J. Woodcock & J. Davies (1996): Using Z, Specification, Refinement and Proof. Prentice Hall.